Added auth tag size validation to AesGcm decrypt to always ensure 16 …

…bytes tags
dvsekhvalnov · Nov 6, 2024 · 18f15e8 · 18f15e8
1 parent 9d09c4f
commit 18f15e8
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 2 deletions.
diff --git a/UnitTestsNet46/SecurityVulnerabilitiesTest.cs b/UnitTestsNet46/SecurityVulnerabilitiesTest.cs
@@ -238,5 +238,24 @@ public void DeflateBomb()
                 Console.Out.WriteLine(e.ToString());
             }
         }
+
+        [Fact]
+        public void TruncatedGcmAuthTag()
+        {
+            // given 
+            string token = "eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4R0NNIn0..PEXf1goWOF0SZRe_.Zp3CHYq4ZqM3_opMIy25O50gmQzw_p-nCOiW2ROuQSv80-aD-78n8m103kgPRPCsOt7qrckDRGSDACOBZGr2WovzSC-dxIcW3EsPqtibueyh0p3FY43h-bcbhPzXBdjQPaNTCY0o26wcEV_4FzPYdE9_ngRFIUe_7Kby-E2CWYLFc5D9RO9TLGN5dpHL6l4SOGbNz8M0o4aQuyJv3BV1wj_KswqyVcKBHjm0eh6RmFhoERxWjvt5yeo83bzxTfReVWAxXw.AVLr7JE1r1uiUSLj";
+
+            try
+            {
+                // when decrypt token with trunated AES GCM tag, it should fail
+                Jose.JWT.Decode(token, aes128Key);  
+                Assert.True(false, "Should fail with IntegrityException");
+
+            }
+            catch (ArgumentException e)
+            {
+                Console.Out.WriteLine(e.ToString());
+            }
+        }
     }
 }
diff --git a/jose-jwt/crypto/AesGcm.cs b/jose-jwt/crypto/AesGcm.cs
@@ -8,7 +8,7 @@
 namespace Jose
 {
     public static class AesGcm
-    {
+    {       
         /// <summary>
         /// Performs AES encryption in GCM chaining mode over plain text
         /// </summary>
@@ -71,11 +71,14 @@ public static byte[] Decrypt(byte[] key, byte[] iv, byte[] aad, byte[] cipherTex
             IntPtr hKey, keyDataBuffer = ImportKey(hAlg, key, out hKey);
 
             byte[] plainText;
+            int expectedTagSize = MaxAuthTagSize(hAlg);
+
+            Ensure.ByteSize(authTag, expectedTagSize, "Expected auth tag of length: {0} bytes, but got: {1} bytes", expectedTagSize, authTag.Length);
 
             var authInfo = new BCrypt.BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO(iv, aad, authTag);
             using (authInfo)
             {
-                byte[] ivData = new byte[MaxAuthTagSize(hAlg)];
+                byte[] ivData = new byte[expectedTagSize];
 
                 int plainTextSize = 0;
 

diff --git a/jose-jwt/util/Ensure.cs b/jose-jwt/util/Ensure.cs
@@ -31,6 +31,12 @@ public static void BitSize(byte[] array, long expectedSize, string msg, params o
             if(expectedSize != array.Length * 8L)
                 throw new ArgumentException(string.Format(msg,args));
         }
+
+        public static void ByteSize(byte[] array, long expectedSize, string msg, params object[] args)
+        {
+            if(expectedSize != array.Length)
+                throw new ArgumentException(string.Format(msg,args));
+        }
 
         public static void BitSize(int actualSize, int expectedSize, string msg)
         {