Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-151579

openssh explodes with FIPS:TEST-PQ in FIPS

Linking RHIVOS CVEs to...Migration: Automation ...Sync from "Extern...XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Major Major
    • rhel-10.2
    • rhel-10.2
    • openssh
    • None
    • No
    • Important
    • rhel-security-crypto-diamonds
    • 27
    • 28
    • 0
    • False
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • Approved Exception
    • Pass
    • None
    • Unspecified
    • Unspecified
    • Unspecified
    • None

      What were you trying to do that didn't work?

      Enable mlkem768x25519-sha256 in crypto-policies.

      What is the impact of this issue to you?

      Blocks me from enabling mlkem768x25519-sha256 in FIPS even though it should work with kryoptic.

      It's worse for 9: can't enable it in 9 PQ for fears that someone might be driving FIPS:PQ.

      Please provide the package NVR for which the bug is seen:

      openssh-9.9p1-19.el10

      How reproducible is this bug?:

      reliably

      Steps to reproduce

      1. be in FIPS mode
      2. update-crypto-policies --set FIPS:TEST-PQ

      Expected results

      the algorithm is skipped, connections happen with a different kex, sshd doesn't just crash

      Actual results

      your ssh complains that "mlkem768x25519-sha256" is not allowed in FIPS mode, and your sshd is down

              dbelyavs@redhat.com Dmitry Belyavskiy
              asosedki@redhat.com Alexander Sosedkin
              Dmitry Belyavskiy Dmitry Belyavskiy
              Miluse Bezo Konecna Miluse Bezo Konecna
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

                Created:
                Updated: