From 0a608964a4a8bb6fcdda12e7b805522aa9364c22 Mon Sep 17 00:00:00 2001
From: Love Hornquist Astrand <lha@h5l.org>
Date: Sat, 2 Oct 2010 12:13:19 -0700
Subject: [PATCH] only set error code in case of failure, add comment

---
 lib/krb5/crypto.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/lib/krb5/crypto.c b/lib/krb5/crypto.c
index 7ae19b124..2502cc672 100644
--- a/lib/krb5/crypto.c
+++ b/lib/krb5/crypto.c
@@ -1880,12 +1880,19 @@ verify_checksum(krb5_context context,
 	    return ret;
     } else
 	dkey = NULL;
+
+    /*
+     * If checksum have a verify function, lets use that instead of
+     * calling ->checksum and then compare result.
+     */
+
     if(ct->verify) {
 	ret = (*ct->verify)(context, dkey, data, len, usage, cksum);
-	krb5_set_error_message(context, ret, 
-			       N_("Decrypt integrity check failed for checksum "
-				  "type %s, key type %s", ""),
-			       ct->name, crypto->et->name);
+	if (ret)
+	    krb5_set_error_message(context, ret, 
+				   N_("Decrypt integrity check failed for checksum "
+				      "type %s, key type %s", ""),
+				   ct->name, crypto->et->name);
 	return ret;
     }