Early this week, a new OpenSSL error code padding oracle dropped. Padding oracles are one of the most fun crypto vulnerabilities, so I gave this one the full treatment:
- a ten-line PoC and CLI test, obviously based on a patched Go
- an online one-click test
- an in-depth zero-to-decryption writeup on the CloudFlare blog
Yet Another Padding Oracle in OpenSSL CBC Ciphersuites (archive)
I'm pretty happy about the writeup. It comes with hand drawn diagrams :)
We chatted a bit with Juraj about how to extend this attack to full-message decryption (instead of only 16 bytes), and we are both pretty convinced that there's no way now.
The vulnerable code was introduced while fixing Lucky13 (not by Adam Langley's patch, but in a multi-purpose, uncommented function with three levels of #ifdef), and as Kenny Paterson points out, they even warned about it in the Lucky13 paper!