RFC 2712 redefines the codes for use of Kerberos 5 in SSL/TLS.
authorRichard Levitte <levitte@openssl.org>
Thu, 10 Oct 2002 07:59:03 +0000 (07:59 +0000)
committerRichard Levitte <levitte@openssl.org>
Thu, 10 Oct 2002 07:59:03 +0000 (07:59 +0000)
PR: 189

CHANGES
ssl/s3_lib.c
ssl/ssl.h
ssl/ssl3.h

diff --git a/CHANGES b/CHANGES
index 6bf38c2..78c3dc9 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -279,6 +279,9 @@ TODO: bug: pad  x  with leading zeros if necessary
  
  Changes between 0.9.6g and 0.9.7  [XX xxx 2002]
 
+  *) Change the SSL kerb5 codes to match RFC 2712.
+     [Richard Levitte]
+
   *) Make -nameopt work fully for req and add -reqopt switch.
      [Michael Bell <michael.bell@rz.hu-berlin.de>, Steve Henson]
 
index afc81a2..e0e1176 100644 (file)
@@ -538,6 +538,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL_ALL_STRENGTHS,
        },
 
+#if 0
 /* Cipher 1E */
        {
        0,
@@ -551,55 +552,70 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL_ALL_CIPHERS,
        SSL_ALL_STRENGTHS,
        },
+#endif
 
 #ifndef OPENSSL_NO_KRB5
 /* The Kerberos ciphers
 ** 20000107 VRS: And the first shall be last,
 ** in hopes of avoiding the lynx ssl renegotiation problem.
 */
-/* Cipher 21 VRS */
+/* Cipher 1E VRS */
        {
        1,
-       SSL3_TXT_KRB5_DES_40_CBC_SHA,
-       SSL3_CK_KRB5_DES_40_CBC_SHA,
+       SSL3_TXT_KRB5_DES_64_CBC_SHA,
+       SSL3_CK_KRB5_DES_64_CBC_SHA,
        SSL_kKRB5|SSL_aKRB5|  SSL_DES|SSL_SHA1   |SSL_SSLV3,
-       SSL_EXPORT|SSL_EXP40,
+       SSL_NOT_EXP|SSL_LOW,
        0,
-       40,
+       56,
        56,
        SSL_ALL_CIPHERS,
        SSL_ALL_STRENGTHS,
        },
 
-/* Cipher 22 VRS */
+/* Cipher 1F VRS */
        {
        1,
-       SSL3_TXT_KRB5_DES_40_CBC_MD5,
-       SSL3_CK_KRB5_DES_40_CBC_MD5,
-       SSL_kKRB5|SSL_aKRB5|  SSL_DES|SSL_MD5    |SSL_SSLV3,
-       SSL_EXPORT|SSL_EXP40,
+       SSL3_TXT_KRB5_DES_192_CBC3_SHA,
+       SSL3_CK_KRB5_DES_192_CBC3_SHA,
+       SSL_kKRB5|SSL_aKRB5|  SSL_3DES|SSL_SHA1  |SSL_SSLV3,
+       SSL_NOT_EXP|SSL_HIGH,
        0,
-       40,
-       56,
+       112,
+       168,
        SSL_ALL_CIPHERS,
        SSL_ALL_STRENGTHS,
        },
 
-/* Cipher 23 VRS */
+/* Cipher 20 VRS */
        {
        1,
-       SSL3_TXT_KRB5_DES_64_CBC_SHA,
-       SSL3_CK_KRB5_DES_64_CBC_SHA,
-       SSL_kKRB5|SSL_aKRB5|  SSL_DES|SSL_SHA1   |SSL_SSLV3,
-       SSL_NOT_EXP|SSL_LOW,
+       SSL3_TXT_KRB5_RC4_128_SHA,
+       SSL3_CK_KRB5_RC4_128_SHA,
+       SSL_kKRB5|SSL_aKRB5|  SSL_RC4|SSL_SHA1  |SSL_SSLV3,
+       SSL_NOT_EXP|SSL_MEDIUM,
        0,
-       56,
-       56,
+       128,
+       128,
        SSL_ALL_CIPHERS,
        SSL_ALL_STRENGTHS,
        },
 
-/* Cipher 24 VRS */
+/* Cipher 21 VRS */
+       {
+       1,
+       SSL3_TXT_KRB5_IDEA_128_CBC_SHA,
+       SSL3_CK_KRB5_IDEA_128_CBC_SHA,
+       SSL_kKRB5|SSL_aKRB5|  SSL_IDEA|SSL_SHA1  |SSL_SSLV3,
+       SSL_NOT_EXP|SSL_MEDIUM,
+       0,
+       128,
+       128,
+       SSL_ALL_CIPHERS,
+       SSL_ALL_STRENGTHS,
+       },
+
+/* Cipher 22 VRS */
        {
        1,
        SSL3_TXT_KRB5_DES_64_CBC_MD5,
@@ -613,12 +629,12 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL_ALL_STRENGTHS,
        },
 
-/* Cipher 25 VRS */
+/* Cipher 23 VRS */
        {
        1,
-       SSL3_TXT_KRB5_DES_192_CBC3_SHA,
-       SSL3_CK_KRB5_DES_192_CBC3_SHA,
-       SSL_kKRB5|SSL_aKRB5|  SSL_3DES|SSL_SHA1  |SSL_SSLV3,
+       SSL3_TXT_KRB5_DES_192_CBC3_MD5,
+       SSL3_CK_KRB5_DES_192_CBC3_MD5,
+       SSL_kKRB5|SSL_aKRB5|  SSL_3DES|SSL_MD5   |SSL_SSLV3,
        SSL_NOT_EXP|SSL_HIGH,
        0,
        112,
@@ -627,16 +643,114 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL_ALL_STRENGTHS,
        },
 
+/* Cipher 24 VRS */
+       {
+       1,
+       SSL3_TXT_KRB5_RC4_128_MD5,
+       SSL3_CK_KRB5_RC4_128_MD5,
+       SSL_kKRB5|SSL_aKRB5|  SSL_RC4|SSL_MD5  |SSL_SSLV3,
+       SSL_NOT_EXP|SSL_MEDIUM,
+       0,
+       128,
+       128,
+       SSL_ALL_CIPHERS,
+       SSL_ALL_STRENGTHS,
+       },
+
+/* Cipher 25 VRS */
+       {
+       1,
+       SSL3_TXT_KRB5_IDEA_128_CBC_MD5,
+       SSL3_CK_KRB5_IDEA_128_CBC_MD5,
+       SSL_kKRB5|SSL_aKRB5|  SSL_IDEA|SSL_MD5  |SSL_SSLV3,
+       SSL_NOT_EXP|SSL_MEDIUM,
+       0,
+       128,
+       128,
+       SSL_ALL_CIPHERS,
+       SSL_ALL_STRENGTHS,
+       },
+
 /* Cipher 26 VRS */
        {
        1,
-       SSL3_TXT_KRB5_DES_192_CBC3_MD5,
-       SSL3_CK_KRB5_DES_192_CBC3_MD5,
-       SSL_kKRB5|SSL_aKRB5|  SSL_3DES|SSL_MD5   |SSL_SSLV3,
-       SSL_NOT_EXP|SSL_HIGH,
+       SSL3_TXT_KRB5_DES_40_CBC_SHA,
+       SSL3_CK_KRB5_DES_40_CBC_SHA,
+       SSL_kKRB5|SSL_aKRB5|  SSL_DES|SSL_SHA1   |SSL_SSLV3,
+       SSL_EXPORT|SSL_EXP40,
        0,
-       112,
-       168,
+       40,
+       56,
+       SSL_ALL_CIPHERS,
+       SSL_ALL_STRENGTHS,
+       },
+
+/* Cipher 27 VRS */
+       {
+       1,
+       SSL3_TXT_KRB5_RC2_40_CBC_SHA,
+       SSL3_CK_KRB5_RC2_40_CBC_SHA,
+       SSL_kKRB5|SSL_aKRB5|  SSL_RC2|SSL_SHA1   |SSL_SSLV3,
+       SSL_EXPORT|SSL_EXP40,
+       0,
+       40,
+       128,
+       SSL_ALL_CIPHERS,
+       SSL_ALL_STRENGTHS,
+       },
+
+/* Cipher 28 VRS */
+       {
+       1,
+       SSL3_TXT_KRB5_RC4_40_CBC_SHA,
+       SSL3_CK_KRB5_RC4_40_CBC_SHA,
+       SSL_kKRB5|SSL_aKRB5|  SSL_RC4|SSL_SHA1   |SSL_SSLV3,
+       SSL_EXPORT|SSL_EXP40,
+       0,
+       128,
+       128,
+       SSL_ALL_CIPHERS,
+       SSL_ALL_STRENGTHS,
+       },
+
+/* Cipher 29 VRS */
+       {
+       1,
+       SSL3_TXT_KRB5_DES_40_CBC_MD5,
+       SSL3_CK_KRB5_DES_40_CBC_MD5,
+       SSL_kKRB5|SSL_aKRB5|  SSL_DES|SSL_MD5    |SSL_SSLV3,
+       SSL_EXPORT|SSL_EXP40,
+       0,
+       40,
+       56,
+       SSL_ALL_CIPHERS,
+       SSL_ALL_STRENGTHS,
+       },
+
+/* Cipher 2A VRS */
+       {
+       1,
+       SSL3_TXT_KRB5_RC2_40_CBC_MD5,
+       SSL3_CK_KRB5_RC2_40_CBC_MD5,
+       SSL_kKRB5|SSL_aKRB5|  SSL_RC2|SSL_MD5    |SSL_SSLV3,
+       SSL_EXPORT|SSL_EXP40,
+       0,
+       40,
+       128,
+       SSL_ALL_CIPHERS,
+       SSL_ALL_STRENGTHS,
+       },
+
+/* Cipher 2B VRS */
+       {
+       1,
+       SSL3_TXT_KRB5_RC4_40_CBC_MD5,
+       SSL3_CK_KRB5_RC4_40_CBC_MD5,
+       SSL_kKRB5|SSL_aKRB5|  SSL_RC4|SSL_MD5    |SSL_SSLV3,
+       SSL_EXPORT|SSL_EXP40,
+       0,
+       128,
+       128,
        SSL_ALL_CIPHERS,
        SSL_ALL_STRENGTHS,
        },
index 49e3c52..46c3bc7 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -209,6 +209,22 @@ extern "C" {
 
 /*    VRS Additional Kerberos5 entries
  */
+#define SSL_TXT_KRB5_DES_64_CBC_SHA   SSL3_TXT_KRB5_DES_64_CBC_SHA
+#define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA
+#define SSL_TXT_KRB5_RC4_128_SHA      SSL3_TXT_KRB5_RC4_128_SHA
+#define SSL_TXT_KRB5_IDEA_128_CBC_SHA SSL3_TXT_KRB5_IDEA_128_CBC_SHA
+#define SSL_TXT_KRB5_DES_64_CBC_MD5   SSL3_TXT_KRB5_DES_64_CBC_MD5       
+#define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA       
+#define SSL_TXT_KRB5_RC4_128_MD5      SSL3_TXT_KRB5_RC4_128_MD5
+#define SSL_TXT_KRB5_IDEA_128_CBC_SHA SSL3_TXT_KRB5_IDEA_128_CBC_SHA 
+
+#define SSL_TXT_KRB5_DES_40_CBC_SHA   SSL3_TXT_KRB5_DES_40_CBC_SHA 
+#define SSL_TXT_KRB5_RC2_40_CBC_SHA   SSL3_TXT_KRB5_RC2_40_CBC_SHA 
+#define SSL_TXT_KRB5_RC4_40_SHA              SSL3_TXT_KRB5_RC4_40_SHA
+#define SSL_TXT_KRB5_DES_40_CBC_MD5   SSL3_TXT_KRB5_DES_40_CBC_MD5 
+#define SSL_TXT_KRB5_RC2_40_CBC_MD5   SSL3_TXT_KRB5_RC2_40_CBC_MD5 
+#define SSL_TXT_KRB5_RC4_40_MD5              SSL3_TXT_KRB5_RC4_40_MD5
+
 #define SSL_TXT_KRB5_DES_40_CBC_SHA   SSL3_TXT_KRB5_DES_40_CBC_SHA
 #define SSL_TXT_KRB5_DES_40_CBC_MD5   SSL3_TXT_KRB5_DES_40_CBC_MD5
 #define SSL_TXT_KRB5_DES_64_CBC_SHA   SSL3_TXT_KRB5_DES_64_CBC_SHA
index 59211fe..4be44b1 100644 (file)
@@ -161,23 +161,29 @@ extern "C" {
 
 #define SSL3_CK_FZA_DMS_NULL_SHA               0x0300001C
 #define SSL3_CK_FZA_DMS_FZA_SHA                        0x0300001D
+#if 0 /* Because it clashes with KRB5, is never used any more, and is safe
+        to remove according to David Hopwood <david.hopwood@zetnet.co.uk>
+        of the ietf-tls list */
 #define SSL3_CK_FZA_DMS_RC4_SHA                        0x0300001E
+#endif
 
 /*    VRS Additional Kerberos5 entries
  */
-#define SSL3_CK_KRB5_DES_40_CBC_SHA            0x03000021
-#define SSL3_CK_KRB5_DES_40_CBC_MD5            0x03000022
-#define SSL3_CK_KRB5_DES_64_CBC_SHA            0x03000023
-#define SSL3_CK_KRB5_DES_64_CBC_MD5            0x03000024
-#define SSL3_CK_KRB5_DES_192_CBC3_SHA          0x03000025
-#define SSL3_CK_KRB5_DES_192_CBC3_MD5          0x03000026
-
-#define SSL3_TXT_KRB5_DES_40_CBC_SHA           "EXP-KRB5-DES-CBC-SHA"
-#define SSL3_TXT_KRB5_DES_40_CBC_MD5           "EXP-KRB5-DES-CBC-MD5"
-#define SSL3_TXT_KRB5_DES_64_CBC_SHA           "KRB5-DES-CBC-SHA"
-#define SSL3_TXT_KRB5_DES_64_CBC_MD5           "KRB5-DES-CBC-MD5"
-#define SSL3_TXT_KRB5_DES_192_CBC3_SHA         "KRB5-DES-CBC3-SHA"
-#define SSL3_TXT_KRB5_DES_192_CBC3_MD5         "KRB5-DES-CBC3-MD5"
+#define SSL3_CK_KRB5_DES_64_CBC_SHA            0x0300001E
+#define SSL3_CK_KRB5_DES_192_CBC3_SHA          0x0300001F
+#define SSL3_CK_KRB5_RC4_128_SHA               0x03000020
+#define SSL3_CK_KRB5_IDEA_128_CBC_SHA          0x03000021
+#define SSL3_CK_KRB5_DES_64_CBC_MD5            0x03000022
+#define SSL3_CK_KRB5_DES_192_CBC3_SHA          0x03000023
+#define SSL3_CK_KRB5_RC4_128_MD5               0x03000024
+#define SSL3_CK_KRB5_IDEA_128_CBC_SHA          0x03000025
+
+#define SSL3_CK_KRB5_DES_40_CBC_SHA            0x03000026
+#define SSL3_CK_KRB5_RC2_40_CBC_SHA            0x03000027
+#define SSL3_CK_KRB5_RC4_40_SHA                        0x03000028
+#define SSL3_CK_KRB5_DES_40_CBC_MD5            0x03000029
+#define SSL3_CK_KRB5_RC2_40_CBC_MD5            0x0300002A
+#define SSL3_CK_KRB5_RC4_40_MD5                        0x0300002B
 
 #define SSL3_TXT_RSA_NULL_MD5                  "NULL-MD5"
 #define SSL3_TXT_RSA_NULL_SHA                  "NULL-SHA"
@@ -214,6 +220,22 @@ extern "C" {
 #define SSL3_TXT_FZA_DMS_FZA_SHA               "FZA-FZA-CBC-SHA"
 #define SSL3_TXT_FZA_DMS_RC4_SHA               "FZA-RC4-SHA"
 
+#define SSL3_TXT_KRB5_DES_64_CBC_SHA           "KRB5-DES-CBC-SHA"
+#define SSL3_TXT_KRB5_DES_192_CBC3_SHA         "KRB5-DES-CBC3-SHA"
+#define SSL3_TXT_KRB5_RC4_128_SHA              "KRB5-RC4-SHA"
+#define SSL3_TXT_KRB5_IDEA_128_CBC_SHA         "KRB5-IDEA-CBC-SHA"
+#define SSL3_TXT_KRB5_DES_64_CBC_MD5           "KRB5-DES-CBC-MD5"
+#define SSL3_TXT_KRB5_DES_192_CBC3_SHA         "KRB5-DES-CBC3-SHA"
+#define SSL3_TXT_KRB5_RC4_128_MD5              "KRB5-RC4-MD5"
+#define SSL3_TXT_KRB5_IDEA_128_CBC_SHA                 "KRB5-IDEA-CBC-SHA"
+
+#define SSL3_TXT_KRB5_DES_40_CBC_SHA           "EXP-KRB5-DES-CBC-SHA"
+#define SSL3_TXT_KRB5_RC2_40_CBC_SHA           "EXP-KRB5-RC2-CBC-SHA"
+#define SSL3_TXT_KRB5_RC4_40_SHA               "EXP-KRB5-RC4-SHA"
+#define SSL3_TXT_KRB5_DES_40_CBC_MD5           "EXP-KRB5-DES-CBC-MD5"
+#define SSL3_TXT_KRB5_DES_40_CBC_MD5           "EXP-KRB5-DES-CBC-MD5"
+#define SSL3_TXT_KRB5_RC4_40_MD5               "EXP-KRB5-RC4-MD5"
+
 #define SSL3_SSL_SESSION_ID_LENGTH             32
 #define SSL3_MAX_SSL_SESSION_ID_LENGTH         32