From ba685ad5e5712fed4c3772df0372569b4e5ff428 Mon Sep 17 00:00:00 2001
From: Viktor Szakats <commit@vsz.me>
Date: Thu, 19 Feb 2026 18:10:58 +0100
Subject: [PATCH] openssl: fix potential NULL dereference when loading certs
 (Windows)

This could happen if the first cert to be loaded missed EKU (Enhanced
Key Usage) data, when using native CA on Windows.

Fix by skipping certs without Enhanced Key Usage data.

Detected by clang-tidy:
```
lib/vtls/openssl.c:2922:15: warning: Access to field 'cUsageIdentifier'
 results in a dereference of a null pointer (loaded from variable
 'enhkey_usage') [clang-analyzer-core.NullDereference]
 2922 |           if(!enhkey_usage->cUsageIdentifier) {
      |               ^
```

Refs:
https://learn.microsoft.com/windows/win32/secgloss/e-gly
https://learn.microsoft.com/windows/win32/api/wincrypt/nf-wincrypt-certgetenhancedkeyusage
https://gitlab.winehq.org/wine/wine/-/blob/wine-11.2/dlls/crypt32/cert.c?ref_type=tags#L3061-3164

Assisted-by: Stefan Eissing

Closes #20634
---
 lib/vtls/openssl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 8572f0ec13..04db896473 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2917,8 +2917,8 @@ static CURLcode ossl_win_load_store(struct Curl_easy *data,
        * depending on what is found. For more details see
        * CertGetEnhancedKeyUsage doc.
        */
-      if(CertGetEnhancedKeyUsage(pContext, 0, NULL, &req_size)) {
-        if(req_size && req_size > enhkey_usage_size) {
+      if(CertGetEnhancedKeyUsage(pContext, 0, NULL, &req_size) && req_size) {
+        if(req_size > enhkey_usage_size) {
           void *tmp = curlx_realloc(enhkey_usage, req_size);
 
           if(!tmp) {