Switch BN_generate_dsa_nonce's hash back to SHA-512/256.

SHA-512 is faster to calculate on 64-bit systems and that's what we were
using before. (Though, realistically, this doesn't show up at all.)

Change-Id: Id4f386ca0b5645a863b36405eef03bc62d0f29b3
Reviewed-on: https://boringssl-review.googlesource.com/16006
Commit-Queue: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

crypto/fipsmodule/bn/random.c

@@ -270,16 +270,16 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, const BIGNUM *priv,
   OPENSSL_memcpy(private_bytes, priv->d, todo);
   OPENSSL_memset(private_bytes + todo, 0, sizeof(private_bytes) - todo);
 
-  /* Pass a SHA256 hash of the private key and message as additional data into
+  /* Pass a SHA512 hash of the private key and message as additional data into
    * the RBG. This is a hardening measure against entropy failure. */
-  OPENSSL_COMPILE_ASSERT(SHA256_DIGEST_LENGTH == 32,
-                         additional_data_is_different_size_from_sha256);
-  SHA256_CTX sha;
-  uint8_t digest[SHA256_DIGEST_LENGTH];
-  SHA256_Init(&sha);
-  SHA256_Update(&sha, private_bytes, sizeof(private_bytes));
-  SHA256_Update(&sha, message, message_len);
-  SHA256_Final(digest, &sha);
+  OPENSSL_COMPILE_ASSERT(SHA512_DIGEST_LENGTH >= 32,
+                         additional_data_is_too_large_for_sha512);
+  SHA512_CTX sha;
+  uint8_t digest[SHA512_DIGEST_LENGTH];
+  SHA512_Init(&sha);
+  SHA512_Update(&sha, private_bytes, sizeof(private_bytes));
+  SHA512_Update(&sha, message, message_len);
+  SHA512_Final(digest, &sha);
 
   /* Select a value k from [1, range-1], following FIPS 186-4 appendix B.5.2. */
   return bn_rand_range_with_additional_data(out, 1, range, digest);