SHA512-DRBG default ENTROPY_SCALE_FACTOR on par with SHA256-DRBG

Author: kaleb-himes

wolfssl/wolfcrypt/random.h

@@ -262,12 +262,16 @@ struct OS_Seed {
  * vectors (seedlen = 440 bits for SHA-256, 888 bits for SHA-512 per
  * SP 800-90A Table 2).
  *
- * When the SHA-512 DRBG is enabled we also enforce a floor of
- * DRBG_SHA512_SEED_LEN (111 bytes / 888 bits) so the raw seed is never
- * shorter than the internal state, even with ENTROPY_SCALE_FACTOR = 1. */
+ * In FIPS mode (ENTROPY_SCALE_FACTOR >= 4) the base is already >= 128 bytes
+ * which exceeds DRBG_SHA512_SEED_LEN (111), so both DRBGs use the same
+ * seed size.  In non-FIPS mode we use the base for both DRBGs so that
+ * enabling SHA-512 DRBG does not inflate the per-init entropy cost.
+ * SP 800-90A requires only security_strength bits (256 = 32 bytes) of
+ * entropy regardless of hash size; hash_df compresses the seed material
+ * into the internal V/C state vectors. */
 #define WC_DRBG_SEED_SZ_BASE  (RNG_SECURITY_STRENGTH*ENTROPY_SCALE_FACTOR/8)
 
-#if defined(WOLFSSL_DRBG_SHA512) && \
+#if defined(HAVE_FIPS) && defined(WOLFSSL_DRBG_SHA512) && \
     (WC_DRBG_SEED_SZ_BASE < DRBG_SHA512_SEED_LEN)
     #define WC_DRBG_SEED_SZ    DRBG_SHA512_SEED_LEN
 #else