From 4fb0be3870406d70a93452e0aa6d51bc5bd128b2 Mon Sep 17 00:00:00 2001
From: Klas Lindfors
Date: Mon, 13 Jun 2016 11:08:09 +0200
Subject: [PATCH] add tests for empty OTP validation also fix around so ldap case checks with length of the authorized token, not the length of the passed in id.
---
 pam_yubico.c | 2 +-
 tests/pam_test.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+), 1 deletion(-)
diff --git a/pam_yubico.c b/pam_yubico.c
index 2e119cc..733c7cf 100644
--- a/pam_yubico.c
+++ b/pam_yubico.c
@@ -357,7 +357,7 @@ authorize_user_token_ldap (struct cfg *cfg,
 /* Only values containing this prefix are considered. */
 if ((!cfg->yubi_attr_prefix || !strncmp (cfg->yubi_attr_prefix, vals[i]->bv_val, yubi_attr_prefix_len)))
 {
- if(!strncmp (token_id, vals[i]->bv_val + yubi_attr_prefix_len, strlen (token_id)))
+ if(!strncmp (token_id, vals[i]->bv_val + yubi_attr_prefix_len, strlen (vals[i]->bv_val + yubi_attr_prefix_len)))
 {
 DBG (("Token Found :: %s", vals[i]->bv_val));
 retval = 1;
diff --git a/tests/pam_test.c b/tests/pam_test.c
index 7e5459d..6be0d1f 100644
--- a/tests/pam_test.c
+++ b/tests/pam_test.c
@@ -64,6 +64,8 @@ static struct data {
 {"foo", "vvincrediblltrerdegkkrkkneieultcjdghrejjbckh"},
 {"foo", "vvincredibletrerdegkkrkkneieultcjdghrejjbckl"},
 {"test", "ccccccbchvthlivuitriujjifivbvtrjkjfirllluurj"},
+ {"foo", ""},
+ {"bar", ""},
 };
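Review bot: In the pam_yubico.c hunk, the new bound `strlen (vals[i]->bv_val + yubi_attr_prefix_len)` still leaves this a prefix comparison, now sized by the directory value instead of the presented id. An attribute that is empty after the prefix gives a length of 0, so `strncmp` reports a match for any `token_id`, and a stored value shorter than the id matches every id that begins with it. If the attribute is meant to hold the complete token id, an exact non-empty comparison closes both cases: `if(*token_id && !strcmp (token_id, vals[i]->bv_val + yubi_attr_prefix_len))`. Whether empty or short values can actually occur in the directory is not visible here, and the body of authorize_user_token_ldap starts and ends outside the hunk.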
@@ -194,6 +196,26 @@ static int test_authenticate3(void) {
 return pam_sm_authenticate(4, 0, sizeof(cfg) / sizeof(char*), cfg);
 }
+static int test_authenticate4(void) {
+ const char *cfg[] = {
+ "id=1",
+ "urllist=http://localhost:"YKVAL_PORT1"/wsapi/2/verify;http://localhost:"YKVAL_PORT2"/wsapi/2/verify",
+ "authfile="AUTHFILE,
+ "debug",
+ };
+ return pam_sm_authenticate(5, 0, sizeof(cfg) / sizeof(char*), cfg);
+}
+
+static int test_authenticate5(void) {
+ const char *cfg[] = {
+ "id=1",
+ "urllist=http://localhost:"YKVAL_PORT1"/wsapi/2/verify;http://localhost:"YKVAL_PORT2"/wsapi/2/verify",
+ "authfile="AUTHFILE,
+ "debug",
+ };
+ return pam_sm_authenticate(6, 0, sizeof(cfg) / sizeof(char*), cfg);
+}
+
 static int test_fail_authenticate1(void) {
 const char *cfg[] = {
 "id=1",
@@ -244,6 +266,14 @@ static int test_authenticate_ldap3(void) {
 return pam_sm_authenticate(4, 0, sizeof(ldap_cfg2) / sizeof(char*), ldap_cfg2);
 }
+static int test_authenticate_ldap4(void) {
+ return pam_sm_authenticate(5, 0, sizeof(ldap_cfg) / sizeof(char*), ldap_cfg);
+}
+
+static int test_authenticate_ldap5(void) {
+ return pam_sm_authenticate(6, 0, sizeof(ldap_cfg) / sizeof(char*), ldap_cfg);
+}
+
 static pid_t run_mock(const char *port, const char *type) {
 pid_t pid = fork();
 if(pid == 0) {
@@ -287,6 +317,14 @@ int main(void) {
 ret = 6;
 goto out;
 }
+ if(test_authenticate4() != PAM_AUTH_ERR) {
+ ret = 7;
+ goto out;
+ }
+ if(test_authenticate5() != PAM_USER_UNKNOWN) {
+ ret = 8;
+ goto out;
+ }
 #ifdef HAVE_LIBLDAP
 if(test_authenticate_ldap1() != PAM_SUCCESS) {
 ret = 1001;
@@ -308,6 +346,14 @@ int main(void) {
 ret = 1005;
 goto out;
 }
+ if(test_authenticate_ldap4() != PAM_AUTH_ERR) {
+ ret = 1006;
+ goto out;
+ }
+ if(test_authenticate_ldap5() != PAM_USER_UNKNOWN) {
+ ret = 1007;
+ goto out;
+ }
 #endif
 out:
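Review bot: In the `@@ -194,6 +196,26 @@` hunk, test_authenticate4 and test_authenticate5 carry identical `cfg` arrays and differ only in the first argument to pam_sm_authenticate (`5` vs `6`), with nothing saying what those numbers select. They appear to pick the `{"foo", ""}` and `{"bar", ""}` rows added to the data table, though the start of that table is outside the patch. A comment above each call, such as `/* entry 5: user "foo", empty OTP -> PAM_AUTH_ERR */`, would let a reader check the expected result against main. The same applies to test_authenticate_ldap4 and test_authenticate_ldap5 in the next hunk. The duplicated array could also become one file-scope table, as `ldap_cfg` already is for the LDAP cases.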
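Review bot: In the `@@ -308,6 +346,14 @@` hunk, the two LDAP cases added to main pin only the empty-OTP outcomes (`PAM_AUTH_ERR` and `PAM_USER_UNKNOWN`), so the changed length bound in authorize_user_token_ldap is never exercised with a non-empty OTP. A negative case expecting `PAM_AUTH_ERR` for a well-formed OTP whose id is not identical to the user's directory value would pin that the match is exact, not a prefix match. The mock directory contents are not part of this patch, so this may need a new entry there. main's body starts and ends outside the hunk.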