Am Thursday 11 June 2015, 12:05:44 schrieb Tadeusz Struk: Hi Tadeusz, >+ >+static int akcipher_clone_key(struct crypto_akcipher *tfm, >+ const struct public_key *pkey) >+{ >+ int i, ret = 0; >+ >+ tfm->pkey = kzalloc(sizeof(*tfm->pkey), GFP_KERNEL); >+ >+ if (!tfm->pkey) >+ return -ENOMEM; >+ >+ for (i = 0; i < ARRAY_SIZE(tfm->pkey->mpi); i++) { >+ if (!pkey->mpi[i]) >+ continue; >+ >+ if (mpi_copy(&tfm->pkey->mpi[i], pkey->mpi[i])) { >+ akcipher_free_key(tfm->pkey); >+ tfm->pkey = NULL; >+ ret = -ENOMEM; >+ break; >+ } >+ } >+ return ret; >+} The testmgr code can mark an entire cipher implementation as fips_allowed=1 as already done for RSA. However, unlike with the other ciphers, that flag must go in conjunction with the used key sizes. For FIPS mode, the following restrictions apply: - RSA: 2048/3072 - DSA: L 2048 / N 224; L 2048 / N 256; L 3072 / N 256 - ECDSA: only the NIST curves Any other key sizes for the given ciphers is not allowed in FIPS mode. Should that constraint be considered here? Ciao Stephan -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html