mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-08-07 07:37:02 +02:00
Code Issues Projects Releases Wiki Activity

CLEANUP: jwt: Remove the use of a trash buffer in jwt_jwsverify_hmac()

Browse Source 
The OpenSSL documentation (https://www.openssl.org/docs/man1.1.0/man3/HMAC.html)
specifies:

> It places the result in md (which must have space for the output of the hash
> function, which is no more than EVP_MAX_MD_SIZE bytes). If md is NULL, the
> digest is placed in a static array. The size of the output is placed in
> md_len, unless it is NULL. Note: passing a NULL value for md to use the
> static array is not thread safe.

`EVP_MAX_MD_SIZE` appears to be defined as `64`, so let's simply use a stack
buffer to avoid the whole memory management.
This commit is contained in:
Tim Duesterhus 2021-10-18 18:40:28 +02:00 committed by Willy Tarreau
parent 24b8d693b2
commit c87d3c21bf
1 changed files with 1 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
src/jwt.c
View File

@ -175,19 +175,11 @@ static enum jwt_vrfy_status
jwt_jwsverify_hmac(const struct jwt_ctx *ctx, const struct buffer *decoded_signature) jwt_jwsverify_hmac(const struct jwt_ctx *ctx, const struct buffer *decoded_signature)
{ {
const EVP_MD *evp = NULL; const EVP_MD *evp = NULL;
unsigned char *signature = NULL; unsigned char signature[EVP_MAX_MD_SIZE];
unsigned int signature_length = 0; unsigned int signature_length = 0;
struct buffer *trash = NULL;
unsigned char *hmac_res = NULL; unsigned char *hmac_res = NULL;
enum jwt_vrfy_status retval = JWT_VRFY_KO; enum jwt_vrfy_status retval = JWT_VRFY_KO;
trash = alloc_trash_chunk();
if (!trash)
return JWT_VRFY_OUT_OF_MEMORY;
signature = (unsigned char*)trash->area;
signature_length = trash->size;
switch(ctx->alg) { switch(ctx->alg) {
case JWS_ALG_HS256: case JWS_ALG_HS256:
evp = EVP_sha256(); evp = EVP_sha256();
@ -208,8 +200,6 @@ jwt_jwsverify_hmac(const struct jwt_ctx *ctx, const struct buffer *decoded_signa
(CRYPTO_memcmp(decoded_signature->area, signature, signature_length) == 0)) (CRYPTO_memcmp(decoded_signature->area, signature, signature_length) == 0))
retval = JWT_VRFY_OK; retval = JWT_VRFY_OK;
free_trash_chunk(trash);
return retval; return retval;
} }