You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@mesos.apache.org by "Alexander Rojas (JIRA)" <ji...@apache.org> on 2018/11/21 13:47:00 UTC

[jira] [Created] (MESOS-9411) Validation of JWT tokens using HS256 hashing algorithm is not thread safe.

Alexander Rojas created MESOS-9411:
--------------------------------------

             Summary: Validation of JWT tokens using HS256 hashing algorithm is not thread safe.
                 Key: MESOS-9411
                 URL: https://issues.apache.org/jira/browse/MESOS-9411
             Project: Mesos
          Issue Type: Bug
          Components: libprocess
    Affects Versions: 1.8.0
            Reporter: Alexander Rojas
            Assignee: Alexander Rojas


from the [OpenSSL documentation|https://www.openssl.org/docs/man1.0.2/crypto/hmac.html]:

{quote}
It places the result in {{md}} (which must have space for the output of the hash function, which is no more than {{EVP_MAX_MD_SIZE}} bytes). If {{md}} is {{NULL}}, the digest is placed in a static array. The size of the output is placed in {{md_len}}, unless it is {{NULL}}. Note: passing a {{NULL}} value for {{md}} to use the static array is not thread safe.
{quote}

We are calling {{HMAC()}} as follows:

{code}
  unsigned int md_len = 0;

  unsigned char* rc = HMAC(
      EVP_sha256(),
      secret.data(),
      secret.size(),
      reinterpret_cast<const unsigned char*>(message.data()),
      message.size(),
      nullptr,       // <----- This is `md`
      &md_len);

  if (rc == nullptr) {
    return Error(addErrorReason("HMAC failed"));
  }

  return string(reinterpret_cast<char*>(rc), md_len);
{code}

Given that this code does not run inside a process, race conditions could occur.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)