Don't ask empty responder questions in PKINIT

When putting together the set of identity prompts for a responder challenge, if we don't need a PIN or password of some kind, don't ask an empty question. [ghudson@mit.edu: squashed commits, modified commit message, merged PKCS11 test with current Python script]
author: Nalin Dahyabhai <nalin@dahyabhai.net> 2013-07-19 11:33:20 -0400
committer: Greg Hudson <ghudson@mit.edu> 2013-07-22 12:25:31 -0400
commit: b37a0be87e5146d730b89abd1378a3043d5015b2 (patch)
tree: 32392f8837c320b186ce146384045afce3150fd4 /src/plugins
parent: 744d6f873393b6bbd12e1c1884738676a089fa65 (diff)
download: krb5-b37a0be87e5146d730b89abd1378a3043d5015b2.tar.gz
krb5-b37a0be87e5146d730b89abd1378a3043d5015b2.tar.xz
krb5-b37a0be87e5146d730b89abd1378a3043d5015b2.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index f708856c1..9d7d7bd6e 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -1126,6 +1126,13 @@ pkinit_client_prep_questions(krb5_context context,
         continue;
     n = i;
 
+    /* Make sure we don't just return an empty challenge. */
+    if (n == 0) {
+        pkiDebug("%s: no questions to ask\n", __FUNCTION__);
+        retval = 0;
+        goto cleanup;
+    }
+
     /* Create the top-level object. */
     retval = k5_json_object_create(&jval);
     if (retval != 0)
author	Nalin Dahyabhai <nalin@dahyabhai.net>	2013-07-19 11:33:20 -0400
committer	Greg Hudson <ghudson@mit.edu>	2013-07-22 12:25:31 -0400
commit	b37a0be87e5146d730b89abd1378a3043d5015b2 (patch)
tree	32392f8837c320b186ce146384045afce3150fd4 /src/plugins
parent	744d6f873393b6bbd12e1c1884738676a089fa65 (diff)
download	krb5-b37a0be87e5146d730b89abd1378a3043d5015b2.tar.gz krb5-b37a0be87e5146d730b89abd1378a3043d5015b2.tar.xz krb5-b37a0be87e5146d730b89abd1378a3043d5015b2.zip