From 86381961674061dbe4fd65c94258b0006203bb55 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy
Date: Thu, 16 Jun 2022 15:06:45 +0200
Subject: [PATCH] Ciphersuites with RSAPSK KX should be filterd in FIPS mode
Related: rhbz#2085088
---
 0045-FIPS-services-minimize.patch | 2 +-
 openssl.spec | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/0045-FIPS-services-minimize.patch b/0045-FIPS-services-minimize.patch
index 7fd3d8d..abb13e0 100644
--- a/0045-FIPS-services-minimize.patch
+++ b/0045-FIPS-services-minimize.patch
@@ -689,7 +689,7 @@ diff -up openssl-3.0.1/ssl/ssl_ciph.c.nokrsa openssl-3.0.1/ssl/ssl_ciph.c
 ctx->disabled_auth_mask = 0;
 + if (EVP_default_properties_is_fips_enabled(ctx->libctx))
-+ ctx->disabled_mkey_mask |= SSL_kRSA;
++ ctx->disabled_mkey_mask |= SSL_kRSA | SSL_kRSAPSK;
 +
 /*
 * We ignore any errors from the fetches below. They are expected to fail
diff --git a/openssl.spec b/openssl.spec
index 2109d0f..cd20450 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.0.1
-Release: 35%{?dist}
+Release: 36%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -458,6 +458,10 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs
 %changelog
+* Thu Jun 16 2022 Dmitry Belyavskiy - 1:3.0.1-36
+- Ciphersuites with RSAPSK KX should be filterd in FIPS mode
+- Related: rhbz#2085088
+
 * Wed Jun 08 2022 Clemens Lang - 1:3.0.1-35
 - Add explicit indicators for signatures in FIPS mode and mark signature primitives as unapproved.
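Review bot: The guard around the changed line `ctx->disabled_mkey_mask |= SSL_kRSA | SSL_kRSAPSK;` tests only `EVP_default_properties_is_fips_enabled(ctx->libctx)`, so an SSL_CTX that reaches the FIPS provider through its own property query rather than the library context's defaults would presumably keep both RSA and RSA-PSK key exchange enabled; the rest of the function is outside the hunk, so this needs checking there. The masked set is also undocumented: a comment such as `/* FIPS: RSA key transport is not allowed, mask kRSA and kRSAPSK */` above the `if` would record why these two belong together (wording to be confirmed against the policy behind rhbz#2085088). No test is visible in this patch; one that asserts no RSA-PSK suite is listed in FIPS mode would keep the filter from regressing.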