mesos-reviews mailing list archives

From Alexander Rojas <alexan...@mesosphere.io>
Subject Review Request 67357: Added constant time comparison of JWT signatures.
Date Tue, 29 May 2018 14:21:07 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/67357/
-----------------------------------------------------------

Review request for mesos and Alexander Rukletsov.


Repository: mesos


Description
-------

A vulnerability in our JWT implementation allows an unauthenticated
remote attacker to execute timing [attacks](https://codahale.com/a-lesson-in-timing-attacks/).

This patch removes the vulnerability by adding a constant time
comparison of hashes, where the whole message is visited during
the comparison instead of returning at the first failure.


Diffs
-----

  3rdparty/libprocess/src/jwt.cpp 4477ddd17dede2b924a47e33942b39244f10316f 


Diff: https://reviews.apache.org/r/67357/diff/1/


Testing
-------

```sh
make check
```


Thanks,

Alexander Rojas
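To make the description above concrete, here is an added illustration of the two comparison strategies it contrasts. This is example code written for this page, not the review's diff or any code from Mesos or libprocess; the function names, the instrumented `CompareResult` struct and the sample secret are assumptions made for the demonstration. `naiveCompare` returns at the first mismatching byte, `constantTimeCompare` visits every byte and folds differences into an accumulator, and `recoverByTimingOracle` plays the remote attacker, using the number of bytes visited as a stand-in for the response time a real attacker would measure when submitting forged JWT signatures.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <string>

// Instrumented result: `equal` is the verdict, `bytesVisited` counts how many
// byte comparisons the loop actually performed. The counter stands in for
// wall-clock time, which is what a remote attacker would measure.
struct CompareResult {
  bool equal;
  size_t bytesVisited;
};

// Early-exit comparison, the pattern the review above removes: the loop
// returns at the first mismatching byte, so the work done (and the elapsed
// time) grows with the length of the correct prefix of `guess`.
CompareResult naiveCompare(const std::string& expected, const std::string& guess) {
  if (expected.size() != guess.size()) {
    return {false, 0};
  }
  size_t visited = 0;
  for (size_t i = 0; i < expected.size(); ++i) {
    ++visited;
    if (expected[i] != guess[i]) {
      return {false, visited};  // data-dependent early exit: the timing leak
    }
  }
  return {true, visited};
}

// Constant-time comparison: every byte of both inputs is visited no matter
// where the first difference is, and mismatches are folded into `diff` with
// XOR/OR instead of a branch. A length mismatch is folded in the same way
// rather than returned early. For a JWT the signature length is public
// (e.g. 32 bytes for HMAC-SHA256), so iterating over the longer input leaks
// nothing the attacker does not already know.
CompareResult constantTimeCompare(const std::string& expected, const std::string& guess) {
  const size_t n = std::max(expected.size(), guess.size());
  unsigned char diff = static_cast<unsigned char>(expected.size() != guess.size());
  size_t visited = 0;
  for (size_t i = 0; i < n; ++i) {
    ++visited;
    // Read from whichever input is long enough; pad the shorter one with 0.
    const unsigned char x = i < expected.size() ? static_cast<unsigned char>(expected[i]) : 0;
    const unsigned char y = i < guess.size() ? static_cast<unsigned char>(guess[i]) : 0;
    diff |= static_cast<unsigned char>(x ^ y);
  }
  return {diff == 0, visited};
}

// Simulated remote attacker (hypothetical, for this example). The signature
// length is assumed known. At each position the attacker keeps the candidate
// byte that made the comparison do the most work, and stops as soon as a
// guess is accepted. Against naiveCompare the most work is done by the
// correct byte; against constantTimeCompare every candidate does the same
// work, so the attacker learns nothing and is left with the first candidate.
std::string recoverByTimingOracle(
    const std::string& secret,
    CompareResult (*compare)(const std::string&, const std::string&)) {
  std::string guess(secret.size(), '\0');
  for (size_t pos = 0; pos < secret.size(); ++pos) {
    size_t bestVisited = 0;
    unsigned char bestByte = 0;
    for (int candidate = 0; candidate < 256; ++candidate) {
      guess[pos] = static_cast<char>(candidate);
      const CompareResult r = compare(secret, guess);
      if (r.equal) {
        return guess;  // forged signature accepted: full recovery
      }
      if (r.bytesVisited > bestVisited) {
        bestVisited = r.bytesVisited;
        bestByte = static_cast<unsigned char>(candidate);
      }
    }
    guess[pos] = static_cast<char>(bestByte);
  }
  return guess;
}

int main() {
  // Constructed 16-byte stand-in for a server-side signature (no NUL bytes).
  const std::string secret = "jwt-sig-example!";
  const std::string viaNaive = recoverByTimingOracle(secret, naiveCompare);
  const std::string viaConst = recoverByTimingOracle(secret, constantTimeCompare);
  std::printf("early-exit compare : recovered %s\n",
              viaNaive == secret ? "the full signature" : "nothing useful");
  std::printf("constant-time compare: recovered %s\n",
              viaConst == secret ? "the full signature" : "nothing useful");
  return 0;
}
```

The byte counter is deliberately coarse: real attacks must average many requests to pull a few nanoseconds of difference out of network jitter, which is why the cited write-up treats the leak as exploitable rather than theoretical. The defence is the shape of the loop, not its speed: no branch or early return may depend on the content of the two inputs, and the same applies to whatever wraps the comparison (no short-circuit on length before the loop runs).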

