Skip to content

Commit e0537e6

Browse files
tniessenBridgeAR
tniessen
authored and
BridgeAR
committed
crypto: simplify DSA validation in FIPS mode
PR-URL: #29195 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
1 parent 219c195 commit e0537e6

File tree

1 file changed

+23
-49
lines changed

1 file changed

+23
-49
lines changed

src/node_crypto.cc

Lines changed: 23 additions & 49 deletions
Original file line numberDiff line numberDiff line change
@@ -4877,15 +4877,7 @@ static AllocatedBuffer Node_SignFinal(Environment* env,
48774877
return AllocatedBuffer();
48784878
}
48794879

4880-
Sign::SignResult Sign::SignFinal(
4881-
const ManagedEVPPKey& pkey,
4882-
int padding,
4883-
const Maybe<int>& salt_len) {
4884-
if (!mdctx_)
4885-
return SignResult(kSignNotInitialised);
4886-
4887-
EVPMDPointer mdctx = std::move(mdctx_);
4888-
4880+
static inline bool ValidateDSAParameters(EVP_PKEY* key) {
48894881
#ifdef NODE_FIPS_MODE
48904882
/* Validate DSA2 parameters from FIPS 186-4 */
48914883
if (FIPS_mode() && EVP_PKEY_DSA == EVP_PKEY_base_id(pkey.get())) {
@@ -4896,23 +4888,29 @@ Sign::SignResult Sign::SignFinal(
48964888
const BIGNUM* q;
48974889
DSA_get0_pqg(dsa, nullptr, &q, nullptr);
48984890
size_t N = BN_num_bits(q);
4899-
bool result = false;
4900-
4901-
if (L == 1024 && N == 160)
4902-
result = true;
4903-
else if (L == 2048 && N == 224)
4904-
result = true;
4905-
else if (L == 2048 && N == 256)
4906-
result = true;
4907-
else if (L == 3072 && N == 256)
4908-
result = true;
4909-
4910-
if (!result) {
4911-
return SignResult(kSignPrivateKey);
4912-
}
4891+
4892+
return (L == 1024 && N == 160) ||
4893+
(L == 2048 && N == 224) ||
4894+
(L == 2048 && N == 256) ||
4895+
(L == 3072 && N == 256)
49134896
}
49144897
#endif // NODE_FIPS_MODE
49154898

4899+
return true;
4900+
}
4901+
4902+
Sign::SignResult Sign::SignFinal(
4903+
const ManagedEVPPKey& pkey,
4904+
int padding,
4905+
const Maybe<int>& salt_len) {
4906+
if (!mdctx_)
4907+
return SignResult(kSignNotInitialised);
4908+
4909+
EVPMDPointer mdctx = std::move(mdctx_);
4910+
4911+
if (!ValidateDSAParameters(pkey.get()))
4912+
return SignResult(kSignPrivateKey);
4913+
49164914
AllocatedBuffer buffer =
49174915
Node_SignFinal(env(), std::move(mdctx), pkey, padding, salt_len);
49184916
Error error = buffer.data() == nullptr ? kSignPrivateKey : kSignOk;
@@ -4963,32 +4961,8 @@ void SignOneShot(const FunctionCallbackInfo<Value>& args) {
49634961
if (!key)
49644962
return;
49654963

4966-
#ifdef NODE_FIPS_MODE
4967-
/* Validate DSA2 parameters from FIPS 186-4 */
4968-
if (FIPS_mode() && EVP_PKEY_DSA == EVP_PKEY_base_id(key.get())) {
4969-
DSA* dsa = EVP_PKEY_get0_DSA(key.get());
4970-
const BIGNUM* p;
4971-
DSA_get0_pqg(dsa, &p, nullptr, nullptr);
4972-
size_t L = BN_num_bits(p);
4973-
const BIGNUM* q;
4974-
DSA_get0_pqg(dsa, nullptr, &q, nullptr);
4975-
size_t N = BN_num_bits(q);
4976-
bool result = false;
4977-
4978-
if (L == 1024 && N == 160)
4979-
result = true;
4980-
else if (L == 2048 && N == 224)
4981-
result = true;
4982-
else if (L == 2048 && N == 256)
4983-
result = true;
4984-
else if (L == 3072 && N == 256)
4985-
result = true;
4986-
4987-
if (!result) {
4988-
return CheckThrow(env, SignBase::Error::kSignPrivateKey);
4989-
}
4990-
}
4991-
#endif // NODE_FIPS_MODE
4964+
if (!ValidateDSAParameters(key.get()))
4965+
return CheckThrow(env, SignBase::Error::kSignPrivateKey);
49924966

49934967
ArrayBufferViewContents<char> data(args[offset]);
49944968

0 commit comments

Comments
 (0)