diff options
| author | Vegard Nossum <vegard.nossum@oracle.com> | 2025-05-21 14:55:19 +0200 |
|---|---|---|
| committer | Herbert Xu <herbert@gondor.apana.org.au> | 2025-06-13 17:26:16 +0800 |
| commit | 9d50a25eeb05c45fef46120f4527885a14c84fb2 (patch) | |
| tree | f82021e93bc647b57b80c0c31c45d58c64a299bb | |
| parent | aaeff14688d0254b39731d9bb303c79bfd610f7d (diff) | |
crypto: testmgr - desupport SHA-1 for FIPS 140
The sunset period of SHA-1 is approaching [1] and FIPS 140 certificates
have a validity of 5 years. Any distros starting FIPS certification for
their kernels now would therefore most likely end up on the NIST
Cryptographic Module Validation Program "historical" list before their
certification expires.
While SHA-1 is technically still allowed until Dec. 31, 2030, it is
heavily discouraged by NIST and it makes sense to set .fips_allowed to
0 now for any crypto algorithms that reference it in order to avoid any
costly surprises down the line.
[1]: https://www.nist.gov/news-events/news/2022/12/nist-retires-sha-1-cryptographic-algorithm
Acked-by: Stephan Mueller <smueller@chronox.de>
Cc: Marcus Meissner <meissner@suse.de>
Cc: Jarod Wilson <jarod@redhat.com>
Cc: Neil Horman <nhorman@tuxdriver.com>
Cc: John Haxby <john.haxby@oracle.com>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| -rw-r--r-- | crypto/testmgr.c | 5 |
1 files changed, 0 insertions, 5 deletions
diff --git a/crypto/testmgr.c b/crypto/testmgr.c index 72005074a5c2..a4ad939e03c9 100644 --- a/crypto/testmgr.c +++ b/crypto/testmgr.c @@ -4229,7 +4229,6 @@ static const struct alg_test_desc alg_test_descs[] = { }, { .alg = "authenc(hmac(sha1),cbc(aes))", .test = alg_test_aead, - .fips_allowed = 1, .suite = { .aead = __VECS(hmac_sha1_aes_cbc_tv_temp) } @@ -4248,7 +4247,6 @@ static const struct alg_test_desc alg_test_descs[] = { }, { .alg = "authenc(hmac(sha1),ctr(aes))", .test = alg_test_null, - .fips_allowed = 1, }, { .alg = "authenc(hmac(sha1),ecb(cipher_null))", .test = alg_test_aead, @@ -4258,7 +4256,6 @@ static const struct alg_test_desc alg_test_descs[] = { }, { .alg = "authenc(hmac(sha1),rfc3686(ctr(aes)))", .test = alg_test_null, - .fips_allowed = 1, }, { .alg = "authenc(hmac(sha224),cbc(des))", .test = alg_test_aead, @@ -5100,7 +5097,6 @@ static const struct alg_test_desc alg_test_descs[] = { }, { .alg = "hmac(sha1)", .test = alg_test_hash, - .fips_allowed = 1, .suite = { .hash = __VECS(hmac_sha1_tv_template) } @@ -5436,7 +5432,6 @@ static const struct alg_test_desc alg_test_descs[] = { }, { .alg = "sha1", .test = alg_test_hash, - .fips_allowed = 1, .suite = { .hash = __VECS(sha1_tv_template) } |