From: Tobias Brunner <tobias@strongswan.org>
Date: Tue, 3 Dec 2019 15:11:39 +0000 (+0100)
Subject: openssl: Ensure underlying hash algorithm is available during HMAC init
X-Git-Tag: 5.8.2rc1~5
X-Git-Url: https://git.strongswan.org/?p=strongswan.git;a=commitdiff_plain;h=6b347d5232c7a8f5637e752ae36591d39aad0cee;hp=96b8fa72b39bb6c416ddf99e3887270e5b0c27e9

openssl: Ensure underlying hash algorithm is available during HMAC init

Without this we only would learn that the algorithm isn't actually
available (e.g. due to FIPS mode) when set_key() is called later, so there
isn't any automatic fallback to other implementations.

Fixes #3284.
---

diff --git a/src/libstrongswan/plugins/openssl/openssl_hmac.c b/src/libstrongswan/plugins/openssl/openssl_hmac.c
index e3f44de..e0b9f21 100644
--- a/src/libstrongswan/plugins/openssl/openssl_hmac.c
+++ b/src/libstrongswan/plugins/openssl/openssl_hmac.c
@@ -185,6 +185,12 @@ static mac_t *hmac_create(hash_algorithm_t algo)
 	this->hmac = &this->hmac_ctx;
 #endif
 
+	/* make sure the underlying hash algorithm is supported */
+	if (!set_key(this, chunk_from_str("")))
+	{
+		destroy(this);
+		return NULL;
+	}
 	return &this->public;
 }