RHEL-98639

mlkem768x25519 trips channel.isFIPS indicator


    • Bug
    • Resolution: Done
    • Minor
    • rhel-10.1
    • nss
    • No
    • Low
    • 2
    • rhel-security-crypto-clubs
    • Crypto25August, Crypto25October

      When connecting from NSS to NSS with all defaults, the mlkem768x25519 group is now selected in RHEL-10.1,
      and that trips the FIPS indicator. I see:

      tstclnt: SSL version 3.4 using 128-bit AES-GCM with 128-bit AEAD MAC
      tstclnt: Server Auth: 2048-bit TLS 1.3, Key Exchange: 255-bit TLS 1.3
               Key Exchange Group:mlkem768x25519
      

      as opposed to 10.0's

      tstclnt: SSL version 3.4 using 128-bit AES-GCM with 128-bit AEAD MAC FIPS
      tstclnt: Server Auth: 2048-bit TLS 1.3, Key Exchange: 256-bit TLS 1.3
               Key Exchange Group:P256
      

      cmd/tstclnt/tstclnt.c:172 conditions printing that "FIPS" bit on the channel.isFIPS value.
      I expect that to not be the case and mlkem768x25519 usage to be approved in FIPS mode.

              rrelyea Robert Relyea
              asosedki@redhat.com Alexander Sosedkin
              Robert Relyea Robert Relyea
              Ondrej Moris Ondrej Moris
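
A check a test harness could run over tstclnt output to catch the missing indicator described in the report. This is an added example, not code from NSS or from the issue; the line layout is assumed from the two outputs quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample input: the two tstclnt outputs quoted in the report.
RHEL_10_1 = """\
tstclnt: SSL version 3.4 using 128-bit AES-GCM with 128-bit AEAD MAC
tstclnt: Server Auth: 2048-bit TLS 1.3, Key Exchange: 255-bit TLS 1.3
         Key Exchange Group:mlkem768x25519
"""
RHEL_10_0 = """\
tstclnt: SSL version 3.4 using 128-bit AES-GCM with 128-bit AEAD MAC FIPS
tstclnt: Server Auth: 2048-bit TLS 1.3, Key Exchange: 256-bit TLS 1.3
         Key Exchange Group:P256
"""

# Assumed layout: the summary line ends in "MAC", optionally followed by " FIPS"
# (the marker tstclnt prints when channel.isFIPS is set).
SUMMARY = re.compile(
    r"^tstclnt: SSL version (?P<version>\S+) using (?P<cipher>.+? MAC)(?P<fips> FIPS)?\s*$"
)
GROUP = re.compile(r"^\s*Key Exchange Group:\s*(?P<group>\S+)\s*$")


def parse_tstclnt(output):
    """Extract version, cipher, key exchange group and FIPS marker from one run.

    "fips" stays None when no summary line is present (for example, the
    handshake failed), so a failed run is not mistaken for a non-FIPS one.
    """
    result = {"version": None, "cipher": None, "group": None, "fips": None}
    for line in output.splitlines():
        m = SUMMARY.match(line)
        if m:
            result.update(version=m["version"], cipher=m["cipher"],
                          fips=m["fips"] is not None)
            continue
        m = GROUP.match(line)
        if m:
            result["group"] = m["group"]
    return result


def missing_fips_indicator(runs):
    """Return {run name: group} for completed handshakes printed without FIPS."""
    parsed = {name: parse_tstclnt(text) for name, text in runs.items()}
    return {name: r["group"] for name, r in parsed.items() if r["fips"] is False}


if __name__ == "__main__":
    print(missing_fips_indicator({"rhel-10.0": RHEL_10_0, "rhel-10.1": RHEL_10_1}))
```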