Diffstat (limited to 'providers/implementations/rands/drbg.c')
-rw-r--r-- | providers/implementations/rands/drbg.c | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/providers/implementations/rands/drbg.c b/providers/implementations/rands/drbg.c
index de9b2a5a44..cae7718b84 100644
--- a/providers/implementations/rands/drbg.c
+++ b/providers/implementations/rands/drbg.c
@@ -922,3 +922,32 @@ int ossl_drbg_set_ctx_params(PROV_DRBG *drbg, const OSSL_PARAM params[])
 return 0;
 return 1;
 }
+
+/* Confirm digest is allowed to be used with a DRBG */
+int ossl_drbg_verify_digest(ossl_unused OSSL_LIB_CTX *libctx, const EVP_MD *md)
+{
+#ifdef FIPS_MODULE
+ /* FIPS 140-3 IG D.R limited DRBG digests to a specific set */
+ static const char *const allowed_digests[] = {
+ "SHA1", /* SHA 1 allowed */
+ "SHA2-256", "SHA2-512", /* non-truncated SHA2 allowed */
+ "SHA3-256", "SHA3-512", /* non-truncated SHA3 allowed */
+ };
+ size_t i;
+ extern int FIPS_restricted_drbg_digests_enabled(OSSL_LIB_CTX *libctx);
+
+ if (FIPS_restricted_drbg_digests_enabled(libctx)) {
+ for (i = 0; i < OSSL_NELEM(allowed_digests); i++)
+ if (EVP_MD_is_a(md, allowed_digests[i]))
+ return 1;
+ ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED);
+ return 0;
+ }
+#endif
+ /* Outside of FIPS, any digests that are not XOF are allowed */
+ if ((EVP_MD_get_flags(md) & EVP_MD_FLAG_XOF) != 0) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED);
+ return 0;
+ }
+ return 1;
+} |
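Review bot: The block-scope `extern int FIPS_restricted_drbg_digests_enabled(OSSL_LIB_CTX *libctx);` inside ossl_drbg_verify_digest() is never checked by the compiler against the real definition, so a later signature change would go unnoticed in the very call that decides which digests a FIPS DRBG accepts; the declaration belongs in a header that both the definition and drbg.c include. The comment `/* Outside of FIPS, any digests that are not XOF are allowed */` also understates the fall-through, because the same path is taken inside the FIPS module whenever FIPS_restricted_drbg_digests_enabled() returns 0; I would reword it to `/* Restriction not in force (non-FIPS build, or check disabled): any non-XOF digest is allowed */`. md reaches EVP_MD_get_flags() without a NULL check; presumably callers only pass a successfully fetched digest, but the function's header comment should state that precondition along with the 1 = allowed / 0 = rejected-with-error return convention.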