From abcd0e9de6c232cdb2d5167f6ca9170a92da3cfd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?= <lha@kth.se>
Date: Thu, 1 Feb 2007 20:28:49 +0000
Subject: [PATCH] Better logging and return status = FALSE when checksum
 doesn't match.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@20120 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 kdc/digest.c | 65 +++++++++++++++++++++++++---------------------------
 1 file changed, 31 insertions(+), 34 deletions(-)

diff --git a/kdc/digest.c b/kdc/digest.c
index ab75e00c5..a16b978d2 100644
--- a/kdc/digest.c
+++ b/kdc/digest.c
@@ -629,18 +629,18 @@ _kdc_do_digest(krb5_context context,
 		goto out;
 	    }
 
-	    ret = strcmp(mdx, ireq.u.digestRequest.responseData);
-	    free(mdx);
-	    if (ret != 0) {
-		krb5_set_error_string(context, 
-				      "CHAP reply mismatch for %s",
-				      ireq.u.digestRequest.username);
-		ret = EINVAL;
-		goto out;
-	    }
-
 	    r.element = choice_DigestRepInner_response;
-	    r.u.response.success = TRUE;
+
+	    ret = strcasecmp(mdx, ireq.u.digestRequest.responseData);
+	    free(mdx);
+	    if (ret == 0) {
+		r.u.response.success = TRUE;
+	    } else {
+		kdc_log(context, config, 0, 
+			"CHAP reply mismatch for %s",
+			ireq.u.digestRequest.username);
+		r.u.response.success = FALSE;
+	    }
 
 	} else if (strcasecmp(ireq.u.digestRequest.type, "SASL-DIGEST-MD5") == 0) {
 	    MD5_CTX ctx;
@@ -742,18 +742,17 @@ _kdc_do_digest(krb5_context context,
 		goto out;
 	    }
 
-	    ret = strcmp(mdx, ireq.u.digestRequest.responseData);
-	    free(mdx);
-	    if (ret != 0) {
-		krb5_set_error_string(context, 
-				      "Digest-MD5 reply mismatch for %s",
-				      ireq.u.digestRequest.username);
-		ret = EINVAL;
-		goto out;
-	    }
-
 	    r.element = choice_DigestRepInner_response;
-	    r.u.response.success = TRUE;
+	    ret = strcasecmp(mdx, ireq.u.digestRequest.responseData);
+	    free(mdx);
+	    if (ret == 0) {
+		r.u.response.success = TRUE;
+	    } else {
+		kdc_log(context, config, 0, 
+			"DIGEST-MD5 reply mismatch for %s",
+			ireq.u.digestRequest.username);
+		r.u.response.success = FALSE;
+	    }
 
 	} else if (strcasecmp(ireq.u.digestRequest.type, "MS-CHAP-V2") == 0) {
 	    unsigned char md[SHA_DIGEST_LENGTH], challange[SHA_DIGEST_LENGTH];
@@ -857,19 +856,17 @@ _kdc_do_digest(krb5_context context,
 		goto out;
 	    }
 
-	    ret = strcmp(mdx, ireq.u.digestRequest.responseData);
-	    free(mdx);
-	    if (ret != 0) {
-		free(answer.data);
-		krb5_set_error_string(context, 
-				      "MS-CHAP-V2 reply mismatch for %s",
-				      ireq.u.digestRequest.username);
-		ret = EINVAL;
-		goto out;
-	    }
-
 	    r.element = choice_DigestRepInner_response;
-	    r.u.response.success = TRUE;
+	    ret = strcasecmp(mdx, ireq.u.digestRequest.responseData);
+	    free(mdx);
+	    if (ret == 0) {
+		r.u.response.success = TRUE;
+	    } else {
+		kdc_log(context, config, 0, 
+			"MS-CHAP-V2 reply mismatch for %s",
+			ireq.u.digestRequest.username);
+		r.u.response.success = FALSE;
+	    }
 
 	    /* GenerateAuthenticatorResponse */
 	    SHA1_Init(&ctx);