Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-94614

Make hybrid MLKEM work with our FIPS provider (3.0.7)

Linking RHIVOS CVEs to...Migration: Automation ...Sync from "Extern...XMLWordPrintable

    • openssl-3.5.0-7.el10
    • No
    • Important
    • 1
    • rhel-security-crypto
    • ssg_security
    • 19
    • 26
    • 4
    • False
    • False
    • Hide

      None

      Show
      None
    • Yes
    • Crypto25August
    • Hide
      • AC1: the TLS key exchange groups Secp256r1MLKEM768 and Secp384r1MLKEM1024 are supported and working in FIPS mode
      • AC2: The group X25519MLKEM768 is not supported in FIPS mode and cannot be negotiated (client doesn't negotiate it, server will not select it)
      • AC3: when in FIPS mode OpenSSL client sends key share for Secp256r1MLKEM768 and P-256 by default (may require crypto-policies update, file a follow up bug if it doesn't work: RHEL-91144)
      • AC4: the implementation of Secp256r1 and Secp384r1 is fetched from the fips.so provider when in FIPS mode
      Show
      AC1: the TLS key exchange groups Secp256r1MLKEM768 and Secp384r1MLKEM1024 are supported and working in FIPS mode AC2: The group X25519MLKEM768 is not supported in FIPS mode and cannot be negotiated (client doesn't negotiate it, server will not select it) AC3: when in FIPS mode OpenSSL client sends key share for Secp256r1MLKEM768 and P-256 by default (may require crypto-policies update, file a follow up bug if it doesn't work: RHEL-91144 ) AC4: the implementation of Secp256r1 and Secp384r1 is fetched from the fips.so provider when in FIPS mode
    • Pass
    • Not Needed
    • Automated
    • Enhancement
    • Hide
      Feature, enhancement: Hybrid Post-Quantum groups are now supported in FIPS mode
      Reason: The new version of the OpenSSL package has been updated to fetch the ECDH part of the new hybrid post-quantum groups from the fips.so provider when the system is running in FIPS mode.
      Result: The OpenSSL library is using FIPS certified cryptography for the ECDH part of the hybrid post-quantum key exchanges.
      Show
      Feature, enhancement: Hybrid Post-Quantum groups are now supported in FIPS mode Reason: The new version of the OpenSSL package has been updated to fetch the ECDH part of the new hybrid post-quantum groups from the fips.so provider when the system is running in FIPS mode. Result: The OpenSSL library is using FIPS certified cryptography for the ECDH part of the hybrid post-quantum key exchanges.
    • Proposed
    • Unspecified
    • Unspecified
    • Unspecified
    • None

      Make hybrid MLKEM work with our FIPS provider (3.0.7)

              dbelyavs@redhat.com Dmitry Belyavskiy
              dbelyavs@redhat.com Dmitry Belyavskiy
              Dmitry Belyavskiy Dmitry Belyavskiy
              George Pantelakis George Pantelakis
              Mirek Jahoda Mirek Jahoda
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

                Created:
                Updated: