Posted to commits@mesos.apache.org by ti...@apache.org on 2018/12/01 13:31:55 UTC
[mesos] branch master updated: Fixed thread safety issue in jwt
signature validation.
This is an automated email from the ASF dual-hosted git repository.
tillt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mesos.git
The following commit(s) were added to refs/heads/master by this push:
new 9bba87b Fixed thread safety issue in jwt signature validation.
9bba87b is described below
commit 9bba87b963aeaf3c0fbbe8ee10724d012e3a5283
Author: Alexander Rojas <al...@mesosphere.io>
AuthorDate: Sat Dec 1 14:28:14 2018 +0100
Fixed thread safety issue in jwt signature validation.
Fixes the implementation of the OpenSSL utilities, which computed an
HMAC 256 signature by making a non-thread-safe call to the OpenSSL
library.
Review: https://reviews.apache.org/r/69412/
---
3rdparty/libprocess/src/ssl/utilities.cpp | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/3rdparty/libprocess/src/ssl/utilities.cpp b/3rdparty/libprocess/src/ssl/utilities.cpp
index 72ad079..c4a8ab4 100644
--- a/3rdparty/libprocess/src/ssl/utilities.cpp
+++ b/3rdparty/libprocess/src/ssl/utilities.cpp
@@ -355,6 +355,7 @@ Try<string> generate_hmac_sha256(
const string& key)
{
unsigned int md_len = 0;
+ unsigned char buffer[EVP_MAX_MD_SIZE] = {0};
unsigned char* rc = HMAC(
EVP_sha256(),
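Review bot: The new `buffer` declaration has no comment explaining why a caller-owned output buffer is needed, so a later cleanup could put `nullptr` back as the `md` argument and reintroduce the race. OpenSSL documents that HMAC() with a null `md` places the digest in a static array and that this use is not thread safe, which matches what the commit message describes. I would add above the declaration: `// Use a local buffer: with a null md, HMAC() writes to a static array, which is not thread safe.` The body of generate_hmac_sha256 starts before this hunk and continues past it.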
@@ -362,7 +363,7 @@ Try<string> generate_hmac_sha256(
key.size(),
reinterpret_cast<const unsigned char*>(message.data()),
message.size(),
- nullptr,
+ buffer,
&md_len);
if (rc == nullptr) {
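Review bot: `key.size()` on the first line of this hunk is a `size_t`, but HMAC() takes the key length as `int`, so the value is narrowed silently at the call. A key larger than INT_MAX is unlikely in practice, but it would reach OpenSSL as a wrong or negative length instead of failing cleanly. A guard before the call, for example `if (key.size() > INT_MAX) { return Error("HMAC key too long"); }`, makes that case explicit. That `Error` is the failure type here is inferred from the `Try<string>` return, and the start of the call is outside the hunk.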
@@ -372,7 +373,7 @@ Try<string> generate_hmac_sha256(
"HMAC failed" + (reason == nullptr ? "" : ": " + string(reason)));
}
- return string(reinterpret_cast<char*>(rc), md_len);
+ return string(reinterpret_cast<char*>(buffer), md_len);
}