The wolfSSL library is NOT vulnerable to these attacks, thanks to previous fixes we’ve made and our extensive testing.
Ongoing research regarding CBC padding oracle attacks against TLS will be presented in August 2019 at USENIX Security. These attacks were originally presented by Craig Young at BlackHat Asia in March 2019 (slides).
Both attacks target the MAC and Padding used for TLS v1.2 with AES CBC cipher suites. TLS padding occurs when a record is not 16-byte aligned and is padded with the length value. The MAC uses HMAC with SHA/SHA256 to calculate an authentication code. For TLS the order of operation is MAC -> PAD -> ENCRYPT.
The attack requires a man-in-the-middle (MITM) position to employ the attack. It takes valid records and alters either MAC or Padding or cause TLS errors. If the TLS server responds differently to each of these errors then it can leak information about the plain text message.
The author Craig Young wrote a “padcheck” tool, which tests the following error cases:
- Invalid MAC with Valid Padding (0-length pad)
- Missing MAC with Incomplete/Invalid Padding (255-length pad)
- Typical POODLE condition (incorrect bytes followed by correct length)
- All padding bytes set to 0x80 (integer overflow attempt)
- Valid padding with an invalid MAC and a 0-length record
For wolfSSL, we respond consistently with the same alert and close the socket for each of these conditions.
The recommendation from the author is to stop using AES CBC cipher suites and start using TLS v1.3, which is supported by wolfSSL. More information about wolfSSL and TLS 1.3 can be found here: https://www.wolfssl.com/docs/tls13/
For more information about wolfSSL, please contact facts@wolfssl.com.