Google Chrome 115.0.5790.102 produces incorrect SHA-256 hashes about js-sha256 HOT 21 CLOSED

We're experiencing slowly increasing error rate based some Chrome version rollout.

For now, we changed to @aws-crypto/sha256-js

import { Sha256 } from '@aws-crypto/sha256-js';

export const sha256 = (s: string): string => {
  const hash = new Sha256();
  hash.update(s);
  const hashUint8Array = hash.digestSync();

  return Buffer.from(hashUint8Array).toString('hex');
};

from js-sha256.

workaround in v0.10.0. Please check if it fixed.

from js-sha256.

I'm having the same issue with Chrome 116.0.5845.110 on x86-64 Linux. The JIT is doing some weird optimizations to the a variable in the Sha256.prototype.hash function which causes its value to be inconsistent.

As a workaround, using the a variable immediately after setting it in each pass seems to fix this. I accomplish this by passing it to an empty unnamed function here.

from js-sha256.

@hanzheliva I can reproduce by download old version. And I use @NicolasFlamel1 's workaround but change to an assignment

{
  //...
  e = a + t1 << 0;
  a = t1 + t2 << 0;
  this.chromeBugWorkAround = true;
}

This seems work and won't lose performance too much. I will use this change to fix this issue in next version.

But I can't sign in my npm account to publish. still working on it...

from js-sha256.

@djouf007 I found that I can disable polyfills in my package. use v0.10.1 should work.

from js-sha256.

I have a similar problem with Google Chrome 116.0.0.0, it will produce incorrect hashes for a while and then after a certain number of hashes are computed, all future hash outputs will be correct.

from js-sha256.

Can you give a sample code?

from js-sha256.

I can reproduce it in Chrome 116.0.5845.110 using this code:

<html>
<body>
<pre id="output"></pre>
<script src="https://cdn.jsdelivr.net/gh/emn178/js-sha256/build/sha256.min.js"></script>
<script>
    for (let i = 0; i < 100; i++) {
        document.getElementById("output").innerText += i + ": " + sha256.hex("a") + "\n"
    }
</script>
</body>
</html>

After 33 iterations it starts returning a different value.

from js-sha256.

An input of "b" is even more interesting. Then it produces more than two different values.

from js-sha256.

I can't reproduce in my Chrome 116.0.5845.110 (arm64)

from js-sha256.

I had the same problem and needed to open a traceless browser to solve it.my Chrome 116.0.5845.96

from js-sha256.

Same problem, could you help how to fixe that in angular 16 pls, do i need to go to the file js-sha256? is it possible to explain how we do it

thanks

from js-sha256.

We've replaced this library with @aws-crypto/sha256-browser as a solution

from js-sha256.

I use @slisson 's sample code and tried on many versions and devices. I still can't reproduce this issue. Can you guys reproduce by the sample code?

from js-sha256.

https://commondatastorage.googleapis.com/chromium-browser-snapshots/index.html?prefix=Mac/1160321/

The link is located using https://www.chromium.org/getting-involved/download-chromium/

If you run this Chromium 116.0.5845.96 on Macbook x86 version, you will get a different hash after 132 tries.

And this behavior is not stable if you run the sample code another time

@emn178

from js-sha256.

My coworker and I narrowed at least part of it down to this i++ operation acting very strangely — if you hover over it and then other expressions on this line repeatedly in the debugger, it causes i to increment just by previewing that value, which is extremely not-correct behavior. At this state in the debugger i simultaneously has a value of 0, and 2 depending on which part of the devtools you ask, and it seems that the incremented value is the one used in the calculation.

Sharing in case this is helpful in updating this library's code to work around this problem. Perhaps not inlining the combined var and ++ parts might help? In particular it's weird that i is declared much higher up than where it's used in this loop.

from js-sha256.

FWIW, even though the above debugger behavior was reproducible on my computer, the simple repro case above does not repro for me, but does repro for my coworker consistently. I haven't run into this general problem happening in production, but he does very consistently. IIRC we use the same model of computer (m1 pro macbook pro 16")

from js-sha256.

Thanks Sir but i have this erros with npm install [email protected]

./node_modules/js-sha256/src/sha256.js:68:17-34 - Error: Module not found: Error: Can't resolve 'crypto' in '/var/www/produits/neoshop/neoV16/node_modules/js-sha256/src'

BREAKING CHANGE: webpack < 5 used to include polyfills for node.js core modules by default.
This is no longer the case. Verify if you need this module and configure a polyfill for it.

If you want to include a polyfill, you need to:
        - add a fallback 'resolve.fallback: { "crypto": require.resolve("crypto-browserify") }'
        - install 'crypto-browserify'
If you don't want to include a polyfill, you can use an empty module like this:
        resolve.fallback: { "crypto": false }

How do i can fixe this

Thanks again

from js-sha256.

This version remove eval, so webpack detects "require" and causes this. Please check
https://stackoverflow.com/questions/54162297/module-not-found-error-cant-resolve-crypto

from js-sha256.

Thank you so much; it's all working perfectly @emn178

from js-sha256.

Has anyone opened an issue on crbug.com for this?

from js-sha256.