openssl: Ensure underlying hash algorithm is available during HMAC init
authorTobias Brunner <tobias@strongswan.org>
Tue, 3 Dec 2019 15:11:39 +0000 (16:11 +0100)
committerTobias Brunner <tobias@strongswan.org>
Fri, 6 Dec 2019 09:27:24 +0000 (10:27 +0100)
Without this we only would learn that the algorithm isn't actually
available (e.g. due to FIPS mode) when set_key() is called later, so there
isn't any automatic fallback to other implementations.

Fixes #3284.

src/libstrongswan/plugins/openssl/openssl_hmac.c

index e3f44de..e0b9f21 100644 (file)
@@ -185,6 +185,12 @@ static mac_t *hmac_create(hash_algorithm_t algo)
        this->hmac = &this->hmac_ctx;
 #endif
 
+       /* make sure the underlying hash algorithm is supported */
+       if (!set_key(this, chunk_from_str("")))
+       {
+               destroy(this);
+               return NULL;
+       }
        return &this->public;
 }