From eea6367d6e26ef926f16750617d38a3fa974315b Mon Sep 17 00:00:00 2001
From: Andre Russ
Date: Thu, 26 Feb 2026 14:30:10 +0100
Subject: [PATCH 1/2] remove the sha1 allowance for fips mode
---
 prepare_source | 1 +
 upstream_patches/no-sha1-for-fips.patch | 43 +++++++++++++++++++++++++
 upstream_patches/series | 1 +
 3 files changed, 45 insertions(+)
 create mode 100644 upstream_patches/no-sha1-for-fips.patch
 create mode 100644 upstream_patches/series
diff --git a/prepare_source b/prepare_source
index 9148119..2d0a7bf 100755
--- a/prepare_source
+++ b/prepare_source
@@ -27,3 +27,4 @@ rm -rf "$dir/src/debian/config" cp -r config "$dir/src/debian/" apply_patches fixes_debian
+import_upstream_patches
diff --git a/upstream_patches/no-sha1-for-fips.patch b/upstream_patches/no-sha1-for-fips.patch
new file mode 100644
index 0000000..fdd3786
--- /dev/null
+++ b/upstream_patches/no-sha1-for-fips.patch
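Review bot: In `prepare_source`, nothing visible around the added `import_upstream_patches` call makes the build stop if importing the patch fails. The function's definition and the script's error settings are outside the hunk, so this is a question rather than a finding. If the script does not already run under `set -e`, a patch that no longer applies after a kernel bump could leave `sha1` and `hmac(sha1)` marked `fips_allowed` in the built kernel without anyone noticing. Making the failure explicit would cover it, e.g. `import_upstream_patches || { echo "upstream patch import failed" >&2; exit 1; }`.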
@@ -0,0 +1,43 @@
+diff -Nur linux-6.19.3.org/crypto/testmgr.c linux-6.19.3.new/crypto/testmgr.c
+--- linux-6.19.3.org/crypto/testmgr.c 2026-02-19 16:33:27.000000000 +0100
++++ linux-6.19.3.new/crypto/testmgr.c 2026-02-24 09:44:34.790238895 +0100
+@@ -4090,7 +4090,6 @@
+ .alg = "authenc(hmac(sha1),cbc(aes))",
+ .generic_driver = "authenc(hmac-sha1-lib,cbc(aes-generic))",
+ .test = alg_test_aead,
+- .fips_allowed = 1,
+ .suite = {
+ .aead = __VECS(hmac_sha1_aes_cbc_tv_temp)
+ }
+@@ -4111,7 +4110,6 @@
+ }, {
+ .alg = "authenc(hmac(sha1),ctr(aes))",
+ .test = alg_test_null,
+- .fips_allowed = 1,
+ }, {
+ .alg = "authenc(hmac(sha1),ecb(cipher_null))",
+ .generic_driver = "authenc(hmac-sha1-lib,ecb-cipher_null)",
+@@ -4122,7 +4120,6 @@
+ }, {
+ .alg = "authenc(hmac(sha1),rfc3686(ctr(aes)))",
+ .test = alg_test_null,
+- .fips_allowed = 1,
+ }, {
+ .alg = "authenc(hmac(sha224),cbc(des))",
+ .generic_driver = "authenc(hmac-sha224-lib,cbc(des-generic))",
+@@ -4984,7 +4981,6 @@
+ .alg = "hmac(sha1)",
+ .generic_driver = "hmac-sha1-lib",
+ .test = alg_test_hash,
+- .fips_allowed = 1,
+ .suite = {
+ .hash = __VECS(hmac_sha1_tv_template)
+ }
+@@ -5356,7 +5352,6 @@
+ .alg = "sha1",
+ .generic_driver = "sha1-lib",
+ .test = alg_test_hash,
+- .fips_allowed = 1,
+ .suite = {
+ .hash = __VECS(sha1_tv_template)
+ }
diff --git a/upstream_patches/series b/upstream_patches/series
new file mode 100644
index 0000000..a764882
--- /dev/null
+++ b/upstream_patches/series
@@ -0,0 +1 @@
+no-sha1-for-fips.patch
From 9ea2941aab02fa59b37852fbea1d47d803d5bbf2 Mon Sep 17 00:00:00 2001
From: Andre Russ
Date: Thu, 26 Feb 2026 14:33:51 +0100
Subject: [PATCH 2/2] Update crypto test manager for FIPS compliance Remove SHA-1 algorithm usage for FIPS compliance in test manager.
---
 upstream_patches/no-sha1-for-fips.patch | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/upstream_patches/no-sha1-for-fips.patch b/upstream_patches/no-sha1-for-fips.patch
index fdd3786..0893002 100644
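Review bot: Nothing in `upstream_patches/no-sha1-for-fips.patch` shows that the five entries it edits are the only SHA-1-based ones in `crypto/testmgr.c` that carry `.fips_allowed = 1`. The hunks cover `sha1`, `hmac(sha1)` and three `authenc(hmac(sha1),…)` combinations, and any other SHA-1 construction still flagged would stay available with fips=1. A post-patch check that searches the patched `testmgr.c` for `sha1` entries still setting the flag, and fails the build on a hit, would catch this across kernel updates. The patch file also has no header text; a short comment above the `diff -Nur` line stating why the flag is dropped and which kernel the offsets came from (the paths say 6.19.3) would help whoever rebases it. In-kernel users that request `sha1` or `hmac(sha1)` by name will presumably fail to allocate them once the flag is gone, so a boot test with fips=1 is worth running before release.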
--- a/upstream_patches/no-sha1-for-fips.patch
+++ b/upstream_patches/no-sha1-for-fips.patch
@@ -1,6 +1,6 @@
-diff -Nur linux-6.19.3.org/crypto/testmgr.c linux-6.19.3.new/crypto/testmgr.c
---- linux-6.19.3.org/crypto/testmgr.c 2026-02-19 16:33:27.000000000 +0100
-+++ linux-6.19.3.new/crypto/testmgr.c 2026-02-24 09:44:34.790238895 +0100
+diff -Nur a/crypto/testmgr.c b/crypto/testmgr.c
+--- a/crypto/testmgr.c 2026-02-19 16:33:27.000000000 +0100
++++ b/crypto/testmgr.c 2026-02-24 09:44:34.790238895 +0100
 @@ -4090,7 +4090,6 @@
 .alg = "authenc(hmac(sha1),cbc(aes))",
 .generic_driver = "authenc(hmac-sha1-lib,cbc(aes-generic))",