From 50f4fdaa40ab3195377f22243c3ba4287389d207 Mon Sep 17 00:00:00 2001 From: Eduardo Chappa Date: Fri, 17 Jul 2020 01:43:23 -0600 Subject: * Experimental: Attempt to implement the Encryption Range in Windows. It works in Windows 10, and it should work in Windows 8.1. It needs testing in Windows 7 and Windows Vista. --- alpine/alpine.c | 3 +- alpine/confscroll.c | 4 -- imap/src/osdep/nt/ssl_win.c | 116 ++++++++++++++++++++++++++++++++++++++++---- include/config.wnt.h | 2 - pith/conf.c | 66 +++++++++++++++++++------ pith/conf.h | 2 - pith/conftype.h | 2 - pith/pine.hlp | 6 ++- 8 files changed, 162 insertions(+), 39 deletions(-) diff --git a/alpine/alpine.c b/alpine/alpine.c index 55bd581b..a2585af8 100644 --- a/alpine/alpine.c +++ b/alpine/alpine.c @@ -662,7 +662,6 @@ main(int argc, char **argv) } } -#ifdef DF_ENCRYPTION_RANGE if(ps_global->VAR_ENCRYPTION_RANGE && ps_global->VAR_ENCRYPTION_RANGE[0]){ char *min_s, *max_s, *s; @@ -725,7 +724,7 @@ main(int argc, char **argv) mail_parameters(NULL, SET_ENCRYPTION_RANGE_MAX, (void *) &max_v); } } -#endif /* DF_ENCRYPTION_RANGE */ + /* * setup alternative authentication driver preference for IMAP opens diff --git a/alpine/confscroll.c b/alpine/confscroll.c index c8760eb7..67b15704 100644 --- a/alpine/confscroll.c +++ b/alpine/confscroll.c @@ -343,9 +343,7 @@ exclude_config_var(struct pine *ps, struct variable *var, int allow_hard_to_conf case V_GLOB_ADDRBOOK : case V_DISABLE_DRIVERS : case V_DISABLE_AUTHS : -#ifdef DF_ENCRYPTION_RANGE case V_ENCRYPTION_RANGE : -#endif case V_REMOTE_ABOOK_METADATA : case V_REMOTE_ABOOK_HISTORY : case V_REMOTE_ABOOK_VALIDITY : 
@@ -5780,9 +5778,7 @@ fix_side_effects(struct pine *ps, struct variable *var, int revert) var == &ps->vars[V_NEWS_SPEC] || var == &ps->vars[V_DISABLE_DRIVERS] || var == &ps->vars[V_DISABLE_AUTHS] || -#ifdef DF_ENCRYPTION_RANGE var == &ps->vars[V_ENCRYPTION_RANGE] || -#endif #if !defined(_WINDOWS) || defined(ENABLE_WINDOWS_UNIXSSL_CERTS) var == &ps->vars[V_SSLCAPATH] || var == &ps->vars[V_SSLCAFILE] || diff --git a/imap/src/osdep/nt/ssl_win.c b/imap/src/osdep/nt/ssl_win.c index 5b8606a1..a6af01e3 100644 --- a/imap/src/osdep/nt/ssl_win.c +++ b/imap/src/osdep/nt/ssl_win.c @@ -1,5 +1,5 @@ /* ======================================================================== - * Copyright 2018 Eduardo Chappa + * Copyright 2018-2020 Eduardo Chappa * Copyright 2008-2009 Mark Crispin * ======================================================================== */ 
@@ -153,7 +153,84 @@ SSLSTREAM *ssl_open (char *host,char *service,unsigned long port) return stream ? ssl_start (stream,host,port) : NIL; } - +#ifdef SP_PROT_SSL3 + #ifdef MIN_ENCRYPTION + #undef MIN_ENCRYPTION + #endif /* MIN_ENCRYPTION */ + #define MIN_ENCRYPTION SP_PROT_SSL3 + #ifdef MAX_ENCRYPTION + #undef MAX_ENCRYPTION + #endif /* MAX_ENCRYPTION */ + #define MAX_ENCRYPTION SP_PROT_SSL3 +#endif /* SP_PROT_SSL3 */ +#ifdef SP_PROT_TLS1 + #ifndef MIN_ENCRYPTION + #define MIN_ENCRYPTION SP_PROT_TLS1 + #endif /* MIN_ENCRYPTION */ + #ifdef MAX_ENCRYPTION + #undef MAX_ENCRYPTION + #endif /* MAX_ENCRYPTION */ + #define MAX_ENCRYPTION SP_PROT_TLS1 +#endif /* SP_PROT_TLS1 */ +#ifdef SP_PROT_TLS1_1 + #ifndef MIN_ENCRYPTION + #define MIN_ENCRYPTION SP_PROT_TLS1_1 + #endif /* MIN_ENCRYPTION */ + #ifdef MAX_ENCRYPTION + #undef MAX_ENCRYPTION + #endif /* MAX_ENCRYPTION */ + #define MAX_ENCRYPTION SP_PROT_TLS1_1 +#endif /* SP_PROT_TLS1_1 */ +#ifdef SP_PROT_TLS1_2 + #ifndef MIN_ENCRYPTION + #define MIN_ENCRYPTION SP_PROT_TLS1_2 + #endif /* MIN_ENCRYPTION */ + #ifdef MAX_ENCRYPTION + #undef MAX_ENCRYPTION + #endif /* MAX_ENCRYPTION */ + #define MAX_ENCRYPTION SP_PROT_TLS1_2 +#endif /* SP_PROT_TLS1_2 */ + +typedef struct ssl_versions_s { + char *name; + int version; +} SSL_VERSIONS_S; + +SSL_VERSIONS_S ssl_versions[] = { + { "no_min", MIN_ENCRYPTION }, +#ifdef SP_PROT_SSL3 + { "ssl3", SP_PROT_SSL3 }, +#endif /* SP_PROT_SSL3 */ +#ifdef SP_PROT_TLS1 + { "tls1", SP_PROT_TLS1 }, +#endif /* SP_PROT_TLS1 */ +#ifdef SP_PROT_TLS1_1 + { "tls1_1", SP_PROT_TLS1_1 }, +#endif /* SP_PROT_TLS1_1 */ +#ifdef SP_PROT_TLS1_2 + { "tls1_2", SP_PROT_TLS1_2 }, +#endif /* SP_PROT_TLS1_2 */ + { "no_max", MAX_ENCRYPTION }, /* set this last in the list */ + { NULL, 0 }, +}; + +int +pith_ssl_encryption_version(char *s) +{ + int i; + + if (s == NULL || *s == '\0') + return -1; + + for (i = 0; ssl_versions[i].name != NULL; i++) + if (strcmp(ssl_versions[i].name, s) == 0) + break; + + if (strcmp(s, "no_max") 
== 0) i--; + + return ssl_versions[i].name != NULL ? ssl_versions[i].version : -1; +} + /* SSL authenticated open * Accepts: host name * service name @@ -201,6 +278,9 @@ static SSLSTREAM *ssl_start (TCPSTREAM *tstream,char *host,unsigned long flags) PWSTR whost = NIL; char *buf = (char *) fs_get (ssltsz); unsigned long size = 0; + int minv = *(int *) mail_parameters(NULL, GET_ENCRYPTION_RANGE_MIN, NULL); + int maxv = *(int *) mail_parameters(NULL, GET_ENCRYPTION_RANGE_MAX, NULL); + int i, client_request, range; sslcertificatequery_t scq = (sslcertificatequery_t) mail_parameters (NIL,GET_SSLCERTIFICATEQUERY,NIL); sslfailure_t sf = (sslfailure_t) mail_parameters (NIL,GET_SSLFAILURE,NIL); @@ -210,7 +290,30 @@ static SSLSTREAM *ssl_start (TCPSTREAM *tstream,char *host,unsigned long flags) /* initialize TLS credential */ memset (&tlscred,0,sizeof (SCHANNEL_CRED)); tlscred.dwVersion = SCHANNEL_CRED_VERSION; - tlscred.grbitEnabledProtocols = SP_PROT_TLS1; + client_request = (flags & NET_TRYTLS1) ? SP_PROT_TLS1 + : (flags & NET_TRYTLS1_1) ? SP_PROT_TLS1_1 + : (flags & NET_TRYTLS1_2) ? SP_PROT_TLS1_2 + : 0; + /* + * if no special request, negotiate the maximum the client is configured + * to negotiate. + */ + if(client_request == 0) + client_request = maxv; + + if(client_request < minv || client_request > maxv) + return NIL; /* out of range? bail out */ + + if (flags & NET_TRYTLS1) range = SP_PROT_TLS1; + else if (flags & NET_TRYTLS1_1) range = SP_PROT_TLS1_1; + else if (flags & NET_TRYTLS1_2) range = SP_PROT_TLS1_2; + else { + for(i = 0, range; ssl_versions[i].name != NULL; i++) + range |= (ssl_versions[i].version >= minv + && ssl_versions[i].version <= maxv) + ? ssl_versions[i].version : 0; + } + tlscred.grbitEnabledProtocols = range; /* acquire credentials */ if (sft->AcquireCredentialsHandle 
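Review bot: In the `ssl_versions` table, `"no_min"` resolves to `MIN_ENCRYPTION`, which the macro ladder above it pins to `SP_PROT_SSL3` whenever the SDK defines that macro, so a configured range starting at `no_min` admits SSLv3 on this backend. That deserves a comment on the table, e.g. `/* "no_min" maps to the lowest protocol the SDK defines (SSLv3 when SP_PROT_SSL3 exists) */`, and the default range (DF_ENCRYPTION_RANGE, not visible in this diff) should be checked so that it does not start there. The table is also a writable global with external linkage; if nothing outside ssl_win.c uses it, `static const SSL_VERSIONS_S ssl_versions[]` keeps the protocol policy read-only. The `i--` for `"no_max"` in `pith_ssl_encryption_version` is unexplained and looks redundant here, because the `no_max` entry already holds `MAX_ENCRYPTION`; a one-line comment would settle it.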
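Review bot: The new initialiser `int minv = *(int *) mail_parameters(NULL, GET_ENCRYPTION_RANGE_MIN, NULL);` and the matching `maxv` line dereference the return value unchecked, so a NIL return would be a null dereference before any TLS setup starts. Whether mail_parameters can return NIL for these selectors in this build cannot be seen from the diff. Reading the pointer first and falling back to the compiled limits is safer, e.g. `int *p = (int *) mail_parameters (NIL, GET_ENCRYPTION_RANGE_MIN, NIL);` followed by `int minv = p ? *p : MIN_ENCRYPTION;`. The neighbouring declarations pass `NIL`, so the new lines should use it instead of `NULL`. ssl_start's body continues outside the hunk.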
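Review bot: `range` is read before it is assigned in the fallback branch: `for(i = 0, range; ...)` only evaluates `range`, so the `range |= ...` loop ORs the protocol bits into an indeterminate value and `tlscred.grbitEnabledProtocols` can end up enabling protocols outside the configured minimum and maximum. The loop header should read `for(i = 0, range = 0; ssl_versions[i].name != NULL; i++)`. The new `return NIL;` for an out-of-range request also leaves `buf` unreleased, which the declarations allocate with `fs_get`, and it appears to do the same for the `tstream` the caller handed over. It should at least call `fs_give ((void **) &buf);` and then follow whatever failure cleanup the rest of ssl_start uses, which lies outside this hunk.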
@@ -497,13 +600,6 @@ static char *ssl_getline_work (SSLSTREAM *stream,unsigned long *size, return ret; } -/* not implemented yet */ -int pith_ssl_encryption_version(char *s) -{ -return 0; -} - - char *ssl_getsize(SSLSTREAM* stream, unsigned long size) { char *ret = NIL; diff --git a/include/config.wnt.h b/include/config.wnt.h index 65f1533b..2734bff5 100644 --- a/include/config.wnt.h +++ b/include/config.wnt.h @@ -571,8 +571,6 @@ #define DEFAULT_SSLCAPATH "C:\\libressl\\ssl\\certs" #define DEFAULT_SSLCAFILE "C:\\libressl\\ssl\\certs\\cert.pem" #endif /* WXPBUILD */ -#else -#undef DF_ENCRYPTION_RANGE #endif /* defined(ENABLE_WINDOWS_UNIXSSL) && defined(WXPBUILD) */ /* Define to 1 if you can safely include both and . */ diff --git a/pith/conf.c b/pith/conf.c index cbbe7558..f856c961 100644 --- a/pith/conf.c +++ b/pith/conf.c @@ -756,10 +756,8 @@ static struct variable variables[] = { NULL, cf_text_disable_drivers}, {"disable-these-authenticators", 0, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, NULL, cf_text_disable_auths}, -#ifdef DF_ENCRYPTION_RANGE {"encryption-protocol-range", 0, 1, 0, 1, 1, 0, 0, 0, 0, 1, 0, NULL, cf_text_encryption_range}, -#endif {"remote-abook-metafile", 0, 1, 0, 1, 0, 0, 0, 0, 1, 1, 0, NULL, cf_text_remote_abook_metafile}, {"remote-abook-history", 0, 1, 0, 1, 1, 0, 0, 0, 0, 1, 0, @@ -1621,9 +1619,7 @@ init_vars(struct pine *ps, void (*cmds_f) (struct pine *, char **)) GLO_PRINTER = cpystr(DF_DEFAULT_PRINTER); GLO_ELM_STYLE_SAVE = cpystr(DF_ELM_STYLE_SAVE); -#ifdef DF_ENCRYPTION_RANGE GLO_ENCRYPTION_RANGE = cpystr(DF_ENCRYPTION_RANGE); -#endif GLO_SAVE_BY_SENDER = cpystr(DF_SAVE_BY_SENDER); GLO_HEADER_IN_REPLY = cpystr(DF_HEADER_IN_REPLY); GLO_INBOX_PATH = cpystr("inbox"); 
@@ -2353,9 +2349,7 @@ init_vars(struct pine *ps, void (*cmds_f) (struct pine *, char **)) set_current_val(&vars[V_FORCED_ABOOK_ENTRY], TRUE, TRUE); set_current_val(&vars[V_DISABLE_DRIVERS], TRUE, TRUE); set_current_val(&vars[V_DISABLE_AUTHS], TRUE, TRUE); -#ifdef DF_ENCRYPTION_RANGE set_current_val(&vars[V_ENCRYPTION_RANGE], TRUE, TRUE); -#endif set_current_val(&vars[V_VIEW_HEADERS], TRUE, TRUE); /* strip spaces and colons */ @@ -7893,10 +7887,8 @@ config_help(int var, int feature) return(h_config_disable_drivers); case V_DISABLE_AUTHS : return(h_config_disable_auths); -#ifdef DF_ENCRYPTION_RANGE case V_ENCRYPTION_RANGE : return(h_config_encryption_range); -#endif case V_REMOTE_ABOOK_METADATA : return(h_config_abook_metafile); case V_REPLY_STRING : @@ -8218,6 +8210,12 @@ printer_value_check_and_adjust(void) return(!ok); } +#ifdef _WINDOWS +#include +#include +#else +#include +#endif /* _WINDOWS */ char ** get_supported_options(void) 
@@ -8269,14 +8267,50 @@ get_supported_options(void) config[cnt] = cpystr(_(" TLS and SSL")); tmp[0] = tmp[1] = ' '; tmp[2] = '\0'; - strcat(tmp, "TLSv1, "); - strcat(tmp, "TLSv1.1, "); - strcat(tmp, "TLSv1.2, "); -#ifdef TLS1_3_VERSION - strcat(tmp, "TLSv1.3, "); -#endif /* TLS1_3_VERSION */ - tmp[strlen(tmp)-2] = '.'; - tmp[strlen(tmp)-1] = '\0'; +#ifdef _WINDOWS + #ifdef SP_PROT_SSL3 + strcat(tmp, "SSLv3, "); + #endif /* SP_PROT_SSL3 */ + #ifdef SP_PROT_TLS1 + strcat(tmp, "TLSv1, "); + #endif /* SP_PROT_TLS1 */ + #ifdef SP_PROT_TLS1_1 + strcat(tmp, "TLSv1.1, "); + #endif /* SP_PROT_TLS1 */ + #ifdef SP_PROT_TLS1_2 + strcat(tmp, "TLSv1.2, "); + #endif /* SP_PROT_TLS1_2 */ + #ifdef SP_PROT_TLS1_3 + strcat(tmp, "TLSv1.3, "); + #endif /* SP_PROT_TLS1_3 */ +#else + #ifdef SSL3_VERSION + #ifndef OPENSSL_NO_SSL3_METHOD + strcat(tmp, "SSLv3, "); + #endif /* OPENSSL_NO_SSL3_METHOD */ + #endif /* SSL3_VERSION */ + #ifdef TLS1_VERSION + #ifndef OPENSSL_NO_TLS1_METHOD + strcat(tmp, "TLSv1, "); + #endif /* OPENSSL_NO_TLS1_METHOD */ + #endif /* TLS1_VERSION */ + #ifdef TLS1_1_VERSION + #ifndef OPENSSL_NO_TLS1_1_METHOD + strcat(tmp, "TLSv1.1, "); + #endif /* OPENSSL_NO_TLS1_1_METHOD */ + #endif /* TLS1_1_VERSION */ + #ifdef TLS1_2_VERSION + #ifndef OPENSSL_NO_TLS1_2_METHOD + strcat(tmp, "TLSv1.2, "); + #endif /* OPENSSL_NO_TLS1_2_METHOD */ + #endif /* TLS1_2_VERSION */ + #ifdef TLS1_3_VERSION + #ifndef OPENSSL_NO_TLS1_3_METHOD + strcat(tmp, "TLSv1.3, "); + #endif /* OPENSSL_NO_TLS1_3_METHOD */ + #endif /* TLS1_3_VERSION */ +#endif /* _WINDOWS */ + tmp[strlen(tmp)-2] = '\0'; } else config[cnt] = cpystr(_(" None (no TLS or SSL)")); diff --git a/pith/conf.h b/pith/conf.h index bd72563b..100224bc 100644 --- a/pith/conf.h +++ b/pith/conf.h 
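Review bot: The Windows branch of this list depends only on which `SP_PROT_*` macros exist at compile time, so it can advertise `TLSv1.3` even though the `ssl_versions` table this commit adds to ssl_win.c has no TLS 1.3 entry, and the running Schannel may offer fewer protocols than the SDK headers define. Users read this screen to decide what range to configure, so the text should either be limited to the protocols the table can select or carry a comment such as `/* compile-time list; the OS may support fewer protocols */`. The `strcat` calls append up to five entries to `tmp`, whose size is declared outside the hunk, so it is worth confirming it holds the longest combination. The `#endif /* SP_PROT_TLS1 */` that closes the `SP_PROT_TLS1_1` block is mislabelled and should read `/* SP_PROT_TLS1_1 */`.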
@@ -267,10 +267,8 @@ #define GLO_REMOTE_ABOOK_HISTORY vars[V_REMOTE_ABOOK_HISTORY].global_val.p #define VAR_REMOTE_ABOOK_VALIDITY vars[V_REMOTE_ABOOK_VALIDITY].current_val.p #define GLO_REMOTE_ABOOK_VALIDITY vars[V_REMOTE_ABOOK_VALIDITY].global_val.p -#ifdef DF_ENCRYPTION_RANGE #define GLO_ENCRYPTION_RANGE vars[V_ENCRYPTION_RANGE].global_val.p #define VAR_ENCRYPTION_RANGE vars[V_ENCRYPTION_RANGE].current_val.p -#endif /* Elm style save is obsolete in Pine 3.81 (see saved msg name rule) */ #define VAR_ELM_STYLE_SAVE vars[V_ELM_STYLE_SAVE].current_val.p #define GLO_ELM_STYLE_SAVE vars[V_ELM_STYLE_SAVE].global_val.p diff --git a/pith/conftype.h b/pith/conftype.h index 3f0f1e3c..4ea7993e 100644 --- a/pith/conftype.h +++ b/pith/conftype.h @@ -174,9 +174,7 @@ typedef enum { V_PERSONAL_NAME = 0 , V_NEW_VER_QUELL , V_DISABLE_DRIVERS , V_DISABLE_AUTHS -#ifdef DF_ENCRYPTION_RANGE , V_ENCRYPTION_RANGE -#endif , V_REMOTE_ABOOK_METADATA , V_REMOTE_ABOOK_HISTORY , V_REMOTE_ABOOK_VALIDITY diff --git a/pith/pine.hlp b/pith/pine.hlp index 2435d516..c6c1a2e4 100644 --- a/pith/pine.hlp +++ b/pith/pine.hlp @@ -140,7 +140,7 @@ with help text for the config screen and the composer that didn't have any reasonable place to be called from. Dummy change to get revision in pine.hlp ============= h_revision ================= -Alpine Commit 493 2020-07-10 00:56:09 +Alpine Commit 494 2020-07-17 01:43:03 ============= h_news ================= @@ -237,6 +237,10 @@ problems you find with this release.
  • Alpine will not write debug files unless started with the option -d, so for example "alpine -d 2" will generate a debug file at level 2, but just issuing the alpine command will not write any debug to a file. + +
  • Experimental: Attempt to implement the Encryption Range in Windows. It works + in Windows 10, and it should work in Windows 8.1. It needs testing in + Windows 7 and Windows Vista.

    -- cgit v1.2.3-54-g00ecf