On Friday, 3 May 2019, 03:42:41 CEST, Herbert Xu wrote:

Hi Herbert,

> On Thu, May 02, 2019 at 06:38:12PM +0200, Stephan Müller wrote:
> > +static int drbg_fips_continuous_test(struct drbg_state *drbg,
> > + const unsigned char *entropy)
> > +{
> > +#if IS_ENABLED(CONFIG_CRYPTO_FIPS)
>
> This should look like
>
> if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) {
> ...
> } else {
> ...
> }
>
> This way the compiler will see everything regardless of whether
> FIPS is enabled or not.
>
> > diff --git a/include/crypto/drbg.h b/include/crypto/drbg.h
> > index 3fb581bf3b87..939051480c83 100644
> > --- a/include/crypto/drbg.h
> > +++ b/include/crypto/drbg.h
> > @@ -129,6 +129,10 @@ struct drbg_state {
> >
> > bool seeded; /* DRBG fully seeded? */
> > bool pr; /* Prediction resistance enabled? */
> >
> > +#if IS_ENABLED(CONFIG_CRYPTO_FIPS)
> > + bool fips_primed; /* Continuous test primed? */
> > + unsigned char *prev; /* FIPS 140-2 continuous test value */
> > +#endif
>
> You can still use #ifdef here.

The variables would need to be defined unconditionally if we use a runtime
check in the C code. Is that what you want me to do?

Ciao
Stephan
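
Review bot: in the include/crypto/drbg.h hunk, `fips_primed` and `prev` exist only under `#if IS_ENABLED(CONFIG_CRYPTO_FIPS)`, which does not combine with the `if (IS_ENABLED(CONFIG_CRYPTO_FIPS))` form requested for drbg_fips_continuous_test(). With that form both branches are parsed and type-checked in every configuration, so any reference to `drbg->prev` or `drbg->fips_primed` inside the branch fails to build when the option is off, even though the branch itself is later discarded. Either declare the two members unconditionally, or keep the preprocessor guard in the function body as well, so that header and function agree. Separately, the comment on `prev` does not say how large the buffer is or which code path allocates and frees it; since it holds the previous entropy block, stating the length and the owner next to the member would make the lifetime reviewable.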