From 11cd204852f665670b5d4271eab86a3d9f5e5624 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Tue, 4 Aug 2020 02:35:05 +0200 Subject: Upgrade URLs to secure HTTP. --- lib/Net/IMAP/InterIMAP.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/Net/IMAP/InterIMAP.pm') diff --git a/lib/Net/IMAP/InterIMAP.pm b/lib/Net/IMAP/InterIMAP.pm index b01e1a9..8b69e12 100644 --- a/lib/Net/IMAP/InterIMAP.pm +++ b/lib/Net/IMAP/InterIMAP.pm @@ -13,7 +13,7 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# along with this program. If not, see . #---------------------------------------------------------------------- package Net::IMAP::InterIMAP v0.0.5; -- cgit v1.2.3 From 1630f2387c52a0ac460922eda6535165fdb279d1 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Tue, 8 Dec 2020 16:03:23 +0100 Subject: libinterimap: 'debug' forces 'null-stderr' = 0. The standard error is never sent to /dev/null in debug mode. Closes: deb#968392 --- lib/Net/IMAP/InterIMAP.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/Net/IMAP/InterIMAP.pm') diff --git a/lib/Net/IMAP/InterIMAP.pm b/lib/Net/IMAP/InterIMAP.pm index 8b69e12..bd14625 100644 --- a/lib/Net/IMAP/InterIMAP.pm +++ b/lib/Net/IMAP/InterIMAP.pm @@ -329,7 +329,7 @@ sub new($%) { open STDOUT, '>&', $s or $self->panic("Can't dup: $!"); my $stderr2; - if ($self->{'null-stderr'} // 0) { + if (($self->{'null-stderr'} // 0) and !($self->{debug} // 0)) { open $stderr2, '>&', *STDERR; open STDERR, '>', '/dev/null' or $self->panic("Can't open /dev/null: $!"); } -- cgit v1.2.3 From a1ef66a76b4a6651b7371a9fd1e35f2f99e85bfa Mon Sep 17 00:00:00 2001 
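Review bot: The changed `if` in `new` lets `debug` silently override an explicit `null-stderr`, and nothing next to the condition says so. A one-line comment above it, such as `# debug wins over null-stderr: STDERR is never sent to /dev/null in debug mode`, would record the intent where the next maintainer will look. The low-precedence `and` is correct here only because both operands are parenthesised; inside an expression `&&` is the conventional choice, i.e. `if (($self->{'null-stderr'} // 0) && !($self->{debug} // 0)) {`. The context line `open $stderr2, '>&', *STDERR;` has no `or $self->panic(...)`, unlike the opens on either side of it, which may be worth aligning while this block is touched. The body of `new` starts and ends outside the hunk.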
From: Guilhem Moulin Date: Wed, 9 Dec 2020 15:06:37 +0100 Subject: libinterimap: SSL_fingerprint now supports a space-separate list of digests to pin. And succeeds if, and only if, the peer certificate SPKI matches one of the pinned digest values. Specifying multiple digest values can be useful in key rollover scenarios and/or when the server supports certificates of different types (for instance RSA+ECDSA). --- lib/Net/IMAP/InterIMAP.pm | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) (limited to 'lib/Net/IMAP/InterIMAP.pm') diff --git a/lib/Net/IMAP/InterIMAP.pm b/lib/Net/IMAP/InterIMAP.pm index bd14625..1a71f59 100644 --- a/lib/Net/IMAP/InterIMAP.pm +++ b/lib/Net/IMAP/InterIMAP.pm @@ -63,7 +63,7 @@ my %OPTIONS = ( 'null-stderr' => qr/\A(YES|NO)\z/i, compress => qr/\A(YES|NO)\z/i, SSL_protocols => qr/\A(!?$RE_SSL_PROTO(?: !?$RE_SSL_PROTO)*)\z/, - SSL_fingerprint => qr/\A((?:[A-Za-z0-9]+\$)?\p{AHex}+)\z/, + SSL_fingerprint => qr/\A((?:[A-Za-z0-9]+\$)?\p{AHex}+(?: (?:[A-Za-z0-9]+\$)?\p{AHex}+)*)\z/, SSL_cipherlist => qr/\A(\P{Control}+)\z/, SSL_verify => qr/\A(YES|NO)\z/i, SSL_CApath => qr/\A(\P{Control}+)\z/, 
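Review bot: The widened `SSL_fingerprint` pattern spells out the single-pin sub-pattern `(?:[A-Za-z0-9]+\$)?\p{AHex}+` twice, so any later change to what one pin may look like has to be made in both copies. The neighbouring `SSL_protocols` entry already avoids this with `$RE_SSL_PROTO`. A named fragment, e.g. `my $RE_SSL_FPR = qr/(?:[A-Za-z0-9]+\$)?\p{AHex}+/;` (the name is only a suggestion) used as `qr/\A($RE_SSL_FPR(?: $RE_SSL_FPR)*)\z/`, would keep the two in step. The pattern also accepts hex runs of any length, so a truncated or odd-length pin passes option validation and presumably only surfaces later as a fingerprint mismatch; a short comment saying that digest length is not checked here would help whoever has to debug that. The `%OPTIONS` hash continues outside the hunk.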
@@ -1624,15 +1624,22 @@ sub _ssl_verify($$$) { .$algo.'$'.unpack('H*', Net::SSLeay::X509_digest($cert, $type))); } - if (defined (my $fpr = $self->{SSL_fingerprint})) { - (my $algo, $fpr) = $fpr =~ /^([^\$]+)\$(.*)/ ? ($1, $2) : ('sha256', $fpr); - my $digest = pack 'H*', ($fpr =~ tr/://rd); + if (defined (my $fprs = $self->{SSL_fingerprint})) { + my $rv = 0; + foreach my $fpr (split /\s+/, $fprs) { + (my $algo, $fpr) = $fpr =~ /^([^\$]+)\$(.*)/ ? ($1, $2) : ('sha256', $fpr); + my $digest = pack 'H*', ($fpr =~ tr/://rd); - my $type = Net::SSLeay::EVP_get_digestbyname($algo) - or $self->_ssl_error("Can't find MD value for name '$algo'"); + my $type = Net::SSLeay::EVP_get_digestbyname($algo) + or $self->_ssl_error("Can't find MD value for name '$algo'"); - my $pkey = Net::SSLeay::X509_get_X509_PUBKEY($cert); - unless (defined $pkey and Net::SSLeay::EVP_Digest($pkey, $type) eq $digest) { + my $pkey = Net::SSLeay::X509_get_X509_PUBKEY($cert); + if (defined $pkey and Net::SSLeay::EVP_Digest($pkey, $type) eq $digest) { + $rv = 1; + last; + } + } + unless ($rv) { $self->warn("Fingerprint doesn't match! MiTM in action?"); $ok = 0; } -- cgit v1.2.3
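Review bot: Inside the new `foreach`, `my $pkey = Net::SSLeay::X509_get_X509_PUBKEY($cert);` does not depend on the pin being tried, yet it is fetched again for every entry. Hoisting it above the loop also turns an undefined public key into one explicit rejection path instead of a silent non-match per pin. Separately, `_ssl_error("Can't find MD value for name '$algo'")` is now reached once per entry. Its body is not shown, but if it aborts, a single mistyped digest name rejects the connection even when another pin in the list would have matched. That is fail-closed and probably intended, so a comment such as `# an unknown digest name aborts verification even if another pin would match` would make it deliberate rather than incidental. An empty list leaves `$rv` at 0 and is rejected, which is the safe default and worth keeping if the loop is restructured. `_ssl_verify` starts and ends outside the hunk.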