104
89
crypto:aes_cbc_128_encrypt(Key, IV, T);
105
90
(Key, IV, T) when byte_size(Key) =:= 32 ->
106
91
crypto:aes_cbc_256_encrypt(Key, IV, T)
107
end, block_size(aes_128_cbc), CipherState, Mac, Fragment);
92
end, block_size(aes_128_cbc), CipherState, Mac, Fragment).
108
93
%% cipher(?IDEA, CipherState, Mac, Fragment) ->
109
94
%% block_cipher(fun(Key, IV, T) ->
110
95
%% crypto:idea_cbc_encrypt(Key, IV, T)
111
96
%% end, block_size(idea_cbc), CipherState, Mac, Fragment);
112
cipher(?RC2, CipherState, Mac, Fragment) ->
113
block_cipher(fun(Key, IV, T) ->
114
crypto:rc2_40_cbc_encrypt(Key, IV, T)
115
end, block_size(rc2_cbc_40), CipherState, Mac, Fragment).
117
98
block_cipher(Fun, BlockSz, #cipher_state{key=Key, iv=IV} = CS0,
119
100
TotSz = byte_size(Mac) + erlang:iolist_size(Fragment) + 1,
120
101
{PaddingLength, Padding} = get_padding(TotSz, BlockSz),
121
102
L = [Fragment, Mac, PaddingLength, Padding],
125
103
T = Fun(Key, IV, L),
127
104
NextIV = next_iv(T, IV),
128
105
{T, CS0#cipher_state{iv=NextIV}}.
130
107
%%--------------------------------------------------------------------
131
%% Function: decipher(Method, CipherState, Mac, Data) ->
132
%% {Decrypted, UpdateCipherState}
134
%% Method - integer() (as defined in ssl_cipher.hrl)
135
%% CipherState, UpdatedCipherState - #cipher_state{}
136
%% Data, Encrypted - binary()
138
%% Description: Decrypts the data and the mac using method, updating
108
-spec decipher(cipher_enum(), integer(), #cipher_state{}, binary(), tls_version()) ->
109
{binary(), binary(), #cipher_state{}} | #alert{}.
111
%% Description: Decrypts the data and the MAC using cipher described
112
%% by cipher_enum() and updating the cipher state.
140
113
%%-------------------------------------------------------------------
141
decipher(?NULL, _HashSz, CipherState, Fragment) ->
114
decipher(?NULL, _HashSz, CipherState, Fragment, _) ->
142
115
{Fragment, <<>>, CipherState};
143
decipher(?RC4, HashSz, CipherState, Fragment) ->
144
?DBG_TERM(CipherState#cipher_state.key),
116
decipher(?RC4, HashSz, CipherState, Fragment, _) ->
145
117
State0 = case CipherState#cipher_state.state of
146
118
undefined -> crypto:rc4_set_key(CipherState#cipher_state.key);
151
{State1, T} = crypto:rc4_encrypt_with_state(State0, Fragment),
153
GSC = generic_stream_cipher_from_bin(T, HashSz),
154
#generic_stream_cipher{content=Content, mac=Mac} = GSC,
155
{Content, Mac, CipherState#cipher_state{state=State1}};
156
decipher(?DES, HashSz, CipherState, Fragment) ->
157
block_decipher(fun(Key, IV, T) ->
158
crypto:des_cbc_decrypt(Key, IV, T)
159
end, CipherState, HashSz, Fragment);
160
decipher(?DES40, HashSz, CipherState, Fragment) ->
161
block_decipher(fun(Key, IV, T) ->
162
crypto:des_cbc_decrypt(Key, IV, T)
163
end, CipherState, HashSz, Fragment);
164
decipher(?'3DES', HashSz, CipherState, Fragment) ->
121
try crypto:rc4_encrypt_with_state(State0, Fragment) of
123
GSC = generic_stream_cipher_from_bin(Text, HashSz),
124
#generic_stream_cipher{content = Content, mac = Mac} = GSC,
125
{Content, Mac, CipherState#cipher_state{state = State}}
128
%% This is a DECRYPTION_FAILED but
129
%% "differentiating between bad_record_mac and decryption_failed
130
%% alerts may permit certain attacks against CBC mode as used in
131
%% TLS [CBCATT]. It is preferable to uniformly use the
132
%% bad_record_mac alert to hide the specific type of the error."
133
?ALERT_REC(?FATAL, ?BAD_RECORD_MAC)
136
decipher(?DES, HashSz, CipherState, Fragment, Version) ->
137
block_decipher(fun(Key, IV, T) ->
138
crypto:des_cbc_decrypt(Key, IV, T)
139
end, CipherState, HashSz, Fragment, Version);
140
decipher(?'3DES', HashSz, CipherState, Fragment, Version) ->
165
141
block_decipher(fun(<<K1:8/binary, K2:8/binary, K3:8/binary>>, IV, T) ->
166
142
crypto:des3_cbc_decrypt(K1, K2, K3, IV, T)
167
end, CipherState, HashSz, Fragment);
168
decipher(?AES, HashSz, CipherState, Fragment) ->
143
end, CipherState, HashSz, Fragment, Version);
144
decipher(?AES, HashSz, CipherState, Fragment, Version) ->
169
145
block_decipher(fun(Key, IV, T) when byte_size(Key) =:= 16 ->
170
146
crypto:aes_cbc_128_decrypt(Key, IV, T);
171
147
(Key, IV, T) when byte_size(Key) =:= 32 ->
172
148
crypto:aes_cbc_256_decrypt(Key, IV, T)
173
end, CipherState, HashSz, Fragment);
174
%% decipher(?IDEA, HashSz, CipherState, Fragment) ->
149
end, CipherState, HashSz, Fragment, Version).
150
%% decipher(?IDEA, HashSz, CipherState, Fragment, Version) ->
175
151
%% block_decipher(fun(Key, IV, T) ->
176
152
%% crypto:idea_cbc_decrypt(Key, IV, T)
177
%% end, CipherState, HashSz, Fragment);
178
decipher(?RC2, HashSz, CipherState, Fragment) ->
179
block_decipher(fun(Key, IV, T) ->
180
crypto:rc2_40_cbc_decrypt(Key, IV, T)
181
end, CipherState, HashSz, Fragment).
153
%% end, CipherState, HashSz, Fragment, Version);
183
155
block_decipher(Fun, #cipher_state{key=Key, iv=IV} = CipherState0,
188
T = Fun(Key, IV, Fragment),
190
GBC = generic_block_cipher_from_bin(T, HashSz),
191
ok = check_padding(GBC), %% TODO kolla ocks�...
192
Content = GBC#generic_block_cipher.content,
193
Mac = GBC#generic_block_cipher.mac,
194
CipherState1 = CipherState0#cipher_state{iv=next_iv(Fragment, IV)},
195
{Content, Mac, CipherState1}.
156
HashSz, Fragment, Version) ->
157
try Fun(Key, IV, Fragment) of
159
GBC = generic_block_cipher_from_bin(Text, HashSz),
160
case is_correct_padding(GBC, Version) of
162
Content = GBC#generic_block_cipher.content,
163
Mac = GBC#generic_block_cipher.mac,
164
CipherState1 = CipherState0#cipher_state{iv=next_iv(Fragment, IV)},
165
{Content, Mac, CipherState1};
167
?ALERT_REC(?FATAL, ?BAD_RECORD_MAC)
171
%% This is a DECRYPTION_FAILED but
172
%% "differentiating between bad_record_mac and decryption_failed
173
%% alerts may permit certain attacks against CBC mode as used in
174
%% TLS [CBCATT]. It is preferable to uniformly use the
175
%% bad_record_mac alert to hide the specific type of the error."
176
?ALERT_REC(?FATAL, ?BAD_RECORD_MAC)
197
178
%%--------------------------------------------------------------------
198
%% Function: suites(Version) -> [Suite]
200
%% Version = version()
201
%% Suite = binary() from ssl_cipher.hrl
179
-spec suites(tls_version()) -> [cipher_suite()].
203
181
%% Description: Returns a list of supported cipher suites.
204
182
%%--------------------------------------------------------------------
208
186
ssl_tls1:suites().
210
188
%%--------------------------------------------------------------------
211
%% Function: suite_definition(CipherSuite) ->
212
%% {KeyExchange, Cipher, Hash, Exportable}
215
%% CipherSuite - as defined in ssl_cipher.hrl
216
%% KeyExchange - rsa | dh_dss | dh_rsa | dh_anon | dhe_dss | dhe_rsa
217
%% krb5 | *_export (old ssl)
218
%% Cipher - null | rc4_128 | idea_cbc | des_cbc | '3des_ede_cbc'
219
%% des40_cbc | dh_dss | aes_128_cbc | aes_256_cbc |
220
%% rc2_cbc_40 | rc4_40
221
%% Hash - null | md5 | sha
222
%% Exportable - export | no_export | ignore(?)
224
%% Description: Returns a security parameters record where the
225
%% cipher values has been updated according to <CipherSuite>
226
%% Note: since idea is unsupported on the openssl version used by
227
%% crypto (as of OTP R12B), we've commented away the idea stuff
189
-spec anonymous_suites() -> [cipher_suite()].
191
%% Description: Returns a list of the anonymous cipher suites, only supported
192
%% if explicitly set by user. Intended only for testing.
193
%%--------------------------------------------------------------------
194
anonymous_suites() ->
195
[?TLS_DH_anon_WITH_RC4_128_MD5,
196
?TLS_DH_anon_WITH_DES_CBC_SHA,
197
?TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
198
?TLS_DH_anon_WITH_AES_128_CBC_SHA,
199
?TLS_DH_anon_WITH_AES_256_CBC_SHA].
201
%%--------------------------------------------------------------------
202
-spec suite_definition(cipher_suite()) -> erl_cipher_suite().
204
%% Description: Return erlang cipher suite definition.
205
%% Note: Currently not supported suites are commented away.
206
%% They should be supported or removed in the future.
228
207
%%-------------------------------------------------------------------
229
208
%% TLS v1.1 suites
230
209
suite_definition(?TLS_NULL_WITH_NULL_NULL) ->
231
{null, null, null, ignore};
232
suite_definition(?TLS_RSA_WITH_NULL_MD5) ->
233
{rsa, null, md5, ignore};
234
suite_definition(?TLS_RSA_WITH_NULL_SHA) ->
235
{rsa, null, sha, ignore};
236
suite_definition(?TLS_RSA_WITH_RC4_128_MD5) -> % ok
237
{rsa, rc4_128, md5, no_export};
238
suite_definition(?TLS_RSA_WITH_RC4_128_SHA) -> % ok
239
{rsa, rc4_128, sha, no_export};
240
%% suite_definition(?TLS_RSA_WITH_IDEA_CBC_SHA) -> % unsupported
241
%% {rsa, idea_cbc, sha, no_export};
242
suite_definition(?TLS_RSA_WITH_DES_CBC_SHA) -> % ok
243
{rsa, des_cbc, sha, no_export};
211
%% suite_definition(?TLS_RSA_WITH_NULL_MD5) ->
213
%% suite_definition(?TLS_RSA_WITH_NULL_SHA) ->
215
suite_definition(?TLS_RSA_WITH_RC4_128_MD5) ->
217
suite_definition(?TLS_RSA_WITH_RC4_128_SHA) ->
219
%% suite_definition(?TLS_RSA_WITH_IDEA_CBC_SHA) ->
220
%% {rsa, idea_cbc, sha};
221
suite_definition(?TLS_RSA_WITH_DES_CBC_SHA) ->
244
223
suite_definition(?TLS_RSA_WITH_3DES_EDE_CBC_SHA) ->
245
{rsa, '3des_ede_cbc', sha, no_export};
246
suite_definition(?TLS_DH_DSS_WITH_DES_CBC_SHA) ->
247
{dh_dss, des_cbc, sha, no_export};
248
suite_definition(?TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA) ->
249
{dh_dss, '3des_ede_cbc', sha, no_export};
250
suite_definition(?TLS_DH_RSA_WITH_DES_CBC_SHA) ->
251
{dh_rsa, des_cbc, sha, no_export};
252
suite_definition(?TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA) ->
253
{dh_rsa, '3des_ede_cbc', sha, no_export};
224
{rsa, '3des_ede_cbc', sha};
254
225
suite_definition(?TLS_DHE_DSS_WITH_DES_CBC_SHA) ->
255
{dhe_dss, des_cbc, sha, no_export};
226
{dhe_dss, des_cbc, sha};
256
227
suite_definition(?TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA) ->
257
{dhe_dss, '3des_ede_cbc', sha, no_export};
228
{dhe_dss, '3des_ede_cbc', sha};
258
229
suite_definition(?TLS_DHE_RSA_WITH_DES_CBC_SHA) ->
259
{dhe_rsa, des_cbc, sha, no_export};
230
{dhe_rsa, des_cbc, sha};
260
231
suite_definition(?TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA) ->
261
{dhe_rsa, '3des_ede_cbc', sha, no_export};
232
{dhe_rsa, '3des_ede_cbc', sha};
234
%%% TSL V1.1 AES suites
235
suite_definition(?TLS_RSA_WITH_AES_128_CBC_SHA) ->
236
{rsa, aes_128_cbc, sha};
237
suite_definition(?TLS_DHE_DSS_WITH_AES_128_CBC_SHA) ->
238
{dhe_dss, aes_128_cbc, sha};
239
suite_definition(?TLS_DHE_RSA_WITH_AES_128_CBC_SHA) ->
240
{dhe_rsa, aes_128_cbc, sha};
241
suite_definition(?TLS_RSA_WITH_AES_256_CBC_SHA) ->
242
{rsa, aes_256_cbc, sha};
243
suite_definition(?TLS_DHE_DSS_WITH_AES_256_CBC_SHA) ->
244
{dhe_dss, aes_256_cbc, sha};
245
suite_definition(?TLS_DHE_RSA_WITH_AES_256_CBC_SHA) ->
246
{dhe_rsa, aes_256_cbc, sha};
248
%%% DH-ANON deprecated by TLS spec and not available
249
%%% by default, but good for testing purposes.
262
250
suite_definition(?TLS_DH_anon_WITH_RC4_128_MD5) ->
263
{dh_anon, rc4_128, md5, no_export};
251
{dh_anon, rc4_128, md5};
264
252
suite_definition(?TLS_DH_anon_WITH_DES_CBC_SHA) ->
265
{dh_anon, des40_cbc, sha, no_export};
253
{dh_anon, des_cbc, sha};
266
254
suite_definition(?TLS_DH_anon_WITH_3DES_EDE_CBC_SHA) ->
267
{dh_anon, '3des_ede_cbc', sha, no_export};
269
%%% TSL V1.1 AES suites
270
suite_definition(?TLS_RSA_WITH_AES_128_CBC_SHA) -> % ok
271
{rsa, aes_128_cbc, sha, ignore};
272
suite_definition(?TLS_DH_DSS_WITH_AES_128_CBC_SHA) ->
273
{dh_dss, aes_128_cbc, sha, ignore};
274
suite_definition(?TLS_DH_RSA_WITH_AES_128_CBC_SHA) ->
275
{dh_rsa, aes_128_cbc, sha, ignore};
276
suite_definition(?TLS_DHE_DSS_WITH_AES_128_CBC_SHA) ->
277
{dhe_dss, aes_128_cbc, sha, ignore};
278
suite_definition(?TLS_DHE_RSA_WITH_AES_128_CBC_SHA) ->
279
{dhe_rsa, aes_128_cbc, sha, ignore};
255
{dh_anon, '3des_ede_cbc', sha};
280
256
suite_definition(?TLS_DH_anon_WITH_AES_128_CBC_SHA) ->
281
{dh_anon, aes_128_cbc, sha, ignore};
282
suite_definition(?TLS_RSA_WITH_AES_256_CBC_SHA) -> % ok
283
{rsa, aes_256_cbc, sha, ignore};
284
suite_definition(?TLS_DH_DSS_WITH_AES_256_CBC_SHA) ->
285
{dh_dss, aes_256_cbc, sha, ignore};
286
suite_definition(?TLS_DH_RSA_WITH_AES_256_CBC_SHA) ->
287
{dh_rsa, aes_256_cbc, sha, ignore};
288
suite_definition(?TLS_DHE_DSS_WITH_AES_256_CBC_SHA) ->
289
{dhe_dss, aes_256_cbc, sha, ignore};
290
suite_definition(?TLS_DHE_RSA_WITH_AES_256_CBC_SHA) ->
291
{dhe_rsa, aes_256_cbc, sha, ignore};
257
{dh_anon, aes_128_cbc, sha};
292
258
suite_definition(?TLS_DH_anon_WITH_AES_256_CBC_SHA) ->
293
{dh_anon, aes_256_cbc, sha, ignore};
295
%% TSL V1.1 KRB SUITES
296
suite_definition(?TLS_KRB5_WITH_DES_CBC_SHA) ->
297
{krb5, des_cbc, sha, ignore};
298
suite_definition(?TLS_KRB5_WITH_3DES_EDE_CBC_SHA) ->
299
{krb5, '3des_ede_cbc', sha, ignore};
300
suite_definition(?TLS_KRB5_WITH_RC4_128_SHA) ->
301
{krb5, rc4_128, sha, ignore};
302
%% suite_definition(?TLS_KRB5_WITH_IDEA_CBC_SHA) ->
303
%% {krb5, idea_cbc, sha, ignore};
304
suite_definition(?TLS_KRB5_WITH_DES_CBC_MD5) ->
305
{krb5, des_cbc, md5, ignore};
306
suite_definition(?TLS_KRB5_WITH_3DES_EDE_CBC_MD5) ->
307
{krb5, '3des_ede_cbc', md5, ignore};
308
suite_definition(?TLS_KRB5_WITH_RC4_128_MD5) ->
309
{krb5, rc4_128, md5, ignore};
310
%% suite_definition(?TLS_KRB5_WITH_IDEA_CBC_MD5) ->
311
%% {krb5, idea_cbc, md5, ignore};
313
suite_definition(?TLS_RSA_EXPORT1024_WITH_RC4_56_MD5) ->
314
{rsa, rc4_56, md5, export};
315
suite_definition(?TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5) ->
316
{rsa, rc2_cbc_56, md5, export};
317
suite_definition(?TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA) ->
318
{rsa, des_cbc, sha, export};
319
suite_definition(?TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA) ->
320
{dhe_dss, des_cbc, sha, export};
321
suite_definition(?TLS_RSA_EXPORT1024_WITH_RC4_56_SHA) ->
322
{rsa, rc4_56, sha, export};
323
suite_definition(?TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA) ->
324
{dhe_dss, rc4_56, sha, export};
325
suite_definition(?TLS_DHE_DSS_WITH_RC4_128_SHA) ->
326
{dhe_dss, rc4_128, sha, export};
328
%% Export suites TLS 1.0 OR SSLv3-only servers.
329
suite_definition(?TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA) ->
330
{krb5_export, des40_cbc, sha, export};
331
suite_definition(?TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA) ->
332
{krb5_export, rc2_cbc_40, sha, export};
333
suite_definition(?TLS_KRB5_EXPORT_WITH_RC4_40_SHA) ->
334
{krb5_export, des40_cbc, sha, export};
335
suite_definition(?TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5) ->
336
{krb5_export, des40_cbc, md5, export};
337
suite_definition(?TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5) ->
338
{krb5_export, rc2_cbc_40, md5, export};
339
suite_definition(?TLS_KRB5_EXPORT_WITH_RC4_40_MD5) ->
340
{krb5_export, rc2_cbc_40, md5, export};
341
suite_definition(?TLS_RSA_EXPORT_WITH_RC4_40_MD5) -> % ok
342
{rsa, rc4_40, md5, export};
343
suite_definition(?TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5) -> % ok
344
{rsa, rc2_cbc_40, md5, export};
345
suite_definition(?TLS_RSA_EXPORT_WITH_DES40_CBC_SHA) ->
346
{rsa, des40_cbc, sha, export};
347
suite_definition(?TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA) ->
348
{dh_dss, des40_cbc, sha, export};
349
suite_definition(?TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA) ->
350
{dh_rsa, des40_cbc, sha, export};
351
suite_definition(?TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA) ->
352
{dhe_dss, des40_cbc, sha, export};
353
suite_definition(?TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA) ->
354
{dhe_rsa, des40_cbc, sha, export};
355
suite_definition(?TLS_DH_anon_EXPORT_WITH_RC4_40_MD5) ->
356
{dh_anon, rc4_40, md5, export};
357
suite_definition(?TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA) ->
358
{dh_anon, des40_cbc, sha, export}.
259
{dh_anon, aes_256_cbc, sha}.
261
%%--------------------------------------------------------------------
262
-spec suite(erl_cipher_suite()) -> cipher_suite().
264
%% Description: Return TLS cipher suite definition.
265
%%--------------------------------------------------------------------
360
267
%% TLS v1.1 suites
361
suite({rsa, null, md5, ignore}) ->
362
?TLS_RSA_WITH_NULL_MD5;
363
suite({rsa, null, sha, ignore}) ->
364
?TLS_RSA_WITH_NULL_SHA;
365
suite({rsa, rc4_128, md5, no_export}) ->
268
%%suite({rsa, null, md5}) ->
269
%% ?TLS_RSA_WITH_NULL_MD5;
270
%%suite({rsa, null, sha}) ->
271
%% ?TLS_RSA_WITH_NULL_SHA;
272
suite({rsa, rc4_128, md5}) ->
366
273
?TLS_RSA_WITH_RC4_128_MD5;
367
suite({rsa, rc4_128, sha, no_export}) ->
274
suite({rsa, rc4_128, sha}) ->
368
275
?TLS_RSA_WITH_RC4_128_SHA;
369
%% suite({rsa, idea_cbc, sha, no_export}) ->
276
%% suite({rsa, idea_cbc, sha}) ->
370
277
%% ?TLS_RSA_WITH_IDEA_CBC_SHA;
371
suite({rsa, des_cbc, sha, no_export}) ->
278
suite({rsa, des_cbc, sha}) ->
372
279
?TLS_RSA_WITH_DES_CBC_SHA;
373
suite({rsa, '3des_ede_cbc', sha, no_export}) ->
280
suite({rsa, '3des_ede_cbc', sha}) ->
374
281
?TLS_RSA_WITH_3DES_EDE_CBC_SHA;
375
suite({dh_dss, des_cbc, sha, no_export}) ->
376
?TLS_DH_DSS_WITH_DES_CBC_SHA;
377
suite({dh_dss, '3des_ede_cbc', sha, no_export}) ->
378
?TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA;
379
suite({dh_rsa, des_cbc, sha, no_export}) ->
380
?TLS_DH_RSA_WITH_DES_CBC_SHA;
381
suite({dh_rsa, '3des_ede_cbc', sha, no_export}) ->
382
?TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA;
383
suite({dhe_dss, des_cbc, sha, no_export}) ->
282
suite({dhe_dss, des_cbc, sha}) ->
384
283
?TLS_DHE_DSS_WITH_DES_CBC_SHA;
385
suite({dhe_dss, '3des_ede_cbc', sha, no_export}) ->
284
suite({dhe_dss, '3des_ede_cbc', sha}) ->
386
285
?TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA;
387
suite({dhe_rsa, des_cbc, sha, no_export}) ->
286
suite({dhe_rsa, des_cbc, sha}) ->
388
287
?TLS_DHE_RSA_WITH_DES_CBC_SHA;
389
suite({dhe_rsa, '3des_ede_cbc', sha, no_export}) ->
288
suite({dhe_rsa, '3des_ede_cbc', sha}) ->
390
289
?TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA;
391
suite({dh_anon, rc4_128, md5, no_export}) ->
290
suite({dh_anon, rc4_128, md5}) ->
392
291
?TLS_DH_anon_WITH_RC4_128_MD5;
393
suite({dh_anon, des40_cbc, sha, no_export}) ->
292
suite({dh_anon, des_cbc, sha}) ->
394
293
?TLS_DH_anon_WITH_DES_CBC_SHA;
395
suite({dh_anon, '3des_ede_cbc', sha, no_export}) ->
294
suite({dh_anon, '3des_ede_cbc', sha}) ->
396
295
?TLS_DH_anon_WITH_3DES_EDE_CBC_SHA;
398
297
%%% TSL V1.1 AES suites
399
suite({rsa, aes_128_cbc, sha, ignore}) ->
298
suite({rsa, aes_128_cbc, sha}) ->
400
299
?TLS_RSA_WITH_AES_128_CBC_SHA;
401
suite({dh_dss, aes_128_cbc, sha, ignore}) ->
402
?TLS_DH_DSS_WITH_AES_128_CBC_SHA;
403
suite({dh_rsa, aes_128_cbc, sha, ignore}) ->
404
?TLS_DH_RSA_WITH_AES_128_CBC_SHA;
405
suite({dhe_dss, aes_128_cbc, sha, ignore}) ->
300
suite({dhe_dss, aes_128_cbc, sha}) ->
406
301
?TLS_DHE_DSS_WITH_AES_128_CBC_SHA;
407
suite({dhe_rsa, aes_128_cbc, sha, ignore}) ->
302
suite({dhe_rsa, aes_128_cbc, sha}) ->
408
303
?TLS_DHE_RSA_WITH_AES_128_CBC_SHA;
409
suite({dh_anon, aes_128_cbc, sha, ignore}) ->
304
suite({dh_anon, aes_128_cbc, sha}) ->
410
305
?TLS_DH_anon_WITH_AES_128_CBC_SHA;
411
suite({rsa, aes_256_cbc, sha, ignore}) ->
306
suite({rsa, aes_256_cbc, sha}) ->
412
307
?TLS_RSA_WITH_AES_256_CBC_SHA;
413
suite({dh_dss, aes_256_cbc, sha, ignore}) ->
414
?TLS_DH_DSS_WITH_AES_256_CBC_SHA;
415
suite({dh_rsa, aes_256_cbc, sha, ignore}) ->
416
?TLS_DH_RSA_WITH_AES_256_CBC_SHA;
417
suite({dhe_dss, aes_256_cbc, sha, ignore}) ->
308
suite({dhe_dss, aes_256_cbc, sha}) ->
418
309
?TLS_DHE_DSS_WITH_AES_256_CBC_SHA;
419
suite({dhe_rsa, aes_256_cbc, sha, ignore}) ->
310
suite({dhe_rsa, aes_256_cbc, sha}) ->
420
311
?TLS_DHE_RSA_WITH_AES_256_CBC_SHA;
421
suite({dh_anon, aes_256_cbc, sha, ignore}) ->
422
?TLS_DH_anon_WITH_AES_256_CBC_SHA;
424
%% TSL V1.1 KRB SUITES
425
suite({krb5, des_cbc, sha, ignore}) ->
426
?TLS_KRB5_WITH_DES_CBC_SHA;
427
suite({krb5_cbc, '3des_ede_cbc', sha, ignore}) ->
428
?TLS_KRB5_WITH_3DES_EDE_CBC_SHA;
429
suite({krb5, rc4_128, sha, ignore}) ->
430
?TLS_KRB5_WITH_RC4_128_SHA;
431
%% suite({krb5_cbc, idea_cbc, sha, ignore}) ->
432
%% ?TLS_KRB5_WITH_IDEA_CBC_SHA;
433
suite({krb5_cbc, md5, ignore}) ->
434
?TLS_KRB5_WITH_DES_CBC_MD5;
435
suite({krb5_ede_cbc, des_cbc, md5, ignore}) ->
436
?TLS_KRB5_WITH_3DES_EDE_CBC_MD5;
437
suite({krb5_128, rc4_128, md5, ignore}) ->
438
?TLS_KRB5_WITH_RC4_128_MD5;
439
%% suite({krb5, idea_cbc, md5, ignore}) ->
440
%% ?TLS_KRB5_WITH_IDEA_CBC_MD5;
442
%% Export suites TLS 1.0 OR SSLv3-only servers.
443
suite({rsa, rc4_40, md5, export}) ->
444
?TLS_RSA_EXPORT_WITH_RC4_40_MD5;
445
suite({rsa, rc2_cbc_40, md5, export}) ->
446
?TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5;
447
suite({rsa, des40_cbc, sha, export}) ->
448
?TLS_RSA_EXPORT_WITH_DES40_CBC_SHA;
449
suite({rsa, rc4_56, md5, export}) ->
450
?TLS_RSA_EXPORT1024_WITH_RC4_56_MD5;
451
suite({rsa, rc2_cbc_56, md5, export}) ->
452
?TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5;
453
suite({rsa, des_cbc, sha, export}) ->
454
?TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA;
455
suite({dhe_dss, des_cbc, sha, export}) ->
456
?TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA;
457
suite({rsa, rc4_56, sha, export}) ->
458
?TLS_RSA_EXPORT1024_WITH_RC4_56_SHA;
459
suite({dhe_dss, rc4_56, sha, export}) ->
460
?TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA;
461
suite({dhe_dss, rc4_128, sha, export}) ->
462
?TLS_DHE_DSS_WITH_RC4_128_SHA;
463
suite({krb5_export, des40_cbc, sha, export}) ->
464
?TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA;
465
suite({krb5_export, rc2_cbc_40, sha, export}) ->
466
?TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA;
467
suite({krb5_export, rc4_cbc_40, sha, export}) ->
468
?TLS_KRB5_EXPORT_WITH_RC4_40_SHA;
469
suite({krb5_export, des40_cbc, md5, export}) ->
470
?TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5;
471
suite({krb5_export, rc2_cbc_40, md5, export}) ->
472
?TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5;
473
suite({krb5_export, rc4_cbc_40, md5, export}) ->
474
?TLS_KRB5_EXPORT_WITH_RC4_40_MD5;
475
suite({rsa_export, rc4_cbc_40, md5, export}) ->
476
?TLS_RSA_EXPORT_WITH_RC4_40_MD5;
477
suite({rsa_export, rc2_cbc_40, md5, export}) ->
478
?TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5;
479
suite({rsa_export, des40_cbc, sha, export}) ->
480
?TLS_RSA_EXPORT_WITH_DES40_CBC_SHA;
481
suite({dh_dss_export, des40_cbc, sha, export}) ->
482
?TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA;
483
suite({dh_rsa_export, des40_cbc, sha, export}) ->
484
?TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA;
485
suite({dhe_dss_export, des40_cbc, sha, export}) ->
486
?TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA;
487
suite({dhe_rsa_export, des40_cbc, sha, export}) ->
488
?TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA;
489
suite({dh_anon_export, rc4_40, md5, export}) ->
490
?TLS_DH_anon_EXPORT_WITH_RC4_40_MD5;
491
suite({dh_anon_export, des40_cbc, sha, export}) ->
492
?TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA.
312
suite({dh_anon, aes_256_cbc, sha}) ->
313
?TLS_DH_anon_WITH_AES_256_CBC_SHA.
315
%%--------------------------------------------------------------------
316
-spec openssl_suite(openssl_cipher_suite()) -> cipher_suite().
318
%% Description: Return TLS cipher suite definition.
319
%%--------------------------------------------------------------------
495
320
%% translate constants <-> openssl-strings
496
%% TODO: Is there a pattern in the nameing
497
%% that is useable to make a nicer function defention?
499
321
openssl_suite("DHE-RSA-AES256-SHA") ->
500
322
?TLS_DHE_RSA_WITH_AES_256_CBC_SHA;
501
323
openssl_suite("DHE-DSS-AES256-SHA") ->