Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-65586

Malformed ML-KEM client key shares are not rejected by OpenSSL server

Linking RHIVOS CVEs to...Migration: Automation ...SWIFT: Generate New Ti...SWIFT: POC ConversionSync from "Extern...XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Normal Normal
    • None
    • rhel-10.0
    • openssl
    • None
    • No
    • Low
    • rhel-security-crypto-diamonds
    • ssg_security
    • None
    • False
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • None
    • None
    • None

      When openssl server receives hybrid ML-KEM shares with the ML-KEM being malformed, it doesn't reject the client key shares.

      https://github.com/openssl/openssl/issues/25781

      openssl-3.2.2-13.el10.x86_64
      oqsprovider-0.7.0-2.el10.x86_64
      liboqs-0.11.0-3.el10.x86_64

              dbelyavs@redhat.com Dmitry Belyavskiy
              hkario@redhat.com Alicja Kario
              Dmitry Belyavskiy Dmitry Belyavskiy
              Georgios Stavros Pantelakis Georgios Stavros Pantelakis
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated: