Commit 9406cf1a82 for openssl.org

commit 9406cf1a82ab9c7f644cf08f837ecd3ad77b10aa
Author: Viktor Dukhovni <openssl-users@dukhovni.org>
Date:   Mon Apr 20 22:41:44 2026 +1000

    pkey(1) missing setup for interactive pass prompt

    The changes in #29324 neglected some setup needed for interactive
    password prompting, leading to a segfaul when pkey(1) is asked to
    encrypt, but not given an explicit `-pass` argument.

    The required plumbing is added.

    Fixes: #30889

    Reviewed-by: Matt Caswell <matt@openssl.foundation>
    Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
    MergeDate: Wed Apr 22 07:04:47 2026
    (Merged from https://github.com/openssl/openssl/pull/30904)

diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index ce4fa9d383..fe1bc7e812 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -2331,11 +2331,15 @@ int encode_private_key(BIO *out, const char *output_type, const EVP_PKEY *pkey,
     if (ectx == NULL)
         return 0;

-    if (cipher != NULL)
-        if (!OSSL_ENCODER_CTX_set_cipher(ectx, EVP_CIPHER_get0_name(cipher), NULL)
-            || !OSSL_ENCODER_CTX_set_passphrase(ectx, (const unsigned char *)pass,
-                strlen(pass)))
+    if (cipher != NULL) {
+        if (!OSSL_ENCODER_CTX_set_cipher(ectx, EVP_CIPHER_get0_name(cipher), NULL))
             goto end;
+        OSSL_ENCODER_CTX_set_passphrase_ui(ectx, get_ui_method(), NULL);
+        if (pass != NULL
+            && !OSSL_ENCODER_CTX_set_passphrase(ectx,
+                (const unsigned char *)pass, strlen(pass)))
+            goto end;
+    }

     if (encopt != NULL) {
         int i, n = sk_OPENSSL_STRING_num(encopt);