Open zandbelt opened 1 year ago
NOTE THAT AES GCM DECRYPTION IS SEVERELY BROKEN FOR ALL VERSIONS OF CJOSE < 0.6.2.2
The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE, see: https://github.com/cisco/cjose/blob/0.6.1/src/jwe.c#L1228-L1229:
```c
// set the expected GCM-mode authentication tag
if (EVP_CIPHER_CTX_ctrl(ctx, CJOSE_EVP_CTRL_GCM_SET_TAG, jwe->enc_auth_tag.raw_len, jwe->enc_auth_tag.raw) != 1)
```
However, the spec https://datatracker.ietf.org/doc/html/rfc7518#section-4.7 says that a fixed length of 16 octets must be applied:
> The requested size of the Authentication Tag output MUST be 128 bits, regardless of the key size.
Therefore this bug allows an attacker to provide a truncated Authentication Tag and to modify the JWE accordingly.
See also: CVE-2023-37464 and https://github.com/OpenIDC/cjose/security/advisories/GHSA-3rhg-3gf2-6xgj
A fix for this vulnerability is available in the 0.6.2.x maintenance release fork here: https://github.com/OpenIDC/cjose/releases/
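An added example (not cjose's code; written in Go with the standard-library AES-GCM rather than cjose's C/OpenSSL) showing the hardened shape of the decryption step the advisory calls for: the decryptor fixes the tag length at the 16 octets RFC 7518 section 4.7 requires instead of reading it off the JWE's tag segment, so a truncated tag is refused before any cipher work happens. The `EncryptGCM` helper and the key, IV, AAD and plaintext values are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
)

// RFC 7518 section 4.7: the GCM Authentication Tag for A128GCM/A192GCM/A256GCM
// is always 128 bits, regardless of key size. This is the value to trust.
const gcmTagLen = 16

var ErrBadTagLength = errors.New("jwe: authentication tag must be exactly 16 octets")

// EncryptGCM is a constructed helper that yields the JWE segments (ciphertext
// and tag separately, as a JWE carries them) so DecryptGCM can be exercised.
func EncryptGCM(key, iv, aad, plaintext []byte) (ciphertext, tag []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block) // 96-bit IV, 128-bit tag
	if err != nil {
		return nil, nil, err
	}
	sealed := gcm.Seal(nil, iv, plaintext, aad) // ciphertext || 16-byte tag
	n := len(sealed) - gcmTagLen
	return sealed[:n], sealed[n:], nil
}

// DecryptGCM enforces the spec-mandated tag length itself rather than deriving
// it from the length of the tag segment the JWE happens to carry (the cjose
// 0.6.1 bug); a truncated tag never reaches the cipher.
func DecryptGCM(key, iv, aad, ciphertext, tag []byte) ([]byte, error) {
	if len(tag) != gcmTagLen {
		return nil, ErrBadTagLength
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Go's GCM Open expects ciphertext||tag; reassemble it from the JWE segments.
	sealed := append(append([]byte(nil), ciphertext...), tag...)
	return gcm.Open(nil, iv, sealed, aad)
}
```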