Posted to reviews@mesos.apache.org by Alexander Rojas <al...@mesosphere.io> on 2018/05/29 14:21:07 UTC
Review Request 67357: Added constant time comparison of JWT signatures.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/67357/
-----------------------------------------------------------
Review request for mesos and Alexander Rukletsov.
Repository: mesos
Description
-------
A vulnerability in our JWT implementation allows an unauthenticated
remote attacker to execute timing [attacks](https://codahale.com/a-lesson-in-timing-attacks/).
This patch removes the vulnerability by adding a constant time
comparison of hashes, where the whole message is visited during
the comparison instead of returning at the first failure.
Diffs
-----
3rdparty/libprocess/src/jwt.cpp 4477ddd17dede2b924a47e33942b39244f10316f
Diff: https://reviews.apache.org/r/67357/diff/1/
Testing
-------
```sh
make check
```
Thanks,
Alexander Rojas
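The two comparison strategies the description contrasts, as an added example that is not code from the Mesos patch itself: the function names and the `bytesVisited` counter are my own, and the counter stands in for wall-clock time so the leak is visible without a timer.

```cpp
#include <cstddef>
#include <string>

// Result of a comparison plus how many bytes the loop actually examined, so
// the difference between the two strategies is visible without a clock.
struct CompareResult {
  bool equal;
  size_t bytesVisited;
};

// The pattern the patch replaces: the loop returns at the first mismatch, so
// the number of bytes examined (and therefore the time taken) depends on how
// long a prefix of the candidate signature matches the expected one.
CompareResult earlyExitCompare(const std::string& expected,
                               const std::string& candidate) {
  if (expected.size() != candidate.size()) {
    return {false, 0};
  }
  for (size_t i = 0; i < expected.size(); ++i) {
    if (expected[i] != candidate[i]) {
      return {false, i + 1};
    }
  }
  return {true, expected.size()};
}

// Constant-time comparison: every byte is visited whether or not an earlier
// one mismatched, and differences are accumulated with bitwise OR so there is
// no data-dependent branch inside the loop. A length mismatch is rejected up
// front; for an HMAC signature the length is fixed by the algorithm and is
// not secret. `volatile` discourages the compiler from short-circuiting.
CompareResult constantTimeCompare(const std::string& expected,
                                  const std::string& candidate) {
  if (expected.size() != candidate.size()) {
    return {false, 0};
  }
  volatile unsigned char diff = 0;
  for (size_t i = 0; i < expected.size(); ++i) {
    diff = diff | (static_cast<unsigned char>(expected[i]) ^
                   static_cast<unsigned char>(candidate[i]));
  }
  return {diff == 0, expected.size()};
}
```

With a mismatch at the third byte, `earlyExitCompare` stops after 3 bytes while `constantTimeCompare` always walks all 6.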