diff options
| author | Guilhem Moulin <guilhem@fripost.org> | 2015-09-11 01:02:57 +0200 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2015-09-11 01:02:57 +0200 |
| commit | 77753445ddc78013159a6d44301a1b342af4a2d1 (patch) | |
| tree | e2fb87745f2118a7703ba5954ceb1c81ee0c5dcf | |
| parent | b099ebf5b8d5f73168d075c5d97a6242efb67a8e (diff) | |
| parent | cd7d385b4a27d028a7c7f92e1cd781b65b8ca5eb (diff) | |
Merge branch 'master' into debian
| -rw-r--r-- | Changelog | 8 | ||||
| -rwxr-xr-x | interimap | 5 | ||||
| -rw-r--r-- | lib/Net/IMAP/InterIMAP.pm | 195 |
3 files changed, 115 insertions, 93 deletions
@@ -1,4 +1,4 @@ -interimap (0.2) upstream +interimap (0.2) upstream; * Add support for the IMAP COMPRESS extension [RFC4978]. By default enabled for the remote server, and disabled for the local server. @@ -10,6 +10,12 @@ interimap (0.2) upstream default if both the local and remote servers advertize "BINARY". Can be disabled by adding 'use-binary=NO' to the default section in the configuration file. + * Exit with return value 0 when receiving a SIGTERM. + * Print IMAP traffic stats when receiving a SIGHUP. + * Add SSL options SINGLE_ECDH_USE, SINGLE_DH_USE, NO_SSLv2, NO_SSLv3 + and NO_COMPRESSION to the compiled-in CTX options. + * Use SSL_MODE_AUTO_RETRY to avoid SSL_read failures during a + handshake. -- Guilhem Moulin <guilhem@guilhem.org> Wed, 09 Sep 2015 00:44:35 +0200 @@ -118,8 +118,9 @@ sub cleanup() { close $LOGGER_FD if defined $LOGGER_FD; $DBH->disconnect() if defined $DBH; } -$SIG{$_} = sub { msg(undef, $!); cleanup(); exit 1; } foreach qw/INT TERM/; -$SIG{$_} = sub { msg(undef, $!); cleanup(); exit 0; } foreach qw/HUP/; +$SIG{INT} = sub { msg(undef, $!); cleanup(); exit 1; }; +$SIG{TERM} = sub { cleanup(); exit 0; }; +$SIG{HUP} = sub { $_->stats() foreach grep defined, ($lIMAP, $rIMAP); }; ############################################################################# diff --git a/lib/Net/IMAP/InterIMAP.pm b/lib/Net/IMAP/InterIMAP.pm index 3b9e10e..65a0c10 100644 --- a/lib/Net/IMAP/InterIMAP.pm +++ b/lib/Net/IMAP/InterIMAP.pm @@ -20,7 +20,7 @@ package Net::IMAP::InterIMAP v0.0.2; use warnings; use strict; -use Compress::Zlib qw/Z_OK Z_FULL_FLUSH Z_SYNC_FLUSH MAX_WBITS/; +use Compress::Zlib qw/Z_FULL_FLUSH Z_SYNC_FLUSH MAX_WBITS/; use Config::Tiny (); use Errno 'EWOULDBLOCK'; use IO::Select (); @@ -221,6 +221,15 @@ sub new($%) { my $self = { @_ }; bless $self, $class; + foreach (keys %$self) { + next unless defined $self->{$_}; + if (uc $self->{$_} eq 'YES') { + $self->{$_} = 1; + } elsif (uc $self->{$_} eq 'NO') { + $self->{$_} = 0; + } + } + # the IMAP state: one of 'UNAUTH', 'AUTH', 'SELECTED' or 'LOGOUT' # (cf RFC 3501 section 3) $self->{_STATE} = ''; @@ -246,7 +255,7 @@ sub new($%) { open STDOUT, '>&', $wd or $self->panic("Can't dup: $!"); my $stderr2; - if (uc ($self->{'null-stderr'} // 'NO') eq 'YES') { + if ($self->{'null-stderr'} // 0) { open $stderr2, '>&', *STDERR; open STDERR, '>', '/dev/null' or $self->panic("Can't open /dev/null: $!"); } @@ -271,28 +280,13 @@ sub new($%) { } } else { + require 'IO/Socket/INET.pm'; my %args = (Proto => 'tcp', Blocking => 1); $args{PeerHost} = $self->{host} // $self->fail("Missing option host"); $args{PeerPort} = $self->{port} // $self->fail("Missing option port"); - my $socket; - if ($self->{type} eq 'imap') { - require 'IO/Socket/INET.pm'; - $socket = IO::Socket::INET->new(%args) or $self->fail("Cannot bind: $@"); - } - else { - require 'IO/Socket/SSL.pm'; - if (defined (my $vrfy = delete $self->{SSL_verify_trusted_peer})) { - $args{SSL_verify_mode} = 0 if uc $vrfy eq 'NO'; - } - my $fpr = delete $self->{SSL_fingerprint}; - $args{$_} = $self->{$_} foreach grep /^SSL_/, keys %$self; - $socket = IO::Socket::SSL->new(%args) - or $self->fail("Failed connect or SSL handshake: $!\n$IO::Socket::SSL::SSL_ERROR"); - - # ensure we're talking to the right server - $self->_fingerprint_match($socket, $fpr) if defined $fpr; - } + my $socket = IO::Socket::INET->new(%args) or $self->fail("Cannot bind: $@"); + $self->_start_ssl($socket) if $self->{type} eq 'imaps'; $socket->sockopt(SO_KEEPALIVE, 1); $self->{$_} = $socket for qw/STDOUT STDIN/; @@ -347,31 +341,17 @@ sub new($%) { $self->{_STATE} = 'UNAUTH'; my @caps = $self->capabilities(); - if ($self->{type} eq 'imap' and uc $self->{STARTTLS} ne 'NO') { # RFC 2595 section 5.1 + if ($self->{type} eq 'imap' and $self->{STARTTLS}) { # RFC 2595 section 5.1 $self->fail("Server did not advertise STARTTLS capability.") unless grep {$_ eq 'STARTTLS'} @caps; - - require 'IO/Socket/SSL.pm'; - $self->_send('STARTTLS'); - - my %sslargs; - if (defined (my $vrfy = delete $self->{SSL_verify_trusted_peer})) { - $sslargs{SSL_verify_mode} = 0 if uc $vrfy eq 'NO'; - } - my $fpr = delete $self->{SSL_fingerprint}; - $sslargs{$_} = $self->{$_} foreach grep /^SSL_/, keys %$self; - IO::Socket::SSL->start_SSL($self->{STDIN}, %sslargs) - or $self->fail("Failed SSL handshake: $!\n$IO::Socket::SSL::SSL_ERROR"); - - # ensure we're talking to the right server - $self->_fingerprint_match($self->{STDIN}, $fpr) if defined $fpr; + $self->_start_ssl($self->{STDIN}) if $self->{type} eq 'imaps'; # refresh the previous CAPABILITY list since the previous one could have been spoofed delete $self->{_CAPABILITIES}; @caps = $self->capabilities(); } - my @mechs = ('LOGIN', grep defined, map { /^AUTH=(.+)/ ? $1 : undef } @caps); + my @mechs = ('LOGIN', grep defined, map { /^AUTH=(.+)/i ? $1 : undef } @caps); my $mech = (grep defined, map {my $m = $_; (grep {$m eq $_} @mechs) ? $m : undef} split(/ /, $self->{auth}))[0]; $self->fail("Failed to choose an authentication mechanism") unless defined $mech; @@ -411,9 +391,9 @@ sub new($%) { $self->{_STATE} = 'AUTH'; # Don't send the COMPRESS command before STARTTLS or AUTH, as per RFC 4978 - if (uc ($self->{compress} // 'NO') eq 'YES') { + if ($self->{compress} // 1 and + my @algos = grep defined, map { /^COMPRESS=(.+)/i ? uc $1 : undef } @{$self->{_CAPABILITIES}}) { my @supported = qw/DEFLATE/; # supported compression algorithms - my @algos = grep defined, map { /^COMPRESS=(.+)/ ? uc $1 : undef } @{$self->{_CAPABILITIES}}; my $algo = first { my $x = $_; grep {$_ eq $x} @algos } @supported; if (!defined $algo) { $self->warn("Couldn't find a suitable compression algorithm. Not enabling compression."); @@ -425,16 +405,11 @@ sub new($%) { $self->panic($IMAP_text) unless $r eq 'OK'; if ($algo eq 'DEFLATE') { - my ($status, $d, $i); my %args = ( -WindowBits => 0 - MAX_WBITS ); - ($d, $status) = Compress::Zlib::deflateInit(%args); - $self->panic("Can't create deflation stream: ", $d->msg()) - unless defined $d and $status == Z_OK; - - ($i, $status) = Compress::Zlib::inflateInit(%args); - $self->panic("Can't create inflation stream: ", $i->msg()) - unless defined $i and $status == Z_OK; - @$self{qw/_Z_DEFLATE _Z_INFLATE/} = ($d, $i); + $self->{_Z_DEFLATE} = Compress::Zlib::deflateInit(%args) // + $self->panic("Can't create deflation stream"); + $self->{_Z_INFLATE} = Compress::Zlib::inflateInit(%args) // + $self->panic("Can't create inflation stream"); } else { $self->fail("Unsupported compression algorithm: $algo"); @@ -458,6 +433,22 @@ sub new($%) { } +# Print traffic statistics +sub stats($) { + my $self = shift; + my $msg = 'IMAP traffic (bytes):'; + $msg .= ' recv '._kibi($self->{_OUTCOUNT}); + $msg .= ' (compr. '._kibi($self->{_OUTRAWCOUNT}). + ', factor '.sprintf('%.2f', $self->{_OUTRAWCOUNT}/$self->{_OUTCOUNT}).')' + if defined $self->{_Z_DEFLATE} and $self->{_OUTCOUNT} > 0; + $msg .= ' sent '._kibi($self->{_INCOUNT}); + $msg .= ' (compr. '._kibi($self->{_INRAWCOUNT}). + ', factor '.sprintf('%.2f', $self->{_INRAWCOUNT}/$self->{_INCOUNT}).')' + if defined $self->{_Z_DEFLATE} and $self->{_INCOUNT} > 0; + $self->log($msg); +} + + # Log out when the Net::IMAP::InterIMAP object is destroyed. sub DESTROY($) { my $self = shift; @@ -467,16 +458,7 @@ sub DESTROY($) { $self->{$_}->close() if defined $self->{$_} and $self->{$_}->opened(); } - unless ($self->{quiet}) { - my $msg = "Connection closed"; - $msg .= " in=$self->{_INCOUNT}"; - $msg .= " (raw=$self->{_INRAWCOUNT}, ratio ".sprintf('%.2f', $self->{_INRAWCOUNT}/$self->{_INCOUNT}).")" - if defined $self->{_INRAWCOUNT} and $self->{_INCOUNT} > 0 and $self->{_INCOUNT} != $self->{_INRAWCOUNT}; - $msg .= ", out=$self->{_OUTCOUNT}"; - $msg .= " (raw=$self->{_OUTRAWCOUNT}, ratio ".sprintf('%.2f', $self->{_OUTRAWCOUNT}/$self->{_OUTCOUNT}).")" - if defined $self->{_OUTRAWCOUNT} and $self->{_OUTCOUNT} > 0 and $self->{_OUTCOUNT} != $self->{_OUTRAWCOUNT}; - $self->log($msg); - } + $self->stats() unless $self->{quiet}; } @@ -1208,17 +1190,51 @@ sub push_flag_updates($$@) { # Private methods -# $self->_fingerprint_match($socket, $fingerprint) -# Croak unless the fingerprint of the peer certificate of the -# IO::Socket::SSL object doesn't match the given $fingerprint. -sub _fingerprint_match($$$) { - my ($self, $socket, $fpr) = @_; +# $self->_start_ssl($socket) +# Upgrade the $socket to IO::Socket::SSL. +sub _start_ssl($$) { + my ($self, $socket) = @_; + require 'IO/Socket/SSL.pm'; + require 'Net/SSLeay.pm'; + + my %sslargs = (SSL_create_ctx_callback => sub($) { + my $ctx = shift; + my $rv; + + # https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_options.html + $rv = Net::SSLeay::CTX_get_options($ctx) + | Net::SSLeay::OP_SINGLE_ECDH_USE() + | Net::SSLeay::OP_SINGLE_DH_USE() + | Net::SSLeay::OP_NO_SSLv2() + | Net::SSLeay::OP_NO_SSLv3() + | Net::SSLeay::OP_NO_COMPRESSION(); + Net::SSLeay::CTX_set_options($ctx, $rv); + + # https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_mode.html + $rv = Net::SSLeay::CTX_get_mode($ctx) + | Net::SSLeay::MODE_AUTO_RETRY() # don't fail SSL_read on renegociation + | Net::SSLeay::MODE_RELEASE_BUFFERS(); + Net::SSLeay::CTX_set_mode($ctx, $rv); + }); + + my $fpr = delete $self->{SSL_fingerprint}; + my $vrfy = delete $self->{SSL_verify_trusted_peer}; + $sslargs{SSL_verify_mode} = ($vrfy // 1) ? Net::SSLeay::VERIFY_PEER() : Net::SSLeay::VERIFY_NONE(); + $sslargs{$_} = $self->{$_} foreach grep /^SSL_/, keys %$self; + + IO::Socket::SSL->start_SSL($socket, %sslargs) + or $self->fail("Failed SSL handshake: $!\n$IO::Socket::SSL::SSL_ERROR"); + + # ensure we're talking to the right server + if (defined $fpr) { + my $algo = $fpr =~ /^([^\$]+)\$/ ? $1 : 'sha256'; + my $fpr2 = $socket->get_fingerprint($algo); + $fpr =~ s/.*\$//; + $fpr2 =~ s/.*\$//; + $self->fail("Fingerprint don't match! MiTM in action?") + unless uc $fpr eq uc $fpr2; + } - my $algo = $fpr =~ /^([^\$]+)\$/ ? $1 : 'sha256'; - my $fpr2 = $socket->get_fingerprint($algo); - $fpr =~ s/.*\$//; - $fpr2 =~ s/.*\$//; - $self->fail("Fingerprint don't match! MiTM in action?") unless uc $fpr eq uc $fpr2; } @@ -1242,21 +1258,12 @@ sub _getline($;$) { # (read at most 2^14 bytes, the maximum length of an SSL # frame, to ensure to guaranty that there is no pending data) my $n = $stdout->sysread(my $buf,16384,0); - unless (defined $n) { - next unless $! == EWOULDBLOCK and - (ref $stdout ne 'IO::Socket::SSL' or - # sysread might fail if must finish a SSL handshake first - ($IO::Socket::SSL::SSL_ERROR == Net::SSLeay::ERROR_WANT_READ() or - $IO::Socket::SSL::SSL_ERROR == Net::SSLeay::ERROR_WANT_WRITE())); - $self->panic("Can't read: $!") - } + $self->panic("Can't read: $!") unless defined $n; $self->fail("0 bytes read (got EOF)") unless $n > 0; # EOF $self->{_OUTRAWCOUNT} += $n; if (defined (my $i = $self->{_Z_INFLATE})) { - my ($out, $status) = $i->inflate($buf); - $self->panic("Inflation failed: ", $i->msg()) unless $status == Z_OK; - $buf = $out; + $buf = $i->inflate($buf) // $self->panic("Inflation failed: ", $i->msg()); } $self->{_OUTBUF} = $buf; } @@ -1345,9 +1352,7 @@ sub _write($@) { sub _z_flush($;$) { my ($self,$t) = @_; my $d = $self->{_Z_DEFLATE} // return; - my ($out, $status) = $d->flush($t); - $self->panic("Can't flush deflation stream: ", $d->msg()) unless $status == Z_OK; - $self->_write($out); + $self->_write( $d->flush($t) // $self->panic("Can't flush deflation stream: ", $d->msg()) ); } @@ -1378,9 +1383,8 @@ sub _send_cmd($) { $line = substr($command, $offset, $idx-1-$offset); $litlen = $litplus ? ($line =~ s/\{([0-9]+)\}\z/{$1+}/ ? $1 : $self->panic()) : ($line =~ /\{([0-9]+)\}\z/ ? $1 : $self->panic()); - $z_flush2 = ($litlen > 4096 and # large literal - (uc ($self->{'use-binary'} // 'YES') eq 'NO' - or $line =~ /~\{[0-9]+\}\z/) # literal8, RFC 3516 BINARY + $z_flush2 = ($litlen > 4096 and # large literal + ($self->{'use-binary'} // 1 or $line =~ /~\{[0-9]+\}\z/) # literal8, RFC 3516 BINARY ) ? 1 : 0; } $self->logger('C: ', ($offset == 0 ? "$tag " : '[...]'), $line) if $self->{debug}; @@ -1393,11 +1397,7 @@ sub _send_cmd($) { else { for (my $i = 0; $i <= $#data; $i++) { $self->_z_flush(Z_FULL_FLUSH) if $i == 0 and $z_flush; - - my ($out, $status) = $d->deflate($data[$i]); - $self->panic("Deflation failed: ", $d->msg()) unless $status == Z_OK; - $self->_write($out); - + $self->_write( $d->deflate($data[$i]) // $self->panic("Deflation failed: ", $d->msg()) ); $self->_z_flush(Z_FULL_FLUSH) if $i == 0 and $z_flush; } } @@ -1555,6 +1555,21 @@ sub _select_or_examine($$$;$$) { } +sub _kibi($) { + my $n = shift; + if ($n < 1024) { + $n; + } elsif ($n < 1048576) { + sprintf '%.2fK', $n / 1024.; + } elsif ($n < 1073741824) { + sprintf '%.2fM', $n / 1048576.; + } else { + sprintf '%.2fG', $n / 1073741824.; + } + +} + + ############################################################################# # Parsing methods |