authorJakub Hrozek <jakub.hrozek@posteo.se>2015-11-02 20:59:28 +0100
committerAndreas Schneider <asn@samba.org>2015-12-10 13:31:20 +0100
commitbce3d19eb78e9343e01b5a019392f7b0932c5b63 (patch)
tree654d8ab0a9b94a2e909eb1a631013ed515503a84
parent5b903c6c4aa7056555383f7669e7e5601125eda0 (diff)
libpamtest: Handle NULL passwords in libpamtest
-rw-r--r--src/libpamtest.c32
-rw-r--r--src/modules/pam_matrix.c5
-rw-r--r--tests/test_pam_wrapper.c23
3 files changed, 48 insertions, 12 deletions
diff --git a/src/libpamtest.c b/src/libpamtest.c
index 6cac468..79363f9 100644
--- a/src/libpamtest.c
+++ b/src/libpamtest.c
@@ -174,7 +174,7 @@ static int pamtest_simple_conv(int num_msg,
struct pam_response **response,
void *appdata_ptr)
{
- int i;
+ int i, ri;
int ret;
struct pam_response *reply;
const char *prompt;
@@ -191,6 +191,7 @@ static int pamtest_simple_conv(int num_msg,
if (reply == NULL) {
return PAM_CONV_ERR;
}
+ ri = 0;
}
for (i=0; i < num_msg; i++) {
@@ -198,16 +199,18 @@ static int pamtest_simple_conv(int num_msg,
case PAM_PROMPT_ECHO_OFF:
prompt = (const char *) \
cctx->data->in_echo_off[cctx->echo_off_idx];
- if (prompt == NULL) {
- return PAM_CONV_ERR;
- }
if (reply != NULL) {
- ret = add_to_reply(&reply[i], prompt);
- if (ret != PAM_SUCCESS) {
- /* FIXME - free data? */
- return ret;
+ if (prompt != NULL) {
+ ret = add_to_reply(&reply[ri], prompt);
+ if (ret != PAM_SUCCESS) {
+ /* FIXME - free data? */
+ return ret;
+ }
+ } else {
+ reply[ri].resp = NULL;
}
+ ri++;
}
cctx->echo_off_idx++;
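Review bot: With the `prompt == NULL` return removed, nothing in this case stops `cctx->echo_off_idx` from running past the end of `in_echo_off`: a NULL entry used to end the conversation with PAM_CONV_ERR, and it is now consumed as an answer while the index still advances. The array length is not visible here, so if callers rely on a NULL terminator (the new test passes a one-element `{ NULL }` array), a second ECHO_OFF prompt would read beyond the array. Consider carrying an element count in the conversation data and returning PAM_CONV_ERR once the index reaches it; the PAM_PROMPT_ECHO_ON hunk below has the same pattern with `echo_on_idx`. The function body starts and ends outside this hunk.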
@@ -220,11 +223,16 @@ static int pamtest_simple_conv(int num_msg,
}
if (reply != NULL) {
- ret = add_to_reply(&reply[i], prompt);
- if (ret != PAM_SUCCESS) {
- /* FIXME - free data? */
- return ret;
+ if (prompt != NULL) {
+ ret = add_to_reply(&reply[ri], prompt);
+ if (ret != PAM_SUCCESS) {
+ /* FIXME - free data? */
+ return ret;
+ }
+ } else {
+ reply[ri].resp = NULL;
}
+ ri++;
}
cctx->echo_on_idx++;
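Review bot: Storing answers at `reply[ri]` instead of `reply[i]` departs from the usual PAM conversation contract, where the response array has num_msg entries and the module reads the answer for message i from slot i. If the cases outside this hunk (info or error messages) do not also advance `ri`, a prompt that follows such a message would have its answer written to an earlier slot than the one the module reads. Unless there is a reason not shown here, keep `add_to_reply(&reply[i], prompt);` and `reply[i].resp = NULL;` and drop `ri`; the same applies to the PAM_PROMPT_ECHO_OFF hunk above.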
diff --git a/src/modules/pam_matrix.c b/src/modules/pam_matrix.c
index 21dd551..870625b 100644
--- a/src/modules/pam_matrix.c
+++ b/src/modules/pam_matrix.c
@@ -517,6 +517,11 @@ static int _pam_matrix_auth(struct pam_matrix_ctx *pctx)
{
int rv = PAM_AUTH_ERR;
+ if (pctx->pli.password == NULL) {
+ /* NULL passwords are not allowed */
+ return PAM_CRED_ERR;
+ }
+
if (pctx->pli.password != NULL &&
pctx->pmi.password != NULL &&
strcmp(pctx->pli.password, pctx->pmi.password) == 0) {
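Review bot: After the new early return, the `pctx->pli.password != NULL &&` test in the condition that follows can never be false and can be dropped, so the condition starts at `if (pctx->pmi.password != NULL &&`. Separately, PAM_CRED_ERR is the code documented for credential-setting failures; for a missing authentication token, PAM_AUTH_ERR or PAM_CRED_INSUFFICIENT may be what applications expect from pam_authenticate, so it is worth confirming the choice is intended and not only made so the test can tell the cases apart. The function continues past the end of the hunk.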
diff --git a/tests/test_pam_wrapper.c b/tests/test_pam_wrapper.c
index f1143c6..7f14a91 100644
--- a/tests/test_pam_wrapper.c
+++ b/tests/test_pam_wrapper.c
@@ -263,6 +263,26 @@ static void test_pam_authenticate(void **state)
assert_int_equal(perr, PAMTEST_ERR_OK);
}
+static void test_pam_authenticate_null_password(void **state)
+{
+ enum pamtest_err perr;
+ struct pamtest_conv_data conv_data;
+ const char *empty_authtoks[] = {
+ NULL,
+ };
+ struct pam_testcase tests[] = {
+ pam_test(PAMTEST_AUTHENTICATE, PAM_CRED_ERR),
+ };
+
+ (void) state; /* unused */
+
+ ZERO_STRUCT(conv_data);
+ conv_data.in_echo_off = empty_authtoks;
+
+ perr = run_pamtest("matrix", "trinity", &conv_data, tests);
+ assert_int_equal(perr, PAMTEST_ERR_OK);
+}
+
static void test_pam_authenticate_err(void **state)
{
enum pamtest_err perr;
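Review bot: The single `NULL` in `empty_authtoks` is the password answer itself rather than an end-of-list marker, which is easy to misread; a comment such as `/* the NULL entry is the answer to the password prompt, not a terminator */` above the array would make that clear. Only the echo-off path is exercised here; the matching NULL handling added for `in_echo_on` in libpamtest.c has no test in this commit.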
@@ -882,6 +902,9 @@ int main(void) {
cmocka_unit_test_setup_teardown(test_pam_authenticate,
setup_passdb,
teardown_passdb),
+ cmocka_unit_test_setup_teardown(test_pam_authenticate_null_password,
+ setup_passdb,
+ teardown_passdb),
cmocka_unit_test_setup_teardown(test_pam_authenticate_err,
setup_passdb,
teardown_passdb),