From: Jay Satiro Date: Mon, 24 Mar 2025 06:48:01 +0000 (-0400) Subject: openssl: fix crash on missing cert password X-Git-Tag: curl-8_13_0~70 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e60166815448f1ce4cc27e59a16e5805e864113d;p=thirdparty%2Fcurl.git openssl: fix crash on missing cert password - Return 0 for password length if OpenSSL is expecting a certificate password but the user did not provide one. Prior to this change libcurl would crash if OpenSSL called the certificate password callback in libcurl but no password was provided (NULL). Reported-by: Roman Zharkov Fixes https://github.com/curl/curl/issues/16806 Closes https://github.com/curl/curl/pull/16807
---
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 1beda3133a..4d5e1be29e 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -931,14 +931,14 @@ static char *ossl_strerror(unsigned long error, char *buf, size_t size)
 }
 static int passwd_callback(char *buf, int num, int encrypting,
- void *global_passwd)
+ void *password)
 {
 DEBUGASSERT(0 == encrypting);
- if(!encrypting && num >= 0) {
- int klen = curlx_uztosi(strlen((char *)global_passwd));
+ if(!encrypting && num >= 0 && password) {
+ int klen = curlx_uztosi(strlen((char *)password));
 if(num > klen) {
- memcpy(buf, global_passwd, klen + 1);
+ memcpy(buf, password, klen + 1);
 return klen;
 }
 }
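Review bot: The new `&& password` guard in `passwd_callback` adds another silent path to the fall-through return, and nothing in the function documents that contract. A missing password, a password that does not fit (`num <= klen`) and, if `DEBUGASSERT` is compiled out, an `encrypting` call all skip the `memcpy` and, per the commit message, return 0, so the resulting OpenSSL error cannot tell them apart. I would add above the `if`: `/* Return 0 (no password) when none was supplied or when it does not fit in buf with its terminator; buf is left untouched in that case. */`. The cast can also stay const-correct, `strlen((const char *)password)`. The function's final return is outside the hunk, so the 0 is taken from the commit description rather than from visible code.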