crypto: forbid setting the PBKDF2 iter count to 0 #30578
Conversation
nodejs-github-bot
added
the
crypto
|
Not sure whether to mark this as semver-major. It might break code, but that code was most likely not working as intended to begin with. |
|
I like the better error checking and forcing of passing an explicit value. I would mark semver-major, people could be using |
tniessen
added
the
semver-major
|
@sam-github I understand that, and I am fine with landing this as semver-major. However, I suspect that most invocations with I marked this as semver-major, so cc @nodejs/tsc. |
|
Agreed its probably bugs. If it was resulting in zero iterations actually occurring, that would be terrible, and we would backport it as a sec fix, breaking or not. But since using < 1 results in 1, I don't think its worth forcing on people in stable branches. |
RFC 2898 does not permit an iteration count of zero, and OpenSSL 1.1.1 will treat it as one iteration internally. Future OpenSSL versions will reject such inputs (already on master branch), but until that happens, Node.js should manually reject them. Refs: nodejs/webcrypto#29
tniessen
force-pushed
the
crypto-forbid-iteration-count-zero
branch
from
ad82adb
to
a1ba429
Compare
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
|
Landed in 10f5fa7 |
RFC 2898 does not permit an iteration count of zero, and OpenSSL 1.1.1 will treat it as one iteration internally. Future OpenSSL versions will reject such inputs (already on master branch), but until that happens, Node.js should manually reject them. Refs: nodejs/webcrypto#29 PR-URL: #30578 Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: David Carlier <[email protected]> Reviewed-By: Anna Henningsen <[email protected]>
|
What a weird commit. You broke all prev codes. It shouldn't be a problem setting this number explicitly as 0 if someone intentionally did that. In my case, I need that to be 0 due to performance concerns which I have already a random seed and uses this function to hide randomness information. So, I don't need to iterate over. Anyway, you should be careful about commits that you made that can easily break codes. |
|
@muctemi None of that is true.
It seems like this commit led to the discovery of misuse of PBKDF2 in your code. You are welcome.
No, only code that incorrectly passed 0, which is not a valid value and never behaved as you appear to think it should.
It is a problem. It is not allowed by the PBKDF2 specification, the result would be undefined, and it is unsupported by OpenSSL.
If you don't need iteration, then why do you even use PBKDF2? That's not what PBKDF2 was designed for. Also, as discussed in earlier comments, passing the invalid value 0 never had any benefit over the valid value 1. Check the code if you still don't believe us (it behaves the same, whether
We are extremely careful. This was marked as semver-major, which means that it was exluded from all minor and patch releases of existing release lines. |
RFC 2898 does not permit an iteration count of zero, and OpenSSL 1.1.1 will treat it as one iteration internally.
Future OpenSSL versions will reject such inputs (already on master branch), but until that happens, Node.js should manually reject them.
Refs: nodejs/webcrypto#29
Checklist
make -j4 test(UNIX), orvcbuild test(Windows) passes