Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crypto: DSA parameter validation in FIPS mode #3756

Closed
wants to merge 3 commits into from
Closed

crypto: DSA parameter validation in FIPS mode #3756

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
c308612
crypto: DSA parameter validation in FIPS mode
stefanmb Nov 10, 2015
27712a2
test: add test for invalid DSA key size
stefanmb Nov 13, 2015
76f50a9
test: add hasFipsCrypto to test/common.js
stefanmb Nov 12, 2015
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 23 additions & 0 deletions src/node_crypto.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3746,6 +3746,29 @@ SignBase::Error Sign::SignFinal(const char* key_pem,
if (pkey == nullptr || 0 != ERR_peek_error())
goto exit;

#ifdef NODE_FIPS_MODE
/* Validate DSA2 parameters from FIPS 186-4 */
if (EVP_PKEY_DSA == pkey->type) {
size_t L = BN_num_bits(pkey->pkey.dsa->p);
size_t N = BN_num_bits(pkey->pkey.dsa->q);
bool result = false;

if (L == 1024 && N == 160)
result = true;
else if (L == 2048 && N == 224)
result = true;
else if (L == 2048 && N == 256)
result = true;
else if (L == 3072 && N == 256)
result = true;

if (!result) {
fatal = true;
goto exit;
}
}
#endif // NODE_FIPS_MODE

if (EVP_SignFinal(&mdctx_, *sig, sig_len, pkey))
fatal = false;

Expand Down
14 changes: 11 additions & 3 deletions test/common.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -137,9 +137,17 @@ Object.defineProperty(exports, 'opensslCli', {get: function() {
return opensslCli;
}, enumerable: true });

Object.defineProperty(exports, 'hasCrypto', {get: function() {
return process.versions.openssl ? true : false;
}});
Object.defineProperty(exports, 'hasCrypto', {
get: function() {
return process.versions.openssl ? true : false;
}
});

Object.defineProperty(exports, 'hasFipsCrypto', {
get: function() {
return process.config.variables.openssl_fips ? true : false;
}
});

if (exports.isWindows) {
exports.PIPE = '\\\\.\\pipe\\libuv-test';
Expand Down
11 changes: 10 additions & 1 deletion test/fixtures/keys/Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
all: agent1-cert.pem agent2-cert.pem agent3-cert.pem agent4-cert.pem agent5-cert.pem ca2-crl.pem ec-cert.pem dh512.pem dh1024.pem dh2048.pem rsa_private_1024.pem rsa_private_2048.pem rsa_private_4096.pem rsa_public_1024.pem rsa_public_2048.pem rsa_public_4096.pem
all: agent1-cert.pem agent2-cert.pem agent3-cert.pem agent4-cert.pem agent5-cert.pem ca2-crl.pem ec-cert.pem dh512.pem dh1024.pem dh2048.pem dsa1025.pem dsa_private_1025.pem dsa_public_1025.pem rsa_private_1024.pem rsa_private_2048.pem rsa_private_4096.pem rsa_public_1024.pem rsa_public_2048.pem rsa_public_4096.pem


#
Expand Down Expand Up @@ -267,6 +267,15 @@ dh1024.pem:
dh2048.pem:
openssl dhparam -out dh2048.pem 2048

dsa1025.pem:
openssl dsaparam -out dsa1025.pem 1025

dsa_private_1025.pem:
openssl gendsa -out dsa_private_1025.pem dsa1025.pem

dsa_public_1025.pem:
openssl dsa -in dsa_private_1025.pem -pubout -out dsa_public_1025.pem

rsa_private_1024.pem:
openssl genrsa -out rsa_private_1024.pem 1024

Expand Down
9 changes: 9 additions & 0 deletions test/fixtures/keys/dsa1025.pem
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
-----BEGIN DSA PARAMETERS-----
MIIBLgKBiQCtjGXOH3Rq+lM09nwe6nbShOduCyfjgZhgMZ2WfY6PYLW3gNnhNYT7
88rZbECcyKlyzRApFgs9KMfiqWfWIhQn+FmolmeUNdRXpmkGyJAqY63GobI8S1Jn
xYbwdH7PsV1IwM56ylrnpdUDhSH7+Y95rgEIUXX9OHS503gzFFEHCmQl1/RS7Qxp
AhUApmbNUvRisdjnyjhDK6RO3pafN90CgYhQLHJ+qq+nxLX/lqQL/tCFY3P6DlYc
3ezT3Ic+3GhEMMXMBMJ+WRmRkCW5vh1grQyLVa/MLWvYgNkoUAO8eGElcloUero8
m5Tp3bFArEqb8rJXWYM1sAlnl/Y0uFpw1AyHLuZC26z+SSeDbV9REtz14EknkFXk
su4QN55ZQKoiBv2cFDMsIf9b
-----END DSA PARAMETERS-----
12 changes: 12 additions & 0 deletions test/fixtures/keys/dsa_private_1025.pem
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
-----BEGIN DSA PRIVATE KEY-----
MIIB0QIBAAKBiQCtjGXOH3Rq+lM09nwe6nbShOduCyfjgZhgMZ2WfY6PYLW3gNnh
NYT788rZbECcyKlyzRApFgs9KMfiqWfWIhQn+FmolmeUNdRXpmkGyJAqY63GobI8
S1JnxYbwdH7PsV1IwM56ylrnpdUDhSH7+Y95rgEIUXX9OHS503gzFFEHCmQl1/RS
7QxpAhUApmbNUvRisdjnyjhDK6RO3pafN90CgYhQLHJ+qq+nxLX/lqQL/tCFY3P6
DlYc3ezT3Ic+3GhEMMXMBMJ+WRmRkCW5vh1grQyLVa/MLWvYgNkoUAO8eGElcloU
ero8m5Tp3bFArEqb8rJXWYM1sAlnl/Y0uFpw1AyHLuZC26z+SSeDbV9REtz14Ekn
kFXksu4QN55ZQKoiBv2cFDMsIf9bAoGHFPpl8uRj7sNjsnIPPI9CuqlIoZXFNXeM
X9Yu7T3s5mn5Q2ATcgnryDXwqpqle630wy1LZjjmtyE84oVJd4W6YTlzHNwIv2ql
ymMzWBE5+BrRXtqIndvkaWJRSUwtZ7XPPeeCzqR5uXRAsy54azoFDoisuOO5dVOm
VZERfp4Up+Duvws5+Gq2AhQlmsEI+CInYqsDR2ha+UcwXmGJSg==
-----END DSA PRIVATE KEY-----
12 changes: 12 additions & 0 deletions test/fixtures/keys/dsa_public_1025.pem
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
-----BEGIN PUBLIC KEY-----
MIIBzTCCATsGByqGSM44BAEwggEuAoGJAK2MZc4fdGr6UzT2fB7qdtKE524LJ+OB
mGAxnZZ9jo9gtbeA2eE1hPvzytlsQJzIqXLNECkWCz0ox+KpZ9YiFCf4WaiWZ5Q1
1FemaQbIkCpjrcahsjxLUmfFhvB0fs+xXUjAznrKWuel1QOFIfv5j3muAQhRdf04
dLnTeDMUUQcKZCXX9FLtDGkCFQCmZs1S9GKx2OfKOEMrpE7elp833QKBiFAscn6q
r6fEtf+WpAv+0IVjc/oOVhzd7NPchz7caEQwxcwEwn5ZGZGQJbm+HWCtDItVr8wt
a9iA2ShQA7x4YSVyWhR6ujyblOndsUCsSpvysldZgzWwCWeX9jS4WnDUDIcu5kLb
rP5JJ4NtX1ES3PXgSSeQVeSy7hA3nllAqiIG/ZwUMywh/1sDgYsAAoGHFPpl8uRj
7sNjsnIPPI9CuqlIoZXFNXeMX9Yu7T3s5mn5Q2ATcgnryDXwqpqle630wy1LZjjm
tyE84oVJd4W6YTlzHNwIv2qlymMzWBE5+BrRXtqIndvkaWJRSUwtZ7XPPeeCzqR5
uXRAsy54azoFDoisuOO5dVOmVZERfp4Up+Duvws5+Gq2
-----END PUBLIC KEY-----
24 changes: 24 additions & 0 deletions test/parallel/test-dsa-fips-invalid-key.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
'use strict';
var common = require('../common');
var assert = require('assert');

if (!common.hasFipsCrypto) {
console.log('1..0 # Skipped: node compiled without FIPS OpenSSL.');
return;
}

var crypto = require('crypto');
var fs = require('fs');

var input = 'hello';

var dsapub = fs.readFileSync(common.fixturesDir +
'/keys/dsa_public_1025.pem');
var dsapri = fs.readFileSync(common.fixturesDir +
'/keys/dsa_private_1025.pem');
var sign = crypto.createSign('DSS1');
sign.update(input);

assert.throws(function() {
sign.sign(dsapri);
}, /PEM_read_bio_PrivateKey failed/);