From 67ae7bbe1ea7032d1cb79682be3a14e7e13ec64f Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Fri, 24 Feb 2017 13:41:53 -0500
Subject: [PATCH] Fix PKINIT two-component matching rule parsing

In pkinit_matching.c:parse_rule_set(), apply the default relation when parsing the second component of a rule, not the third. Otherwise we apply no default relation to two-component matching rules, effectively reducing such rules to their second components. Reported by Sumit Bose.
ticket: 8553 (new)
target_version: 1.15-next
target_version: 1.14-next
tags: pullup
---
 src/plugins/preauth/pkinit/pkinit_matching.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/plugins/preauth/pkinit/pkinit_matching.c b/src/plugins/preauth/pkinit/pkinit_matching.c
index a3bf3f4e21..a50c50c8dc 100644
--- a/src/plugins/preauth/pkinit/pkinit_matching.c
+++ b/src/plugins/preauth/pkinit/pkinit_matching.c
@@ -409,7 +409,7 @@ parse_rule_set(krb5_context context,
 }
 rs->num_crs = 0;
 while (remaining > 0) {
- if (rs->relation == relation_none && rs->num_crs > 1) {
+ if (rs->relation == relation_none && rs->num_crs > 0) {
 pkiDebug("%s: Assuming AND relation for multiple components in rule '%s'\n",
 __FUNCTION__, rule_in);
 rs->relation = relation_and;
-- 
2.47.2
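Review bot: Nothing in this patch pins the corrected `rs->num_crs > 0` test. The diffstat lists only pkinit_matching.c, so a two-component rule with no explicit relation remains untested, and per the commit message the old code reduced such a rule to its second component, making certificate matching looser than the rule's author wrote. A regression case that parses a two-component rule and checks that the rule set ends up with `relation_and` and both components would guard against the off-by-one returning. A short comment above the condition would also help, e.g. `/* Default to AND as soon as a second component is about to be parsed. */`. parse_rule_set's body starts and ends outside the hunk, so whether a multi-component rule set left at `relation_none` is rejected elsewhere cannot be confirmed from here.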