On Friday, 3 May 2019, 03:42:41 CEST, Herbert Xu wrote:

Hi Herbert,

> On Thu, May 02, 2019 at 06:38:12PM +0200, Stephan Müller wrote:
> > +static int drbg_fips_continuous_test(struct drbg_state *drbg,
> > +                                const unsigned char *entropy)
> > +{
> > +#if IS_ENABLED(CONFIG_CRYPTO_FIPS)
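Review bot: the `drbg_fips_continuous_test()` signature takes `entropy` as a bare pointer with no length and returns `int` with no stated convention, so a comment above the function should say how many bytes are compared and what each return value tells the caller. With the body opening on `#if IS_ENABLED(CONFIG_CRYPTO_FIPS)`, a build without the option never compiles what follows, so mistakes in it surface only in FIPS configurations.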
> 
> This should look like
> 
>       if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) {
>               ...
>       } else {
>               ...
>       }
> 
> This way the compiler will see everything regardless of whether
> FIPS is enabled or not.
> 
> > diff --git a/include/crypto/drbg.h b/include/crypto/drbg.h
> > index 3fb581bf3b87..939051480c83 100644
> > --- a/include/crypto/drbg.h
> > +++ b/include/crypto/drbg.h
> > @@ -129,6 +129,10 @@ struct drbg_state {
> > 
> >     bool seeded;            /* DRBG fully seeded? */
> >     bool pr;                /* Prediction resistance enabled? */
> > 
> > +#if IS_ENABLED(CONFIG_CRYPTO_FIPS)
> > +   bool fips_primed;       /* Continuous test primed? */
> > +   unsigned char *prev;    /* FIPS 140-2 continuous test value */
> > +#endif
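Review bot: `unsigned char *prev` is added with no indication of its length or of who allocates and frees it; since the comment says it holds the continuous test value, state the size there and make sure the patch pairs the allocation with a zeroing free on teardown. Because both members sit under `#if IS_ENABLED(CONFIG_CRYPTO_FIPS)`, every access to `fips_primed` or `prev` has to sit under the same preprocessor guard, which constrains how the test function can be written.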
> 
> You can still use #ifdef here.

The variables would need to be defined unconditionally if we use a runtime 
check in the C code. Is that what you want me to do?

Ciao
Stephan
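The pattern under discussion, as an added userspace sketch that is not part of the patch or the kernel source: a constant-condition `if` replaces `#if`, which requires the state members to exist in every configuration. `DEMO_FIPS_ENABLED`, `DEMO_BLOCK_LEN`, `struct demo_state`, `demo_continuous_test` and the return codes are assumptions made for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumption: stands in for the kernel's IS_ENABLED(CONFIG_CRYPTO_FIPS). */
#ifndef DEMO_FIPS_ENABLED
#define DEMO_FIPS_ENABLED 1
#endif
#define DEMO_BLOCK_LEN 16 /* assumed entropy block size */

/* Defined unconditionally: the if () below is compiled in every build. */
struct demo_state {
	bool fips_primed;                   /* continuous test primed? */
	unsigned char prev[DEMO_BLOCK_LEN]; /* previous entropy block */
};

/* Assumed convention: 0 = usable, -EAGAIN = primed only, -EFAULT = repeat. */
static int demo_continuous_test(struct demo_state *st,
				const unsigned char *entropy)
{
	if (!DEMO_FIPS_ENABLED)
		return 0; /* rest is dead code when off, yet still type-checked */

	if (!st->fips_primed) {
		memcpy(st->prev, entropy, DEMO_BLOCK_LEN);
		st->fips_primed = true;
		return -EAGAIN; /* caller must fetch another block */
	}
	if (memcmp(st->prev, entropy, DEMO_BLOCK_LEN) == 0)
		return -EFAULT; /* source repeated itself */
	memcpy(st->prev, entropy, DEMO_BLOCK_LEN);
	return 0;
}

int main(void)
{
	struct demo_state st = { 0 };
	unsigned char a[DEMO_BLOCK_LEN], b[DEMO_BLOCK_LEN]; /* constructed input */

	memset(a, 0x11, sizeof(a));
	memset(b, 0x22, sizeof(b));
	int r1 = demo_continuous_test(&st, a); /* primes the test */
	int r2 = demo_continuous_test(&st, a); /* identical block repeated */
	int r3 = demo_continuous_test(&st, b); /* fresh block */
	printf("%d %d %d\n", r1, r2, r3);
	return 0;
}
```

Building with `-DDEMO_FIPS_ENABLED=0` still compiles the whole function, and every call then returns 0.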

