From 955c16cdfd211455e5cdbca28d55d9d77cf17836 Mon Sep 17 00:00:00 2001
From: Andreas Schultz <aschultz@tpip.net>
Date: Mon, 4 Mar 2013 22:12:31 +0100
Subject: ssl: add PSK-GCM suites

---
 lib/ssl/src/ssl_cipher.erl    | 51 ++++++++++++++++++++++++++++++++++++-------
 lib/ssl/src/ssl_cipher.hrl    | 18 +++++++++++++++
 lib/ssl/test/ssl_test_lib.erl |  9 ++++++--
 3 files changed, 68 insertions(+), 10 deletions(-)

(limited to 'lib/ssl')

diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
index 5769d53cdf..79b772d2a2 100644
--- a/lib/ssl/src/ssl_cipher.erl
+++ b/lib/ssl/src/ssl_cipher.erl
@@ -333,13 +333,20 @@ psk_suites({3, N}) ->
 
 psk_suites(N)
   when N >= 3 ->
-    psk_suites(0) ++
-	[?TLS_DHE_PSK_WITH_AES_256_CBC_SHA384,
-	 ?TLS_RSA_PSK_WITH_AES_256_CBC_SHA384,
-	 ?TLS_PSK_WITH_AES_256_CBC_SHA384,
-	 ?TLS_DHE_PSK_WITH_AES_128_CBC_SHA256,
-	 ?TLS_RSA_PSK_WITH_AES_128_CBC_SHA256,
-	 ?TLS_PSK_WITH_AES_128_CBC_SHA256];
+    [
+     ?TLS_DHE_PSK_WITH_AES_256_GCM_SHA384,
+     ?TLS_RSA_PSK_WITH_AES_256_GCM_SHA384,
+     ?TLS_PSK_WITH_AES_256_GCM_SHA384,
+     ?TLS_DHE_PSK_WITH_AES_256_CBC_SHA384,
+     ?TLS_RSA_PSK_WITH_AES_256_CBC_SHA384,
+     ?TLS_PSK_WITH_AES_256_CBC_SHA384,
+     ?TLS_DHE_PSK_WITH_AES_128_GCM_SHA256,
+     ?TLS_RSA_PSK_WITH_AES_128_GCM_SHA256,
+     ?TLS_PSK_WITH_AES_128_GCM_SHA256,
+     ?TLS_DHE_PSK_WITH_AES_128_CBC_SHA256,
+     ?TLS_RSA_PSK_WITH_AES_128_CBC_SHA256,
+     ?TLS_PSK_WITH_AES_128_CBC_SHA256
+    ] ++ psk_suites(0);
 
 psk_suites(_) ->
 	[?TLS_DHE_PSK_WITH_AES_256_CBC_SHA,
@@ -491,6 +498,19 @@ suite_definition(?TLS_RSA_PSK_WITH_AES_256_CBC_SHA) ->
 
 %%% TLS 1.2 PSK Cipher Suites RFC 5487
 
+suite_definition(?TLS_PSK_WITH_AES_128_GCM_SHA256) ->
+    {psk, aes_128_gcm, null, sha256};
+suite_definition(?TLS_PSK_WITH_AES_256_GCM_SHA384) ->
+    {psk, aes_256_gcm, null, sha384};
+suite_definition(?TLS_DHE_PSK_WITH_AES_128_GCM_SHA256) ->
+    {dhe_psk, aes_128_gcm, null, sha256};
+suite_definition(?TLS_DHE_PSK_WITH_AES_256_GCM_SHA384) ->
+    {dhe_psk, aes_256_gcm, null, sha384};
+suite_definition(?TLS_RSA_PSK_WITH_AES_128_GCM_SHA256) ->
+    {rsa_psk, aes_128_gcm, null, sha256};
+suite_definition(?TLS_RSA_PSK_WITH_AES_256_GCM_SHA384) ->
+    {rsa_psk, aes_256_gcm, null, sha384};
+
 suite_definition(?TLS_PSK_WITH_AES_128_CBC_SHA256) ->
     {psk, aes_128_cbc, sha256, default_prf};
 suite_definition(?TLS_PSK_WITH_AES_256_CBC_SHA384) ->
@@ -758,6 +778,19 @@ suite({rsa_psk, aes_256_cbc,sha}) ->
 
 %%% TLS 1.2 PSK Cipher Suites RFC 5487
 
+suite({psk, aes_128_gcm, null}) ->
+    ?TLS_PSK_WITH_AES_128_GCM_SHA256;
+suite({psk, aes_256_gcm, null}) ->
+    ?TLS_PSK_WITH_AES_256_GCM_SHA384;
+suite({dhe_psk, aes_128_gcm, null}) ->
+    ?TLS_DHE_PSK_WITH_AES_128_GCM_SHA256;
+suite({dhe_psk, aes_256_gcm, null}) ->
+    ?TLS_DHE_PSK_WITH_AES_256_GCM_SHA384;
+suite({rsa_psk, aes_128_gcm, null}) ->
+    ?TLS_RSA_PSK_WITH_AES_128_GCM_SHA256;
+suite({rsa_psk, aes_256_gcm, null}) ->
+    ?TLS_RSA_PSK_WITH_AES_256_GCM_SHA384;
+
 suite({psk, aes_128_cbc, sha256}) ->
     ?TLS_PSK_WITH_AES_128_CBC_SHA256;
 suite({psk, aes_256_cbc, sha384}) ->
@@ -1608,7 +1641,9 @@ dhe_rsa_suites() ->
      ?TLS_DHE_RSA_WITH_AES_256_GCM_SHA384].
 
 psk_rsa_suites() ->
-    [?TLS_RSA_PSK_WITH_AES_256_CBC_SHA384,
+    [?TLS_RSA_PSK_WITH_AES_256_GCM_SHA384,
+     ?TLS_RSA_PSK_WITH_AES_128_GCM_SHA256,
+     ?TLS_RSA_PSK_WITH_AES_256_CBC_SHA384,
      ?TLS_RSA_PSK_WITH_AES_128_CBC_SHA256,
      ?TLS_RSA_PSK_WITH_AES_256_CBC_SHA,
      ?TLS_RSA_PSK_WITH_AES_128_CBC_SHA,
diff --git a/lib/ssl/src/ssl_cipher.hrl b/lib/ssl/src/ssl_cipher.hrl
index e802600fef..747ca8cdcd 100644
--- a/lib/ssl/src/ssl_cipher.hrl
+++ b/lib/ssl/src/ssl_cipher.hrl
@@ -396,6 +396,24 @@
 
 %%% TLS 1.2 PSK Cipher Suites RFC 5487
 
+%%      TLS_PSK_WITH_AES_128_GCM_SHA256       = {0x00,0xA8};
+-define(TLS_PSK_WITH_AES_128_GCM_SHA256, <<?BYTE(16#00), ?BYTE(16#A8)>>).
+
+%%      TLS_PSK_WITH_AES_256_GCM_SHA384       = {0x00,0xA9};
+-define(TLS_PSK_WITH_AES_256_GCM_SHA384, <<?BYTE(16#00), ?BYTE(16#A9)>>).
+
+%%      TLS_DHE_PSK_WITH_AES_128_GCM_SHA256   = {0x00,0xAA};
+-define(TLS_DHE_PSK_WITH_AES_128_GCM_SHA256, <<?BYTE(16#00), ?BYTE(16#AA)>>).
+
+%%      TLS_DHE_PSK_WITH_AES_256_GCM_SHA384   = {0x00,0xAB};
+-define(TLS_DHE_PSK_WITH_AES_256_GCM_SHA384, <<?BYTE(16#00), ?BYTE(16#AB)>>).
+
+%%      TLS_RSA_PSK_WITH_AES_128_GCM_SHA256   = {0x00,0xAC};
+-define(TLS_RSA_PSK_WITH_AES_128_GCM_SHA256, <<?BYTE(16#00), ?BYTE(16#AC)>>).
+
+%%      TLS_RSA_PSK_WITH_AES_256_GCM_SHA384   = {0x00,0xAD};
+-define(TLS_RSA_PSK_WITH_AES_256_GCM_SHA384, <<?BYTE(16#00), ?BYTE(16#AD)>>).
+
 %%      TLS_PSK_WITH_AES_128_CBC_SHA256       = {0x00,0xAE};
 -define(TLS_PSK_WITH_AES_128_CBC_SHA256, <<?BYTE(16#00), ?BYTE(16#AE)>>).
 
diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl
index dbbf8e90ca..9d3b0f4bf7 100644
--- a/lib/ssl/test/ssl_test_lib.erl
+++ b/lib/ssl/test/ssl_test_lib.erl
@@ -887,8 +887,13 @@ psk_suites() ->
 	 {rsa_psk, aes_128_cbc, sha},
 	 {rsa_psk, aes_256_cbc, sha},
 	 {rsa_psk, aes_128_cbc, sha256},
-	 {rsa_psk, aes_256_cbc, sha384}
-],
+	 {rsa_psk, aes_256_cbc, sha384},
+	 {psk, aes_128_gcm, null},
+	 {psk, aes_256_gcm, null},
+	 {dhe_psk, aes_128_gcm, null},
+	 {dhe_psk, aes_256_gcm, null},
+	 {rsa_psk, aes_128_gcm, null},
+	 {rsa_psk, aes_256_gcm, null}],
     ssl_cipher:filter_suites(Suites).
 
 psk_anon_suites() ->
-- 
cgit v1.2.3