The changes in #29324 neglected some setup needed for interactive
password prompting, leading to a segfault when pkey(1) is asked to
encrypt, but not given an explicit `-pass` argument.
The required plumbing is added.
Fixes: #30889
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed Apr 22 07:04:47 2026
(Merged from https://github.com/openssl/openssl/pull/30904)
if (ectx == NULL)
return 0;
- if (cipher != NULL)
- if (!OSSL_ENCODER_CTX_set_cipher(ectx, EVP_CIPHER_get0_name(cipher), NULL)
- || !OSSL_ENCODER_CTX_set_passphrase(ectx, (const unsigned char *)pass,
- strlen(pass)))
+ if (cipher != NULL) {
+ if (!OSSL_ENCODER_CTX_set_cipher(ectx, EVP_CIPHER_get0_name(cipher), NULL))
goto end;
+ OSSL_ENCODER_CTX_set_passphrase_ui(ectx, get_ui_method(), NULL);
+ if (pass != NULL
+ && !OSSL_ENCODER_CTX_set_passphrase(ectx,
+ (const unsigned char *)pass, strlen(pass)))
+ goto end;
+ }
if (encopt != NULL) {
int i, n = sk_OPENSSL_STRING_num(encopt);
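Review bot: the return value of the added OSSL_ENCODER_CTX_set_passphrase_ui(ectx, get_ui_method(), NULL) call is discarded, while the OSSL_ENCODER_CTX_set_cipher call before it and the OSSL_ENCODER_CTX_set_passphrase call after it both `goto end` on failure. If registering the UI method fails and pass is NULL, the code continues with a cipher set and no passphrase source, which is the case the commit message says this change is meant to repair. Suggest checking it like its neighbours: `if (!OSSL_ENCODER_CTX_set_passphrase_ui(ectx, get_ui_method(), NULL)) goto end;`. Separately, when pass is non-NULL both the UI method and the explicit passphrase are set on the same context, so the result depends on the later call taking precedence; registering the UI method only in the pass == NULL case would make that intent explicit. A regression test that runs the encrypting path without `-pass` would guard the fix, if one is not already elsewhere in the pull request.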