From: Eric Biggers <ebiggers@kernel.org>
Date: Thu, 26 Mar 2026 00:15:05 +0000 (-0700)
Subject: crypto: rng - Make crypto_stdrng_get_bytes() use normal RNG in non-FIPS mode
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=65b3c2f6278516397bebcdbf4698bd3102120ca5;p=thirdparty%2Flinux.git

crypto: rng - Make crypto_stdrng_get_bytes() use normal RNG in non-FIPS mode

"stdrng" is needed only in "FIPS mode".  Therefore, make
crypto_stdrng_get_bytes() delegate to either the normal Linux RNG or to
"stdrng", depending on the current mode.

This will eliminate the need to built the SP800-90A DRBG and its
dependencies into CRYPTO_FIPS=n kernels.

Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
---

diff --git a/crypto/rng.c b/crypto/rng.c
index f52f4793f9ea5..1d4b9177bad4d 100644
--- a/crypto/rng.c
+++ b/crypto/rng.c
@@ -142,7 +142,7 @@ static void crypto_put_default_rng(void)
 	mutex_unlock(&crypto_default_rng_lock);
 }
 
-int crypto_stdrng_get_bytes(void *buf, unsigned int len)
+int __crypto_stdrng_get_bytes(void *buf, unsigned int len)
 {
 	int err;
 
@@ -154,7 +154,7 @@ int crypto_stdrng_get_bytes(void *buf, unsigned int len)
 	crypto_put_default_rng();
 	return err;
 }
-EXPORT_SYMBOL_GPL(crypto_stdrng_get_bytes);
+EXPORT_SYMBOL_GPL(__crypto_stdrng_get_bytes);
 
 #if defined(CONFIG_CRYPTO_RNG) || defined(CONFIG_CRYPTO_RNG_MODULE)
 int crypto_del_default_rng(void)
diff --git a/include/crypto/rng.h b/include/crypto/rng.h
index f61e037afed92..07f494b2c8817 100644
--- a/include/crypto/rng.h
+++ b/include/crypto/rng.h
@@ -12,6 +12,8 @@
 #include <linux/atomic.h>
 #include <linux/container_of.h>
 #include <linux/crypto.h>
+#include <linux/fips.h>
+#include <linux/random.h>
 
 struct crypto_rng;
 
@@ -57,18 +59,27 @@ struct crypto_rng {
 	struct crypto_tfm base;
 };
 
+int __crypto_stdrng_get_bytes(void *buf, unsigned int len);
+
 /**
  * crypto_stdrng_get_bytes() - get cryptographically secure random bytes
  * @buf: output buffer holding the random numbers
  * @len: length of the output buffer
  *
  * This function fills the caller-allocated buffer with random numbers using the
- * highest-priority "stdrng" algorithm in the crypto_rng subsystem.
+ * normal Linux RNG if fips_enabled=0, or the highest-priority "stdrng"
+ * algorithm in the crypto_rng subsystem if fips_enabled=1.
  *
  * Context: May sleep
  * Return: 0 function was successful; < 0 if an error occurred
  */
-int crypto_stdrng_get_bytes(void *buf, unsigned int len);
+static inline int crypto_stdrng_get_bytes(void *buf, unsigned int len)
+{
+	might_sleep();
+	if (fips_enabled)
+		return __crypto_stdrng_get_bytes(buf, len);
+	return get_random_bytes_wait(buf, len);
+}
 
 /**
  * DOC: Random number generator API