Early this week, a new OpenSSL error code padding oracle dropped. Padding oracles are one of the most fun crypto vulnerabilities, so I gave this one the full treatment:
- a ten-line PoC and CLI test, obviously based on a patched Go
- an online one-click test
- an in-depth zero-to-decryption writeup on the CloudFlare blog
Yet Another Padding Oracle in OpenSSL CBC Ciphersuites (archive)
I'm pretty happy about the writeup. It comes with hand-drawn diagrams :)
We chatted a bit with Juraj about how to extend this attack to full-message decryption (instead of only 16 bytes), and we are both pretty convinced that there's no way now.
The vulnerable code was introduced while fixing Lucky13 (not by Adam Langley's patch, but in a multi-purpose uncommented function with three levels of #ifdef), and as Kenny Paterson points out, they even warned about it in the L13 paper!