crypto: rng - Make crypto_stdrng_get_bytes() use normal RNG in non-FIPS mode

"stdrng" is needed only in "FIPS mode".  Therefore, make
crypto_stdrng_get_bytes() delegate to either the normal Linux RNG or to
"stdrng", depending on the current mode.

This will eliminate the need to built the SP800-90A DRBG and its
dependencies into CRYPTO_FIPS=n kernels.

Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/crypto/rng.c b/crypto/rng.c
index f52f4793f9ea58a75769023121da48b7b3b7e43c..1d4b9177bad4d4a8f163040e6ec2f988aa3ea501 100644 (file)
--- a/crypto/rng.c
+++ b/crypto/rng.c
@@ -142,7 +142,7 @@ static void crypto_put_default_rng(void)
        mutex_unlock(&crypto_default_rng_lock);
 }
 
-int crypto_stdrng_get_bytes(void *buf, unsigned int len)
+int __crypto_stdrng_get_bytes(void *buf, unsigned int len)
 {
        int err;
 
@@ -154,7 +154,7 @@ int crypto_stdrng_get_bytes(void *buf, unsigned int len)
        crypto_put_default_rng();
        return err;
 }
-EXPORT_SYMBOL_GPL(crypto_stdrng_get_bytes);
+EXPORT_SYMBOL_GPL(__crypto_stdrng_get_bytes);
 
 #if defined(CONFIG_CRYPTO_RNG) || defined(CONFIG_CRYPTO_RNG_MODULE)
 int crypto_del_default_rng(void)

diff --git a/include/crypto/rng.h b/include/crypto/rng.h
index f61e037afed928c3093eb49b448cf0b9807eabfa..07f494b2c8817d82ea9d47c0ee5bfe4b32ede60e 100644 (file)
--- a/include/crypto/rng.h
+++ b/include/crypto/rng.h
@@ -12,6 +12,8 @@
 #include <linux/atomic.h>
 #include <linux/container_of.h>
 #include <linux/crypto.h>
+#include <linux/fips.h>
+#include <linux/random.h>
 
 struct crypto_rng;
 
@@ -57,18 +59,27 @@ struct crypto_rng {
        struct crypto_tfm base;
 };
 
+int __crypto_stdrng_get_bytes(void *buf, unsigned int len);
+
 /**
  * crypto_stdrng_get_bytes() - get cryptographically secure random bytes
  * @buf: output buffer holding the random numbers
  * @len: length of the output buffer
  *
  * This function fills the caller-allocated buffer with random numbers using the
- * highest-priority "stdrng" algorithm in the crypto_rng subsystem.
+ * normal Linux RNG if fips_enabled=0, or the highest-priority "stdrng"
+ * algorithm in the crypto_rng subsystem if fips_enabled=1.
  *
  * Context: May sleep
  * Return: 0 function was successful; < 0 if an error occurred
  */
-int crypto_stdrng_get_bytes(void *buf, unsigned int len);
+static inline int crypto_stdrng_get_bytes(void *buf, unsigned int len)
+{
+       might_sleep();
+       if (fips_enabled)
+               return __crypto_stdrng_get_bytes(buf, len);
+       return get_random_bytes_wait(buf, len);
+}
 
 /**
  * DOC: Random number generator API