From e60166815448f1ce4cc27e59a16e5805e864113d Mon Sep 17 00:00:00 2001 From: Jay Satiro Date: Mon, 24 Mar 2025 02:48:01 -0400 Subject: [PATCH] openssl: fix crash on missing cert password - Return 0 for password length if OpenSSL is expecting a certificate password but the user did not provide one. Prior to this change libcurl would crash if OpenSSL called the certificate password callback in libcurl but no password was provided (NULL). Reported-by: Roman Zharkov Fixes https://github.com/curl/curl/issues/16806 Closes https://github.com/curl/curl/pull/16807 Conflict:context adapt Reference:https://github.com/curl/curl/commit/e60166815448f1ce4cc27e59a16e5805e864113d --- lib/vtls/openssl.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index 1beda3133..4d5e1be29 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -931,14 +931,14 @@ static char *ossl_strerror(unsigned long error, char *buf, size_t size) } static int passwd_callback(char *buf, int num, int encrypting, - void *global_passwd) + void *password) { DEBUGASSERT(0 == encrypting); - if(!encrypting) { - int klen = curlx_uztosi(strlen((char *)global_passwd)); + if(!encrypting && num >= 0 && password) { + int klen = curlx_uztosi(strlen((char *)password)); if(num > klen) { - memcpy(buf, global_passwd, klen + 1); + memcpy(buf, password, klen + 1); return klen; } } -- 2.43.0