From: Greg Hudson Date: Fri, 24 Feb 2017 18:41:53 +0000 (-0500) Subject: Fix PKINIT two-component matching rule parsing X-Git-Tag: krb5-1.16-beta1~138 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F611%2Fhead;p=thirdparty%2Fkrb5.git Fix PKINIT two-component matching rule parsing In pkinit_matching.c:parse_rule_set(), apply the default relation when parsing the second component of a rule, not the third. Otherwise we apply no default relation to two-component matching rules, effectively reducing such rules to their second components. Reported by Sumit Bose. ticket: 8553 (new) target_version: 1.15-next target_version: 1.14-next tags: pullup --- diff --git a/src/plugins/preauth/pkinit/pkinit_matching.c b/src/plugins/preauth/pkinit/pkinit_matching.c index a3bf3f4e21..a50c50c8dc 100644 --- a/src/plugins/preauth/pkinit/pkinit_matching.c +++ b/src/plugins/preauth/pkinit/pkinit_matching.c @@ -409,7 +409,7 @@ parse_rule_set(krb5_context context, } rs->num_crs = 0; while (remaining > 0) { - if (rs->relation == relation_none && rs->num_crs > 1) { + if (rs->relation == relation_none && rs->num_crs > 0) { pkiDebug("%s: Assuming AND relation for multiple components in rule '%s'\n", __FUNCTION__, rule_in); rs->relation = relation_and;
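Review bot: The corrected condition `rs->num_crs > 0` in parse_rule_set() ships without a regression test, and the diff touches only pkinit_matching.c. Since the commit message says the old `> 1` check reduced two-component rules to their second component, a certificate matching rule could accept more than its author intended, which is the kind of off-by-one worth pinning down. Please add a test that parses a two-component rule with no explicit relation, asserts that `rs->relation` ends up as `relation_and`, and asserts that a certificate satisfying only the second component is rejected. A one-line comment above the condition would also help, stating that the default is applied as soon as one component has been parsed and more input remains, so the threshold is not "corrected" back later. The pkiDebug text "multiple components" remains accurate with the new threshold.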