From 6b347d5232c7a8f5637e752ae36591d39aad0cee Mon Sep 17 00:00:00 2001 From: Tobias Brunner Date: Tue, 3 Dec 2019 16:11:39 +0100 Subject: [PATCH] openssl: Ensure underlying hash algorithm is available during HMAC init Without this we only would learn that the algorithm isn't actually available (e.g. due to FIPS mode) when set_key() is called later, so there isn't any automatic fallback to other implementations. Fixes #3284. --- src/libstrongswan/plugins/openssl/openssl_hmac.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/libstrongswan/plugins/openssl/openssl_hmac.c b/src/libstrongswan/plugins/openssl/openssl_hmac.c index e3f44de..e0b9f21 100644 --- a/src/libstrongswan/plugins/openssl/openssl_hmac.c +++ b/src/libstrongswan/plugins/openssl/openssl_hmac.c @@ -185,6 +185,12 @@ static mac_t *hmac_create(hash_algorithm_t algo) this->hmac = &this->hmac_ctx; #endif + /* make sure the underlying hash algorithm is supported */ + if (!set_key(this, chunk_from_str(""))) + { + destroy(this); + return NULL; + } return &this->public; } -- 2.7.4