Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

merge for v2 #939

Merged
merged 2 commits into from
Jun 14, 2023
Merged

merge for v2 #939

merged 2 commits into from
Jun 14, 2023

Conversation

lestrrat
Copy link
Collaborator

No description provided.

lestrrat and others added 2 commits June 14, 2023 17:06
### Summary

Decrypting AES-CBC encrypted JWE has Potential Padding Oracle Attack Vulnerability.

### Details

On [v2.0.10](https://github.com/lestrrat-go/jwx/releases/tag/v2.0.10), decrypting AES-CBC encrypted JWE may return an error "failed to generate plaintext from decrypted blocks: invalid padding":

https://github.com/lestrrat-go/jwx/blob/8840ffd4afc5839f591ff0e9ba9034af52b1643e/jwe/internal/aescbc/aescbc.go#L210-L213

```go
	plaintext, err := unpad(buf, c.blockCipher.BlockSize())
	if err != nil {
		return nil, fmt.Errorf(`failed to generate plaintext from decrypted blocks: %w`, err)
	}
```

Reporting padding error causes [Padding Oracle Attack](https://en.wikipedia.org/wiki/Padding_oracle_attack) Vulnerability.
RFC 7516 JSON Web Encryption (JWE) says that we MUST NOT do this.

> 11.5.  Timing Attacks
> To mitigate the attacks described in RFC 3218 [RFC3218], the
> recipient MUST NOT distinguish between format, padding, and length
> errors of encrypted keys.  It is strongly recommended, in the event
> of receiving an improperly formatted key, that the recipient
> substitute a randomly generated CEK and proceed to the next step, to
> mitigate timing attacks.

In addition, the time to remove padding depends on the length of the padding.
It may leak the length of the padding by Timing Attacks.

https://github.com/lestrrat-go/jwx/blob/796b2a9101cf7e7cb66455e4d97f3c158ee10904/jwe/internal/aescbc/aescbc.go#L33-L66

```go
func unpad(buf []byte, n int) ([]byte, error) {
	lbuf := len(buf)
	rem := lbuf % n

	// First, `buf` must be a multiple of `n`
	if rem != 0 {
		return nil, fmt.Errorf("input buffer must be multiple of block size %d", n)
	}

	// Find the last byte, which is the encoded padding
	// i.e. 0x1 == 1 byte worth of padding
	last := buf[lbuf-1]

	// This is the number of padding bytes that we expect
	expected := int(last)

	if expected == 0 || /* we _have_ to have padding here. therefore, 0x0 is not an option */
		expected > n || /* we also must make sure that we don't go over the block size (n) */
		expected > lbuf /* finally, it can't be more than the buffer itself. unlikely, but could happen */ {
		return nil, fmt.Errorf(`invalid padding byte at the end of buffer`)
	}

	// start i = 1 because we have already established that expected == int(last) where
	// last = buf[lbuf-1].
	//
	// we also don't check against lbuf-i in range, because we have established expected <= lbuf
	for i := 1; i < expected; i++ {
		if buf[lbuf-i] != last {
			return nil, fmt.Errorf(`invalid padding`)
		}
	}

	return buf[:lbuf-expected], nil
}
```

To mitigate Timing Attacks, it MUST be done in constant time.

### Impact

The authentication tag is verified, so it is not an immediate attack.

Co-authored-by: ICHINOSE Shogo <shogo82148@gmail.com>
@codecov
Copy link

codecov bot commented Jun 14, 2023

Codecov Report

Merging #939 (a86a658) into v2 (43ca140) will decrease coverage by 0.29%.
The diff coverage is 72.39%.

@@            Coverage Diff             @@
##               v2     #939      +/-   ##
==========================================
- Coverage   71.78%   71.50%   -0.29%     
==========================================
  Files          90       92       +2     
  Lines        9662    13553    +3891     
==========================================
+ Hits         6936     9691    +2755     
- Misses       1928     3049    +1121     
- Partials      798      813      +15     
Impacted Files Coverage Δ
formatkind_string_gen.go 100.00% <ø> (ø)
internal/json/goccy.go 100.00% <ø> (ø)
jwa/secp2561k.go 100.00% <ø> (ø)
jwe/compress.go 0.00% <0.00%> (ø)
jwe/headers_gen.go 66.01% <ø> (-1.71%) ⬇️
jwe/internal/cipher/cipher.go 62.06% <0.00%> (+1.67%) ⬆️
jwe/io.go 53.33% <ø> (+9.58%) ⬆️
jwk/es256k.go 100.00% <ø> (ø)
jwk/io.go 42.10% <ø> (-1.65%) ⬇️
jwk/options_gen.go 75.86% <ø> (+11.15%) ⬆️
... and 63 more

... and 20 files with indirect coverage changes

@lestrrat lestrrat merged commit 6c41e38 into v2 Jun 14, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant