-
Notifications
You must be signed in to change notification settings - Fork 30.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crypto: re-add crypto.timingSafeEqual #8304
crypto: re-add crypto.timingSafeEqual #8304
Conversation
Looks like the arm tests are failing like before, but linux is working now. One of the arm tests had a t-value of -32 (i.e. checking unequal buffers took significantly longer than checking equal buffers). This is the opposite of what was happening on linux, so it seems unlikely to be the same problem. |
I added a temporary I don't have access to any ARM hardware, so debugging/reproducing this locally might be tricky. (I suppose I could look into emulating one.) |
Here's a run of the test 100 times on armv7-wheezy. (Hopefully I did it right. It's building right now...) https://ci.nodejs.org/job/node-stress-single-test/871/nodes=armv7-wheezy/console |
Wow, that's a lot of numbers. Output for posterity |
So I'm not sure whether this is related to the test failures, but I noticed that a vast majority of the benchmark times (over 98%) ended with the digit |
@nodejs/crypto @nodejs/v8 |
Of the 52 times that the previous test failed, all of the t-values were positive numbers between 3 and 7. I pushed another test commit to flip the order of the benchmarks; could we run another stress-test? If the problem is caused by a security issue with the timingSafeEqual implementation, we would expect the t-values to still be positive numbers after swapping. If the problem is caused by something else (e.g. V8 optimization), the t-values will be negative numbers after swapping. |
That time all the t-values were numbers between -3 and -7, i.e. the comparisons between unequal buffers took longer. Based on that, I'm pretty confident that this is not a security issue; whichever pair of buffers is compared first ends up with longer benchmarks, regardless of the actual contents of the buffers. |
Pushed another commit to alternate the order of the benchmarks on each iteration. (This might not actually solve this issue, depending on whether it's only the first benchmark overall that matters, or the first benchmark of each iteration. But it's probably worth trying anyway since it would be nice to have non-flaky tests even if it's not a security problem.) |
Whoa, that didn't help; that time they all failed with positive t-values. It's interesting that before that change, the test was failing almost exactly half of the time. I'm guessing there's some optimization that was kicking in at a random point, causing the test to fail if it kicked in between invocations, and pass if it kicked in after a pair of invocations is finished. (I remember we reached something similar to this conclusion last time and tried manually optimizing the function without success.) |
To prevent V8 from optimizing the cases differently, I split the (This was also attempted in #8203 (comment), but it seems like there weren't any timing failures on ARM during that CI run, so it might solve the issue.) |
That version passed 96/100 times. 🎉 I have no idea what happened with the 4 failures though; t-values of 6, -31, -33, and 3. |
I think this is ready for review; the tests are slightly flaky on ARM, but they seem to pass somewhat consistently on other platforms, and we have fairly good reason to believe that the inconsistencies are not a security problem. (The implementation in this PR is the same as in #8040; only the tests have changed.) |
I guess let's start with a regular CI run: https://ci.nodejs.org/job/node-test-pull-request/3881/ |
Two relevant failures: |
Woo! tentative LGTM assuming CI looks green. |
There's no big rush, but I'd like to keep the process moving along on this PR, if possible. Is there anything I can do to advance it, or are we just waiting for people to review it at this point? |
LGTM And maybe /cc @AndreasMadsen and/or @fhinkel for reviews if they have the time? I wouldn’t hold the PR up about that but it might be good to get other math-y looks. |
Let's give it another 24 hours at least.... and perhaps another dozen or so CI runs ;-) lol (kidding about the last bit). |
Is it worth running the CI again now that the Raspberry Pi machines are no longer out of commission? If this test is going to break the build again for some reason, it would be better to find now rather than after the PR is merged. |
ha! I started one at the exact moment @Trott did. Cancelled mine! |
@not-an-aardvark Can you get in touch with me out-of-band? I want to talk about the Collaborator onboarding stuff, but don't want to muddy up this issue with a bunch of irrelevant back-and-forth. Any of these work for me:
Or if you'd prefer some other mechanism to communicate, let me know. Thanks! |
CI is all green except for the perma-yellow AIX, so I think this is good to land. |
Reinstate crypto.timingSafeEqual() which was reverted due to test issues. The flaky test issues are resolved in this new changeset. PR-URL: nodejs#8304 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net>
Landed in 079accc 🎉 Thanks for persevering, @not-an-aardvark! |
Sorry to be a party pooper but it seems the test is still flaky: https://ci.nodejs.org/job/node-test-commit-linux/5019/nodes=debian8-x86/consoleText |
@bnoordhuis Yep, there is a PR open to fix this (see #8456). |
Reinstate crypto.timingSafeEqual() which was reverted due to test issues. The flaky test issues are resolved in this new changeset. PR-URL: #8304 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net>
Notable changes: * crypto: Added `crypto.timingSafeEqual()`. (not-an-aardvark) #8304 * events: Made the "max event listeners" memory leak warning more accessible. (Anna Henningsen) #8298 * promises: Unhandled rejections now emit a process warning after the first tick. (Benjamin Gruenbaum) #8223 * repl: Added auto alignment for `.editor` mode. (Prince J Wesley) #8241 * util: Some functionality has been added to `util.inspect()`: - Returning `this` from a custom inspect function now works. (Anna Henningsen) #8174 - Added support for Symbol-based custom inspection methods. (Anna Henningsen) #8174 Refs: #8428 Refs: #8457 PR-URL: #8466
Notable changes: * crypto: Added `crypto.timingSafeEqual()`. (not-an-aardvark) nodejs#8304 * events: Made the "max event listeners" memory leak warning more accessible. (Anna Henningsen) nodejs#8298 * promises: Unhandled rejections now emit a process warning after the first tick. (Benjamin Gruenbaum) nodejs#8223 * repl: Added auto alignment for `.editor` mode. (Prince J Wesley) nodejs#8241 * util: Some functionality has been added to `util.inspect()`: - Returning `this` from a custom inspect function now works. (Anna Henningsen) nodejs#8174 - Added support for Symbol-based custom inspection methods. (Anna Henningsen) nodejs#8174 Refs: nodejs#8428 Refs: nodejs#8457 PR-URL: nodejs#8466
Notable changes: * crypto: Added `crypto.timingSafeEqual()`. (not-an-aardvark) nodejs/node#8304 * events: Made the "max event listeners" memory leak warning more accessible. (Anna Henningsen) nodejs/node#8298 * promises: Unhandled rejections now emit a process warning after the first tick. (Benjamin Gruenbaum) nodejs/node#8223 * repl: Added auto alignment for `.editor` mode. (Prince J Wesley) nodejs/node#8241 * util: Some functionality has been added to `util.inspect()`: - Returning `this` from a custom inspect function now works. (Anna Henningsen) nodejs/node#8174 - Added support for Symbol-based custom inspection methods. (Anna Henningsen) nodejs/node#8174 Signed-off-by: Ilkka Myller <ilkka.myller@nodefield.com>
Notable changes: * crypto: Added `crypto.timingSafeEqual()`. (not-an-aardvark) nodejs/node#8304 * events: Made the "max event listeners" memory leak warning more accessible. (Anna Henningsen) nodejs/node#8298 * promises: Unhandled rejections now emit a process warning after the first tick. (Benjamin Gruenbaum) nodejs/node#8223 * repl: Added auto alignment for `.editor` mode. (Prince J Wesley) nodejs/node#8241 * util: Some functionality has been added to `util.inspect()`: - Returning `this` from a custom inspect function now works. (Anna Henningsen) nodejs/node#8174 - Added support for Symbol-based custom inspection methods. (Anna Henningsen) nodejs/node#8174 Signed-off-by: Ilkka Myller <ilkka.myller@nodefield.com>
crypto.timingSafeEqual() has been added in v6.6.0 cf. #8304 This commit adds the metadata that will display "Added in: v6.6.0" and that can later be checked on https://nodejs.org/api/crypto.html#crypto_crypto_timingsafeequal_a_b PR-URL: #8796 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Teddy Katz <teddy.katz@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net>
crypto.timingSafeEqual() has been added in v6.6.0 cf. #8304 This commit adds the metadata that will display "Added in: v6.6.0" and that can later be checked on https://nodejs.org/api/crypto.html#crypto_crypto_timingsafeequal_a_b PR-URL: #8796 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Teddy Katz <teddy.katz@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net>
crypto.timingSafeEqual() has been added in v6.6.0 cf. #8304 This commit adds the metadata that will display "Added in: v6.6.0" and that can later be checked on https://nodejs.org/api/crypto.html#crypto_crypto_timingsafeequal_a_b PR-URL: #8796 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Teddy Katz <teddy.katz@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net>
Checklist
make -j4 test
(UNIX), orvcbuild test nosign
(Windows) passesAffected core subsystem(s)
crypto test
Description of change
Refs: #8040, #8203, #8225
This re-adds crypto.timingSafeEqual, which was previously reverted due to test failures and concerns that the implementation might not be timing-safe.
Some investigation is still needed to determine why the tests are failing on ARM systems.