From 7bc4f9f09480461da02687686cc8639555e0990f Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Thu, 19 May 2022 14:29:23 +0200 Subject: [PATCH] Ciphersuites with RSA KX should be filterd in FIPS mode Related: rhbz#2085088 --- 0045-FIPS-services-minimize.patch | 13 +++++++++++++ openssl.spec | 2 ++ 2 files changed, 15 insertions(+) diff --git a/0045-FIPS-services-minimize.patch b/0045-FIPS-services-minimize.patch index 2d216c2..e10b504 100644 --- a/0045-FIPS-services-minimize.patch +++ b/0045-FIPS-services-minimize.patch @@ -681,3 +681,16 @@ diff -up openssl-3.0.1/apps/ecparam.c.fips_list_curves openssl-3.0.1/apps/ecpara if (comment == NULL) comment = "CURVE DESCRIPTION NOT AVAILABLE"; if (sname == NULL) +diff -up openssl-3.0.1/ssl/ssl_ciph.c.nokrsa openssl-3.0.1/ssl/ssl_ciph.c +--- openssl-3.0.1/ssl/ssl_ciph.c.nokrsa 2022-05-19 13:32:32.536708638 +0200 ++++ openssl-3.0.1/ssl/ssl_ciph.c 2022-05-19 13:42:29.734002959 +0200 +@@ -356,6 +356,9 @@ int ssl_load_ciphers(SSL_CTX *ctx) + ctx->disabled_mkey_mask = 0; + ctx->disabled_auth_mask = 0; + ++ if (EVP_default_properties_is_fips_enabled(ctx->libctx)) ++ ctx->disabled_mkey_mask |= SSL_kRSA; ++ + /* + * We ignore any errors from the fetches below. They are expected to fail + * if theose algorithms are not available. diff --git a/openssl.spec b/openssl.spec index 1748ffe..c744ef8 100644 --- a/openssl.spec +++ b/openssl.spec @@ -452,6 +452,8 @@ install -m644 %{SOURCE9} \ * Thu May 19 2022 Dmitry Belyavskiy - 1:3.0.1-32 - `openssl ecparam -list_curves` lists only FIPS-approved curves in FIPS mode - Resolves: rhbz#2083240 +- Ciphersuites with RSA KX should be filterd in FIPS mode +- Related: rhbz#2085088 * Wed May 18 2022 Clemens Lang - 1:3.0.1-31 - Disable SHA-1 signature verification in FIPS mode