Uploaded image for project: 'Mesos'
  1. Mesos
  2. MESOS-9411

Validation of JWT tokens using HS256 hashing algorithm is not thread safe.

    XMLWordPrintableJSON

    Details

    • Target Version/s:
    • Sprint:
      Mesos Integration R8 Sprint 34
    • Story Points:
      5

      Description

      from the OpenSSL documentation:

      It places the result in md (which must have space for the output of the hash function, which is no more than EVP_MAX_MD_SIZE bytes). If md is NULL, the digest is placed in a static array. The size of the output is placed in md_len, unless it is NULL. Note: passing a NULL value for md to use the static array is not thread safe.

      We are calling HMAC() as follows:

        unsigned int md_len = 0;
      
        unsigned char* rc = HMAC(
            EVP_sha256(),
            secret.data(),
            secret.size(),
            reinterpret_cast<const unsigned char*>(message.data()),
            message.size(),
            nullptr,       // <----- This is `md`
            &md_len);
      
        if (rc == nullptr) {
          return Error(addErrorReason("HMAC failed"));
        }
      
        return string(reinterpret_cast<char*>(rc), md_len);
      

      Given that this code does not run inside a process, race conditions could occur.

        Attachments

          Activity

            People

            • Assignee:
              arojas Alexander Rojas
              Reporter:
              arojas Alexander Rojas
              Shepherd:
              Till Toenshoff
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: