From d4ec818aab1b6052eef351209adadd6e4a504943 Mon Sep 17 00:00:00 2001
From: Kevin McCarthy <kevin@8t8.us>
Date: Sat, 17 Aug 2019 15:38:34 -0700
Subject: [PATCH] Add $ssl_use_tlsv1_3 config variable, default set.

---
 init.h            |  6 +++++
 mutt.h            |  1 +
 mutt_ssl.c        | 10 +++++++++
 mutt_ssl_gnutls.c | 57 ++++++++++++++++++++++++++---------------------
 4 files changed, 49 insertions(+), 25 deletions(-)

diff --git a/init.h b/init.h
index e24d7bcd..52f75938 100644
--- a/init.h
+++ b/init.h
@@ -3840,6 +3840,12 @@ struct option_t MuttVars[] = {
   ** If \fIset\fP , Mutt will use TLSv1.2 when communicating with servers that
   ** request it.
   */
+  { "ssl_use_tlsv1_3", DT_BOOL, R_NONE, {.l=OPTTLSV1_3}, {.l=1} },
+  /*
+  ** .pp
+  ** If \fIset\fP , Mutt will use TLSv1.3 when communicating with servers that
+  ** request it.
+  */
 #ifdef USE_SSL_OPENSSL
   { "ssl_usesystemcerts", DT_BOOL, R_NONE, {.l=OPTSSLSYSTEMCERTS}, {.l=1} },
   /*
diff --git a/mutt.h b/mutt.h
index ff257127..ce9056d7 100644
--- a/mutt.h
+++ b/mutt.h
@@ -450,6 +450,7 @@ enum
   OPTTLSV1,
   OPTTLSV1_1,
   OPTTLSV1_2,
+  OPTTLSV1_3,
   OPTSSLFORCETLS,
   OPTSSLVERIFYDATES,
   OPTSSLVERIFYHOST,
diff --git a/mutt_ssl.c b/mutt_ssl.c
index b48f319b..9df7096a 100644
--- a/mutt_ssl.c
+++ b/mutt_ssl.c
@@ -215,6 +215,10 @@ int mutt_ssl_starttls (CONNECTION* conn)
     dprint (1, (debugfile, "mutt_ssl_starttls: Error allocating SSL_CTX\n"));
     goto bail_ssldata;
   }
+#ifdef SSL_OP_NO_TLSv1_3
+  if (!option(OPTTLSV1_3))
+    ssl_options |= SSL_OP_NO_TLSv1_3;
+#endif
 #ifdef SSL_OP_NO_TLSv1_2
   if (!option(OPTTLSV1_2))
     ssl_options |= SSL_OP_NO_TLSv1_2;
@@ -505,6 +509,12 @@ static int ssl_socket_open (CONNECTION * conn)
   {
     SSL_CTX_set_options(data->ctx, SSL_OP_NO_TLSv1_2);
   }
+#endif
+#ifdef SSL_OP_NO_TLSv1_3
+  if (!option(OPTTLSV1_3))
+  {
+    SSL_CTX_set_options(data->ctx, SSL_OP_NO_TLSv1_3);
+  }
 #endif
   if (!option(OPTSSLV2))
   {
diff --git a/mutt_ssl_gnutls.c b/mutt_ssl_gnutls.c
index 94a3c6d2..71873766 100644
--- a/mutt_ssl_gnutls.c
+++ b/mutt_ssl_gnutls.c
@@ -287,63 +287,70 @@ err_crt:
 #if HAVE_GNUTLS_PRIORITY_SET_DIRECT
 static int tls_set_priority(tlssockdata *data)
 {
-  size_t nproto = 4;
-  char *priority;
-  size_t priority_size;
-  int err;
+  size_t nproto = 5;
+  BUFFER *priority = NULL;
+  int err, rv = -1;
 
-  priority_size = SHORT_STRING + mutt_strlen (SslCiphers);
-  priority = safe_malloc (priority_size);
+  priority = mutt_buffer_pool_get ();
 
-  priority[0] = 0;
   if (SslCiphers)
-    safe_strcat (priority, priority_size, SslCiphers);
+    mutt_buffer_strcpy (priority, SslCiphers);
   else
-    safe_strcat (priority, priority_size, "NORMAL");
+    mutt_buffer_strcpy (priority, "NORMAL");
 
-  if (! option(OPTTLSV1_2))
+  if (!option(OPTTLSV1_3))
   {
     nproto--;
-    safe_strcat (priority, priority_size, ":-VERS-TLS1.2");
+    mutt_buffer_addstr (priority, ":-VERS-TLS1.3");
   }
-  if (! option(OPTTLSV1_1))
+  if (!option(OPTTLSV1_2))
   {
     nproto--;
-    safe_strcat (priority, priority_size, ":-VERS-TLS1.1");
+    mutt_buffer_addstr (priority, ":-VERS-TLS1.2");
   }
-  if (! option(OPTTLSV1))
+  if (!option(OPTTLSV1_1))
   {
     nproto--;
-    safe_strcat (priority, priority_size, ":-VERS-TLS1.0");
+    mutt_buffer_addstr (priority, ":-VERS-TLS1.1");
   }
-  if (! option(OPTSSLV3))
+  if (!option(OPTTLSV1))
   {
     nproto--;
-    safe_strcat (priority, priority_size, ":-VERS-SSL3.0");
+    mutt_buffer_addstr (priority, ":-VERS-TLS1.0");
+  }
+  if (!option(OPTSSLV3))
+  {
+    nproto--;
+    mutt_buffer_addstr (priority, ":-VERS-SSL3.0");
   }
 
   if (nproto == 0)
   {
     mutt_error (_("All available protocols for TLS/SSL connection disabled"));
-    FREE (&priority);
-    return -1;
+    goto cleanup;
   }
 
-  if ((err = gnutls_priority_set_direct (data->state, priority, NULL)) < 0)
+  if ((err = gnutls_priority_set_direct (data->state, mutt_b2s (priority), NULL)) < 0)
   {
-    mutt_error ("gnutls_priority_set_direct(%s): %s", priority, gnutls_strerror(err));
+    mutt_error ("gnutls_priority_set_direct(%s): %s", mutt_b2s (priority), gnutls_strerror(err));
     mutt_sleep (2);
-    FREE (&priority);
-    return -1;
+    goto cleanup;
   }
 
-  FREE (&priority);
-  return 0;
+  rv = 0;
+
+cleanup:
+  mutt_buffer_pool_release (&priority);
+  return rv;
 }
 #else
 /* This array needs to be large enough to hold all the possible values support
  * by Mutt.  The initialized values are just placeholders--the array gets
  * overwrriten in tls_negotiate() depending on the $ssl_use_* options.
+ *
+ * Note: gnutls_protocol_set_priority() was removed in GnuTLS version
+ * 3.4 (2015-04).  TLS 1.3 support wasn't added until version 3.6.5.
+ * Therefore, no attempt is made to support $ssl_use_tlsv1_3 in this code.
  */
 static int protocol_priority[] = {GNUTLS_TLS1_2, GNUTLS_TLS1_1, GNUTLS_TLS1, GNUTLS_SSL3, 0};
 
-- 
2.40.0