git.ipfire.org Git - thirdparty/haproxy.git/commit

author	Remi Tricot-Le Breton <rlebreton@haproxy.com>
	Tue, 26 May 2026 14:20:52 +0000 (16:20 +0200)
committer	Willy Tarreau <w@1wt.eu>
	Tue, 26 May 2026 16:14:21 +0000 (18:14 +0200)
commit	4e7518ed21adc7d42c5459deea3a18e51fb9c997
tree	ec5d1aeed344406d8cf5e62fb765fb45ecc0cc55	tree \| snapshot
parent	ce9371a768a6df6591bd8cc4c44c61f5a3049925	commit \| diff

BUG/MINOR: jwe: enforce GCM tag length to 128 bits

Two fixes addressing cryptographic and parsing correctness issues:

1. Enforce 16-byte GCM authentication tag in decrypt_ciphertext()

   The base64url-decoded 5th JWE component (authentication tag) was passed
   directly to EVP_CTRL_AEAD_SET_TAG with its attacker-controlled length.
   OpenSSL accepts 1-16 byte GCM tags and only verifies that many bytes, so
   a 1-byte tag reduces forgery work factor to ~256. RFC 7518 mandates 128-bit
   (16 byte) tags for A*GCM. The CBC-HMAC path already enforced correct length,
   confirming this was an oversight.

   Fix: Add (*aead_tag)->data != 16 check before the GCM branch in
   decrypt_ciphertext(), rejecting any non-16-byte tag.

   Introduced by 416b87d5db (JWE A*GCM support).

2. Enforce 16-byte GCMKW tag in parse_jose() decode_jose_field()

   The $.tag field from the attacker-supplied protected header in A*GCMKW
   key-wrap was similarly decoded without length enforcement. Fix: Add a
   size != 16 check for fields named ".tag" in decode_jose_field() when
   called from the GCMKW path.

   Introduced by 026652a7eb (GCMKW tag field parsing).