krb5: return KRB5KRB_AP_ERR_INAPP_CKSUM if PAC checksum fails
authorLuke Howard <lukeh@padl.com>
Fri, 17 Sep 2021 03:57:57 +0000 (13:57 +1000)
committerStefan Metzmacher <metze@samba.org>
Wed, 27 Oct 2021 22:37:10 +0000 (22:37 +0000)
Return KRB5KRB_AP_ERR_INAPP_CKSUM instead of EINVAL when verifying a PAC, if
the checksum is absent or unkeyed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

[jsutton@samba.org Cherry-picked from Heimdal commit
c4b99b48c4b18f30d504b427bc1961d7a71f631e]

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit d6a472e953545ec3858ca969c1a4191e4f27ba63)

source4/heimdal/lib/krb5/pac.c

index 922a8710eda2709c454440cd5dff2607add3f251..3e45125d35ed62dcc31dffd6d0853f2334f0878f 100644 (file)
@@ -489,13 +489,13 @@ verify_checksum(krb5_context context,
     }
     ret = krb5_storage_read(sp, cksum.checksum.data, cksum.checksum.length);
     if (ret != (int)cksum.checksum.length) {
-       ret = EINVAL;
+       ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
        krb5_set_error_message(context, ret, "PAC checksum missing checksum");
        goto out;
     }
 
     if (!krb5_checksum_is_keyed(context, cksum.cksumtype)) {
-       ret = EINVAL;
+       ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
        krb5_set_error_message(context, ret, "Checksum type %d not keyed",
                               cksum.cksumtype);
        goto out;
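Review bot: In the first branch, a failed `krb5_storage_read` (negative return) and a truncated signature buffer both now yield KRB5KRB_AP_ERR_INAPP_CKSUM with the text "PAC checksum missing checksum", so a log reader cannot tell a malformed PAC from one signed with an unsuitable checksum type. A more specific message would help triage, for example `krb5_set_error_message(context, ret, "PAC checksum truncated or unreadable");`. The `krb5_checksum_is_keyed` test would also benefit from a why-comment such as `/* An unkeyed checksum can be recomputed by anyone who alters the PAC, so it gives no integrity protection. */`. Any caller that compared the result against EINVAL (none are visible here) should be checked, since that comparison no longer matches. The body of verify_checksum starts and ends outside this hunk.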