From: Pauli <ppzgs1@gmail.com>
Date: Fri, 26 Jul 2024 01:59:09 +0000 (+1000)
Subject: drbg: streamline test for allowed digests
X-Git-Tag: openssl-3.4.0-alpha1~271
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9c57eb736e9f4d63380d31f37c6c2a1fa267df9b;p=thirdparty%2Fopenssl.git

drbg: streamline test for allowed digests

Under FIPS, we've got a whitelist of algorithms.  There is no need to then
also check for XOF digests because they aren't possible.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25007)
---

diff --git a/providers/implementations/rands/drbg.c b/providers/implementations/rands/drbg.c
index 66b61bbd33b..c15c4606e62 100644
--- a/providers/implementations/rands/drbg.c
+++ b/providers/implementations/rands/drbg.c
@@ -1029,11 +1029,12 @@ int ossl_drbg_verify_digest(PROV_DRBG *drbg, OSSL_LIB_CTX *libctx,
             return 0;
         }
     }
-#endif
+#else   /* FIPS_MODULE */
     /* Outside of FIPS, any digests that are not XOF are allowed */
     if ((EVP_MD_get_flags(md) & EVP_MD_FLAG_XOF) != 0) {
         ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED);
         return 0;
     }
+#endif  /* FIPS_MODULE */
     return 1;
 }