gnutls: don't leak the SRP credentials in redirects

Follow-up to 620ea21410 and 139a54ed0a Reported-by: Harry Sintonen Closes #8752
2022-04-26 07:46:19 +02:00 · 2022-04-26 07:46:19 +02:00 · 0935315562
commit 0935315562
parent d2a36beee6
1 changed files with 3 additions and 3 deletions
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@ -445,11 +445,11 @@ gtls_connect_step1(struct Curl_easy *data,
  }

 #ifdef USE_GNUTLS_SRP
-  if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
+  if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) &&
+     Curl_allow_auth_to_host(data)) {
    infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username));

-    rc = gnutls_srp_allocate_client_credentials(
-           &backend->srp_client_cred);
+    rc = gnutls_srp_allocate_client_credentials(&backend->srp_client_cred);
    if(rc != GNUTLS_E_SUCCESS) {
      failf(data, "gnutls_srp_allocate_client_cred() failed: %s",
            gnutls_strerror(rc));