Added auth tag size validation to AesGcmNetCore decrypt to always ens…

…ure 16 bytes tags
dvsekhvalnov · Nov 6, 2024 · b9cf4dc · b9cf4dc
1 parent 18f15e8
commit b9cf4dc
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 1 deletion.
diff --git a/UnitTests/SecurityVulnerabilitiesTest.cs b/UnitTests/SecurityVulnerabilitiesTest.cs
@@ -22,6 +22,8 @@ public class SecurityVulnerabilitiesTest
     {
         private readonly TestConsole Console;
 
+        private static readonly byte[] aes128Key = new byte[] { 194, 164, 235, 6, 138, 248, 171, 239, 24, 216, 11, 22, 137, 199, 215, 133 };
+
         public SecurityVulnerabilitiesTest(ITestOutputHelper output)
         {
             this.Console = new TestConsole(output);
@@ -205,5 +207,25 @@ public void DeflateBomb()
                 Console.Out.WriteLine(e.ToString());
             }
         }
+
+        [Fact]
+        public void TruncatedGcmAuthTag()
+        {
+            // given 
+            string token = "eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4R0NNIn0..PEXf1goWOF0SZRe_.Zp3CHYq4ZqM3_opMIy25O50gmQzw_p-nCOiW2ROuQSv80-aD-78n8m103kgPRPCsOt7qrckDRGSDACOBZGr2WovzSC-dxIcW3EsPqtibueyh0p3FY43h-bcbhPzXBdjQPaNTCY0o26wcEV_4FzPYdE9_ngRFIUe_7Kby-E2CWYLFc5D9RO9TLGN5dpHL6l4SOGbNz8M0o4aQuyJv3BV1wj_KswqyVcKBHjm0eh6RmFhoERxWjvt5yeo83bzxTfReVWAxXw.AVLr7JE1r1uiUSLj";
+
+            try
+            {
+                // when decrypt token with trunated AES GCM tag, it should fail
+                Jose.JWT.Decode(token, aes128Key);  
+                Assert.True(false, "Should fail with IntegrityException");
+
+            }
+            catch (ArgumentException e)
+            {
+                Console.Out.WriteLine(e.ToString());
+            }
+        }
+
     }
 }
diff --git a/jose-jwt/crypto/AesGcmNetCore.cs b/jose-jwt/crypto/AesGcmNetCore.cs
@@ -37,7 +37,9 @@ public static byte[][] Encrypt(byte[] key, byte[] iv, byte[] aad, byte[] plainTe
         /// <exception cref="CryptographicException">if decryption failed by any reason</exception>
         public static byte[] Decrypt(byte[] key, byte[] iv, byte[] aad, byte[] cipherText, byte[] authTag)
         {
-            using var gcm = new System.Security.Cryptography.AesGcm(key);
+            Ensure.ByteSize(authTag, System.Security.Cryptography.AesGcm.TagByteSizes.MaxSize, "Expected auth tag of length: {0} bytes, but got: {1} bytes", System.Security.Cryptography.AesGcm.TagByteSizes.MaxSize, authTag.Length);
+
+	    using var gcm = new System.Security.Cryptography.AesGcm(key);
 
             var plaintext = new byte[cipherText.Length];