-
Notifications
You must be signed in to change notification settings - Fork 30.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crypto: forbid setting the PBKDF2 iter count to 0 #30578
crypto: forbid setting the PBKDF2 iter count to 0 #30578
Conversation
Not sure whether to mark this as semver-major. It might break code, but that code was most likely not working as intended to begin with. |
I like the better error checking and forcing of passing an explicit value. I would mark semver-major, people could be using |
@sam-github I understand that, and I am fine with landing this as semver-major. However, I suspect that most invocations with I marked this as semver-major, so cc @nodejs/tsc. |
Agreed its probably bugs. If it was resulting in zero iterations actually occurring, that would be terrible, and we would backport it as a sec fix, breaking or not. But since using < 1 results in 1, I don't think its worth forcing on people in stable branches. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, Tobias.
RFC 2898 does not permit an iteration count of zero, and OpenSSL 1.1.1 will treat it as one iteration internally. Future OpenSSL versions will reject such inputs (already on master branch), but until that happens, Node.js should manually reject them. Refs: nodejs/webcrypto#29
ad82adb
to
a1ba429
Compare
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
Landed in 10f5fa7 |
RFC 2898 does not permit an iteration count of zero, and OpenSSL 1.1.1 will treat it as one iteration internally. Future OpenSSL versions will reject such inputs (already on master branch), but until that happens, Node.js should manually reject them. Refs: nodejs/webcrypto#29 PR-URL: #30578 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: David Carlier <devnexen@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net>
What a weird commit. You broke all prev codes. It shouldn't be a problem setting this number explicitly as 0 if someone intentionally did that. In my case, I need that to be 0 due to performance concerns which I have already a random seed and uses this function to hide randomness information. So, I don't need to iterate over. Anyway, you should be careful about commits that you made that can easily break codes. |
@muctemi None of that is true.
It seems like this commit led to the discovery of misuse of PBKDF2 in your code. You are welcome.
No, only code that incorrectly passed 0, which is not a valid value and never behaved as you appear to think it should.
It is a problem. It is not allowed by the PBKDF2 specification, the result would be undefined, and it is unsupported by OpenSSL.
If you don't need iteration, then why do you even use PBKDF2? That's not what PBKDF2 was designed for. Also, as discussed in earlier comments, passing the invalid value 0 never had any benefit over the valid value 1. Check the code if you still don't believe us (it behaves the same, whether
We are extremely careful. This was marked as semver-major, which means that it was exluded from all minor and patch releases of existing release lines. |
RFC 2898 does not permit an iteration count of zero, and OpenSSL 1.1.1 will treat it as one iteration internally.
Future OpenSSL versions will reject such inputs (already on master branch), but until that happens, Node.js should manually reject them.
Refs: nodejs/webcrypto#29
Checklist
make -j4 test
(UNIX), orvcbuild test
(Windows) passes