wolfSSL and the Raccoon Attack

wolfSSL did an internal review of the Raccoon Attack, in addition to reaching out to the research team behind the report, to determine if wolfSSL users are affected by this attack.

The Raccoon Attack is a timing side channel against TLS 1.2 and earlier: those protocol versions strip leading zero bytes from the Diffie-Hellman shared secret before it is fed into the PRF, so the time taken to derive the master secret leaks whether the secret had leading zeros. Exploiting this requires the same DH private key to be used across many connections, which is why the report pertains to static DH cipher suites and to the re-use of a DH key with DHE cipher suites. The wolfSSL internal review concluded that:

A) wolfSSL does not support static DH. Conclusion – Not affected
B) wolfSSL ALWAYS generates a fresh key for every connection using DHE cipher suites with TLS 1.2 and lower protocol versions, so there is no key re-use to exploit. (Special note: TLS 1.3 is not affected, because it encodes the DH shared secret at the full byte length of the prime, leading zeros included, so there is no length-dependent timing to measure.) Conclusion – Not affected

wolfSSL also received feedback from the research team that DHE_PSK cipher suites suffer from an inherent specification flaw that can leak the length of the Pre-Shared Key under certain circumstances. This is due to the way the Premaster Secret (PMS) is constructed for DHE_PSK cipher suites. The PMS is the concatenation:

Length of Z | Z (the DH shared secret) | Length of PSK | PSK

This PMS is the key of the HMAC-based TLS PRF, so the work done to derive the master secret depends on the length of the PMS, and therefore on the length of the PSK. Attackers can measure this runtime remotely by sending ClientKeyExchange messages and timing the responses to determine the length of the PSK. This is covered in more detail in section 4.2 of the Raccoon Attack paper. Long, fixed-length PSKs are typically used, but if this is a concern in your application wolfSSL recommends that ECDHE_PSK cipher suites be used in preference to DHE_PSK cipher suites.
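The two length dependencies described on this page, the leading-zero stripping behind the Raccoon Attack itself and the PSK-length dependency of the DHE_PSK premaster secret, as an added example that is not wolfSSL code. It builds the TLS 1.2 and TLS 1.3 encodings of the DH shared secret and the RFC 4279 DHE_PSK premaster secret, then models the PRF cost with a simplified assumption (the number of SHA-256 compression calls spent pre-hashing an over-long HMAC key, per RFC 2104) and assumes the attacker can drive the length of Z from one ClientKeyExchange to the next. TOY_P, the function names and all sample values are constructed for the example; the cost model is an illustration of the mechanism, not a measurement of any implementation.

```python
import struct
from typing import Optional

# Toy 64-bit prime so the example runs instantly (constructed; not a TLS FFDHE group).
TOY_P = 18446744073709551557  # 2**64 - 59

SHA256_BLOCK = 64  # byte block size of SHA-256, the hash in the TLS 1.2 PRF


def dhe_premaster_tls12(z: int) -> bytes:
    """TLS 1.2 and earlier (RFC 5246 section 8.1.2): Z is the premaster secret
    with leading all-zero bytes stripped, so its length depends on Z's top bits.
    This variable length is the timing signal the Raccoon Attack measures."""
    n = max(1, (z.bit_length() + 7) // 8)
    return z.to_bytes(n, "big")


def dh_shared_secret_tls13(z: int, p: int) -> bytes:
    """TLS 1.3 (RFC 8446 section 7.4.1): Z is left-padded with zeros to the byte
    length of p, so every connection feeds a constant-length secret into HKDF."""
    return z.to_bytes((p.bit_length() + 7) // 8, "big")


def dhe_psk_premaster(z: bytes, psk: bytes) -> bytes:
    """DHE_PSK premaster secret (RFC 4279 section 3):
    uint16 len(Z) || Z || uint16 len(PSK) || PSK."""
    return struct.pack("!H", len(z)) + z + struct.pack("!H", len(psk)) + psk


def hmac_key_prehash_blocks(key_len: int) -> int:
    """Simplified cost model (an assumption of this example, not a measurement).
    The TLS 1.2 PRF is HMAC keyed with the premaster secret, and HMAC first hashes
    any key longer than the hash block size (RFC 2104). Return the number of
    SHA-256 compression calls that key pre-hash costs: 0 when no pre-hash is
    needed, otherwise the padded length (key + 0x80 + 8-byte length) in blocks."""
    if key_len <= SHA256_BLOCK:
        return 0
    return (key_len + 1 + 8 + SHA256_BLOCK - 1) // SHA256_BLOCK


def first_prehash_z_len(psk_len: int, max_z_len: int = 256) -> Optional[int]:
    """Sweep the length of Z (assumed attacker-driven via the ClientKeyExchange
    public value) and return the first Z length at which the PRF begins
    pre-hashing its key, i.e. where the observed runtime steps up."""
    for z_len in range(1, max_z_len + 1):
        if hmac_key_prehash_blocks(2 + z_len + 2 + psk_len) > 0:
            return z_len
    return None


def psk_len_from_step(z_step: int) -> int:
    """Invert the step under the model: 4 + z_step + psk_len == SHA256_BLOCK + 1.
    Valid when the step is seen at z_step >= 1, i.e. PSKs of up to 60 bytes;
    longer PSKs pre-hash from z_len = 1 and need the later block-boundary steps."""
    return SHA256_BLOCK + 1 - 4 - z_step


if __name__ == "__main__":
    z = 0x00000000FFFFFFFF  # constructed Z with four leading zero bytes
    print("TLS 1.2 premaster length:", len(dhe_premaster_tls12(z)))       # 4
    print("TLS 1.3 shared secret length:", len(dh_shared_secret_tls13(z, TOY_P)))  # 8
    for psk_len in (8, 16, 32):
        step = first_prehash_z_len(psk_len)
        print(f"PSK of {psk_len} bytes: PRF cost steps at len(Z) = {step}, "
              f"recovered PSK length = {psk_len_from_step(step)}")
```

Under this model the step position reveals the PSK length exactly for PSKs shorter than 61 bytes; the same dependency exists at every further 64-byte block boundary, which is why the page's advice to prefer ECDHE_PSK, where the attacker cannot vary the length of Z, removes the attacker's ability to calibrate the measurement.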

Some projects that claim to be secure have not responded to this attack at all. You should not use those products or projects, because they will leave you exposed.

For any questions or concerns feel free to contact wolfSSL support at support@wolfssl.com.