From fc89ff76c7038fef8aca51ca1d07c21e88458525 Mon Sep 17 00:00:00 2001
From: David Carlier
Date: Sat, 14 Feb 2026 16:16:58 +0000
Subject: [PATCH] BUG/MEDIUM: jwe: fix timing side-channel and dead code in JWE decryption

Fix two issues in JWE token processing:

- Replace memcmp() with CRYPTO_memcmp() for authentication tag verification in build_and_check_tag() to prevent timing side-channel attacks. Also add a tag length validation check before the comparison to avoid potential buffer over-read when the decoded tag length doesn't match the expected HMAC half.

- Remove unreachable break statement after JWE_ALG_A256GCMKW case in decrypt_cek_aesgcmkw().
---
 src/jwe.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/jwe.c b/src/jwe.c
index befe7e21e..bfa73d901 100644
--- a/src/jwe.c
+++ b/src/jwe.c
@@ -230,7 +230,6 @@ static int decrypt_cek_aesgcmkw(struct buffer *cek, struct buffer *aead_tag, str
 	case JWE_ALG_A128GCMKW: key_size = 128; break;
 	case JWE_ALG_A192GCMKW: key_size = 192; break;
 	case JWE_ALG_A256GCMKW: key_size = 256; break;
-	break;
 	default: goto end;
 	}
 
@@ -372,8 +371,12 @@ static int build_and_check_tag(jwe_enc enc, struct jwt_item items[JWE_ELT_MAX],
 	                 (unsigned char*)b_orig(hmac), (unsigned int*)&hmac->data))
 		goto end;
 
+	/* Double check that buffer lengths line up before the comparison */
+	if (unlikely(b_data(decoded_items[JWE_ELT_TAG]) != b_data(hmac) >> 1))
+		goto end;
+
 	/* Use the first half of the HMAC output M as the Authentication Tag output T */
-	retval = memcmp(b_orig(decoded_items[JWE_ELT_TAG]), b_orig(hmac), b_data(hmac) >> 1);
+	retval = CRYPTO_memcmp(b_orig(decoded_items[JWE_ELT_TAG]), b_orig(hmac), b_data(hmac) >> 1);
 end:
 	free_trash_chunk(tag_data);