rpms / erlang

Clone
Source Code
GIT

Blame otp-0010-ssl-Reenable-padding-check-for-TLS-1.0-and-provide-b.patch

c9s-sig-messaging-rabbitmq
  1.   564391e634bbbf4b21763c71485663bfb7a76e6b
  2.   otp-0010-ssl-Reenable-padding-check-for-TLS-1.0-and-provide-b.patch
Blob History Raw
John Eckersberg 654b87 
diff -Naur otp-OTP-17.4.orig/lib/ssl/doc/src/ssl.xml otp-OTP-17.4/lib/ssl/doc/src/ssl.xml
John Eckersberg 654b87 
--- otp-OTP-17.4.orig/lib/ssl/doc/src/ssl.xml	2015-08-05 16:52:39.988500514 -0400
John Eckersberg 654b87 
+++ otp-OTP-17.4/lib/ssl/doc/src/ssl.xml	2015-08-05 16:52:50.478441422 -0400
John Eckersberg 654b87 
@@ -4,7 +4,7 @@
John Eckersberg 654b87 
 <erlref>
John Eckersberg 654b87 
   <header>
John Eckersberg 654b87 
     <copyright>
John Eckersberg 654b87 
-      <year>1999</year><year>2014</year>
John Eckersberg 654b87 
+      <year>1999</year><year>2015</year>
John Eckersberg 654b87 
       <holder>Ericsson AB. All Rights Reserved.</holder>
John Eckersberg 654b87 
     </copyright>
John Eckersberg 654b87 
     <legalnotice>
John Eckersberg 654b87 
@@ -348,11 +348,23 @@
John Eckersberg 654b87
John Eckersberg 654b87 
       </item>
John Eckersberg 654b87
John Eckersberg 654b87 
+      <tag>{padding_check, boolean()}</tag>
John Eckersberg 654b87 
+      <item>
John Eckersberg 654b87 
+	
 This option only affects TLS-1.0 connections.
John Eckersberg 654b87 
+	If set to false it disables the block cipher padding check
John Eckersberg 654b87 
+	to be able to interoperate with legacy software.
John Eckersberg 654b87 
+
John Eckersberg 654b87 
+
John Eckersberg 654b87 
+	<warning>
 Using this option makes TLS vulnerable to
John Eckersberg 654b87 
+	the Poodle attack
</warning>
John Eckersberg 654b87 
+
John Eckersberg 654b87 
+      </item>
John Eckersberg 654b87 
+
John Eckersberg 654b87 
     </taglist>
John Eckersberg 654b87 
-
John Eckersberg 654b87 
+
John Eckersberg 654b87 
   </section>
John Eckersberg 654b87 
-
John Eckersberg 654b87 
-   <section>
John Eckersberg 654b87 
+
John Eckersberg 654b87 
+  <section>
John Eckersberg 654b87 
     <title>SSL OPTION DESCRIPTIONS - CLIENT SIDE</title>
John Eckersberg 654b87
John Eckersberg 654b87 
     
Options described here are client specific or has a slightly different
John Eckersberg 654b87 
diff -Naur otp-OTP-17.4.orig/lib/ssl/src/dtls_record.erl otp-OTP-17.4/lib/ssl/src/dtls_record.erl
John Eckersberg 654b87 
--- otp-OTP-17.4.orig/lib/ssl/src/dtls_record.erl	2015-08-05 16:52:39.989500508 -0400
John Eckersberg 654b87 
+++ otp-OTP-17.4/lib/ssl/src/dtls_record.erl	2015-08-05 16:52:50.478441422 -0400
John Eckersberg 654b87 
@@ -1,7 +1,7 @@
John Eckersberg 654b87 
 %%
John Eckersberg 654b87 
 %% %CopyrightBegin%
John Eckersberg 654b87 
 %%
John Eckersberg 654b87 
-%% Copyright Ericsson AB 2013-2014. All Rights Reserved.
John Eckersberg 654b87 
+%% Copyright Ericsson AB 2013-2015. All Rights Reserved.
John Eckersberg 654b87 
 %%
John Eckersberg 654b87 
 %% The contents of this file are subject to the Erlang Public License,
John Eckersberg 654b87 
 %% Version 1.1, (the "License"); you may not use this file except in
John Eckersberg 654b87 
@@ -146,7 +146,7 @@
John Eckersberg 654b87 
 		   = ConnnectionStates0) ->
John Eckersberg 654b87 
     CompressAlg = SecParams#security_parameters.compression_algorithm,
John Eckersberg 654b87 
     {PlainFragment, Mac, ReadState1} = ssl_record:decipher(dtls_v1:corresponding_tls_version(Version),
John Eckersberg 654b87 
-							   CipherFragment, ReadState0),
John Eckersberg 654b87 
+							   CipherFragment, ReadState0, true),
John Eckersberg 654b87 
     MacHash = calc_mac_hash(ReadState1, Type, Version, Epoch, Seq, PlainFragment),
John Eckersberg 654b87 
     case ssl_record:is_correct_mac(Mac, MacHash) of
John Eckersberg 654b87 
 	true ->
John Eckersberg 654b87 
diff -Naur otp-OTP-17.4.orig/lib/ssl/src/ssl_cipher.erl otp-OTP-17.4/lib/ssl/src/ssl_cipher.erl
John Eckersberg 654b87 
--- otp-OTP-17.4.orig/lib/ssl/src/ssl_cipher.erl	2015-08-05 16:52:39.989500508 -0400
John Eckersberg 654b87 
+++ otp-OTP-17.4/lib/ssl/src/ssl_cipher.erl	2015-08-05 16:52:50.479441417 -0400
John Eckersberg 654b87 
@@ -1,7 +1,7 @@
John Eckersberg 654b87 
 %%
John Eckersberg 654b87 
 %% %CopyrightBegin%
John Eckersberg 654b87 
 %%
John Eckersberg 654b87 
-%% Copyright Ericsson AB 2007-2014. All Rights Reserved.
John Eckersberg 654b87 
+%% Copyright Ericsson AB 2007-2015. All Rights Reserved.
John Eckersberg 654b87 
 %%
John Eckersberg 654b87 
 %% The contents of this file are subject to the Erlang Public License,
John Eckersberg 654b87 
 %% Version 1.1, (the "License"); you may not use this file except in
John Eckersberg 654b87 
@@ -33,8 +33,7 @@
John Eckersberg 654b87 
 -include_lib("public_key/include/public_key.hrl").
John Eckersberg 654b87
John Eckersberg 654b87 
 -export([security_parameters/2, security_parameters/3, suite_definition/1,
John Eckersberg 654b87 
-	 decipher/5, cipher/5,
John Eckersberg 654b87 
-	 suite/1, suites/1, all_suites/1,
John Eckersberg 654b87 
+	 decipher/6, cipher/5, suite/1, suites/1, all_suites/1,
John Eckersberg 654b87 
 	 ec_keyed_suites/0, anonymous_suites/0, psk_suites/1, srp_suites/0,
John Eckersberg 654b87 
 	 openssl_suite/1, openssl_suite_name/1, filter/2, filter_suites/1,
John Eckersberg 654b87 
 	 hash_algorithm/1, sign_algorithm/1, is_acceptable_hash/2]).
John Eckersberg 654b87 
@@ -143,17 +142,18 @@
John Eckersberg 654b87 
     {T, CS0#cipher_state{iv=NextIV}}.
John Eckersberg 654b87
John Eckersberg 654b87 
 %%--------------------------------------------------------------------
John Eckersberg 654b87 
--spec decipher(cipher_enum(), integer(), #cipher_state{}, binary(), ssl_record:ssl_version()) ->
John Eckersberg 654b87 
+-spec decipher(cipher_enum(), integer(), #cipher_state{}, binary(),
John Eckersberg 654b87 
+	       ssl_record:ssl_version(), boolean()) ->
John Eckersberg 654b87 
 		      {binary(), binary(), #cipher_state{}} | #alert{}.
John Eckersberg 654b87 
 %%
John Eckersberg 654b87 
 %% Description: Decrypts the data and the MAC using cipher described
John Eckersberg 654b87 
 %% by cipher_enum() and updating the cipher state.
John Eckersberg 654b87 
 %%-------------------------------------------------------------------
John Eckersberg 654b87 
-decipher(?NULL, _HashSz, CipherState, Fragment, _) ->
John Eckersberg 654b87 
+decipher(?NULL, _HashSz, CipherState, Fragment, _, _) ->
John Eckersberg 654b87 
     {Fragment, <<>>, CipherState};
John Eckersberg 654b87 
-decipher(?RC4, HashSz, CipherState, Fragment, _) ->
John Eckersberg 654b87 
+decipher(?RC4, HashSz, CipherState, Fragment, _, _) ->
John Eckersberg 654b87 
     State0 = case CipherState#cipher_state.state of
John Eckersberg 654b87 
-                 undefined -> crypto:stream_init(rc4, CipherState#cipher_state.key);
John Eckersberg 654b87 
+		 undefined -> crypto:stream_init(rc4, CipherState#cipher_state.key);
John Eckersberg 654b87 
                  S -> S
John Eckersberg 654b87 
              end,
John Eckersberg 654b87 
     try crypto:stream_decrypt(State0, Fragment) of
John Eckersberg 654b87 
@@ -171,23 +171,23 @@
John Eckersberg 654b87 
 	    ?ALERT_REC(?FATAL, ?BAD_RECORD_MAC)
John Eckersberg 654b87 
     end;
John Eckersberg 654b87
John Eckersberg 654b87 
-decipher(?DES, HashSz, CipherState, Fragment, Version) ->
John Eckersberg 654b87 
+decipher(?DES, HashSz, CipherState, Fragment, Version, PaddingCheck) ->
John Eckersberg 654b87 
     block_decipher(fun(Key, IV, T) ->
John Eckersberg 654b87 
 			   crypto:block_decrypt(des_cbc, Key, IV, T)
John Eckersberg 654b87 
-		   end, CipherState, HashSz, Fragment, Version);
John Eckersberg 654b87 
-decipher(?'3DES', HashSz, CipherState, Fragment, Version) ->
John Eckersberg 654b87 
+		   end, CipherState, HashSz, Fragment, Version, PaddingCheck);
John Eckersberg 654b87 
+decipher(?'3DES', HashSz, CipherState, Fragment, Version, PaddingCheck) ->
John Eckersberg 654b87 
     block_decipher(fun(<<K1:8/binary, K2:8/binary, K3:8/binary>>, IV, T) ->
John Eckersberg 654b87 
 			   crypto:block_decrypt(des3_cbc, [K1, K2, K3], IV, T)
John Eckersberg 654b87 
-		   end, CipherState, HashSz, Fragment, Version);
John Eckersberg 654b87 
-decipher(?AES, HashSz, CipherState, Fragment, Version) ->
John Eckersberg 654b87 
+		   end, CipherState, HashSz, Fragment, Version, PaddingCheck);
John Eckersberg 654b87 
+decipher(?AES, HashSz, CipherState, Fragment, Version, PaddingCheck) ->
John Eckersberg 654b87 
     block_decipher(fun(Key, IV, T) when byte_size(Key) =:= 16 ->
John Eckersberg 654b87 
 			   crypto:block_decrypt(aes_cbc128, Key, IV, T);
John Eckersberg 654b87 
 		      (Key, IV, T) when byte_size(Key) =:= 32 ->
John Eckersberg 654b87 
 			   crypto:block_decrypt(aes_cbc256, Key, IV, T)
John Eckersberg 654b87 
-		   end, CipherState, HashSz, Fragment, Version).
John Eckersberg 654b87 
+		   end, CipherState, HashSz, Fragment, Version, PaddingCheck).
John Eckersberg 654b87
John Eckersberg 654b87 
 block_decipher(Fun, #cipher_state{key=Key, iv=IV} = CipherState0,
John Eckersberg 654b87 
-	       HashSz, Fragment, Version) ->
John Eckersberg 654b87 
+	       HashSz, Fragment, Version, PaddingCheck) ->
John Eckersberg 654b87 
     try
John Eckersberg 654b87 
 	Text = Fun(Key, IV, Fragment),
John Eckersberg 654b87 
 	NextIV = next_iv(Fragment, IV),
John Eckersberg 654b87 
@@ -195,7 +195,7 @@
John Eckersberg 654b87 
 	Content = GBC#generic_block_cipher.content,
John Eckersberg 654b87 
 	Mac = GBC#generic_block_cipher.mac,
John Eckersberg 654b87 
 	CipherState1 = CipherState0#cipher_state{iv=GBC#generic_block_cipher.next_iv},
John Eckersberg 654b87 
-	case is_correct_padding(GBC, Version) of
John Eckersberg 654b87 
+	case is_correct_padding(GBC, Version, PaddingCheck) of
John Eckersberg 654b87 
 	    true ->
John Eckersberg 654b87 
 		{Content, Mac, CipherState1};
John Eckersberg 654b87 
 	    false ->
John Eckersberg 654b87 
@@ -1288,16 +1288,18 @@
John Eckersberg 654b87 
     #generic_stream_cipher{content=Content,
John Eckersberg 654b87 
 			   mac=Mac}.
John Eckersberg 654b87
John Eckersberg 654b87 
-%% For interoperability reasons we do not check the padding content in
John Eckersberg 654b87 
-%% SSL 3.0 and TLS 1.0 as it is not strictly required and breaks
John Eckersberg 654b87 
-%% interopability with for instance Google.
John Eckersberg 654b87 
 is_correct_padding(#generic_block_cipher{padding_length = Len,
John Eckersberg 654b87 
-					 padding = Padding}, {3, N})
John Eckersberg 654b87 
-  when N == 0; N == 1 ->
John Eckersberg 654b87 
-    Len == byte_size(Padding);
John Eckersberg 654b87 
-%% Padding must be check in TLS 1.1 and after
John Eckersberg 654b87 
+					 padding = Padding}, {3, 0}, _) ->
John Eckersberg 654b87 
+    Len == byte_size(Padding); %% Only length check is done in SSL 3.0 spec
John Eckersberg 654b87 
+%% For interoperability reasons it is possible to disable
John Eckersberg 654b87 
+%% the padding check when using TLS 1.0, as it is not strictly required
John Eckersberg 654b87 
+%% in the spec (only recommended), howerver this makes TLS 1.0 vunrable to the Poodle attack
John Eckersberg 654b87 
+%% so by default this clause will not match
John Eckersberg 654b87 
+is_correct_padding(GenBlockCipher, {3, 1}, false) ->
John Eckersberg 654b87 
+    is_correct_padding(GenBlockCipher, {3, 0}, false);
John Eckersberg 654b87 
+%% Padding must be checked in TLS 1.1 and after
John Eckersberg 654b87 
 is_correct_padding(#generic_block_cipher{padding_length = Len,
John Eckersberg 654b87 
-					 padding = Padding}, _) ->
John Eckersberg 654b87 
+					 padding = Padding}, _, _) ->
John Eckersberg 654b87 
     Len == byte_size(Padding) andalso
John Eckersberg 654b87 
 		list_to_binary(lists:duplicate(Len, Len)) == Padding.
John Eckersberg 654b87
John Eckersberg 654b87 
diff -Naur otp-OTP-17.4.orig/lib/ssl/src/ssl.erl otp-OTP-17.4/lib/ssl/src/ssl.erl
John Eckersberg 654b87 
--- otp-OTP-17.4.orig/lib/ssl/src/ssl.erl	2015-08-05 16:52:39.989500508 -0400
John Eckersberg 654b87 
+++ otp-OTP-17.4/lib/ssl/src/ssl.erl	2015-08-05 16:52:50.479441417 -0400
John Eckersberg 654b87 
@@ -1,7 +1,7 @@
John Eckersberg 654b87 
 %%
John Eckersberg 654b87 
 %% %CopyrightBegin%
John Eckersberg 654b87 
 %%
John Eckersberg 654b87 
-%% Copyright Ericsson AB 1999-2014. All Rights Reserved.
John Eckersberg 654b87 
+%% Copyright Ericsson AB 1999-2015. All Rights Reserved.
John Eckersberg 654b87 
 %%
John Eckersberg 654b87 
 %% The contents of this file are subject to the Erlang Public License,
John Eckersberg 654b87 
 %% Version 1.1, (the "License"); you may not use this file except in
John Eckersberg 654b87 
@@ -656,7 +656,8 @@
John Eckersberg 654b87 
 		    log_alert = handle_option(log_alert, Opts, true),
John Eckersberg 654b87 
 		    server_name_indication = handle_option(server_name_indication, Opts, undefined),
John Eckersberg 654b87 
 		    honor_cipher_order = handle_option(honor_cipher_order, Opts, false),
John Eckersberg 654b87 
-		    protocol = proplists:get_value(protocol, Opts, tls)
John Eckersberg 654b87 
+		    protocol = proplists:get_value(protocol, Opts, tls),
John Eckersberg 654b87 
+		    padding_check =  proplists:get_value(padding_check, Opts, true)
John Eckersberg 654b87 
 		   },
John Eckersberg 654b87
John Eckersberg 654b87 
     CbInfo  = proplists:get_value(cb_info, Opts, {gen_tcp, tcp, tcp_closed, tcp_error}),
John Eckersberg 654b87 
@@ -669,7 +670,7 @@
John Eckersberg 654b87 
 		  cb_info, renegotiate_at, secure_renegotiate, hibernate_after,
John Eckersberg 654b87 
 		  erl_dist, next_protocols_advertised,
John Eckersberg 654b87 
 		  client_preferred_next_protocols, log_alert,
John Eckersberg 654b87 
-		  server_name_indication, honor_cipher_order],
John Eckersberg 654b87 
+		  server_name_indication, honor_cipher_order, padding_check],
John Eckersberg 654b87
John Eckersberg 654b87 
     SockOpts = lists:foldl(fun(Key, PropList) ->
John Eckersberg 654b87 
 				   proplists:delete(Key, PropList)
John Eckersberg 654b87 
@@ -847,6 +848,8 @@
John Eckersberg 654b87 
     undefined;
John Eckersberg 654b87 
 validate_option(honor_cipher_order, Value) when is_boolean(Value) ->
John Eckersberg 654b87 
     Value;
John Eckersberg 654b87 
+validate_option(padding_check, Value) when is_boolean(Value) ->
John Eckersberg 654b87 
+    Value;
John Eckersberg 654b87 
 validate_option(Opt, Value) ->
John Eckersberg 654b87 
     throw({error, {options, {Opt, Value}}}).
John Eckersberg 654b87
John Eckersberg 654b87 
diff -Naur otp-OTP-17.4.orig/lib/ssl/src/ssl_internal.hrl otp-OTP-17.4/lib/ssl/src/ssl_internal.hrl
John Eckersberg 654b87 
--- otp-OTP-17.4.orig/lib/ssl/src/ssl_internal.hrl	2015-08-05 16:52:39.990500503 -0400
John Eckersberg 654b87 
+++ otp-OTP-17.4/lib/ssl/src/ssl_internal.hrl	2015-08-05 16:52:50.479441417 -0400
John Eckersberg 654b87 
@@ -1,7 +1,7 @@
John Eckersberg 654b87 
 %%
John Eckersberg 654b87 
 %% %CopyrightBegin%
John Eckersberg 654b87 
 %%
John Eckersberg 654b87 
-%% Copyright Ericsson AB 2007-2014. All Rights Reserved.
John Eckersberg 654b87 
+%% Copyright Ericsson AB 2007-2015. All Rights Reserved.
John Eckersberg 654b87 
 %%
John Eckersberg 654b87 
 %% The contents of this file are subject to the Erlang Public License,
John Eckersberg 654b87 
 %% Version 1.1, (the "License"); you may not use this file except in
John Eckersberg 654b87 
@@ -117,7 +117,8 @@
John Eckersberg 654b87 
 	  server_name_indication = undefined,
John Eckersberg 654b87 
 	  %% Should the server prefer its own cipher order over the one provided by
John Eckersberg 654b87 
 	  %% the client?
John Eckersberg 654b87 
-	  honor_cipher_order = false
John Eckersberg 654b87 
+	  honor_cipher_order = false,
John Eckersberg 654b87 
+	  padding_check = true
John Eckersberg 654b87 
 	  }).
John Eckersberg 654b87
John Eckersberg 654b87 
 -record(socket_options,
John Eckersberg 654b87 
diff -Naur otp-OTP-17.4.orig/lib/ssl/src/ssl_record.erl otp-OTP-17.4/lib/ssl/src/ssl_record.erl
John Eckersberg 654b87 
--- otp-OTP-17.4.orig/lib/ssl/src/ssl_record.erl	2015-08-05 16:52:39.989500508 -0400
John Eckersberg 654b87 
+++ otp-OTP-17.4/lib/ssl/src/ssl_record.erl	2015-08-05 16:52:50.479441417 -0400
John Eckersberg 654b87 
@@ -1,7 +1,7 @@
John Eckersberg 654b87 
 %%
John Eckersberg 654b87 
 %% %CopyrightBegin%
John Eckersberg 654b87 
 %%
John Eckersberg 654b87 
-%% Copyright Ericsson AB 2013-2014. All Rights Reserved.
John Eckersberg 654b87 
+%% Copyright Ericsson AB 2013-2015. All Rights Reserved.
John Eckersberg 654b87 
 %%
John Eckersberg 654b87 
 %% The contents of this file are subject to the Erlang Public License,
John Eckersberg 654b87 
 %% Version 1.1, (the "License"); you may not use this file except in
John Eckersberg 654b87 
@@ -48,7 +48,7 @@
John Eckersberg 654b87 
 -export([compress/3, uncompress/3, compressions/0]).
John Eckersberg 654b87
John Eckersberg 654b87 
 %% Payload encryption/decryption
John Eckersberg 654b87 
--export([cipher/4, decipher/3, is_correct_mac/2]).
John Eckersberg 654b87 
+-export([cipher/4, decipher/4, is_correct_mac/2]).
John Eckersberg 654b87
John Eckersberg 654b87 
 -export_type([ssl_version/0, ssl_atom_version/0]).
John Eckersberg 654b87
John Eckersberg 654b87 
@@ -376,8 +376,9 @@
John Eckersberg 654b87 
     {CipherFragment, CipherS1} =
John Eckersberg 654b87 
 	ssl_cipher:cipher(BulkCipherAlgo, CipherS0, MacHash, Fragment, Version),
John Eckersberg 654b87 
     {CipherFragment,  WriteState0#connection_state{cipher_state = CipherS1}}.
John Eckersberg 654b87 
+
John Eckersberg 654b87 
 %%--------------------------------------------------------------------
John Eckersberg 654b87 
--spec decipher(ssl_version(), binary(), #connection_state{}) -> {binary(), binary(), #connection_state{}} | #alert{}.
John Eckersberg 654b87 
+-spec decipher(ssl_version(), binary(), #connection_state{}, boolean()) -> {binary(), binary(), #connection_state{}} | #alert{}.
John Eckersberg 654b87 
 %%
John Eckersberg 654b87 
 %% Description: Payload decryption
John Eckersberg 654b87 
 %%--------------------------------------------------------------------
John Eckersberg 654b87 
@@ -387,8 +388,8 @@
John Eckersberg 654b87 
 							BulkCipherAlgo,
John Eckersberg 654b87 
 						    hash_size = HashSz},
John Eckersberg 654b87 
 			   cipher_state = CipherS0
John Eckersberg 654b87 
-			  } = ReadState) ->
John Eckersberg 654b87 
-    case ssl_cipher:decipher(BulkCipherAlgo, HashSz, CipherS0, CipherFragment, Version) of
John Eckersberg 654b87 
+			  } = ReadState, PaddingCheck) ->
John Eckersberg 654b87 
+    case ssl_cipher:decipher(BulkCipherAlgo, HashSz, CipherS0, CipherFragment, Version, PaddingCheck) of
John Eckersberg 654b87 
 	{PlainFragment, Mac, CipherS1} ->
John Eckersberg 654b87 
 	    CS1 = ReadState#connection_state{cipher_state = CipherS1},
John Eckersberg 654b87 
 	    {PlainFragment, Mac, CS1};
John Eckersberg 654b87 
diff -Naur otp-OTP-17.4.orig/lib/ssl/src/tls_connection.erl otp-OTP-17.4/lib/ssl/src/tls_connection.erl
John Eckersberg 654b87 
--- otp-OTP-17.4.orig/lib/ssl/src/tls_connection.erl	2015-08-05 16:52:39.990500503 -0400
John Eckersberg 654b87 
+++ otp-OTP-17.4/lib/ssl/src/tls_connection.erl	2015-08-05 16:52:50.479441417 -0400
John Eckersberg 654b87 
@@ -1,7 +1,7 @@
John Eckersberg 654b87 
 %%
John Eckersberg 654b87 
 %% %CopyrightBegin%
John Eckersberg 654b87 
 %%
John Eckersberg 654b87 
-%% Copyright Ericsson AB 2007-2014. All Rights Reserved.
John Eckersberg 654b87 
+%% Copyright Ericsson AB 2007-2015. All Rights Reserved.
John Eckersberg 654b87 
 %%
John Eckersberg 654b87 
 %% The contents of this file are subject to the Erlang Public License,
John Eckersberg 654b87 
 %% Version 1.1, (the "License"); you may not use this file except in
John Eckersberg 654b87 
@@ -482,8 +482,9 @@
John Eckersberg 654b87 
 next_record(#state{protocol_buffers =
John Eckersberg 654b87 
 		       #protocol_buffers{tls_packets = [], tls_cipher_texts = [CT | Rest]}
John Eckersberg 654b87 
 		   = Buffers,
John Eckersberg 654b87 
-		   connection_states = ConnStates0} = State) ->
John Eckersberg 654b87 
-    case tls_record:decode_cipher_text(CT, ConnStates0) of
John Eckersberg 654b87 
+		   connection_states = ConnStates0,
John Eckersberg 654b87 
+		   ssl_options = #ssl_options{padding_check = Check}} = State) ->
John Eckersberg 654b87 
+    case tls_record:decode_cipher_text(CT, ConnStates0, Check) of
John Eckersberg 654b87 
 	{Plain, ConnStates} ->
John Eckersberg 654b87 
 	    {Plain, State#state{protocol_buffers =
John Eckersberg 654b87 
 				    Buffers#protocol_buffers{tls_cipher_texts = Rest},
John Eckersberg 654b87 
diff -Naur otp-OTP-17.4.orig/lib/ssl/src/tls_record.erl otp-OTP-17.4/lib/ssl/src/tls_record.erl
John Eckersberg 654b87 
--- otp-OTP-17.4.orig/lib/ssl/src/tls_record.erl	2015-08-05 16:52:39.990500503 -0400
John Eckersberg 654b87 
+++ otp-OTP-17.4/lib/ssl/src/tls_record.erl	2015-08-05 16:52:50.480441411 -0400
John Eckersberg 654b87 
@@ -1,7 +1,7 @@
John Eckersberg 654b87 
 %%
John Eckersberg 654b87 
 %% %CopyrightBegin%
John Eckersberg 654b87 
 %%
John Eckersberg 654b87 
-%% Copyright Ericsson AB 2007-2014. All Rights Reserved.
John Eckersberg 654b87 
+%% Copyright Ericsson AB 2007-2015. All Rights Reserved.
John Eckersberg 654b87 
 %%
John Eckersberg 654b87 
 %% The contents of this file are subject to the Erlang Public License,
John Eckersberg 654b87 
 %% Version 1.1, (the "License"); you may not use this file except in
John Eckersberg 654b87 
@@ -34,7 +34,7 @@
John Eckersberg 654b87 
 -export([get_tls_records/2]).
John Eckersberg 654b87
John Eckersberg 654b87 
 %% Decoding
John Eckersberg 654b87 
--export([decode_cipher_text/2]).
John Eckersberg 654b87 
+-export([decode_cipher_text/3]).
John Eckersberg 654b87
John Eckersberg 654b87 
 %% Encoding
John Eckersberg 654b87 
 -export([encode_plain_text/4]).
John Eckersberg 654b87 
@@ -142,19 +142,21 @@
John Eckersberg 654b87 
     {CipherText, ConnectionStates#connection_states{current_write = WriteState#connection_state{sequence_number = Seq +1}}}.
John Eckersberg 654b87
John Eckersberg 654b87 
 %%--------------------------------------------------------------------
John Eckersberg 654b87 
--spec decode_cipher_text(#ssl_tls{}, #connection_states{}) ->
John Eckersberg 654b87 
+-spec decode_cipher_text(#ssl_tls{}, #connection_states{}, boolean()) ->
John Eckersberg 654b87 
 				{#ssl_tls{}, #connection_states{}}| #alert{}.
John Eckersberg 654b87 
 %%
John Eckersberg 654b87 
 %% Description: Decode cipher text
John Eckersberg 654b87 
 %%--------------------------------------------------------------------
John Eckersberg 654b87 
 decode_cipher_text(#ssl_tls{type = Type, version = Version,
John Eckersberg 654b87 
-			    fragment = CipherFragment} = CipherText, ConnnectionStates0) ->
John Eckersberg 654b87 
-    ReadState0 = ConnnectionStates0#connection_states.current_read,
John Eckersberg 654b87 
-    #connection_state{compression_state = CompressionS0,
John Eckersberg 654b87 
-		      sequence_number = Seq,
John Eckersberg 654b87 
-		      security_parameters = SecParams} = ReadState0,
John Eckersberg 654b87 
-    CompressAlg = SecParams#security_parameters.compression_algorithm,
John Eckersberg 654b87 
-    case ssl_record:decipher(Version, CipherFragment, ReadState0) of
John Eckersberg 654b87 
+			    fragment = CipherFragment} = CipherText,
John Eckersberg 654b87 
+		   #connection_states{current_read =
John Eckersberg 654b87 
+					  #connection_state{
John Eckersberg 654b87 
+					     compression_state = CompressionS0,
John Eckersberg 654b87 
+					     sequence_number = Seq,
John Eckersberg 654b87 
+					     security_parameters=
John Eckersberg 654b87 
+						 #security_parameters{compression_algorithm = CompressAlg}
John Eckersberg 654b87 
+					    } = ReadState0} = ConnnectionStates0, PaddingCheck) ->
John Eckersberg 654b87 
+    case ssl_record:decipher(Version, CipherFragment, ReadState0, PaddingCheck) of
John Eckersberg 654b87 
 	{PlainFragment, Mac, ReadState1} ->
John Eckersberg 654b87 
 	    MacHash = calc_mac_hash(Type, Version, PlainFragment, ReadState1),
John Eckersberg 654b87 
 	    case ssl_record:is_correct_mac(Mac, MacHash) of
John Eckersberg 654b87 
diff -Naur otp-OTP-17.4.orig/lib/ssl/test/ssl_cipher_SUITE.erl otp-OTP-17.4/lib/ssl/test/ssl_cipher_SUITE.erl
John Eckersberg 654b87 
--- otp-OTP-17.4.orig/lib/ssl/test/ssl_cipher_SUITE.erl	2015-08-05 16:52:39.990500503 -0400
John Eckersberg 654b87 
+++ otp-OTP-17.4/lib/ssl/test/ssl_cipher_SUITE.erl	2015-08-05 16:52:50.480441411 -0400
John Eckersberg 654b87 
@@ -1,7 +1,7 @@
John Eckersberg 654b87 
 %%
John Eckersberg 654b87 
 %% %CopyrightBegin%
John Eckersberg 654b87 
 %%
John Eckersberg 654b87 
-%% Copyright Ericsson AB 2008-2013. All Rights Reserved.
John Eckersberg 654b87 
+%% Copyright Ericsson AB 2008-2015. All Rights Reserved.
John Eckersberg 654b87 
 %%
John Eckersberg 654b87 
 %% The contents of this file are subject to the Erlang Public License,
John Eckersberg 654b87 
 %% Version 1.1, (the "License"); you may not use this file except in
John Eckersberg 654b87 
@@ -38,7 +38,7 @@
John Eckersberg 654b87 
 suite() -> [{ct_hooks,[ts_install_cth]}].
John Eckersberg 654b87
John Eckersberg 654b87 
 all() ->
John Eckersberg 654b87 
-    [aes_decipher_good, aes_decipher_good_tls11, aes_decipher_fail, aes_decipher_fail_tls11].
John Eckersberg 654b87 
+    [aes_decipher_good, aes_decipher_fail, padding_test].
John Eckersberg 654b87
John Eckersberg 654b87 
 groups() ->
John Eckersberg 654b87 
     [].
John Eckersberg 654b87 
@@ -73,93 +73,123 @@
John Eckersberg 654b87 
 %% Test Cases --------------------------------------------------------
John Eckersberg 654b87 
 %%--------------------------------------------------------------------
John Eckersberg 654b87 
 aes_decipher_good() ->
John Eckersberg 654b87 
-    [{doc,"Decipher a known cryptotext."}].
John Eckersberg 654b87 
+    [{doc,"Decipher a known cryptotext using a correct key"}].
John Eckersberg 654b87
John Eckersberg 654b87 
 aes_decipher_good(Config) when is_list(Config) ->
John Eckersberg 654b87 
     HashSz = 32,
John Eckersberg 654b87 
-    CipherState = #cipher_state{iv = <<59,201,85,117,188,206,224,136,5,109,46,70,104,79,4,9>>,
John Eckersberg 654b87 
-				key = <<72,196,247,97,62,213,222,109,210,204,217,186,172,184,197,148>>},
John Eckersberg 654b87 
-    Fragment = <<220,193,179,139,171,33,143,245,202,47,123,251,13,232,114,8,
John Eckersberg 654b87 
-		 190,162,74,31,186,227,119,155,94,74,119,79,169,193,240,160,
John Eckersberg 654b87 
-		 198,181,81,19,98,162,213,228,74,224,253,168,156,59,195,122,
John Eckersberg 654b87 
-		 108,101,107,242,20,15,169,150,163,107,101,94,93,104,241,165>>,
John Eckersberg 654b87 
-    Content = <<183,139,16,132,10,209,67,86,168,100,61,217,145,57,36,56, "HELLO\n">>,
John Eckersberg 654b87 
-    Mac = <<71,136,212,107,223,200,70,232,127,116,148,205,232,35,158,113,237,174,15,217,192,168,35,8,6,107,107,233,25,174,90,111>>,
John Eckersberg 654b87 
-    Version = {3,0},
John Eckersberg 654b87 
-    {Content, Mac, _} = ssl_cipher:decipher(?AES, HashSz, CipherState, Fragment, Version),
John Eckersberg 654b87 
-    Version1 = {3,1},
John Eckersberg 654b87 
-    {Content, Mac, _} = ssl_cipher:decipher(?AES, HashSz, CipherState, Fragment, Version1),
John Eckersberg 654b87 
-    ok.
John Eckersberg 654b87 
-
John Eckersberg 654b87 
-%%--------------------------------------------------------------------
John Eckersberg 654b87 
-
John Eckersberg 654b87 
-aes_decipher_good_tls11() ->
John Eckersberg 654b87 
-    [{doc,"Decipher a known TLS 1.1 cryptotext."}].
John Eckersberg 654b87 
-
John Eckersberg 654b87 
-%% the fragment is actuall a TLS 1.1 record, with
John Eckersberg 654b87 
-%% Version = TLS 1.1, we get the correct NextIV in #cipher_state
John Eckersberg 654b87 
-aes_decipher_good_tls11(Config) when is_list(Config) ->
John Eckersberg 654b87 
-    HashSz = 32,
John Eckersberg 654b87 
-    CipherState = #cipher_state{iv = <<59,201,85,117,188,206,224,136,5,109,46,70,104,79,4,9>>,
John Eckersberg 654b87 
-				key = <<72,196,247,97,62,213,222,109,210,204,217,186,172,184,197,148>>},
John Eckersberg 654b87 
-    Fragment = <<220,193,179,139,171,33,143,245,202,47,123,251,13,232,114,8,
John Eckersberg 654b87 
-		 190,162,74,31,186,227,119,155,94,74,119,79,169,193,240,160,
John Eckersberg 654b87 
-		 198,181,81,19,98,162,213,228,74,224,253,168,156,59,195,122,
John Eckersberg 654b87 
-		 108,101,107,242,20,15,169,150,163,107,101,94,93,104,241,165>>,
John Eckersberg 654b87 
-    Content = <<"HELLO\n">>,
John Eckersberg 654b87 
-    NextIV = <<183,139,16,132,10,209,67,86,168,100,61,217,145,57,36,56>>,
John Eckersberg 654b87 
-    Mac = <<71,136,212,107,223,200,70,232,127,116,148,205,232,35,158,113,237,174,15,217,192,168,35,8,6,107,107,233,25,174,90,111>>,
John Eckersberg 654b87 
-    Version = {3,2},
John Eckersberg 654b87 
-    {Content, Mac, #cipher_state{iv = NextIV}} = ssl_cipher:decipher(?AES, HashSz, CipherState, Fragment, Version),
John Eckersberg 654b87 
-    Version1 = {3,2},
John Eckersberg 654b87 
-    {Content, Mac, #cipher_state{iv = NextIV}} = ssl_cipher:decipher(?AES, HashSz, CipherState, Fragment, Version1),
John Eckersberg 654b87 
-    ok.
John Eckersberg 654b87 
+    CipherState = correct_cipher_state(),
John Eckersberg 654b87 
+    decipher_check_good(HashSz, CipherState, {3,0}),
John Eckersberg 654b87 
+    decipher_check_good(HashSz, CipherState, {3,1}),
John Eckersberg 654b87 
+    decipher_check_good(HashSz, CipherState, {3,2}),
John Eckersberg 654b87 
+    decipher_check_good(HashSz, CipherState, {3,3}).
John Eckersberg 654b87
John Eckersberg 654b87 
 %%--------------------------------------------------------------------
John Eckersberg 654b87
John Eckersberg 654b87 
 aes_decipher_fail() ->
John Eckersberg 654b87 
-    [{doc,"Decipher a known cryptotext."}].
John Eckersberg 654b87 
+    [{doc,"Decipher a known cryptotext using a incorrect key"}].
John Eckersberg 654b87
John Eckersberg 654b87 
-%% same as above, last byte of key replaced
John Eckersberg 654b87 
 aes_decipher_fail(Config) when is_list(Config) ->
John Eckersberg 654b87 
     HashSz = 32,
John Eckersberg 654b87 
-    CipherState = #cipher_state{iv = <<59,201,85,117,188,206,224,136,5,109,46,70,104,79,4,9>>,
John Eckersberg 654b87 
-				key = <<72,196,247,97,62,213,222,109,210,204,217,186,172,184,197,254>>},
John Eckersberg 654b87 
-    Fragment = <<220,193,179,139,171,33,143,245,202,47,123,251,13,232,114,8,
John Eckersberg 654b87 
-		 190,162,74,31,186,227,119,155,94,74,119,79,169,193,240,160,
John Eckersberg 654b87 
-		 198,181,81,19,98,162,213,228,74,224,253,168,156,59,195,122,
John Eckersberg 654b87 
-		 108,101,107,242,20,15,169,150,163,107,101,94,93,104,241,165>>,
John Eckersberg 654b87 
-    Version = {3,0},
John Eckersberg 654b87 
-    {Content, Mac, _} = ssl_cipher:decipher(?AES, HashSz, CipherState, Fragment, Version),
John Eckersberg 654b87 
-    32 = byte_size(Content),
John Eckersberg 654b87 
-    32 = byte_size(Mac),
John Eckersberg 654b87 
-    Version1 = {3,1},
John Eckersberg 654b87 
-    {Content1, Mac1, _} = ssl_cipher:decipher(?AES, HashSz, CipherState, Fragment, Version1),
John Eckersberg 654b87 
-    32 = byte_size(Content1),
John Eckersberg 654b87 
-    32 = byte_size(Mac1),
John Eckersberg 654b87 
-    ok.
John Eckersberg 654b87
John Eckersberg 654b87 
-%%--------------------------------------------------------------------
John Eckersberg 654b87 
-
John Eckersberg 654b87 
-aes_decipher_fail_tls11() ->
John Eckersberg 654b87 
-    [{doc,"Decipher a known TLS 1.1 cryptotext."}].
John Eckersberg 654b87 
-
John Eckersberg 654b87 
-%% same as above, last byte of key replaced
John Eckersberg 654b87 
-%% stricter padding checks in TLS 1.1 mean we get an alert instead
John Eckersberg 654b87 
-aes_decipher_fail_tls11(Config) when is_list(Config) ->
John Eckersberg 654b87 
-    HashSz = 32,
John Eckersberg 654b87 
-    CipherState = #cipher_state{iv = <<59,201,85,117,188,206,224,136,5,109,46,70,104,79,4,9>>,
John Eckersberg 654b87 
-				key = <<72,196,247,97,62,213,222,109,210,204,217,186,172,184,197,254>>},
John Eckersberg 654b87 
-    Fragment = <<220,193,179,139,171,33,143,245,202,47,123,251,13,232,114,8,
John Eckersberg 654b87 
-		 190,162,74,31,186,227,119,155,94,74,119,79,169,193,240,160,
John Eckersberg 654b87 
-		 198,181,81,19,98,162,213,228,74,224,253,168,156,59,195,122,
John Eckersberg 654b87 
-		 108,101,107,242,20,15,169,150,163,107,101,94,93,104,241,165>>,
John Eckersberg 654b87 
-    Version = {3,2},
John Eckersberg 654b87 
-    #alert{level = ?FATAL, description = ?BAD_RECORD_MAC} =
John Eckersberg 654b87 
-	ssl_cipher:decipher(?AES, HashSz, CipherState, Fragment, Version),
John Eckersberg 654b87 
-    Version1 = {3,3},
John Eckersberg 654b87 
-    #alert{level = ?FATAL, description = ?BAD_RECORD_MAC} =
John Eckersberg 654b87 
-	ssl_cipher:decipher(?AES, HashSz, CipherState, Fragment, Version1),
John Eckersberg 654b87 
-    ok.
John Eckersberg 654b87 
-
John Eckersberg 654b87 
-%%--------------------------------------------------------------------
John Eckersberg 654b87 
+    CipherState = incorrect_cipher_state(),
John Eckersberg 654b87 
+    decipher_check_fail(HashSz, CipherState, {3,0}),
John Eckersberg 654b87 
+    decipher_check_fail(HashSz, CipherState, {3,1}),
John Eckersberg 654b87 
+    decipher_check_fail(HashSz, CipherState, {3,2}),
John Eckersberg 654b87 
+    decipher_check_fail(HashSz, CipherState, {3,3}).
John Eckersberg 654b87 
+
John Eckersberg 654b87 
+%%--------------------------------------------------------------------
John Eckersberg 654b87 
+padding_test(Config) when is_list(Config)  ->
John Eckersberg 654b87 
+    HashSz = 16,
John Eckersberg 654b87 
+    CipherState = correct_cipher_state(),
John Eckersberg 654b87 
+    pad_test(HashSz, CipherState, {3,0}),
John Eckersberg 654b87 
+    pad_test(HashSz, CipherState, {3,1}),
John Eckersberg 654b87 
+    pad_test(HashSz, CipherState, {3,2}),
John Eckersberg 654b87 
+    pad_test(HashSz, CipherState, {3,3}).
John Eckersberg 654b87 
+
John Eckersberg 654b87 
+%%--------------------------------------------------------------------
John Eckersberg 654b87 
+% Internal functions  --------------------------------------------------------
John Eckersberg 654b87 
+%%--------------------------------------------------------------------
John Eckersberg 654b87 
+decipher_check_good(HashSz, CipherState, Version) ->
John Eckersberg 654b87 
+    {Content, NextIV, Mac} = content_nextiv_mac(Version),
John Eckersberg 654b87 
+    {Content, Mac,  #cipher_state{iv = NextIV}} =
John Eckersberg 654b87 
+	ssl_cipher:decipher(?AES, HashSz, CipherState, aes_fragment(Version), Version, true).
John Eckersberg 654b87 
+
John Eckersberg 654b87 
+decipher_check_fail(HashSz, CipherState, Version) ->
John Eckersberg 654b87 
+    {Content, NextIV, Mac} = content_nextiv_mac(Version),
John Eckersberg 654b87 
+    true = {Content, Mac, #cipher_state{iv = NextIV}} =/=
John Eckersberg 654b87 
+	ssl_cipher:decipher(?AES, HashSz, CipherState, aes_fragment(Version), Version, true).
John Eckersberg 654b87 
+
John Eckersberg 654b87 
+pad_test(HashSz, CipherState, {3,0} = Version) ->
John Eckersberg 654b87 
+    %% 3.0 does not have padding test
John Eckersberg 654b87 
+    {Content, NextIV, Mac} = badpad_content_nextiv_mac(Version),
John Eckersberg 654b87 
+    {Content, Mac, #cipher_state{iv = NextIV}} =
John Eckersberg 654b87 
+	ssl_cipher:decipher(?AES, HashSz, CipherState, badpad_aes_fragment({3,0}), {3,0}, true),
John Eckersberg 654b87 
+    {Content, Mac, #cipher_state{iv = NextIV}} =
John Eckersberg 654b87 
+	ssl_cipher:decipher(?AES, HashSz, CipherState, badpad_aes_fragment({3,0}), {3,0}, false);
John Eckersberg 654b87 
+pad_test(HashSz, CipherState, {3,1} = Version) ->
John Eckersberg 654b87 
+    %% 3.1 should have padding test, but may be disabled
John Eckersberg 654b87 
+    {Content, NextIV, Mac} = badpad_content_nextiv_mac(Version),
John Eckersberg 654b87 
+    BadCont = badpad_content(Content),
John Eckersberg 654b87 
+    {Content, Mac, #cipher_state{iv = NextIV}} =
John Eckersberg 654b87 
+	ssl_cipher:decipher(?AES, HashSz, CipherState, badpad_aes_fragment({3,1}) , {3,1}, false),
John Eckersberg 654b87 
+    {BadCont, Mac, #cipher_state{iv = NextIV}} =
John Eckersberg 654b87 
+	ssl_cipher:decipher(?AES, HashSz, CipherState, badpad_aes_fragment({3,1}), {3,1}, true);
John Eckersberg 654b87 
+pad_test(HashSz, CipherState, Version) ->
John Eckersberg 654b87 
+    %% 3.2 and 3.3 must have padding test
John Eckersberg 654b87 
+    {Content, NextIV, Mac} = badpad_content_nextiv_mac(Version),
John Eckersberg 654b87 
+    BadCont = badpad_content(Content),
John Eckersberg 654b87 
+    {BadCont, Mac, #cipher_state{iv = NextIV}} = ssl_cipher:decipher(?AES, HashSz, CipherState,
John Eckersberg 654b87 
+									      badpad_aes_fragment(Version), Version, false),
John Eckersberg 654b87 
+    {BadCont, Mac, #cipher_state{iv = NextIV}} = ssl_cipher:decipher(?AES, HashSz, CipherState,
John Eckersberg 654b87 
+								     badpad_aes_fragment(Version), Version, true).
John Eckersberg 654b87 
+
John Eckersberg 654b87 
+aes_fragment({3,N}) when N == 0; N == 1->
John Eckersberg 654b87 
+    <<197,9,6,109,242,87,80,154,85,250,110,81,119,95,65,185,53,206,216,153,246,169,
John Eckersberg 654b87 
+      119,177,178,238,248,174,253,220,242,81,33,0,177,251,91,44,247,53,183,198,165,
John Eckersberg 654b87 
+      63,20,194,159,107>>;
John Eckersberg 654b87 
+
John Eckersberg 654b87 
+aes_fragment(_) ->
John Eckersberg 654b87 
+    <<220,193,179,139,171,33,143,245,202,47,123,251,13,232,114,8,
John Eckersberg 654b87 
+      190,162,74,31,186,227,119,155,94,74,119,79,169,193,240,160,
John Eckersberg 654b87 
+      198,181,81,19,98,162,213,228,74,224,253,168,156,59,195,122,
John Eckersberg 654b87 
+      108,101,107,242,20,15,169,150,163,107,101,94,93,104,241,165>>.
John Eckersberg 654b87 
+
John Eckersberg 654b87 
+badpad_aes_fragment({3,N})  when N == 0; N == 1 ->
John Eckersberg 654b87 
+    <<186,139,125,10,118,21,26,248,120,108,193,104,87,118,145,79,225,55,228,10,105,
John Eckersberg 654b87 
+      30,190,37,1,88,139,243,210,99,65,41>>;
John Eckersberg 654b87 
+badpad_aes_fragment(_) ->
John Eckersberg 654b87 
+    <<137,31,14,77,228,80,76,103,183,125,55,250,68,190,123,131,117,23,229,180,207,
John Eckersberg 654b87 
+      94,121,137,117,157,109,99,113,61,190,138,131,229,201,120,142,179,172,48,77,
John Eckersberg 654b87 
+      234,19,240,33,38,91,93>>.
John Eckersberg 654b87 
+
John Eckersberg 654b87 
+content_nextiv_mac({3,N})  when N == 0; N == 1 ->
John Eckersberg 654b87 
+    {<<"HELLO\n">>,
John Eckersberg 654b87 
+     <<33,0, 177,251, 91,44, 247,53, 183,198, 165,63, 20,194, 159,107>>,
John Eckersberg 654b87 
+     <<71,136,212,107,223,200,70,232,127,116,148,205,232,35,158,113,237,174,15,217,192,168,35,8,6,107,107,233,25,174,90,111>>};
John Eckersberg 654b87 
+content_nextiv_mac(_) ->
John Eckersberg 654b87 
+    {<<"HELLO\n">>,
John Eckersberg 654b87 
+     <<183,139,16,132,10,209,67,86,168,100,61,217,145,57,36,56>>,
John Eckersberg 654b87 
+     <<71,136,212,107,223,200,70,232,127,116,148,205,232,35,158,113,237,174,15,217,192,168,35,8,6,107,107,233,25,174,90,111>>}.
John Eckersberg 654b87 
+
John Eckersberg 654b87 
+badpad_content_nextiv_mac({3,N})  when N == 0; N == 1 ->
John Eckersberg 654b87 
+    {<<"HELLO\n">>,
John Eckersberg 654b87 
+     <<225,55,228,10,105,30,190,37,1,88,139,243,210,99,65,41>>,
John Eckersberg 654b87 
+      <<183,139,16,132,10,209,67,86,168,100,61,217,145,57,36,56>>
John Eckersberg 654b87 
+    };
John Eckersberg 654b87 
+badpad_content_nextiv_mac(_) ->
John Eckersberg 654b87 
+    {<<"HELLO\n">>,
John Eckersberg 654b87 
+     <<133,211,45,189,179,229,56,86,11,178,239,159,14,160,253,140>>,
John Eckersberg 654b87 
+      <<183,139,16,132,10,209,67,86,168,100,61,217,145,57,36,56>>
John Eckersberg 654b87 
+    }.
John Eckersberg 654b87 
+
John Eckersberg 654b87 
+badpad_content(Content) ->
John Eckersberg 654b87 
+    %% BadContent will fail mac test
John Eckersberg 654b87 
+    <<16#F0, Content/binary>>.
John Eckersberg 654b87 
+
John Eckersberg 654b87 
+correct_cipher_state() ->
John Eckersberg 654b87 
+    #cipher_state{iv = <<59,201,85,117,188,206,224,136,5,109,46,70,104,79,4,9>>,
John Eckersberg 654b87 
+		  key = <<72,196,247,97,62,213,222,109,210,204,217,186,172,184,197,148>>}.
John Eckersberg 654b87 
+
John Eckersberg 654b87 
+incorrect_cipher_state() ->
John Eckersberg 654b87 
+    #cipher_state{iv = <<59,201,85,117,188,206,224,136,5,109,46,70,104,79,4,9>>,
John Eckersberg 654b87 
+		  key = <<72,196,247,97,62,213,222,109,210,204,217,186,172,184,197,254>>}.

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation