[erlang-patches] [PATCH] fix handling of ssl_cipher:block_decipher/5 failure

Ingela Anderton Andin <>
Tue Oct 4 18:13:59 CEST 2011


This patch is to late for R14B04, but I think it is a good patch and I 
want to include it for the next release.
I was just thinking that  should not the aes_decipher_fail-test test 
that the Contetent and Mac values are
not the expected ones and not only test that they are "something" of the 
expected size?

Regards Ingela Erlang/OTP team - Ericsson AB

Andreas Schultz wrote:
> Hi all,
> Included is a change to fix a badmatch error in
> ssl_cipher:generic_block_cipher_from_bin/2 and implement a CBC
> timming attack counter measure in ssl_cipher:block_decipher/5.
> Both changes are closely related.
>    git fetch :RoadRunnr/otp.git ssl-cbc-fix
> ssl_cipher:generic_block_cipher_from_bin/2 would generate a badmatch
> error when the padding length was greater than the overall data. This
> can happen when the decryption resulted in invalid data. It seems to
> me, that the try in block_decipher/5 was supposed to catch that, but
> it did not.
> Also, RFC 5246 suggests a counter measure for a CBC timing attack on
> the MAC calculation. This can easily be implemented by not generating
> the error alert in block_decipher/5 and invalidating the decoded text.
> It would also be possible to extend the return value of block_decipher
> with the result of the padding check and test that value later. However,
> this would also require changes to generic_block_cipher_from_bin/2.
> Thanks
> Andreas

More information about the erlang-patches mailing list