crypto: allow non-multiple of 8 in SubtleCrypto.deriveBits

panva · panva · commit 55938d21c890 · 2024-10-06T21:06:45.000+02:00
diff --git a/doc/api/webcrypto.md b/doc/api/webcrypto.md
@@ -600,9 +600,6 @@ Using the method and parameters specified in `algorithm` and the keying
 material provided by `baseKey`, `subtle.deriveBits()` attempts to generate
 `length` bits.
 
-The Node.js implementation requires that `length`, when a number, is a multiple
-of `8`.
-
 When `length` is not provided or `null` the maximum number of bits for a given
 algorithm is generated. This is allowed for the `'ECDH'`, `'X25519'`, and `'X448'`
 algorithms, for other algorithms `length` is required to be a number.
diff --git a/lib/internal/crypto/diffiehellman.js b/lib/internal/crypto/diffiehellman.js
@@ -5,6 +5,7 @@ const {
   MathCeil,
   ObjectDefineProperty,
   SafeSet,
+  Uint8Array,
 } = primordials;
 
 const { Buffer } = require('buffer');
@@ -342,18 +343,45 @@ async function ecdhDeriveBits(algorithm, baseKey, length) {
 
   // If the length is not a multiple of 8 the nearest ceiled
   // multiple of 8 is sliced.
-  length = MathCeil(length / 8);
-  const { byteLength } = bits;
+  const sliceLength = MathCeil(length / 8);
 
+  const { byteLength } = bits;
   // If the length is larger than the derived secret, throw.
-  // Otherwise, we either return the secret or a truncated
-  // slice.
-  if (byteLength < length)
+  if (byteLength < sliceLength)
     throw lazyDOMException('derived bit length is too small', 'OperationError');
 
-  return length === byteLength ?
-    bits :
-    ArrayBufferPrototypeSlice(bits, 0, length);
+  const slice = ArrayBufferPrototypeSlice(bits, 0, sliceLength);
+
+  let mask;
+  switch (length % 8) {
+    case 0:
+      return slice;
+    case 1:
+      mask = 0b10000000;
+      break;
+    case 2:
+      mask = 0b11000000;
+      break;
+    case 3:
+      mask = 0b11100000;
+      break;
+    case 4:
+      mask = 0b11110000;
+      break;
+    case 5:
+      mask = 0b11111000;
+      break;
+    case 6:
+      mask = 0b11111100;
+      break;
+    case 7:
+      mask = 0b11111110;
+      break;
+  }
+
+  const masked = new Uint8Array(slice);
+  masked[sliceLength - 1] = masked[sliceLength - 1] & mask;
+  return masked.buffer;
 }
 
 module.exports = {
diff --git a/test/parallel/test-webcrypto-derivebits-cfrg.js b/test/parallel/test-webcrypto-derivebits-cfrg.js
@@ -140,9 +140,11 @@ async function prepareKeys() {
           public: publicKey
         }, privateKey, 8 * size - 11);
 
-        assert.strictEqual(
-          Buffer.from(bits).toString('hex'),
-          result.slice(0, -2));
+        const expected = Buffer.from(result.slice(0, -2), 'hex');
+        expected[size - 2] = expected[size - 2] & 0b11111000;
+        assert.deepStrictEqual(
+          Buffer.from(bits),
+          expected);
       }
     }));
 
diff --git a/test/parallel/test-webcrypto-derivebits-ecdh.js b/test/parallel/test-webcrypto-derivebits-ecdh.js
@@ -161,9 +161,11 @@ async function prepareKeys() {
           public: publicKey
         }, privateKey, 8 * size - 11);
 
-        assert.strictEqual(
-          Buffer.from(bits).toString('hex'),
-          result.slice(0, -2));
+        const expected = Buffer.from(result.slice(0, -2), 'hex');
+        expected[size - 2] = expected[size - 2] & 0b11111000;
+        assert.deepStrictEqual(
+          Buffer.from(bits),
+          expected);
       }
     }));
 
