Ciphersuites with RSA KX should be filterd in FIPS mode

Related: rhbz#2085088
2022-05-19 14:29:23 +02:00 · 2022-05-19 14:29:23 +02:00 · 7bc4f9f094
commit 7bc4f9f094
parent b393177f7d
2 changed files with 15 additions and 0 deletions
--- a/0045-FIPS-services-minimize.patch
+++ b/0045-FIPS-services-minimize.patch
@ -681,3 +681,16 @@ diff -up openssl-3.0.1/apps/ecparam.c.fips_list_curves openssl-3.0.1/apps/ecpara
         if (comment == NULL)
             comment = "CURVE DESCRIPTION NOT AVAILABLE";
         if (sname == NULL)
+diff -up openssl-3.0.1/ssl/ssl_ciph.c.nokrsa openssl-3.0.1/ssl/ssl_ciph.c
+--- openssl-3.0.1/ssl/ssl_ciph.c.nokrsa	2022-05-19 13:32:32.536708638 +0200
+++ openssl-3.0.1/ssl/ssl_ciph.c	2022-05-19 13:42:29.734002959 +0200
+@@ -356,6 +356,9 @@ int ssl_load_ciphers(SSL_CTX *ctx)
+     ctx->disabled_mkey_mask = 0;
+     ctx->disabled_auth_mask = 0;
+ 
+    if (EVP_default_properties_is_fips_enabled(ctx->libctx))
+        ctx->disabled_mkey_mask |= SSL_kRSA;
+
+     /*
+      * We ignore any errors from the fetches below. They are expected to fail
+      * if theose algorithms are not available.
--- a/openssl.spec
+++ b/openssl.spec
@ -452,6 +452,8 @@ install -m644 %{SOURCE9} \
 * Thu May 19 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-32
 - `openssl ecparam -list_curves` lists only FIPS-approved curves in FIPS mode
 - Resolves: rhbz#2083240
+- Ciphersuites with RSA KX should be filterd in FIPS mode
+- Related: rhbz#2085088

 * Wed May 18 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-31
 - Disable SHA-1 signature verification in FIPS mode