mbedTLS private-key blob null-termination asymmetry in lib/vtls/mbedtls.c (mbed_load_privkey)
Vulnerability Details
## Summary:
In lib/vtls/mbedtls.c, function mbed_load_privkey (lines 653-738) passes raw ssl_key_blob->data and ssl_key_blob->len directly to mbedtls_pk_parse_key() at lines 706-708 (mbedTLS 4.x branch) and 718-722 (mbedTLS 3.x branch), without ensuring null-termination. The mbedTLS API contract for mbedtls_pk_parse_key() requires PEM input to be null-terminated and keylen to equal strlen(key) + 1.

The adjacent mbed_load_cacert (lines 512-518) and mbed_load_clicert (lines 626-631) handle this correctly using curlx_memdup0() and passing len + 1, but the private-key path does not. The path is reachable through public options CURLOPT_SSLKEY_BLOB and CURLOPT_PROXY_SSLKEY_BLOB, which use struct curl_blob (pointer-plus-length, no null-termination guarantee).

I am not claiming a demonstrated out-of-bounds read or proof-of-concept; the defensible claim is API contract violation in a public-option path with asymmetric handling versus cert/CA blobs in the same file.

Suggested fix: mirror the cert/CA pattern by detecting non-null-terminated PEM, duplicating via curlx_memdup0(), and passing blob->len + 1.
## Affected version
curl from git, commit 2c81cf620e559b6c448dcfd8ef389f214746b533 (master, May 2026). Backend: USE_MBEDTLS with PEM private-key parsing enabled in linked mbedTLS.
## Steps To Reproduce:
This report is based on static source analysis; no runtime exploit is demonstrated. To verify the asymmetry:
1. git clone https://github.com/curl/curl
2. cd curl && git checkout 2c81cf620e559b6c448dcfd8ef389f214746b533
3. Inspect lib/vtls/mbedtls.c lines 653-738 (mbed_load_privkey).
4. Note that lines 706-708 and 718-722 call mbedtls_pk_parse_key with raw ssl_key_blob->data and ssl_key_blob->len, with no curlx_memdup0 or len + 1.
5. Compare to lib/vtls/mbedtls.c lines 474-572 (mbed_load_cacert) and 574-651 (mbed_load_clicert), which check the final byte, duplicate non-null-terminated PEM with curlx_memdup0, and pass len + 1.
6. Confirm reachability via lib/setopt.c (CURLOPT_SSLKEY_BLOB at 2843-2847, CURLOPT_PROXY_SSLKEY_BLOB at 2822-2826) and lib/vtls/vtls.c (Curl_ssl_conn_config_update at 345 and 386) where blobs[BLOB_KEY] is assigned to sslc->key_blob.
## Impact
For non-null-terminated PEM private-key blob input, behavior is undefined per the mbedTLS API contract; possible outcomes include parse failure, out-of-bounds read, or other undefined behavior depending on linked mbedTLS internals. The path is reachable through public curl options. The asymmetry with cert/CA blob handling in the same file means curl currently enforces this contract for two of three blob types and does not for the third, creating inconsistent guarantees for application authors. I defer to the curl security team on whether this should be classified as a security issue or as a correctness/hardening fix.
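An added example, not code from the report or from curl: one way to normalize a pointer-plus-length key blob before handing it to a parser with the contract described above (PEM null-terminated, length equal to strlen + 1). The names `struct blob`, `struct parse_input`, `prepare_key_input` and `release_key_input` are hypothetical, and treating any buffer that contains `-----BEGIN` as PEM is an assumption of this example.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical pointer-plus-length blob: no terminator guarantee. */
struct blob { const void *data; size_t len; };
/* Parser input; owned is non-NULL only when a terminated copy was made. */
struct parse_input { const unsigned char *buf; size_t len; unsigned char *owned; };

/* Bounded search: the input may lack a terminator, so strstr() is unsafe.
   Treating "-----BEGIN" as the PEM indicator is an assumption. */
static int has_pem_marker(const unsigned char *p, size_t len)
{
  static const char marker[] = "-----BEGIN";
  size_t mlen = sizeof(marker) - 1, i;
  for(i = 0; len >= mlen && i <= len - mlen; i++)
    if(!memcmp(p + i, marker, mlen))
      return 1;
  return 0;
}

/* Returns 0 on success, -1 on empty input or allocation failure. */
int prepare_key_input(const struct blob *b, struct parse_input *out)
{
  const unsigned char *p = b->data;
  out->buf = p; out->len = b->len; out->owned = NULL;
  if(!p || !b->len)
    return -1;
  if(p[b->len - 1] == '\0' || !has_pem_marker(p, b->len))
    return 0; /* already terminated, or DER: pass through unchanged */
  out->owned = malloc(b->len + 1);
  if(!out->owned)
    return -1;
  memcpy(out->owned, p, b->len);
  out->owned[b->len] = '\0';
  out->buf = out->owned;
  out->len = b->len + 1; /* contract: keylen == strlen(key) + 1 */
  return 0;
}

/* The copy holds private-key material: wipe it before freeing. */
void release_key_input(struct parse_input *in)
{
  volatile unsigned char *v = in->owned;
  size_t i;
  for(i = 0; v && i < in->len; i++) v[i] = 0;
  free(in->owned);
  in->owned = NULL;
}
```

DER input is passed through with its exact length, because appending a byte to it would count as trailing material.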
Report Stats
- Report ID: 3717365
- State: Closed
- Substate: informative
- Upvotes: 1