HackerOne report H1:1172857

curl: CVE-2021-22897: schannel cipher selection surprise

2021-04-22 22:39:18
nyymi
hackerone.com
$800
6

CVSS3: 5.3 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

EPSS: 0.002 Low
Percentile: 52.5%

Summary:

Commit “schannel: support selecting ciphers” added support for selecting ciphers with SCHANNEL. However, because set_ssl_ciphers stores the selected ciphers in a static algIds array, the last configured cipher list overrides the configuration used by other connections, so those connections may end up with the wrong cipher configuration. This has security implications if an insecure cipher configuration is applied where a secure one is expected.

Steps To Reproduce:

1. Create two or more separate curl handles with curl_easy_init
2. Set different cipher lists on the curl handles with curl_easy_setopt CURLOPT_SSL_CIPHER_LIST
3. Create simultaneous connections with the separate curl handles

Instead of each connection using its own specific cipher list, some of them will share the wrong configuration. Whether and how this happens depends on how the connection setups overlap.

Note that to be vulnerable, an existing application using libcurl would need to use such a mixed CURLOPT_SSL_CIPHER_LIST configuration across multiple curl handles to begin with. How likely this really is is not known, but it seems a somewhat rare use case.

Supporting Material/References:

Impact

Potentially wrong cipher configuration used for connections.
