Jacek Caban : secur32: Use VERS-ALL priority string only on recent gnutls versions.

Alexandre Julliard julliard at winehq.org
Fri Dec 7 12:13:14 CST 2018


Module: wine
Branch: master
Commit: 179ee89e654a22eb4c49b238b3a7a209a10e921d
URL:    https://source.winehq.org/git/wine.git/?a=commit;h=179ee89e654a22eb4c49b238b3a7a209a10e921d

Author: Jacek Caban <jacek at codeweavers.com>
Date:   Fri Dec  7 15:30:16 2018 +0100

secur32: Use VERS-ALL priority string only on recent gnutls versions.

Signed-off-by: Jacek Caban <jacek at codeweavers.com>
Signed-off-by: Alexandre Julliard <julliard at winehq.org>

---

 dlls/secur32/schannel_gnutls.c | 25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)

diff --git a/dlls/secur32/schannel_gnutls.c b/dlls/secur32/schannel_gnutls.c
index a962c67..cb90d1c 100644
--- a/dlls/secur32/schannel_gnutls.c
+++ b/dlls/secur32/schannel_gnutls.c
@@ -199,7 +199,8 @@ DWORD schan_imp_enabled_protocols(void)
 BOOL schan_imp_create_session(schan_imp_session *session, schan_credentials *cred)
 {
     gnutls_session_t *s = (gnutls_session_t*)session;
-    char priority[128] = "NORMAL:%LATEST_RECORD_VERSION:-VERS-ALL", *p;
+    char priority[128] = "NORMAL:%LATEST_RECORD_VERSION", *p;
+    BOOL using_vers_all = FALSE, disabled;
     unsigned i;
 
     int err = pgnutls_init(s, cred->credential_use == SECPKG_CRED_INBOUND ? GNUTLS_SERVER : GNUTLS_CLIENT);
@@ -210,10 +211,26 @@ BOOL schan_imp_create_session(schan_imp_session *session, schan_credentials *cre
     }
 
     p = priority + strlen(priority);
-    for(i = 0; i < ARRAY_SIZE(protocol_priority_flags); i++) {
-        if (!(cred->enabled_protocols & protocol_priority_flags[i].enable_flag)) continue;
+
+    /* VERS-ALL is nice to use for forward compatibility. It was introduced before support for TLS1.3,
+     * so if TLS1.3 is supported, we may safely use it. Otherwise explicitly disable all known
+     * disabled protocols. */
+    if (supported_protocols & SP_PROT_TLS1_3_CLIENT)
+    {
+        strcpy(p, ":-VERS-ALL");
+        p += strlen(p);
+        using_vers_all = TRUE;
+    }
+
+    for (i = 0; i < ARRAY_SIZE(protocol_priority_flags); i++)
+    {
+        if (!(supported_protocols & protocol_priority_flags[i].enable_flag)) continue;
+
+        disabled = !(cred->enabled_protocols & protocol_priority_flags[i].enable_flag);
+        if (using_vers_all && disabled) continue;
+
         *p++ = ':';
-        *p++ = '+';
+        *p++ = disabled ? '-' : '+';
         strcpy(p, protocol_priority_flags[i].gnutls_flag);
         p += strlen(p);
     }
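Review bot: The loop's writes into `priority` are still unbounded, and the new code can produce a longer string than before: when `using_vers_all` is FALSE every protocol in `supported_protocols` now gets a `:-VERS-xxx` or `:+VERS-xxx` entry, not only the enabled ones, while the `*p++` stores and the `strcpy` on the `gnutls_flag` line never compare against the 128-byte buffer declared in the first hunk. With the entries visible here the result most likely still fits, but `protocol_priority_flags` is not in the hunk, so the bound cannot be confirmed from this view; the fixed `:-VERS-ALL` copy before the loop is not a concern (it cannot exceed the buffer). Writing each entry with `snprintf` against the remaining space, and failing on truncation, removes the dependence on the table's contents; the new locals would go with the other declarations at the top of the function, per the file's style. The truncation path should release the session created by `pgnutls_init` the same way the existing error path does; that path and the rest of `schan_imp_create_session` lie outside the hunk.
```c
        /* … unchanged: supported/disabled checks and VERS-ALL skip … */
        left = sizeof(priority) - (size_t)(p - priority);
        n = snprintf(p, left, ":%c%s", disabled ? '-' : '+', protocol_priority_flags[i].gnutls_flag);
        if (n < 0 || (size_t)n >= left)
        {
            /* priority string would overflow: release the session initialised above before failing */
            return FALSE;
        }
        p += n;
    }
```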



