ssl: Renable padding check

author: Ingela Anderton Andin <ingela@erlang.org> 2015-03-13 09:13:46 +0100
committer: Ingela Anderton Andin <ingela@erlang.org> 2015-03-13 10:51:28 +0100
commit: fbe08ea2c744b7eaf47085c0ccda2f224cc2b5ba (patch)
tree: 4899f29052ff6696eb5a4583ba75c1acfbfbf0ae
parent: 5a137003f1eb045a39c18438ecc1b22081747487 (diff)
download: erlang-fbe08ea2c744b7eaf47085c0ccda2f224cc2b5ba.tar.gz
2 files changed, 124 insertions, 162 deletions
diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
index 567690a413..81354721b7 100644
--- a/lib/ssl/src/ssl_cipher.erl
+++ b/lib/ssl/src/ssl_cipher.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2007-2012. All Rights Reserved.
+%% Copyright Ericsson AB 2007-2015. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -668,14 +668,12 @@ generic_stream_cipher_from_bin(T, HashSz) ->
     #generic_stream_cipher{content=Content,
 			   mac=Mac}.
 
-%% For interoperability reasons we do not check the padding content in
-%% SSL 3.0 and TLS 1.0 as it is not strictly required and breaks
-%% interopability with for instance Google. 
+%% SSL 3.0 has no padding check
 is_correct_padding(#generic_block_cipher{padding_length = Len,
 										 padding = Padding}, {3, N})
-  when N == 0; N == 1 ->
+  when N == 0 ->
     Len == byte_size(Padding); 
-%% Padding must be check in TLS 1.1 and after  
+%% Padding should/must be check in TLS-1.0/TLS 1.1 and after  
 is_correct_padding(#generic_block_cipher{padding_length = Len,
 										 padding = Padding}, _) ->
     Len == byte_size(Padding) andalso
diff --git a/lib/ssl/test/ssl_cipher_SUITE.erl b/lib/ssl/test/ssl_cipher_SUITE.erl
index ea1d9dc90c..b69eeee110 100644
--- a/lib/ssl/test/ssl_cipher_SUITE.erl
+++ b/lib/ssl/test/ssl_cipher_SUITE.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2008-2012. All Rights Reserved.
+%% Copyright Ericsson AB 2008-2015. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -31,16 +31,19 @@
 
 -define(TIMEOUT, 600000).
 
-%% Test server callback functions
 %%--------------------------------------------------------------------
-%% Function: init_per_suite(Config) -> Config
-%% Config - [tuple()]
-%%   A list of key/value pairs, holding the test case configuration.
-%% Description: Initialization before the whole suite
-%%
-%% Note: This function is free to add any key/value pairs to the Config
-%% variable, but should NOT alter/remove any existing entries.
+%% Common Test interface functions -----------------------------------
 %%--------------------------------------------------------------------
+
+suite() -> 
+    [].
+
+all() ->
+    [aes_decipher_good, aes_decipher_fail, padding_test].
+
+groups() ->
+    [].
+
 init_per_suite(Config) ->
     try crypto:start() of
 	ok ->
@@ -48,174 +51,135 @@ init_per_suite(Config) ->
     catch _:_  ->
 	    {skip, "Crypto did not start"}
     end.
-%%--------------------------------------------------------------------
-%% Function: end_per_suite(Config) -> _
-%% Config - [tuple()]
-%%   A list of key/value pairs, holding the test case configuration.
-%% Description: Cleanup after the whole suite
-%%--------------------------------------------------------------------
+
 end_per_suite(_Config) ->
     ssl:stop(),
     application:stop(crypto).
 
-%%--------------------------------------------------------------------
-%% Function: init_per_testcase(TestCase, Config) -> Config
-%% Case - atom()
-%%   Name of the test case that is about to be run.
-%% Config - [tuple()]
-%%   A list of key/value pairs, holding the test case configuration.
-%%
-%% Description: Initialization before each test case
-%%
-%% Note: This function is free to add any key/value pairs to the Config
-%% variable, but should NOT alter/remove any existing entries.
-%% Description: Initialization before each test case
-%%--------------------------------------------------------------------
-init_per_testcase(_TestCase, Config0) ->
-    Config = lists:keydelete(watchdog, 1, Config0),
-    Dog = ssl_test_lib:timetrap(?TIMEOUT),
-    [{watchdog, Dog} | Config].
-
-%%--------------------------------------------------------------------
-%% Function: end_per_testcase(TestCase, Config) -> _
-%% Case - atom()
-%%   Name of the test case that is about to be run.
-%% Config - [tuple()]
-%%   A list of key/value pairs, holding the test case configuration.
-%% Description: Cleanup after each test case
-%%--------------------------------------------------------------------
-end_per_testcase(_TestCase, Config) ->
-    Dog = ?config(watchdog, Config),
-    case Dog of 
-	undefined ->
-	    ok;
-	_ ->
-	    test_server:timetrap_cancel(Dog)
-    end.
-
-%%--------------------------------------------------------------------
-%% Function: all(Clause) -> TestCases
-%% Clause - atom() - suite | doc
-%% TestCases - [Case] 
-%% Case - atom()
-%%   Name of a test case.
-%% Description: Returns a list of all test cases in this test suite
-%%--------------------------------------------------------------------
-suite() -> [{ct_hooks,[ts_install_cth]}].
-
-all() -> 
-    [aes_decipher_good, aes_decipher_good_tls11, aes_decipher_fail, aes_decipher_fail_tls11].
-
-groups() -> 
-    [].
-
 init_per_group(_GroupName, Config) ->
     Config.
 
 end_per_group(_GroupName, Config) ->
     Config.
 
+init_per_testcase(_TestCase, Config0) ->
+    Config = lists:keydelete(watchdog, 1, Config0),
+    Dog = ct:timetrap(?TIMEOUT),
+    [{watchdog, Dog} | Config].
 
-%% Test cases starts here.
-%%--------------------------------------------------------------------
-aes_decipher_good(doc) -> 
-    ["Decipher a known cryptotext."];
-
-aes_decipher_good(suite) -> 
-    [];
-
-aes_decipher_good(Config) when is_list(Config) ->
-    HashSz = 32,
-    CipherState = #cipher_state{iv = <<59,201,85,117,188,206,224,136,5,109,46,70,104,79,4,9>>,
-				key = <<72,196,247,97,62,213,222,109,210,204,217,186,172,184,197,148>>},
-    Fragment = <<220,193,179,139,171,33,143,245,202,47,123,251,13,232,114,8,
-		 190,162,74,31,186,227,119,155,94,74,119,79,169,193,240,160,
-		 198,181,81,19,98,162,213,228,74,224,253,168,156,59,195,122,
-		 108,101,107,242,20,15,169,150,163,107,101,94,93,104,241,165>>,
-    Content = <<183,139,16,132,10,209,67,86,168,100,61,217,145,57,36,56, "HELLO\n">>,
-    Mac = <<71,136,212,107,223,200,70,232,127,116,148,205,232,35,158,113,237,174,15,217,192,168,35,8,6,107,107,233,25,174,90,111>>,
-    Version = {3,0},
-    {Content, Mac, _} = ssl_cipher:decipher(?AES, HashSz, CipherState, Fragment, Version),
-    Version1 = {3,1},
-    {Content, Mac, _} = ssl_cipher:decipher(?AES, HashSz, CipherState, Fragment, Version1),
-    ok.
+end_per_testcase(_TestCase, Config) ->
+    Config.
 
 %%--------------------------------------------------------------------
+%% Test Cases --------------------------------------------------------
+%%--------------------------------------------------------------------
+aes_decipher_good() ->
+    [{doc,"Decipher a known cryptotext using a correct key"}].
 
-aes_decipher_good_tls11(doc) ->
-    ["Decipher a known TLS 1.1 cryptotext."];
-
-aes_decipher_good_tls11(suite) ->
-    [];
-
-%% the fragment is actuall a TLS 1.1 record, with
-%% Version = TLS 1.1, we get the correct NextIV in #cipher_state
-aes_decipher_good_tls11(Config) when is_list(Config) ->
+aes_decipher_good(Config) when is_list(Config) ->
     HashSz = 32,
-    CipherState = #cipher_state{iv = <<59,201,85,117,188,206,224,136,5,109,46,70,104,79,4,9>>,
-				key = <<72,196,247,97,62,213,222,109,210,204,217,186,172,184,197,148>>},
-    Fragment = <<220,193,179,139,171,33,143,245,202,47,123,251,13,232,114,8,
-		 190,162,74,31,186,227,119,155,94,74,119,79,169,193,240,160,
-		 198,181,81,19,98,162,213,228,74,224,253,168,156,59,195,122,
-		 108,101,107,242,20,15,169,150,163,107,101,94,93,104,241,165>>,
-    Content = <<"HELLO\n">>,
-    NextIV = <<183,139,16,132,10,209,67,86,168,100,61,217,145,57,36,56>>,
-    Mac = <<71,136,212,107,223,200,70,232,127,116,148,205,232,35,158,113,237,174,15,217,192,168,35,8,6,107,107,233,25,174,90,111>>,
-    Version = {3,2},
-    {Content, Mac, #cipher_state{iv = NextIV}} = ssl_cipher:decipher(?AES, HashSz, CipherState, Fragment, Version),
-    Version1 = {3,2},
-    {Content, Mac, #cipher_state{iv = NextIV}} = ssl_cipher:decipher(?AES, HashSz, CipherState, Fragment, Version1),
-    ok.
+    CipherState = correct_cipher_state(),
+    decipher_check_good(HashSz, CipherState, {3,0}),
+    decipher_check_good(HashSz, CipherState, {3,1}),
+    decipher_check_good(HashSz, CipherState, {3,2}),
+    decipher_check_good(HashSz, CipherState, {3,3}).
 
 %%--------------------------------------------------------------------
 
-aes_decipher_fail(doc) -> 
-    ["Decipher a known cryptotext."];
-
-aes_decipher_fail(suite) -> 
-    [];
+aes_decipher_fail() ->
+    [{doc,"Decipher a known cryptotext using a incorrect key"}].
 
-%% same as above, last byte of key replaced
 aes_decipher_fail(Config) when is_list(Config) ->
     HashSz = 32,
-    CipherState = #cipher_state{iv = <<59,201,85,117,188,206,224,136,5,109,46,70,104,79,4,9>>,
-				key = <<72,196,247,97,62,213,222,109,210,204,217,186,172,184,197,254>>},
-    Fragment = <<220,193,179,139,171,33,143,245,202,47,123,251,13,232,114,8,
-		 190,162,74,31,186,227,119,155,94,74,119,79,169,193,240,160,
-		 198,181,81,19,98,162,213,228,74,224,253,168,156,59,195,122,
-		 108,101,107,242,20,15,169,150,163,107,101,94,93,104,241,165>>,
-    Version = {3,0},
-    {Content, Mac, _} = ssl_cipher:decipher(?AES, HashSz, CipherState, Fragment, Version),
-    32 = byte_size(Content),
-    32 = byte_size(Mac),
-    Version1 = {3,1},
-    {Content1, Mac1, _} = ssl_cipher:decipher(?AES, HashSz, CipherState, Fragment, Version1),
-    32 = byte_size(Content1),
-    32 = byte_size(Mac1),
-    ok.
 
-%%--------------------------------------------------------------------
-
-aes_decipher_fail_tls11(doc) ->
-    ["Decipher a known TLS 1.1 cryptotext."];
-
-aes_decipher_fail_tls11(suite) ->
-    [];
-
-%% same as above, last byte of key replaced
-%% stricter padding checks in TLS 1.1 mean we get an alert instead
-aes_decipher_fail_tls11(Config) when is_list(Config) ->
-    HashSz = 32,
-    CipherState = #cipher_state{iv = <<59,201,85,117,188,206,224,136,5,109,46,70,104,79,4,9>>,
-				key = <<72,196,247,97,62,213,222,109,210,204,217,186,172,184,197,254>>},
-    Fragment = <<220,193,179,139,171,33,143,245,202,47,123,251,13,232,114,8,
-		 190,162,74,31,186,227,119,155,94,74,119,79,169,193,240,160,
-		 198,181,81,19,98,162,213,228,74,224,253,168,156,59,195,122,
-		 108,101,107,242,20,15,169,150,163,107,101,94,93,104,241,165>>,
-    Version = {3,2},
-    #alert{level = ?FATAL, description = ?BAD_RECORD_MAC} = ssl_cipher:decipher(?AES, HashSz, CipherState, Fragment, Version),
-    Version1 = {3,3},
-    #alert{level = ?FATAL, description = ?BAD_RECORD_MAC} = ssl_cipher:decipher(?AES, HashSz, CipherState, Fragment, Version1),
-    ok.
+    CipherState = incorrect_cipher_state(),
+    decipher_check_fail(HashSz, CipherState, {3,0}),
+    decipher_check_fail(HashSz, CipherState, {3,1}),
+    decipher_check_fail(HashSz, CipherState, {3,2}),
+    decipher_check_fail(HashSz, CipherState, {3,3}).
 
 %%--------------------------------------------------------------------
+padding_test(Config) when is_list(Config)  ->
+    HashSz = 16,
+    CipherState = correct_cipher_state(),
+    pad_test(HashSz, CipherState, {3,0}),
+    pad_test(HashSz, CipherState, {3,1}),
+    pad_test(HashSz, CipherState, {3,2}),
+    pad_test(HashSz, CipherState, {3,3}).
+
+%%--------------------------------------------------------------------    
+% Internal functions  --------------------------------------------------------
+%%--------------------------------------------------------------------
+decipher_check_good(HashSz, CipherState, Version) ->
+    {Content, NextIV, Mac} = content_nextiv_mac(Version),
+    {Content, Mac,  #cipher_state{iv = NextIV}} = 
+	ssl_cipher:decipher(?AES, HashSz, CipherState, aes_fragment(Version), Version).
+
+decipher_check_fail(HashSz, CipherState, Version) ->
+    {Content, NextIV, Mac} = content_nextiv_mac(Version),
+    true = {Content, Mac, #cipher_state{iv = NextIV}} =/= 
+	ssl_cipher:decipher(?AES, HashSz, CipherState, aes_fragment(Version), Version).
+
+pad_test(HashSz, CipherState, {3,0} = Version) ->
+    %% 3.0 does not have padding test
+    {Content, NextIV, Mac} = badpad_content_nextiv_mac(Version),
+    {Content, Mac, #cipher_state{iv = NextIV}} = 
+	ssl_cipher:decipher(?AES, HashSz, CipherState, badpad_aes_fragment({3,0}), {3,0});    
+
+pad_test(HashSz, CipherState, Version) ->
+    %% 3.1, 3.2 and 3.3 must have padding test
+    {Content, NextIV, Mac} = badpad_content_nextiv_mac(Version),
+    BadCont = badpad_content(Content),
+    {BadCont, Mac, #cipher_state{iv = NextIV}} = ssl_cipher:decipher(?AES, HashSz, CipherState, 
+								     badpad_aes_fragment(Version), Version).
+
+aes_fragment({3,N}) when N == 0; N == 1->
+    <<197,9,6,109,242,87,80,154,85,250,110,81,119,95,65,185,53,206,216,153,246,169,
+      119,177,178,238,248,174,253,220,242,81,33,0,177,251,91,44,247,53,183,198,165,
+      63,20,194,159,107>>;
+	
+aes_fragment(_) ->
+    <<220,193,179,139,171,33,143,245,202,47,123,251,13,232,114,8,
+      190,162,74,31,186,227,119,155,94,74,119,79,169,193,240,160,
+      198,181,81,19,98,162,213,228,74,224,253,168,156,59,195,122,
+      108,101,107,242,20,15,169,150,163,107,101,94,93,104,241,165>>.
+
+badpad_aes_fragment({3,N})  when N == 0; N == 1 ->
+    <<186,139,125,10,118,21,26,248,120,108,193,104,87,118,145,79,225,55,228,10,105,
+      30,190,37,1,88,139,243,210,99,65,41>>;
+badpad_aes_fragment(_) ->
+    <<137,31,14,77,228,80,76,103,183,125,55,250,68,190,123,131,117,23,229,180,207,
+      94,121,137,117,157,109,99,113,61,190,138,131,229,201,120,142,179,172,48,77,
+      234,19,240,33,38,91,93>>.
+
+content_nextiv_mac({3,N})  when N == 0; N == 1 ->
+    {<<"HELLO\n">>,
+     <<33,0, 177,251, 91,44, 247,53, 183,198, 165,63, 20,194, 159,107>>,
+     <<71,136,212,107,223,200,70,232,127,116,148,205,232,35,158,113,237,174,15,217,192,168,35,8,6,107,107,233,25,174,90,111>>};
+content_nextiv_mac(_) ->
+    {<<"HELLO\n">>,
+     <<183,139,16,132,10,209,67,86,168,100,61,217,145,57,36,56>>,
+     <<71,136,212,107,223,200,70,232,127,116,148,205,232,35,158,113,237,174,15,217,192,168,35,8,6,107,107,233,25,174,90,111>>}.
+
+badpad_content_nextiv_mac({3,N})  when N == 0; N == 1 ->
+    {<<"HELLO\n">>,
+     <<225,55,228,10,105,30,190,37,1,88,139,243,210,99,65,41>>,
+      <<183,139,16,132,10,209,67,86,168,100,61,217,145,57,36,56>>
+    };
+badpad_content_nextiv_mac(_) ->
+    {<<"HELLO\n">>,
+     <<133,211,45,189,179,229,56,86,11,178,239,159,14,160,253,140>>,
+      <<183,139,16,132,10,209,67,86,168,100,61,217,145,57,36,56>>
+    }.
+
+badpad_content(Content) ->
+    %% BadContent will fail mac test 
+    <<16#F0, Content/binary>>.
+  
+correct_cipher_state() ->
+    #cipher_state{iv = <<59,201,85,117,188,206,224,136,5,109,46,70,104,79,4,9>>,
+		  key = <<72,196,247,97,62,213,222,109,210,204,217,186,172,184,197,148>>}.
+
+incorrect_cipher_state() ->
+    #cipher_state{iv = <<59,201,85,117,188,206,224,136,5,109,46,70,104,79,4,9>>,
+		  key = <<72,196,247,97,62,213,222,109,210,204,217,186,172,184,197,254>>}.
author	Ingela Anderton Andin <ingela@erlang.org>	2015-03-13 09:13:46 +0100
committer	Ingela Anderton Andin <ingela@erlang.org>	2015-03-13 10:51:28 +0100
commit	fbe08ea2c744b7eaf47085c0ccda2f224cc2b5ba (patch)
tree	4899f29052ff6696eb5a4583ba75c1acfbfbf0ae
parent	5a137003f1eb045a39c18438ecc1b22081747487 (diff)
download	erlang-fbe08ea2c744b7eaf47085c0ccda2f224cc2b5ba.tar.gz