From: Neil Horman <nhorman@redhat.com> Date: Mon, 6 Oct 2008 12:52:11 -0400 Subject: [crypto] fips: panic kernel if we fail crypto self tests Message-id: 20081006165211.GD3307@hmsendeavour.rdu.redhat.com O-Subject: [RHEL 5.3 PATCH] Panic the kernel if we fail any crypto self tests and are operating in fips_enabled mode (bz 462909) Bugzilla: 462909 RH-Acked-by: Jarod Wilson <jarod@redhat.com> RH-Acked-by: David Miller <davem@redhat.com> Hey all- Backport of a patch I have waiting in Herbers 2.6.28 queue for FIPS compliance. This patch forces a kernel panic in the event that we fail a crypto self test and are running in fips compliant mode. Satisfies bz 462909 Thanks & Regards Neil diff --git a/crypto/testmgr.c b/crypto/testmgr.c index 721bfba..2393aaf 100644 --- a/crypto/testmgr.c +++ b/crypto/testmgr.c @@ -1317,6 +1317,7 @@ static int alg_find_test(const char *alg) int alg_test(const char *driver, const char *alg, u32 type, u32 mask) { int i; + int rc = 0; if ((type & CRYPTO_ALG_TYPE_MASK) == CRYPTO_ALG_TYPE_CIPHER) { char nalg[CRYPTO_MAX_ALG_NAME]; @@ -1329,19 +1330,24 @@ int alg_test(const char *driver, const char *alg, u32 type, u32 mask) if (i < 0) goto notest; - return alg_test_cipher(alg_test_descs + i, driver, type, mask); + rc = alg_test_cipher(alg_test_descs + i, driver, type, mask); + goto test_done; } i = alg_find_test(alg); if (i < 0) goto notest; - return alg_test_descs[i].test(alg_test_descs + i, driver, + rc = alg_test_descs[i].test(alg_test_descs + i, driver, type, mask); + goto test_done; notest: printk(KERN_INFO "alg: No test for %s (%s)\n", alg, driver); - return 0; +test_done: + if (fips_enabled && rc) + panic("%s: %s alg test failed in fips mode!\n", driver, alg); + return rc; } EXPORT_SYMBOL_GPL(alg_test);
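Review bot: In the second hunk of alg_test(), the `notest:` path falls through into `test_done:` with rc still 0, so with fips_enabled set an algorithm that has no entry in alg_test_descs is only logged at KERN_INFO and then accepted, never reaching the panic. If FIPS mode is meant to guarantee that every algorithm has passed a self test, set rc to an error on this path when fips_enabled is set, or add a comment stating that untested algorithms are deliberately allowed and that the fall-through depends on `int rc = 0;` from the first hunk. Minor: the panic() format string ends in "\n", which panic() already appends when it prints the message, so the trailing newline can be dropped. The diff adds no #include, so confirm that fips_enabled is already declared for crypto/testmgr.c in this tree.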