author | Eduardo Chappa <chappa@washington.edu> | 2019-02-17 19:17:46 -0700 |
committer | Eduardo Chappa <chappa@washington.edu> | 2019-02-17 19:17:46 -0700 |
commit | 08fcd1b86979b422eb586e56459d6fe15333e500 (patch) | |
tree | 27247d07d9c1063e2a2fc376155d675f54a4d4e4 /alpine | |
parent | 35f3426203172af028df5a6e39bc6dea2514020d (diff) | |
download | alpine-08fcd1b86979b422eb586e56459d6fe15333e500.tar.xz |
* Rewrite support for specific SSL encryption protocols, including
a. Add a new variable: encryption-protocol-range, which can be
used to specify the minimum and maximum versions of the TLS
protocol that Alpine will attempt to use to encrypt its
communication with the server.
b. Add support for the Server Name Indication (SNI) extension
needed for TLSv1.3.
c. Remove the DTLS code. It was not being used.
Diffstat (limited to 'alpine')
-rw-r--r-- | alpine/alpine.c | 65 | ||||
-rw-r--r-- | alpine/confscroll.c | 2 |
2 files changed, 67 insertions, 0 deletions
diff --git a/alpine/alpine.c b/alpine/alpine.c
index bbccb793..11f3354e 100644
--- a/alpine/alpine.c
+++ b/alpine/alpine.c
@@ -646,6 +646,71 @@ main(int argc, char **argv)
 }
 }
 
+ if(ps_global->VAR_ENCRYPTION_RANGE
+ && ps_global->VAR_ENCRYPTION_RANGE[0]){
+ char *min_s, *max_s, *s;
+ int min_v, max_v;
+
+ if((s = strchr(ps_global->VAR_ENCRYPTION_RANGE, ',')) == NULL){
+ snprintf(tmp_20k_buf, SIZEOF_20KBUF,
+ _("Bad encryption range: \"%s\": resetting to default"),
+ ps_global->VAR_ENCRYPTION_RANGE);
+ tmp_20k_buf[SIZEOF_20KBUF-1] = '\0';
+ init_error(ps_global, SM_ORDER | SM_DING, 3, 5, tmp_20k_buf);
+ fs_give((void **) &ps_global->VAR_ENCRYPTION_RANGE);
+ ps_global->VAR_ENCRYPTION_RANGE = cpystr(DF_ENCRYPTION_RANGE);
+ s = strchr(ps_global->VAR_ENCRYPTION_RANGE, ','); /* try again */
+ }
+
+ if(s == NULL){
+ snprintf(tmp_20k_buf, SIZEOF_20KBUF,
+ _("Bad default encryption range: \"%s\""),
+ ps_global->VAR_ENCRYPTION_RANGE);
+ tmp_20k_buf[SIZEOF_20KBUF-1] = '\0';
+ init_error(ps_global, SM_ORDER | SM_DING, 3, 5, tmp_20k_buf);
+ }
+ else {
+ *s = ' ';
+ get_pair(ps_global->VAR_ENCRYPTION_RANGE, &min_s, &max_s, 1, 0);
+ *s = ',';
+
+ min_v = pith_ssl_encryption_version(min_s);
+ max_v = pith_ssl_encryption_version(max_s);
+
+ if(min_v < 0 || max_v < 0){
+ snprintf(tmp_20k_buf, SIZEOF_20KBUF,
+ _("Bad encryption range: \"%s\": resetting to default"),
+ ps_global->VAR_ENCRYPTION_RANGE);
+ tmp_20k_buf[SIZEOF_20KBUF-1] = '\0';
+ init_error(ps_global, SM_ORDER | SM_DING, 3, 5, tmp_20k_buf);
+ min_v = max_v = 0;
+ }
+
+ if(min_v > max_v){
+ int bubble;
+ snprintf(tmp_20k_buf, SIZEOF_20KBUF,
+ _("Minimum encryption protocol (%s) bigger than maximum value (%s). Reversing..."),
+ min_s, max_s);
+ tmp_20k_buf[SIZEOF_20KBUF-1] = '\0';
+ init_error(ps_global, SM_ORDER | SM_DING, 3, 5, tmp_20k_buf);
+ bubble = min_v;
+ min_v = max_v;
+ max_v = bubble;
+ }
+
+ if(max_v > 0 && max_v < (long) pith_ssl_encryption_version("tls1")){
+ snprintf(tmp_20k_buf, SIZEOF_20KBUF,
+ _("Security alert: SSL maximum encryption version was set to SSLv3."),
+ ps_global->VAR_ENCRYPTION_RANGE);
+ tmp_20k_buf[SIZEOF_20KBUF-1] = '\0';
+ init_error(ps_global, SM_ORDER | SM_DING, 3, 5, tmp_20k_buf);
+ }
+
+ mail_parameters(NULL, SET_ENCRYPTION_RANGE_MIN, (void *) &min_v);
+ mail_parameters(NULL, SET_ENCRYPTION_RANGE_MAX, (void *) &max_v);
+ }
+ }
+
 /*
 * setup alternative authentication driver preference for IMAP opens
 */
diff --git a/alpine/confscroll.c b/alpine/confscroll.c
index ff8841fe..98e5768b 100644
--- a/alpine/confscroll.c
+++ b/alpine/confscroll.c
@@ -341,6 +341,7 @@ exclude_config_var(struct pine *ps, struct variable *var, int allow_hard_to_conf
 case V_GLOB_ADDRBOOK :
 case V_DISABLE_DRIVERS :
 case V_DISABLE_AUTHS :
+ case V_ENCRYPTION_RANGE :
 case V_REMOTE_ABOOK_METADATA :
 case V_REMOTE_ABOOK_HISTORY :
 case V_REMOTE_ABOOK_VALIDITY :
@@ -5767,6 +5768,7 @@ fix_side_effects(struct pine *ps, struct variable *var, int revert)
 var == &ps->vars[V_NEWS_SPEC] ||
 var == &ps->vars[V_DISABLE_DRIVERS] ||
 var == &ps->vars[V_DISABLE_AUTHS] ||
+ var == &ps->vars[V_ENCRYPTION_RANGE] ||
 var == &ps->vars[V_RSHPATH] ||
 var == &ps->vars[V_RSHCMD] ||
 var == &ps->vars[V_SSHCMD] ||
|
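Review bot: In the `min_v < 0 || max_v < 0` branch of the new block in main() the message says "resetting to default", but the code only does `min_v = max_v = 0;` and leaves the bad string in `VAR_ENCRYPTION_RANGE`, so a typo in the option silently hands whatever 0 means to `SET_ENCRYPTION_RANGE_MIN`/`MAX` on the c-client side (presumably "no restriction", which is not shown here) to the connection code — and because `max_v > 0` is then false, the SSLv3 warning below it is skipped as well. The `strchr` branch above already shows the intended recovery (free the string, `cpystr(DF_ENCRYPTION_RANGE)`, parse again), so an unknown protocol name should take the same path; factoring the parse into a small static helper lets both failures retry on the default and fall through to the existing "Bad default encryption range" report if even that fails, in which case `mail_parameters()` is not called at all, as in the current `s == NULL` path. Two smaller things in the same hunk: the SSLv3 `snprintf` passes `ps_global->VAR_ENCRYPTION_RANGE` to a format that has no `%s`, so either add the conversion or drop the argument, and `min_s`/`max_s` are never released (a leak if `get_pair` allocates them, as I believe it does elsewhere in alpine — confirm). main() continues outside the hunk.
```c
/* Split a "min,max" encryption-range string and map both names to
 * protocol numbers.  On success *min_s/*max_s hold the two names as
 * returned by get_pair() and 0 is returned; -1 means the string has no
 * comma or names a protocol pith_ssl_encryption_version() rejects. */
static int
parse_encryption_range(char *range, char **min_s, char **max_s,
		       int *min_v, int *max_v)
{
    char *s;

    if(range == NULL || (s = strchr(range, ',')) == NULL)
      return -1;

    *s = ' ';
    get_pair(range, min_s, max_s, 1, 0);
    *s = ',';

    *min_v = pith_ssl_encryption_version(*min_s);
    *max_v = pith_ssl_encryption_version(*max_s);

    return (*min_v < 0 || *max_v < 0) ? -1 : 0;
}

/* … in main(), replacing the strchr / get_pair / "< 0" blocks … */
    if(parse_encryption_range(ps_global->VAR_ENCRYPTION_RANGE,
			      &min_s, &max_s, &min_v, &max_v) < 0){
	/* … unchanged: "Bad encryption range ... resetting to default" report … */
	fs_give((void **) &ps_global->VAR_ENCRYPTION_RANGE);
	ps_global->VAR_ENCRYPTION_RANGE = cpystr(DF_ENCRYPTION_RANGE);
	if(parse_encryption_range(ps_global->VAR_ENCRYPTION_RANGE,
				  &min_s, &max_s, &min_v, &max_v) < 0){
	    /* … unchanged: "Bad default encryption range" report … */
	    min_v = max_v = -1;	/* nothing usable: leave c-client's defaults alone */
	}
    }

    if(min_v >= 0 && max_v >= 0){
	/* … unchanged: min > max swap, SSLv3 warning, mail_parameters() calls … */
    }
```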