nodejs
diff --git a/‎lib/internal/crypto/diffiehellman.js‎
Lines changed: 9 additions & 17 deletions b/‎lib/internal/crypto/diffiehellman.js‎
Lines changed: 9 additions & 17 deletions
diff --git a/‎lib/internal/crypto/hash.js‎
Lines changed: 17 additions & 4 deletions b/‎lib/internal/crypto/hash.js‎
Lines changed: 17 additions & 4 deletions
diff --git a/‎lib/internal/crypto/mac.js‎
Lines changed: 26 additions & 11 deletions b/‎lib/internal/crypto/mac.js‎
Lines changed: 26 additions & 11 deletions
diff --git a/‎lib/internal/crypto/util.js‎
Lines changed: 42 additions & 0 deletions b/‎lib/internal/crypto/util.js‎
Lines changed: 42 additions & 0 deletions
diff --git a/‎lib/internal/crypto/webcrypto.js‎
Lines changed: 2 additions & 1 deletion b/‎lib/internal/crypto/webcrypto.js‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎lib/internal/crypto/webidl.js‎
Lines changed: 9 additions & 25 deletions b/‎lib/internal/crypto/webidl.js‎
Lines changed: 9 additions & 25 deletions
diff --git a/‎src/crypto/crypto_keygen.cc‎
Lines changed: 9 additions & 1 deletion b/‎src/crypto/crypto_keygen.cc‎
Lines changed: 9 additions & 1 deletion
diff --git a/‎src/crypto/crypto_keygen.h‎
Lines changed: 4 additions & 2 deletions b/‎src/crypto/crypto_keygen.h‎
Lines changed: 4 additions & 2 deletions
@@ -3,10 +3,8 @@
 const {
   ArrayBufferPrototypeSlice,
   FunctionPrototypeCall,
-  MathCeil,
   ObjectDefineProperty,
   TypedArrayPrototypeGetBuffer,
-  Uint8Array,
 } = primordials;
 
 const { Buffer } = require('buffer');
@@ -59,7 +57,9 @@ const {
   getArrayBufferOrView,
   jobPromise,
   jobPromiseThen,
+  numBitsToBytes,
   toBuf,
+  truncateToBitLength,
   kHandle,
 } = require('internal/crypto/util');
 
@@ -328,7 +328,6 @@ function diffieHellman(options, callback) {
   job.run();
 }
 
-let masks;
 // The ecdhDeriveBits function is part of the Web Crypto API and serves both
 // deriveKeys and deriveBits functions.
 function ecdhDeriveBits(algorithm, baseKey, length) {
@@ -372,27 +371,20 @@ function ecdhDeriveBits(algorithm, baseKey, length) {
     return bits;
 
   return jobPromiseThen(bits, (bits) => {
-    // If the length is not a multiple of 8 the nearest ceiled
-    // multiple of 8 is sliced.
-    const sliceLength = MathCeil(length / 8);
+    const sliceLength = numBitsToBytes(length);
 
     const { byteLength } = bits;
     // If the length is larger than the derived secret, throw.
     if (byteLength < sliceLength)
       throw lazyDOMException('derived bit length is too small', 'OperationError');
 
-    const slice = ArrayBufferPrototypeSlice(bits, 0, sliceLength);
+    if (length % 8 === 0) {
+      if (byteLength === sliceLength)
+        return bits;
+      return ArrayBufferPrototypeSlice(bits, 0, sliceLength);
+    }
 
-    const mod = length % 8;
-    if (mod === 0)
-      return slice;
-
-    // eslint-disable-next-line no-sparse-arrays
-    masks ||= [, 0b10000000, 0b11000000, 0b11100000, 0b11110000, 0b11111000, 0b11111100, 0b11111110];
-
-    const masked = new Uint8Array(slice);
-    masked[sliceLength - 1] = masked[sliceLength - 1] & masks[mod];
-    return TypedArrayPrototypeGetBuffer(masked);
+    return TypedArrayPrototypeGetBuffer(truncateToBitLength(length, bits));
   });
 }
 
 
@@ -6,6 +6,7 @@ const {
   StringPrototypeReplace,
   StringPrototypeToLowerCase,
   Symbol,
+  TypedArrayPrototypeGetBuffer,
 } = primordials;
 
 const {
@@ -21,7 +22,10 @@ const {
 const {
   getStringOption,
   jobPromise,
+  jobPromiseThen,
   normalizeHashName,
+  numBitsToBytes,
+  truncateToBitLength,
   validateMaxBufferLength,
   kHandle,
   getCachedHashId,
@@ -227,15 +231,24 @@ function asyncDigest(algorithm, data) {
     case 'SHA3-384':
       // Fall through
     case 'SHA3-512':
-      // Fall through
+      return jobPromise(() => new HashJob(
+        kCryptoJobWebCrypto,
+        normalizeHashName(algorithm.name),
+        data));
     case 'cSHAKE128':
       // Fall through
-    case 'cSHAKE256':
-      return jobPromise(() => new HashJob(
+    case 'cSHAKE256': {
+      const outputLength = algorithm.outputLength;
+      const bits = jobPromise(() => new HashJob(
         kCryptoJobWebCrypto,
         normalizeHashName(algorithm.name),
         data,
-        algorithm.outputLength));
+        numBitsToBytes(outputLength) * 8));
+      if (outputLength % 8 === 0)
+        return bits;
+      return jobPromiseThen(bits, (bits) =>
+        TypedArrayPrototypeGetBuffer(truncateToBitLength(outputLength, bits)));
+    }
     case 'TurboSHAKE128':
       // Fall through
     case 'TurboSHAKE256':
 
@@ -20,6 +20,8 @@ const {
   hasAnyNotIn,
   jobPromise,
   normalizeHashName,
+  numBitsToBytes,
+  truncateToBitLength,
 } = require('internal/crypto/util');
 
 const {
@@ -38,6 +40,27 @@ const {
   validateJwk,
 } = require('internal/crypto/webcrypto_util');
 
+function normalizeKeyLength(handle, algorithm) {
+  let length = handle.getSymmetricKeySize() * 8;
+  if (length === 0 && algorithm.name === 'HMAC')
+    throw lazyDOMException('Zero-length key is not supported', 'DataError');
+
+  if (algorithm.length !== undefined) {
+    const byteLength = numBitsToBytes(algorithm.length);
+    if (byteLength !== handle.getSymmetricKeySize())
+      throw lazyDOMException('Invalid key length', 'DataError');
+
+    if (algorithm.length % 8 !== 0) {
+      handle = importSecretKey(
+        truncateToBitLength(algorithm.length, handle.export()));
+    }
+
+    length = algorithm.length;
+  }
+
+  return { handle, length };
+}
+
 function hmacGenerateKey(algorithm, extractable, usages) {
   const {
     hash,
@@ -113,7 +136,6 @@ function macImportKey(
   let length;
   switch (format) {
     case 'KeyObjectHandle': {
-      length = keyData.getSymmetricKeySize() * 8;
       handle = keyData;
       break;
     }
@@ -122,7 +144,6 @@ function macImportKey(
       if (format === 'raw' && !isHmac) {
         return undefined;
       }
-      length = keyData.byteLength * 8;
       handle = importSecretKey(keyData);
       break;
     }
@@ -140,20 +161,13 @@ function macImportKey(
       }
 
       handle = importJwkSecretKey(keyData);
-      length = handle.getSymmetricKeySize() * 8;
       break;
     }
     default:
       return undefined;
   }
 
-  if (length === 0)
-    throw lazyDOMException('Zero-length key is not supported', 'DataError');
-
-  if (algorithm.length !== undefined &&
-      algorithm.length !== length) {
-    throw lazyDOMException('Invalid key length', 'DataError');
-  }
+  ({ handle, length } = normalizeKeyLength(handle, algorithm)); // eslint-disable-line prefer-const
 
   const algorithmObject = {
     name: algorithm.name,
@@ -190,7 +204,8 @@ function kmacSignVerify(key, data, algorithm, signature) {
     getCryptoKeyHandle(key),
     algorithm.name,
     algorithm.customization,
-    algorithm.outputLength / 8,
+    getCryptoKeyAlgorithm(key).length,
+    algorithm.outputLength,
     data,
     signature));
 }
 
@@ -9,6 +9,7 @@ const {
   DataViewPrototypeGetBuffer,
   DataViewPrototypeGetByteLength,
   DataViewPrototypeGetByteOffset,
+  MathFloor,
   Number,
   ObjectDefineProperty,
   ObjectEntries,
@@ -550,6 +551,45 @@ function validateMaxBufferLength(data, name, max = kMaxBufferLength) {
   }
 }
 
+/**
+ * Converts a bit length to the number of bytes needed to contain it.
+ * Non-byte lengths are rounded up to the next byte.
+ * @param {number} length
+ * @returns {number}
+ */
+function numBitsToBytes(length) {
+  return MathFloor(length / 8) + MathFloor((7 + (length % 8)) / 8);
+}
+
+/**
+ * Copies `bytes` up to the byte length needed for `length` bits, then clears
+ * unused least-significant bits in the final byte.
+ * @param {number} length
+ * @param {ArrayBuffer|ArrayBufferView} bytes
+ * @returns {Uint8Array}
+ */
+function truncateToBitLength(length, bytes) {
+  const lengthBytes = numBitsToBytes(length);
+  const isView = ArrayBufferIsView(bytes);
+  const result = TypedArrayPrototypeSlice(
+    new Uint8Array(
+      isView ? getDataViewOrTypedArrayBuffer(bytes) : bytes,
+      isView ? getDataViewOrTypedArrayByteOffset(bytes) : 0,
+      isView ?
+        getDataViewOrTypedArrayByteLength(bytes) :
+        ArrayBufferPrototypeGetByteLength(bytes),
+    ),
+    0,
+    lengthBytes,
+  );
+
+  const remainder = length % 8;
+  if (remainder !== 0)
+    result[lengthBytes - 1] &= (0xff << (8 - remainder)) & 0xff;
+
+  return result;
+}
+
 let webidl;
 
 // Keep this as a regular object. The WebIDL converters read and spread these
@@ -971,6 +1011,8 @@ module.exports = {
   cleanupWebCryptoResult,
   prepareWebCryptoResult,
   validateMaxBufferLength,
+  numBitsToBytes,
+  truncateToBitLength,
   bigIntArrayToUnsignedBigInt,
   bigIntArrayToUnsignedInt,
   getBlockSize,
 
@@ -65,6 +65,7 @@ const {
   jobPromiseThen,
   normalizeAlgorithm,
   normalizeHashName,
+  numBitsToBytes,
   prepareWebCryptoResult,
   validateMaxBufferLength,
 } = require('internal/crypto/util');
@@ -1914,7 +1915,7 @@ class SubtleCrypto {
         case 'KMAC128':
         case 'KMAC256':
           if (normalizedAdditionalAlgorithm.length === undefined ||
-              normalizedAdditionalAlgorithm.length === 256) {
+              numBitsToBytes(normalizedAdditionalAlgorithm.length) === 32) {
             break;
           }
           return false;
 
@@ -269,6 +269,13 @@ converters.EcdsaParams = createDictionaryConverter(
     ],
   ]);
 
+function validateHmacKeyLength(parameterName, zeroError) {
+  return (V) => {
+    if (V === 0)
+      throw lazyDOMException(`${parameterName} cannot be 0`, zeroError);
+  };
+}
+
 for (const { 0: name, 1: zeroError } of [['HmacKeyGenParams', 'OperationError'], ['HmacImportParams', 'DataError']]) {
   converters[name] = createDictionaryConverter(
     name, [
@@ -284,7 +291,7 @@ for (const { 0: name, 1: zeroError } of [['HmacKeyGenParams', 'OperationError'],
           key: 'length',
           converter: (V, opts) =>
             converters['unsigned long'](V, enforceRangeOptions(opts)),
-          validator: validateMacKeyLength(`${name}.length`, zeroError),
+          validator: validateHmacKeyLength(`${name}.length`, zeroError),
         },
       ],
     ]);
@@ -366,12 +373,6 @@ converters.CShakeParams = createDictionaryConverter(
         key: 'outputLength',
         converter: (V, opts) =>
           converters['unsigned long'](V, enforceRangeOptions(opts)),
-        validator: (V, opts) => {
-          // The Web Crypto spec allows for SHAKE output length that are not multiples of
-          // 8. We don't.
-          if (V % 8)
-            throw lazyDOMException('Unsupported CShakeParams outputLength', 'NotSupportedError');
-        },
         required: true,
       },
       {
@@ -656,18 +657,7 @@ converters.Argon2Params = createDictionaryConverter(
     ],
   ]);
 
-function validateMacKeyLength(parameterName, zeroError) {
-  return (V) => {
-    if (V === 0)
-      throw lazyDOMException(`${parameterName} cannot be 0`, zeroError);
-
-    // The Web Crypto spec allows for key lengths that are not multiples of 8. We don't.
-    if (V % 8)
-      throw lazyDOMException(`Unsupported ${parameterName}`, 'NotSupportedError');
-  };
-}
-
-for (const { 0: name, 1: zeroError } of [['KmacKeyGenParams', 'OperationError'], ['KmacImportParams', 'DataError']]) {
+for (const name of ['KmacKeyGenParams', 'KmacImportParams']) {
   converters[name] = createDictionaryConverter(
     name, [
       dictAlgorithm,
@@ -676,7 +666,6 @@ for (const { 0: name, 1: zeroError } of [['KmacKeyGenParams', 'OperationError'],
           key: 'length',
           converter: (V, opts) =>
             converters['unsigned long'](V, enforceRangeOptions(opts)),
-          validator: validateMacKeyLength(`${name}.length`, zeroError),
         },
       ],
     ]);
@@ -690,11 +679,6 @@ converters.KmacParams = createDictionaryConverter(
         key: 'outputLength',
         converter: (V, opts) =>
           converters['unsigned long'](V, enforceRangeOptions(opts)),
-        validator: (V, opts) => {
-          // The Web Crypto spec allows for KMAC output length that are not multiples of 8. We don't.
-          if (V % 8)
-            throw lazyDOMException('Unsupported KmacParams outputLength', 'NotSupportedError');
-        },
         required: true,
       },
       {
 
@@ -64,7 +64,13 @@ Maybe<void> SecretKeyGenTraits::AdditionalConfig(
     SecretKeyGenConfig* params) {
   CHECK(args[*offset]->IsUint32());
   uint32_t bits = args[*offset].As<Uint32>()->Value();
-  params->length = bits / CHAR_BIT;
+  params->length_bits = bits;
+  if (mode == kCryptoJobWebCrypto) {
+    params->length = NumBitsToBytes(static_cast<size_t>(bits));
+    params->truncate_to_bit_length = bits % CHAR_BIT != 0;
+  } else {
+    params->length = bits / CHAR_BIT;
+  }
   *offset += 1;
   return JustVoid();
 }
@@ -77,6 +83,8 @@ KeyGenJobStatus SecretKeyGenTraits::DoKeyGen(Environment* env,
     return KeyGenJobStatus::FAILED;
   }
   params->out = ByteSource::Allocated(bytes.release());
+  if (params->truncate_to_bit_length)
+    TruncateToBitLength(params->length_bits, &params->out);
   return KeyGenJobStatus::OK;
 }
 
 
@@ -284,8 +284,10 @@ struct KeyPairGenTraits final {
 };
 
 struct SecretKeyGenConfig final : public MemoryRetainer {
-  size_t length;        // In bytes.
-  ByteSource out;       // Placeholder for the generated key bytes.
+  size_t length = 0;  // In bytes.
+  size_t length_bits = 0;
+  bool truncate_to_bit_length = false;
+  ByteSource out;  // Placeholder for the generated key bytes.
 
   void MemoryInfo(MemoryTracker* tracker) const override;
   SET_MEMORY_INFO_NAME(SecretKeyGenConfig)