The PEM_read_bio_Parameters() function should not ask for a password

The PEM_read_bio_Parameters[_ex] function does not have the capability
of specifying a password callback. We should not use the fallback password
callback in this case because it will attempt to send a prompt for the
password which might not be the correct thing to do. We should just not
use a password in that case.

Fixes #21588

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21603)

diff --git a/crypto/pem/pem_pkey.c b/crypto/pem/pem_pkey.c
index 3e76852c67a44a69ad74e3366a48012dda867a6b..284b144fd640fd313c8394a50d467315e13f1c0c 100644 (file)
--- a/crypto/pem/pem_pkey.c
+++ b/crypto/pem/pem_pkey.c
@@ -366,10 +366,19 @@ int PEM_write_bio_PrivateKey_traditional(BIO *bp, const EVP_PKEY *x,
     return ret;
 }
 
+static int no_password_cb(char *buf, int num, int rwflag, void *userdata)
+{
+    return -1;
+}
+
 EVP_PKEY *PEM_read_bio_Parameters_ex(BIO *bp, EVP_PKEY **x,
                                      OSSL_LIB_CTX *libctx, const char *propq)
 {
-    return pem_read_bio_key(bp, x, NULL, NULL, libctx, propq,
+    /*
+     * PEM_read_bio_Parameters(_ex) should never ask for a password. Any attempt
+     * to get a password just fails.
+     */
+    return pem_read_bio_key(bp, x, no_password_cb, NULL, libctx, propq,
                             EVP_PKEY_KEY_PARAMETERS);
 }