Impact
The AES GCM decryption routine incorrectly uses the tag length from the actual Authentication Tag provided in the JWE, see: https://github.com/cisco/cjose/blob/0.6.1/src/jwe.c#L1228-L1229:

```c
// set the expected GCM-mode authentication tag
// raw_len is taken straight from the JWE, so a shorter tag shortens the check
if (EVP_CIPHER_CTX_ctrl(ctx, CJOSE_EVP_CTRL_GCM_SET_TAG, jwe->enc_auth_tag.raw_len, jwe->enc_auth_tag.raw) != 1)
```

However, the spec https://datatracker.ietf.org/doc/html/rfc7518#section-4.7 says that a fixed length of 16 octets must be applied.
Therefore this bug allows an attacker to provide a truncated Authentication Tag and to modify the JWE accordingly.
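To make the impact concrete, here is an added Go model of the two decrypt behaviours built on the standard library's AES-GCM; it is not cjose's C code. `decryptJWE` with trustTagLen=true mirrors the bug at jwe.c lines 1228-1229 (the tag length comes from the JWE), with false it applies the fixed 16-octet length RFC 7518 requires. Function names, key, IV and payload are constructed for this example; Go's GCM will not accept a tag shorter than 12 bytes, whereas OpenSSL's EVP_CTRL_GCM_SET_TAG accepts shorter ones, so 12 bytes is enough to show the effect here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
)

// RFC 7518 section 4.7: a JWE GCM Authentication Tag is always 128 bits.
const jweGCMTagLen = 16

func newGCM(key []byte, tagLen int) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCMWithTagSize(block, tagLen)
}

// decryptJWE is a hypothetical model of a JWE library's AES-GCM decrypt path
// (ct, iv and tag are separate JWE parts, aad is the protected header).
// trustTagLen=true reproduces the bug; false enforces the fixed 16-octet tag.
func decryptJWE(key, iv, aad, ct, tag []byte, trustTagLen bool) ([]byte, error) {
	tagLen := jweGCMTagLen
	if trustTagLen {
		tagLen = len(tag) // vulnerable: the untrusted JWE decides how many tag bytes are verified
	} else if len(tag) != jweGCMTagLen {
		return nil, errors.New("jwe: authentication tag must be exactly 16 octets")
	}
	// Go rejects tag sizes below 12; OpenSSL's EVP_CTRL_GCM_SET_TAG accepts shorter ones.
	aead, err := newGCM(key, tagLen)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, iv, append(append([]byte{}, ct...), tag...), aad)
}

// truncatedTagOutcome encrypts a constructed payload, keeps only the first
// tagBytes of the tag, and reports whether the vulnerable / fixed path accept it.
func truncatedTagOutcome(tagBytes int) (vulnerableOK, fixedOK bool) {
	key := []byte("0123456789abcdef") // constructed 128-bit key
	iv := []byte("unique-iv-12")      // constructed 96-bit nonce
	aad := []byte(`{"alg":"dir","enc":"A128GCM"}`)
	aead, _ := newGCM(key, jweGCMTagLen) // cannot fail for a 16-byte key and 16-byte tag
	sealed := aead.Seal(nil, iv, []byte("secret payload"), aad)
	ct, tag := sealed[:len(sealed)-jweGCMTagLen], sealed[len(sealed)-jweGCMTagLen:]
	_, vErr := decryptJWE(key, iv, aad, ct, tag[:tagBytes], true)
	_, fErr := decryptJWE(key, iv, aad, ct, tag[:tagBytes], false)
	return vErr == nil, fErr == nil
}
```

With a 12-byte tag the vulnerable path decrypts and the fixed path refuses; with the full 16-byte tag both accept, which is the only case the spec allows.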
Patches
Users should upgrade to a version >= 0.6.2.2 from:
https://github.com/OpenIDC/cjose/releases/tag/v0.6.2.2
Workarounds
One should avoid using AES GCM encryption and replace it with another encryption algorithm (e.g. AES CBC) if it is not possible to upgrade.
References
cisco#125