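diff -up openssl-1.0.1e/apps/s_client.c.krb5keytab openssl-1.0.1e/apps/s_client.c
--- openssl-1.0.1e/apps/s_client.c.krb5keytab 2015-03-03 14:41:41.248686764 +0100
+++ openssl-1.0.1e/apps/s_client.c 2015-03-03 15:43:38.285048063 +0100
@@ -169,6 +169,10 @@ typedef unsigned int u_int;
 #include "s_apps.h"
 #include "timeouts.h"
 
+#ifndef OPENSSL_NO_KRB5
+static char *krb5svc=NULL;
+#endif
+
 #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
 /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
 #undef FIONBIO
@@ -348,6 +352,9 @@ static void sc_usage(void)
 BIO_printf(bio_err," 'prot' defines which one to assume. Currently,\n");
 BIO_printf(bio_err," only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
 BIO_printf(bio_err," are supported.\n");
+#ifndef OPENSSL_NO_KRB5
+ BIO_printf(bio_err," -krb5svc arg - Kerberos service name\n");
+#endif
 #ifndef OPENSSL_NO_ENGINE
 BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n");
 #endif
@@ -906,6 +913,13 @@ int MAIN(int argc, char **argv)
 else if (strcmp(*argv,"-nbio") == 0)
 { c_nbio=1; }
 #endif
+#ifndef OPENSSL_NO_KRB5
+ else if (strcmp(*argv,"-krb5svc") == 0)
+ {
+ if (--argc < 1) goto bad;
+ krb5svc= *(++argv);
+ }
+#endif
 else if (strcmp(*argv,"-starttls") == 0)
 {
 if (--argc < 1) goto bad;
@@ -1266,6 +1280,8 @@ bad:
 {
 SSL_set0_kssl_ctx(con, kctx);
 kssl_ctx_setstring(kctx, KSSL_SERVER, host);
+ if (krb5svc != NULL)
+ kssl_ctx_setstring(kctx, KSSL_SERVICE, krb5svc);
 }
 #endif /* OPENSSL_NO_KRB5 */
 /* SSL_set_cipher_list(con,"RC4-MD5"); */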
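Review bot: The return value of the new `kssl_ctx_setstring(kctx, KSSL_SERVICE, krb5svc)` call in the `@@ -1266` hunk is discarded, so if the name cannot be stored (the function reports failure by returning something other than KSSL_CTX_OK) the client presumably proceeds with the compiled-in default service name instead of the one the operator asked for, with no diagnostic; the pre-existing KSSL_SERVER call has the same gap, but the new line is the place to start: `if (krb5svc != NULL && kssl_ctx_setstring(kctx, KSSL_SERVICE, krb5svc) != KSSL_CTX_OK) { BIO_printf(bio_err, "unable to set Kerberos service name\n"); goto end; }` (assuming MAIN's usual `end:` cleanup label). Separately, the s_client.pod section further down advertises a `-keytab filename` option and describes `-krb5svc` in terms of what s_server expects, while this file only parses `-krb5svc`; either drop `-keytab` from the client manual or reword that entry for the client side. MAIN starts and ends outside the hunk.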
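diff -up openssl-1.0.1e/apps/s_server.c.krb5keytab openssl-1.0.1e/apps/s_server.c
--- openssl-1.0.1e/apps/s_server.c.krb5keytab 2015-03-03 14:41:41.198686492 +0100
+++ openssl-1.0.1e/apps/s_server.c 2015-03-03 16:14:14.827107550 +0100
@@ -201,6 +201,11 @@ typedef unsigned int u_int;
 #include <fcntl.h>
 #endif
 
+#ifndef OPENSSL_NO_KRB5
+static char *krb5svc=NULL;
+static char *keytab=NULL;
+#endif
+
 #ifndef OPENSSL_NO_RSA
 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength);
 #endif
@@ -507,6 +512,10 @@ static void sv_usage(void)
 BIO_printf(bio_err," -serverpref - Use server's cipher preferences\n");
 BIO_printf(bio_err," -quiet - No server output\n");
 BIO_printf(bio_err," -no_tmp_rsa - Do not generate a tmp RSA key\n");
+#ifndef OPENSSL_NO_KRB5
+ BIO_printf(bio_err," -krb5svc arg - Kerberos service name\n");
+ BIO_printf(bio_err," -keytab arg - Kerberos keytab filename\n");
+#endif
 #ifndef OPENSSL_NO_PSK
 BIO_printf(bio_err," -psk_hint arg - PSK identity hint to use\n");
 BIO_printf(bio_err," -psk arg - PSK in hex (without 0x)\n");
@@ -1121,6 +1130,18 @@ int MAIN(int argc, char *argv[])
 if (--argc < 1) goto bad;
 cipher= *(++argv);
 }
+#ifndef OPENSSL_NO_KRB5
+ else if (strcmp(*argv,"-krb5svc") == 0)
+ {
+ if (--argc < 1) goto bad;
+ krb5svc= *(++argv);
+ }
+ else if (strcmp(*argv,"-keytab") == 0)
+ {
+ if (--argc < 1) goto bad;
+ keytab= *(++argv);
+ }
+#endif
 else if (strcmp(*argv,"-CAfile") == 0)
 {
 if (--argc < 1) goto bad;
@@ -2019,8 +2040,10 @@ static int sv_body(char *hostname, int s
 if ((kctx = kssl_ctx_new()) != NULL)
 {
 SSL_set0_kssl_ctx(con, kctx);
- kssl_ctx_setstring(kctx, KSSL_SERVICE, KRB5SVC);
- kssl_ctx_setstring(kctx, KSSL_KEYTAB, KRB5KEYTAB);
+ kssl_ctx_setstring(kctx, KSSL_SERVICE,
+ krb5svc == NULL ? KRB5SVC : krb5svc);
+ if (keytab != NULL)
+ kssl_ctx_setstring(kctx, KSSL_KEYTAB, keytab);
 }
 #endif /* OPENSSL_NO_KRB5 */
 if(context)
@@ -2613,8 +2636,11 @@ static int www_body(char *hostname, int 
 #ifndef OPENSSL_NO_KRB5
 if ((kctx = kssl_ctx_new()) != NULL)
 {
- kssl_ctx_setstring(kctx, KSSL_SERVICE, KRB5SVC);
- kssl_ctx_setstring(kctx, KSSL_KEYTAB, KRB5KEYTAB);
+ SSL_set0_kssl_ctx(con, kctx);
+ kssl_ctx_setstring(kctx, KSSL_SERVICE,
+ krb5svc == NULL ? KRB5SVC : krb5svc);
+ if (keytab != NULL)
+ kssl_ctx_setstring(kctx, KSSL_KEYTAB, keytab);
 }
 #endif /* OPENSSL_NO_KRB5 */
 if(context) SSL_set_session_id_context(con, context,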
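Review bot: The KSSL setup in the `@@ -2019` (sv_body) and `@@ -2613` (www_body) hunks is now the same five-line block written twice, and in both copies the result of `kssl_ctx_setstring` is ignored, so a failure to store the `-krb5svc` or `-keytab` value leaves the server silently running with the compiled-in service name or whatever keytab the library picks, which is exactly the situation the operator passed those options to avoid. A small static helper next to the `krb5svc`/`keytab` definitions removes the duplication and gives both bodies one place to check the result; each body would then read `if (setup_kssl_ctx(con) != 0) goto err;` (assuming the bodies' existing cleanup label). Also, when `-keytab` is omitted the new code no longer sets KSSL_KEYTAB at all where it used to pass KRB5KEYTAB — presumably the library then resolves its default keytab, which looks like the intent of the change — but neither the `-keytab` usage line nor the s_server.pod entry states the default; a clause such as `(default: the Kerberos library's default keytab)` in the pod would close that gap. sv_body and www_body both start and end outside their hunks.
```c
#ifndef OPENSSL_NO_KRB5
/* Attach a fresh KSSL context to con and apply the -krb5svc/-keytab
 * settings.  Returns 0 on success, -1 if a setting could not be stored;
 * like the inline code it replaces, a NULL from kssl_ctx_new() is not
 * treated as an error. */
static int setup_kssl_ctx(SSL *con)
	{
	KSSL_CTX *kctx = kssl_ctx_new();

	if (kctx == NULL)
		return 0;
	SSL_set0_kssl_ctx(con, kctx);
	if (kssl_ctx_setstring(kctx, KSSL_SERVICE,
			krb5svc == NULL ? KRB5SVC : krb5svc) != KSSL_CTX_OK)
		return -1;
	if (keytab != NULL
		&& kssl_ctx_setstring(kctx, KSSL_KEYTAB, keytab) != KSSL_CTX_OK)
		return -1;
	return 0;
	}
#endif /* OPENSSL_NO_KRB5 */
/* … unchanged: sv_body and www_body, each calling setup_kssl_ctx(con) in place of the inline block … */
```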
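diff -up openssl-1.0.1e/doc/apps/s_client.pod.krb5keytab openssl-1.0.1e/doc/apps/s_client.pod
--- openssl-1.0.1e/doc/apps/s_client.pod.krb5keytab 2015-03-03 14:41:41.249686770 +0100
+++ openssl-1.0.1e/doc/apps/s_client.pod 2015-03-03 16:28:08.374701114 +0100
@@ -18,6 +18,8 @@ B<openssl> B<s_client>
 [B<-CApath directory>]
 [B<-CAfile filename>]
 [B<-trusted_first>]
+[B<-krb5svc service>]
+[B<-keytab filename>]
 [B<-reconnect>]
 [B<-pause>]
 [B<-showcerts>]
@@ -115,6 +117,17 @@ and to use when attempting to build the
 Set various certificate chain valiadition option. See the
 L<B<verify>|verify(1)> manual page for details.
 
+=item B<-krb5svc service>
+
+the Kerberos service name to use (default "host"). This means s_server
+will expect a ticket for the principal I<service>/hostname@REALM, and will
+need keys for that principal in its keytab.
+
+=item B<-keytab filename>
+
+the Kerberos "keytab" (key table) file, containing keys for the s_server
+service principal (Kerberos identity; see -krb5svc).
+
 =item B<-reconnect>
 
 reconnects to the same server 5 times using the same session ID, this can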
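diff -up openssl-1.0.1e/doc/apps/s_server.pod.krb5keytab openssl-1.0.1e/doc/apps/s_server.pod
--- openssl-1.0.1e/doc/apps/s_server.pod.krb5keytab 2015-03-03 14:41:41.200686503 +0100
+++ openssl-1.0.1e/doc/apps/s_server.pod 2015-03-03 16:29:35.631184313 +0100
@@ -34,6 +34,8 @@ B<openssl> B<s_server>
 [B<-CApath directory>]
 [B<-CAfile filename>]
 [B<-trusted_first>]
+[B<-krb5svc service>]
+[B<-keytab filename>]
 [B<-nocert>]
 [B<-cipher cipherlist>]
 [B<-quiet>]
@@ -181,6 +183,17 @@ Use certificates in CA file or CA direct
 when building the trust chain to verify client certificates.
 This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
 
+=item B<-krb5svc service>
+
+the Kerberos service name to use (default "host"). This means s_server
+will expect a ticket for the principal I<service>/hostname@REALM, and will
+need keys for that principal in its keytab.
+
+=item B<-keytab filename>
+
+the Kerberos "keytab" (key table) file, containing keys for the s_server
+service principal (Kerberos identity; see -krb5svc).
+
 =item B<-state>
 
 prints out the SSL session states.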