-
Notifications
You must be signed in to change notification settings - Fork 29.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crypto: fix non-multiple of 8 in SubtleCrypto.deriveBits #55296
Conversation
Review requested:
|
@jasnell do you remember what lead to the current implementation which follows neither the docs nor the spec? |
@panva ... sorry! I just spotted this one!
I think it's just a bug. |
Failed to start CI⚠ Something was pushed to the Pull Request branch since the last approving review. ✘ Refusing to run CI on potentially unsafe PRhttps://github.com/nodejs/node/actions/runs/11860937753 |
Firefox has updated their implementation, i think it's alright to follow suit with this. Question is whether major or not? |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #55296 +/- ##
==========================================
- Coverage 88.42% 88.42% -0.01%
==========================================
Files 654 654
Lines 187852 187862 +10
Branches 36134 36136 +2
==========================================
+ Hits 166102 166109 +7
- Misses 14989 15001 +12
+ Partials 6761 6752 -9
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Copilot reviewed 5 out of 5 changed files in this pull request and generated no suggestions.
I still consider this a bug fix and not a major change. |
PR-URL: nodejs#55296 Reviewed-By: James M Snell <[email protected]>
PR-URL: #55296 Reviewed-By: James M Snell <[email protected]>
PR-URL: #55296 Reviewed-By: James M Snell <[email protected]>
PR-URL: #55296 Reviewed-By: James M Snell <[email protected]>
PR-URL: #55296 Reviewed-By: James M Snell <[email protected]>
A WPT update made me look into this.
From the Node.js docs:
This was never true, instead the implementation returned the closest full byte length.
At the moment the browser implementations do the following
There's no interop on this in the first place and there's a pending decision around disallowing truncation in ECDH/X25519/X448 altogether in a future spec update.
Given that this is in my opinion a semver-majorPRs that contain breaking changes and should be released in the next major version.
change I would rather we only have to do one, i.e. disallow truncation when the spec changes in a major, or fix the implementation with this PR in a major. We've got time to figure out what to do in time for v24.x but i'm opening this to ping @nodejs/crypto and @nodejs/web-standards