random: Get maximum 32B of entropy at once in FIPS Mode

Description

random: Get maximum 32B of entropy at once in FIPS Mode

* random/rndgetentropy.c (_gcry_rndgetentropy_gather_random): In fips
mode, gather max 32 B of strong entropy for initialization.

The limitation of our current kernel patch guarantees that only 32B of
strong random data can be gathered using getrandom().

  • Signed-off-by: Jakub Jelen <jjelen@redhat.com>
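The per-call cap described in the commit message, as an added example (not libgcrypt's code and not the patch itself): a gather loop that never asks getrandom() for more than 32 bytes per call when a FIPS flag is set. The helper name `gather_chunked`, the `fips_mode` parameter, the flags value 0 and the 256-byte non-FIPS cap are assumptions of this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/random.h>

#define FIPS_CHUNK_MAX    32   /* per-call cap stated in the commit message */
#define DEFAULT_CHUNK_MAX 256  /* assumption: getrandom(2) documents complete,
                                  uninterrupted reads up to this size */

/* Hypothetical helper, not libgcrypt's function.  Fills buf with len random
   bytes, capping each getrandom() request at 32 bytes in FIPS mode.
   Returns the number of getrandom() calls that delivered data, -1 on error. */
int gather_chunked(unsigned char *buf, size_t len, int fips_mode)
{
    size_t cap = fips_mode ? FIPS_CHUNK_MAX : DEFAULT_CHUNK_MAX;
    int calls = 0;

    while (len > 0) {
        size_t want = len < cap ? len : cap;
        /* flags = 0 is an assumption; the page does not say which flags
           the real code passes. */
        ssize_t got = getrandom(buf, want, 0);
        if (got < 0) {
            if (errno == EINTR)
                continue;          /* interrupted by a signal: retry */
            return -1;             /* e.g. ENOSYS on very old kernels */
        }
        /* Advance by what was actually delivered, so a short read only
           costs an extra call and never leaves part of buf unfilled. */
        buf += got;
        len -= (size_t)got;
        calls++;
    }
    return calls;
}

int main(void)
{
    unsigned char seed[100];
    printf("fips:    %d calls\n", gather_chunked(seed, sizeof seed, 1));
    printf("default: %d calls\n", gather_chunked(seed, sizeof seed, 0));
    return 0;
}
```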

Details

Auditors
werner
Provenance
Jakuje authored on Sep 26 2022, 6:45 PM
gniibe committed on Oct 4 2022, 6:52 AM
Parents
rC567bc62e1c30: tests: Avoid memory leak

Event Timeline

Why is that not stated in my man page which knows about kernel 3.19? Is that a regression or a RedHat specific patch?

Right now, this is specific only to the RHEL kernel, which has this limitation to satisfy the FIPS DRBG chaining requirements. It is not applicable to the generic kernel, but whoever wants to make kernel/libgcrypt FIPS compliant will need some changes to the DRBG anyway.

I initially did not propose this change here, only in https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror/-/merge_requests/7 to give it some test-ride because of the above.

Given that, I do not insist on having this in upstream, but the previous change aab1d63e4def on its own is not solving the requirement either, so we can do one of the following:

  • revert both of these commits and keep it on the downstream patch
  • keep both of the patches and clarify this in comments. I would have to check if we already have some reference for the upstream kernel for this

A minor clarification in the code comment would be enough. Something like: Some non-standard kernels return only 32 bytes of strong entropy to satisfy current FIPS requirements.

I tried to clarify the comment in the following merge request. Feel free to pull it from there or adjust if it is too verbose or missing some points:

https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror/-/merge_requests/7

That's more than sufficient. Thanks.

All concerns with this commit have now been addressed.
Oct 6 2022, 3:07 PM