Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crypto: fix non-multiple of 8 in SubtleCrypto.deriveBits #55296

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

crypto: fix non-multiple of 8 in SubtleCrypto.deriveBits #55296

wants to merge 1 commit into from
+28 −27

Conversation

panva
Copy link
Member

@panva panva commented Oct 6, 2024
edited
Loading

A WPT update made me look into this.

From the Node.js docs:

The Node.js implementation requires that length, when a number, is a multiple
of 8.

This was never true, instead the implementation returned the closest full byte length.

At the moment the browser implementations do the following

  • Chromium aligns with this PR (and the updated WPTs)
  • Firefox throws DataError
  • Safari aligns with Node.js prior to this PR

There's no interop on this in the first place and there's even a pending decision around disallowing truncation in ECDH/X25519/X448 altogether.

Given that this is in my opinion a semver-major PRs that contain breaking changes and should be released in the next major version. change I would rather we only have to do one, i.e. disallow truncation when the spec changes in a major, or fix the implementation with this PR in a major. We've got time to figure out what to do in time for v24.x but i'm opening this to ping @nodejs/crypto and @nodejs/web-standards

@panva panva added crypto Issues and PRs related to the crypto subsystem. semver-major PRs that contain breaking changes and should be released in the next major version. webcrypto web-standards Issues and PRs related to Web APIs labels Oct 6, 2024
@nodejs-github-bot
Copy link
Collaborator

Review requested:

  • @nodejs/crypto

@nodejs-github-bot nodejs-github-bot added the needs-ci PRs that need a full CI run. label Oct 6, 2024
@panva
Copy link
Member Author

panva commented Oct 6, 2024

@jasnell do you remember what lead to the current implementation which follows neither the docs nor the spec?

@panva panva mentioned this pull request Oct 24, 2024
Merged
@jasnell
Copy link
Member

jasnell commented Nov 5, 2024

@panva ... sorry! I just spotted this one!

do you remember what lead to the current implementation which follows neither the docs nor the spec?

I think it's just a bug.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@anonrig anonrig anonrig left review comments

@jasnell jasnell jasnell approved these changes

Assignees
No one assigned
Labels
crypto Issues and PRs related to the crypto subsystem. needs-ci PRs that need a full CI run. semver-major PRs that contain breaking changes and should be released in the next major version. web-standards Issues and PRs related to Web APIs webcrypto
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@panva @nodejs-github-bot @jasnell @anonrig