BUG/MEDIUM: jwe: fix timing side-channel and dead code in JWE decryption
authorDavid Carlier <devnexen@gmail.com>
Sat, 14 Feb 2026 16:16:58 +0000 (16:16 +0000)
committerWilliam Lallemand <wlallemand@haproxy.com>
Wed, 18 Feb 2026 09:46:32 +0000 (10:46 +0100)
Fix two issues in JWE token processing:

- Replace memcmp() with CRYPTO_memcmp() for authentication tag
  verification in build_and_check_tag() to prevent timing
  side-channel attacks. Also add a tag length validation check
  before the comparison to avoid potential buffer over-read when
  the decoded tag length doesn't match the expected HMAC half.

- Remove unreachable break statement after JWE_ALG_A256GCMKW case
  in decrypt_cek_aesgcmkw().

src/jwe.c

index befe7e21eef15c7886bb884549d4e5b9e236eecc..bfa73d901dbae28b99528bfcca15ab540ded40f1 100644 (file)
--- a/src/jwe.c
+++ b/src/jwe.c
@@ -230,7 +230,6 @@ static int decrypt_cek_aesgcmkw(struct buffer *cek, struct buffer *aead_tag, str
        case JWE_ALG_A128GCMKW: key_size = 128; break;
        case JWE_ALG_A192GCMKW: key_size = 192; break;
        case JWE_ALG_A256GCMKW: key_size = 256; break;
-               break;
        default:
                goto end;
        }
@@ -372,8 +371,12 @@ static int build_and_check_tag(jwe_enc enc,  struct jwt_item items[JWE_ELT_MAX],
                  (unsigned char*)b_orig(hmac), (unsigned int*)&hmac->data))
                goto end;
 
+       /* Double check that buffer lengths line up before the comparison */
+       if (unlikely(b_data(decoded_items[JWE_ELT_TAG]) != b_data(hmac) >> 1))
+               goto end;
+
        /* Use the first half of the HMAC output M as the Authentication Tag output T */
-       retval = memcmp(b_orig(decoded_items[JWE_ELT_TAG]), b_orig(hmac), b_data(hmac) >> 1);
+       retval = CRYPTO_memcmp(b_orig(decoded_items[JWE_ELT_TAG]), b_orig(hmac), b_data(hmac) >> 1);
 
 end:
        free_trash_chunk(tag_data);
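Review bot: The new length check on the `unlikely(...)` line is the right guard, but its comment undersells what it does: a tag whose length differs from half the HMAC output is an authentication failure in its own right, not merely a buffer-alignment concern, so I would write it as `/* The decoded tag must be exactly half the HMAC output: a wrong length is an authentication failure and would also let the comparison read past the decoded tag */`. The check's right-hand operand depends on `hmac->data` being filled through the `(unsigned int*)&hmac->data` cast on the context line above; if that field is wider than `unsigned int`, as `b_data(hmac)` suggests, only part of it is written, which happens to work on little-endian hosts but would feed a wrong length to both the new check and the `>> 1` comparison elsewhere — a local `unsigned int hmac_len` passed to HMAC() and then assigned to `hmac->data` would make this portable. build_and_check_tag starts before this hunk, so the initial value of retval that the `goto end` paths return is not visible here; it needs to be a failure value so that a rejected length is never reported as a successful tag check.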