crypto: allow zero-length secrets and IKM in HKDF (and in webcrypto PBKDF2)#44201
Closed
panva wants to merge 2 commits intonodejs:mainfrom
Closed
crypto: allow zero-length secrets and IKM in HKDF (and in webcrypto PBKDF2)#44201panva wants to merge 2 commits intonodejs:mainfrom
panva wants to merge 2 commits intonodejs:mainfrom
Conversation
panva
added
crypto
Collaborator
|
Review requested:
|
nodejs-github-bot
added
c++
panva
force-pushed
the
crypto-zero-length-hkdf-ikm
branch
from
f0bdeaa to
2999a12
Compare
github-actions
bot
removed
the
request-ci
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
7 tasks
Member
|
If the provided key is a detached |
Member
Author
|
@LiviaMedeiros I have to say I don't know enough about detached ArrayBuffer to make the call, would you please explain (or link to explanation of) what a detached ArrayBuffer is, what its unique properties are, and how might I end up with one in Node.js? |
Member
|
Spec-wise, it is done by 25.1.2.3 DetachArrayBuffer. Code-wise, it can be demonstrated with this: import assert from 'node:assert';
const view = new Uint8Array([1, 2, 3]);
const buffer = view.buffer;
assert(view.byteLength === 3);
assert(buffer.byteLength === 3);
new MessageChannel().port1.postMessage(buffer, [buffer]); // second argument is an array of objects that are transfered
assert(buffer.byteLength === 0); // detached buffer has zero length
assert(view.byteLength === 0); // any view on detached buffer also has zero length
const viewDetached = new Uint8Array(buffer); // TypeError: Cannot perform Construct on a detached ArrayBufferFunction to make a view and buffer for testing purposes: const makeDetachedBuffer = () => {
const view = new Uint8Array();
new MessageChannel().port1.postMessage('', [view.buffer]);
return { view, buffer: view.buffer };
}Context-wise, detached buffers are a subset of zero-length buffers, and they can be used by mistake in userland code. I'm not sure if webcrypto specs explicitly allows or restricts that, but there is possibility that it will either be silently interpreted as empty key, or throw a |
Member
Author
|
Thank you @LiviaMedeiros, I will do some more testing in browsers. |
panva
force-pushed
the
crypto-zero-length-hkdf-ikm
branch
from
2999a12 to
6b9e49e
Compare
Member
Author
WebCryptoAPI is silent on the matter and the browsers I've tested (Chrome, Safari, Firefox) do not throw on import of detached buffers. |
panva
force-pushed
the
crypto-zero-length-hkdf-ikm
branch
from
6b9e49e to
de3fc6c
Compare
This comment was marked as outdated.
This comment was marked as outdated.
panva
force-pushed
the
crypto-zero-length-hkdf-ikm
branch
from
de3fc6c to
f5890df
Compare
Fyko
pushed a commit
to Fyko/node
that referenced
this pull request
Sep 15, 2022
Unify the implementation and perform the same OpenSSL calls regardless of whether the key and/or salt are empty. This simplifies the code and improves coverage. Refs: nodejs#44201 PR-URL: nodejs#44272 Reviewed-By: Filip Skokan <[email protected]>
Member
|
This is is causing compile errors. ../src/crypto/crypto_hkdf.cc:134:28: error: no matching member function for call to 'data'
params.salt.data(),
~~~~~~~~~~~~^~~~
../src/crypto/crypto_util.h:228:12: note: candidate template ignored: couldn't infer template argument 'T'
const T* data() const { return reinterpret_cast<const T*>(get()); }
^
1 error generated. |
panva
added a commit
to panva/node
that referenced
this pull request
Oct 3, 2022
PR-URL: nodejs#44201 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Tobias Nießen <[email protected]>
panva
added a commit
to panva/node
that referenced
this pull request
Oct 3, 2022
PR-URL: nodejs#44201 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Tobias Nießen <[email protected]>
panva
added a commit
to panva/node
that referenced
this pull request
Oct 3, 2022
PR-URL: nodejs#44201 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Backport-PR-URL: nodejs#44872
panva
added a commit
to panva/node
that referenced
this pull request
Oct 3, 2022
PR-URL: nodejs#44201 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Backport-PR-URL: nodejs#44872
panva
added a commit
to panva/node
that referenced
this pull request
Oct 4, 2022
PR-URL: nodejs#44201 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Backport-PR-URL: nodejs#44872
panva
added a commit
to panva/node
that referenced
this pull request
Oct 4, 2022
PR-URL: nodejs#44201 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Backport-PR-URL: nodejs#44872
panva
added a commit
to panva/node
that referenced
this pull request
Oct 4, 2022
PR-URL: nodejs#44201 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Backport-PR-URL: nodejs#44872
panva
added a commit
to panva/node
that referenced
this pull request
Oct 4, 2022
PR-URL: nodejs#44201 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Backport-PR-URL: nodejs#44872
panva
added a commit
to panva/node
that referenced
this pull request
Oct 5, 2022
PR-URL: nodejs#44201 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Backport-PR-URL: nodejs#44872
panva
added a commit
to panva/node
that referenced
this pull request
Oct 5, 2022
PR-URL: nodejs#44201 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Backport-PR-URL: nodejs#44872
panva
added a commit
to panva/node
that referenced
this pull request
Oct 7, 2022
PR-URL: nodejs#44201 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Backport-PR-URL: nodejs#44872
panva
added a commit
to panva/node
that referenced
this pull request
Oct 7, 2022
PR-URL: nodejs#44201 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Backport-PR-URL: nodejs#44872
panva
added a commit
to panva/node
that referenced
this pull request
Oct 8, 2022
PR-URL: nodejs#44201 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Backport-PR-URL: nodejs#44872
panva
added a commit
to panva/node
that referenced
this pull request
Oct 8, 2022
PR-URL: nodejs#44201 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Backport-PR-URL: nodejs#44872
juanarbol
pushed a commit
that referenced
this pull request
Oct 10, 2022
PR-URL: #44201 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Backport-PR-URL: #44872
juanarbol
pushed a commit
that referenced
this pull request
Oct 10, 2022
PR-URL: #44201 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Backport-PR-URL: #44872
juanarbol
added a commit
that referenced
this pull request
Oct 11, 2022
Notable changes: assert: add `getCalls` and `reset` to callTracker (Moshe Atlow) #44191 crypto: allow zero-length IKM in HKDF and in webcrypto PBKDF2 (Filip Skokan) #44201 crypto: allow zero-length secret KeyObject (Filip Skokan) #44201 doc: deprecate modp1, modp2, and modp5 groups (Tobias Nießen) #44588 http: throw error on content-length mismatch (sidwebworks) #44378 http: make idle http parser count configurable (theanarkh) #43974 lib: add diagnostics channel for process and worker (theanarkh) #44045 net: add local family (theanarkh) #43975 net,tls: pass a valid socket on `tlsClientError` (Daeyeon Jeong) #44021 os: add machine method (theanarkh) #44416 report: expose report public native apis (Chengzhong Wu) #44255 src: expose environment RequestInterrupt api (Chengzhong Wu) #44362 stream: add `ReadableByteStream.tee()` (Daeyeon Jeong) #44505 test_runner: add before/after/each hooks (Moshe Atlow) #43730 util: add `maxArrayLength` option to Set and Map (Kohei Ueno) #43576
Merged
juanarbol
pushed a commit
that referenced
this pull request
Oct 11, 2022
PR-URL: #44201 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Backport-PR-URL: #44872
juanarbol
pushed a commit
that referenced
this pull request
Oct 11, 2022
PR-URL: #44201 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Backport-PR-URL: #44872
juanarbol
added a commit
that referenced
this pull request
Oct 11, 2022
Notable changes: assert: add `getCalls` and `reset` to callTracker (Moshe Atlow) #44191 crypto: allow zero-length secret KeyObject (Filip Skokan) #44201 crypto: allow zero-length IKM in HKDF and in webcrypto PBKDF2 (Filip Skokan) #44201 doc: deprecate modp1, modp2, and modp5 groups (Tobias Nießen) #44588 http: make idle http parser count configurable (theanarkh) #43974 http: throw error on content-length mismatch (sidwebworks) #44378 lib: add diagnostics channel for process and worker (theanarkh) #44045 net,tls: pass a valid socket on `tlsClientError` (Daeyeon Jeong) #44021 net: add local family (theanarkh) #43975 report: expose report public native apis (Chengzhong Wu) #44255 src: expose environment RequestInterrupt api (Chengzhong Wu) #44362 stream: add `ReadableByteStream.tee()` (Daeyeon Jeong) #44505 test_runner: add before/after/each hooks (Moshe Atlow) #43730 util: add `maxArrayLength` option to Set and Map (Kohei Ueno) #43576 PR-URL: #44886
juanarbol
added a commit
that referenced
this pull request
Oct 12, 2022
Notable changes: assert: add `getCalls` and `reset` to callTracker (Moshe Atlow) #44191 crypto: allow zero-length secret KeyObject (Filip Skokan) #44201 crypto: allow zero-length IKM in HKDF and in webcrypto PBKDF2 (Filip Skokan) #44201 doc: deprecate modp1, modp2, and modp5 groups (Tobias Nießen) #44588 http: make idle http parser count configurable (theanarkh) #43974 http: throw error on content-length mismatch (sidwebworks) #44378 lib: add diagnostics channel for process and worker (theanarkh) #44045 net,tls: pass a valid socket on `tlsClientError` (Daeyeon Jeong) #44021 net: add local family (theanarkh) #43975 report: expose report public native apis (Chengzhong Wu) #44255 src: expose environment RequestInterrupt api (Chengzhong Wu) #44362 stream: add `ReadableByteStream.tee()` (Daeyeon Jeong) #44505 test_runner: add before/after/each hooks (Moshe Atlow) #43730 util: add `maxArrayLength` option to Set and Map (Kohei Ueno) #43576 PR-URL: #44886
juanarbol
added a commit
that referenced
this pull request
Oct 12, 2022
Notable changes: assert: add `getCalls` and `reset` to callTracker (Moshe Atlow) #44191 crypto: allow zero-length secret KeyObject (Filip Skokan) #44201 crypto: allow zero-length IKM in HKDF and in webcrypto PBKDF2 (Filip Skokan) #44201 doc: deprecate modp1, modp2, and modp5 groups (Tobias Nießen) #44588 http: make idle http parser count configurable (theanarkh) #43974 http: throw error on content-length mismatch (sidwebworks) #44378 lib: add diagnostics channel for process and worker (theanarkh) #44045 net,tls: pass a valid socket on `tlsClientError` (Daeyeon Jeong) #44021 net: add local family (theanarkh) #43975 report: expose report public native apis (Chengzhong Wu) #44255 src: expose environment RequestInterrupt api (Chengzhong Wu) #44362 stream: add `ReadableByteStream.tee()` (Daeyeon Jeong) #44505 test_runner: add before/after/each hooks (Moshe Atlow) #43730 util: add `maxArrayLength` option to Set and Map (Kohei Ueno) #43576 PR-URL: #44886
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR
This picks up one of the individual items from #43656 and fixes ~1870 WPTs.