From 641105bfbdce4e25a1634a0490e9800c12d97e67 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Tue, 22 Nov 2016 13:42:31 +0100
Subject: [PATCH] lib/krb5: move checksum vs. enctype checks into get_checksum_key()
Signed-off-by: Stefan Metzmacher
Reviewed-by: Jeremy Allison
(cherry picked from Samba commit 05cc099499ef3a07d140981ef82937c842a3ffef)
---
 lib/krb5/crypto.c | 51 +++++++++++++++++++----------------------------
 1 file changed, 20 insertions(+), 31 deletions(-)
diff --git a/lib/krb5/crypto.c b/lib/krb5/crypto.c
index 1c30629db..aa7373424 100644
--- a/lib/krb5/crypto.c
+++ b/lib/krb5/crypto.c
@@ -316,6 +316,24 @@ get_checksum_key(krb5_context context,
 struct _krb5_key_data **key)
 {
 krb5_error_code ret = 0;
+ struct _krb5_checksum_type *kct = NULL;
+
+ if (crypto == NULL) {
+ krb5_set_error_message(context, KRB5_BAD_ENCTYPE,
+ N_("Checksum type %s is keyed but no "
+ "crypto context (key) was passed in", ""),
+ ct->name);
+ return KRB5_BAD_ENCTYPE;
+ }
+ kct = crypto->et->keyed_checksum;
+ if (kct == NULL || kct->type != ct->type) {
+ krb5_set_error_message(context, KRB5_BAD_ENCTYPE,
+ N_("Checksum type %s is keyed, but "
+ "the key type %s passed didnt have that checksum "
+ "type as the keyed type", ""),
+ ct->name, crypto->et->name);
+ return KRB5_BAD_ENCTYPE;
+ }
 if(ct->flags & F_DERIVED)
 ret = _get_derived_key(context, crypto, usage, key);
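Review bot: Both new guards in get_checksum_key() return `KRB5_BAD_ENCTYPE`, while the copies this commit removes from create_checksum() and verify_checksum() returned `KRB5_PROG_SUMTYPE_NOSUPP`, so this is not a pure move and any caller that tests for the old code will behave differently. The commit message should say so, or the old code should be kept. The guards also run unconditionally and their messages say the type "is keyed", yet nothing in the visible part of the function tests `ct->flags & F_KEYED`; both callers in this patch do, so a contract comment above the guards would pin that down, e.g. `/* Only called for F_KEYED checksum types; the key's enctype must list ct as its keyed checksum. */`. `crypto->et` is dereferenced without a check, presumably safe because a crypto context always carries an enctype, but that is not visible here. The function body continues outside the hunk.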
@@ -349,21 +367,12 @@ create_checksum (krb5_context context,
 {
 krb5_error_code ret;
 struct _krb5_key_data *dkey;
- int keyed_checksum;
 if (ct->flags & F_DISABLED) {
 krb5_clear_error_message (context);
 return KRB5_PROG_SUMTYPE_NOSUPP;
 }
- keyed_checksum = (ct->flags & F_KEYED) != 0;
- if(keyed_checksum && crypto == NULL) {
- krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
- N_("Checksum type %s is keyed but no "
- "crypto context (key) was passed in", ""),
- ct->name);
- return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
- }
- if(keyed_checksum) {
+ if (ct->flags & F_KEYED) {
 ret = get_checksum_key(context, crypto, usage, ct, &dkey);
 if (ret)
 return ret;
@@ -431,7 +440,6 @@ verify_checksum(krb5_context context,
 {
 krb5_error_code ret;
 struct _krb5_key_data *dkey;
- int keyed_checksum;
 Checksum c;
 struct _krb5_checksum_type *ct;
@@ -452,26 +460,7 @@ verify_checksum(krb5_context context,
 return KRB5KRB_AP_ERR_BAD_INTEGRITY; /* XXX */
 }
- keyed_checksum = (ct->flags & F_KEYED) != 0;
- if(keyed_checksum) {
- struct _krb5_checksum_type *kct;
- if (crypto == NULL) {
- krb5_set_error_message(context, KRB5_PROG_SUMTYPE_NOSUPP,
- N_("Checksum type %s is keyed but no "
- "crypto context (key) was passed in", ""),
- ct->name);
- return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
- }
- kct = crypto->et->keyed_checksum;
- if (kct == NULL || kct->type != ct->type) {
- krb5_set_error_message(context, KRB5_PROG_SUMTYPE_NOSUPP,
- N_("Checksum type %s is keyed, but "
- "the key type %s passed didnt have that checksum "
- "type as the keyed type", ""),
- ct->name, crypto->et->name);
- return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
- }
-
+ if (ct->flags & F_KEYED) {
 ret = get_checksum_key(context, crypto, usage, ct, &dkey);
 if (ret)
 return ret;
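Review bot: create_checksum() now inherits the keyed-checksum/enctype match test through get_checksum_key(), which the block removed here never performed (it only rejected `crypto == NULL`), so creating a checksum with a key whose enctype names a different keyed checksum starts failing with this commit. Binding the checksum type to the key type on the signing path is a sound tightening, but it is a behaviour change that the commit message, which describes a move, does not mention. A regression test that drives the create path with a mismatched key and expects the error would document it. I would also add a comment at the call, `/* get_checksum_key() also rejects a key whose enctype does not list ct as its keyed checksum */`. The function starts and ends outside the hunk.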