OpenSSL enforces a minimum of 14 bytes (112 bits) on the key size when
used in FIPS-mode (as required by SP 800-131A). So by using an empty
string, instantiation always failed. 32 bytes (256 bits) should be safe
for now.
Closes strongswan/strongswan#557
private_mac_t *this, chunk_t key)
{
if (!key.ptr)
- { /* HMAC_Init_ex() won't reset the key if a NULL pointer is passed */
- key = chunk_from_str("");
+ { /* HMAC_Init_ex() won't reset the key if a NULL pointer is passed,
+ * use a lenghty string in case there is a limit in FIPS-mode */
+ key = chunk_from_str("00000000000000000000000000000000");
}
return reset(this, key);
}
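Review bot: The new comment in set_key() misspells "lengthy" as "lenghty" and says only "in case there is a limit", while the commit message gives the actual constraint: OpenSSL's 14-byte (112-bit) minimum in FIPS mode, per SP 800-131A. Put that constraint in the comment so the 32-character literal is not a magic value. A named constant for the placeholder would also make it clear that this fixed, publicly known string is only a stand-in until the caller sets a real key.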
#endif
/* make sure the underlying hash algorithm is supported */
- if (!set_key(this, chunk_from_str("")))
+ if (!set_key(this, chunk_empty))
{
destroy(this);
return NULL;
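Review bot: The call set_key(this, chunk_empty) in the algorithm-support check now depends on set_key() replacing a NULL key.ptr with the 32-byte placeholder, and nothing at the call site says so. Extend the "make sure the underlying hash algorithm is supported" comment to note that the empty chunk is passed deliberately to get the placeholder key, so that a later change to the fallback in set_key() does not silently bring back the FIPS-mode instantiation failure.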