The wolfSSL library is NOT vulnerable to these attacks, thanks to previous fixes we've made and our extensive testing.
These attacks were presented by Craig Young at BlackHat Asia 3/29/2019 (slides).
Both attacks target the MAC and Padding used for TLS v1.2 with AES CBC cipher suites. TLS padding occurs when a record is not 16-byte aligned and is padded with the length value. The MAC uses HMAC with SHA/SHA256 to calculate an authention code. For TLS the order of operation is MAC -> PAD -> ENCRYPT.
The attack requires a man-in-the-middle (MITM) position to employ the attack. It takes valid records and alters either MAC or Padding or cause TLS errors. If the TLS server responds differently to each of these errors then it can leak information about the plain text message.
The author Craig Young wrote a "padcheck" tool, which tests the following error cases:
- Invalid MAC with Valid Padding (0-length pad)
- Missing MAC with Incomplete/Invalid Padding (255-length pad)
- Typical POODLE condition (incorrect bytes followed by correct length)
- All padding bytes set to 0x80 (integer overflow attempt)
- Valid padding with an invalid MAC and a 0-length record
For wolfSSL we respond consistently with the same alert and close the socket for each ofl these conditions.
The recommendation from the author is to stop using AES CBC cipher suites and start using TLS v1.3, which is supported by wolfSSL. More information about wolfSSL and TLS 1.3 can be found here: https://www.wolfssl.com/docs/tls13/
For more information about wolfSSL, please contact facts@wolfssl.com.