From: Daniel Stenberg
Date: Fri, 17 Oct 2025 09:18:49 +0000 (+0200)
Subject: openssl: better return code checks when logging cert data
X-Git-Tag: rc-8_17_0-3~151
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e2a4de8a607d3c7f52918ef50ab6411c753fa2ce;p=thirdparty%2Fcurl.git
openssl: better return code checks when logging cert data
Pointed out by ZeroPath
Closes #19094
---
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 533acdaf8d..04bab2cbf1 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -4845,6 +4845,8 @@ static void infof_certstack(struct Curl_easy *data, const SSL *ssl)
 certstack = SSL_get_peer_cert_chain(ssl);
 else
 certstack = SSL_get0_verified_chain(ssl);
+ if(!certstack)
+ return;
 num_cert_levels = sk_X509_num(certstack);
 for(cert_level = 0; cert_level < num_cert_levels; cert_level++) {
@@ -4860,12 +4862,17 @@ static void infof_certstack(struct Curl_easy *data, const SSL *ssl)
 const char *type_name;
 current_cert = sk_X509_value(certstack, cert_level);
+ if(!current_cert)
+ continue;
+
+ current_pkey = X509_get0_pubkey(current_cert);
+ if(!current_pkey)
+ continue;
 X509_get0_signature(NULL, &palg_cert, current_cert);
 X509_ALGOR_get0(&paobj_cert, NULL, NULL, palg_cert);
 OBJ_obj2txt(cert_algorithm, sizeof(cert_algorithm), paobj_cert, 0);
- current_pkey = X509_get0_pubkey(current_cert);
 key_bits = EVP_PKEY_bits(current_pkey);
 #ifndef HAVE_OPENSSL3
 #define EVP_PKEY_get_security_bits EVP_PKEY_security_bits
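Review bot: The new `if(!certstack) return;` guard leaves no trace in the verbose log, and the same holds for the two `continue` guards added in the second hunk, so a missing chain or a certificate whose public key OpenSSL cannot return is simply absent from the output. Someone reading the log to check what the peer presented cannot tell "nothing to report" from "skipped". Consider one line per case, for example `infof(data, "  Certificate level %d: no public key available", cert_level);` before the second `continue`, and a short comment on the first guard saying when the chain can be NULL (presumably when the peer presented no certificate, to be confirmed). infof_certstack starts above the first hunk and continues past the second.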
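Review bot: `OBJ_obj2txt()` is the one call in the second hunk whose return code is still ignored, so `cert_algorithm` is logged whether or not the conversion succeeded. `X509_get0_signature()` and `X509_ALGOR_get0()` return void, but `paobj_cert` is only meaningful if `palg_cert` was actually filled in. Whether `cert_algorithm` is initialised on each iteration is not visible here because the declarations start above the hunk; if it is not, a failed conversion could log stale or indeterminate bytes. A small guard would cover it: `if(OBJ_obj2txt(cert_algorithm, sizeof(cert_algorithm), paobj_cert, 0) < 0)` followed by `cert_algorithm[0] = '\0';`.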