Description of problem:
After I found a side-channel issue in a JWT library I was working with, I reviewed other implementations and found similar issues in a dozen different Open Source projects. In the case of cpp-jwt, the problem is located here:
https://github.com/arun11299/cpp-jwt/blob/10ef5735d842b31025f1257ae78899f50a40fb14/include/jwt/impl/algorithm.ipp#L66
The time operator == takes to complete depends on whether the characters in the provided base64url-encoded MAC match the proper value. This could allow an attacker to mount a timing attack through measurement of response times and statistical analysis.

Version-Release number of selected component (if applicable):
As far as I can see, all versions are vulnerable.

Additional info:
One way to fix the issue is to use a constant-time comparison function such as OpenSSL's CRYPTO_memcmp(). Another possibility is to use Double HMAC Verification as described here:
https://web.archive.org/web/20160203044316/https:/www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/february/double-hmac-verification/
I have reported the issue to the maintainer of the original Open Source project separately.
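The difference between an early-exit comparison and a constant-time one, as an added example that is not taken from cpp-jwt or from the patch attached to this bug. The names `leaky_equal`, `ct_equal` and `kExpected` are hypothetical, and the byte counter stands in for elapsed time so the effect is deterministic.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Constructed sample: stands in for a base64url-encoded MAC (not a real signature).
const std::string kExpected = "c2FtcGxlLW1hYy12YWx1ZS1mb3ItZGVtbw";

// Early-exit comparison, modelling what operator== is allowed to do.
// `examined` counts bytes inspected: the quantity that timing reveals.
bool leaky_equal(const std::string& a, const std::string& b, std::size_t& examined) {
    examined = 0;
    if (a.size() != b.size()) return false;
    for (std::size_t i = 0; i < a.size(); ++i) {
        ++examined;
        if (a[i] != b[i]) return false;  // exit position depends on the secret
    }
    return true;
}

// Constant-time comparison: no branch or exit depends on byte values.
// The length check may return early because the MAC length is public
// (fixed by the algorithm). With OpenSSL available, CRYPTO_memcmp()
// replaces the loop.
bool ct_equal(const std::string& a, const std::string& b, std::size_t& examined) {
    examined = 0;
    if (a.size() != b.size()) return false;
    volatile unsigned char diff = 0;  // volatile discourages short-circuit optimisation
    for (std::size_t i = 0; i < a.size(); ++i) {
        ++examined;
        diff = static_cast<unsigned char>(diff | (a[i] ^ b[i]));
    }
    return diff == 0;
}

int main() {
    std::string first = kExpected, last = kExpected;
    first.front() = '!';  // wrong in the first byte
    last.back() = '!';    // wrong only in the last byte
    std::size_t n1 = 0, n2 = 0;
    leaky_equal(kExpected, first, n1);
    leaky_equal(kExpected, last, n2);
    std::cout << "leaky: " << n1 << " vs " << n2 << " bytes examined\n";
    ct_equal(kExpected, first, n1);
    ct_equal(kExpected, last, n2);
    std::cout << "ct:    " << n1 << " vs " << n2 << " bytes examined\n";
    return 0;
}
```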
Thanks for the report. Can you provide any potential fixes? I maintain the package but I am not a c++ dev by any stretch.
Created attachment 2017672 [details] Minimal fix
Sorry, I had thought I had provided a patch and now I see my mistake! Here it is.
Thank you for the patch.
FEDORA-2024-4caf912a53 (cpp-jwt-1.4-7.fc40) has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2024-4caf912a53
FEDORA-2024-436b32f16c (cpp-jwt-1.4-7.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2024-436b32f16c
FEDORA-2024-4caf912a53 (cpp-jwt-1.4-7.fc40) has been pushed to the Fedora 40 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2024-436b32f16c (cpp-jwt-1.4-7.fc41) has been pushed to the Fedora 41 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-EPEL-2024-1cefeeb8f5 (cpp-jwt-1.4-7.el9) has been submitted as an update to Fedora EPEL 9. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-1cefeeb8f5
FEDORA-2024-56fbd2cbfa (cpp-jwt-1.4-7.fc39) has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2024-56fbd2cbfa
FEDORA-EPEL-2024-16cf23e0e6 (cpp-jwt-1.4-7.el8) has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-16cf23e0e6
FEDORA-2024-d76e37ba62 (cpp-jwt-1.4-7.fc38) has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2024-d76e37ba62
FEDORA-2024-56fbd2cbfa has been pushed to the Fedora 39 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-56fbd2cbfa` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-56fbd2cbfa See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2024-1cefeeb8f5 has been pushed to the Fedora EPEL 9 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-1cefeeb8f5 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2024-16cf23e0e6 has been pushed to the Fedora EPEL 8 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-16cf23e0e6 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2024-d76e37ba62 has been pushed to the Fedora 38 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-d76e37ba62` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-d76e37ba62 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2024-1cefeeb8f5 (cpp-jwt-1.4-7.el9) has been pushed to the Fedora EPEL 9 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2024-56fbd2cbfa (cpp-jwt-1.4-7.fc39) has been pushed to the Fedora 39 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-EPEL-2024-16cf23e0e6 (cpp-jwt-1.4-7.el8) has been pushed to the Fedora EPEL 8 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2024-d76e37ba62 (cpp-jwt-1.4-7.fc38) has been pushed to the Fedora 38 stable repository. If problem still persists, please make note of it in this bug report.