curl
/
backport-002-CVE-2022-27774.patch

From 139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 25 Apr 2022 17:59:15 +0200
Subject: [PATCH] openssl: don't leak the SRP credentials in redirects either

Follow-up to 620ea21410030

Reported-by: Harry Sintonen
Closes #8751
---
 lib/http.c         | 10 +++++-----
 lib/http.h         |  6 ++++++
 lib/vtls/openssl.c |  3 ++-
 3 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/lib/http.c b/lib/http.c
index f0476f3b9272..0d5c449bc72a 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -776,10 +776,10 @@ output_auth_headers(struct Curl_easy *data,
 }

 /*
- * allow_auth_to_host() tells if autentication, cookies or other "sensitive
- * data" can (still) be sent to this host.
+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
+ * "sensitive data" can (still) be sent to this host.
  */
-static bool allow_auth_to_host(struct Curl_easy *data)
+bool Curl_allow_auth_to_host(struct Curl_easy *data)
 {
   struct connectdata *conn = data->conn;
   return (!data->state.this_is_a_follow ||
@@ -864,7 +864,7 @@ Curl_http_output_auth(struct Curl_easy *data,

   /* To prevent the user+password to get sent to other than the original host
      due to a location-follow */
-  if(allow_auth_to_host(data)
+  if(Curl_allow_auth_to_host(data)
 #ifndef CURL_DISABLE_NETRC
      || conn->bits.netrc
 #endif
@@ -1917,7 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
                    checkprefix("Cookie:", compare)) &&
                   /* be careful of sending this potentially sensitive header to
                      other hosts */
-                  !allow_auth_to_host(data))
+                  !Curl_allow_auth_to_host(data))
             ;
           else {
 #ifdef USE_HYPER
diff --git a/lib/http.h b/lib/http.h
index 0972261e63bd..c4ab3c22dec9 100644
--- a/lib/http.h
+++ b/lib/http.h
@@ -364,4 +364,10 @@ Curl_http_output_auth(struct Curl_easy *data,
                       bool proxytunnel); /* TRUE if this is the request setting
                                             up the proxy tunnel */

+/*
+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
+ * "sensitive data" can (still) be sent to this host.
+ */
+bool Curl_allow_auth_to_host(struct Curl_easy *data);
+
 #endif /* HEADER_CURL_HTTP_H */
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 5d8e2d39d8e2..3722005d44e9 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2924,7 +2924,8 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
 #endif

 #ifdef USE_OPENSSL_SRP
-  if(ssl_authtype == CURL_TLSAUTH_SRP) {
+  if((ssl_authtype == CURL_TLSAUTH_SRP) &&
+     Curl_allow_auth_to_host(data)) {
     char * const ssl_username = SSL_SET_OPTION(username);

     infof(data, "Using TLS-SRP username: %s", ssl_username);