drbg: streamline test for allowed digests
authorPauli <ppzgs1@gmail.com>
Fri, 26 Jul 2024 01:59:09 +0000 (11:59 +1000)
committerPauli <ppzgs1@gmail.com>
Sun, 28 Jul 2024 08:49:52 +0000 (18:49 +1000)
Under FIPS, we've got a whitelist of algorithms.  There is no need to then
also check for XOF digests because they aren't possible.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25007)

providers/implementations/rands/drbg.c

index 66b61bbd33bc654dbcc802779808582c30b2d45c..c15c4606e62da84f1df43125384a3f3472e86bfe 100644 (file)
@@ -1029,11 +1029,12 @@ int ossl_drbg_verify_digest(PROV_DRBG *drbg, OSSL_LIB_CTX *libctx,
             return 0;
         }
     }
-#endif
+#else   /* FIPS_MODULE */
     /* Outside of FIPS, any digests that are not XOF are allowed */
     if ((EVP_MD_get_flags(md) & EVP_MD_FLAG_XOF) != 0) {
         ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED);
         return 0;
     }
+#endif  /* FIPS_MODULE */
     return 1;
 }
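Review bot: With the XOF test moved into the `#else` branch, a FIPS build rejects XOF digests only through the allow-list check above it, and the context lines show that rejection nested two blocks deep (`return 0; } }`). If the inner condition is a policy or indicator test that can let an unapproved digest through, an XOF digest would reach `return 1` and be accepted for the DRBG; this cannot be confirmed from the hunk, because the start of ossl_drbg_verify_digest lies outside it. Either keep the XOF test unconditional by leaving the original `#endif` ahead of it, or state the invariant in the FIPS branch, e.g. `/* FIPS: XOF digests are never on the allow-list, so no separate XOF test is needed */`. A test asserting that a FIPS-provider DRBG refuses an XOF digest under every configuration would pin that invariant.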