From 924c47dd50a7b74136b8a60e9ea8d347ff65425b Mon Sep 17 00:00:00 2001
From: Eduardo Chappa
Date: Sat, 29 Sep 2018 22:59:37 -0600
Subject: * Add the /tls1_3 modifier to establish connections use the TLS protocol version 1.3.

---
 imap/src/c-client/mail.c | 24 ++++++++++----
 imap/src/c-client/mail.h | 12 +++++--
 imap/src/osdep/nt/ssl_nt.c | 73 ++++++++++++++++++++++++++++++------------
 imap/src/osdep/unix/ssl_unix.c | 67 ++++++++++++++++++++++++++++----------
 4 files changed, 130 insertions(+), 46 deletions(-)

(limited to 'imap')

diff --git a/imap/src/c-client/mail.c b/imap/src/c-client/mail.c
index 43db47aa..8ac8ba63 100644
--- a/imap/src/c-client/mail.c
+++ b/imap/src/c-client/mail.c
@@ -827,19 +827,29 @@ long mail_valid_net_parse_work (char *name,NETMBX *mb,char *service)
   else if (mailssldriver && !compare_cstring (s,"ssl") && !mb->tlsflag)
     mb->sslflag = mb->notlsflag = T;
   else if (!compare_cstring(s, "tls1")
-      && !mb->tls1_1 && !mb->tls1_2 && !mb->dtls1)
+      && !mb->tls1_1 && !mb->tls1_2 && !mb->tls1_3
+      && !mb->dtls1 && !mb->dtls1_2)
     mb->sslflag = mb->notlsflag = mb->tls1 = T;
-#ifdef TLSV1_2
   else if (!compare_cstring(s, "tls1_1")
-      && !mb->tls1 && !mb->tls1_2 && !mb->dtls1)
+      && !mb->tls1 && !mb->tls1_2 && !mb->tls1_3
+      && !mb->dtls1 && !mb->dtls1_2)
     mb->sslflag = mb->notlsflag = mb->tls1_1 = T;
   else if (!compare_cstring(s, "tls1_2")
-      && !mb->tls1 && !mb->tls1_1 && !mb->dtls1)
+      && !mb->tls1 && !mb->tls1_1 && !mb->tls1_3
+      && !mb->dtls1 && !mb->dtls1_2)
     mb->sslflag = mb->notlsflag = mb->tls1_2 = T;
-#endif
+  else if (!compare_cstring(s, "tls1_3")
+      && !mb->tls1 && !mb->tls1_1 && !mb->tls1_2
+      && !mb->dtls1 && !mb->dtls1_2)
+    mb->sslflag = mb->notlsflag = mb->tls1_3 = T;
   else if (!compare_cstring(s, "dtls1")
-      && !mb->tls1 && !mb->tls1_1 && !mb->tls1_2)
+      && !mb->tls1 && !mb->tls1_1 && !mb->tls1_2
+      && !mb->tls1_3 && !mb->dtls1_2)
     mb->sslflag = mb->notlsflag = mb->dtls1 = T;
+  else if (!compare_cstring(s, "dtls1_2")
+      && !mb->tls1 && !mb->tls1_1 && !mb->tls1_2
+      && !mb->tls1_3 && !mb->dtls1)
+    mb->sslflag = mb->notlsflag = mb->dtls1_2 = T;
   else if (mailssldriver && !compare_cstring (s,"novalidate-cert"))
     mb->novalidate = T;
     /* hack for compatibility with the past */
@@ -6220,7 +6230,9 @@ NETSTREAM *net_open (NETMBX *mb,NETDRIVER *dv,unsigned long port,
   flags |= mb->tls1 || mb->tlsflag ? NET_TRYTLS1 : 0;
   flags |= mb->tls1_1 ? NET_TRYTLS1_1 : 0;
   flags |= mb->tls1_2 ? NET_TRYTLS1_2 : 0;
+  flags |= mb->tls1_3 ? NET_TRYTLS1_3 : 0;
   flags |= mb->dtls1 ? NET_TRYDTLS1 : 0;
+  flags |= mb->dtls1_2 ? NET_TRYDTLS1_2 : 0;
   if (strlen (mb->host) >= NETMAXHOST) {
     sprintf (tmp,"Invalid host name: %.80s",mb->host);
     MM_LOG (tmp,ERROR);
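Review bot: With the `#ifdef TLSV1_2` guard dropped, the `tls1_1`, `tls1_2`, `tls1_3` and `dtls1_2` branches of mail_valid_net_parse_work now accept the modifier on every build, but nothing in this hunk records whether the linked library can honour the version asked for; the fallback to a version-flexible method happens later in ssl_connect_mthd (elsewhere in this commit), so `{host/tls1_3}` on an OpenSSL without TLS 1.3 presumably negotiates a lower version silently instead of failing. I would make that contract explicit on the new `tls1_3` branch: `/* accepted on every build; whether the library can actually do TLS 1.3 must be enforced by the SSL driver */`. As a matter of style, each of the six branches spells out the five sibling flags by hand, which is easy to get wrong the next time a version is added; a single `NET_VERSION_SET(mb)`-style helper would be safer, with the caveat that it would also reject a repeated identical modifier, which the current self-excluding tests tolerate. mail_valid_net_parse_work starts before and continues after this hunk.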
diff --git a/imap/src/c-client/mail.h b/imap/src/c-client/mail.h
index fc3f3862..e5755e54 100644
--- a/imap/src/c-client/mail.h
+++ b/imap/src/c-client/mail.h
@@ -442,13 +442,17 @@
     /* try SSL mode */
 #define NET_TRYSSL ((unsigned long) 0x8000000)
     /* try TLS1 mode */
-#define NET_TRYTLS1 ((unsigned long) 0x1000000)
+#define NET_TRYTLS1 ((unsigned long) 0x4000000)
     /* try TLS1_1 mode */
 #define NET_TRYTLS1_1 ((unsigned long) 0x2000000)
     /* try TLS1_2 mode */
-#define NET_TRYTLS1_2 ((unsigned long) 0x4000000)
+#define NET_TRYTLS1_2 ((unsigned long) 0x1000000)
+    /* try TLS1_3 mode */
+#define NET_TRYTLS1_3 ((unsigned long) 0x800000)
     /* try DTLS1 mode */
-#define NET_TRYDTLS1 ((unsigned long) 0x8000000)
+#define NET_TRYDTLS1 ((unsigned long) 0x400000)
+    /* try DTLS1_2 mode */
+#define NET_TRYDTLS1_2 ((unsigned long) 0x200000)
 /* Close options */
@@ -691,7 +695,9 @@ typedef struct net_mailbox {
   unsigned int tls1 : 1; /* Use TLSv1 */
   unsigned int tls1_1 : 1; /* Use TLSv1.1 */
   unsigned int tls1_2 : 1; /* Use TLSV1.2 */
+  unsigned int tls1_3 : 1; /* Use TLSV1.3 */
   unsigned int dtls1 : 1; /* Use DTLSv1 */
+  unsigned int dtls1_2 : 1; /* Use DTLSv1.2 */
   unsigned int trysslflag : 1; /* try SSL driver first flag */
   unsigned int novalidate : 1; /* don't validate certificates */
   unsigned int tlsflag : 1; /* TLS flag */
diff --git a/imap/src/osdep/nt/ssl_nt.c b/imap/src/osdep/nt/ssl_nt.c
index d352980e..b4d7e1d2 100644
--- a/imap/src/osdep/nt/ssl_nt.c
+++ b/imap/src/osdep/nt/ssl_nt.c
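Review bot: Renumbering NET_TRYTLS1, NET_TRYTLS1_2 and NET_TRYDTLS1 in a public header silently changes what existing bit values mean: code compiled against the old mail.h that passes the old NET_TRYTLS1 (0x1000000) is now read as NET_TRYTLS1_2, and the old NET_TRYDTLS1 (0x8000000) is now NET_TRYSSL. The renumbering is justified, because the old definitions made NET_TRYDTLS1 and NET_TRYSSL the same bit, but that collision and the ABI consequence should be written down rather than left for the next reader to rediscover; I would add above the block `/* Bit values reassigned when TLS1_3/DTLS1_2 were added (NET_TRYDTLS1 previously aliased NET_TRYSSL); rebuild every c-client user against this header. */`. The new 0x800000, 0x400000 and 0x200000 bits presumably do not overlap the NET_ flags defined above this hunk, but that list is outside the view and is worth a check.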
@@ -37,15 +37,30 @@
 #ifdef OPENSSL_1_1_0
 #include
 #include
+#ifdef TLSv1_client_method
+#undef TLSv1_client_method
+#endif /* TLSv1_client_method */
 #ifdef TLSv1_1_client_method
-#undef TLSv1_1_client_method
+#undef TLSv1_1_client_method
 #endif /* TLSv1_1_client_method */
 #ifdef TLSv1_2_client_method
 #undef TLSv1_2_client_method
 #endif /* TLSv1_2_client_method */
+#ifdef DTLSv1_client_method
+#undef DTLSv1_client_method
+#endif /* DTLSv1_client_method */
+#ifdef DTLSv1_2_client_method
+#undef DTLSv1_2_client_method
+#endif /* DTLSv1_2_client_method */
+#define TLSv1_client_method TLS_client_method
 #define TLSv1_1_client_method TLS_client_method
 #define TLSv1_2_client_method TLS_client_method
-#endif /* OPENSSL_1_1_0 */
+#define DTLSv1_client_method DTLS_client_method
+#define DTLSv1_2_client_method DTLS_client_method
+#endif /* OPENSSL_1_1_0 */
+#ifndef DTLSv1_2_client_method
+#define DTLSv1_2_client_method DTLSv1_client_method
+#endif /* DTLSv1_2_client_method */
 #undef STRING
 #undef crypt
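Review bot: The trailing `#ifndef DTLSv1_2_client_method` fallback tests a macro name, but outside the OPENSSL_1_1_0 block DTLSv1_2_client_method is, as far as I recall of 1.0.2's ssl.h, an ordinary function declaration, so the test is true on every build that does not define OPENSSL_1_1_0 and rebinds it to DTLSv1_client_method even where the real DTLS 1.2 method exists; `/dtls1_2` would then negotiate DTLS 1.0 on OpenSSL 1.0.2. The `#ifdef ... #undef` guards added above it have the same property on stock OpenSSL (the names are functions, not macros) and never fire, which is harmless but suggests a version check was intended. Tie the shim to the library version instead: `#if !defined(OPENSSL_1_1_0) && OPENSSL_VERSION_NUMBER < 0x10002000L` / `#define DTLSv1_2_client_method DTLSv1_client_method` / `#endif`, with a comment saying it is a compatibility alias for OpenSSL older than 1.0.2 only.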
@@ -187,26 +202,44 @@ SSLSTREAM *ssl_aopen (NETMBX *mb,char *service,char *usrbuf)
  */
 const SSL_METHOD *ssl_connect_mthd(int flag)
 {
-#ifdef OPENSSL_1_1_0
-  if(flag & NET_TRYTLS1)
-     return TLS_client_method();
+  if (flag & NET_TRYTLS1)
+#ifndef OPENSSL_NO_TLS1_METHOD
+     return TLSv1_client_method();
 #else
-  if(flag & NET_TRYTLS1)
-     return TLSv1_client_method();
-#endif /* OPENSSL_1_1_0 */
-#ifdef TLSV1_2
-  else if(flag & NET_TRYTLS1_1)
-     return TLSv1_1_client_method();
-  else if(flag & NET_TRYTLS1_2)
-     return TLSv1_2_client_method();
-#endif /* TLSV1_2 */
-#ifdef OPENSSL_1_1_0
-  else if(flag & NET_TRYDTLS1)
-     return DTLS_client_method();
+     return TLS_client_method();
+#endif /* OPENSSL_NO_TLS1_METHOD */
+
+  else if(flag & NET_TRYTLS1_1)
+#ifndef OPENSSL_NO_TLS1_1_METHOD
+     return TLSv1_1_client_method();
 #else
-  else if(flag & NET_TRYDTLS1)
-     return DTLSv1_client_method();
-#endif /* OPENSSL_1_1_0 */
+     return TLS_client_method();
+#endif /* OPENSSL_NO_TLS1_1_METHOD */
+
+  else if(flag & NET_TRYTLS1_2)
+#ifndef OPENSSL_NO_TLS1_2_METHOD
+     return TLSv1_2_client_method();
+#else
+     return TLS_client_method();
+#endif /* OPENSSL_NO_TLS1_2_METHOD */
+
+  else if(flag & NET_TRYTLS1_3)
+     return TLS_client_method();
+
+  else if(flag & NET_TRYDTLS1)
+#ifndef OPENSSL_NO_DTLS1_METHOD
+     return DTLSv1_client_method();
+#else
+     return DTLS_client_method();
+#endif /* OPENSSL_NO_DTLS1_METHOD */
+
+  else if(flag & NET_TRYDTLS1_2)
+#ifndef OPENSSL_NO_DTLS1_METHOD
+     return DTLSv1_2_client_method();
+#else
+     return DTLS_client_method();
+#endif /* OPENSSL_NO_DTLS1_METHOD */
+
   else return SSLv23_client_method();
 }
diff --git a/imap/src/osdep/unix/ssl_unix.c b/imap/src/osdep/unix/ssl_unix.c
index 4c4d6ef8..ffd37775 100644
--- a/imap/src/osdep/unix/ssl_unix.c
+++ b/imap/src/osdep/unix/ssl_unix.c
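Review bot: The new `NET_TRYTLS1_3` branch returns `TLS_client_method()`, the version-flexible method, so `/tls1_3` does not actually require TLS 1.3: unless the SSL_CTX built from this method gets `SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION)`, the handshake can still settle on 1.2 or lower, and on an OpenSSL without TLS 1.3 the request is honoured silently with whatever the library offers. Under OPENSSL_1_1_0 the remaps at the top of the file turn the tls1, tls1_1, tls1_2, dtls1 and dtls1_2 branches into the flexible methods as well, so on that configuration none of the modifiers pins a version. The fix belongs where the SSL_CTX is created (outside this hunk): map the NET_TRY* flag onto SSL_CTX_set_min_proto_version/SSL_CTX_set_max_proto_version and refuse the connection when the library lacks the requested version (`#ifndef TLS1_3_VERSION` for TLS 1.3) instead of downgrading. Separately, the `NET_TRYDTLS1_2` branch tests `OPENSSL_NO_DTLS1_METHOD` where `OPENSSL_NO_DTLS1_2_METHOD` is the matching feature macro. A comment on the tls1_3 branch such as `/* version-flexible; the caller must pin TLS 1.3 on the SSL_CTX */` would record the contract until that is done.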
@@ -36,15 +36,30 @@
 #ifdef OPENSSL_1_1_0
 #include
 #include
+#ifdef TLSv1_client_method
+#undef TLSv1_client_method
+#endif /* TLSv1_client_method */
 #ifdef TLSv1_1_client_method
 #undef TLSv1_1_client_method
 #endif /* TLSv1_1_client_method */
 #ifdef TLSv1_2_client_method
 #undef TLSv1_2_client_method
 #endif /* TLSv1_2_client_method */
+#ifdef DTLSv1_client_method
+#undef DTLSv1_client_method
+#endif /* DTLSv1_client_method */
+#ifdef DTLSv1_2_client_method
+#undef DTLSv1_2_client_method
+#endif /* DTLSv1_2_client_method */
+#define TLSv1_client_method TLS_client_method
 #define TLSv1_1_client_method TLS_client_method
 #define TLSv1_2_client_method TLS_client_method
+#define DTLSv1_client_method DTLS_client_method
+#define DTLSv1_2_client_method DTLS_client_method
 #endif /* OPENSSL_1_1_0 */
+#ifndef DTLSv1_2_client_method
+#define DTLSv1_2_client_method DTLSv1_client_method
+#endif /* DTLSv1_2_client_method */
 #undef STRING
 #undef crypt
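Review bot: The `#ifndef DTLSv1_2_client_method` shim at the end of the hunk is evaluated after the OPENSSL_1_1_0 block, so on any build that does not define OPENSSL_1_1_0 it is true whenever the name is a function rather than a macro, which I believe is the case in OpenSSL 1.0.2 where DTLSv1_2_client_method() exists; the result is that `/dtls1_2` is quietly aliased to DTLSv1_client_method and negotiates DTLS 1.0 on a library that could have done 1.2. A macro-existence test cannot distinguish "missing" from "declared as a function", so gate the alias on `OPENSSL_VERSION_NUMBER < 0x10002000L` (and `!defined(OPENSSL_1_1_0)`) and say so in a comment: `/* DTLS 1.2 method first appeared in OpenSSL 1.0.2; alias only on older libraries */`. This preprocessor block is also a byte-for-byte copy of the one in ssl_nt.c, so the same correction has to be made in both places; a shared header for the method-name shims would stop the two from drifting.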
@@ -186,26 +201,44 @@ SSLSTREAM *ssl_aopen (NETMBX *mb,char *service,char *usrbuf)
  */
 const SSL_METHOD *ssl_connect_mthd(int flag)
 {
-#ifdef OPENSSL_1_1_0
-  if(flag & NET_TRYTLS1)
-     return TLS_client_method();
+  if (flag & NET_TRYTLS1)
+#ifndef OPENSSL_NO_TLS1_METHOD
+     return TLSv1_client_method();
 #else
-  if(flag & NET_TRYTLS1)
-     return TLSv1_client_method();
-#endif /* OPENSSL_1_1_0 */
-#ifdef TLSV1_2
-  else if(flag & NET_TRYTLS1_1)
-     return TLSv1_1_client_method();
-  else if(flag & NET_TRYTLS1_2)
-     return TLSv1_2_client_method();
-#endif /* TLSV1_2 */
-#ifdef OPENSSL_1_1_0
-  else if(flag & NET_TRYDTLS1)
-     return DTLS_client_method();
+     return TLS_client_method();
+#endif /* OPENSSL_NO_TLS1_METHOD */
+
+  else if(flag & NET_TRYTLS1_1)
+#ifndef OPENSSL_NO_TLS1_1_METHOD
+     return TLSv1_1_client_method();
+#else
+     return TLS_client_method();
+#endif /* OPENSSL_NO_TLS1_1_METHOD */
+
+  else if(flag & NET_TRYTLS1_2)
+#ifndef OPENSSL_NO_TLS1_2_METHOD
+     return TLSv1_2_client_method();
 #else
+     return TLS_client_method();
+#endif /* OPENSSL_NO_TLS1_2_METHOD */
+
+  else if(flag & NET_TRYTLS1_3)
+     return TLS_client_method();
+
   else if(flag & NET_TRYDTLS1)
-     return DTLSv1_client_method();
-#endif /* OPENSSL_1_1_0 */
+#ifndef OPENSSL_NO_DTLS1_METHOD
+     return DTLSv1_client_method();
+#else
+     return DTLS_client_method();
+#endif /* OPENSSL_NO_DTLS1_METHOD */
+
+  else if(flag & NET_TRYDTLS1_2)
+#ifndef OPENSSL_NO_DTLS1_METHOD
+     return DTLSv1_2_client_method();
+#else
+     return DTLS_client_method();
+#endif /* OPENSSL_NO_DTLS1_METHOD */
+
   else return SSLv23_client_method();
 }
--
cgit v1.2.3-54-g00ecf
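Review bot: The `NET_TRYDTLS1_2` branch is wrapped in `#ifndef OPENSSL_NO_DTLS1_METHOD`, but OpenSSL exposes a separate `OPENSSL_NO_DTLS1_2_METHOD` for that method, so a library built with DTLS 1.0 methods but without DTLS 1.2 ones would reference an undeclared function, and the opposite configuration would take the generic fallback even though DTLSv1_2_client_method() is available; the guard should read `#ifndef OPENSSL_NO_DTLS1_2_METHOD`. The larger issue is that `NET_TRYTLS1_3` simply returns `TLS_client_method()`, which negotiates any version the library allows, so `/tls1_3` neither requires TLS 1.3 nor fails on an OpenSSL that cannot speak it; and with the OPENSSL_1_1_0 remaps in this file every other branch collapses to the same flexible method. Pinning has to be done on the SSL_CTX built from the returned method (outside this hunk) with SSL_CTX_set_min_proto_version/SSL_CTX_set_max_proto_version keyed on the NET_TRY* flag, plus an explicit error when the requested version is unsupported. Since this function is now a copy of the one in ssl_nt.c, whatever is done here should land in both.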