-
Notifications
You must be signed in to change notification settings - Fork 55
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Throw on truncation in the ECDH derive bits operation #351
base: main
Are you sure you want to change the base?
Conversation
This should not be merged. See #369 (comment) |
e8b5255
to
5bdfd07
Compare
I've updated the MR to throw on all truncation instead of only for 0, as discussed in #369 :) |
This seems reasonable, modulo what I wrote in the corresponding issue:
It's also a bit surprising to me that it didn't handle the case of length being too long, but maybe that is handled elsewhere. It's hard to find all the callers of the algorithms in this specification. |
It is indeed
|
This PR is removing this statement, though; we are requiring now that the value of the 'length' argument is exactly the expected key size for the used key algorithm. |
Correct. The case is handled before and after the PR. |
A change to reject truncated ECDH breaks deriveKey, wrapKey, and unwrapKey where the length sent to deriveBits is a result of the target key's |
Are there any WPT tests to cover that case ? If not, would you mind adding them ? |
Yeah there are. And they promptly start failing once you introduce this PR to an implementation. |
Right, we might want to start by throwing in the Though, I'm not sure if there's a very legitimate use case for truncating ECDH output in any of those other uses, either? (But, we'd need to double check whether we can compatibly break those, of course. But, I think they're also covered by https://chromestatus.com/metrics/feature/timeline/popularity/4746, i.e. very low usage.) |
Definitely not.
Looking at the code that seems to be the case. @davidben could confirm. |
I may have understanding the wrap/unwrap tests wrongly, but my prototype to implement the "throw on truncation" behavior in x25519 only shows failures when using the deriveBits function in the 'equalKeys' function, and the failure comes from the fact that it's hardcoding 128 as the deriveBits's length argument. The wrap/unwrapp calls in previous test cases pass as expected. |
Right, actually the |
Throw on truncation in the ECDH derive bits operation, as discussed in #369.
Truncating the derived value in ECDH does not really make sense, and from Chromium's usage statistics, there is very low usage of truncation, so this change should be relatively low risk.
Preview | Diff