nodejs · nodejs-github-bot · Nov 15, 2021 · Nov 12, 2021
diff --git a/src/crypto/crypto_sig.cc b/src/crypto/crypto_sig.cc
@@ -738,19 +738,25 @@ bool SignTraits::DeriveBits(
       size_t len;
       unsigned char* data = nullptr;
       if (IsOneShot(params.key)) {
-        EVP_DigestSign(
+        if (!EVP_DigestSign(
             context.get(),
             nullptr,
             &len,
             params.data.data<unsigned char>(),
-            params.data.size());
+            params.data.size())) {
+          crypto::CheckThrow(env, SignBase::Error::kSignPrivateKey);
+          return false;
+        }
         data = MallocOpenSSL<unsigned char>(len);
-        EVP_DigestSign(
+        if (!EVP_DigestSign(
             context.get(),
             data,
             &len,
             params.data.data<unsigned char>(),
-            params.data.size());
+            params.data.size())) {
+              crypto::CheckThrow(env, SignBase::Error::kSignPrivateKey);
+              return false;
+            }
         ByteSource buf =
             ByteSource::Allocated(reinterpret_cast<char*>(data), len);
         *out = std::move(buf);
@@ -760,13 +766,16 @@ bool SignTraits::DeriveBits(
                 params.data.data<unsigned char>(),
                 params.data.size()) ||
             !EVP_DigestSignFinal(context.get(), nullptr, &len)) {
+          crypto::CheckThrow(env, SignBase::Error::kSignPrivateKey);
           return false;
         }
         data = MallocOpenSSL<unsigned char>(len);
         ByteSource buf =
             ByteSource::Allocated(reinterpret_cast<char*>(data), len);
-        if (!EVP_DigestSignFinal(context.get(), data, &len))
+        if (!EVP_DigestSignFinal(context.get(), data, &len)) {
+          crypto::CheckThrow(env, SignBase::Error::kSignPrivateKey);
           return false;
+        }
 
         if (UseP1363Encoding(params.key, params.dsa_encoding)) {
           *out = ConvertSignatureToP1363(env, params.key, buf);

diff --git a/test/parallel/test-crypto-sign-verify.js b/test/parallel/test-crypto-sign-verify.js
@@ -742,3 +742,17 @@ assert.throws(
     }
   }
 }
+
+// The sign function should not swallow OpenSSL errors.
+// Regression test for /~https://github.com/nodejs/node/issues/40794.
+{
+  assert.throws(() => {
+    const { privateKey } = crypto.generateKeyPairSync('rsa', {
+      modulusLength: 512
+    });
+    crypto.sign('sha512', 'message', privateKey);
+  }, {
+    code: 'ERR_OSSL_RSA_DIGEST_TOO_BIG_FOR_RSA_KEY',
+    message: /digest too big for rsa key/
+  });
+}