[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[GNUnet-SVN] [gnurl] 83/163: schannel: support selecting ciphers
From: |
gnunet |
Subject: |
[GNUnet-SVN] [gnurl] 83/163: schannel: support selecting ciphers |
Date: |
Sun, 05 Aug 2018 12:36:49 +0200 |
This is an automated email from the git hooks/post-receive script.
ng0 pushed a commit to branch master
in repository gnurl.
commit 9aefbff30d280c60fc9d8cc3e0b2f19fc70a2f28
Author: Robert Prag <address@hidden>
AuthorDate: Fri Jun 1 17:17:40 2018 -0700
schannel: support selecting ciphers
Given the contstraints of SChannel, I'm exposing these as the algorithms
themselves instead; while replicating the ciphersuite as specified by
OpenSSL would have been preferable, I found no way in the SChannel API
to do so.
To use this from the commandline, you need to pass the names of contants
defining the desired algorithms. For example, curl --ciphers
"CALG_SHA1:CALG_RSA_SIGN:CALG_RSA_KEYX:CALG_AES_128:CALG_DH_EPHEM"
https://github.com The specific names come from wincrypt.h
Closes #2630
---
docs/CIPHERS.md | 51 ++++++++++++++++++++++
lib/vtls/schannel.c | 121 ++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 172 insertions(+)
diff --git a/docs/CIPHERS.md b/docs/CIPHERS.md
index 99d9f7dc7..2a1d8ca7e 100644
--- a/docs/CIPHERS.md
+++ b/docs/CIPHERS.md
@@ -434,3 +434,54 @@ but libcurl maps them to the following case-insensitive
names.
`ECDHE-PSK-CHACHA20-POLY1305`,
`DHE-PSK-CHACHA20-POLY1305`,
`EDH-RSA-DES-CBC3-SHA`,
+
+## WinSSL
+
+WinSSL allows the enabling and disabling of encryption algorithms, but not
specific ciphersuites. They are defined by Microsoft
(https://msdn.microsoft.com/en-us/library/windows/desktop/aa375549(v=vs.85).aspx)
+
+`CALG_MD2`,
+`CALG_MD4`,
+`CALG_MD5`,
+`CALG_SHA`,
+`CALG_SHA1`,
+`CALG_MAC`,
+`CALG_RSA_SIGN`,
+`CALG_DSS_SIGN`,
+`CALG_NO_SIGN`,
+`CALG_RSA_KEYX`,
+`CALG_DES`,
+`CALG_3DES_112`,
+`CALG_3DES`,
+`CALG_DESX`,
+`CALG_RC2`,
+`CALG_RC4`,
+`CALG_SEAL`,
+`CALG_DH_SF`,
+`CALG_DH_EPHEM`,
+`CALG_AGREEDKEY_ANY`,
+`CALG_HUGHES_MD5`,
+`CALG_SKIPJACK`,
+`CALG_TEK`,
+`CALG_CYLINK_MEK`,
+`CALG_SSL3_SHAMD5`,
+`CALG_SSL3_MASTER`,
+`CALG_SCHANNEL_MASTER_HASH`,
+`CALG_SCHANNEL_MAC_KEY`,
+`CALG_SCHANNEL_ENC_KEY`,
+`CALG_PCT1_MASTER`,
+`CALG_SSL2_MASTER`,
+`CALG_TLS1_MASTER`,
+`CALG_RC5`,
+`CALG_HMAC`,
+`CALG_TLS1PRF`,
+`CALG_HASH_REPLACE_OWF`,
+`CALG_AES_128`,
+`CALG_AES_192`,
+`CALG_AES_256`,
+`CALG_AES`,
+`CALG_SHA_256`,
+`CALG_SHA_384`,
+`CALG_SHA_512`,
+`CALG_ECDH`,
+`CALG_ECMQV`,
+`CALG_ECDSA`,
diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
index c50fd223a..0d69a40de 100644
--- a/lib/vtls/schannel.c
+++ b/lib/vtls/schannel.c
@@ -205,6 +205,118 @@ set_ssl_version_min_max(SCHANNEL_CRED *schannel_cred,
struct connectdata *conn)
return CURLE_OK;
}
+/*longest is 26, buffer is slightly bigger*/
+#define LONGEST_ALG_ID 32
+#define CIPHEROPTION(X) \
+if(strcmp(#X, tmp) == 0) \
+ return X
+
+static int
+get_alg_id_by_name(char *name)
+{
+ char tmp[LONGEST_ALG_ID] = { 0 };
+ char *nameEnd = strchr(name, ':');
+ size_t n = nameEnd ? min(nameEnd - name, LONGEST_ALG_ID - 1) : \
+ min(strlen(name), LONGEST_ALG_ID - 1);
+ strncpy(tmp, name, n);
+ tmp[n] = 0;
+ CIPHEROPTION(CALG_MD2);
+ CIPHEROPTION(CALG_MD4);
+ CIPHEROPTION(CALG_MD5);
+ CIPHEROPTION(CALG_SHA);
+ CIPHEROPTION(CALG_SHA1);
+ CIPHEROPTION(CALG_MAC);
+ CIPHEROPTION(CALG_RSA_SIGN);
+ CIPHEROPTION(CALG_DSS_SIGN);
+/*ifdefs for the options that are defined conditionally in wincrypt.h*/
+#ifdef CALG_NO_SIGN
+ CIPHEROPTION(CALG_NO_SIGN);
+#endif
+ CIPHEROPTION(CALG_RSA_KEYX);
+ CIPHEROPTION(CALG_DES);
+ CIPHEROPTION(CALG_3DES_112);
+ CIPHEROPTION(CALG_3DES);
+ CIPHEROPTION(CALG_DESX);
+ CIPHEROPTION(CALG_RC2);
+ CIPHEROPTION(CALG_RC4);
+ CIPHEROPTION(CALG_SEAL);
+ CIPHEROPTION(CALG_DH_SF);
+ CIPHEROPTION(CALG_DH_EPHEM);
+ CIPHEROPTION(CALG_AGREEDKEY_ANY);
+ CIPHEROPTION(CALG_HUGHES_MD5);
+ CIPHEROPTION(CALG_SKIPJACK);
+ CIPHEROPTION(CALG_TEK);
+ CIPHEROPTION(CALG_CYLINK_MEK);
+ CIPHEROPTION(CALG_SSL3_SHAMD5);
+ CIPHEROPTION(CALG_SSL3_MASTER);
+ CIPHEROPTION(CALG_SCHANNEL_MASTER_HASH);
+ CIPHEROPTION(CALG_SCHANNEL_MAC_KEY);
+ CIPHEROPTION(CALG_SCHANNEL_ENC_KEY);
+ CIPHEROPTION(CALG_PCT1_MASTER);
+ CIPHEROPTION(CALG_SSL2_MASTER);
+ CIPHEROPTION(CALG_TLS1_MASTER);
+ CIPHEROPTION(CALG_RC5);
+ CIPHEROPTION(CALG_HMAC);
+ CIPHEROPTION(CALG_TLS1PRF);
+#ifdef CALG_HASH_REPLACE_OWF
+ CIPHEROPTION(CALG_HASH_REPLACE_OWF);
+#endif
+#ifdef CALG_AES_128
+ CIPHEROPTION(CALG_AES_128);
+#endif
+#ifdef CALG_AES_192
+ CIPHEROPTION(CALG_AES_192);
+#endif
+#ifdef CALG_AES_256
+ CIPHEROPTION(CALG_AES_256);
+#endif
+#ifdef CALG_AES
+ CIPHEROPTION(CALG_AES);
+#endif
+#ifdef CALG_SHA_256
+ CIPHEROPTION(CALG_SHA_256);
+#endif
+#ifdef CALG_SHA_384
+ CIPHEROPTION(CALG_SHA_384);
+#endif
+#ifdef CALG_SHA_512
+ CIPHEROPTION(CALG_SHA_512);
+#endif
+#ifdef CALG_ECDH
+ CIPHEROPTION(CALG_ECDH);
+#endif
+#ifdef CALG_ECMQV
+ CIPHEROPTION(CALG_ECMQV);
+#endif
+#ifdef CALG_ECDSA
+ CIPHEROPTION(CALG_ECDSA);
+#endif
+ return 0;
+}
+
+static CURLcode
+set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers)
+{
+ char *startCur = ciphers;
+ int algCount = 0;
+ static ALG_ID algIds[45]; /*There are 45 listed in the MS headers*/
+ while(startCur && (0 != *startCur) && (algCount < 45)) {
+ long alg = strtol(startCur, 0, 0);
+ if(!alg)
+ alg = get_alg_id_by_name(startCur);
+ if(alg)
+ algIds[algCount++] = alg;
+ else
+ return CURLE_SSL_CIPHER;
+ startCur = strchr(startCur, ':');
+ if(startCur)
+ startCur++;
+ }
+ schannel_cred->palgSupportedAlgs = algIds;
+ schannel_cred->cSupportedAlgs = algCount;
+ return CURLE_OK;
+}
+
#ifdef HAS_CLIENT_CERT_PATH
static CURLcode
get_cert_location(TCHAR *path, DWORD *store_name, TCHAR **store_path,
@@ -422,6 +534,15 @@ schannel_connect_step1(struct connectdata *conn, int
sockindex)
return CURLE_SSL_CONNECT_ERROR;
}
+ if(SSL_CONN_CONFIG(cipher_list)) {
+ result = set_ssl_ciphers(&schannel_cred, SSL_CONN_CONFIG(cipher_list));
+ if(CURLE_OK != result) {
+ failf(data, "Unable to set ciphers to passed via SSL_CONN_CONFIG");
+ return result;
+ }
+ }
+
+
#ifdef HAS_CLIENT_CERT_PATH
/* client certificate */
if(data->set.ssl.cert) {
--
To stop receiving notification emails like this one, please contact
address@hidden
- [GNUnet-SVN] [gnurl] 55/163: libcurl-security.3: refer to URL instead of in-source markdown file, (continued)
- [GNUnet-SVN] [gnurl] 55/163: libcurl-security.3: refer to URL instead of in-source markdown file, gnunet, 2018/08/05
- [GNUnet-SVN] [gnurl] 08/163: getinfo: add microsecond precise timers for various intervals, gnunet, 2018/08/05
- [GNUnet-SVN] [gnurl] 58/163: strictness: correct {infof, failf} format specifiers, gnunet, 2018/08/05
- [GNUnet-SVN] [gnurl] 73/163: system.h: add support for IBM xlc C compiler, gnunet, 2018/08/05
- [GNUnet-SVN] [gnurl] 120/163: configure: Add dependent libraries after crypto, gnunet, 2018/08/05
- [GNUnet-SVN] [gnurl] 85/163: Curl_debug: remove dead printhost code, gnunet, 2018/08/05
- [GNUnet-SVN] [gnurl] 42/163: cmake: check for getpwuid_r, gnunet, 2018/08/05
- [GNUnet-SVN] [gnurl] 52/163: os400: implement mime api EBCDIC wrappers, gnunet, 2018/08/05
- [GNUnet-SVN] [gnurl] 110/163: ConnectionExists: make sure conn->data is set when "taking" a connection, gnunet, 2018/08/05
- [GNUnet-SVN] [gnurl] 104/163: multi: fix memory leak when stopped during name resolve, gnunet, 2018/08/05
- [GNUnet-SVN] [gnurl] 83/163: schannel: support selecting ciphers,
gnunet <=
- [GNUnet-SVN] [gnurl] 68/163: build: remove the Borland specific makefiles, gnunet, 2018/08/05
- [GNUnet-SVN] [gnurl] 45/163: psl: use latest psl and refresh it periodically, gnunet, 2018/08/05
- [GNUnet-SVN] [gnurl] 71/163: spelling fixes, gnunet, 2018/08/05
- [GNUnet-SVN] [gnurl] 64/163: fnmatch: use the system one if available, gnunet, 2018/08/05
- [GNUnet-SVN] [gnurl] 90/163: mk-ca-bundle.pl: make -u delete certdata.txt if found not changed, gnunet, 2018/08/05
- [GNUnet-SVN] [gnurl] 142/163: KNOWN_BUGS: Stick to same family over SOCKS proxy, gnunet, 2018/08/05
- [GNUnet-SVN] [gnurl] 96/163: maketgz: fix sed issues on OSX, gnunet, 2018/08/05
- [GNUnet-SVN] [gnurl] 140/163: libssh: include line number in state change debug messages, gnunet, 2018/08/05
- [GNUnet-SVN] [gnurl] 106/163: CURLOPT_INTERFACE.3: interface names not supported on Windows, gnunet, 2018/08/05
- [GNUnet-SVN] [gnurl] 122/163: getnameinfo: not used, gnunet, 2018/08/05