'use strict'; const common = require('../common'); if (!common.hasCrypto) common.skip('missing crypto'); if (!common.enoughTestMem) common.skip('memory-intensive test'); const assert = require('assert'); const crypto = require('crypto'); const BENCHMARK_FUNC_PATH = `${common.fixturesDir}/crypto-timing-safe-equal-benchmark-func`; function runOneBenchmark(...args) { const benchmarkFunc = require(BENCHMARK_FUNC_PATH); const result = benchmarkFunc(...args); // Don't let the comparison function get cached. This avoid a timing // inconsistency due to V8 optimization where the function would take // less time when called with a specific set of parameters. delete require.cache[require.resolve(BENCHMARK_FUNC_PATH)]; return result; } function getTValue(compareFunc) { const numTrials = 1e5; const bufSize = 10000; // Perform benchmarks to verify that timingSafeEqual is actually timing-safe. const rawEqualBenches = Array(numTrials); const rawUnequalBenches = Array(numTrials); for (let i = 0; i < numTrials; i++) { if (Math.random() < 0.5) { // First benchmark: comparing two equal buffers rawEqualBenches[i] = runOneBenchmark(compareFunc, 'A', 'A', bufSize); // Second benchmark: comparing two unequal buffers rawUnequalBenches[i] = runOneBenchmark(compareFunc, 'B', 'C', bufSize); } else { // Flip the order of the benchmarks half of the time. rawUnequalBenches[i] = runOneBenchmark(compareFunc, 'B', 'C', bufSize); rawEqualBenches[i] = runOneBenchmark(compareFunc, 'A', 'A', bufSize); } } const equalBenches = filterOutliers(rawEqualBenches); const unequalBenches = filterOutliers(rawUnequalBenches); // Use a two-sample t-test to determine whether the timing difference between // the benchmarks is statistically significant. // https://wikipedia.org/wiki/Student%27s_t-test#Independent_two-sample_t-test const equalMean = mean(equalBenches); const unequalMean = mean(unequalBenches); const equalLen = equalBenches.length; const unequalLen = unequalBenches.length; const combinedStd = combinedStandardDeviation(equalBenches, unequalBenches); const standardErr = combinedStd * Math.sqrt(1 / equalLen + 1 / unequalLen); return (equalMean - unequalMean) / standardErr; } // Returns the mean of an array function mean(array) { return array.reduce((sum, val) => sum + val, 0) / array.length; } // Returns the sample standard deviation of an array function standardDeviation(array) { const arrMean = mean(array); const total = array.reduce((sum, val) => sum + Math.pow(val - arrMean, 2), 0); return Math.sqrt(total / (array.length - 1)); } // Returns the common standard deviation of two arrays function combinedStandardDeviation(array1, array2) { const sum1 = Math.pow(standardDeviation(array1), 2) * (array1.length - 1); const sum2 = Math.pow(standardDeviation(array2), 2) * (array2.length - 1); return Math.sqrt((sum1 + sum2) / (array1.length + array2.length - 2)); } // Filter large outliers from an array. A 'large outlier' is a value that is at // least 50 times larger than the mean. This prevents the tests from failing // due to the standard deviation increase when a function unexpectedly takes // a very long time to execute. function filterOutliers(array) { const arrMean = mean(array); return array.filter((value) => value / arrMean < 50); } // t_(0.99995, ∞) // i.e. If a given comparison function is indeed timing-safe, the t-test result // has a 99.99% chance to be below this threshold. Unfortunately, this means // that this test will be a bit flakey and will fail 0.01% of the time even if // crypto.timingSafeEqual is working properly. // t-table ref: http://www.sjsu.edu/faculty/gerstman/StatPrimer/t-table.pdf // Note that in reality there are roughly `2 * numTrials - 2` degrees of // freedom, not ∞. However, assuming `numTrials` is large, this doesn't // significantly affect the threshold. const T_THRESHOLD = 3.892; const t = getTValue(crypto.timingSafeEqual); assert( Math.abs(t) < T_THRESHOLD, `timingSafeEqual should not leak information from its execution time (t=${t})` ); // As a sanity check to make sure the statistical tests are working, run the // same benchmarks again, this time with an unsafe comparison function. In this // case the t-value should be above the threshold. const unsafeCompare = (bufA, bufB) => bufA.equals(bufB); const t2 = getTValue(unsafeCompare); assert( Math.abs(t2) > T_THRESHOLD, `Buffer#equals should leak information from its execution time (t=${t2})` );