Allow zero-length PEM passwords in callback paths (#3073)

geedo0 · github-actions[bot] · web-flow · commit e5747bd5da06 · 2026-03-11T07:37:00.000-04:00
### Description of changes: 
Four sites incorrectly rejected empty passwords by checking
pass_len &lt;= 0 instead of pass_len &lt; 0 after invoking the password
callback. The callback returns negative on error and 0 for a valid
empty password, so the check should be &lt; 0.

### Testing:
How is this change tested (unit tests, fuzz tests, etc.)? Are there any
testing steps to be verified by the reviewer?

CI

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.

---------

Co-authored-by: github-actions[bot] &lt;41898282+github-actions[bot]@users.noreply.github.com&gt;
diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
@@ -322,7 +322,7 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp, void *x,
         callback = PEM_def_callback;
       }
       pass_len = (*callback)(buf, PEM_BUFSIZE, 1, u);
-      if (pass_len <= 0) {
+      if (pass_len < 0) {
         OPENSSL_PUT_ERROR(PEM, PEM_R_READ_KEY);
         goto err;
       }
@@ -397,7 +397,7 @@ int PEM_do_header(EVP_CIPHER_INFO *cipher, unsigned char *data, long *plen,
     callback = PEM_def_callback;
   }
   pass_len = callback(buf, PEM_BUFSIZE, 0, u);
-  if (pass_len <= 0) {
+  if (pass_len < 0) {
     OPENSSL_PUT_ERROR(PEM, PEM_R_BAD_PASSWORD_READ);
     return 0;
   }
diff --git a/crypto/pem/pem_pk8.c b/crypto/pem/pem_pk8.c
@@ -117,7 +117,7 @@ static int do_pk8pkey(BIO *bp, const EVP_PKEY *x, int isder, int nid,
         cb = PEM_def_callback;
       }
       pass_len = cb(buf, PEM_BUFSIZE, 1, u);
-      if (pass_len <= 0) {
+      if (pass_len < 0) {
         OPENSSL_PUT_ERROR(PEM, PEM_R_READ_KEY);
         PKCS8_PRIV_KEY_INFO_free(p8inf);
         return 0;
@@ -164,7 +164,7 @@ EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb,
     cb = PEM_def_callback;
   }
   pass_len = cb(psbuf, PEM_BUFSIZE, 0, u);
-  if (pass_len <= 0) {
+  if (pass_len < 0) {
     OPENSSL_PUT_ERROR(PEM, PEM_R_BAD_PASSWORD_READ);
     X509_SIG_free(p8);
     return NULL;
diff --git a/crypto/pem/pem_test.cc b/crypto/pem/pem_test.cc
@@ -467,3 +467,61 @@ TEST(PEMTest, WriteReadTraditionalPem) {
   EXPECT_FALSE(PEM_write_bio_PrivateKey_traditional(
       write_bio.get(), pkey.get(), nullptr, nullptr, 0, nullptr, nullptr));
 }
+
+TEST(PEMTest, WriteReadECPemEmptyPassword) {
+  bssl::UniquePtr<EC_KEY> ec_key(EC_KEY_new());
+  ASSERT_TRUE(ec_key);
+  bssl::UniquePtr<EC_GROUP> ec_group(EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1));
+  ASSERT_TRUE(ec_group);
+  ASSERT_TRUE(EC_KEY_set_group(ec_key.get(), ec_group.get()));
+
+#if defined(BORINGSSL_FIPS)
+  ASSERT_TRUE(EC_KEY_generate_key_fips(ec_key.get()));
+#else
+  ASSERT_TRUE(EC_KEY_generate_key(ec_key.get()));
+#endif
+
+  bssl::UniquePtr<BIO> write_bio(BIO_new(BIO_s_mem()));
+  ASSERT_TRUE(write_bio);
+  const EVP_CIPHER* cipher = EVP_get_cipherbynid(NID_aes_256_cbc);
+  ASSERT_TRUE(cipher);
+  ASSERT_TRUE(PEM_write_bio_ECPrivateKey(write_bio.get(), ec_key.get(), cipher, nullptr, 0, pem_password_callback, (void*)""));
+
+  const uint8_t* content = nullptr;
+  size_t content_len = 0;
+  BIO_mem_contents(write_bio.get(), &content, &content_len);
+
+  bssl::UniquePtr<BIO> read_bio(BIO_new_mem_buf(content, content_len) );
+  ASSERT_TRUE(read_bio);
+  bssl::UniquePtr<EC_KEY> ec_key_read(PEM_read_bio_ECPrivateKey(read_bio.get(), nullptr, pem_password_callback, (void*)""));
+  ASSERT_TRUE(ec_key_read);
+  const BIGNUM* orig_priv_key = EC_KEY_get0_private_key(ec_key.get());
+  const BIGNUM* read_priv_key = EC_KEY_get0_private_key(ec_key_read.get());
+  ASSERT_EQ(0, BN_cmp(orig_priv_key, read_priv_key));
+}
+
+TEST(PEMTest, WriteReadPKCS8DerEmptyPassword) {
+  bssl::UniquePtr<EC_KEY> ec_key(EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
+  ASSERT_TRUE(ec_key);
+  ASSERT_TRUE(EC_KEY_generate_key(ec_key.get()));
+  bssl::UniquePtr<EVP_PKEY> pkey(EVP_PKEY_new());
+  ASSERT_TRUE(pkey);
+  ASSERT_TRUE(EVP_PKEY_set1_EC_KEY(pkey.get(), ec_key.get()));
+
+  bssl::UniquePtr<BIO> write_bio(BIO_new(BIO_s_mem()));
+  ASSERT_TRUE(write_bio);
+  ASSERT_TRUE(i2d_PKCS8PrivateKey_bio(write_bio.get(), pkey.get(), EVP_aes_256_cbc(), nullptr, 0, pem_password_callback, (void*)""));
+
+  const uint8_t* content = nullptr;
+  size_t content_len = 0;
+  BIO_mem_contents(write_bio.get(), &content, &content_len);
+
+  bssl::UniquePtr<BIO> read_bio(BIO_new_mem_buf(content, content_len) );
+  ASSERT_TRUE(read_bio);
+  bssl::UniquePtr<EVP_PKEY> pkey_read(d2i_PKCS8PrivateKey_bio(read_bio.get(), nullptr, pem_password_callback, (void*)""));
+  ASSERT_TRUE(pkey_read);
+
+  const EC_KEY* read_ec = EVP_PKEY_get0_EC_KEY(pkey_read.get());
+  ASSERT_TRUE(read_ec);
+  ASSERT_EQ(0, BN_cmp(EC_KEY_get0_private_key(ec_key.get()), EC_KEY_get0_private_key(read_ec)));
+}

Original file line number	Diff line number	Diff line change
`@@ -322,7 +322,7 @@ int PEM_ASN1_write_bio(i2d_of_void i2d, const char name, BIO bp, void x,`
`322`	`322`	`callback = PEM_def_callback;`
`323`	`323`	`}`
`324`	`324`	`pass_len = (*callback)(buf, PEM_BUFSIZE, 1, u);`
`325`		`- if (pass_len <= 0) {`
	`325`	`+ if (pass_len < 0) {`
`326`	`326`	`OPENSSL_PUT_ERROR(PEM, PEM_R_READ_KEY);`
`327`	`327`	`goto err;`
`328`	`328`	`}`
`@@ -397,7 +397,7 @@ int PEM_do_header(EVP_CIPHER_INFO cipher, unsigned char data, long *plen,`
`397`	`397`	`callback = PEM_def_callback;`
`398`	`398`	`}`
`399`	`399`	`pass_len = callback(buf, PEM_BUFSIZE, 0, u);`
`400`		`- if (pass_len <= 0) {`
	`400`	`+ if (pass_len < 0) {`
`401`	`401`	`OPENSSL_PUT_ERROR(PEM, PEM_R_BAD_PASSWORD_READ);`
`402`	`402`	`return 0;`
`403`	`403`	`}`