Releases · benmcollins/libjwt

21 Dec 13:48

v2.1.1

f5eef78

Latest

jwt_decode_2(): Security vulnerability

This function had faulty logic based on some assumptions that it could trust the JWT in that if it was alg:none, it would not run the callback.

The assumption would allow an attacker to modify the JWT header and body and trick the function into returning without having retrieved a key from the cb, meaning no verification of the signature was done, and it retuned as if everything was successful.

The caller of jwt_decode_2 has no real way to know that their cb was never run.

As an aside, it was found that some of the test cases were assuming that you could call jwt_decode_2 with key_provider == NULL. This doesn't make much sense, considering there's no way to pass a key without a key_provider.

In this instance, if passed a JWT with alg:none, this was fine. If called with any other alg type, the code would attempt to run the NULL ``key_provider` and produce a SEGV.

RESOLUTION

jwt_decode_2 will always run the key_provider if passed, assuming there was not a previous error.
Always check key_provider for NULL before using it
If no key_provider, but JWT had alg != none, processing fails

NOTES:

jwt_decode() and jwt_decode_2() are being deprecated in favor more robust functionality.

Pre-built packages

Ubuntu ppa

Assets 3

10 Dec 16:25

benmcollins

v2.1.0

2863d88

v2.1.0

Full Changelog: v2.0.0...v2.1.0

Replaces Apple licensed internal base64 support with public domain code from libb64. It can still use the system libb64 if it's new enough. Reworked internal usage of the base64uri functions.

Rework a lot of the test cases to run across all available crypto ops.

Assets 3

09 Dec 13:52

benmcollins

v2.0.0

d5fb24d

v2.0.0

Full Changelog: v1.18.3...v2.0.0

Primary changes:

Use of libb64 for base64 if the library is detected
OpenSSL and GnuTLS support can be compiled together. New functions allow selecting which to use at runtime.

Assets 3