Don't call a prompter function if it's NULL, as it can be, depending on which code path we were called from. Part of the larger responder retrofit coming in 1.12 (RT#7680). --- krb5-1.11.3/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +++ krb5-1.11.3/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c @@ -673,6 +673,8 @@ get_key_cb(char *buf, int size, int rwfl krb5_error_code retval; char *prompt; + if (data->id_cryptoctx->prompter == NULL) + return -1; if (asprintf(&prompt, "%s %s", _("Pass phrase for"), data->filename) < 0) return -1; rdat.data = buf; @@ -3739,10 +3741,15 @@ pkinit_login(krb5_context context, prompt_type = KRB5_PROMPT_TYPE_PREAUTH; /* PROMPTER_INVOCATION */ - k5int_set_prompt_types(context, &prompt_type); - r = (*id_cryptoctx->prompter)(context, id_cryptoctx->prompter_data, - NULL, NULL, 1, &kprompt); - k5int_set_prompt_types(context, 0); + if (id_cryptoctx->prompter == NULL) { + r = KRB5_LIBOS_CANTREADPWD; + rdat.data = NULL; + } else { + k5int_set_prompt_types(context, &prompt_type); + r = (*id_cryptoctx->prompter)(context, id_cryptoctx->prompter_data, + NULL, NULL, 1, &kprompt); + k5int_set_prompt_types(context, 0); + } free(prompt); } @@ -4307,10 +4314,15 @@ pkinit_get_certs_pkcs12(krb5_context con prompt_type = KRB5_PROMPT_TYPE_PREAUTH; /* PROMPTER_INVOCATION */ - k5int_set_prompt_types(context, &prompt_type); - r = (*id_cryptoctx->prompter)(context, id_cryptoctx->prompter_data, - NULL, NULL, 1, &kprompt); - k5int_set_prompt_types(context, 0); + if (*id_cryptoctx->prompter == NULL) { + retval = KRB5_LIBOS_CANTREADPWD; + goto cleanup; + } else { + k5int_set_prompt_types(context, &prompt_type); + r = (*id_cryptoctx->prompter)(context, id_cryptoctx->prompter_data, + NULL, NULL, 1, &kprompt); + k5int_set_prompt_types(context, 0); + } ret = PKCS12_parse(p12, rdat.data, &y, &x, NULL); if (ret == 0) {