SECURITY VULNERABILITY: incorrect Authentication Tag length usage in AES GCM decryption #125

Open
zandbelt opened this issue Jul 12, 2023 · 1 comment · May be fixed by #126

Comments

@zandbelt
Contributor

zandbelt commented Jul 12, 2023

NOTE THAT AES GCM DECRYPTION IS SEVERELY BROKEN FOR ALL VERSIONS OF CJOSE < 0.6.2.2

The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE, see: https://github.com/cisco/cjose/blob/0.6.1/src/jwe.c#L1228-L1229:

  // set the expected GCM-mode authentication tag
  if (EVP_CIPHER_CTX_ctrl(ctx, CJOSE_EVP_CTRL_GCM_SET_TAG, jwe->enc_auth_tag.raw_len, jwe->enc_auth_tag.raw) != 1)

However, the spec https://datatracker.ietf.org/doc/html/rfc7518#section-4.7 says that a fixed length of 16 octets must be applied:

The requested size of the Authentication Tag output MUST be 128 bits, regardless of the key size.

Therefore this bug allows an attacker to provide a truncated Authentication Tag and to modify the JWE accordingly.

See also: CVE-2023-37464 and GHSA-3rhg-3gf2-6xgj
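The point of the report is that the receiver must never take the tag length from the tag it was handed. As an added example (not cjose code and not part of this issue), the following stdlib-only Python pre-flight check enforces the RFC 7518 section 4.7 fixed lengths (96-bit IV, 128-bit tag) on a compact JWE before the token reaches any GCM decrypt routine. The sample tokens are constructed with dummy ciphertext, and the function and constant names are my own:

```python
import base64
import json

# RFC 7518 section 4.7: the GCM "enc" algorithms use a 96-bit IV and a
# 128-bit Authentication Tag, regardless of key size. These are hypothetical
# constant names chosen for this example.
GCM_ENCS = {"A128GCM", "A192GCM", "A256GCM"}
GCM_IV_LEN = 12
GCM_TAG_LEN = 16


def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url (the JOSE encoding); reject the standard alphabet."""
    if any(c in s for c in "+/="):
        raise ValueError("not base64url: padding or standard alphabet present")
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def check_jwe_gcm_lengths(jwe: str) -> dict:
    """Validate the fixed-length fields of a compact JWE before decryption.

    Returns the decoded parts on success and raises ValueError on any
    violation, so a truncated tag is rejected up front instead of being
    passed through as the expected tag length.
    """
    parts = jwe.split(".")
    if len(parts) != 5:
        raise ValueError(f"compact JWE must have 5 parts, got {len(parts)}")
    hdr_b64, _encrypted_key, iv_b64, ct_b64, tag_b64 = parts
    header = json.loads(b64url_decode(hdr_b64))
    enc = header.get("enc")
    if enc not in GCM_ENCS:
        raise ValueError(f"unsupported or missing enc: {enc!r}")
    iv = b64url_decode(iv_b64)
    tag = b64url_decode(tag_b64)
    if len(iv) != GCM_IV_LEN:
        raise ValueError(f"{enc}: IV must be {GCM_IV_LEN} bytes, got {len(iv)}")
    if len(tag) != GCM_TAG_LEN:
        raise ValueError(f"{enc}: tag must be {GCM_TAG_LEN} bytes, got {len(tag)}")
    return {"header": header, "iv": iv, "ciphertext": b64url_decode(ct_b64), "tag": tag}


def accepts(jwe: str) -> bool:
    """Convenience wrapper: True if the token passes the pre-flight check."""
    try:
        check_jwe_gcm_lengths(jwe)
        return True
    except ValueError:
        return False


# Constructed samples (no real encryption took place): direct-mode header,
# empty encrypted key, 12-byte IV, 4-byte dummy ciphertext.
_HEADER = b64url_encode(
    json.dumps({"alg": "dir", "enc": "A256GCM"}, separators=(",", ":")).encode()
)
_IV = b64url_encode(bytes(range(12)))
_CT = b64url_encode(b"\xde\xad\xbe\xef")

# Well-formed token: full 16-byte tag.
SAMPLE_OK = ".".join([_HEADER, "", _IV, _CT, b64url_encode(bytes(16))])
# Same token with the tag cut down to a single byte: the flawed routine in
# this issue would set the expected tag length to 1 and accept it.
SAMPLE_SHORT_TAG = ".".join([_HEADER, "", _IV, _CT, b64url_encode(bytes(1))])


if __name__ == "__main__":
    print("well-formed token accepted:", accepts(SAMPLE_OK))
    print("1-byte tag accepted:", accepts(SAMPLE_SHORT_TAG))
```

The check is deliberately independent of the crypto library: whatever the decrypt routine does with the tag buffer, a token whose tag is not exactly 16 bytes never reaches it. The same rule applies to the `tag` header parameter of the A128GCMKW/A192GCMKW/A256GCMKW key-wrapping algorithms, which this example does not cover.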

zandbelt added a commit to OpenIDC/cjose that referenced this issue Jul 12, 2023
@zandbelt
Contributor Author

zandbelt commented Jul 12, 2023

A fix for this vulnerability is available in the 0.6.2.x maintenance release fork here:
https://github.com/OpenIDC/cjose/releases/

zandbelt added a commit to OpenIDC/cjose that referenced this issue Jul 12, 2023
@zandbelt zandbelt changed the title incorrect Authentication Tag length usage in AES GCM decryption SECURITY VULNERABILITY: incorrect Authentication Tag length usage in AES GCM decryption Jul 12, 2023