* Rewrite support for specific SSL encryption protocols, including

	a. Add a new variable: encryption-protocol-range, which can be
	   used to specify the minimum and maximum versions of the TLS
	   protocol that Alpine will attempt to use to encrypt its
	   communication with the server.
	b. Add support for the Server Name Identification (SNI) extension
	   needed for TLSv1.3.
	c. Remove the DTLS code. It was not being used.

5 files changed, 32 insertions, 34 deletions

diff --git a/imap/src/c-client/imap4r1.c b/imap/src/c-client/imap4r1.c
index f443cb9b..b7423056 100644
--- a/imap/src/c-client/imap4r1.c
+++ b/imap/src/c-client/imap4r1.c
@@ -88,7 +88,7 @@ typedef struct imap_local {
   unsigned int tls1 : 1;	/* using TLSv1 over SSL */
   unsigned int tls1_1 : 1;	/* using TLSv1_1 over SSL */
   unsigned int tls1_2 : 1;	/* using TLSv1_2 over SSL */
-  unsigned int dtls1 : 1;	/* using DTLSv1 over SSL */
+  unsigned int tls1_3 : 1;	/* using TLSv1_3 over SSL */
   unsigned int novalidate : 1;	/* certificate not validated */
   unsigned int filter : 1;	/* filter SEARCH/SORT/THREAD results */
   unsigned int loser : 1;	/* server is a loser */
@@ -955,9 +955,9 @@ MAILSTREAM *imap_open (MAILSTREAM *stream)
 				/* save state for future recycling */
     if (mb.tlsflag) LOCAL->tlsflag = T;
     if (mb.tls1) LOCAL->tls1 = T;
-    if (mb.dtls1) LOCAL->dtls1 = T;
     if (mb.tls1_1) LOCAL->tls1_1 = T;
     if (mb.tls1_2) LOCAL->tls1_2 = T;
+    if (mb.tls1_3) LOCAL->tls1_3 = T;
     if (mb.tlssslv23) LOCAL->tlssslv23 = T;
     if (mb.notlsflag) LOCAL->notlsflag = T;
     if (mb.sslflag) LOCAL->sslflag = T;
@@ -979,7 +979,7 @@ MAILSTREAM *imap_open (MAILSTREAM *stream)
     if (LOCAL->tls1) strcat (tmp,"/tls1");
     if (LOCAL->tls1_1) strcat (tmp,"/tls1_1");
     if (LOCAL->tls1_2) strcat (tmp,"/tls1_2");
-    if (LOCAL->dtls1) strcat (tmp,"/dtls1");
+    if (LOCAL->tls1_3) strcat (tmp,"/tls1_3");
     if (LOCAL->tlssslv23) strcat (tmp,"/tls-sslv23");
     if (LOCAL->notlsflag) strcat (tmp,"/notls");
     if (LOCAL->sslflag) strcat (tmp,"/ssl");
diff --git a/imap/src/c-client/mail.c b/imap/src/c-client/mail.c
index ae828751..8f0373ed 100644
--- a/imap/src/c-client/mail.c
+++ b/imap/src/c-client/mail.c
@@ -36,6 +36,10 @@ char *UW_copyright = "Copyright 1988-2008 University of Washington\n\nLicensed u
 /* c-client global data */
 				/* version of this library */
 static char *mailcclientversion = CCLIENTVERSION;
+				/* Minimum in range of encryption supported */
+static int encryption_range_min = 0;
+				/* Maximum in range of encryption supported */
+static int encryption_range_max = 0;
 				/* app identity */
 static IDLIST *idapp = NIL;
 				/* list of mail drivers */
@@ -541,6 +545,16 @@ void *mail_parameters (MAILSTREAM *stream,long function,void *value)
   case GET_SSLFAILURE:
     ret = (void *) mailsslfailure;
     break;
+  case SET_ENCRYPTION_RANGE_MIN:
+    encryption_range_min =  *(int *) value;
+  case GET_ENCRYPTION_RANGE_MIN:
+    ret = (void *) &encryption_range_min;
+    break;
+  case SET_ENCRYPTION_RANGE_MAX:
+    encryption_range_max =  *(int *) value;
+  case GET_ENCRYPTION_RANGE_MAX:
+    ret = (void *) &encryption_range_max;
+    break;
   case SET_KINIT:
     mailkinit = (kinit_t) value;
   case GET_KINIT:
@@ -829,29 +843,17 @@ long mail_valid_net_parse_work (char *name,NETMBX *mb,char *service)
 	else if (mailssldriver && !compare_cstring (s,"ssl") && !mb->tlsflag)
 	  mb->sslflag = mb->notlsflag = T;
 	else if (!compare_cstring(s, "tls1") 
-			&& !mb->tls1_1 && !mb->tls1_2 && !mb->tls1_3
-			&& !mb->dtls1 && !mb->dtls1_2)
+			&& !mb->tls1_1 && !mb->tls1_2 && !mb->tls1_3)
 	  mb->sslflag = mb->notlsflag = mb->tls1 = T;
 	else if (!compare_cstring(s, "tls1_1") 
-			&& !mb->tls1 && !mb->tls1_2 && !mb->tls1_3
-			&& !mb->dtls1 && !mb->dtls1_2)
+			&& !mb->tls1 && !mb->tls1_2 && !mb->tls1_3)
 	  mb->sslflag = mb->notlsflag = mb->tls1_1 = T;
 	else if (!compare_cstring(s, "tls1_2") 
-			&& !mb->tls1 && !mb->tls1_1 && !mb->tls1_3
-			&& !mb->dtls1 && !mb->dtls1_2)
+			&& !mb->tls1 && !mb->tls1_1 && !mb->tls1_3)
 	  mb->sslflag = mb->notlsflag = mb->tls1_2 = T;
 	else if (!compare_cstring(s, "tls1_3") 
-			&& !mb->tls1 && !mb->tls1_1 && !mb->tls1_2
-			&& !mb->dtls1 && !mb->dtls1_2)
+			&& !mb->tls1 && !mb->tls1_1 && !mb->tls1_2)
 	  mb->sslflag = mb->notlsflag = mb->tls1_3 = T;
-	else if (!compare_cstring(s, "dtls1")
-			&& !mb->tls1 && !mb->tls1_1 && !mb->tls1_2
-			&& !mb->tls1_3 && !mb->dtls1_2)
-	  mb->sslflag = mb->notlsflag = mb->dtls1 = T;
-	else if (!compare_cstring(s, "dtls1_2")
-			&& !mb->tls1 && !mb->tls1_1 && !mb->tls1_2
-			&& !mb->tls1_3 && !mb->dtls1)
-	  mb->sslflag = mb->notlsflag = mb->dtls1_2 = T;
 	else if (mailssldriver && !compare_cstring (s,"novalidate-cert"))
 	  mb->novalidate = T;
 				/* hack for compatibility with the past */
@@ -1263,7 +1265,7 @@ MAILSTREAM *mail_open (MAILSTREAM *stream,char *name,long options)
 	if (mb.tls1) strcat (tmp,"/tls1");
 	if (mb.tls1_1) strcat (tmp,"/tls1_1");
 	if (mb.tls1_2) strcat (tmp,"/tls1_2");
-	if (mb.dtls1) strcat (tmp,"/dtls1");
+	if (mb.tls1_3) strcat (tmp,"/tls1_3");
 	if (mb.trysslflag) strcat (tmp,"/tryssl");
 	if (mb.novalidate) strcat (tmp,"/novalidate-cert");
 	strcat (tmp,"/pop3/loser}");
@@ -6233,8 +6235,6 @@ NETSTREAM *net_open (NETMBX *mb,NETDRIVER *dv,unsigned long port,
   flags |= mb->tls1_1 ? NET_TRYTLS1_1 : 0;
   flags |= mb->tls1_2 ? NET_TRYTLS1_2 : 0;
   flags |= mb->tls1_3 ? NET_TRYTLS1_3 : 0;
-  flags |= mb->dtls1  ? NET_TRYDTLS1  : 0;
-  flags |= mb->dtls1_2  ? NET_TRYDTLS1_2  : 0;
   if (strlen (mb->host) >= NETMAXHOST) {
     sprintf (tmp,"Invalid host name: %.80s",mb->host);
     MM_LOG (tmp,ERROR);
diff --git a/imap/src/c-client/mail.h b/imap/src/c-client/mail.h
index 73f6521c..58d2979c 100644
--- a/imap/src/c-client/mail.h
+++ b/imap/src/c-client/mail.h
@@ -230,6 +230,10 @@
 #define SET_SSLCLIENTKEY (long) 335
 #define GET_KERBEROS_CP_SVR_NAME (long) 336
 #define SET_KERBEROS_CP_SVR_NAME (long) 337
+#define GET_ENCRYPTION_RANGE_MIN (long) 338
+#define SET_ENCRYPTION_RANGE_MIN (long) 339
+#define GET_ENCRYPTION_RANGE_MAX (long) 340
+#define SET_ENCRYPTION_RANGE_MAX (long) 341
 
 	/* 4xx: network drivers */
 #define GET_MAXLOGINTRIALS (long) 400
@@ -449,10 +453,6 @@
 #define NET_TRYTLS1_2 ((unsigned long) 0x1000000)
 				/* try TLS1_3 mode */
 #define NET_TRYTLS1_3 ((unsigned long) 0x800000)
-				/* try DTLS1 mode */
-#define NET_TRYDTLS1   ((unsigned long) 0x400000)
-				/* try DTLS1_2 mode */
-#define NET_TRYDTLS1_2   ((unsigned long) 0x200000)
 
 /* Close options */
 
@@ -698,8 +698,6 @@ typedef struct net_mailbox {
   unsigned int tls1_1  : 1;	/* Use TLSv1.1 */
   unsigned int tls1_2  : 1;	/* Use TLSV1.2 */
   unsigned int tls1_3  : 1;	/* Use TLSV1.3 */
-  unsigned int dtls1   : 1;	/* Use DTLSv1 */
-  unsigned int dtls1_2 : 1;	/* Use DTLSv1.2 */
   unsigned int trysslflag : 1;	/* try SSL driver first flag */
   unsigned int novalidate : 1;	/* don't validate certificates */
   unsigned int tlsflag : 1;	/* TLS flag */
@@ -714,7 +712,7 @@ typedef struct net_mailbox {
 			: (M).tls1	? NET_TRYTLS1	\
 			: (M).tls1_1	? NET_TRYTLS1_1	\
 			: (M).tls1_2	? NET_TRYTLS1_2	\
-			: (M).dtls1	? NET_TRYDTLS1	\
+			: (M).tls1_3	? NET_TRYTLS1_3	\
 			: NET_TLSCLIENT)
 
 
diff --git a/imap/src/c-client/nntp.c b/imap/src/c-client/nntp.c
index 8fa32df1..b1d08024 100644
--- a/imap/src/c-client/nntp.c
+++ b/imap/src/c-client/nntp.c
@@ -70,9 +70,9 @@ typedef struct nntp_local {
   unsigned int notlsflag : 1;	/* TLS not used in session */
   unsigned int sslflag : 1;	/* SSL session */
   unsigned int tls1 : 1;	/* TLSv1 on SSL port */
-  unsigned int dtls1 : 1;	/* DTLSv1 on SSL port */
   unsigned int tls1_1 : 1;	/* TLSv1_1 on SSL port */
   unsigned int tls1_2 : 1;	/* TLSv1_2 on SSL port */
+  unsigned int tls1_3 : 1;	/* TLSv1_3 on SSL port */
   unsigned int novalidate : 1;	/* certificate not validated */
   unsigned int xover : 1;	/* supports XOVER */
   unsigned int xhdr : 1;	/* supports XHDR */
@@ -667,9 +667,9 @@ MAILSTREAM *nntp_mopen (MAILSTREAM *stream)
     if (LOCAL->notlsflag) mb.notlsflag = T;
     if (LOCAL->sslflag) mb.sslflag = T;
     if (LOCAL->tls1) mb.tls1 = T;
-    if (LOCAL->dtls1) mb.dtls1 = T;
     if (LOCAL->tls1_1) mb.tls1_1 = T;
     if (LOCAL->tls1_2) mb.tls1_2 = T;
+    if (LOCAL->tls1_3) mb.tls1_3 = T;
     if (LOCAL->novalidate) mb.novalidate = T;
     if (LOCAL->nntpstream->loser) mb.loser = T;
     if (stream->secure) mb.secflag = T;
@@ -694,7 +694,7 @@ MAILSTREAM *nntp_mopen (MAILSTREAM *stream)
     if (mb.tls1) strcat (tmp,"/tls1");
     if (mb.tls1_1) strcat (tmp,"/tls1_1");
     if (mb.tls1_2) strcat (tmp,"/tls1_2");
-    if (mb.dtls1) strcat (tmp,"/dtls1");
+    if (mb.tls1_3) strcat (tmp,"/tls1_3");
     if (mb.novalidate) strcat (tmp,"/novalidate-cert");
     if (mb.loser) strcat (tmp,"/loser");
     if (mb.secflag) strcat (tmp,"/secure");
@@ -765,9 +765,9 @@ MAILSTREAM *nntp_mopen (MAILSTREAM *stream)
   if (LOCAL->notlsflag) strcat (tmp,"/notls");
   if (LOCAL->sslflag) strcat (tmp,"/ssl");
   if (LOCAL->tls1) strcat (tmp,"/tls1");
-  if (LOCAL->dtls1) strcat (tmp,"/dtls1");
   if (LOCAL->tls1_1) strcat (tmp,"/tls1_1");
   if (LOCAL->tls1_2) strcat (tmp,"/tls1_2");
+  if (LOCAL->tls1_3) strcat (tmp,"/tls1_3");
   if (LOCAL->novalidate) strcat (tmp,"/novalidate-cert");
   if (LOCAL->nntpstream->loser) strcat (tmp,"/loser");
   if (stream->secure) strcat (tmp,"/secure");
diff --git a/imap/src/c-client/pop3.c b/imap/src/c-client/pop3.c
index 80f1858d..dfc4f925 100644
--- a/imap/src/c-client/pop3.c
+++ b/imap/src/c-client/pop3.c
@@ -424,7 +424,7 @@ MAILSTREAM *pop3_open (MAILSTREAM *stream)
       if (mb.tls1) strcat (tmp,"/tls1");
       if (mb.tls1_1) strcat (tmp,"/tls1_1");
       if (mb.tls1_2) strcat (tmp,"/tls1_2");
-      if (mb.dtls1) strcat (tmp,"/dtls1");
+      if (mb.tls1_3) strcat (tmp,"/tls1_3");
       if (mb.notlsflag) strcat (tmp,"/notls");
       if (mb.sslflag) strcat (tmp,"/ssl");
       if (mb.novalidate) strcat (tmp,"/novalidate-cert");