crypto: don't expose openssl internals

codebytere · BridgeAR · commit d11ee1951b78 · 2019-09-03T23:45:53.000+02:00
PR-URL: #29325 Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Tobias Nießen <tniessen@tnie.de>
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
@@ -5200,7 +5200,7 @@ template <PublicKeyCipher::Operation operation,
 bool PublicKeyCipher::Cipher(Environment* env,
                              const ManagedEVPPKey& pkey,
                              int padding,
-                             const char* oaep_hash,
+                             const EVP_MD* digest,
                              const unsigned char* data,
                              int len,
                              AllocatedBuffer* out) {
@@ -5212,9 +5212,8 @@ bool PublicKeyCipher::Cipher(Environment* env,
   if (EVP_PKEY_CTX_set_rsa_padding(ctx.get(), padding) <= 0)
     return false;
 
-  if (oaep_hash != nullptr) {
-    if (!EVP_PKEY_CTX_md(ctx.get(), EVP_PKEY_OP_TYPE_CRYPT,
-                         EVP_PKEY_CTRL_RSA_OAEP_MD, oaep_hash))
+  if (digest != nullptr) {
+    if (!EVP_PKEY_CTX_set_rsa_oaep_md(ctx.get(), digest))
       return false;
   }
 
@@ -5256,6 +5255,12 @@ void PublicKeyCipher::Cipher(const FunctionCallbackInfo<Value>& args) {
 
   const node::Utf8Value oaep_str(env->isolate(), args[offset + 2]);
   const char* oaep_hash = args[offset + 2]->IsString() ? *oaep_str : nullptr;
+  const EVP_MD* digest = nullptr;
+  if (oaep_hash != nullptr) {
+    digest = EVP_get_digestbyname(oaep_hash);
+    if (digest == nullptr)
+      return THROW_ERR_OSSL_EVP_INVALID_DIGEST(env);
+  }
 
   AllocatedBuffer out;
 
@@ -5265,7 +5270,7 @@ void PublicKeyCipher::Cipher(const FunctionCallbackInfo<Value>& args) {
       env,
       pkey,
       padding,
-      oaep_hash,
+      digest,
       buf.data(),
       buf.length(),
       &out);
diff --git a/src/node_crypto.h b/src/node_crypto.h
@@ -713,7 +713,7 @@ class PublicKeyCipher {
   static bool Cipher(Environment* env,
                      const ManagedEVPPKey& pkey,
                      int padding,
-                     const char* oaep_hash,
+                     const EVP_MD* digest,
                      const unsigned char* data,
                      int len,
                      AllocatedBuffer* out);
diff --git a/src/node_errors.h b/src/node_errors.h
@@ -42,6 +42,7 @@ void PrintErrorString(const char* format, ...);
   V(ERR_CONSTRUCT_CALL_REQUIRED, TypeError)                                  \
   V(ERR_CONSTRUCT_CALL_INVALID, TypeError)                                   \
   V(ERR_INVALID_ARG_VALUE, TypeError)                                        \
+  V(ERR_OSSL_EVP_INVALID_DIGEST, Error)                                      \
   V(ERR_INVALID_ARG_TYPE, TypeError)                                         \
   V(ERR_INVALID_MODULE_SPECIFIER, TypeError)                                 \
   V(ERR_INVALID_PACKAGE_CONFIG, SyntaxError)                                 \
@@ -89,6 +90,7 @@ void PrintErrorString(const char* format, ...);
   V(ERR_CONSTRUCT_CALL_REQUIRED, "Cannot call constructor without `new`")    \
   V(ERR_INVALID_TRANSFER_OBJECT, "Found invalid object in transferList")     \
   V(ERR_MEMORY_ALLOCATION_FAILED, "Failed to allocate memory")               \
+  V(ERR_OSSL_EVP_INVALID_DIGEST, "Invalid digest used")                      \
   V(ERR_MISSING_MESSAGE_PORT_IN_TRANSFER_LIST,                               \
     "MessagePort was found in message but not listed in transferList")       \
   V(ERR_MISSING_PLATFORM_FOR_WORKER,                                         \
