Skip to content

SIGSEGV when using encrypted private key with no password provided #16806

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
rzharkov opened this issue Mar 24, 2025 · 2 comments
Closed

SIGSEGV when using encrypted private key with no password provided #16806

rzharkov opened this issue Mar 24, 2025 · 2 comments
Labels
crash TLS

Comments

@rzharkov
Copy link

I did this

Hello,
There is a strlen(NUL) call when using an encrypted key with the CURLOPT_SSLKEY_BLOB option, without setting the CURLOPT_KEYPASSWD option value.

Backtrace of the simple "libcurl_test" program.

roman@OFFICE02:/tmp/libcurl_test$ LD_LIBRARY_PATH=/home/roman/.curl/lib/ gdb libcurl_test
GNU gdb (Ubuntu 12.1-0ubuntu122.04.2) 12.1
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
https://www.gnu.org/software/gdb/bugs/.
Find the GDB manual and other documentation resources online at:
http://www.gnu.org/software/gdb/documentation/.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from libcurl_test...
(gdb) r
Starting program: /home/roman/tmp/libcurl_test/libcurl_test
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
__strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:74
74 ../sysdeps/x86_64/multiarch/strlen-avx2.S: No such file or directory.
(gdb) bt
#0 __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:74
#1 0x00007ffff7f4dc82 in passwd_callback (buf=0x7fffffffc250 "", num=1024, encrypting=0, global_passwd=0x0) at vtls/openssl.c:939
#2 0x00007ffff7722194 in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.3
#3 0x00007ffff7721d3c in UI_process () from /lib/x86_64-linux-gnu/libcrypto.so.3
#4 0x00007ffff76d6808 in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.3
...
...
...
#33 0x00005555555553e6 in main () at libcurl_test.cpp:115
(gdb) f 1
#1 0x00007ffff7f4dc82 in passwd_callback (buf=0x7fffffffc250 "", num=1024, encrypting=0, global_passwd=0x0) at vtls/openssl.c:939
939 int klen = curlx_uztosi(strlen((char *)global_passwd));
(gdb) p global_passwd
$1 = (void *) 0x0
(gdb)

Here is the source code:

#include <iostream>
#include <curl/curl.h>
#include <cstring>

int main()
{
  const char *cainfo = R""""(-----BEGIN CERTIFICATE-----
MIID+TCCAuGgAwIBAgIUOGVSyS5IiA3HffJtBPQtXh/OQY0wDQYJKoZIhvcNAQEL
BQAwgYsxCzAJBgNVBAYTAlJVMRYwFAYDVQQIDA1SdXNzaWEgcmVnaW9uMQ8wDQYD
VQQHDAZNb3Njb3cxCzAJBgNVBAoMAkNBMQswCQYDVQQLDAJDQTESMBAGA1UEAwwJ
MTI3LjAuMC4xMSUwIwYJKoZIhvcNAQkBFhZzdXBwb3J0QHBvc3RncmVzcHJvLnJ1
MB4XDTI1MDMxNzA1MjA1NVoXDTM1MDMxNTA1MjA1NVowgYsxCzAJBgNVBAYTAlJV
MRYwFAYDVQQIDA1SdXNzaWEgcmVnaW9uMQ8wDQYDVQQHDAZNb3Njb3cxCzAJBgNV
BAoMAkNBMQswCQYDVQQLDAJDQTESMBAGA1UEAwwJMTI3LjAuMC4xMSUwIwYJKoZI
hvcNAQkBFhZzdXBwb3J0QHBvc3RncmVzcHJvLnJ1MIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAtbBMUeprvEFecgE82SarkfDvd+OIi5j7D1DB4F2PyqXh
qZu6hBBcV9ewGmmmBtaIGETxLx50aJj1bFPTNFo1zOwH9JFBEeiXq2W37V1i+q09
ESxj2jRW2JOcA5m6DgXWN3GCrg2zVTujQmKuUtSRnCP3/2B7xVENFC4SBbfOPIDx
xZf0LqPFS7Cz+nR8ynCBrFvcLjWnQh6c8gRzxWXe9hFNQj+VTyEjToNDqPNppQlt
lkPPh5r1sfmxLPLdJ7u/8lgcTUBKjAw0WBRCeoKbsIBlmzD2680NlWbYlJ/hu+dp
bBNe3EJ793jEr22TVfk9dANSCuqwHRnL8NSp7uZk5QIDAQABo1MwUTAdBgNVHQ4E
FgQUBsujTTZU80jds0DKDU0qj9ORE5QwHwYDVR0jBBgwFoAUBsujTTZU80jds0DK
DU0qj9ORE5QwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAJ1W1
9DWIn+DvVPgX7DsL1ioLNVWHVZv+85FcRw7u9eGn6oESaFtJMJopUljhqHUOvEYf
51t+jj2o7Sh5S+adzaT8p/qF8NNHxzBCF3+2E4nFSaCsQjzszNBFkGGDQQKCviiO
n4WaP4FMEU8Fl13twpEiVkFodEPdrExCwus373kj/esdaErNcGy8sbUVKgxivd32
DHsR3kYXls+7FP06JJL7NX0Ji/6j+dT964Sz6q3PKBpLMSBvW3loAwhEfpE9t9V1
RjfXBWpcQqxTdO6YTP0YqrpJihV67nToaWKZMzp/zqsuuvDsXxda3vJNDdJ2ZJRA
Y7707nS0spc1qVPMSQ==
-----END CERTIFICATE-----
)"""";

  const char *cert = R""""(-----BEGIN CERTIFICATE-----
MIIDqzCCApMCFD/Dwl/xxe43eRI2reOjd/fPrdPvMA0GCSqGSIb3DQEBCwUAMIGL
MQswCQYDVQQGEwJSVTEWMBQGA1UECAwNUnVzc2lhIHJlZ2lvbjEPMA0GA1UEBwwG
TW9zY293MQswCQYDVQQKDAJDQTELMAkGA1UECwwCQ0ExEjAQBgNVBAMMCTEyNy4w
LjAuMTElMCMGCSqGSIb3DQEJARYWc3VwcG9ydEBwb3N0Z3Jlc3Byby5ydTAeFw0y
NTAzMTcwNTIwNTVaFw0yNjAzMTcwNTIwNTVaMIGXMQswCQYDVQQGEwJSVTEWMBQG
A1UECAwNUnVzc2lhIHJlZ2lvbjEPMA0GA1UEBwwGTW9zY293MREwDwYDVQQKDAhD
bGllbnQwMTERMA8GA1UECwwIQ2xpZW50MDExEjAQBgNVBAMMCTEyNy4wLjAuMTEl
MCMGCSqGSIb3DQEJARYWc3VwcG9ydEBwb3N0Z3Jlc3Byby5ydTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAKeaYnGgLO5LcRAnNAIHuQCkL2sny01qfFAK
mPxhQWUwr+5kfQoD5VRRADDlTLYLY18FQZqn3eiVwgql7w/BTsqaHbZGvmNitENs
5suBX4q2Il4Dr41LQrmOpb6s+1BIjIYHucUa2t/nwq6MjRU5MtKLSqz9qvZWHZ83
cDOIVuL5aA/6M0BLYmsQL+RXy9vDPNo7Tat8l3GBRvPr27AB7DiEC9PnZIP9JHfc
xyx58thrVlwTQZdS5O4tjGJ/E7UcxlYbg3LumtDDiH/IAKo63qYw/HgDXe6CVxn9
Swqr7asBJ9kiz2CMtmVPpMdJXP7WOO9qh26OkKXIt3qXmX7YIA8CAwEAATANBgkq
hkiG9w0BAQsFAAOCAQEAcseLRHU54NrQEDg/kdWOWapAJkaI9oW925DrQLyqLOz4
o/ulIn1nzjhPi3UEW3Pvv2oriZJh56nQ9+iNxw/JEo3Mzs4P6Xyo9a9rjSRPo97R
AHRHJF9FDB8AiOqwyoVMANmH6fm6Ug0kfgEmKu6hSIIt3IOFGcrCAf5VAn9ayoAl
jC+xZ6odgr5+D/e8yx3JiS0mevbcNxev9eaDEk3FUrQ3QSnDzHR9me4hPS4vNtcm
ynAsNIGOBfGmna5KVUVm37hwGdZoy5qeXaMQk9moliPCfpcqtxQ2qHhNz79I5Zdd
GMNTQVzSHmuu8tw5W4GjNUQL2Wx5h/yuMD5dS+vCeQ==
-----END CERTIFICATE-----
)"""";

  const char *key = R""""(-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFNTBfBgkqhkiG9w0BBQ0wUjAxBgkqhkiG9w0BBQwwJAQQOTKbaW/RJoVDy8/7
j4hqCwICCAAwDAYIKoZIhvcNAgkFADAdBglghkgBZQMEASoEEAUbKN+KEXPIN0hk
YzN9IRwEggTQtcFSS4wPZG6hZ6boN04I2/hogL8FQdYG4IRx2v6EE8rCrSduEKFW
JfOujh1KG9iCiWuqeS9x6F877OwI6zyOfhkLEL8Ed0vgZ0rx0cOoJSpeSqw3Vnrh
kp0dEWo8MfXkTsUCPoWDU7KFDSUgmGzIWzrVzSudPQUR++6+O2R2wq6/Mti7rvyV
4qatBDwglwDL67Ub5GEMYRBfJa31Ts3Tmms4v/ZTxSw5ogGq9p92N+iqNw33gd+0
a8YMsjsqHZpxJUJLYFLZryapcP+y4NKv1DoNBv0AcX8xa0pJI5HZQlLIrWpjrI2h
epurHp2dghVs/zO//KDAm/xzzKMrU+wtWlxEfXniGiEigowhZUdVOZkSgeCHE3NJ
KTGG7Hqc7eNFGg42akhQHxTEPLrUL0nTzVcaYA/fqb1NBv9YZ4nv1H9FIXnMQWme
wZr6lLyJf2Twh5TBjHes9EaXJFLZVgDbHomBrLKDngdJ89eXlXPhiJuDkUw1BMaP
DlRulLgVC5rp7Rqwcd2lgJqlG9AZxmwxGSEQ0sTuD71KZfK2FRu4heYnkyAtln1Y
deWw3Y3HrWDE5o08+fD1wHuJrmUNNOiBqWLJL7p9Djm47QOUsyK4+eaNWZYtvGn9
AxG/fiSaa3shQumvLESAuDdA14AvNtH8FwhLLCWiQGg/95OgCYHy1cAH3CXMmH+1
IHMAGXKdmTD1TNYwGKtyk1t4m6VcfvIRySYBcaxgobywjhCGnaXiujZ3DfjcnABf
+Mssd3AB1h1UI1WFhyw+1CiR/qKRkgIjbAeP3IfoaOQbwJdUsbbWkbn5qoBI7yIa
Xt8C/rB0ziikFTENTCabAj3RoDjJVt9I8M44ucyc4sNf3Du3aaie/TUt1Mz14Ws/
ZKFZK5X+1dcIU92z2Pm2vWnnRgX/sYbL01C0e+f8irZRwbEbZjNhfwKlAxhdnXWh
YUMuBf5cRfV5X6LVJaQdx5/DfAhBmEA8Q3UF8sfGEXevx0Pq4tCIdgI0mSG1YTl8
dlUKk/7VBR4tWDBH3fpdEh7cemHZ8BWVmSR4Z2xWttL61UcytJ7T5nPqx25MEWyv
odqLwfLJI9hqLwIqBaS5VTYo7xcMqQWzDFVa2EX3qiHJqrmdvHNCJN7uwjtaxU9W
1pfCmH6emw5m7mgbebVoGauIKBrJ9naTSljlcgrs6hl7WFH4e9OXq+Rief7C1R38
m6MMVWS6ybqbSQufGMe7ONp6vlQgSXcjsEUeE9K0oneL2t/zXwDcQtxdACcJpLpk
8ZKFtSkhC3sNeOmRnqzVa3qJxPsmkRDlacdA21wg53alYDb+/Stw99hOFOQfe9BL
ASVOyZdKsOmzx2AiJ95cu/fcwRT8dRtLTPy4ppOy4CS0pOlyE5MVZZD9ibY1ThEF
N1gDMNfN9jPT27dmN1rkEEv/C3nYISbJYfxw1wriERvlMtl/YXt0l8yCTb5Nx+mj
73cLNOp+Q0Dd/ukEkzEgW4N6NlKfmtlfZhmlZh3SVkx/FJIwz+QxvIGXi9sh46g1
bYJaHOSXMC9ARqmQ3+9sQn/esWKcfxq4+CTB7G7qcWQ2plBW/ZH8ItwYnrrv37SE
Omt2JER5CtAl1eBi12P4U9OsKzZupOStnbFIPQ7zIHukB2Odh6SKctA=
-----END ENCRYPTED PRIVATE KEY-----
)"""";

  struct curl_blob blob;
  CURL *curl = curl_easy_init();
  if (curl) {
    CURLcode res;
    curl_easy_setopt(curl, CURLOPT_URL, "https://127.0.0.1:5002");

    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);

    curl_easy_setopt(curl, CURLOPT_SSLCERTTYPE, "PEM");

    blob.data = (char *) cainfo;
    blob.flags = CURL_BLOB_COPY;
    blob.len = strlen(cainfo);
    curl_easy_setopt(curl, CURLOPT_CAINFO_BLOB, &blob);

    blob.data = (char *) cert;
    blob.flags = CURL_BLOB_COPY;
    blob.len = strlen(cert);
    curl_easy_setopt(curl, CURLOPT_SSLCERT_BLOB, &blob);

    blob.data = (char *) key;
    blob.flags = CURL_BLOB_COPY;
    blob.len = strlen(key);
    curl_easy_setopt(curl, CURLOPT_SSLKEY_BLOB, &blob);
//    curl_easy_setopt(curl, CURLOPT_KEYPASSWD, "superpassword");

    res = curl_easy_perform(curl);
    curl_easy_cleanup(curl);

    if (res != CURLE_OK)
    {
      std::cout << "PERFORM " << res << "\t" << curl_easy_strerror(res) << "\n";
    }
    else
    {
      std::cout << "OK\n";
    }
  }
}

I expected the following

With the uncommented line "curl_easy_setopt(curl, CURLOPT_KEYPASSWD, "superpassword");" program works fine.

curl/libcurl version

curl 8.13.0-DEV (x86_64-pc-linux-gnu) libcurl/8.13.0-DEV OpenSSL/3.0.2 zlib/1.2.11 zstd/1.4.8 libpsl/0.21.0 OpenLDAP/2.5.18
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS Debug HSTS HTTPS-proxy IPv6 Largefile libz NTLM PSL SSL threadsafe TLS-SRP TrackMemory UnixSockets zstd

curl 8.12.1-DEV (x86_64-pc-win32) libcurl/8.12.1-DEV OpenSSL/3.6.0 WinIDN
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS HSTS HTTPS-proxy IDN IPv6 Kerberos Largefile NTLM SPNEGO SSL SSPI threadsafe UnixSockets

operating system

5.15.167.4-microsoft-standard-WSL2 (Ubuntu linux)

Windows 10
jay added a commit to jay/curl that referenced this issue Mar 24, 2025
@jay
openssl: fix crash on missing cert password
1e47883 
- Return 0 for password length if OpenSSL is expecting a certificate
  password but the user did not provide one.

Prior to this change libcurl would crash if OpenSSL called the certificate
password callback in libcurl but no password was provided (NULL).

Reported-by: Roman Zharkov

Fixes curl#16806
Closes #xxxx
@jay jay mentioned this issue Mar 24, 2025
Closed
@jay
Copy link
Member

jay commented Mar 24, 2025

Please try #16807

@rzharkov
Copy link
Author

Please try #16807

Thank you! Everything is OK.

As I expected: "PERFORM 58 Problem with the local SSL certificate".

@jay jay closed this as completed in e601668 Mar 24, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
crash TLS
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

openssl: fix crash on missing cert password jay/curl
2 participants
@jay @rzharkov