From: Viktor Dukhovni Date: Mon, 20 Apr 2026 12:41:44 +0000 (+1000) Subject: pkey(1) missing setup for interactive pass prompt X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9406cf1a82ab9c7f644cf08f837ecd3ad77b10aa;p=thirdparty%2Fopenssl.git pkey(1) missing setup for interactive pass prompt The changes in #29324 neglected some setup needed for interactive password prompting, leading to a segfault when pkey(1) is asked to encrypt, but not given an explicit `-pass` argument. The required plumbing is added. Fixes: #30889 Reviewed-by: Matt Caswell Reviewed-by: Eugene Syromiatnikov MergeDate: Wed Apr 22 07:04:47 2026 (Merged from https://github.com/openssl/openssl/pull/30904) --- diff --git a/apps/lib/apps.c b/apps/lib/apps.c index ce4fa9d3836..fe1bc7e8120 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -2331,11 +2331,15 @@ int encode_private_key(BIO *out, const char *output_type, const EVP_PKEY *pkey, if (ectx == NULL) return 0; - if (cipher != NULL) - if (!OSSL_ENCODER_CTX_set_cipher(ectx, EVP_CIPHER_get0_name(cipher), NULL) - || !OSSL_ENCODER_CTX_set_passphrase(ectx, (const unsigned char *)pass, - strlen(pass))) + if (cipher != NULL) { + if (!OSSL_ENCODER_CTX_set_cipher(ectx, EVP_CIPHER_get0_name(cipher), NULL)) goto end; + OSSL_ENCODER_CTX_set_passphrase_ui(ectx, get_ui_method(), NULL); + if (pass != NULL + && !OSSL_ENCODER_CTX_set_passphrase(ectx, + (const unsigned char *)pass, strlen(pass))) + goto end; + } if (encopt != NULL) { int i, n = sk_OPENSSL_STRING_num(encopt);
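Review bot: the return value of OSSL_ENCODER_CTX_set_passphrase_ui(ectx, get_ui_method(), NULL) in the new `if (cipher != NULL) {` block of encode_private_key() is discarded, while the OSSL_ENCODER_CTX_set_cipher() call before it and the OSSL_ENCODER_CTX_set_passphrase() call after it both `goto end` on failure. If installing the UI method fails and pass is NULL, encoding continues with a cipher selected but no passphrase source, so the failure would surface later and less clearly than it would here. Suggest handling it like its neighbours: `if (!OSSL_ENCODER_CTX_set_passphrase_ui(ectx, get_ui_method(), NULL)) goto end;`. A second, smaller point: when pass != NULL the hunk sets both the UI method and the explicit passphrase on the same context, and nothing in the hunk says which is expected to be used. Either move the UI setup into an else branch taken only when pass is NULL, or add a one-line comment stating that the explicit passphrase is intended to take precedence over the prompt.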