Richard van Schagen <vschagen@xxxxxx> wrote: > As part of my EIP93 crypto module I would like to implement the PRNG. > This is intented to be used to automaticly insert an IV for IPSEC / > full ESP processing, but can be used "just as PRNG" and its full ANSI > X9.31 compliant. > > Looking over the code in "ansi_cprng.c" I can implement the none "FIPS" > part since it doesnt require a reseed everytime. For full FIPS it needs > to be seeded by the user which means if I do this in Hardware I can not > "switch" seeds or reseed with another one from another context becasue > that would not give the expected results. > > Is it acceptable to only implement "none-fips" and/or return an error > (-EBUSY ?) when more than 1 call occurs to "cra_init" before the > previous user called "cra_exit" ? Yes you could certainly add such a PRNG. However, please don't make cra_init return an error. Instead you should make all tfms of your PRNG use the same underlying hardware PRNG. IOW it's as if users of those tfms are actually using just one tfm. Cheers, -- Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
