[29860] in CVS-changelog-for-Kerberos-V5
krb5 commit [krb5-1.15]: Fix PKINIT two-component matching rule
daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Feb 27 22:35:39 2017
Date: Mon, 27 Feb 2017 22:35:35 -0500
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201702280335.v1S3ZZRE019553@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/eb54f32ec84f945f1857bc289ca7ea37524424bb
commit eb54f32ec84f945f1857bc289ca7ea37524424bb
Author: Greg Hudson <ghudson@mit.edu>
Date: Fri Feb 24 13:41:53 2017 -0500
Fix PKINIT two-component matching rule parsing
In pkinit_matching.c:parse_rule_set(), apply the default relation when
parsing the second component of a rule, not the third. Otherwise we
apply no default relation to two-component matching rules, effectively
reducing such rules to their second components. Reported by Sumit
Bose.
(cherry picked from commit 67ae7bbe1ea7032d1cb79682be3a14e7e13ec64f)
ticket: 8553
version_fixed: 1.15.1
src/plugins/preauth/pkinit/pkinit_matching.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_matching.c b/src/plugins/preauth/pkinit/pkinit_matching.c
index a3bf3f4..a50c50c 100644
--- a/src/plugins/preauth/pkinit/pkinit_matching.c
+++ b/src/plugins/preauth/pkinit/pkinit_matching.c
@@ -409,7 +409,7 @@ parse_rule_set(krb5_context context,
}
rs->num_crs = 0;
while (remaining > 0) {
- if (rs->relation == relation_none && rs->num_crs > 1) {
+ if (rs->relation == relation_none && rs->num_crs > 0) {
pkiDebug("%s: Assuming AND relation for multiple components in rule '%s'\n",
__FUNCTION__, rule_in);
rs->relation = relation_and;
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
