aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2015-09-11 01:02:57 +0200
committerGuilhem Moulin <guilhem@fripost.org>2015-09-11 01:02:57 +0200
commit77753445ddc78013159a6d44301a1b342af4a2d1 (patch)
treee2fb87745f2118a7703ba5954ceb1c81ee0c5dcf
parentb099ebf5b8d5f73168d075c5d97a6242efb67a8e (diff)
parentcd7d385b4a27d028a7c7f92e1cd781b65b8ca5eb (diff)
Merge branch 'master' into debian
-rw-r--r--Changelog8
-rwxr-xr-xinterimap5
-rw-r--r--lib/Net/IMAP/InterIMAP.pm195
3 files changed, 115 insertions, 93 deletions
diff --git a/Changelog b/Changelog
index 5b010d2..754e0fd 100644
--- a/Changelog
+++ b/Changelog
@@ -1,4 +1,4 @@
-interimap (0.2) upstream
+interimap (0.2) upstream;
* Add support for the IMAP COMPRESS extension [RFC4978]. By default
enabled for the remote server, and disabled for the local server.
@@ -10,6 +10,12 @@ interimap (0.2) upstream
default if both the local and remote servers advertize "BINARY".
Can be disabled by adding 'use-binary=NO' to the default section in
the configuration file.
+ * Exit with return value 0 when receiving a SIGTERM.
+ * Print IMAP traffic stats when receiving a SIGHUP.
+ * Add SSL options SINGLE_ECDH_USE, SINGLE_DH_USE, NO_SSLv2, NO_SSLv3
+ and NO_COMPRESSION to the compiled-in CTX options.
+ * Use SSL_MODE_AUTO_RETRY to avoid SSL_read failures during a
+ handshake.
-- Guilhem Moulin <guilhem@guilhem.org> Wed, 09 Sep 2015 00:44:35 +0200
diff --git a/interimap b/interimap
index c5de2ce..4a8bde4 100755
--- a/interimap
+++ b/interimap
@@ -118,8 +118,9 @@ sub cleanup() {
close $LOGGER_FD if defined $LOGGER_FD;
$DBH->disconnect() if defined $DBH;
}
-$SIG{$_} = sub { msg(undef, $!); cleanup(); exit 1; } foreach qw/INT TERM/;
-$SIG{$_} = sub { msg(undef, $!); cleanup(); exit 0; } foreach qw/HUP/;
+$SIG{INT} = sub { msg(undef, $!); cleanup(); exit 1; };
+$SIG{TERM} = sub { cleanup(); exit 0; };
+$SIG{HUP} = sub { $_->stats() foreach grep defined, ($lIMAP, $rIMAP); };
#############################################################################
diff --git a/lib/Net/IMAP/InterIMAP.pm b/lib/Net/IMAP/InterIMAP.pm
index 3b9e10e..65a0c10 100644
--- a/lib/Net/IMAP/InterIMAP.pm
+++ b/lib/Net/IMAP/InterIMAP.pm
@@ -20,7 +20,7 @@ package Net::IMAP::InterIMAP v0.0.2;
use warnings;
use strict;
-use Compress::Zlib qw/Z_OK Z_FULL_FLUSH Z_SYNC_FLUSH MAX_WBITS/;
+use Compress::Zlib qw/Z_FULL_FLUSH Z_SYNC_FLUSH MAX_WBITS/;
use Config::Tiny ();
use Errno 'EWOULDBLOCK';
use IO::Select ();
@@ -221,6 +221,15 @@ sub new($%) {
my $self = { @_ };
bless $self, $class;
+ foreach (keys %$self) {
+ next unless defined $self->{$_};
+ if (uc $self->{$_} eq 'YES') {
+ $self->{$_} = 1;
+ } elsif (uc $self->{$_} eq 'NO') {
+ $self->{$_} = 0;
+ }
+ }
+
# the IMAP state: one of 'UNAUTH', 'AUTH', 'SELECTED' or 'LOGOUT'
# (cf RFC 3501 section 3)
$self->{_STATE} = '';
@@ -246,7 +255,7 @@ sub new($%) {
open STDOUT, '>&', $wd or $self->panic("Can't dup: $!");
my $stderr2;
- if (uc ($self->{'null-stderr'} // 'NO') eq 'YES') {
+ if ($self->{'null-stderr'} // 0) {
open $stderr2, '>&', *STDERR;
open STDERR, '>', '/dev/null' or $self->panic("Can't open /dev/null: $!");
}
@@ -271,28 +280,13 @@ sub new($%) {
}
}
else {
+ require 'IO/Socket/INET.pm';
my %args = (Proto => 'tcp', Blocking => 1);
$args{PeerHost} = $self->{host} // $self->fail("Missing option host");
$args{PeerPort} = $self->{port} // $self->fail("Missing option port");
- my $socket;
- if ($self->{type} eq 'imap') {
- require 'IO/Socket/INET.pm';
- $socket = IO::Socket::INET->new(%args) or $self->fail("Cannot bind: $@");
- }
- else {
- require 'IO/Socket/SSL.pm';
- if (defined (my $vrfy = delete $self->{SSL_verify_trusted_peer})) {
- $args{SSL_verify_mode} = 0 if uc $vrfy eq 'NO';
- }
- my $fpr = delete $self->{SSL_fingerprint};
- $args{$_} = $self->{$_} foreach grep /^SSL_/, keys %$self;
- $socket = IO::Socket::SSL->new(%args)
- or $self->fail("Failed connect or SSL handshake: $!\n$IO::Socket::SSL::SSL_ERROR");
-
- # ensure we're talking to the right server
- $self->_fingerprint_match($socket, $fpr) if defined $fpr;
- }
+ my $socket = IO::Socket::INET->new(%args) or $self->fail("Cannot bind: $@");
+ $self->_start_ssl($socket) if $self->{type} eq 'imaps';
$socket->sockopt(SO_KEEPALIVE, 1);
$self->{$_} = $socket for qw/STDOUT STDIN/;
@@ -347,31 +341,17 @@ sub new($%) {
$self->{_STATE} = 'UNAUTH';
my @caps = $self->capabilities();
- if ($self->{type} eq 'imap' and uc $self->{STARTTLS} ne 'NO') { # RFC 2595 section 5.1
+ if ($self->{type} eq 'imap' and $self->{STARTTLS}) { # RFC 2595 section 5.1
$self->fail("Server did not advertise STARTTLS capability.")
unless grep {$_ eq 'STARTTLS'} @caps;
-
- require 'IO/Socket/SSL.pm';
- $self->_send('STARTTLS');
-
- my %sslargs;
- if (defined (my $vrfy = delete $self->{SSL_verify_trusted_peer})) {
- $sslargs{SSL_verify_mode} = 0 if uc $vrfy eq 'NO';
- }
- my $fpr = delete $self->{SSL_fingerprint};
- $sslargs{$_} = $self->{$_} foreach grep /^SSL_/, keys %$self;
- IO::Socket::SSL->start_SSL($self->{STDIN}, %sslargs)
- or $self->fail("Failed SSL handshake: $!\n$IO::Socket::SSL::SSL_ERROR");
-
- # ensure we're talking to the right server
- $self->_fingerprint_match($self->{STDIN}, $fpr) if defined $fpr;
+ $self->_start_ssl($self->{STDIN}) if $self->{type} eq 'imaps';
# refresh the previous CAPABILITY list since the previous one could have been spoofed
delete $self->{_CAPABILITIES};
@caps = $self->capabilities();
}
- my @mechs = ('LOGIN', grep defined, map { /^AUTH=(.+)/ ? $1 : undef } @caps);
+ my @mechs = ('LOGIN', grep defined, map { /^AUTH=(.+)/i ? $1 : undef } @caps);
my $mech = (grep defined, map {my $m = $_; (grep {$m eq $_} @mechs) ? $m : undef}
split(/ /, $self->{auth}))[0];
$self->fail("Failed to choose an authentication mechanism") unless defined $mech;
@@ -411,9 +391,9 @@ sub new($%) {
$self->{_STATE} = 'AUTH';
# Don't send the COMPRESS command before STARTTLS or AUTH, as per RFC 4978
- if (uc ($self->{compress} // 'NO') eq 'YES') {
+ if ($self->{compress} // 1 and
+ my @algos = grep defined, map { /^COMPRESS=(.+)/i ? uc $1 : undef } @{$self->{_CAPABILITIES}}) {
my @supported = qw/DEFLATE/; # supported compression algorithms
- my @algos = grep defined, map { /^COMPRESS=(.+)/ ? uc $1 : undef } @{$self->{_CAPABILITIES}};
my $algo = first { my $x = $_; grep {$_ eq $x} @algos } @supported;
if (!defined $algo) {
$self->warn("Couldn't find a suitable compression algorithm. Not enabling compression.");
@@ -425,16 +405,11 @@ sub new($%) {
$self->panic($IMAP_text) unless $r eq 'OK';
if ($algo eq 'DEFLATE') {
- my ($status, $d, $i);
my %args = ( -WindowBits => 0 - MAX_WBITS );
- ($d, $status) = Compress::Zlib::deflateInit(%args);
- $self->panic("Can't create deflation stream: ", $d->msg())
- unless defined $d and $status == Z_OK;
-
- ($i, $status) = Compress::Zlib::inflateInit(%args);
- $self->panic("Can't create inflation stream: ", $i->msg())
- unless defined $i and $status == Z_OK;
- @$self{qw/_Z_DEFLATE _Z_INFLATE/} = ($d, $i);
+ $self->{_Z_DEFLATE} = Compress::Zlib::deflateInit(%args) //
+ $self->panic("Can't create deflation stream");
+ $self->{_Z_INFLATE} = Compress::Zlib::inflateInit(%args) //
+ $self->panic("Can't create inflation stream");
}
else {
$self->fail("Unsupported compression algorithm: $algo");
@@ -458,6 +433,22 @@ sub new($%) {
}
+# Print traffic statistics
+sub stats($) {
+ my $self = shift;
+ my $msg = 'IMAP traffic (bytes):';
+ $msg .= ' recv '._kibi($self->{_OUTCOUNT});
+ $msg .= ' (compr. '._kibi($self->{_OUTRAWCOUNT}).
+ ', factor '.sprintf('%.2f', $self->{_OUTRAWCOUNT}/$self->{_OUTCOUNT}).')'
+ if defined $self->{_Z_DEFLATE} and $self->{_OUTCOUNT} > 0;
+ $msg .= ' sent '._kibi($self->{_INCOUNT});
+ $msg .= ' (compr. '._kibi($self->{_INRAWCOUNT}).
+ ', factor '.sprintf('%.2f', $self->{_INRAWCOUNT}/$self->{_INCOUNT}).')'
+ if defined $self->{_Z_DEFLATE} and $self->{_INCOUNT} > 0;
+ $self->log($msg);
+}
+
+
# Log out when the Net::IMAP::InterIMAP object is destroyed.
sub DESTROY($) {
my $self = shift;
@@ -467,16 +458,7 @@ sub DESTROY($) {
$self->{$_}->close() if defined $self->{$_} and $self->{$_}->opened();
}
- unless ($self->{quiet}) {
- my $msg = "Connection closed";
- $msg .= " in=$self->{_INCOUNT}";
- $msg .= " (raw=$self->{_INRAWCOUNT}, ratio ".sprintf('%.2f', $self->{_INRAWCOUNT}/$self->{_INCOUNT}).")"
- if defined $self->{_INRAWCOUNT} and $self->{_INCOUNT} > 0 and $self->{_INCOUNT} != $self->{_INRAWCOUNT};
- $msg .= ", out=$self->{_OUTCOUNT}";
- $msg .= " (raw=$self->{_OUTRAWCOUNT}, ratio ".sprintf('%.2f', $self->{_OUTRAWCOUNT}/$self->{_OUTCOUNT}).")"
- if defined $self->{_OUTRAWCOUNT} and $self->{_OUTCOUNT} > 0 and $self->{_OUTCOUNT} != $self->{_OUTRAWCOUNT};
- $self->log($msg);
- }
+ $self->stats() unless $self->{quiet};
}
@@ -1208,17 +1190,51 @@ sub push_flag_updates($$@) {
# Private methods
-# $self->_fingerprint_match($socket, $fingerprint)
-# Croak unless the fingerprint of the peer certificate of the
-# IO::Socket::SSL object doesn't match the given $fingerprint.
-sub _fingerprint_match($$$) {
- my ($self, $socket, $fpr) = @_;
+# $self->_start_ssl($socket)
+# Upgrade the $socket to IO::Socket::SSL.
+sub _start_ssl($$) {
+ my ($self, $socket) = @_;
+ require 'IO/Socket/SSL.pm';
+ require 'Net/SSLeay.pm';
+
+ my %sslargs = (SSL_create_ctx_callback => sub($) {
+ my $ctx = shift;
+ my $rv;
+
+ # https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_options.html
+ $rv = Net::SSLeay::CTX_get_options($ctx)
+ | Net::SSLeay::OP_SINGLE_ECDH_USE()
+ | Net::SSLeay::OP_SINGLE_DH_USE()
+ | Net::SSLeay::OP_NO_SSLv2()
+ | Net::SSLeay::OP_NO_SSLv3()
+ | Net::SSLeay::OP_NO_COMPRESSION();
+ Net::SSLeay::CTX_set_options($ctx, $rv);
+
+ # https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_mode.html
+ $rv = Net::SSLeay::CTX_get_mode($ctx)
+ | Net::SSLeay::MODE_AUTO_RETRY() # don't fail SSL_read on renegociation
+ | Net::SSLeay::MODE_RELEASE_BUFFERS();
+ Net::SSLeay::CTX_set_mode($ctx, $rv);
+ });
+
+ my $fpr = delete $self->{SSL_fingerprint};
+ my $vrfy = delete $self->{SSL_verify_trusted_peer};
+ $sslargs{SSL_verify_mode} = ($vrfy // 1) ? Net::SSLeay::VERIFY_PEER() : Net::SSLeay::VERIFY_NONE();
+ $sslargs{$_} = $self->{$_} foreach grep /^SSL_/, keys %$self;
+
+ IO::Socket::SSL->start_SSL($socket, %sslargs)
+ or $self->fail("Failed SSL handshake: $!\n$IO::Socket::SSL::SSL_ERROR");
+
+ # ensure we're talking to the right server
+ if (defined $fpr) {
+ my $algo = $fpr =~ /^([^\$]+)\$/ ? $1 : 'sha256';
+ my $fpr2 = $socket->get_fingerprint($algo);
+ $fpr =~ s/.*\$//;
+ $fpr2 =~ s/.*\$//;
+ $self->fail("Fingerprint don't match! MiTM in action?")
+ unless uc $fpr eq uc $fpr2;
+ }
- my $algo = $fpr =~ /^([^\$]+)\$/ ? $1 : 'sha256';
- my $fpr2 = $socket->get_fingerprint($algo);
- $fpr =~ s/.*\$//;
- $fpr2 =~ s/.*\$//;
- $self->fail("Fingerprint don't match! MiTM in action?") unless uc $fpr eq uc $fpr2;
}
@@ -1242,21 +1258,12 @@ sub _getline($;$) {
# (read at most 2^14 bytes, the maximum length of an SSL
# frame, to ensure to guaranty that there is no pending data)
my $n = $stdout->sysread(my $buf,16384,0);
- unless (defined $n) {
- next unless $! == EWOULDBLOCK and
- (ref $stdout ne 'IO::Socket::SSL' or
- # sysread might fail if must finish a SSL handshake first
- ($IO::Socket::SSL::SSL_ERROR == Net::SSLeay::ERROR_WANT_READ() or
- $IO::Socket::SSL::SSL_ERROR == Net::SSLeay::ERROR_WANT_WRITE()));
- $self->panic("Can't read: $!")
- }
+ $self->panic("Can't read: $!") unless defined $n;
$self->fail("0 bytes read (got EOF)") unless $n > 0; # EOF
$self->{_OUTRAWCOUNT} += $n;
if (defined (my $i = $self->{_Z_INFLATE})) {
- my ($out, $status) = $i->inflate($buf);
- $self->panic("Inflation failed: ", $i->msg()) unless $status == Z_OK;
- $buf = $out;
+ $buf = $i->inflate($buf) // $self->panic("Inflation failed: ", $i->msg());
}
$self->{_OUTBUF} = $buf;
}
@@ -1345,9 +1352,7 @@ sub _write($@) {
sub _z_flush($;$) {
my ($self,$t) = @_;
my $d = $self->{_Z_DEFLATE} // return;
- my ($out, $status) = $d->flush($t);
- $self->panic("Can't flush deflation stream: ", $d->msg()) unless $status == Z_OK;
- $self->_write($out);
+ $self->_write( $d->flush($t) // $self->panic("Can't flush deflation stream: ", $d->msg()) );
}
@@ -1378,9 +1383,8 @@ sub _send_cmd($) {
$line = substr($command, $offset, $idx-1-$offset);
$litlen = $litplus ? ($line =~ s/\{([0-9]+)\}\z/{$1+}/ ? $1 : $self->panic())
: ($line =~ /\{([0-9]+)\}\z/ ? $1 : $self->panic());
- $z_flush2 = ($litlen > 4096 and # large literal
- (uc ($self->{'use-binary'} // 'YES') eq 'NO'
- or $line =~ /~\{[0-9]+\}\z/) # literal8, RFC 3516 BINARY
+ $z_flush2 = ($litlen > 4096 and # large literal
+ ($self->{'use-binary'} // 1 or $line =~ /~\{[0-9]+\}\z/) # literal8, RFC 3516 BINARY
) ? 1 : 0;
}
$self->logger('C: ', ($offset == 0 ? "$tag " : '[...]'), $line) if $self->{debug};
@@ -1393,11 +1397,7 @@ sub _send_cmd($) {
else {
for (my $i = 0; $i <= $#data; $i++) {
$self->_z_flush(Z_FULL_FLUSH) if $i == 0 and $z_flush;
-
- my ($out, $status) = $d->deflate($data[$i]);
- $self->panic("Deflation failed: ", $d->msg()) unless $status == Z_OK;
- $self->_write($out);
-
+ $self->_write( $d->deflate($data[$i]) // $self->panic("Deflation failed: ", $d->msg()) );
$self->_z_flush(Z_FULL_FLUSH) if $i == 0 and $z_flush;
}
}
@@ -1555,6 +1555,21 @@ sub _select_or_examine($$$;$$) {
}
+sub _kibi($) {
+ my $n = shift;
+ if ($n < 1024) {
+ $n;
+ } elsif ($n < 1048576) {
+ sprintf '%.2fK', $n / 1024.;
+ } elsif ($n < 1073741824) {
+ sprintf '%.2fM', $n / 1048576.;
+ } else {
+ sprintf '%.2fG', $n / 1073741824.;
+ }
+
+}
+
+
#############################################################################
# Parsing methods