New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
x/net/http2/hpack: optimize constantTimeStringCompare #19238
Comments
"Optimize" like in "call it less" or like in "make it faster"? If uglier code is fine, unrolling the loop gives a nice boost EDIT: yeah, need to benchmark better. |
Either/both? |
How long are typical inputs to constantTimeStringCompare? |
Inputs are HTTP header values, so typically less than 100 bytes. (The longest would probably be some random UUID/hex-looking session identifier.) |
CL https://golang.org/cl/37329 mentions this issue. |
@tombergan, are you able to share a histogram of HTTP header value sizes from the Flywheel data? I tried looking at https://telemetry.mozilla.org/ too but don't see it. |
I'm not sure why constant time string comparison is needed in the first place. RFC 7541 does not mention a need for this AFAICT. I couldn't find any reported vulnerabilities after a quick search. It seems like staticTable could be implemented as a map rather than an array. I looked at the source code for two other HTTP2 implementations. Neither appears to use constant-time string comparisons: /cc @tatsuhiro-t who originally wrote the code, thoughts? |
There was a statement regarding prevention of timing attacks, but it was removed. |
Thanks for digging that up. In that case, I think it's safe to remove the constant-time string comparison entirely. |
SGTM. Sent you a CL. |
I think it was removed because Never Indexed has been introduced for the sensitive header fields. |
CL https://golang.org/cl/37394 mentions this issue. |
Delete the constant time string comparison. It's slow and shows up in profiles, nobody else does it, and the spec text no longer recommends doing it. See bug for discussion and details. Also clean up some naked returns while I'm here (noted during review). Fixes golang/go#19238 Change-Id: I344c5766c5d97bbcf01eab0624097941591ce00f Reviewed-on: https://go-review.googlesource.com/37394 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Tom Bergan <tombergan@google.com>
hpack's constantTimeStringCompare shows up in profiles as slow.
Investigate optimizing it.
/cc @jeffallen @tombergan
The text was updated successfully, but these errors were encountered: