The PEM_read_bio_Parameters() function should not ask for a password

The PEM_read_bio_Parameters[_ex] function does not have the capability of specifying a password callback. We should not use the fallback password callback in this case because it will attempt to send a prompt for the password which might not be the correct thing to do. We should just not use a password in that case. Fixes #21588 Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #21603)
openssl · Aug 1, 2023 · 0d0791e · 0d0791e
1 parent 564e5b7
commit 0d0791e
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/crypto/pem/pem_pkey.c b/crypto/pem/pem_pkey.c
@@ -366,10 +366,19 @@ int PEM_write_bio_PrivateKey_traditional(BIO *bp, const EVP_PKEY *x,
     return ret;
 }
 
+static int no_password_cb(char *buf, int num, int rwflag, void *userdata)
+{
+    return -1;
+}
+
 EVP_PKEY *PEM_read_bio_Parameters_ex(BIO *bp, EVP_PKEY **x,
                                      OSSL_LIB_CTX *libctx, const char *propq)
 {
-    return pem_read_bio_key(bp, x, NULL, NULL, libctx, propq,
+    /*
+     * PEM_read_bio_Parameters(_ex) should never ask for a password. Any attempt
+     * to get a password just fails.
+     */
+    return pem_read_bio_key(bp, x, no_password_cb, NULL, libctx, propq,
                             EVP_PKEY_KEY_PARAMETERS);
 }