mesos-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ti...@apache.org
Subject [mesos] 01/02: Fixed thread safety issue in jwt signature validation.
Date Sat, 01 Dec 2018 14:33:31 GMT
This is an automated email from the ASF dual-hosted git repository.

tillt pushed a commit to branch 1.6.x
in repository https://gitbox.apache.org/repos/asf/mesos.git

commit 97c3afef6081b40cf91cc16675a49038fa4bfac0
Author: Alexander Rojas <alexander@mesosphere.io>
AuthorDate: Sat Dec 1 14:28:14 2018 +0100

    Fixed thread safety issue in jwt signature validation.
    
    Fixes the implementation of the OpenSSL utilities which computed an
    HMAC 256 signature by making a non thread safe call to the OpenSSL
    library.
    
    Review: https://reviews.apache.org/r/69412/
---
 3rdparty/libprocess/src/ssl/utilities.cpp | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/3rdparty/libprocess/src/ssl/utilities.cpp b/3rdparty/libprocess/src/ssl/utilities.cpp
index 4d3727d..f59de67 100644
--- a/3rdparty/libprocess/src/ssl/utilities.cpp
+++ b/3rdparty/libprocess/src/ssl/utilities.cpp
@@ -349,6 +349,7 @@ Try<std::string> generate_hmac_sha256(
   const std::string& key)
 {
   unsigned int md_len = 0;
+  unsigned char buffer[EVP_MAX_MD_SIZE] = {0};
 
   unsigned char* rc = HMAC(
       EVP_sha256(),
@@ -356,7 +357,7 @@ Try<std::string> generate_hmac_sha256(
       key.size(),
       reinterpret_cast<const unsigned char*>(message.data()),
       message.size(),
-      nullptr,
+      buffer,
       &md_len);
 
   if (rc == nullptr) {
@@ -366,7 +367,7 @@ Try<std::string> generate_hmac_sha256(
         "HMAC failed" + (reason == nullptr ? "" : ": " + std::string(reason)));
   }
 
-  return std::string(reinterpret_cast<char*>(rc), md_len);
+  return std::string(reinterpret_cast<char*>(buffer), md_len);
 }
 
 } // namespace openssl {


Mime
View raw message