Blame SOURCES/0013-curl-7.76.1-CVE-2022-27774.patch

e078bf
From ecee0926868d138312e9608531b232f697e50cad Mon Sep 17 00:00:00 2001
e078bf
From: Daniel Stenberg <daniel@haxx.se>
e078bf
Date: Mon, 25 Apr 2022 16:24:33 +0200
e078bf
Subject: [PATCH 1/4] connect: store "conn_remote_port" in the info struct
e078bf
e078bf
To make it available after the connection ended.
e078bf
e078bf
Upstream-commit: 08b8ef4e726ba10f45081ecda5b3cea788d3c839
e078bf
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
e078bf
---
e078bf
 lib/connect.c | 1 +
e078bf
 lib/urldata.h | 6 +++++-
e078bf
 2 files changed, 6 insertions(+), 1 deletion(-)
e078bf
e078bf
diff --git a/lib/connect.c b/lib/connect.c
e078bf
index 64f9511..7518807 100644
e078bf
--- a/lib/connect.c
e078bf
+++ b/lib/connect.c
e078bf
@@ -619,6 +619,7 @@ void Curl_persistconninfo(struct Curl_easy *data, struct connectdata *conn,
e078bf
   data->info.conn_scheme = conn->handler->scheme;
e078bf
   data->info.conn_protocol = conn->handler->protocol;
e078bf
   data->info.conn_primary_port = conn->port;
e078bf
+  data->info.conn_remote_port = conn->remote_port;
e078bf
   data->info.conn_local_port = local_port;
e078bf
 }
e078bf
 
e078bf
diff --git a/lib/urldata.h b/lib/urldata.h
e078bf
index f92052a..5218f76 100644
e078bf
--- a/lib/urldata.h
e078bf
+++ b/lib/urldata.h
e078bf
@@ -1167,7 +1167,11 @@ struct PureInfo {
e078bf
      reused, in the connection cache. */
e078bf
 
e078bf
   char conn_primary_ip[MAX_IPADR_LEN];
e078bf
-  int conn_primary_port;
e078bf
+  int conn_primary_port; /* this is the destination port to the connection,
e078bf
+                            which might have been a proxy */
e078bf
+  int conn_remote_port;  /* this is the "remote port", which is the port
e078bf
+                            number of the used URL, independent of proxy or
e078bf
+                            not */
e078bf
   char conn_local_ip[MAX_IPADR_LEN];
e078bf
   int conn_local_port;
e078bf
   const char *conn_scheme;
e078bf
-- 
e078bf
2.34.1
e078bf
e078bf
e078bf
From 12c129f8d0b165d83ed954f68717d88ffc1cfc5f Mon Sep 17 00:00:00 2001
e078bf
From: Daniel Stenberg <daniel@haxx.se>
e078bf
Date: Mon, 25 Apr 2022 16:24:33 +0200
e078bf
Subject: [PATCH 2/4] transfer: redirects to other protocols or ports clear
e078bf
 auth
e078bf
e078bf
... unless explicitly permitted.
e078bf
e078bf
Bug: https://curl.se/docs/CVE-2022-27774.html
e078bf
Reported-by: Harry Sintonen
e078bf
Closes #8748
e078bf
e078bf
Upstream-commit: 620ea21410030a9977396b4661806bc187231b79
e078bf
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
e078bf
---
e078bf
 lib/transfer.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++-
e078bf
 1 file changed, 48 insertions(+), 1 deletion(-)
e078bf
e078bf
diff --git a/lib/transfer.c b/lib/transfer.c
e078bf
index 1f8019b..752fe14 100644
e078bf
--- a/lib/transfer.c
e078bf
+++ b/lib/transfer.c
e078bf
@@ -1641,10 +1641,57 @@ CURLcode Curl_follow(struct Curl_easy *data,
e078bf
       return CURLE_OUT_OF_MEMORY;
e078bf
   }
e078bf
   else {
e078bf
-
e078bf
     uc = curl_url_get(data->state.uh, CURLUPART_URL, &newurl, 0);
e078bf
     if(uc)
e078bf
       return Curl_uc_to_curlcode(uc);
e078bf
+
e078bf
+    /* Clear auth if this redirects to a different port number or protocol,
e078bf
+       unless permitted */
e078bf
+    if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) {
e078bf
+      char *portnum;
e078bf
+      int port;
e078bf
+      bool clear = FALSE;
e078bf
+
e078bf
+      if(data->set.use_port && data->state.allow_port)
e078bf
+        /* a custom port is used */
e078bf
+        port = (int)data->set.use_port;
e078bf
+      else {
e078bf
+        uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum,
e078bf
+                          CURLU_DEFAULT_PORT);
e078bf
+        if(uc) {
e078bf
+          free(newurl);
e078bf
+          return Curl_uc_to_curlcode(uc);
e078bf
+        }
e078bf
+        port = atoi(portnum);
e078bf
+        free(portnum);
e078bf
+      }
e078bf
+      if(port != data->info.conn_remote_port) {
e078bf
+        infof(data, "Clear auth, redirects to port from %u to %u",
e078bf
+              data->info.conn_remote_port, port);
e078bf
+        clear = TRUE;
e078bf
+      }
e078bf
+      else {
e078bf
+        char *scheme;
e078bf
+        const struct Curl_handler *p;
e078bf
+        uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0);
e078bf
+        if(uc) {
e078bf
+          free(newurl);
e078bf
+          return Curl_uc_to_curlcode(uc);
e078bf
+        }
e078bf
+
e078bf
+        p = Curl_builtin_scheme(scheme);
e078bf
+        if(p && (p->protocol != data->info.conn_protocol)) {
e078bf
+          infof(data, "Clear auth, redirects scheme from %s to %s",
e078bf
+                data->info.conn_scheme, scheme);
e078bf
+          clear = TRUE;
e078bf
+        }
e078bf
+        free(scheme);
e078bf
+      }
e078bf
+      if(clear) {
e078bf
+        Curl_safefree(data->state.aptr.user);
e078bf
+        Curl_safefree(data->state.aptr.passwd);
e078bf
+      }
e078bf
+    }
e078bf
   }
e078bf
 
e078bf
   if(type == FOLLOW_FAKE) {
e078bf
-- 
e078bf
2.34.1
e078bf
e078bf
e078bf
From 83bf4314d88cc16469afeaaefd6686a50371d1b7 Mon Sep 17 00:00:00 2001
e078bf
From: Daniel Stenberg <daniel@haxx.se>
e078bf
Date: Mon, 25 Apr 2022 16:24:33 +0200
e078bf
Subject: [PATCH 3/4] tests: verify the fix for CVE-2022-27774
e078bf
e078bf
 - Test 973 redirects from HTTP to FTP, clear auth
e078bf
 - Test 974 redirects from HTTP to HTTP different port, clear auth
e078bf
 - Test 975 redirects from HTTP to FTP, permitted to keep auth
e078bf
 - Test 976 redirects from HTTP to HTTP different port, permitted to keep
e078bf
   auth
e078bf
e078bf
Upstream-commit: 5295e8d64ac6949ecb3f9e564317a608f51b90d8
e078bf
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
e078bf
---
e078bf
 tests/data/Makefile.inc |  1 +
e078bf
 tests/data/test973      | 88 +++++++++++++++++++++++++++++++++++++++++
e078bf
 tests/data/test974      | 87 ++++++++++++++++++++++++++++++++++++++++
e078bf
 tests/data/test975      | 88 +++++++++++++++++++++++++++++++++++++++++
e078bf
 tests/data/test976      | 88 +++++++++++++++++++++++++++++++++++++++++
e078bf
 5 files changed, 352 insertions(+)
e078bf
 create mode 100644 tests/data/test973
e078bf
 create mode 100644 tests/data/test974
e078bf
 create mode 100644 tests/data/test975
e078bf
 create mode 100644 tests/data/test976
e078bf
e078bf
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
e078bf
index 7ae2cf8..175fc43 100644
e078bf
--- a/tests/data/Makefile.inc
e078bf
+++ b/tests/data/Makefile.inc
e078bf
@@ -116,6 +116,7 @@ test936 test937 test938 test939 test940 test941 test942 test943 test944 \
e078bf
 test945 test946 test947 test948 test949 test950 test951 test952 test953 \
e078bf
 test954 test955 test956 test957 test958 test959 test960 test961 test962 \
e078bf
 test963 test964 test965 test966 test967 test968 test969 test970 test971 \
e078bf
+test973 test974 test975 test976 \
e078bf
 \
e078bf
 test980 test981 test982 test983 test984 test985 test986 \
e078bf
 \
e078bf
diff --git a/tests/data/test973 b/tests/data/test973
e078bf
new file mode 100644
e078bf
index 0000000..6ced107
e078bf
--- /dev/null
e078bf
+++ b/tests/data/test973
e078bf
@@ -0,0 +1,88 @@
e078bf
+<testcase>
e078bf
+<info>
e078bf
+<keywords>
e078bf
+HTTP
e078bf
+FTP
e078bf
+--location
e078bf
+</keywords>
e078bf
+</info>
e078bf
+
e078bf
+#
e078bf
+# Server-side
e078bf
+<reply>
e078bf
+<data>
e078bf
+HTTP/1.1 301 redirect
e078bf
+Date: Tue, 09 Nov 2010 14:49:00 GMT
e078bf
+Server: test-server/fake
e078bf
+Content-Length: 0
e078bf
+Connection: close
e078bf
+Content-Type: text/html
e078bf
+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
e078bf
+
e078bf
+</data>
e078bf
+<data2>
e078bf
+data
e078bf
+    to
e078bf
+      see
e078bf
+that FTP
e078bf
+works
e078bf
+  so does it?
e078bf
+</data2>
e078bf
+
e078bf
+<datacheck>
e078bf
+HTTP/1.1 301 redirect
e078bf
+Date: Tue, 09 Nov 2010 14:49:00 GMT
e078bf
+Server: test-server/fake
e078bf
+Content-Length: 0
e078bf
+Connection: close
e078bf
+Content-Type: text/html
e078bf
+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
e078bf
+
e078bf
+data
e078bf
+    to
e078bf
+      see
e078bf
+that FTP
e078bf
+works
e078bf
+  so does it?
e078bf
+</datacheck>
e078bf
+
e078bf
+</reply>
e078bf
+
e078bf
+#
e078bf
+# Client-side
e078bf
+<client>
e078bf
+<server>
e078bf
+http
e078bf
+ftp
e078bf
+</server>
e078bf
+ <name>
e078bf
+HTTP with auth redirected to FTP w/o auth
e078bf
+ </name>
e078bf
+ <command>
e078bf
+http://%HOSTIP:%HTTPPORT/%TESTNUMBER -L -u joe:secret
e078bf
+</command>
e078bf
+</client>
e078bf
+
e078bf
+#
e078bf
+# Verify data after the test has been "shot"
e078bf
+<verify>
e078bf
+<protocol>
e078bf
+GET /%TESTNUMBER HTTP/1.1
e078bf
+Host: %HOSTIP:%HTTPPORT
e078bf
+Authorization: Basic am9lOnNlY3JldA==
e078bf
+User-Agent: curl/%VERSION
e078bf
+Accept: */*
e078bf
+
e078bf
+USER anonymous
e078bf
+PASS ftp@example.com
e078bf
+PWD
e078bf
+CWD a
e078bf
+CWD path
e078bf
+EPSV
e078bf
+TYPE I
e078bf
+SIZE %TESTNUMBER0002
e078bf
+RETR %TESTNUMBER0002
e078bf
+QUIT
e078bf
+</protocol>
e078bf
+</verify>
e078bf
+</testcase>
e078bf
diff --git a/tests/data/test974 b/tests/data/test974
e078bf
new file mode 100644
e078bf
index 0000000..ac4e641
e078bf
--- /dev/null
e078bf
+++ b/tests/data/test974
e078bf
@@ -0,0 +1,87 @@
e078bf
+<testcase>
e078bf
+<info>
e078bf
+<keywords>
e078bf
+HTTP
e078bf
+--location
e078bf
+</keywords>
e078bf
+</info>
e078bf
+
e078bf
+#
e078bf
+# Server-side
e078bf
+<reply>
e078bf
+<data>
e078bf
+HTTP/1.1 301 redirect
e078bf
+Date: Tue, 09 Nov 2010 14:49:00 GMT
e078bf
+Server: test-server/fake
e078bf
+Content-Length: 0
e078bf
+Connection: close
e078bf
+Content-Type: text/html
e078bf
+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
e078bf
+
e078bf
+</data>
e078bf
+<data2>
e078bf
+HTTP/1.1 200 OK
e078bf
+Date: Tue, 09 Nov 2010 14:49:00 GMT
e078bf
+Server: test-server/fake
e078bf
+Content-Length: 4
e078bf
+Connection: close
e078bf
+Content-Type: text/html
e078bf
+
e078bf
+hey
e078bf
+</data2>
e078bf
+
e078bf
+<datacheck>
e078bf
+HTTP/1.1 301 redirect
e078bf
+Date: Tue, 09 Nov 2010 14:49:00 GMT
e078bf
+Server: test-server/fake
e078bf
+Content-Length: 0
e078bf
+Connection: close
e078bf
+Content-Type: text/html
e078bf
+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
e078bf
+
e078bf
+HTTP/1.1 200 OK
e078bf
+Date: Tue, 09 Nov 2010 14:49:00 GMT
e078bf
+Server: test-server/fake
e078bf
+Content-Length: 4
e078bf
+Connection: close
e078bf
+Content-Type: text/html
e078bf
+
e078bf
+hey
e078bf
+</datacheck>
e078bf
+
e078bf
+</reply>
e078bf
+
e078bf
+#
e078bf
+# Client-side
e078bf
+<client>
e078bf
+<server>
e078bf
+http
e078bf
+</server>
e078bf
+ <name>
e078bf
+HTTP with auth redirected to HTTP on a diff port w/o auth
e078bf
+ </name>
e078bf
+ <command>
e078bf
+-x http://%HOSTIP:%HTTPPORT http://firsthost.com -L -u joe:secret
e078bf
+</command>
e078bf
+</client>
e078bf
+
e078bf
+#
e078bf
+# Verify data after the test has been "shot"
e078bf
+<verify>
e078bf
+<protocol>
e078bf
+GET http://firsthost.com/ HTTP/1.1
e078bf
+Host: firsthost.com
e078bf
+Authorization: Basic am9lOnNlY3JldA==
e078bf
+User-Agent: curl/%VERSION
e078bf
+Accept: */*
e078bf
+Proxy-Connection: Keep-Alive
e078bf
+
e078bf
+GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1
e078bf
+Host: firsthost.com:9999
e078bf
+User-Agent: curl/%VERSION
e078bf
+Accept: */*
e078bf
+Proxy-Connection: Keep-Alive
e078bf
+
e078bf
+</protocol>
e078bf
+</verify>
e078bf
+</testcase>
e078bf
diff --git a/tests/data/test975 b/tests/data/test975
e078bf
new file mode 100644
e078bf
index 0000000..85e03e4
e078bf
--- /dev/null
e078bf
+++ b/tests/data/test975
e078bf
@@ -0,0 +1,88 @@
e078bf
+<testcase>
e078bf
+<info>
e078bf
+<keywords>
e078bf
+HTTP
e078bf
+FTP
e078bf
+--location-trusted
e078bf
+</keywords>
e078bf
+</info>
e078bf
+
e078bf
+#
e078bf
+# Server-side
e078bf
+<reply>
e078bf
+<data>
e078bf
+HTTP/1.1 301 redirect
e078bf
+Date: Tue, 09 Nov 2010 14:49:00 GMT
e078bf
+Server: test-server/fake
e078bf
+Content-Length: 0
e078bf
+Connection: close
e078bf
+Content-Type: text/html
e078bf
+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
e078bf
+
e078bf
+</data>
e078bf
+<data2>
e078bf
+data
e078bf
+    to
e078bf
+      see
e078bf
+that FTP
e078bf
+works
e078bf
+  so does it?
e078bf
+</data2>
e078bf
+
e078bf
+<datacheck>
e078bf
+HTTP/1.1 301 redirect
e078bf
+Date: Tue, 09 Nov 2010 14:49:00 GMT
e078bf
+Server: test-server/fake
e078bf
+Content-Length: 0
e078bf
+Connection: close
e078bf
+Content-Type: text/html
e078bf
+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
e078bf
+
e078bf
+data
e078bf
+    to
e078bf
+      see
e078bf
+that FTP
e078bf
+works
e078bf
+  so does it?
e078bf
+</datacheck>
e078bf
+
e078bf
+</reply>
e078bf
+
e078bf
+#
e078bf
+# Client-side
e078bf
+<client>
e078bf
+<server>
e078bf
+http
e078bf
+ftp
e078bf
+</server>
e078bf
+ <name>
e078bf
+HTTP with auth redirected to FTP allowing auth to continue
e078bf
+ </name>
e078bf
+ <command>
e078bf
+http://%HOSTIP:%HTTPPORT/%TESTNUMBER --location-trusted -u joe:secret
e078bf
+</command>
e078bf
+</client>
e078bf
+
e078bf
+#
e078bf
+# Verify data after the test has been "shot"
e078bf
+<verify>
e078bf
+<protocol>
e078bf
+GET /%TESTNUMBER HTTP/1.1
e078bf
+Host: %HOSTIP:%HTTPPORT
e078bf
+Authorization: Basic am9lOnNlY3JldA==
e078bf
+User-Agent: curl/%VERSION
e078bf
+Accept: */*
e078bf
+
e078bf
+USER joe
e078bf
+PASS secret
e078bf
+PWD
e078bf
+CWD a
e078bf
+CWD path
e078bf
+EPSV
e078bf
+TYPE I
e078bf
+SIZE %TESTNUMBER0002
e078bf
+RETR %TESTNUMBER0002
e078bf
+QUIT
e078bf
+</protocol>
e078bf
+</verify>
e078bf
+</testcase>
e078bf
diff --git a/tests/data/test976 b/tests/data/test976
e078bf
new file mode 100644
e078bf
index 0000000..c4dd61e
e078bf
--- /dev/null
e078bf
+++ b/tests/data/test976
e078bf
@@ -0,0 +1,88 @@
e078bf
+<testcase>
e078bf
+<info>
e078bf
+<keywords>
e078bf
+HTTP
e078bf
+--location-trusted
e078bf
+</keywords>
e078bf
+</info>
e078bf
+
e078bf
+#
e078bf
+# Server-side
e078bf
+<reply>
e078bf
+<data>
e078bf
+HTTP/1.1 301 redirect
e078bf
+Date: Tue, 09 Nov 2010 14:49:00 GMT
e078bf
+Server: test-server/fake
e078bf
+Content-Length: 0
e078bf
+Connection: close
e078bf
+Content-Type: text/html
e078bf
+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
e078bf
+
e078bf
+</data>
e078bf
+<data2>
e078bf
+HTTP/1.1 200 OK
e078bf
+Date: Tue, 09 Nov 2010 14:49:00 GMT
e078bf
+Server: test-server/fake
e078bf
+Content-Length: 4
e078bf
+Connection: close
e078bf
+Content-Type: text/html
e078bf
+
e078bf
+hey
e078bf
+</data2>
e078bf
+
e078bf
+<datacheck>
e078bf
+HTTP/1.1 301 redirect
e078bf
+Date: Tue, 09 Nov 2010 14:49:00 GMT
e078bf
+Server: test-server/fake
e078bf
+Content-Length: 0
e078bf
+Connection: close
e078bf
+Content-Type: text/html
e078bf
+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
e078bf
+
e078bf
+HTTP/1.1 200 OK
e078bf
+Date: Tue, 09 Nov 2010 14:49:00 GMT
e078bf
+Server: test-server/fake
e078bf
+Content-Length: 4
e078bf
+Connection: close
e078bf
+Content-Type: text/html
e078bf
+
e078bf
+hey
e078bf
+</datacheck>
e078bf
+
e078bf
+</reply>
e078bf
+
e078bf
+#
e078bf
+# Client-side
e078bf
+<client>
e078bf
+<server>
e078bf
+http
e078bf
+</server>
e078bf
+ <name>
e078bf
+HTTP with auth redirected to HTTP on a diff port --location-trusted
e078bf
+ </name>
e078bf
+ <command>
e078bf
+-x http://%HOSTIP:%HTTPPORT http://firsthost.com --location-trusted -u joe:secret
e078bf
+</command>
e078bf
+</client>
e078bf
+
e078bf
+#
e078bf
+# Verify data after the test has been "shot"
e078bf
+<verify>
e078bf
+<protocol>
e078bf
+GET http://firsthost.com/ HTTP/1.1
e078bf
+Host: firsthost.com
e078bf
+Authorization: Basic am9lOnNlY3JldA==
e078bf
+User-Agent: curl/%VERSION
e078bf
+Accept: */*
e078bf
+Proxy-Connection: Keep-Alive
e078bf
+
e078bf
+GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1
e078bf
+Host: firsthost.com:9999
e078bf
+Authorization: Basic am9lOnNlY3JldA==
e078bf
+User-Agent: curl/%VERSION
e078bf
+Accept: */*
e078bf
+Proxy-Connection: Keep-Alive
e078bf
+
e078bf
+</protocol>
e078bf
+</verify>
e078bf
+</testcase>
e078bf
-- 
e078bf
2.34.1
e078bf
e078bf
e078bf
From 443ce415aa60caaf8b1c9b0b71fff8d26263daca Mon Sep 17 00:00:00 2001
e078bf
From: Daniel Stenberg <daniel@haxx.se>
e078bf
Date: Mon, 25 Apr 2022 17:59:15 +0200
e078bf
Subject: [PATCH 4/4] openssl: don't leak the SRP credentials in redirects
e078bf
 either
e078bf
e078bf
Follow-up to 620ea21410030
e078bf
e078bf
Reported-by: Harry Sintonen
e078bf
Closes #8751
e078bf
e078bf
Upstream-commit: 139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08
e078bf
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
e078bf
---
e078bf
 lib/http.c         | 10 +++++-----
e078bf
 lib/http.h         |  6 ++++++
e078bf
 lib/vtls/openssl.c |  3 ++-
e078bf
 3 files changed, 13 insertions(+), 6 deletions(-)
e078bf
e078bf
diff --git a/lib/http.c b/lib/http.c
e078bf
index 0791dcf..4433824 100644
e078bf
--- a/lib/http.c
e078bf
+++ b/lib/http.c
e078bf
@@ -776,10 +776,10 @@ output_auth_headers(struct Curl_easy *data,
e078bf
 }
e078bf
 
e078bf
 /*
e078bf
- * allow_auth_to_host() tells if autentication, cookies or other "sensitive
e078bf
- * data" can (still) be sent to this host.
e078bf
+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
e078bf
+ * "sensitive data" can (still) be sent to this host.
e078bf
  */
e078bf
-static bool allow_auth_to_host(struct Curl_easy *data)
e078bf
+bool Curl_allow_auth_to_host(struct Curl_easy *data)
e078bf
 {
e078bf
   struct connectdata *conn = data->conn;
e078bf
   return (!data->state.this_is_a_follow ||
e078bf
@@ -864,7 +864,7 @@ Curl_http_output_auth(struct Curl_easy *data,
e078bf
 
e078bf
   /* To prevent the user+password to get sent to other than the original host
e078bf
      due to a location-follow */
e078bf
-  if(allow_auth_to_host(data)
e078bf
+  if(Curl_allow_auth_to_host(data)
e078bf
      || conn->bits.netrc)
e078bf
     result = output_auth_headers(data, conn, authhost, request, path, FALSE);
e078bf
   else
e078bf
@@ -1917,7 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
e078bf
                    checkprefix("Cookie:", compare)) &&
e078bf
                   /* be careful of sending this potentially sensitive header to
e078bf
                      other hosts */
e078bf
-                  !allow_auth_to_host(data))
e078bf
+                  !Curl_allow_auth_to_host(data))
e078bf
             ;
e078bf
           else {
e078bf
 #ifdef USE_HYPER
e078bf
diff --git a/lib/http.h b/lib/http.h
e078bf
index 07e963d..9000bae 100644
e078bf
--- a/lib/http.h
e078bf
+++ b/lib/http.h
e078bf
@@ -317,4 +317,10 @@ Curl_http_output_auth(struct Curl_easy *data,
e078bf
                       bool proxytunnel); /* TRUE if this is the request setting
e078bf
                                             up the proxy tunnel */
e078bf
 
e078bf
+/*
e078bf
+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
e078bf
+ * "sensitive data" can (still) be sent to this host.
e078bf
+ */
e078bf
+bool Curl_allow_auth_to_host(struct Curl_easy *data);
e078bf
+
e078bf
 #endif /* HEADER_CURL_HTTP_H */
e078bf
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
e078bf
index 1bafe96..97c5666 100644
e078bf
--- a/lib/vtls/openssl.c
e078bf
+++ b/lib/vtls/openssl.c
e078bf
@@ -2857,7 +2857,8 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
e078bf
 #endif
e078bf
 
e078bf
 #ifdef USE_OPENSSL_SRP
e078bf
-  if(ssl_authtype == CURL_TLSAUTH_SRP) {
e078bf
+  if((ssl_authtype == CURL_TLSAUTH_SRP) &&
e078bf
+     Curl_allow_auth_to_host(data)) {
e078bf
     char * const ssl_username = SSL_SET_OPTION(username);
e078bf
 
e078bf
     infof(data, "Using TLS-SRP username: %s\n", ssl_username);
e078bf
-- 
e078bf
2.34.1
e078bf