Ciphersuites with RSAPSK KX should be filterd in FIPS mode

Related: rhbz#2085088
2 years ago · 8638196167
parent 8b08b372c8
commit 8638196167
2 changed files with 6 additions and 2 deletions
--- a/0045-FIPS-services-minimize.patch
+++ b/0045-FIPS-services-minimize.patch
@ -689,7 +689,7 @@ diff -up openssl-3.0.1/ssl/ssl_ciph.c.nokrsa openssl-3.0.1/ssl/ssl_ciph.c
     ctx->disabled_auth_mask = 0;
 
 +    if (EVP_default_properties_is_fips_enabled(ctx->libctx))
-+        ctx->disabled_mkey_mask |= SSL_kRSA;
+        ctx->disabled_mkey_mask |= SSL_kRSA | SSL_kRSAPSK;
 +
     /*
      * We ignore any errors from the fetches below. They are expected to fail
--- a/openssl.spec
+++ b/openssl.spec
@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.0.1
-Release: 35%{?dist}
+Release: 36%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@ -458,6 +458,10 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs

 %changelog
+* Thu Jun 16 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-36
+- Ciphersuites with RSAPSK KX should be filterd in FIPS mode
+- Related: rhbz#2085088
+
 * Wed Jun 08 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-35
 - Add explicit indicators for signatures in FIPS mode and mark signature
  primitives as unapproved.