Fix PKINIT two-component matching rule parsing

In pkinit_matching.c:parse_rule_set(), apply the default relation when
parsing the second component of a rule, not the third.  Otherwise we
apply no default relation to two-component matching rules, effectively
reducing such rules to their second components.  Reported by Sumit
Bose.

ticket: 8553 (new)
target_version: 1.15-next
target_version: 1.14-next
tags: pullup

diff --git a/src/plugins/preauth/pkinit/pkinit_matching.c b/src/plugins/preauth/pkinit/pkinit_matching.c
index a3bf3f4e21aafdf3f8de8431a4a1d70259f627e3..a50c50c8dc9290405604008bbac38a7029810d44 100644 (file)
--- a/src/plugins/preauth/pkinit/pkinit_matching.c
+++ b/src/plugins/preauth/pkinit/pkinit_matching.c
@@ -409,7 +409,7 @@ parse_rule_set(krb5_context context,
     }
     rs->num_crs = 0;
     while (remaining > 0) {
-        if (rs->relation == relation_none && rs->num_crs > 1) {
+        if (rs->relation == relation_none && rs->num_crs > 0) {
             pkiDebug("%s: Assuming AND relation for multiple components in rule '%s'\n",
                      __FUNCTION__, rule_in);
             rs->relation = relation_and;