On Fri, Jan 23, 2009 at 10:58:17AM -0500, Neil Horman wrote:
>
> diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
> index 0fac8ff..7eef5be 100644
> --- a/crypto/ansi_cprng.c
> +++ b/crypto/ansi_cprng.c
> @@ -132,10 +132,20 @@ static int _get_more_prng_bytes(struct prng_context *ctx)
> */
> if (!memcmp(ctx->rand_data, ctx->last_rand_data,
> DEFAULT_BLK_SZ)) {
> - printk(KERN_ERR
> - "ctx %p Failed repetition check!\n",
> - ctx);
> - ctx->flags |= PRNG_NEED_RESET;
> + if (fips_enabled) {
> + /* FIPS 140-2 requires that we disable
> + * further use of crypto code if we fail
> + * this test, easiest way to do that
> + * is panic the box
> + */
> + panic("cprng %p failed continuity test",
> + ctx);
> + } else {
> + printk(KERN_ERR
> + "ctx %p Failed repetition check!\n",
> + ctx);
> + ctx->flags |= PRNG_NEED_RESET;
> + }
I'm OK with this change but I'd like it to look like:
if (fips_enabled) {
panic(...)
}
blah blah blah
This way the FIPS crap doesn't get in the way of everyday use.
Thanks,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
