crypto: testmgr - desupport SHA-1 for FIPS 140

The sunset period of SHA-1 is approaching [1] and FIPS 140 certificates
have a validity of 5 years. Any distros starting FIPS certification for
their kernels now would therefore most likely end up on the NIST
Cryptographic Module Validation Program "historical" list before their
certification expires.

While SHA-1 is technically still allowed until Dec. 31, 2030, it is
heavily discouraged by NIST and it makes sense to set .fips_allowed to
0 now for any crypto algorithms that reference it in order to avoid any
costly surprises down the line.

[1]: https://www.nist.gov/news-events/news/2022/12/nist-retires-sha-1-cryptographic-algorithm

Acked-by: Stephan Mueller <smueller@chronox.de>
Cc: Marcus Meissner <meissner@suse.de>
Cc: Jarod Wilson <jarod@redhat.com>
Cc: Neil Horman <nhorman@tuxdriver.com>
Cc: John Haxby <john.haxby@oracle.com>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index 72005074a5c26ae8edaa94507ad2c86f3a03b4da..a4ad939e03c9eaccdadab76f3fd2d0fc55d7b757 100644 (file)
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -4229,7 +4229,6 @@ static const struct alg_test_desc alg_test_descs[] = {
        }, {
                .alg = "authenc(hmac(sha1),cbc(aes))",
                .test = alg_test_aead,
-               .fips_allowed = 1,
                .suite = {
                        .aead = __VECS(hmac_sha1_aes_cbc_tv_temp)
                }
@@ -4248,7 +4247,6 @@ static const struct alg_test_desc alg_test_descs[] = {
        }, {
                .alg = "authenc(hmac(sha1),ctr(aes))",
                .test = alg_test_null,
-               .fips_allowed = 1,
        }, {
                .alg = "authenc(hmac(sha1),ecb(cipher_null))",
                .test = alg_test_aead,
@@ -4258,7 +4256,6 @@ static const struct alg_test_desc alg_test_descs[] = {
        }, {
                .alg = "authenc(hmac(sha1),rfc3686(ctr(aes)))",
                .test = alg_test_null,
-               .fips_allowed = 1,
        }, {
                .alg = "authenc(hmac(sha224),cbc(des))",
                .test = alg_test_aead,
@@ -5100,7 +5097,6 @@ static const struct alg_test_desc alg_test_descs[] = {
        }, {
                .alg = "hmac(sha1)",
                .test = alg_test_hash,
-               .fips_allowed = 1,
                .suite = {
                        .hash = __VECS(hmac_sha1_tv_template)
                }
@@ -5436,7 +5432,6 @@ static const struct alg_test_desc alg_test_descs[] = {
        }, {
                .alg = "sha1",
                .test = alg_test_hash,
-               .fips_allowed = 1,
                .suite = {
                        .hash = __VECS(sha1_tv_template)
                }