crypto: use byteLength in timingSafeEqual #23341
Conversation
nodejs-github-bot
added
crypto
|
Hm? |
|
ah |
|
... weird. |
|
Try |
|
cc @nodejs/crypto |
ZaneHannanAU
changed the title
timingSafeEqual use bytewise length instead of array lengthtimingSafeEqual use bytewise length instead of array length
|
... uh what should I do? |
|
Please follow the guidelines from the CONTRIBUTING file to correctly format your (first) commit message. You can use interactive rebasing to rewrite the first commit message, but there are other possibilities. |
|
… I should really figure out git … |
|
Is there a way to do it through the gh ui? |
|
... I have no idea what I'm doing |
|
... does this do anything? |
|
@ZaneHannanAU What are you trying to do? You can run the tests locally by |
|
I'm trying to edit the commit message and as you can tell, I have no idea what I'm doing. |
|
Okay; how can I rebase the mess I've made myself to just have 1 commit saying for the time being? |
|
I took the liberty of fixing your branch accordingly, the old HEAD was c177921. |
tniessen
changed the title
timingSafeEqual use bytewise length instead of array length
|
Thank you! You've absolutely saved me there… |
| @@ -518,7 +518,7 @@ E('ERR_CRYPTO_SCRYPT_NOT_SUPPORTED', 'Scrypt algorithm not supported', Error); | |||
| // Switch to TypeError. The current implementation does not seem right. | |||
| E('ERR_CRYPTO_SIGN_KEY_REQUIRED', 'No key provided to sign', Error); | |||
| E('ERR_CRYPTO_TIMING_SAFE_EQUAL_LENGTH', | |||
| 'Input buffers must have the same length', RangeError); | |||
| 'Input buffers must have the same byteLength', RangeError); | |||
There was a problem hiding this comment.
You might want to consider undoing this change. Error message changes are considered semver-major, meaning this couldn't be released until Node.js 12.
There was a problem hiding this comment.
I’m not sure, are we still doing that? I was under the impression that we don’t necessarily consider it semver-major when there’s an associated message code…
There was a problem hiding this comment.
Agreed that error message changes shouldn't be semver major if there is an error code, since that was (one of) the advertised advantage in migrating to them. That said, I'm not sure there is much benefit to changing this. IMO, the error message was better before, even if it didn't completely reflect the implementation details.
There was a problem hiding this comment.
Perhaps, Input buffers must have the same number of bytes? Same idea, a bit more human readable?
| 0, 1, // 26 | ||
| 1, 0, // 28 | ||
| 1, 1, // 30 | ||
| 0) // 31 |
There was a problem hiding this comment.
Can you factor out these Buffer.of() calls? Just assign it once to a const expected = Buffer.of(...) and compare against that.
|
I am closing this PR since it has become inactive and the relevant changes were merged in #29657. @ZaneHannanAU I added you to 6174306 as a co-author. |
Checklist
make -j4 test(UNIX), orvcbuild test(Windows) passescrypto.timingSafeEqual() can cause the core to abort
if the length parameter matches; however the internal
byte length differs. This commit makes the length
validation use bytewise (ArrayBufferLike)
byteLengthrather than array content length.
Reissuing of #21397 with various modifications and fixes.