From 7325e9a5e71e2fc0e350487ecac7d84acdf0ed5e Mon Sep 17 00:00:00 2001 From: Hans Zandbelt Date: Wed, 12 Jul 2023 10:52:45 +0200 Subject: [PATCH] use fixed authentication tag length of 16 octets in AES GCM decryption see: https://github.com/cisco/cjose/issues/125 Signed-off-by: Hans Zandbelt --- src/jwe.c | 6 +++++ test/check_jwe.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 64 insertions(+) diff --git a/src/jwe.c b/src/jwe.c index 48f0ac1..c3938e7 100644 --- a/src/jwe.c +++ b/src/jwe.c @@ -1286,6 +1286,12 @@ static bool _cjose_jwe_decrypt_dat_aes_gcm(cjose_jwe_t *jwe, cjose_err *err) goto _cjose_jwe_decrypt_dat_aes_gcm_fail; } + if (jwe->enc_auth_tag.raw_len != 16) + { + CJOSE_ERROR(err, CJOSE_ERR_CRYPTO); + goto _cjose_jwe_decrypt_dat_aes_gcm_fail; + } + // set the expected GCM-mode authentication tag if (EVP_CIPHER_CTX_ctrl(ctx, CJOSE_EVP_CTRL_GCM_SET_TAG, jwe->enc_auth_tag.raw_len, jwe->enc_auth_tag.raw) != 1) { diff --git a/test/check_jwe.c b/test/check_jwe.c index 3d69a93..39621b1 100644 --- a/test/check_jwe.c +++ b/test/check_jwe.c @@ -967,6 +967,63 @@ START_TEST(test_cjose_jwe_decrypt_aes) } END_TEST +START_TEST(test_cjose_jwe_decrypt_aes_gcm) +{ + cjose_err err; + + const char *key = JWK_OCT_32; + const char *plain1 = "Live long and prosper."; + char *compact1 = "eyJhbGciOiAiZGlyIiwgImVuYyI6ICJBMjU2R0NNIn0..Du_9fxxV-zrReaWC.aS_rpokeuxkaPc2sykcQDCQuJCYoww.GpeKGEqd8KQ0v6JNea5aSA"; + char *compact2 = "eyJhbGciOiAiZGlyIiwgImVuYyI6ICJBMjU2R0NNIn0..Du_9fxxV-zrReaWC.aS_rpokeuxkaPc2sykcQDCQuJCYoww.Gp"; + + cjose_jwk_t *jwk = cjose_jwk_import(key, strlen(key), &err); + ck_assert_msg(NULL != jwk, + "cjose_jwk_import failed: " + "%s, file: %s, function: %s, line: %ld", + err.message, err.file, err.function, err.line); + + cjose_jwe_t *jwe1 = cjose_jwe_import(compact1, strlen(compact1), &err); + ck_assert_msg(NULL != jwe1, + "cjose_jwe_import failed: " + "%s, file: %s, function: %s, line: %ld", + err.message, err.file, err.function, err.line); + + uint8_t *plain2 = NULL; + size_t plain2_len = 0; + plain2 = cjose_jwe_decrypt(jwe1, jwk, &plain2_len, &err); + ck_assert_msg(NULL != plain2, + "cjose_jwe_decrypt failed: " + "%s, file: %s, function: %s, line: %ld", + err.message, err.file, err.function, err.line); + + ck_assert_msg(plain2_len == strlen(plain1), + "length of decrypted plaintext does not match length of original, " + "expected: %lu, found: %lu", + strlen(plain1), plain2_len); + ck_assert_msg(strncmp(plain1, plain2, plain2_len) == 0, "decrypted plaintext does not match encrypted plaintext"); + + cjose_get_dealloc()(plain2); + cjose_jwe_release(jwe1); + + cjose_jwe_t *jwe2 = cjose_jwe_import(compact2, strlen(compact2), &err); + ck_assert_msg(NULL != jwe2, + "cjose_jwe_import failed: " + "%s, file: %s, function: %s, line: %ld", + err.message, err.file, err.function, err.line); + + uint8_t *plain3 = NULL; + size_t plain3_len = 0; + plain3 = cjose_jwe_decrypt(jwe2, jwk, &plain3_len, &err); + ck_assert_msg(NULL == plain3, + "cjose_jwe_decrypt succeeded where it should have failed: " + "%s, file: %s, function: %s, line: %ld", + err.message, err.file, err.function, err.line); + + cjose_jwe_release(jwe2); + cjose_jwk_release(jwk); +} +END_TEST + START_TEST(test_cjose_jwe_decrypt_rsa) { struct cjose_jwe_decrypt_rsa @@ -1373,6 +1430,7 @@ Suite *cjose_jwe_suite() tcase_add_test(tc_jwe, test_cjose_jwe_self_encrypt_self_decrypt_large); tcase_add_test(tc_jwe, test_cjose_jwe_self_encrypt_self_decrypt_many); tcase_add_test(tc_jwe, test_cjose_jwe_decrypt_aes); + tcase_add_test(tc_jwe, test_cjose_jwe_decrypt_aes_gcm); tcase_add_test(tc_jwe, test_cjose_jwe_decrypt_rsa); tcase_add_test(tc_jwe, test_cjose_jwe_encrypt_with_bad_header); tcase_add_test(tc_jwe, test_cjose_jwe_encrypt_with_bad_key);