diff --git a/kdc/digest.c b/kdc/digest.c
index 2ea21a41a..a8652891f 100644
--- a/kdc/digest.c
+++ b/kdc/digest.c
@@ -586,9 +586,9 @@ _kdc_do_digest(krb5_context context,
 if (ret) goto out;
- ret = krb5_verify_checksum(context, crypto,
+ ret = _kdc_verify_checksum(context, crypto,
 KRB5_KU_DIGEST_OPAQUE,
- buf.data, buf.length, &res);
+ &buf, &res);
 free_Checksum(&res);
 krb5_data_free(&buf);
 krb5_crypto_destroy(context, crypto);
diff --git a/kdc/fast.c b/kdc/fast.c
index 79fb181ae..0e3644aee 100644
--- a/kdc/fast.c
+++ b/kdc/fast.c
@@ -475,10 +475,9 @@ fast_unwrap_request(astgs_request_t r)
 krb5_free_keyblock_contents(r->context, &armorkey);
 /* verify req-checksum of the outer body */
- ret = krb5_verify_checksum(r->context, r->armor_crypto,
+ ret = _kdc_verify_checksum(r->context, r->armor_crypto,
 KRB5_KU_FAST_REQ_CHKSUM,
- r->req.req_body._save.data,
- r->req.req_body._save.length,
+ &r->req.req_body._save,
 &fxreq.u.armored_data.req_checksum);
 if (ret) {
 kdc_log(r->context, r->config, 2,
diff --git a/kdc/gss_preauth.c b/kdc/gss_preauth.c
index 164167a7f..c1029f100 100644
--- a/kdc/gss_preauth.c
+++ b/kdc/gss_preauth.c
@@ -110,8 +110,7 @@ pa_gss_verify_req_body_checksum(astgs_request_t r,
 heim_assert(ret || data.length, "internal asn1 encoder error");
- ret = krb5_verify_checksum(r->context, NULL, 0,
- data.data, data.length, checksum);
+ ret = _kdc_verify_checksum(r->context, NULL, 0, &data, checksum);
 krb5_data_free(&data);
 return ret;
diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index d92e5d8ab..10b2c0fb3 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
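Review bot: In the kdc/gss_preauth.c hunk, `heim_assert(ret || data.length, "internal asn1 encoder error")` accepts a non-zero `ret`, and the next statement overwrites `ret` with the result of `_kdc_verify_checksum`, so an earlier encoding error is discarded and the checksum is verified over an empty `data`. The lines that set `ret` are outside the hunk, so whether a failure can actually reach this point needs confirming against the full body of pa_gss_verify_req_body_checksum. Because this call decides whether the request body is authentic, it should fail closed before verification: `if (ret) return ret;` placed between the assert and the call.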
@@ -791,6 +791,24 @@ out:
 return ret;
 }
+krb5_error_code
+_kdc_verify_checksum(krb5_context context,
+ krb5_crypto crypto,
+ krb5_key_usage usage,
+ const krb5_data *data,
+ Checksum *cksum)
+{
+ krb5_error_code ret;
+
+ ret = krb5_verify_checksum(context, crypto, usage,
+ data->data, data->length,
+ cksum);
+ if (ret == KRB5_PROG_SUMTYPE_NOSUPP)
+ ret = KRB5KDC_ERR_SUMTYPE_NOSUPP;
+
+ return ret;
+}
+
 static krb5_error_code
 tgs_check_authenticator(krb5_context context,
 krb5_kdc_configuration *config,
@@ -830,11 +848,10 @@ tgs_check_authenticator(krb5_context context,
 * not require it to be keyed (as the authenticator is encrypted). */
 _krb5_crypto_set_flags(context, crypto, KRB5_CRYPTO_FLAG_ALLOW_UNKEYED_CHECKSUM);
- ret = krb5_verify_checksum(context,
+ ret = _kdc_verify_checksum(context,
 crypto,
 KRB5_KU_TGS_REQ_AUTH_CKSUM,
- b->_save.data,
- b->_save.length,
+ &b->_save,
 auth->cksum);
 krb5_crypto_destroy(context, crypto);
 if(ret){
@@ -1862,11 +1879,10 @@ server_lookup:
 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
 }
 else {
- ret = krb5_verify_checksum(context,
+ ret = _kdc_verify_checksum(context,
 crypto,
 KRB5_KU_OTHER_CKSUM,
- datack.data,
- datack.length,
+ &datack,
 &self.cksum);
 }
 krb5_data_free(&datack);
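Review bot: `_kdc_verify_checksum` in the first kdc/krb5tgs.c hunk is added without a comment, and its one behavioural difference from `krb5_verify_checksum` (rewriting `KRB5_PROG_SUMTYPE_NOSUPP` to `KRB5KDC_ERR_SUMTYPE_NOSUPP`) is easy to lose if a later caller goes back to the library function. I would add above the definition: `/* KDC wrapper for krb5_verify_checksum(): returns KRB5KDC_ERR_SUMTYPE_NOSUPP instead of the library's KRB5_PROG_SUMTYPE_NOSUPP; all other codes pass through unchanged. data must be non-NULL. */`. The non-NULL precondition matters because `data->data` is dereferenced unconditionally; the five call sites in this diff satisfy it by passing the address of an existing `krb5_data`. The function is non-static and is called from digest.c, fast.c and gss_preauth.c, but no prototype change is visible here; presumably the private header is generated, which is worth confirming.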