kernel-2.6.18-238.el5.src.rpm

From: Neil Horman <nhorman@redhat.com>
Date: Mon, 6 Oct 2008 12:52:11 -0400
Subject: [crypto] fips: panic kernel if we fail crypto self tests
Message-id: 20081006165211.GD3307@hmsendeavour.rdu.redhat.com
O-Subject: [RHEL 5.3 PATCH] Panic the kernel if we fail any crypto self tests and are operating in fips_enabled mode (bz 462909)
Bugzilla: 462909
RH-Acked-by: Jarod Wilson <jarod@redhat.com>
RH-Acked-by: David Miller <davem@redhat.com>

Hey all-
	Backport of a patch I have waiting in Herbert's 2.6.28 queue for FIPS
compliance.  This patch forces a kernel panic in the event that we fail a crypto
self test while running in FIPS-compliant mode.  Satisfies bz 462909.

Thanks & Regards
Neil

diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index 721bfba..2393aaf 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -1317,6 +1317,7 @@ static int alg_find_test(const char *alg)
 int alg_test(const char *driver, const char *alg, u32 type, u32 mask)
 {
 	int i;
+	int rc = 0;
 
 	if ((type & CRYPTO_ALG_TYPE_MASK) == CRYPTO_ALG_TYPE_CIPHER) {
 		char nalg[CRYPTO_MAX_ALG_NAME];
@@ -1329,19 +1330,24 @@ int alg_test(const char *driver, const char *alg, u32 type, u32 mask)
 		if (i < 0)
 			goto notest;
 
-		return alg_test_cipher(alg_test_descs + i, driver, type, mask);
+		rc = alg_test_cipher(alg_test_descs + i, driver, type, mask);
+		goto test_done;
 	}
 
 	i = alg_find_test(alg);
 	if (i < 0)
 		goto notest;
 
-	return alg_test_descs[i].test(alg_test_descs + i, driver,
+	rc = alg_test_descs[i].test(alg_test_descs + i, driver,
 				      type, mask);
+	goto test_done;
 
 notest:
 	printk(KERN_INFO "alg: No test for %s (%s)\n", alg, driver);
-	return 0;
+test_done:
+	if (fips_enabled && rc)
+		panic("%s: %s alg test failed in fips mode!\n", driver, alg);
+	return rc;
 }
 EXPORT_SYMBOL_GPL(alg_test);
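Review bot: The `notest:` path falls through to `test_done` with `rc` still 0, so with `fips_enabled` set an algorithm that has no entry in `alg_test_descs` is reported as passing and only logged at KERN_INFO, while a failing test panics. If that is intentional for this backport, say so at the label, e.g. `/* no self-test available: not treated as a failure, even in fips mode */`. If untested algorithms should not be usable in FIPS mode, that case needs its own error return, which this hunk does not add. The body of alg_test starts in the previous hunk and the lines between the two hunks are not shown, so the cipher-name handling before `if (i < 0)` could not be checked.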