From 08e1bc5ce7120eac78377577acba2f811c3a0b2b Mon Sep 17 00:00:00 2001
From: Filip Skokan
Date: Fri, 9 Apr 2021 22:13:05 +0200
Subject: [PATCH] fix: defer AES CBC w/ HMAC decryption after tag verification passes
---
 lib/jwa/aes_cbc_hmac_sha2.js | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/lib/jwa/aes_cbc_hmac_sha2.js b/lib/jwa/aes_cbc_hmac_sha2.js
index 29a2fbea..f63dc32c 100644
--- a/lib/jwa/aes_cbc_hmac_sha2.js
+++ b/lib/jwa/aes_cbc_hmac_sha2.js
@@ -44,13 +44,17 @@ const decrypt = (size, sign, { [KEYOBJECT]: keyObject }, ciphertext, { iv, tag =
   const expectedTag = sign({ [KEYOBJECT]: macKey }, macData, tag).slice(0, keySize)
   const macCheckPassed = timingSafeEqual(tag, expectedTag)
+  if (!macCheckPassed) {
+    throw new JWEDecryptionFailed()
+  }
   let cleartext
   try {
     const cipher = createDecipheriv(`aes-${size}-cbc`, encKey, iv)
     cleartext = Buffer.concat([cipher.update(ciphertext), cipher.final()])
   } catch (err) {}
-  if (!cleartext || !macCheckPassed) {
+  if (!cleartext) {
     throw new JWEDecryptionFailed()
   }