Open Bug 1920672 Opened 1 year ago Updated 1 year ago

The X25519 deriveBits function should reject small-order points

Categories

(Core :: DOM: Web Crypto, defect, P5)

Product:
Core
Component:
DOM: Web Crypto
Type:
defect

Tracking

()

People

(Reporter: jfernandez, Assigned: anna.weine)

References

Details

The Secure Curves spec [1] states the following in the X25519 DeriveBits operations:

    If secret is the all-zero value, then throw a OperationError. This check must be performed in constant-time, as per [RFC7748] Section 6.1.

This is the root cause of the following errors in WPT

https://wpt.fyi/results/WebCryptoAPI/derive_bits_keys/cfrg_curves_bits_curve25519.https.any.html?label=experimental&label=master&aligned

[1] https://wicg.github.io/webcrypto-secure-curves/#x25519-operations

Duplicate of this bug: 1920671

Yea, I am aware of it. Gonna try to solve as soon as I have some free time :)

Assignee: nobody → anna.weine
Severity: -- → S4
Priority: -- → P5
You need to log in before you can comment on or make changes to this bug.