  1. Mesos
  2. MESOS-9411

Validation of JWT tokens using HS256 hashing algorithm is not thread safe.


Details

    • Mesos Integration R8 Sprint 34
    • 5

    Description

      From the OpenSSL documentation:

      It places the result in md (which must have space for the output of the hash function, which is no more than EVP_MAX_MD_SIZE bytes). If md is NULL, the digest is placed in a static array. The size of the output is placed in md_len, unless it is NULL. Note: passing a NULL value for md to use the static array is not thread safe.

      We are calling HMAC() as follows:

        unsigned int md_len = 0;
      
        unsigned char* rc = HMAC(
            EVP_sha256(),
            secret.data(),
            secret.size(),
            reinterpret_cast<const unsigned char*>(message.data()),
            message.size(),
            nullptr,       // <----- This is `md`
            &md_len);
      
        if (rc == nullptr) {
          return Error(addErrorReason("HMAC failed"));
        }
      
        return string(reinterpret_cast<char*>(rc), md_len);
      

      Given that this code does not run inside a process, race conditions could occur.
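
An added example, not code from Mesos or OpenSSL, that models the buffer contract quoted from the documentation above: `toy_mac` is a hypothetical stand-in for `HMAC()` (FNV-1a, not a real MAC), and the second thread's call is replayed sequentially so the outcome is deterministic. With the real API, the corrected form passes a caller-owned array of `EVP_MAX_MD_SIZE` bytes as `md`.

```cpp
// Added example: model of the md == NULL contract; not Mesos or OpenSSL code.
#include <array>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <string>

constexpr unsigned int MAX_MD = 8;  // stand-in for EVP_MAX_MD_SIZE

// Hypothetical stand-in for HMAC(): FNV-1a, NOT a real MAC. Like HMAC(), it
// writes to `md` when given and to one process-wide static array otherwise.
unsigned char* toy_mac(const std::string& key, const std::string& msg,
                       unsigned char* md, unsigned int* md_len) {
  static unsigned char shared[MAX_MD];
  std::uint64_t h = 1469598103934665603ULL;
  for (unsigned char c : key + '\0' + msg) { h ^= c; h *= 1099511628211ULL; }
  unsigned char* out = (md != nullptr) ? md : shared;
  std::memcpy(out, &h, MAX_MD);
  if (md_len != nullptr) *md_len = MAX_MD;
  return out;
}

// Pattern from the report. `other` replays, in sequence, a second thread
// signing a different message between the call returning and the copy.
std::string sign_unsafe(const std::string& key, const std::string& msg,
                        const std::string* other = nullptr) {
  unsigned int len = 0;
  unsigned char* rc = toy_mac(key, msg, nullptr, &len);
  if (other != nullptr) toy_mac(key, *other, nullptr, nullptr);
  return std::string(reinterpret_cast<char*>(rc), len);  // may be other's MAC
}

// Caller-owned buffer: each call (and each thread) has private storage.
std::string sign_safe(const std::string& key, const std::string& msg,
                      const std::string* other = nullptr) {
  std::array<unsigned char, MAX_MD> md{}, scratch{};
  unsigned int len = 0;
  toy_mac(key, msg, md.data(), &len);
  if (other != nullptr) toy_mac(key, *other, scratch.data(), nullptr);
  return std::string(reinterpret_cast<char*>(md.data()), len);
}

int main() {  // key and messages below are constructed sample values
  const std::string key = "constructed-secret", a = "hdr.payloadA", b = "hdr.payloadB";
  std::cout << std::boolalpha
            << "unsafe, interleaved == MAC(a): " << (sign_unsafe(key, a, &b) == sign_safe(key, a)) << "\n"
            << "safe,   interleaved == MAC(a): " << (sign_safe(key, a, &b) == sign_safe(key, a)) << "\n";
}
```

In the unsafe path the returned string is the MAC of the other message, so a signature comparison made with it no longer says anything about the token being validated.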

          People

            arojas Alexander Rojas
            arojas Alexander Rojas
            Till Toenshoff Till Toenshoff