Change the DRBG HMAC implementation to lookup allowed digest names
authorMatt Caswell <matt@openssl.org>
Thu, 20 Jun 2019 12:17:22 +0000 (13:17 +0100)
committerMatt Caswell <matt@openssl.org>
Fri, 28 Jun 2019 09:22:21 +0000 (10:22 +0100)
As per the previous commit we make the same change for DRBG HMAC and
more closely align the FIPS_MODE and non FIPS_MODE implementations.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9035)

crypto/rand/drbg_hmac.c

index a6ed58bf6c6819fcbe620ce93f95ec186b8a7c43..baafc590648c0acf4ce75dbf650f7bfc5a1e5147 100644 (file)
@@ -13,6 +13,7 @@
 #include <openssl/err.h>
 #include <openssl/rand.h>
 #include "internal/thread_once.h"
+#include "internal/providercommon.h"
 #include "rand_lcl.h"
 
 /*
@@ -201,19 +202,35 @@ int drbg_hmac_init(RAND_DRBG *drbg)
     EVP_MD *md = NULL;
     RAND_DRBG_HMAC *hmac = &drbg->data.hmac;
 
-#ifndef FIPS_MODE
-    /* Any approved digest is allowed - assume we pass digest (not NID_hmac*) */
-    md = EVP_MD_meth_dup(EVP_get_digestbynid(drbg->type));
-#else
-    /* TODO(3.0): Fill this out with the complete list of allowed digests */
+    /*
+     * Confirm digest is allowed. Outside FIPS_MODE we allow all non-legacy
+     * digests. Inside FIPS_MODE we only allow approved digests. Also no XOF
+     * digests (such as SHAKE).
+     */
     switch (drbg->type) {
     default:
         return 0;
+
+    case NID_sha1:
+    case NID_sha224:
     case NID_sha256:
-        md = EVP_MD_fetch(drbg->libctx, "SHA256", "");
+    case NID_sha384:
+    case NID_sha512:
+    case NID_sha512_224:
+    case NID_sha512_256:
+    case NID_sha3_224:
+    case NID_sha3_256:
+    case NID_sha3_384:
+    case NID_sha3_512:
+#ifndef FIPS_MODE
+    case NID_blake2b512:
+    case NID_blake2s256:
+    case NID_sm3:
+#endif
         break;
     }
-#endif
+
+    md = EVP_MD_fetch(drbg->libctx, ossl_prov_util_nid_to_name(drbg->type), "");
     if (md == NULL)
         return 0;