From: Tobias Brunner <tobias@strongswan.org>
Date: Fri, 21 Feb 2025 07:09:31 +0000 (+0100)
Subject: wolfssl: Set a dummy key when testing KDF implementations
X-Git-Tag: 6.0.2dr1~3^2~2
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=879e3ce05a5c526a101087340d54361c4d437dda;p=thirdparty%2Fstrongswan.git

wolfssl: Set a dummy key when testing KDF implementations

In FIPS mode, wolfSSL enforces a minimum key size for these algorithms.
---

diff --git a/src/libstrongswan/plugins/wolfssl/wolfssl_kdf.c b/src/libstrongswan/plugins/wolfssl/wolfssl_kdf.c
index dafc6abf92..da06cab310 100644
--- a/src/libstrongswan/plugins/wolfssl/wolfssl_kdf.c
+++ b/src/libstrongswan/plugins/wolfssl/wolfssl_kdf.c
@@ -156,6 +156,7 @@ kdf_t *wolfssl_kdf_create(key_derivation_function_t algo, va_list args)
 	pseudo_random_function_t prf_alg;
 	enum wc_HashType hash;
 	char buf[HASH_SIZE_SHA512];
+	chunk_t dummy_key = chunk_create(buf, sizeof(buf));
 
 	if (algo != KDF_PRF && algo != KDF_PRF_PLUS)
 	{
@@ -179,9 +180,11 @@ kdf_t *wolfssl_kdf_create(key_derivation_function_t algo, va_list args)
 		},
 		.type = algo,
 		.hash = hash,
+		.key = chunk_clone(dummy_key),
 	);
 
-	/* test if we can actually use the algorithm */
+	/* test if we can actually use the algorithm (using a long dummy key in
+	 * case FIPS mode is used) */
 	if (!get_bytes(this, algo == KDF_PRF ? get_length(this) : sizeof(buf), buf))
 	{
 		destroy(this);