|
|
cfec1a |
diff -up openssl-1.0.2j/apps/s_client.c.krb5keytab openssl-1.0.2j/apps/s_client.c
|
|
|
cfec1a |
--- openssl-1.0.2j/apps/s_client.c.krb5keytab 2017-01-05 17:02:05.481441088 +0100
|
|
|
cfec1a |
+++ openssl-1.0.2j/apps/s_client.c 2017-01-05 17:08:28.311073180 +0100
|
|
|
cfec1a |
@@ -171,6 +171,10 @@ typedef unsigned int u_int;
|
|
|
cfec1a |
#include "s_apps.h"
|
|
|
cfec1a |
#include "timeouts.h"
|
|
|
cfec1a |
|
|
|
cfec1a |
+#ifndef OPENSSL_NO_KRB5
|
|
|
cfec1a |
+static char *krb5svc = NULL;
|
|
|
cfec1a |
+#endif
|
|
|
cfec1a |
+
|
|
|
cfec1a |
#if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
|
|
|
cfec1a |
/* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
|
|
|
cfec1a |
# undef FIONBIO
|
|
|
cfec1a |
@@ -400,6 +404,9 @@ static void sc_usage(void)
|
|
|
cfec1a |
BIO_printf(bio_err,
|
|
|
cfec1a |
" only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
|
|
|
cfec1a |
BIO_printf(bio_err, " are supported.\n");
|
|
|
cfec1a |
+#ifndef OPENSSL_NO_KRB5
|
|
|
cfec1a |
+ BIO_printf(bio_err, " -krb5svc arg - Kerberos service name\n");
|
|
|
cfec1a |
+#endif
|
|
|
cfec1a |
#ifndef OPENSSL_NO_ENGINE
|
|
|
cfec1a |
BIO_printf(bio_err,
|
|
|
cfec1a |
" -engine id - Initialise and use the specified engine\n");
|
|
|
cfec1a |
@@ -1069,6 +1076,13 @@ int MAIN(int argc, char **argv)
|
|
|
cfec1a |
c_nbio = 1;
|
|
|
cfec1a |
}
|
|
|
cfec1a |
#endif
|
|
|
cfec1a |
+#ifndef OPENSSL_NO_KRB5
|
|
|
cfec1a |
+ else if (strcmp(*argv, "-krb5svc") == 0) {
|
|
|
cfec1a |
+ if (--argc < 1)
|
|
|
cfec1a |
+ goto bad;
|
|
|
cfec1a |
+ krb5svc= *(++argv);
|
|
|
cfec1a |
+ }
|
|
|
cfec1a |
+#endif
|
|
|
cfec1a |
else if (strcmp(*argv, "-starttls") == 0) {
|
|
|
cfec1a |
if (--argc < 1)
|
|
|
cfec1a |
goto bad;
|
|
|
cfec1a |
@@ -1435,6 +1449,8 @@ int MAIN(int argc, char **argv)
|
|
|
cfec1a |
if (con && (kctx = kssl_ctx_new()) != NULL) {
|
|
|
cfec1a |
SSL_set0_kssl_ctx(con, kctx);
|
|
|
cfec1a |
kssl_ctx_setstring(kctx, KSSL_SERVER, host);
|
|
|
cfec1a |
+ if (krb5svc != NULL)
|
|
|
cfec1a |
+ kssl_ctx_setstring(kctx, KSSL_SERVICE, krb5svc);
|
|
|
cfec1a |
}
|
|
|
cfec1a |
#endif /* OPENSSL_NO_KRB5 */
|
|
|
cfec1a |
/* SSL_set_cipher_list(con,"RC4-MD5"); */
|
|
|
cfec1a |
diff -up openssl-1.0.2j/apps/s_server.c.krb5keytab openssl-1.0.2j/apps/s_server.c
|
|
|
cfec1a |
--- openssl-1.0.2j/apps/s_server.c.krb5keytab 2017-01-05 17:02:05.482441111 +0100
|
|
|
cfec1a |
+++ openssl-1.0.2j/apps/s_server.c 2017-01-05 17:16:36.458078609 +0100
|
|
|
cfec1a |
@@ -206,6 +206,11 @@ typedef unsigned int u_int;
|
|
|
cfec1a |
# include <fcntl.h>
|
|
|
cfec1a |
#endif
|
|
|
cfec1a |
|
|
|
cfec1a |
+#ifndef OPENSSL_NO_KRB5
|
|
|
cfec1a |
+static char *krb5svc = NULL;
|
|
|
cfec1a |
+static char *keytab = NULL;
|
|
|
cfec1a |
+#endif
|
|
|
cfec1a |
+
|
|
|
cfec1a |
#ifndef OPENSSL_NO_RSA
|
|
|
cfec1a |
static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength);
|
|
|
cfec1a |
#endif
|
|
|
cfec1a |
@@ -579,6 +584,10 @@ static void sv_usage(void)
|
|
|
cfec1a |
BIO_printf(bio_err, " -serverpref - Use server's cipher preferences\n");
|
|
|
cfec1a |
BIO_printf(bio_err, " -quiet - No server output\n");
|
|
|
cfec1a |
BIO_printf(bio_err, " -no_tmp_rsa - Do not generate a tmp RSA key\n");
|
|
|
cfec1a |
+#ifndef OPENSSL_NO_KRB5
|
|
|
cfec1a |
+ BIO_printf(bio_err, " -krb5svc arg - Kerberos service name\n");
|
|
|
cfec1a |
+ BIO_printf(bio_err, " -keytab arg - Kerberos keytab filename\n");
|
|
|
cfec1a |
+#endif
|
|
|
cfec1a |
#ifndef OPENSSL_NO_PSK
|
|
|
cfec1a |
BIO_printf(bio_err, " -psk_hint arg - PSK identity hint to use\n");
|
|
|
cfec1a |
BIO_printf(bio_err, " -psk arg - PSK in hex (without 0x)\n");
|
|
|
cfec1a |
@@ -1326,6 +1335,17 @@ int MAIN(int argc, char *argv[])
|
|
|
cfec1a |
goto bad;
|
|
|
cfec1a |
vfyCAfile = *(++argv);
|
|
|
cfec1a |
}
|
|
|
cfec1a |
+#ifndef OPENSSL_NO_KRB5
|
|
|
cfec1a |
+ else if (strcmp(*argv, "-krb5svc") == 0) {
|
|
|
cfec1a |
+ if (--argc < 1)
|
|
|
cfec1a |
+ goto bad;
|
|
|
cfec1a |
+ krb5svc = *(++argv);
|
|
|
cfec1a |
+ } else if (strcmp(*argv, "-keytab") == 0) {
|
|
|
cfec1a |
+ if (--argc < 1)
|
|
|
cfec1a |
+ goto bad;
|
|
|
cfec1a |
+ keytab = *(++argv);
|
|
|
cfec1a |
+ }
|
|
|
cfec1a |
+#endif
|
|
|
cfec1a |
#ifdef FIONBIO
|
|
|
cfec1a |
else if (strcmp(*argv, "-nbio") == 0) {
|
|
|
cfec1a |
s_nbio = 1;
|
|
|
cfec1a |
@@ -2226,8 +2246,10 @@ static int sv_body(char *hostname, int s
|
|
|
cfec1a |
#ifndef OPENSSL_NO_KRB5
|
|
|
cfec1a |
if ((kctx = kssl_ctx_new()) != NULL) {
|
|
|
cfec1a |
SSL_set0_kssl_ctx(con, kctx);
|
|
|
cfec1a |
- kssl_ctx_setstring(kctx, KSSL_SERVICE, KRB5SVC);
|
|
|
cfec1a |
- kssl_ctx_setstring(kctx, KSSL_KEYTAB, KRB5KEYTAB);
|
|
|
cfec1a |
+ kssl_ctx_setstring(kctx, KSSL_SERVICE,
|
|
|
cfec1a |
+ krb5svc == NULL ? KRB5SVC : krb5svc);
|
|
|
cfec1a |
+ if (keytab != NULL)
|
|
|
cfec1a |
+ kssl_ctx_setstring(kctx, KSSL_KEYTAB, keytab);
|
|
|
cfec1a |
}
|
|
|
cfec1a |
#endif /* OPENSSL_NO_KRB5 */
|
|
|
cfec1a |
if (context)
|
|
|
cfec1a |
@@ -2836,8 +2858,11 @@ static int www_body(char *hostname, int
|
|
|
cfec1a |
#endif
|
|
|
cfec1a |
#ifndef OPENSSL_NO_KRB5
|
|
|
cfec1a |
if ((kctx = kssl_ctx_new()) != NULL) {
|
|
|
cfec1a |
- kssl_ctx_setstring(kctx, KSSL_SERVICE, KRB5SVC);
|
|
|
cfec1a |
- kssl_ctx_setstring(kctx, KSSL_KEYTAB, KRB5KEYTAB);
|
|
|
cfec1a |
+ SSL_set0_kssl_ctx(con, kctx);
|
|
|
cfec1a |
+ kssl_ctx_setstring(kctx, KSSL_SERVICE,
|
|
|
cfec1a |
+ krb5svc == NULL ? KRB5SVC : krb5svc);
|
|
|
cfec1a |
+ if (keytab != NULL)
|
|
|
cfec1a |
+ kssl_ctx_setstring(kctx, KSSL_KEYTAB, keytab);
|
|
|
cfec1a |
}
|
|
|
cfec1a |
#endif /* OPENSSL_NO_KRB5 */
|
|
|
cfec1a |
if (context)
|
|
|
cfec1a |
diff -up openssl-1.0.2j/doc/apps/s_client.pod.krb5keytab openssl-1.0.2j/doc/apps/s_client.pod
|
|
|
cfec1a |
--- openssl-1.0.2j/doc/apps/s_client.pod.krb5keytab 2016-09-26 11:49:07.000000000 +0200
|
|
|
cfec1a |
+++ openssl-1.0.2j/doc/apps/s_client.pod 2017-01-05 17:21:30.562709291 +0100
|
|
|
cfec1a |
@@ -43,6 +43,7 @@ B<openssl> B<s_client>
|
|
|
cfec1a |
[B<-fallback_scsv>]
|
|
|
cfec1a |
[B<-bugs>]
|
|
|
cfec1a |
[B<-cipher cipherlist>]
|
|
|
cfec1a |
+[B<-krb5svc service>]
|
|
|
cfec1a |
[B<-serverpref>]
|
|
|
cfec1a |
[B<-starttls protocol>]
|
|
|
cfec1a |
[B<-engine id>]
|
|
|
cfec1a |
@@ -228,6 +229,12 @@ command for more information.
|
|
|
cfec1a |
|
|
|
cfec1a |
use the server's cipher preferences; only used for SSLV2.
|
|
|
cfec1a |
|
|
|
cfec1a |
+=item B<-krb5svc service>
|
|
|
cfec1a |
+
|
|
|
cfec1a |
+the Kerberos service name to use (default "host"). This means s_server
|
|
|
cfec1a |
+will expect a ticket for the principal I<service>/hostname@REALM, and will
|
|
|
cfec1a |
+need keys for that principal in its keytab.
|
|
|
cfec1a |
+
|
|
|
cfec1a |
=item B<-starttls protocol>
|
|
|
cfec1a |
|
|
|
cfec1a |
send the protocol-specific message(s) to switch to TLS for communication.
|
|
|
cfec1a |
diff -up openssl-1.0.2j/doc/apps/s_server.pod.krb5keytab openssl-1.0.2j/doc/apps/s_server.pod
|
|
|
cfec1a |
--- openssl-1.0.2j/doc/apps/s_server.pod.krb5keytab 2017-01-05 17:02:05.482441111 +0100
|
|
|
cfec1a |
+++ openssl-1.0.2j/doc/apps/s_server.pod 2017-01-05 17:20:54.769902331 +0100
|
|
|
cfec1a |
@@ -37,6 +37,8 @@ B<openssl> B<s_server>
|
|
|
cfec1a |
[B<-nocert>]
|
|
|
cfec1a |
[B<-cipher cipherlist>]
|
|
|
cfec1a |
[B<-serverpref>]
|
|
|
cfec1a |
+[B<-krb5svc service>]
|
|
|
cfec1a |
+[B<-keytab filename>]
|
|
|
cfec1a |
[B<-quiet>]
|
|
|
cfec1a |
[B<-no_tmp_rsa>]
|
|
|
cfec1a |
[B<-ssl2>]
|
|
|
cfec1a |
@@ -246,6 +248,17 @@ the B<ciphers> command for more informat
|
|
|
cfec1a |
|
|
|
cfec1a |
use the server's cipher preferences, rather than the client's preferences.
|
|
|
cfec1a |
|
|
|
cfec1a |
+=item B<-krb5svc service>
|
|
|
cfec1a |
+
|
|
|
cfec1a |
+the Kerberos service name to use (default "host"). This means s_server
|
|
|
cfec1a |
+will expect a ticket for the principal I<service>/hostname@REALM, and will
|
|
|
cfec1a |
+need keys for that principal in its keytab.
|
|
|
cfec1a |
+
|
|
|
cfec1a |
+=item B<-keytab filename>
|
|
|
cfec1a |
+
|
|
|
cfec1a |
+the Kerberos "keytab" (key table) file, containing keys for the s_server
|
|
|
cfec1a |
+service principal (Kerberos identity; see -krb5svc).
|
|
|
cfec1a |
+
|
|
|
cfec1a |
=item B<-tlsextdebug>
|
|
|
cfec1a |
|
|
|
cfec1a |
print out a hex dump of any TLS extensions received from the server.
|