On Thu, Sep 17, 2009 at 08:39:51AM -0700, Herbert Xu wrote: > On Thu, Sep 17, 2009 at 08:43:51AM -0400, Neil Horman wrote: > > > > As Jarod mentioned, currently only the NIST certification vectors and, as a > > result our testmgr vectors require disabling of the internal continuity test, > > but to generalize from that, I would imagine that any set of certification > > vectors that exist in the wild, may or may not assume the presence of the oth > > iteration consumption, and this patch gives us the flexability to make use of > > those. I was thinking that this api extension could also be used for various > > debugging purposes (additional flags could be created to enable internal > > debugging, etc). > > My gut feeling would be to just get rid of the test vectors. > > But if you really want to keep them, please do it like CTR and > RFC3686. That is, have the raw RNG tested with the current vectors, > and implement the FIPS version as a wrapper on top of it to remove > the required bits. > Just so that I'm clear on what your suggesting, you're approach would be to register two algs in ansi_cprng, a 'raw' cprng, and a 'fips compliant cprng' underneath that used the raw cprng as a base, but implemented the continuity test underneath it? If so, yeah, I can get behind that idea. I'll spin a new set of patches shortly. Neil -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
