| author | Morten Minde Neergaard <169057+xim@users.noreply.github.com> | 2021-03-12 12:40:22 +0100 |
|---|---|---|
| committer | Jay Satiro <raysatiro@yahoo.com> | 2021-04-22 17:40:19 -0400 |
| commit | 67d3afa73f4cdb8a6c473f911c8af800121e0a49 (patch) | |
| tree | 8ca42a8a4c1572ef77a25795c8339a54cfa5db7e | |
| parent | 99383194de2f638215051dfc93605440633395fe (diff) | |
schannel: Support strong crypto option
- Support enabling strong crypto via optional user cipher list when
USE_STRONG_CRYPTO or SCH_USE_STRONG_CRYPTO is in the list.
MSDN says SCH_USE_STRONG_CRYPTO "Instructs Schannel to disable known
weak cryptographic algorithms, cipher suites, and SSL/TLS protocol
versions that may be otherwise enabled for better interoperability."
Ref: https://curl.se/mail/lib-2021-02/0066.html
Ref: https://curl.se/docs/manpage.html#--ciphers
Ref: https://curl.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
Ref: https://docs.microsoft.com/en-us/windows/win32/api/schannel/ns-schannel-schannel_cred
Closes https://github.com/curl/curl/pull/6734
-rw-r--r-- | docs/CIPHERS.md | 6 |
-rw-r--r-- | lib/vtls/schannel.c | 9 |
2 files changed, 15 insertions, 0 deletions
diff --git a/docs/CIPHERS.md b/docs/CIPHERS.md index 2190ff156..af8f2f4c4 100644 --- a/docs/CIPHERS.md +++ b/docs/CIPHERS.md @@ -514,3 +514,9 @@ and the request will fail. `CALG_ECMQV`, `CALG_ECDSA`, `CALG_ECDH_EPHEM`, + +As of curl 7.77.0, you can also pass `SCH_USE_STRONG_CRYPTO` as a cipher name +to [constrain the set of available ciphers as specified in the schannel +documentation](https://docs.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-server-2022). +Note that the supported ciphers in this case follows the OS version, so if you +are running an outdated OS you might still be supporting weak ciphers. diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c index 7d96cf7fc..9efbcc297 100644 --- a/lib/vtls/schannel.c +++ b/lib/vtls/schannel.c @@ -117,6 +117,10 @@ #define SP_PROT_TLS1_2_CLIENT 0x00000800 #endif +#ifndef SCH_USE_STRONG_CRYPTO +#define SCH_USE_STRONG_CRYPTO 0x00400000 +#endif + #ifndef SECBUFFER_ALERT #define SECBUFFER_ALERT 17 #endif @@ -335,6 +339,11 @@ set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers) alg = get_alg_id_by_name(startCur); if(alg) algIds[algCount++] = alg; + else if(!strncmp(startCur, "USE_STRONG_CRYPTO", + sizeof("USE_STRONG_CRYPTO") - 1) || + !strncmp(startCur, "SCH_USE_STRONG_CRYPTO", + sizeof("SCH_USE_STRONG_CRYPTO") - 1)) + schannel_cred->dwFlags |= SCH_USE_STRONG_CRYPTO; else return CURLE_SSL_CIPHER; startCur = strchr(startCur, ':'); |
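Review bot: in the docs/CIPHERS.md hunk, "the supported ciphers in this case follows the OS version" should read "follow", and the text documents only `SCH_USE_STRONG_CRYPTO` while the schannel.c hunk also accepts the shorter alias `USE_STRONG_CRYPTO`; either document both spellings or accept only the one that is documented. The link text says "as specified in the schannel documentation" but the URL is the Windows Server 2022 cipher-suite list; the SCHANNEL_CRED page already cited in the commit message (ns-schannel-schannel_cred) is where the flag itself is defined and would be the more direct reference.

Review bot: the new `#ifndef SCH_USE_STRONG_CRYPTO` / `#define SCH_USE_STRONG_CRYPTO 0x00400000` fallback in lib/vtls/schannel.c carries no comment, unlike a reader would want for a hard-coded flag value; a one-line note that older Windows SDK headers omit the definition and that the literal mirrors the SDK's schannel.h would make the block self-explanatory. The value does match the documented flag.

Review bot: the two `strncmp(startCur, "...", sizeof("...") - 1)` tests in the set_ssl_ciphers hunk are prefix matches, so any token that merely begins with `USE_STRONG_CRYPTO` or `SCH_USE_STRONG_CRYPTO` (for example a mistyped name with trailing characters) silently enables the flag instead of falling through to `return CURLE_SSL_CIPHER;` like every other unrecognised name. Compare the whole token instead: measure its length up to the ':' delimiter that `strchr(startCur, ':')` already locates, require it to equal `sizeof("SCH_USE_STRONG_CRYPTO") - 1` (or the shorter alias's length) before the `strncmp`, so that only an exact name sets `schannel_cred->dwFlags |= SCH_USE_STRONG_CRYPTO;`.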