Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SECURITY VULNERABILITY: incorrect Authentication Tag length usage in AES GCM decryption #125

Open
zandbelt opened this issue Jul 12, 2023 · 1 comment · May be fixed by #126
Open

SECURITY VULNERABILITY: incorrect Authentication Tag length usage in AES GCM decryption #125

zandbelt opened this issue Jul 12, 2023 · 1 comment · May be fixed by #126

Comments

@zandbelt
Copy link
Contributor

zandbelt commented Jul 12, 2023
edited
Loading

NOTE THAT AES GCM DECRYPTION IS SEVERELY BROKEN FOR ALL VERSIONS OF CJOSE < 0.6.2.2

The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE, see: https://github.com/cisco/cjose/blob/0.6.1/src/jwe.c#L1228-L1229:

  // set the expected GCM-mode authentication tag
  if (EVP_CIPHER_CTX_ctrl(ctx, CJOSE_EVP_CTRL_GCM_SET_TAG, jwe->enc_auth_tag.raw_len, jwe->enc_auth_tag.raw) != 1)

However, the spec https://datatracker.ietf.org/doc/html/rfc7518#section-4.7 says that a fixed length of 16 octets must be applied:

The requested size of the Authentication Tag output MUST be 128 bits, regardless of the key size.

Therefore this bug allows an attacker to provide a truncated Authentication Tag and to modify the JWE accordingly.

See also: CVE-2023-37464 and GHSA-3rhg-3gf2-6xgj
zandbelt added a commit to OpenIDC/cjose that referenced this issue Jul 12, 2023
@zandbelt
use fixed authentication tag length of 16 octets in AES GCM decryption
7325e9a 
see: cisco#125

Signed-off-by: Hans Zandbelt <[email protected]>
@zandbelt
Copy link
Contributor Author

zandbelt commented Jul 12, 2023
edited
Loading

A fix for this vulnerability is available in the 0.6.2.x maintenance release fork here:
https://github.com/OpenIDC/cjose/releases/

zandbelt added a commit to OpenIDC/cjose that referenced this issue Jul 12, 2023
@zandbelt
use fixed authentication tag length of 16 octets in AES GCM decryption
19fa416 
see: cisco#125

Signed-off-by: Hans Zandbelt <[email protected]>
@zandbelt zandbelt linked a pull request Jul 12, 2023 that will close this issue
Open
@zandbelt zandbelt changed the title incorrect Authentication Tag length usage in AES GCM decryption SECURITY VULNERABILITY: incorrect Authentication Tag length usage in AES GCM decryption Jul 12, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

use fixed authentication tag length of 16 octets in AES GCM decryption OpenIDC/cjose
1 participant
@zandbelt