Commit 61140ff

tniessenTrott
authored andcommitted
crypto: simplify DSA validation in FIPS mode
PR-URL: #29195 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Daniel Bevenius <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Michael Dawson <[email protected]>
1 parent f769034 commit 61140ff

1 file changed

+23
-49
lines changed

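--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -4879,15 +4879,7 @@ static AllocatedBuffer Node_SignFinal(Environment* env,
 return AllocatedBuffer();
 }
 
-Sign::SignResult Sign::SignFinal(
-const ManagedEVPPKey& pkey,
-int padding,
-const Maybe<int>& salt_len) {
-if (!mdctx_)
-return SignResult(kSignNotInitialised);
-
-EVPMDPointer mdctx = std::move(mdctx_);
-
+static inline bool ValidateDSAParameters(EVP_PKEY* key) {
 #ifdef NODE_FIPS_MODE
 /* Validate DSA2 parameters from FIPS 186-4 */
 if (FIPS_mode() && EVP_PKEY_DSA == EVP_PKEY_base_id(pkey.get())) {
@@ -4898,23 +4890,29 @@ Sign::SignResult Sign::SignFinal(
 const BIGNUM* q;
 DSA_get0_pqg(dsa, nullptr, &q, nullptr);
 size_t N = BN_num_bits(q);
-bool result = false;
-
-if (L == 1024 && N == 160)
-result = true;
-else if (L == 2048 && N == 224)
-result = true;
-else if (L == 2048 && N == 256)
-result = true;
-else if (L == 3072 && N == 256)
-result = true;
-
-if (!result) {
-return SignResult(kSignPrivateKey);
-}
+
+return (L == 1024 && N == 160) ||
+(L == 2048 && N == 224) ||
+(L == 2048 && N == 256) ||
+(L == 3072 && N == 256)
 }
 #endif // NODE_FIPS_MODE
 
+return true;
+}
+
+Sign::SignResult Sign::SignFinal(
+const ManagedEVPPKey& pkey,
+int padding,
+const Maybe<int>& salt_len) {
+if (!mdctx_)
+return SignResult(kSignNotInitialised);
+
+EVPMDPointer mdctx = std::move(mdctx_);
+
+if (!ValidateDSAParameters(pkey.get()))
+return SignResult(kSignPrivateKey);
+
 AllocatedBuffer buffer =
 Node_SignFinal(env(), std::move(mdctx), pkey, padding, salt_len);
 Error error = buffer.data() == nullptr ? kSignPrivateKey : kSignOk;
@@ -4965,32 +4963,8 @@ void SignOneShot(const FunctionCallbackInfo<Value>& args) {
 if (!key)
 return;
 
-#ifdef NODE_FIPS_MODE
-/* Validate DSA2 parameters from FIPS 186-4 */
-if (FIPS_mode() && EVP_PKEY_DSA == EVP_PKEY_base_id(key.get())) {
-DSA* dsa = EVP_PKEY_get0_DSA(key.get());
-const BIGNUM* p;
-DSA_get0_pqg(dsa, &p, nullptr, nullptr);
-size_t L = BN_num_bits(p);
-const BIGNUM* q;
-DSA_get0_pqg(dsa, nullptr, &q, nullptr);
-size_t N = BN_num_bits(q);
-bool result = false;
-
-if (L == 1024 && N == 160)
-result = true;
-else if (L == 2048 && N == 224)
-result = true;
-else if (L == 2048 && N == 256)
-result = true;
-else if (L == 3072 && N == 256)
-result = true;
-
-if (!result) {
-return CheckThrow(env, SignBase::Error::kSignPrivateKey);
-}
-}
-#endif  // NODE_FIPS_MODE
+if (!ValidateDSAParameters(key.get()))
+return CheckThrow(env, SignBase::Error::kSignPrivateKey);
 
 ArrayBufferViewContents<char> data(args[offset]);
 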
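Review bot: The new helper `ValidateDSAParameters(EVP_PKEY* key)` cannot compile when `NODE_FIPS_MODE` is defined. Its only parameter is the raw pointer `key`, yet the unchanged line inside the `#ifdef` still reads `EVP_PKEY_base_id(pkey.get())`, and the new `return` expression ends at `(L == 3072 && N == 256)` with no semicolon before the closing brace. The first should become `if (FIPS_mode() && EVP_PKEY_DSA == EVP_PKEY_base_id(key)) {` and the last `(L == 3072 && N == 256);`. The lines between the first and second hunk are not shown; they probably still pass `pkey.get()` to `EVP_PKEY_get0_DSA` and would need the same rename. Because this FIPS 186-4 size check is compiled only in FIPS builds, a default build will not catch either error, so the change should be built and tested with a FIPS configuration before it lands.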