From bce3d19eb78e9343e01b5a019392f7b0932c5b63 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Mon, 2 Nov 2015 20:59:28 +0100
Subject: libpamtest: Handle NULL passwords in libpamtest
---
 src/libpamtest.c | 32 ++++++++++++++++++++------------
 src/modules/pam_matrix.c | 5 +++++
 tests/test_pam_wrapper.c | 23 +++++++++++++++++++++++
 3 files changed, 48 insertions(+), 12 deletions(-)
diff --git a/src/libpamtest.c b/src/libpamtest.c
index 6cac468..79363f9 100644
--- a/src/libpamtest.c
+++ b/src/libpamtest.c
@@ -174,7 +174,7 @@ static int pamtest_simple_conv(int num_msg,
 struct pam_response **response,
 void *appdata_ptr)
 {
- int i;
+ int i, ri;
 int ret;
 struct pam_response *reply;
 const char *prompt;
@@ -191,6 +191,7 @@ static int pamtest_simple_conv(int num_msg,
 if (reply == NULL) {
 return PAM_CONV_ERR;
 }
+ ri = 0;
 }
 for (i=0; i < num_msg; i++) {
@@ -198,16 +199,18 @@ static int pamtest_simple_conv(int num_msg,
 case PAM_PROMPT_ECHO_OFF:
 prompt = (const char *) \
 cctx->data->in_echo_off[cctx->echo_off_idx];
- if (prompt == NULL) {
- return PAM_CONV_ERR;
- }
 if (reply != NULL) {
- ret = add_to_reply(&reply[i], prompt);
- if (ret != PAM_SUCCESS) {
- /* FIXME - free data? */
- return ret;
+ if (prompt != NULL) {
+ ret = add_to_reply(&reply[ri], prompt);
+ if (ret != PAM_SUCCESS) {
+ /* FIXME - free data? */
+ return ret;
+ }
+ } else {
+ reply[ri].resp = NULL;
 }
+ ri++;
 }
 cctx->echo_off_idx++;
@@ -220,11 +223,16 @@ static int pamtest_simple_conv(int num_msg,
 }
 if (reply != NULL) {
- ret = add_to_reply(&reply[i], prompt);
- if (ret != PAM_SUCCESS) {
- /* FIXME - free data? */
- return ret;
+ if (prompt != NULL) {
+ ret = add_to_reply(&reply[ri], prompt);
+ if (ret != PAM_SUCCESS) {
+ /* FIXME - free data? */
+ return ret;
+ }
+ } else {
+ reply[ri].resp = NULL;
 }
+ ri++;
 }
 cctx->echo_on_idx++;
diff --git a/src/modules/pam_matrix.c b/src/modules/pam_matrix.c
index 21dd551..870625b 100644
--- a/src/modules/pam_matrix.c
+++ b/src/modules/pam_matrix.c
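Review bot: Indexing the reply array with the new `ri` counter instead of `i` changes which slot an answer lands in whenever a prompt follows a non-prompt message. `ri` advances only in the two prompt cases visible in this patch, while PAM modules conventionally read the response at the same index as the message they sent. Unless the info/error cases outside these hunks also advance `ri`, a conversation such as [text-info, echo-off prompt] would put the answer in slot 0 and leave slot 1 empty. Keeping `reply[i]` would preserve the alignment and make `ri` unnecessary; if `ri` stays, initialise it at the declaration, `int i, ri = 0;`, rather than only inside the allocation branch of the next hunk.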
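Review bot: With the `prompt == NULL` early return removed from the echo-off case, nothing visible in this hunk stops `cctx->echo_off_idx` from running past the end of `in_echo_off`. Before this change a NULL entry ended the conversation with PAM_CONV_ERR, so a NULL-terminated array was safe. Now NULL is a valid answer, so a module that prompts more often than the test supplied entries would make the harness read beyond the caller's array (the new test passes a one-element array). Consider carrying an explicit entry count in the conversation data and returning PAM_CONV_ERR once it is exhausted, or at least document the contract on the struct, e.g. `/* one entry per expected prompt; NULL means "reply with a NULL response", not end of list */`. The retained `/* FIXME - free data? */` paths also still return without freeing `reply`.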
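Review bot: The `else { reply[ri].resp = NULL; }` branch added for the echo-on case looks unreachable. The `}` context line at the top of this hunk, together with the old line numbers, suggests the `if (prompt == NULL) { return PAM_CONV_ERR; }` check was kept for PAM_PROMPT_ECHO_ON; it lies outside the hunk, so this is inferred. If so, `prompt` is never NULL at this point. Either drop that check so echo-on prompts accept NULL like echo-off ones, or drop the new else branch and record the difference with a comment such as `/* echo-on answers must be non-NULL */`.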
@@ -517,6 +517,11 @@ static int _pam_matrix_auth(struct pam_matrix_ctx *pctx)
 {
 int rv = PAM_AUTH_ERR;
+ if (pctx->pli.password == NULL) {
+ /* NULL passwords are not allowed */
+ return PAM_CRED_ERR;
+ }
+
 if (pctx->pli.password != NULL &&
 pctx->pmi.password != NULL &&
 strcmp(pctx->pli.password, pctx->pmi.password) == 0) {
diff --git a/tests/test_pam_wrapper.c b/tests/test_pam_wrapper.c
index f1143c6..7f14a91 100644
--- a/tests/test_pam_wrapper.c
+++ b/tests/test_pam_wrapper.c
@@ -263,6 +263,26 @@ static void test_pam_authenticate(void **state)
 assert_int_equal(perr, PAMTEST_ERR_OK);
 }
+static void test_pam_authenticate_null_password(void **state)
+{
+ enum pamtest_err perr;
+ struct pamtest_conv_data conv_data;
+ const char *empty_authtoks[] = {
+ NULL,
+ };
+ struct pam_testcase tests[] = {
+ pam_test(PAMTEST_AUTHENTICATE, PAM_CRED_ERR),
+ };
+
+ (void) state; /* unused */
+
+ ZERO_STRUCT(conv_data);
+ conv_data.in_echo_off = empty_authtoks;
+
+ perr = run_pamtest("matrix", "trinity", &conv_data, tests);
+ assert_int_equal(perr, PAMTEST_ERR_OK);
+}
+
 static void test_pam_authenticate_err(void **state)
 {
 enum pamtest_err perr;
@@ -882,6 +902,9 @@ int main(void) {
 cmocka_unit_test_setup_teardown(test_pam_authenticate,
 setup_passdb,
 teardown_passdb),
+ cmocka_unit_test_setup_teardown(test_pam_authenticate_null_password,
+ setup_passdb,
+ teardown_passdb),
 cmocka_unit_test_setup_teardown(test_pam_authenticate_err,
 setup_passdb,
 teardown_passdb),
--
cgit v1.2.3
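Review bot: Returning `PAM_CRED_ERR` for a missing password is an unusual code for an authentication path, and the new early return makes the `pctx->pli.password != NULL` test in the following condition redundant. PAM_CRED_ERR is normally associated with failures while setting credentials, whereas the codes Linux-PAM documents for an authenticate function are ones like PAM_AUTH_ERR, PAM_CRED_INSUFFICIENT or PAM_AUTHINFO_UNAVAIL. A test that expects PAM_CRED_ERR here may therefore not reflect what real modules return. If the distinct code is deliberate for this test module, say so in the comment, e.g. `/* NULL passwords are not allowed; PAM_CRED_ERR lets tests tell this apart from a wrong password */`. Only NULL is rejected; an empty string still reaches `strcmp`, and the rest of the function lies outside the hunk.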
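Review bot: `empty_authtoks` holds a NULL token, not an empty one, and the test leaves the difference between the two unexercised. Renaming it to `null_authtoks` and adding a sibling case that supplies `""` would pin down both behaviours. The array also has exactly one entry, so the test relies on the module prompting only once; a short comment such as `/* one entry: pam_matrix is expected to prompt once during authenticate */` would make that assumption explicit.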