[
https://issues.apache.org/jira/browse/MESOS-9411?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Gavin updated MESOS-9411:
-------------------------
Comment: was deleted
(was: www.rtat.net)
> Validation of JWT tokens using HS256 hashing algorithm is not thread safe.
> --------------------------------------------------------------------------
>
> Key: MESOS-9411
> URL: https://issues.apache.org/jira/browse/MESOS-9411
> Project: Mesos
> Issue Type: Bug
> Components: libprocess
> Affects Versions: 1.5.1, 1.6.0, 1.7.0, 1.8.0
> Reporter: Alexander Rojas
> Assignee: Alexander Rojas
> Priority: Major
> Labels: integration, mesosphere, security
> Fix For: 1.5.3, 1.6.2, 1.7.1, 1.8.0
>
>
> from the [OpenSSL
> documentation|https://www.openssl.org/docs/man1.0.2/crypto/hmac.html]:
> {quote}
> It places the result in {{md}} (which must have space for the output of the
> hash function, which is no more than {{EVP_MAX_MD_SIZE}} bytes). If {{md}} is
> {{NULL}}, the digest is placed in a static array. The size of the output is
> placed in {{md_len}}, unless it is {{NULL}}. Note: passing a {{NULL}} value
> for {{md}} to use the static array is not thread safe.
> {quote}
> We are calling {{HMAC()}} as follows:
> {code}
> unsigned int md_len = 0;
> unsigned char* rc = HMAC(
> EVP_sha256(),
> secret.data(),
> secret.size(),
> reinterpret_cast<const unsigned char*>(message.data()),
> message.size(),
> nullptr, // <----- This is `md`
> &md_len);
> if (rc == nullptr) {
> return Error(addErrorReason("HMAC failed"));
> }
> return string(reinterpret_cast<char*>(rc), md_len);
> {code}
> Given that this code does not run inside a process, race conditions could
> occur.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
