RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2024-12-15 16:04:37 +00:00
Code Issues Packages Projects Releases Wiki Activity

BUG/MINOR: jwt: use CRYPTO_memcmp() to compare HMACs

Browse Source 
As Tim reported in github issue #1414, we ought to use a constant-time
memcmp() when comparing hashes to avoid time-based attacks. Let's use
CRYPTO_memcmp() since this code already depends on openssl.

No backport is needed, this was just merged into 2.5.
This commit is contained in:
Willy Tarreau 2021-10-15 11:52:41 +02:00
parent 468c000db0
commit ce16db4145
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/jwt.c
View File

@ -205,7 +205,7 @@ jwt_jwsverify_hmac(const struct jwt_ctx *ctx, const struct buffer *decoded_signa
ctx->jose.length + ctx->claims.length + 1, signature, &signature_length);
if (hmac_res && signature_length == decoded_signature->data &&
(memcmp(decoded_signature->area, signature, signature_length) == 0))
(CRYPTO_memcmp(decoded_signature->area, signature, signature_length) == 0))
retval = JWT_VRFY_OK;
free_trash_chunk(trash);