| author | Vegard Nossum <[email protected]> | 2025-05-21 12:55:19 +0000 |
|---|---|---|
| committer | Herbert Xu <[email protected]> | 2025-06-13 09:26:16 +0000 |
| commit | 9d50a25eeb05c45fef46120f4527885a14c84fb2 (patch) | |
| tree | f82021e93bc647b57b80c0c31c45d58c64a299bb /crypto/testmgr.c | |
| parent | crypto: ccp - Add missing bootloader info reg for pspv6 (diff) | |
crypto: testmgr - desupport SHA-1 for FIPS 140

The sunset period of SHA-1 is approaching [1] and FIPS 140 certificates
have a validity of 5 years. Any distros starting FIPS certification for
their kernels now would therefore most likely end up on the NIST
Cryptographic Module Validation Program "historical" list before their
certification expires.

While SHA-1 is technically still allowed until Dec. 31, 2030, it is
heavily discouraged by NIST and it makes sense to set .fips_allowed to
0 now for any crypto algorithms that reference it in order to avoid any
costly surprises down the line.

[1]: https://www.nist.gov/news-events/news/2022/12/nist-retires-sha-1-cryptographic-algorithm

Acked-by: Stephan Mueller <[email protected]>
Cc: Marcus Meissner <[email protected]>
Cc: Jarod Wilson <[email protected]>
Cc: Neil Horman <[email protected]>
Cc: John Haxby <[email protected]>
Signed-off-by: Vegard Nossum <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
Diffstat (limited to 'crypto/testmgr.c')
| -rw-r--r-- | crypto/testmgr.c | 5 |
1 files changed, 0 insertions, 5 deletions
diff --git a/crypto/testmgr.c b/crypto/testmgr.c index 72005074a5c2..a4ad939e03c9 100644 --- a/crypto/testmgr.c +++ b/crypto/testmgr.c @@ -4229,7 +4229,6 @@ static const struct alg_test_desc alg_test_descs[] = { }, { .alg = "authenc(hmac(sha1),cbc(aes))", .test = alg_test_aead, - .fips_allowed = 1, .suite = { .aead = __VECS(hmac_sha1_aes_cbc_tv_temp) } @@ -4248,7 +4247,6 @@ static const struct alg_test_desc alg_test_descs[] = { }, { .alg = "authenc(hmac(sha1),ctr(aes))", .test = alg_test_null, - .fips_allowed = 1, }, { .alg = "authenc(hmac(sha1),ecb(cipher_null))", .test = alg_test_aead, @@ -4258,7 +4256,6 @@ static const struct alg_test_desc alg_test_descs[] = { }, { .alg = "authenc(hmac(sha1),rfc3686(ctr(aes)))", .test = alg_test_null, - .fips_allowed = 1, }, { .alg = "authenc(hmac(sha224),cbc(des))", .test = alg_test_aead, @@ -5100,7 +5097,6 @@ static const struct alg_test_desc alg_test_descs[] = { }, { .alg = "hmac(sha1)", .test = alg_test_hash, - .fips_allowed = 1, .suite = { .hash = __VECS(hmac_sha1_tv_template) } @@ -5436,7 +5432,6 @@ static const struct alg_test_desc alg_test_descs[] = { }, { .alg = "sha1", .test = alg_test_hash, - .fips_allowed = 1, .suite = { .hash = __VECS(sha1_tv_template) } |
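Review bot: the commit message says .fips_allowed is cleared "for any crypto algorithms that reference" SHA-1, but the five hunks touch only authenc(hmac(sha1),cbc(aes)), authenc(hmac(sha1),ctr(aes)), authenc(hmac(sha1),rfc3686(ctr(aes))), hmac(sha1) and sha1, so the message should either state that these were the only alg_test_descs entries naming sha1 that carried the flag or list the ones left alone on purpose. The message also speaks of setting the flag to 0, while every hunk deletes the `.fips_allowed = 1,` initializer and relies on the omitted member of a static table entry being zero; that is correct C, but wording it as "drop .fips_allowed" would match what the diff does. A sentence on what a caller requesting hmac(sha1) or one of the authenc(hmac(sha1),...) templates will see once FIPS mode is enabled would help distro maintainers judge the impact before backporting.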
