
Added constant time comparison of JWT signatures.

A vulnerability in our JWT implementation allows an unauthenticated
remote attacker to execute timing attacks [1].

This patch removes the vulnerability by adding a constant time
comparison of hashes, where the whole message is visited during
the comparison instead of returning at the first failure.

[1] https://codahale.com/a-lesson-in-timing-attacks/

Review: https://reviews.apache.org/r/67357
sambatyon committed May 29, 2018
1 parent fd362da commit 2c282f19755ea7518caf6f43e729524b1c6bdb23
Showing with 19 additions and 3 deletions.
  1. +19 −3 3rdparty/libprocess/src/jwt.cpp
@@ -159,6 +159,24 @@ Try<JSON::Object> parse_payload(const string& component)
return payload;
}
// Implements equality between strings which run in constant time by either
// comparing the sizes, and thus ignoring their content, or checking the whole
// content of them, thus avoiding timing attacks when comparing hashes.
bool constantTimeEquals(const string& left, const string& right)
{
if (left.size() != right.size()) {
return false;
}
unsigned valid = 0;
for (size_t i = 0; i < left.size(); ++i) {
valid |= left[i] ^ right[i];
}
return valid == 0;
}
} // namespace {
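Review bot: In constantTimeEquals the accumulator is named `valid` but holds the OR of all byte differences, so it is nonzero exactly when the strings differ and `return valid == 0;` reads inverted; rename it to something like `difference`. `left[i] ^ right[i]` also XORs two `char` values after promotion to `int`; the result is still zero only for equal bytes, but casting both operands to `unsigned char` would make that explicit. The comment could also say outright that the early return on a size mismatch reveals only the length, which is acceptable here because the length of an HMAC is not secret.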
@@ -250,9 +268,7 @@ Try<JWT, JWTError> JWT::parse(const string& token, const string& secret)
JWTError::Type::UNKNOWN);
}
const bool valid = hmac.get() == signature.get();
if (!valid) {
if (!constantTimeEquals(hmac.get(), signature.get())) {
return JWTError(
"Token signature does not match",
JWTError::Type::INVALID_TOKEN);
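Review bot: The switch from `hmac.get() == signature.get()` to `constantTimeEquals(hmac.get(), signature.get())` in JWT::parse comes with no test change, since the commit touches only 3rdparty/libprocess/src/jwt.cpp. Add JWT test cases for a signature of the correct length that differs only in its last byte and for one of a different length, so both the size check and the full-length loop in constantTimeEquals are exercised through the "Token signature does not match" path.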
