More Kerberos SSL changes from Jeffrey Altman <jaltman@columbia.edu>

His comments are:

First, it corrects a problem introduced in the last patch where the
kssl_map_enc() would intentionally return NULL for valid ENCTYPE
values.  This was done to prevent verification of the kerberos 5
authenticator from being performed when Derived Key ciphers were
in use.  Unfortunately, the authenticator verification routine was
not the only place that function was used.  And it caused core dumps.

Second, it attempt to add to SSL_SESSION the Kerberos 5 Client
Principal Name.

1 files changed, 11 insertions, 0 deletions

diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 5bfc8ccf6a..7430d84d75 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -558,6 +558,17 @@ int SSL_set_session(SSL *s, SSL_SESSION *session)
 				session->timeout=s->ctx->session_timeout;
 			}
 
+#ifndef OPENSSL_NO_KRB5
+                if (s->kssl_ctx && !s->kssl_ctx->client_princ &&
+                    session->krb5_client_princ_len > 0)
+                {
+                    s->kssl_ctx->client_princ = (char *)malloc(session->krb5_client_princ_len + 1);
+                    memcpy(s->kssl_ctx->client_princ,session->krb5_client_princ,
+                            session->krb5_client_princ_len);
+                    s->kssl_ctx->client_princ[session->krb5_client_princ_len] = '/0';
+                }
+#endif /* OPENSSL_NO_KRB5 */
+
 		/* CRYPTO_w_lock(CRYPTO_LOCK_SSL);*/
 		CRYPTO_add(&session->references,1,CRYPTO_LOCK_SSL_SESSION);
 		if (s->session != NULL)