Skip to content

Handle TLS CBC bad padding in DES3 without a padding oracle#448

Draft
yosuke-wolfssl wants to merge 1 commit into
wolfSSL:masterfrom
yosuke-wolfssl:fix/f_517
Draft

Handle TLS CBC bad padding in DES3 without a padding oracle#448
yosuke-wolfssl wants to merge 1 commit into
wolfSSL:masterfrom
yosuke-wolfssl:fix/f_517

Conversation

@yosuke-wolfssl

Copy link
Copy Markdown
Contributor

Handle TLS CBC bad padding in DES3 without a padding oracle

Summary

DES-EDE3-CBC in wolfProvider had no TLS 1.2 CBC record post-processing, so
decryption of a TLS record leaked whether padding was valid before the MAC was
checked — a Lucky13-style padding oracle. This adds constant-time padding
validation and MAC extraction to the DES3 TLS decrypt path, mirroring the
existing wp_aes_block implementation, and wires up the TLS cipher parameters
the record layer relies on.

Addresses F-517.

Changes

src/wp_des.c

  • New wp_des3_block_tls_dec_record() — constant-time TLS 1.2 CBC decrypt
    post-processing over the record [explicit_IV][payload][MAC][padding]:
    • MtE (MAC-then-Encrypt, macSize > 0): constant-time padding validation
      and MAC extraction using the rotation pattern from OpenSSL's
      tls1_cbc_remove_padding_and_mac() / ssl3_cbc_copy_mac(). On bad padding
      it substitutes a random MAC (via constant-time select) rather than
      failing early, so an attacker cannot distinguish bad-padding from bad-MAC —
      no oracle.
    • ETM / no-MAC (macSize == 0): strips the explicit IV and
      validates/removes padding; bad padding is a hard failure (the record layer
      already verified the MAC, so there is no oracle concern).
  • DES3 block context gains TLS MAC state (tlsmac, tlsmacsize,
    tlsmacAlloced), freed in freectx and deep-copied in dupctx to avoid a
    double-free between contexts.
  • Parameter plumbing so the record layer's EVP calls work: handle
    OSSL_CIPHER_PARAM_TLS_VERSION and OSSL_CIPHER_PARAM_TLS_MAC_SIZE on set,
    and expose OSSL_CIPHER_PARAM_TLS_MAC on get.

test/test_tls_cbc.c, test/unit.c, test/unit.h — new DES3 coverage:

  • test_des3_tls_cbc_bad_pad — MtE bad padding returns success with a
    randomized MAC (oracle defense).
  • test_des3_tls_cbc_mte — MtE valid record: recovered length, plaintext, and
    extracted MAC.
  • test_des3_tls_cbc_etm — ETM/no-MAC valid record: recovered length and
    content.
  • test_des3_tls_cbc_etm_bad_pad — ETM bad padding must fail (not
    substitute a MAC), covering the differing MtE/ETM semantics.
  • test_des3_tls_cbc_dec / test_des3_tls_cbc_mte_split — split-record decrypt
    across two EVP_CipherUpdate calls to exercise the buffered-block path; the
    MtE split test asserts l1 == 0 before the completing update so the
    exact-sized output buffer can't overrun.

Testing

  • Full test/unit.test suite passes (TESTSUITE SUCCESS), including all new
    DES3 TLS-CBC cases.
  • Each new assertion was validated with a negative control (injected corruption
    / simulated failure) to confirm it is non-vacuous.

@yosuke-wolfssl yosuke-wolfssl self-assigned this Jul 16, 2026
Copilot AI review requested due to automatic review settings July 16, 2026 00:49

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens DES-EDE3-CBC TLS 1.2 CBC record decryption in wolfProvider to avoid a Lucky13-style padding oracle by adding constant-time padding validation and (for MAC-then-Encrypt) constant-time MAC extraction with randomized-MAC substitution on bad padding, aligning behavior with the existing AES TLS-CBC implementation. It also adds DES3 TLS-CBC unit tests to cover MtE vs ETM/no-MAC semantics and split-record update paths.

Changes:

  • Add constant-time TLS 1.2 CBC decrypt post-processing for DES3, including MAC extraction/randomization for MtE and strict padding failure for ETM/no-MAC.
  • Plumb TLS cipher parameters for DES3 (TLS_VERSION, TLS_MAC_SIZE, TLS_MAC) and ensure context duplication/freeing handles TLS MAC state safely.
  • Add multiple DES3 TLS-CBC tests (valid/invalid padding, MtE/ETM, split updates) and register them in the unit test suite.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File Description
src/wp_des.c Adds DES3 TLS-CBC constant-time padding/MAC handling and TLS param plumbing (TLS_MAC_SIZE/TLS_MAC).
test/test_tls_cbc.c Adds DES3 TLS-CBC test coverage for MtE/ETM modes, bad padding behavior, and split-update paths.
test/unit.c Registers the new DES3 TLS-CBC tests in the test suite.
test/unit.h Declares the new DES3 TLS-CBC test functions.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/wp_des.c
Comment thread src/wp_des.c
Comment thread src/wp_des.c

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #448

Scan targets checked: wolfprovider-bugs, wolfprovider-src

Findings: 2
2 finding(s) posted as inline comments (see file-level comments below)

This review was generated automatically by Fenrir. Findings are non-blocking.

Comment thread src/wp_des.c
Comment thread test/test_tls_cbc.c Outdated
Comment thread test/test_tls_cbc.c Outdated
Comment thread src/wp_des.c

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #448

Scan targets checked: wolfprovider-bugs, wolfprovider-src

Findings: 3
3 finding(s) posted as inline comments (see file-level comments below)

This review was generated automatically by Fenrir. Findings are non-blocking.

Comment thread src/wp_des.c
Comment thread test/test_tls_cbc.c Outdated
Comment thread src/wp_des.c
@yosuke-wolfssl
yosuke-wolfssl marked this pull request as draft July 17, 2026 01:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants