Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-99813

X25519-MLKEM768 should be aliased to MLKEM768-X25519

Linking RHIVOS CVEs to...Migration: Automation ...SWIFT: POC ConversionSync from "Extern...XMLWordPrintable

    • crypto-policies-20250714-1.git95bf40e.el10
    • No
    • Low
    • 1
    • rhel-security-crypto
    • 21
    • 26
    • 1
    • False
    • False
    • Hide

      None

      Show
      None
    • Yes
    • Crypto25August
    • Hide
      • using either X25519-MLKEM768 or MLKEM769-X25519 in the policy produces the same generated policies
      • using X25519-MLKEM768 produces a warning
      • using MLKEM769-X25519 does not produce a warning
      • no warnings are emitted on the policies we ship
      Show
      using either X25519-MLKEM768 or MLKEM769-X25519 in the policy produces the same generated policies using X25519-MLKEM768 produces a warning using MLKEM769-X25519 does not produce a warning no warnings are emitted on the policies we ship
    • Pass
    • Enabled
    • Automated
    • Deprecated Functionality
    • Hide
      Description: X25519-MLKEM768 value in crypto-policies will be deprecated and aliased to MLKEM768-X25519
      Consequence: there might be warnings when custom policies that use the old name are applied; change X25519-MLKEM768 to MLKEM768-X25519 to get rid of them
      Show
      Description: X25519-MLKEM768 value in crypto-policies will be deprecated and aliased to MLKEM768-X25519 Consequence: there might be warnings when custom policies that use the old name are applied; change X25519-MLKEM768 to MLKEM768-X25519 to get rid of them
    • Proposed
    • Unspecified
    • Unspecified
    • Unspecified
    • None

      X25519-MLKEM768 value should be aliased to MLKEM768-X25519, because, while the first one is the unfortunate X25519MLKEM768 IANA group naming used in TLS, the actual order of concatenation is ML-KEM768 first, x25519 second, for FIPS reasons. I'm not aware of protocols that'd use a different concatenation order.

      To ease the confusion and to accommodate that we've previously used both in two different contexts (X25519-MLKEM768 in the TLS one, MLKEM768-X25519 in the SSH one), crypto-policies should allow using either value, but indicate preference towards the MLKEM768-X25519 one.

      crypto-policies has a pre-existing regex replacement mechanism that can optionally raise PolicySyntaxDeprecationWarning that we've already used to support syntax we find obsolete. With this we can replace \bX25519-MLKEM768\b with MLKEM768-X25519 and emit a warning to update custom (sub)policies accordingly. And, of course, we'd have to update our policies to the new name to cause no warnings.

      The only things in the policy other than the values are keys, scopes and comments. keys and scopes belong to a curated list and cannot contain X25519-MLKEM768 as a substring. Comments do not affect the interpretation of the policy. So I think the existing regex replacement mechanism is adequate for the job at hand.

      Were we to reverse this decision anytime later, it must be done on a y-stream release boundary.

              asosedki@redhat.com Alexander Sosedkin
              asosedki@redhat.com Alexander Sosedkin
              Alexander Sosedkin Alexander Sosedkin
              Ondrej Moris Ondrej Moris
              Mirek Jahoda Mirek Jahoda
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

                Created:
                Updated: