1From 139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08 Mon Sep 17 00:00:00 2001
2From: Daniel Stenberg <daniel@haxx.se>
3Date: Mon, 25 Apr 2022 17:59:15 +0200
4Subject: [PATCH] openssl: don't leak the SRP credentials in redirects either
5
6Follow-up to 620ea21410030
7
8Reported-by: Harry Sintonen
9Closes #8751
10---
11 lib/http.c         | 10 +++++-----
12 lib/http.h         |  6 ++++++
13 lib/vtls/openssl.c |  3 ++-
14 3 files changed, 13 insertions(+), 6 deletions(-)
15
16diff --git a/lib/http.c b/lib/http.c
17index f0476f3b9272..0d5c449bc72a 100644
18--- a/lib/http.c
19+++ b/lib/http.c
20@@ -776,10 +776,10 @@ output_auth_headers(struct Curl_easy *data,
21 }
22
23 /*
24- * allow_auth_to_host() tells if autentication, cookies or other "sensitive
25- * data" can (still) be sent to this host.
26+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
27+ * "sensitive data" can (still) be sent to this host.
28  */
29-static bool allow_auth_to_host(struct Curl_easy *data)
30+bool Curl_allow_auth_to_host(struct Curl_easy *data)
31 {
32   struct connectdata *conn = data->conn;
33   return (!data->state.this_is_a_follow ||
34@@ -864,7 +864,7 @@ Curl_http_output_auth(struct Curl_easy *data,
35
36   /* To prevent the user+password to get sent to other than the original host
37      due to a location-follow */
38-  if(allow_auth_to_host(data)
39+  if(Curl_allow_auth_to_host(data)
40 #ifndef CURL_DISABLE_NETRC
41      || conn->bits.netrc
42 #endif
43@@ -1917,7 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
44                    checkprefix("Cookie:", compare)) &&
45                   /* be careful of sending this potentially sensitive header to
46                      other hosts */
47-                  !allow_auth_to_host(data))
48+                  !Curl_allow_auth_to_host(data))
49             ;
50           else {
51 #ifdef USE_HYPER
52diff --git a/lib/http.h b/lib/http.h
53index 0972261e63bd..c4ab3c22dec9 100644
54--- a/lib/http.h
55+++ b/lib/http.h
56@@ -364,4 +364,10 @@ Curl_http_output_auth(struct Curl_easy *data,
57                       bool proxytunnel); /* TRUE if this is the request setting
58                                             up the proxy tunnel */
59
60+/*
61+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
62+ * "sensitive data" can (still) be sent to this host.
63+ */
64+bool Curl_allow_auth_to_host(struct Curl_easy *data);
65+
66 #endif /* HEADER_CURL_HTTP_H */
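Review bot: The new prototype's comment in lib/http.h says sensitive data "can (still) be sent" without stating what decides it, so a caller in another file cannot tell what the function promises. The http.c body (cut off in its own hunk) starts from `!data->state.this_is_a_follow`, so the contract is at least "TRUE when this request is not a redirect follow"; the remaining disjunct is presumably a same-origin check on the follow target, which should be confirmed against the full function before documenting it. I would extend the header comment to something like `Returns TRUE when the request is not a redirect follow (or, see lib/http.c, the follow stays on the original host); callers that want netrc-sourced credentials to be exempt must OR in conn->bits.netrc themselves, as Curl_http_output_auth does.` The netrc exemption living in the caller rather than in this helper is worth spelling out, since a new caller (such as the openssl.c SRP path) will otherwise assume the helper already covers it.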
67diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
68index 5d8e2d39d8e2..3722005d44e9 100644
69--- a/lib/vtls/openssl.c
70+++ b/lib/vtls/openssl.c
71@@ -2924,7 +2924,8 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
72 #endif
73
74 #ifdef USE_OPENSSL_SRP
75-  if(ssl_authtype == CURL_TLSAUTH_SRP) {
76+  if((ssl_authtype == CURL_TLSAUTH_SRP) &&
77+     Curl_allow_auth_to_host(data)) {
78     char * const ssl_username = SSL_SET_OPTION(username);
79
80     infof(data, "Using TLS-SRP username: %s", ssl_username);
81
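Review bot: When the redirect check fails, the new condition silently skips the whole SRP block, so a user who configured CURL_TLSAUTH_SRP gets a handshake without SRP on the redirected host and no diagnostic explaining why it now fails or proceeds differently. An `else` branch logging the withheld credentials, e.g. `else if(ssl_authtype == CURL_TLSAUTH_SRP) infof(data, "TLS-SRP credentials not sent: redirect to a different host");`, would make the deliberate suppression visible in verbose output the way the "Using TLS-SRP username" line makes the normal path visible. It is also worth confirming whether the netrc exemption that Curl_http_output_auth applies on top of Curl_allow_auth_to_host is intentionally absent here, since SRP credentials come from SSL_SET_OPTION(username) rather than from netrc and presumably should not inherit it. If any other TLS backend under lib/vtls honours CURL_TLSAUTH_SRP it needs the same gate; only openssl.c is touched in this patch. ossl_connect_step1 begins and ends outside this hunk.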