From 0d6e5944bc098a64380e9f22d1c41274335f869f Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Sun, 21 Jun 2026 23:18:13 +0200
Subject: [PATCH] setopt: make CURLOPT_KEYPASSWD work for SSH-only builds This option is used for both TLS and SSH so it needs to be handled even in TLS-disabled builds Mention this in the man page as well. Follow-up to 52fa8d9 Pointed out by Codex Security Closes #22121
---
 docs/libcurl/opts/CURLOPT_KEYPASSWD.md | 2 ++
 lib/setopt.c | 18 +++++++++++-------
 2 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/docs/libcurl/opts/CURLOPT_KEYPASSWD.md b/docs/libcurl/opts/CURLOPT_KEYPASSWD.md
index d97a94716436..38f5120cae8c 100644
--- a/docs/libcurl/opts/CURLOPT_KEYPASSWD.md
+++ b/docs/libcurl/opts/CURLOPT_KEYPASSWD.md
@@ -9,6 +9,8 @@ See-also:
 - CURLOPT_SSLKEY (3)
 Protocol:
 - TLS
+ - SFTP
+ - SCP
 TLS-backend:
 - OpenSSL
 - mbedTLS
diff --git a/lib/setopt.c b/lib/setopt.c
index d07a794135fc..0c0d47a68025 100644
--- a/lib/setopt.c
+++ b/lib/setopt.c
@@ -1884,7 +1884,8 @@ static CURLcode setopt_ech(struct Curl_easy *data, const char *ptr)
 #define setopt_ech(x,y) CURLE_NOT_BUILT_IN
 #endif
-#ifdef USE_SSL
+#if defined(USE_SSL) || defined(USE_SSH)
+/* One of the options is used for both TLS and SSH */
 static CURLcode setopt_cptr_ssl(struct Curl_easy *data, CURLoption option,
 char *ptr)
 {
@@ -1892,6 +1893,13 @@ static CURLcode setopt_cptr_ssl(struct Curl_easy *data, CURLoption option,
 struct UserDefined *s = &data->set;
 switch(option) {
+ case CURLOPT_KEYPASSWD:
+ /*
+ * String that holds the SSL or SSH private key password.
+ */
+ result = Curl_setstropt(&s->str[STRING_KEY_PASSWD], ptr);
+ break;
+#ifdef USE_SSL
 case CURLOPT_CAINFO:
 /*
 * Set CA info for SSL connection. Specify filename of the CA certificate
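Review bot: The comment added above setopt_cptr_ssl in the -1884 hunk, `/* One of the options is used for both TLS and SSH */`, does not say which option, so the reason for the widened guard is lost once this patch is out of view. Naming it would keep a later reader from narrowing the condition back to USE_SSL: `/* CURLOPT_KEYPASSWD is used by both TLS and SSH, so build this when either is enabled */`. The function keeps its _ssl name although it is now compiled in SSH-only builds, which the comment could also note. The function body continues outside this hunk.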
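Review bot: The new CURLOPT_KEYPASSWD case in the -1892 hunk assigns to `result` and breaks, while the case it replaces in the -1965 hunk and the other cases visible in this patch return directly. The declaration of `result` and whatever follows the switch are outside the hunk, so it cannot be seen here whether the rest of the function uses that pattern. `return Curl_setstropt(&s->str[STRING_KEY_PASSWD], ptr);` would match the neighbouring cases. The `#ifdef USE_SSL` opened here is closed by a bare `#endif` in the -2015 hunk, far down the switch; writing it as `#endif /* USE_SSL */` would make the pairing visible.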
@@ -1965,11 +1973,6 @@ static CURLcode setopt_cptr_ssl(struct Curl_easy *data, CURLoption option,
 * String that holds file type of the SSL key to use
 */
 return Curl_setstropt(&s->str[STRING_KEY_TYPE], ptr);
- case CURLOPT_KEYPASSWD:
- /*
- * String that holds the SSL or SSH private key password.
- */
- return Curl_setstropt(&s->str[STRING_KEY_PASSWD], ptr);
 case CURLOPT_SSLENGINE:
 /*
 * String that holds the SSL crypto engine.
@@ -2015,6 +2018,7 @@ static CURLcode setopt_cptr_ssl(struct Curl_easy *data, CURLoption option,
 return CURLE_NOT_BUILT_IN;
 case CURLOPT_ECH:
 return setopt_ech(data, ptr);
+#endif
 default:
 return CURLE_UNKNOWN_OPTION;
 }
@@ -2501,7 +2505,7 @@ static CURLcode setopt_cptr(struct Curl_easy *data, CURLoption option,
 #ifndef CURL_DISABLE_PROXY
 setopt_cptr_proxy,
 #endif
-#ifdef USE_SSL
+#if defined(USE_SSL) || defined(USE_SSH)
 setopt_cptr_ssl,
 #endif
 #ifdef USE_SSH
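Review bot: Nothing in this patch exercises the configuration it fixes: the diffstat lists only the man page and lib/setopt.c, so a build with SSH enabled and TLS disabled still has no check that setting CURLOPT_KEYPASSWD succeeds. The handler entry in the -2501 hunk is selected purely by preprocessor guards, so a later guard change could drop the option again without any test failing. A test or CI build for that configuration that sets the option and expects `CURLE_OK` would pin the behaviour. The handler table continues outside the hunk.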