drbg: streamline test for allowed digests

Under FIPS, we've got a whitelist of algorithms. There is no need to then also check for XOF digests because they aren't possible. Reviewed-by: Shane Lontis <[email protected]> Reviewed-by: Tom Cosgrove <[email protected]> Reviewed-by: Neil Horman <[email protected]> (Merged from openssl#25007)
siemens · Jul 28, 2024 · 9c57eb7 · 9c57eb7
1 parent 4811efe
commit 9c57eb7
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/providers/implementations/rands/drbg.c b/providers/implementations/rands/drbg.c
@@ -1029,11 +1029,12 @@ int ossl_drbg_verify_digest(PROV_DRBG *drbg, OSSL_LIB_CTX *libctx,
             return 0;
         }
     }
-#endif
+#else   /* FIPS_MODULE */
     /* Outside of FIPS, any digests that are not XOF are allowed */
     if ((EVP_MD_get_flags(md) & EVP_MD_FLAG_XOF) != 0) {
         ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED);
         return 0;
     }
+#endif  /* FIPS_MODULE */
     return 1;
 }