anakinj
Member

@anakinj anakinj commented Jun 29, 2025

Backport #697 to the 2.10 branch

Checklist

Before the PR can be merged be sure the following are checked:

  • There are tests for the fix or feature added/changed
  • A description of the changes and a reference to the PR has been added to CHANGELOG.md. More details in the CONTRIBUTING.md

@anakinj anakinj force-pushed the backport-697 branch 2 times, most recently from fe83c63 to 1ccbcc3 on June 29, 2025 09:03
* Avoid using the same digest across calls

JWT appears to reuse these JWA instances across threads, which
can lead to them stepping on each other via the shared
OpenSSL::Digest instance. This causes decoding to fail
verification, likely because the digest contains an amalgam of
data from the different threads.

This patch creates a new OpenSSL::Digest for each use, avoiding
the threading issue.

Note that the HMAC JWA already calls OpenSSL::HMAC.digest,
avoiding the shared state, and the others do not use digest.

The original code does not fail on CRuby most likely because only
one thread at a time can be calculating a digest against a given
OpenSSL::Digest instance, due to the VM lock.

Fixes jwt#696

Addresses the issue reported in jruby/jruby#8504 by @mohamedhafez

* Add jwt#697 to changelog

* Modify Rsa digest name test for new structure

The @digest instance variable now contains the name of the digest
to be used.

See jwt#697

* Add test for concurrent encode/decode using ECDSA

This is adapted from the script in jwt#696 and provides a test for
the ECDSA part of the fix in jwt#697.

* Fixes for Rubocop
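The defect described in the commit messages above, shown as an added Ruby example; this is not ruby-jwt's code. `SharedDigestSigner` mirrors the pre-fix pattern (one `OpenSSL::Digest` instance held in `@digest` and reused by every call), `FreshDigestSigner` mirrors the post-fix pattern (`@digest` holds only the name and a new `OpenSSL::Digest` is built per call). The class and method names, the `DIGEST_NAME` constant, the throwaway P-256 key and the payload strings are all constructed for this example. Because the VM lock on CRuby makes the real race hard to hit, `interleaved_digest` replays the interleaving deterministically in one thread: `OpenSSL::Digest#digest(str)` is reset, update, finish, reset, and a second caller's `update` landing between the first caller's `update` and `finish` yields the "amalgam" hash the commit message refers to.

```ruby
require 'openssl'

DIGEST_NAME = 'SHA256' # constructed: the JWA's digest name, as for ES256

# Pre-fix pattern (constructed, not ruby-jwt's code): one OpenSSL::Digest
# is built once and shared by every sign/verify call. Its hash context is
# mutable, so two threads inside digest() at the same time can each feed
# the other's bytes into it.
class SharedDigestSigner
  def initialize(key)
    @key = key
    @digest = OpenSSL::Digest.new(DIGEST_NAME) # shared mutable state
  end

  def sign(data)
    @key.dsa_sign_asn1(@digest.digest(data))
  end

  def verify(data, signature)
    @key.dsa_verify_asn1(@digest.digest(data), signature)
  end
end

# Post-fix pattern: keep only the digest *name* and build a fresh
# OpenSSL::Digest on every call, so concurrent callers share nothing.
class FreshDigestSigner
  def initialize(key)
    @key = key
    @digest = DIGEST_NAME # a String now, not an OpenSSL::Digest instance
  end

  def sign(data)
    @key.dsa_sign_asn1(OpenSSL::Digest.new(@digest).digest(data))
  end

  def verify(data, signature)
    @key.dsa_verify_asn1(OpenSSL::Digest.new(@digest).digest(data), signature)
  end
end

# Deterministic single-thread replay of the race on a shared instance.
# Caller A resets and updates with its data; caller B's update is
# scheduled in between; caller A then finishes and gets hash(a + b)
# instead of hash(a). Returns [amalgam_hex, correct_hex_for_a].
def interleaved_digest(a, b)
  shared = OpenSSL::Digest.new(DIGEST_NAME)
  shared.reset
  shared.update(a)           # caller A
  shared.update(b)           # caller B, interleaved
  amalgam = shared.hexdigest # caller A "finishes" with the wrong state
  [amalgam, OpenSSL::Digest.new(DIGEST_NAME).hexdigest(a)]
end

# Concurrent encode/decode check in the spirit of the test the PR adds:
# every thread signs and verifies its own payloads with the given signer.
# Returns true only if every signature verified.
def concurrent_round_trip(signer, threads: 8, iterations: 200)
  workers = Array.new(threads) do |t|
    Thread.new do
      iterations.times.all? do |i|
        payload = "thread-#{t}-payload-#{i}" # constructed payload
        signer.verify(payload, signer.sign(payload))
      end
    end
  end
  workers.all?(&:value)
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::EC.generate('prime256v1') # constructed throwaway key
  amalgam, correct = interleaved_digest('header.payload', 'other.token')
  puts "shared digest yields amalgam, not hash(a): #{amalgam != correct}"
  puts "fresh-digest signer survives concurrent use: " \
       "#{concurrent_round_trip(FreshDigestSigner.new(key))}"
end
```

`concurrent_round_trip` passes for `SharedDigestSigner` on CRuby as well, which is exactly why the original bug surfaced only on JRuby; the structural difference to look for in a review is whether `@digest` holds a reusable instance or just a name.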
@anakinj anakinj merged commit 67dc9d3 into jwt:2-10-stable Jun 29, 2025
30 checks passed