upstream/haproxy
1
0
Fork 0
mirror of https://github.com/haproxy/haproxy.git synced 2026-02-18 18:19:39 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions 21

BUG/MEDIUM: jwe: fix timing side-channel and dead code in JWE decryption

Browse source 
Fix two issues in JWE token processing:

- Replace memcmp() with CRYPTO_memcmp() for authentication tag
  verification in build_and_check_tag() to prevent timing
  side-channel attacks. Also add a tag length validation check
  before the comparison to avoid potential buffer over-read when
  the decoded tag length doesn't match the expected HMAC half.

- Remove unreachable break statement after JWE_ALG_A256GCMKW case
  in decrypt_cek_aesgcmkw().
This commit is contained in:
David Carlier 2026-02-14 16:16:58 +00:00 committed by William Lallemand
parent 806c8c830d
commit fc89ff76c7
1 changed files with 5 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
src/jwe.c
View file

@ -230,7 +230,6 @@ static int decrypt_cek_aesgcmkw(struct buffer *cek, struct buffer *aead_tag, str
case JWE_ALG_A128GCMKW: key_size = 128; break;
case JWE_ALG_A192GCMKW: key_size = 192; break;
case JWE_ALG_A256GCMKW: key_size = 256; break;
break;
default:
goto end;
}
@ -372,8 +371,12 @@ static int build_and_check_tag(jwe_enc enc, struct jwt_item items[JWE_ELT_MAX],
(unsigned char*)b_orig(hmac), (unsigned int*)&hmac->data))
goto end;
/* Double check that buffer lengths line up before the comparison */
if (unlikely(b_data(decoded_items[JWE_ELT_TAG]) != b_data(hmac) >> 1))
goto end;
/* Use the first half of the HMAC output M as the Authentication Tag output T */
retval = memcmp(b_orig(decoded_items[JWE_ELT_TAG]), b_orig(hmac), b_data(hmac) >> 1);
retval = CRYPTO_memcmp(b_orig(decoded_items[JWE_ELT_TAG]), b_orig(hmac), b_data(hmac) >> 1);
end:
free_trash_chunk(tag_data);