From: Greg Hudson Date: Fri, 24 Feb 2017 18:41:53 +0000 (-0500) Subject: Fix PKINIT two-component matching rule parsing X-Git-Tag: krb5-1.15.1-final~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eb54f32ec84f945f1857bc289ca7ea37524424bb;p=thirdparty%2Fkrb5.git Fix PKINIT two-component matching rule parsing In pkinit_matching.c:parse_rule_set(), apply the default relation when parsing the second component of a rule, not the third. Otherwise we apply no default relation to two-component matching rules, effectively reducing such rules to their second components. Reported by Sumit Bose. (cherry picked from commit 67ae7bbe1ea7032d1cb79682be3a14e7e13ec64f) ticket: 8553 version_fixed: 1.15.1 --- diff --git a/src/plugins/preauth/pkinit/pkinit_matching.c b/src/plugins/preauth/pkinit/pkinit_matching.c index a3bf3f4e21..a50c50c8dc 100644 --- a/src/plugins/preauth/pkinit/pkinit_matching.c +++ b/src/plugins/preauth/pkinit/pkinit_matching.c @@ -409,7 +409,7 @@ parse_rule_set(krb5_context context, } rs->num_crs = 0; while (remaining > 0) { - if (rs->relation == relation_none && rs->num_crs > 1) { + if (rs->relation == relation_none && rs->num_crs > 0) { pkiDebug("%s: Assuming AND relation for multiple components in rule '%s'\n", __FUNCTION__, rule_in); rs->relation = relation_and;