X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=fips%2Frand%2Ffips_drbg_hash.c;h=4b3b72340702e202cf068d3d9625718bec767f9e;hp=b20d0726466af0f405fb89e4668a977882fdc5b0;hb=4420b3b17acf19f78f4fdea1a69d5f0a644c8154;hpb=52b6ee8245c06042fd4f1bfea32f652ebe1774f3
diff --git a/fips/rand/fips_drbg_hash.c b/fips/rand/fips_drbg_hash.c
index b20d072646..4b3b723407 100644
--- a/fips/rand/fips_drbg_hash.c
+++ b/fips/rand/fips_drbg_hash.c
@@ -56,8 +56,6 @@
 #include
 #include
 #include
-#include
-#include
 #include
 #include
 #include "fips_rand_lcl.h"
@@ -195,17 +193,29 @@ static int hash_gen(DRBG_CTX *dctx, unsigned char *out, size_t outlen)
 {
 FIPS_digestinit(&hctx->mctx, hctx->md);
 FIPS_digestupdate(&hctx->mctx, hctx->vtmp, dctx->seedlen);
- if (outlen < dctx->blocklength)
+ if (!(dctx->xflags & DRBG_FLAG_TEST) && !dctx->lb_valid)
+ {
+ FIPS_digestfinal(&hctx->mctx, dctx->lb, NULL);
+ dctx->lb_valid = 1;
+ }
+ else if (outlen < dctx->blocklength)
 {
 FIPS_digestfinal(&hctx->mctx, hctx->vtmp, NULL);
+ if (!fips_drbg_cprng_test(dctx, hctx->vtmp))
+ return 0;
 memcpy(out, hctx->vtmp, outlen);
 return 1;
 }
- FIPS_digestfinal(&hctx->mctx, out, NULL);
- outlen -= dctx->blocklength;
- if (outlen == 0)
- return 1;
- out += dctx->blocklength;
+ else
+ {
+ FIPS_digestfinal(&hctx->mctx, out, NULL);
+ if (!fips_drbg_cprng_test(dctx, out))
+ return 0;
+ outlen -= dctx->blocklength;
+ if (outlen == 0)
+ return 1;
+ out += dctx->blocklength;
+ }
 ctx_add_buf(dctx, hctx->vtmp, NULL, 0);
 }
 }
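Review bot: The new first branch in hash_gen sets `dctx->lb_valid = 1` without checking whether `FIPS_digestfinal(&hctx->mctx, dctx->lb, NULL)` succeeded, so a failed digest would leave the continuous-test reference block holding stale or uninitialised bytes that every later block is compared against. Assuming FIPS_digestfinal reports failure through its return value as the EVP digest calls do, the branch should fail closed with `if (!FIPS_digestfinal(&hctx->mctx, dctx->lb, NULL)) return 0;` before the flag is set. A short comment such as `/* first block only seeds the continuous test and is never output */` would also help, since this branch silently consumes one block and falls through to `ctx_add_buf`. The other FIPS_digest* calls in the loop are unchecked in the same way, and the loop itself begins outside this hunk.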
@@ -317,37 +327,22 @@ int fips_drbg_hash_init(DRBG_CTX *dctx) { const EVP_MD *md; DRBG_HASH_CTX *hctx = &dctx->d.hash; + md = FIPS_get_digestbynid(dctx->type); + if (!md) + return -2; switch (dctx->type) { case NID_sha1: - md = EVP_sha1(); dctx->strength = 128; break; case NID_sha224: - md = EVP_sha224(); dctx->strength = 192; break; - case NID_sha256: - md = EVP_sha256(); - dctx->strength = 256; - break; - - case NID_sha384: - md = EVP_sha384(); - dctx->strength = 256; - break; - - case NID_sha512: - md = EVP_sha512(); - dctx->strength = 256; - break; - default: - return -2; + dctx->strength = 256; break; - } dctx->instantiate = drbg_hash_instantiate; @@ -376,7 +371,7 @@ int fips_drbg_hash_init(DRBG_CTX *dctx) dctx->max_pers = DRBG_MAX_LENGTH; dctx->max_adin = DRBG_MAX_LENGTH; - dctx->max_request = 1<<19; + dctx->max_request = 1<<16; dctx->reseed_interval = 1<<24; return 1;
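Review bot: The `default:` arm of the switch in fips_drbg_hash_init now assigns `dctx->strength = 256` to every NID that `FIPS_get_digestbynid` resolves, so the set of digests accepted for Hash_DRBG is no longer stated in this file and depends entirely on what that lookup returns. If the lookup can ever return a digest other than SHA-256/384/512 (not visible from this hunk), it would be instantiated with a claimed 256-bit strength instead of being rejected with -2 as before. Keeping the three SHA-2 NIDs as explicit fall-through cases and leaving `default:` as the rejection path preserves the allow-list while still using the lookup for `md`. The function continues outside the hunk.

```c
	switch (dctx->type)
		{
		/* … unchanged: NID_sha1 and NID_sha224 cases … */

		case NID_sha256:
		case NID_sha384:
		case NID_sha512:
		dctx->strength = 256;
		break;

		default:
		return -2;
		}
```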
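Review bot: The new `dctx->max_request = 1<<16;` carries no comment saying which unit the limit is in, and the change from `1<<19` only makes sense once the unit is known. SP 800-90A caps a Hash_DRBG request at 2^19 bits, which is 2^16 bytes, so the field is presumably compared against byte lengths; that comparison is outside this hunk. I would add `/* SP 800-90A: at most 2^19 bits (2^16 bytes) per generate request */` above the assignment so the bound is not changed back by mistake.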