From: Eric Biggers <ebiggers@kernel.org>
To: linux-crypto@vger.kernel.org, Herbert Xu <herbert@gondor.apana.org.au>
Cc: linux-kernel@vger.kernel.org,
	"Jason A . Donenfeld" <Jason@zx2c4.com>,
	Stephan Mueller <smueller@chronox.de>,
	Eric Biggers <ebiggers@kernel.org>
Subject: [PATCH 09/11] crypto: rng - Make crypto_stdrng_get_bytes() use normal RNG in non-FIPS mode
Date: Wed, 25 Mar 2026 17:15:05 -0700
Message-ID: <20260326001507.66500-10-ebiggers@kernel.org>
In-Reply-To: <20260326001507.66500-1-ebiggers@kernel.org>

"stdrng" is needed only in "FIPS mode".  Therefore, make
crypto_stdrng_get_bytes() delegate to either the normal Linux RNG or to
"stdrng", depending on the current mode.

This will eliminate the need to build the SP800-90A DRBG and its
dependencies into CRYPTO_FIPS=n kernels.

Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
 crypto/rng.c         |  4 ++--
 include/crypto/rng.h | 15 +++++++++++++--
 2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/crypto/rng.c b/crypto/rng.c
index f52f4793f9ea..1d4b9177bad4 100644
--- a/crypto/rng.c
+++ b/crypto/rng.c
@@ -140,11 +140,11 @@ static void crypto_put_default_rng(void)
 	mutex_lock(&crypto_default_rng_lock);
 	crypto_default_rng_refcnt--;
 	mutex_unlock(&crypto_default_rng_lock);
 }
 
-int crypto_stdrng_get_bytes(void *buf, unsigned int len)
+int __crypto_stdrng_get_bytes(void *buf, unsigned int len)
 {
 	int err;
 
 	err = crypto_get_default_rng();
 	if (err)
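Review bot: __crypto_stdrng_get_bytes() has no comment at its definition saying that it is the fips_enabled=1 backend and that callers are expected to go through the crypto_stdrng_get_bytes() inline in include/crypto/rng.h. Since the symbol is still exported under the new name, a short comment above the definition would keep new callers from using it directly and skipping the mode check.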
@@ -152,11 +152,11 @@ int crypto_stdrng_get_bytes(void *buf, unsigned int len)
 
 	err = crypto_rng_get_bytes(crypto_default_rng, buf, len);
 	crypto_put_default_rng();
 	return err;
 }
-EXPORT_SYMBOL_GPL(crypto_stdrng_get_bytes);
+EXPORT_SYMBOL_GPL(__crypto_stdrng_get_bytes);
 
 #if defined(CONFIG_CRYPTO_RNG) || defined(CONFIG_CRYPTO_RNG_MODULE)
 int crypto_del_default_rng(void)
 {
 	int err = -EBUSY;
diff --git a/include/crypto/rng.h b/include/crypto/rng.h
index f61e037afed9..07f494b2c881 100644
--- a/include/crypto/rng.h
+++ b/include/crypto/rng.h
@@ -10,10 +10,12 @@
 #define _CRYPTO_RNG_H
 
 #include <linux/atomic.h>
 #include <linux/container_of.h>
 #include <linux/crypto.h>
+#include <linux/fips.h>
+#include <linux/random.h>
 
 struct crypto_rng;
 
 /**
  * struct rng_alg - random number generator definition
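Review bot: the two added includes cover fips_enabled and get_random_bytes_wait(), but the new inline in this header also calls might_sleep(), and no include is added for it here. Consider including the header that declares might_sleep() explicitly so that crypto/rng.h does not rely on a transitive include.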
@@ -55,22 +57,31 @@ struct rng_alg {
 
 struct crypto_rng {
 	struct crypto_tfm base;
 };
 
+int __crypto_stdrng_get_bytes(void *buf, unsigned int len);
+
 /**
  * crypto_stdrng_get_bytes() - get cryptographically secure random bytes
  * @buf: output buffer holding the random numbers
  * @len: length of the output buffer
  *
  * This function fills the caller-allocated buffer with random numbers using the
- * highest-priority "stdrng" algorithm in the crypto_rng subsystem.
+ * normal Linux RNG if fips_enabled=0, or the highest-priority "stdrng"
+ * algorithm in the crypto_rng subsystem if fips_enabled=1.
  *
  * Context: May sleep
  * Return: 0 function was successful; < 0 if an error occurred
  */
-int crypto_stdrng_get_bytes(void *buf, unsigned int len);
+static inline int crypto_stdrng_get_bytes(void *buf, unsigned int len)
+{
+	might_sleep();
+	if (fips_enabled)
+		return __crypto_stdrng_get_bytes(buf, len);
+	return get_random_bytes_wait(buf, len);
+}
 
 /**
  * DOC: Random number generator API
  *
  * The random number generator API is used with the ciphers of type
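Review bot: the updated kernel-doc for crypto_stdrng_get_bytes() names the two backends but not how their failure behaviour differs: in the fips_enabled=0 branch the return value is now whatever get_random_bytes_wait() returns, not an error from the crypto_rng layer. A sentence in the "Return:" section stating what a negative return means in each mode, and whether the buffer contents may be used after one, would help callers that so far only saw errors from the "stdrng" path.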
-- 
2.53.0


Thread overview: 16+ messages
2026-03-26  0:14 [PATCH 00/11] Stop pulling DRBG code into non-FIPS kernels Eric Biggers
2026-03-26  0:14 ` [PATCH 01/11] crypto: rng - Add crypto_stdrng_get_bytes() Eric Biggers
2026-03-26  1:38   ` Jason A. Donenfeld
2026-03-26  2:31     ` Eric Biggers
2026-03-29 22:50       ` Eric Biggers
2026-03-26  0:14 ` [PATCH 02/11] crypto: dh - Use crypto_stdrng_get_bytes() Eric Biggers
2026-03-26  0:14 ` [PATCH 03/11] crypto: ecc " Eric Biggers
2026-03-26  0:15 ` [PATCH 04/11] crypto: geniv " Eric Biggers
2026-03-26  0:15 ` [PATCH 05/11] crypto: hisilicon/hpre " Eric Biggers
2026-03-26  0:15 ` [PATCH 06/11] crypto: intel/keembay-ocs-ecc " Eric Biggers
2026-03-26  0:15 ` [PATCH 07/11] net: tipc: " Eric Biggers
2026-03-26  0:15 ` [PATCH 08/11] crypto: rng - Unexport "default RNG" symbols Eric Biggers
2026-03-26  0:15 ` Eric Biggers [this message]
2026-03-26  0:15 ` [PATCH 10/11] crypto: fips - Depend on CRYPTO_DRBG=y Eric Biggers
2026-03-26  0:15 ` [PATCH 11/11] crypto: rng - Don't pull in DRBG when CRYPTO_FIPS=n Eric Biggers
2026-04-03  1:05 ` [PATCH 00/11] Stop pulling DRBG code into non-FIPS kernels Herbert Xu
