Merge pull request #109 from btoews/po-fix

Remove padding oracle

Author: nov

lib/json/jwe.rb

@@ -43,9 +43,12 @@ def decrypt!(private_key_or_secret, algorithms = nil, encryption_methods = nil)
       raise UnexpectedAlgorithm.new('Unexpected alg header') unless algorithms.blank? || Array(algorithms).include?(alg)
       raise UnexpectedAlgorithm.new('Unexpected enc header') unless encryption_methods.blank? || Array(encryption_methods).include?(enc)
       self.private_key_or_secret = with_jwk_support private_key_or_secret
-      cipher.decrypt
       self.content_encryption_key = decrypt_content_encryption_key
       self.mac_key, self.encryption_key = derive_encryption_and_mac_keys
+
+      verify_cbc_authentication_tag! if cbc?
+
+      cipher.decrypt
       cipher.key = encryption_key
       cipher.iv = iv # NOTE: 'iv' has to be set after 'key' for GCM
       if gcm?
@@ -54,8 +57,15 @@ def decrypt!(private_key_or_secret, algorithms = nil, encryption_methods = nil)
         cipher.auth_tag = authentication_tag
         cipher.auth_data = auth_data
       end
-      self.plain_text = cipher.update(cipher_text) + cipher.final
-      verify_cbc_authentication_tag! if cbc?
+
+      begin
+        self.plain_text = cipher.update(cipher_text) + cipher.final
+      rescue OpenSSL::OpenSSLError
+        # Ensure that the same error is raised for invalid PKCS7 padding
+        # as for invalid signatures. This prevents padding-oracle attacks.
+        raise DecryptionFailed
+      end
+
       self
     end
 
@@ -244,7 +254,7 @@ def verify_cbc_authentication_tag!
         sha_digest, mac_key, secured_input
       )[0, sha_size / 2 / 8]
       unless secure_compare(authentication_tag, expected_authentication_tag)
-        raise DecryptionFailed.new('Invalid authentication tag')
+        raise DecryptionFailed
       end
     end
 

spec/json/jwe_spec.rb

@@ -91,22 +91,60 @@
     end
 
     shared_examples_for :verify_cbc_authentication_tag do
-      let(:jwe_string) do
+      let(:jwe_parts) do
         _jwe_ = JSON::JWE.new plain_text
         _jwe_.alg, _jwe_.enc = alg, enc
         _jwe_.encrypt! key
-        hdr, extra, iv, cipher_text, _ = _jwe_.to_s.split '.'
-        [hdr, extra, iv, cipher_text, ''].join '.'
+        _jwe_.to_s.split '.'
       end
 
-      it do
-        # fetching those variables outside of exception block to make sure
-        # we intercept exception in decrypt! and not in other place
-        j = jwe
-        k = key
-        expect do
-          j.decrypt! k
-        end.to raise_error JSON::JWE::DecryptionFailed
+      let(:hdr)         { jwe_parts[0] }
+      let(:extra)       { jwe_parts[1] }
+      let(:iv)          { jwe_parts[2] }
+      let(:cipher_text) { jwe_parts[3] }
+      let(:signature)   { jwe_parts[4] }
+
+      let(:jwe_string) { [hdr, extra, iv, cipher_text, signature].join '.' }
+
+      shared_examples_for :signature_verification_failure do
+        it do
+          # fetching those variables outside of exception block to make sure
+          # we intercept exception in decrypt! and not in other place
+          j = jwe
+          k = key
+          expect do
+            j.decrypt! k
+          end.to raise_error JSON::JWE::DecryptionFailed
+        end
+      end
+
+      describe "with missing signature" do
+        let(:signature) { "" }
+        it_behaves_like :signature_verification_failure
+      end
+
+      describe "with good pkcs7 padding and bad signature" do
+        let(:iv) do
+          good_padding_byte = 16 - (plain_text.bytesize % 16)
+          bad_padding_byte = 1
+          iv_bytes = Base64.urlsafe_decode64(super()).bytes
+          iv_bytes[-1] = iv_bytes[-1] ^ good_padding_byte ^ bad_padding_byte
+          Base64.urlsafe_encode64(iv_bytes.pack("C*"), padding: false)
+        end
+
+        it_behaves_like :signature_verification_failure
+      end
+
+      describe "with bad pkcs7 padding and bad signature" do
+        let(:iv) do
+          good_padding_byte = 16 - (plain_text.bytesize % 16)
+          bad_padding_byte = good_padding_byte - 1
+          iv_bytes = Base64.urlsafe_decode64(super()).bytes
+          iv_bytes[-1] = iv_bytes[-1] ^ good_padding_byte ^ bad_padding_byte
+          Base64.urlsafe_encode64(iv_bytes.pack("C*"), padding: false)
+        end
+
+        it_behaves_like :signature_verification_failure
       end
     end