Some of the Kerberos code had dissapeared. Reapply.

[oweals/openssl.git] / ssl / s3_clnt.c

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 93a87c4f124456d66dd0d50203a1c1922a7304d5..413e2e65515eb8a28c458679ad584680e38049fe 100644 (file)
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -64,7 +64,7 @@
 #include "ssl_locl.h"
 
 #ifndef OPENSSL_NO_KRB5
-#include "kssl.h"
+#include "kssl_lcl.h"
 #endif
 
 static SSL_METHOD *ssl3_get_client_method(int ver);
@@ -766,7 +766,12 @@ static int ssl3_get_server_certificate(SSL *s)
                }
 
        i=ssl_verify_cert_chain(s,sk);
-       if ((s->verify_mode != SSL_VERIFY_NONE) && (!i))
+       if ((s->verify_mode != SSL_VERIFY_NONE) && (!i)
+#ifndef OPENSSL_NO_KRB5
+                && (s->s3->tmp.new_cipher->algorithms & (SSL_MKEY_MASK|SSL_AUTH_MASK))
+                != (SSL_aKRB5|SSL_kKRB5)
+#endif /* OPENSSL_NO_KRB5 */
+                )
                {
                al=ssl_verify_alarm_type(s->verify_result);
                SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED);