Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crypto: fix non-multiple of 8 in SubtleCrypto.deriveBits #55296

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

crypto: fix non-multiple of 8 in SubtleCrypto.deriveBits #55296

wants to merge 1 commit into from
+28 −27

Conversation

panva
Copy link
Member

@panva panva commented Oct 6, 2024
edited
Loading

A WPT update made me look into this.

From the Node.js docs:

The Node.js implementation requires that length, when a number, is a multiple
of 8.

This was never true, instead the implementation returned the closest full byte length.

At the moment the browser implementations do the following

  • Chromium aligns with this PR (and the updated WPTs)
  • Firefox throws DataError
  • Safari aligns with Node.js prior to this PR

There's no interop on this in the first place and there's a pending decision around disallowing truncation in ECDH/X25519/X448 altogether in a future spec update.

Given that this is in my opinion a semver-major PRs that contain breaking changes and should be released in the next major version. change I would rather we only have to do one, i.e. disallow truncation when the spec changes in a major, or fix the implementation with this PR in a major. We've got time to figure out what to do in time for v24.x but i'm opening this to ping @nodejs/crypto and @nodejs/web-standards

@panva panva added crypto Issues and PRs related to the crypto subsystem. semver-major PRs that contain breaking changes and should be released in the next major version. webcrypto web-standards Issues and PRs related to Web APIs labels Oct 6, 2024
@nodejs-github-bot
Copy link
Collaborator

Review requested:

  • @nodejs/crypto

@nodejs-github-bot nodejs-github-bot added the needs-ci PRs that need a full CI run. label Oct 6, 2024
@panva
Copy link
Member Author

panva commented Oct 6, 2024

@jasnell do you remember what lead to the current implementation which follows neither the docs nor the spec?

@panva panva mentioned this pull request Oct 24, 2024
Merged
@jasnell
Copy link
Member

jasnell commented Nov 5, 2024

@panva ... sorry! I just spotted this one!

do you remember what lead to the current implementation which follows neither the docs nor the spec?

I think it's just a bug.

@panva panva removed the semver-major PRs that contain breaking changes and should be released in the next major version. label Nov 15, 2024
@panva panva marked this pull request as ready for review November 15, 2024 17:40
@panva panva added the request-ci Add this label to start a Jenkins CI on a PR. label Nov 15, 2024
@github-actions github-actions bot added request-ci-failed An error occurred while starting CI via request-ci label, and manual interventon is needed. and removed request-ci Add this label to start a Jenkins CI on a PR. labels Nov 15, 2024
@github-actions GitHub Actions
Copy link
Contributor

Failed to start CI
   ⚠  Something was pushed to the Pull Request branch since the last approving review.
   ✘  Refusing to run CI on potentially unsafe PR
https://github.com/nodejs/node/actions/runs/11860937753

@panva panva removed the request-ci-failed An error occurred while starting CI via request-ci label, and manual interventon is needed. label Nov 15, 2024
@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/63558/

@panva
Copy link
Member Author

panva commented Nov 15, 2024
edited
Loading

Firefox has updated their implementation, i think it's alright to follow suit with this. Question is whether major or not?

@codecov Codecov
Copy link

codecov bot commented Nov 15, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 88.42%. Comparing base (b02cd41) to head (af40b70).
Report is 2 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #55296      +/-   ##
==========================================
- Coverage   88.42%   88.42%   -0.01%     
==========================================
  Files         654      654              
  Lines      187852   187862      +10     
  Branches    36134    36136       +2     
==========================================
+ Hits       166102   166109       +7     
- Misses      14989    15001      +12     
+ Partials     6761     6752       -9
Files with missing lines Coverage Δ
lib/internal/crypto/diffiehellman.js 97.59% <100.00%> (+0.06%) ⬆️

... and 35 files with indirect coverage changes

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@anonrig anonrig anonrig left review comments

@jasnell jasnell jasnell approved these changes

Assignees
No one assigned
Labels
crypto Issues and PRs related to the crypto subsystem. needs-ci PRs that need a full CI run. web-standards Issues and PRs related to Web APIs webcrypto
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@panva @nodejs-github-bot @jasnell @anonrig