CVE-2023-37464 AES GCM decryption

AES GCM decryption uses the Tag length from the actual Authentication Tag provided in the JWE Resolves: rhbz#2223308
2023-07-21 11:13:41 +02:00 · 2023-07-21 11:13:41 +02:00 · 7b8e54694b
commit 7b8e54694b
parent 237d966f48
2 changed files with 98 additions and 1 deletions
--- a/0003-CVE-2023-37464.patch
+++ b/0003-CVE-2023-37464.patch
@ -0,0 +1,91 @@
 diff -up cjose-0.6.1/src/jwe.c.orig cjose-0.6.1/src/jwe.c
 --- cjose-0.6.1/src/jwe.c.orig	2023-07-19 16:23:44.658712950 +0200
 +++ cjose-0.6.1/src/jwe.c	2023-07-19 16:55:02.173914437 +0200
@@ -1227,6 +1227,12 @@ static bool _cjose_jwe_decrypt_dat_a256g
         goto _cjose_jwe_decrypt_dat_a256gcm_fail;
     }
 +    if (jwe->enc_auth_tag.raw_len != 16)
 +    {
 +        CJOSE_ERROR(err, CJOSE_ERR_CRYPTO);
 +        goto _cjose_jwe_decrypt_dat_a256gcm_fail;
 +    }
 +
     // set the expected GCM-mode authentication tag
     if (EVP_CIPHER_CTX_ctrl(ctx, CJOSE_EVP_CTRL_GCM_SET_TAG, jwe->enc_auth_tag.raw_len, jwe->enc_auth_tag.raw) != 1)
     {
 diff -up cjose-0.6.1/test/check_jwe.c.orig cjose-0.6.1/test/check_jwe.c
 --- cjose-0.6.1/test/check_jwe.c.orig	2018-04-12 00:39:58.000000000 +0200
 +++ cjose-0.6.1/test/check_jwe.c	2023-07-19 16:38:45.412336742 +0200
@@ -809,6 +809,63 @@ START_TEST(test_cjose_jwe_decrypt_aes)
 }
 END_TEST
 +START_TEST(test_cjose_jwe_decrypt_aes_gcm)
 +{
 +    cjose_err err;
 +
 +    const char *key = JWK_OCT_32;
 +    const char *plain1 = "Live long and prosper.";
 +    char *compact1 = "eyJhbGciOiAiZGlyIiwgImVuYyI6ICJBMjU2R0NNIn0..Du_9fxxV-zrReaWC.aS_rpokeuxkaPc2sykcQDCQuJCYoww.GpeKGEqd8KQ0v6JNea5aSA";
 +    char *compact2 = "eyJhbGciOiAiZGlyIiwgImVuYyI6ICJBMjU2R0NNIn0..Du_9fxxV-zrReaWC.aS_rpokeuxkaPc2sykcQDCQuJCYoww.Gp";
 +
 +    cjose_jwk_t *jwk = cjose_jwk_import(key, strlen(key), &err);
 +    ck_assert_msg(NULL != jwk,
 +                  "cjose_jwk_import failed: "
 +                  "%s, file: %s, function: %s, line: %ld",
 +                  err.message, err.file, err.function, err.line);
 +
 +    cjose_jwe_t *jwe1 = cjose_jwe_import(compact1, strlen(compact1), &err);
 +    ck_assert_msg(NULL != jwe1,
 +                  "cjose_jwe_import failed: "
 +                  "%s, file: %s, function: %s, line: %ld",
 +                  err.message, err.file, err.function, err.line);
 +
 +    uint8_t *plain2 = NULL;
 +    size_t plain2_len = 0;
 +    plain2 = cjose_jwe_decrypt(jwe1, jwk, &plain2_len, &err);
 +    ck_assert_msg(NULL != plain2,
 +                  "cjose_jwe_decrypt failed: "
 +                  "%s, file: %s, function: %s, line: %ld",
 +                  err.message, err.file, err.function, err.line);
 +
 +    ck_assert_msg(plain2_len == strlen(plain1),
 +                  "length of decrypted plaintext does not match length of original, "
 +                  "expected: %lu, found: %lu",
 +                  strlen(plain1), plain2_len);
 +    ck_assert_msg(strncmp(plain1, plain2, plain2_len) == 0, "decrypted plaintext does not match encrypted plaintext");
 +
 +    cjose_get_dealloc()(plain2);
 +    cjose_jwe_release(jwe1);
 +
 +    cjose_jwe_t *jwe2 = cjose_jwe_import(compact2, strlen(compact2), &err);
 +    ck_assert_msg(NULL != jwe2,
 +                   "cjose_jwe_import failed: "
 +                   "%s, file: %s, function: %s, line: %ld",
 +                   err.message, err.file, err.function, err.line);
 +
 +    uint8_t *plain3 = NULL;
 +    size_t plain3_len = 0;
 +    plain3 = cjose_jwe_decrypt(jwe2, jwk, &plain3_len, &err);
 +    ck_assert_msg(NULL == plain3,
 +                   "cjose_jwe_decrypt succeeded where it should have failed: "
 +                   "%s, file: %s, function: %s, line: %ld",
 +                   err.message, err.file, err.function, err.line);
 +
 +    cjose_jwe_release(jwe2);
 +    cjose_jwk_release(jwk);
 +}
 +END_TEST
 +
 START_TEST(test_cjose_jwe_decrypt_rsa)
 {
     struct cjose_jwe_decrypt_rsa
@@ -1210,6 +1267,7 @@ Suite *cjose_jwe_suite()
     tcase_add_test(tc_jwe, test_cjose_jwe_self_encrypt_self_decrypt_large);
     tcase_add_test(tc_jwe, test_cjose_jwe_self_encrypt_self_decrypt_many);
     tcase_add_test(tc_jwe, test_cjose_jwe_decrypt_aes);
 +    tcase_add_test(tc_jwe, test_cjose_jwe_decrypt_aes_gcm);
     tcase_add_test(tc_jwe, test_cjose_jwe_decrypt_rsa);
     tcase_add_test(tc_jwe, test_cjose_jwe_encrypt_with_bad_header);
     tcase_add_test(tc_jwe, test_cjose_jwe_encrypt_with_bad_key);
--- a/cjose.spec
+++ b/cjose.spec
@ -1,6 +1,6 @@
 Name:           cjose
 Version:        0.6.1
-Release:        15%{?dist}
+Release:        16%{?dist}
 Summary:        C library implementing the Javascript Object Signing and Encryption (JOSE)
 License:        MIT
@ -10,6 +10,7 @@ Source0:  	https://github.com/cisco/%{name}/archive/%{version}/%{name}-%{version
 Patch1: concatkdf.patch
 Patch2: 0001-Define-OPENSSL_API_COMPAT-to-0x10101000L.patch
 Patch3: 0002-check-cjose_get_alloc.patch
 Patch4: 0003-CVE-2023-37464.patch
 BuildRequires:  gcc
 BuildRequires:  doxygen
@ -65,6 +66,11 @@ make check || (cat test/test-suite.log; exit 1)
 %changelog
 * Wed Jul 19 2023 <thalman@redhat.com> - 0.6.1-16
 - CVE-2023-37464 cjose: AES GCM decryption uses the Tag length from the actual
  Authentication Tag provided in the JWE
  Resolves: rhbz#2223308
 * Wed May 3 2023 <spoore@redhat.com> - 0.6.1-15
 - Rebuilt for gating
  Related: rhbz#2180445