From b37a0be87e5146d730b89abd1378a3043d5015b2 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai <nalin@dahyabhai.net>
Date: Fri, 19 Jul 2013 11:33:20 -0400
Subject: Don't ask empty responder questions in PKINIT

When putting together the set of identity prompts for a responder
challenge, if we don't need a PIN or password of some kind, don't ask
an empty question.

[ghudson@mit.edu: squashed commits, modified commit message, merged
PKCS11 test with current Python script]
---
 src/plugins/preauth/pkinit/pkinit_clnt.c | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'src/plugins')

diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index f708856c1..9d7d7bd6e 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -1126,6 +1126,13 @@ pkinit_client_prep_questions(krb5_context context,
         continue;
     n = i;
 
+    /* Make sure we don't just return an empty challenge. */
+    if (n == 0) {
+        pkiDebug("%s: no questions to ask\n", __FUNCTION__);
+        retval = 0;
+        goto cleanup;
+    }
+
     /* Create the top-level object. */
     retval = k5_json_object_create(&jval);
     if (retval != 0)
-- 
cgit