From a7ee7f647787e8dc9d3770213a43408b66f11741 Mon Sep 17 00:00:00 2001
From: Tomas Halman
Date: Fri, 21 Jul 2023 11:13:41 +0200
Subject: [PATCH] CVE-2023-37464 AES GCM decryption
AES GCM decryption uses the Tag length from the actual Authentication Tag provided in the JWE
Resolves: rhbz#2223307
---
 ...ne-OPENSSL_API_COMPAT-to-0x10101000L.patch | 53 -----------
 0003-CVE-2023-37464.patch | 91 +++++++++++++++++++
 cjose.spec | 8 +-
 3 files changed, 98 insertions(+), 54 deletions(-)
 delete mode 100644 0001-Define-OPENSSL_API_COMPAT-to-0x10101000L.patch
 create mode 100644 0003-CVE-2023-37464.patch
diff --git a/0001-Define-OPENSSL_API_COMPAT-to-0x10101000L.patch b/0001-Define-OPENSSL_API_COMPAT-to-0x10101000L.patch
deleted file mode 100644
index 5a6278d..0000000
--- a/0001-Define-OPENSSL_API_COMPAT-to-0x10101000L.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From b339a18aa06c78d64ac33d891d400eac7b86fff3 Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek
-Date: Mon, 17 May 2021 13:30:24 +0200
-Subject: [PATCH] Define OPENSSL_API_COMPAT to 0x10101000L
-
----
- src/jwe.c | 2 ++
- src/jwk.c | 2 ++
- src/jws.c | 2 ++
- 3 files changed, 6 insertions(+)
-
-diff --git a/src/jwe.c b/src/jwe.c
-index 822d408..d6f3149 100644
---- a/src/jwe.c
-+++ b/src/jwe.c
-@@ -5,6 +5,8 @@
- * Copyright (c) 2014-2016 Cisco Systems, Inc. All Rights Reserved.
- */
-
-+#define OPENSSL_API_COMPAT 0x10101000L
-+
- #include
- #include
- #include
-diff --git a/src/jwk.c b/src/jwk.c
-index 860f0e7..87408e9 100644
---- a/src/jwk.c
-+++ b/src/jwk.c
-@@ -5,6 +5,8 @@
- * Copyright (c) 2014-2016 Cisco Systems, Inc. All Rights Reserved.
- */
-
-+#define OPENSSL_API_COMPAT 0x10101000L
-+
- #include "include/jwk_int.h"
- #include "include/util_int.h"
-
-diff --git a/src/jws.c b/src/jws.c
-index 4e03554..9d682a0 100644
---- a/src/jws.c
-+++ b/src/jws.c
-@@ -5,6 +5,8 @@
- * Copyright (c) 2014-2016 Cisco Systems, Inc. All Rights Reserved.
- */
-
-+#define OPENSSL_API_COMPAT 0x10101000L
-+
- #include
- #include
- #include
---
-2.31.1
-
diff --git a/0003-CVE-2023-37464.patch b/0003-CVE-2023-37464.patch
new file mode 100644
index 0000000..0b77cba
--- /dev/null
+++ b/0003-CVE-2023-37464.patch
@@ -0,0 +1,91 @@
+diff -up cjose-0.6.1/src/jwe.c.orig cjose-0.6.1/src/jwe.c
+--- cjose-0.6.1/src/jwe.c.orig 2023-07-19 16:23:44.658712950 +0200
++++ cjose-0.6.1/src/jwe.c 2023-07-19 16:55:02.173914437 +0200
+@@ -1227,6 +1227,12 @@ static bool _cjose_jwe_decrypt_dat_a256g
+ goto _cjose_jwe_decrypt_dat_a256gcm_fail;
+ }
+
++ if (jwe->enc_auth_tag.raw_len != 16)
++ {
++ CJOSE_ERROR(err, CJOSE_ERR_CRYPTO);
++ goto _cjose_jwe_decrypt_dat_a256gcm_fail;
++ }
++
+ // set the expected GCM-mode authentication tag
+ if (EVP_CIPHER_CTX_ctrl(ctx, CJOSE_EVP_CTRL_GCM_SET_TAG, jwe->enc_auth_tag.raw_len, jwe->enc_auth_tag.raw) != 1)
+ {
+diff -up cjose-0.6.1/test/check_jwe.c.orig cjose-0.6.1/test/check_jwe.c
+--- cjose-0.6.1/test/check_jwe.c.orig 2018-04-12 00:39:58.000000000 +0200
++++ cjose-0.6.1/test/check_jwe.c 2023-07-19 16:38:45.412336742 +0200
+@@ -809,6 +809,63 @@ START_TEST(test_cjose_jwe_decrypt_aes)
+ }
+ END_TEST
+
++START_TEST(test_cjose_jwe_decrypt_aes_gcm)
++{
++ cjose_err err;
++
++ const char *key = JWK_OCT_32;
++ const char *plain1 = "Live long and prosper.";
++ char *compact1 = "eyJhbGciOiAiZGlyIiwgImVuYyI6ICJBMjU2R0NNIn0..Du_9fxxV-zrReaWC.aS_rpokeuxkaPc2sykcQDCQuJCYoww.GpeKGEqd8KQ0v6JNea5aSA";
++ char *compact2 = "eyJhbGciOiAiZGlyIiwgImVuYyI6ICJBMjU2R0NNIn0..Du_9fxxV-zrReaWC.aS_rpokeuxkaPc2sykcQDCQuJCYoww.Gp";
++
++ cjose_jwk_t *jwk = cjose_jwk_import(key, strlen(key), &err);
++ ck_assert_msg(NULL != jwk,
++ "cjose_jwk_import failed: "
++ "%s, file: %s, function: %s, line: %ld",
++ err.message, err.file, err.function, err.line);
++
++ cjose_jwe_t *jwe1 = cjose_jwe_import(compact1, strlen(compact1), &err);
++ ck_assert_msg(NULL != jwe1,
++ "cjose_jwe_import failed: "
++ "%s, file: %s, function: %s, line: %ld",
++ err.message, err.file, err.function, err.line);
++
++ uint8_t *plain2 = NULL;
++ size_t plain2_len = 0;
++ plain2 = cjose_jwe_decrypt(jwe1, jwk, &plain2_len, &err);
++ ck_assert_msg(NULL != plain2,
++ "cjose_jwe_decrypt failed: "
++ "%s, file: %s, 
function: %s, line: %ld",
++ err.message, err.file, err.function, err.line);
++
++ ck_assert_msg(plain2_len == strlen(plain1),
++ "length of decrypted plaintext does not match length of original, "
++ "expected: %lu, found: %lu",
++ strlen(plain1), plain2_len);
++ ck_assert_msg(strncmp(plain1, plain2, plain2_len) == 0, "decrypted plaintext does not match encrypted plaintext");
++
++ cjose_get_dealloc()(plain2);
++ cjose_jwe_release(jwe1);
++
++ cjose_jwe_t *jwe2 = cjose_jwe_import(compact2, strlen(compact2), &err);
++ ck_assert_msg(NULL != jwe2,
++ "cjose_jwe_import failed: "
++ "%s, file: %s, function: %s, line: %ld",
++ err.message, err.file, err.function, err.line);
++
++ uint8_t *plain3 = NULL;
++ size_t plain3_len = 0;
++ plain3 = cjose_jwe_decrypt(jwe2, jwk, &plain3_len, &err);
++ ck_assert_msg(NULL == plain3,
++ "cjose_jwe_decrypt succeeded where it should have failed: "
++ "%s, file: %s, function: %s, line: %ld",
++ err.message, err.file, err.function, err.line);
++
++ cjose_jwe_release(jwe2);
++ cjose_jwk_release(jwk);
++}
++END_TEST
++
+ START_TEST(test_cjose_jwe_decrypt_rsa)
+ {
+ struct cjose_jwe_decrypt_rsa
+@@ -1210,6 +1267,7 @@ Suite *cjose_jwe_suite()
+ tcase_add_test(tc_jwe, test_cjose_jwe_self_encrypt_self_decrypt_large);
+ tcase_add_test(tc_jwe, test_cjose_jwe_self_encrypt_self_decrypt_many);
+ tcase_add_test(tc_jwe, test_cjose_jwe_decrypt_aes);
++ tcase_add_test(tc_jwe, test_cjose_jwe_decrypt_aes_gcm);
+ tcase_add_test(tc_jwe, test_cjose_jwe_decrypt_rsa);
+ tcase_add_test(tc_jwe, test_cjose_jwe_encrypt_with_bad_header);
+ tcase_add_test(tc_jwe, test_cjose_jwe_encrypt_with_bad_key);
diff --git a/cjose.spec b/cjose.spec
index bdb8e98..aa46140 100644
--- a/cjose.spec
+++ b/cjose.spec
@@ -1,6 +1,6 @@
 Name: cjose
 Version: 0.6.1
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: C library implementing the Javascript Object Signing and Encryption (JOSE)
 License: MIT
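Review bot: The new guard in `_cjose_jwe_decrypt_dat_a256gcm` hard-codes `16` where it rejects `jwe->enc_auth_tag.raw_len`; the 128-bit tag that the JWE AES-GCM content encryption algorithms (RFC 7518) mandate is a protocol constant, so a named value with a one-line comment, e.g. `enum { CJOSE_AES_GCM_TAG_LEN = 16 }; /* RFC 7518 A*GCM tag is always 128 bits */` and `if (jwe->enc_auth_tag.raw_len != CJOSE_AES_GCM_TAG_LEN)`, would tie the check to the `CJOSE_EVP_CTRL_GCM_SET_TAG` call it protects. Reporting the mismatch as `CJOSE_ERR_CRYPTO` is a sound choice, since a caller then cannot tell a truncated tag apart from a failed authentication. The enclosing function starts and ends outside the hunk, so it is not visible here whether A128GCM and A192GCM dispatch to this same routine; if they have a separate decrypt path it needs the same guard before its tag is handed to OpenSSL. In the added test, `strncmp(plain1, plain2, plain2_len)` passes the `uint8_t *` returned by `cjose_jwe_decrypt` where `const char *` is expected; writing `(const char *)plain2` avoids the pointer-sign diagnostic.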
@@ -9,6 +9,7 @@ Source0: https://github.com/cisco/%{name}/archive/%{version}/%{name}-%{version
 Patch1: concatkdf.patch
 Patch2: 0002-check-cjose_get_alloc.patch
+Patch3: 0003-CVE-2023-37464.patch
 BuildRequires: gcc
 BuildRequires: doxygen
@@ -65,6 +66,11 @@ make check || (cat test/test-suite.log; exit 1)
 %changelog
+* Wed Jul 19 2023 - 0.6.1-4
+- CVE-2023-37464 cjose: AES GCM decryption uses the Tag length from the actual
+ Authentication Tag provided in the JWE
+ Resolves: rhbz#2223308
+
 * Fri Mar 17 2023 - 0.6.1-3
 - Random memory override
 Resolves: rhbz#2072469