| From 8af08ebf94bc6448dbc7da59845f5b78964689d9 Mon Sep 17 00:00:00 2001 |
| From: Daniel Stenberg <daniel@haxx.se> |
| Date: Mon, 25 Apr 2022 17:59:15 +0200 |
| Subject: [PATCH] openssl: don't leak the SRP credentials in redirects either |
| |
| Follow-up to 620ea21410030 |
| |
| Reported-by: Harry Sintonen |
| Closes #8751 |
| |
| Upstream-Status: Backport [https://github.com/curl/curl/commit/139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08] |
| Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> |
| --- |
| lib/http.c | 10 +++++----- |
| lib/http.h | 6 ++++++ |
| lib/vtls/openssl.c | 3 ++- |
| 3 files changed, 13 insertions(+), 6 deletions(-) |
| |
| diff --git a/lib/http.c b/lib/http.c |
| index 0791dcf..4433824 100644 |
| --- a/lib/http.c |
| +++ b/lib/http.c |
| @@ -776,10 +776,10 @@ output_auth_headers(struct Curl_easy *data, |
| } |
| |
| /* |
| - * allow_auth_to_host() tells if autentication, cookies or other "sensitive |
| - * data" can (still) be sent to this host. |
| + * Curl_allow_auth_to_host() tells if authentication, cookies or other |
| + * "sensitive data" can (still) be sent to this host. |
| */ |
| -static bool allow_auth_to_host(struct Curl_easy *data) |
| +bool Curl_allow_auth_to_host(struct Curl_easy *data) |
| { |
| struct connectdata *conn = data->conn; |
| return (!data->state.this_is_a_follow || |
| @@ -864,7 +864,7 @@ Curl_http_output_auth(struct Curl_easy *data, |
| |
| /* To prevent the user+password to get sent to other than the original host |
| due to a location-follow */ |
| - if(allow_auth_to_host(data) |
| + if(Curl_allow_auth_to_host(data) |
| #ifndef CURL_DISABLE_NETRC |
| || conn->bits.netrc |
| #endif |
| @@ -1917,7 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data, |
| checkprefix("Cookie:", compare)) && |
| /* be careful of sending this potentially sensitive header to |
| other hosts */ |
| - !allow_auth_to_host(data)) |
| + !Curl_allow_auth_to_host(data)) |
| ; |
| else { |
| #ifdef USE_HYPER |
| diff --git a/lib/http.h b/lib/http.h |
| index 07e963d..9000bae 100644 |
| --- a/lib/http.h |
| +++ b/lib/http.h |
| @@ -320,4 +320,10 @@ Curl_http_output_auth(struct Curl_easy *data, |
| bool proxytunnel); /* TRUE if this is the request setting |
| up the proxy tunnel */ |
| |
| +/* |
| + * Curl_allow_auth_to_host() tells if authentication, cookies or other |
| + * "sensitive data" can (still) be sent to this host. |
| + */ |
| +bool Curl_allow_auth_to_host(struct Curl_easy *data); |
| + |
| #endif /* HEADER_CURL_HTTP_H */ |
| diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c |
| index 616a510..e8633f4 100644 |
| --- a/lib/vtls/openssl.c |
| +++ b/lib/vtls/openssl.c |
| @@ -2893,7 +2893,8 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, |
| #endif |
| |
| #ifdef USE_OPENSSL_SRP |
| - if(ssl_authtype == CURL_TLSAUTH_SRP) { |
| + if((ssl_authtype == CURL_TLSAUTH_SRP) && |
| + Curl_allow_auth_to_host(data)) { |
| char * const ssl_username = SSL_SET_OPTION(username); |
| |
| infof(data, "Using TLS-SRP username: %s", ssl_username); |