Hi All,
This is some preliminary information on whether BouncyCastle TLS API is affected by SMACK (https://www.smacktls.com).

A paper is available (https://www.smacktls.com/smack.pdf) outlining the analysis tools and various concrete attacks on several well-known TLS implementations. BouncyCastle is not mentioned in the paper (implying that BC TLS was not tested, rather than that it "passed"), and we were not notified prior to public disclosure. So for the moment, we have been reviewing the paper and analysing our code in light of the described attacks.

At this stage, we do not believe that any version of our TLS API has any exploitable vulnerabilities related to SMACK. Each of the explicitly-described "deviant" handshakes would result in a fatal alert being raised (and a handshake failure). We did find a few places where the failure mode was less than ideal, and some changes have been pushed to git accordingly.

The common theme of these attacks is abuse of the TLS (handshake) state machine(s) by sending an invalid sequence of (otherwise valid) handshake messages, with a view to confusing any implementation that does not properly check the associated transitions. By design, BC is strict about checking state machine transitions (a design inherited from MicroTLS, the original implementation generously contributed to BC by Erik Tews).

Nevertheless, until we have been in contact with the authors, and hopefully had a chance to run their tests directly on the BC implementations, we cannot be more definitive.

Regards,
Pete Dettman
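To illustrate the strict state-machine checking the post describes, here is an added example (not BouncyCastle's code): a client-side validator for the server's first flight of a TLS 1.2 handshake. It accepts only the message orderings RFC 5246 allows for the negotiated key exchange and treats every other sequence as a fatal unexpected_message alert; the message sequences fed to it below are constructed, and the `kx` parameter is an assumption standing in for the cipher suite's key-exchange algorithm.

```python
# Added example, not BouncyCastle code: a strict client-side state machine for
# the server flight of a TLS 1.2 handshake. Every incoming handshake message is
# checked against the set of message types permitted in the current state, and
# anything else is treated as a fatal alert, which is the behaviour the post
# describes for BC. Ordering follows RFC 5246 section 7.3.

UNEXPECTED_MESSAGE = 10  # TLS AlertDescription.unexpected_message


class HandshakeFailure(Exception):
    """Raised where a real implementation would send a fatal alert and abort."""


def _allowed_after(state, kx):
    """Message types the client may accept next, given the current state."""
    if state == "START":
        return {"ServerHello"}
    if state == "ServerHello":
        return {"Certificate"}  # anonymous suites are not accepted here
    if state == "Certificate":
        # RSA key exchange must NOT carry a ServerKeyExchange; (EC)DHE must.
        if kx == "RSA":
            return {"CertificateRequest", "ServerHelloDone"}
        return {"ServerKeyExchange"}
    if state == "ServerKeyExchange":
        return {"CertificateRequest", "ServerHelloDone"}
    if state == "CertificateRequest":
        return {"ServerHelloDone"}
    return set()  # after ServerHelloDone the server must stop talking


def validate_server_flight(messages, kx="RSA"):
    """Return the final state for a valid flight, else raise HandshakeFailure.

    `messages` is a list of handshake message type names in arrival order;
    `kx` (assumed parameter) is the suite's key-exchange algorithm.
    """
    state = "START"
    for msg in messages:
        allowed = _allowed_after(state, kx)
        if msg not in allowed:  # deviant transition: skipped, extra or repeated
            raise HandshakeFailure(
                f"alert {UNEXPECTED_MESSAGE}: got {msg} in state {state}, "
                f"expected one of {sorted(allowed) or 'nothing (flight over)'}")
        state = msg
    if state != "ServerHelloDone":
        raise HandshakeFailure("server flight ended before ServerHelloDone")
    return state


def is_accepted(messages, kx="RSA"):
    """True if the flight is accepted, False if it would trigger a fatal alert."""
    try:
        validate_server_flight(messages, kx)
        return True
    except HandshakeFailure:
        return False
```

Running `is_accepted` over sequences that skip Certificate, insert a ServerKeyExchange into an RSA suite, repeat ServerHello, or stop before ServerHelloDone returns False in each case, while the two legitimate RSA and DHE orderings return True.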