RHEL-95239

Make hybrid MLKEM work with our FIPS provider (3.0.7) [Rhel 9.7]


    • openssl-3.5.0-4.el9
    • No
    • Important
    • 1
    • rhel-security-crypto
    • ssg_security
    • 26
    • 0
    • QE ack, Dev ack
    • False
    • False
    • Yes
    • Crypto25August
    • Acceptance criteria:
      • AC1: The TLS key exchange groups Secp256r1MLKEM768 and Secp384r1MLKEM1024 are supported and working in the FIPS:PQ policy.
      • AC2: The group X25519MLKEM768 is not supported in the FIPS:PQ policy and cannot be negotiated (the client doesn't negotiate it, the server will not select it).
      • AC3: The implementation of Secp256r1 and Secp384r1 is fetched from the fips.so provider when in FIPS mode.
      • AC4: When the system is in FIPS mode and running the FIPS:PQ policy, the openssl client sends Secp256r1MLKEM768 and Secp256r1 key shares by default (see also RHEL-91292).
      • AC5: When in FIPS mode and running the FIPS policy, the post-quantum groups are not advertised.
    • Pass
    • Not Needed
    • Automated
    • Enhancement
    • Feature, enhancement: Hybrid post-quantum groups are now supported in FIPS mode
      Reason: The new version of the OpenSSL package has been updated to fetch the ECDH part of the new hybrid post-quantum groups from the fips.so provider when the system is running in FIPS mode.
      Result: The OpenSSL library uses FIPS-certified cryptography for the ECDH part of the hybrid post-quantum key exchanges. When the system is running with the ``FIPS:PQ`` crypto-policy, the hybrid post-quantum groups are enabled and used by default by openssl servers and clients.
    • Proposed
    • Unspecified
    • Unspecified
    • Unspecified
    • None

      Make hybrid MLKEM work with our FIPS provider (3.0.7)

      This is a copy of https://issues.redhat.com/browse/RHEL-94614
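
A sketch of how AC2, AC4 and AC5 could be checked against a captured ClientHello, added here as an example; it is not code from this ticket or from OpenSSL. The function names are hypothetical, the group codepoints are the IANA TLS Supported Groups values, and AC4 is read as "exactly these two key shares, in any order", which is an assumption.

```python
import struct

# IANA "TLS Supported Groups" codepoints, named with this ticket's spelling.
GROUPS = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x001D: "x25519",
          0x11EB: "Secp256r1MLKEM768", 0x11EC: "X25519MLKEM768",
          0x11ED: "Secp384r1MLKEM1024"}
PQ = {"Secp256r1MLKEM768", "X25519MLKEM768", "Secp384r1MLKEM1024"}

def parse_supported_groups(ext: bytes) -> list:
    """Body of extension 10: u16 byte length, then u16 group ids."""
    (n,) = struct.unpack_from("!H", ext, 0)
    if n % 2 or n + 2 != len(ext):
        raise ValueError("malformed supported_groups")
    return [GROUPS.get(g, hex(g)) for g in struct.unpack_from(f"!{n // 2}H", ext, 2)]

def parse_key_shares(ext: bytes) -> list:
    """Body of ClientHello extension 51: u16 length, then (group, len, key) entries."""
    (n,) = struct.unpack_from("!H", ext, 0)
    if n + 2 != len(ext):
        raise ValueError("malformed key_share")
    names, off = [], 2
    while off + 4 <= len(ext):
        group, klen = struct.unpack_from("!HH", ext, off)
        off += 4 + klen
        names.append(GROUPS.get(group, hex(group)))
    if off != len(ext):  # an entry overran the list or bytes were left over
        raise ValueError("truncated key_share entry")
    return names

def check(policy: str, groups: list, shares: list) -> list:
    """Return the acceptance criteria a FIPS-mode ClientHello violates."""
    failed = []
    if policy == "FIPS:PQ":
        if "X25519MLKEM768" in groups + shares:
            failed.append("AC2")
        # Reading of AC4 assumed here: exactly these two shares, any order.
        if set(shares) != {"Secp256r1MLKEM768", "secp256r1"}:
            failed.append("AC4")
    elif policy == "FIPS" and PQ & set(groups + shares):
        failed.append("AC5")
    return failed

def _share(group: int, klen: int) -> bytes:  # constructed, zero-filled key
    return struct.pack("!HH", group, klen) + bytes(klen)

# Constructed sample: a FIPS:PQ client offering the two hybrid NIST groups.
_body = _share(0x11EB, 65 + 1184) + _share(0x0017, 65)
SAMPLE_SHARES = struct.pack("!H", len(_body)) + _body
SAMPLE_GROUPS = struct.pack("!5H", 8, 0x11EB, 0x11ED, 0x0017, 0x0018)
```

The extension bodies would come from a packet capture of the client's first flight; AC1 and AC3 need a live handshake and provider inspection and are outside what this parser can show.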

              Dmitry Belyavskiy (dbelyavs@redhat.com)
              George Pantelakis
              Mirek Jahoda