Diffstat (limited to 'src/lib/krb5')
-rw-r--r--src/lib/krb5/krb/rd_req_dec.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c
index 4b952f5a9..fbd088d8a 100644
--- a/src/lib/krb5/krb/rd_req_dec.c
+++ b/src/lib/krb5/krb/rd_req_dec.c
@@ -167,6 +167,8 @@ decrypt_ticket(krb5_context context, const krb5_ap_req *req,
krb5_error_code ret;
krb5_keytab_entry ent;
krb5_kt_cursor cursor;
+ krb5_boolean similar;
+ krb5_enctype req_etype = req->ticket->enc_part.enctype;
#ifdef LEAN_CLIENT
return KRB5KRB_AP_WRONG_PRINC;
@@ -189,8 +191,12 @@ decrypt_ticket(krb5_context context, const krb5_ap_req *req,
goto cleanup;
while ((ret = krb5_kt_next_entry(context, keytab, &ent, &cursor)) == 0) {
- if (ent.key.enctype == req->ticket->enc_part.enctype &&
+ ret = krb5_c_enctype_compare(context, ent.key.enctype, req_etype,
+ &similar);
+ if (ret == 0 && similar &&
krb5_sname_match(context, server, ent.principal)) {
+ /* Coerce inexact matches to the request enctype. */
+ ent.key.enctype = req_etype;
ret = try_one_entry(context, req, &ent, keyblock_out);
if (ret == 0) {
TRACE_RD_REQ_DECRYPT_ANY(context, ent.principal, &ent.key);
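Review bot: After `ent.key.enctype = req_etype;` the entry no longer records which enctype the keytab actually stored, so the `TRACE_RD_REQ_DECRYPT_ANY` call on success logs the coerced value and an inexact match looks the same as an exact one in traces. Consider saving the stored value before the coercion (for example `krb5_enctype kt_etype = ent.key.enctype;`) and tracing it when it differs from `req_etype`. Matching is also wider than before: a keytab key is now tried against tickets of any enctype that `krb5_c_enctype_compare` reports as similar, so the check that the ticket's own enctype is permitted must happen elsewhere; it is not visible in this hunk and is worth confirming and mentioning in the comment. A failing compare is silently treated as no match, which looks intentional but deserves a word in the comment as well. The loop body and the rest of decrypt_ticket continue outside the hunk.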