krb5_error_code ret;
krb5_keytab_entry ent;
krb5_kt_cursor cursor;
+ krb5_boolean similar;
+ krb5_enctype req_etype = req->ticket->enc_part.enctype;
#ifdef LEAN_CLIENT
return KRB5KRB_AP_WRONG_PRINC;
goto cleanup;
while ((ret = krb5_kt_next_entry(context, keytab, &ent, &cursor)) == 0) {
- if (ent.key.enctype == req->ticket->enc_part.enctype &&
+ ret = krb5_c_enctype_compare(context, ent.key.enctype, req_etype,
+ &similar);
+ if (ret == 0 && similar &&
krb5_sname_match(context, server, ent.principal)) {
+ /* Coerce inexact matches to the request enctype. */
+ ent.key.enctype = req_etype;
ret = try_one_entry(context, req, &ent, keyblock_out);
if (ret == 0) {
TRACE_RD_REQ_DECRYPT_ANY(context, ent.principal, &ent.key);
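Review bot: The one-line comment above `ent.key.enctype = req_etype;` does not say why overwriting the keytab entry's enctype is safe, yet that assignment is what lets a key stored under one enctype decrypt a ticket issued under another. I would spell it out, e.g. `/* krb5_c_enctype_compare() reported that both enctypes use the same kind of key, so relabel the stored key and decrypt under the ticket's enctype. */`. Because matching is now looser than exact equality, any permitted-enctype policy presumably has to be checked against `req_etype` rather than the keytab entry's enctype; that check is not visible in this hunk, so confirm it exists in the caller. A failure from `krb5_c_enctype_compare` (for instance a keytab enctype the library does not recognise) is silently treated as a non-match, and `TRACE_RD_REQ_DECRYPT_ANY` now logs the coerced enctype rather than the one stored in the keytab, which is worth a word in the comment for anyone reading traces. The enclosing function starts and ends outside the hunk.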