In sample_conv_jwt_decrypt_secret(), when a JWE token has an empty
encrypted-key section but the algorithm is not "dir" (e.g. A128KW),
neither branch initializes decrypted_cek. The NULL pointer is then
passed to decrypt_ciphertext() which dereferences it:
- For GCM encodings: aes_process() calls b_orig(NULL) -> SIGSEGV
- For CBC encodings: b_data(NULL) at jwe.c:463 -> SIGSEGV
A single HTTP request with a crafted Authorization header crashes the
worker process. Trigger token (JOSE header {"alg":"A128KW","enc":"A128GCM"},
empty CEK section between the two dots):
eyJhbGciOiJBMTI4S1ciLCJlbmMiOiJBMTI4R0NNIn0..AAAAAAAAAAAAAAAA.AA.AA
Reachable in any configuration using the jwt_decrypt_secret converter.
The other two decrypt converters (jwt_decrypt_jwk, jwt_decrypt_cert)
already have the check.
This must be backported as far as JWE support exists.
---
src/jwe.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/jwe.c b/src/jwe.c
index 2cf4a7adcdfc..d7497888e7b0 100644
--- a/src/jwe.c
+++ b/src/jwe.c
@@ -718,6 +718,10 @@ static int sample_conv_jwt_decrypt_secret(const struct arg
*args, struct sample
goto end;
chunk_memcpy(decrypted_cek, secret_smp.data.u.str.area,
secret_smp.data.u.str.data);
+ } else {
+ /* Empty CEK with a non-"dir" algorithm: nothing we can use to
+ * derive a key. Bail out instead of passing NULL down. */
+ goto end;
}
/* Decode the encrypted content thanks to decrypted_cek secret */
--
2.53.0
