You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@mesos.apache.org by "Gavin (JIRA)" <ji...@apache.org> on 2019/04/29 09:28:01 UTC
[jira] [Issue Comment Deleted] (MESOS-9411) Validation of JWT
tokens using HS256 hashing algorithm is not thread safe.
[ https://issues.apache.org/jira/browse/MESOS-9411?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gavin updated MESOS-9411:
-------------------------
Comment: was deleted
(was: www.rtat.net)
> Validation of JWT tokens using HS256 hashing algorithm is not thread safe.
> --------------------------------------------------------------------------
>
> Key: MESOS-9411
> URL: https://issues.apache.org/jira/browse/MESOS-9411
> Project: Mesos
> Issue Type: Bug
> Components: libprocess
> Affects Versions: 1.5.1, 1.6.0, 1.7.0, 1.8.0
> Reporter: Alexander Rojas
> Assignee: Alexander Rojas
> Priority: Major
> Labels: integration, mesosphere, security
> Fix For: 1.5.3, 1.6.2, 1.7.1, 1.8.0
>
>
> from the [OpenSSL documentation|https://www.openssl.org/docs/man1.0.2/crypto/hmac.html]:
> {quote}
> It places the result in {{md}} (which must have space for the output of the hash function, which is no more than {{EVP_MAX_MD_SIZE}} bytes). If {{md}} is {{NULL}}, the digest is placed in a static array. The size of the output is placed in {{md_len}}, unless it is {{NULL}}. Note: passing a {{NULL}} value for {{md}} to use the static array is not thread safe.
> {quote}
> We are calling {{HMAC()}} as follows:
> {code}
> unsigned int md_len = 0;
> unsigned char* rc = HMAC(
> EVP_sha256(),
> secret.data(),
> secret.size(),
> reinterpret_cast<const unsigned char*>(message.data()),
> message.size(),
> nullptr, // <----- This is `md`
> &md_len);
> if (rc == nullptr) {
> return Error(addErrorReason("HMAC failed"));
> }
> return string(reinterpret_cast<char*>(rc), md_len);
> {code}
> Given that this code does not run inside a process, race conditions could occur.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)