Merge branch '1.3'

src/drv_imap.c

@@ -1586,14 +1586,6 @@ get_cmd_result_p2( imap_store_t *ctx, imap_cmd_t *cmd, int response )
 
 /******************* imap_cancel_store *******************/
 
-
-static void
-imap_cleanup_store( imap_store_t *ctx )
-{
-	free_generic_messages( ctx->msgs );
-	free_string_list( ctx->boxes );
-}
-
 static void
 imap_cancel_store( store_t *gctx )
 {
@@ -1609,7 +1601,8 @@ imap_cancel_store( store_t *gctx )
 	free_list( ctx->ns_other );
 	free_list( ctx->ns_shared );
 	free_string_list( ctx->auth_mechs );
-	imap_cleanup_store( ctx );
+	free_generic_messages( ctx->msgs );
+	free_string_list( ctx->boxes );
 	imap_deref( ctx );
 }
 
@@ -1746,7 +1739,9 @@ imap_alloc_store( store_conf_t *conf, const char *label )
 	for (ctxp = &unowned; (ctx = (imap_store_t *)*ctxp); ctxp = &ctx->gen.next)
 		if (ctx->state != SST_BAD && ((imap_store_conf_t *)ctx->gen.conf)->server == srvc) {
 			*ctxp = ctx->gen.next;
-			imap_cleanup_store( ctx );
+			free_string_list( ctx->boxes );
+			ctx->boxes = NULL;
+			ctx->listed = 0;
 			/* One could ping the server here, but given that the idle timeout
 			 * is at least 30 minutes, this sounds pretty pointless. */
 			ctx->state = SST_HALF;
@@ -1921,7 +1916,7 @@ ensure_password( imap_server_conf_t *srvc )
 	if (cmd) {
 		FILE *fp;
 		int ret;
-		char buffer[2048];  // Hopefully more than enough room for XOAUTH2, etc. tokens
+		char buffer[8192];  // Hopefully more than enough room for XOAUTH2, etc. tokens
 
 		if (*cmd == '+') {
 			flushn();

src/drv_proxy.c

@@ -309,9 +309,11 @@ proxy_set_bad_callback( store_t *gctx, void (*cb)( void *aux ), void *aux )
 static void
 proxy_invoke_bad_callback( proxy_store_t *ctx )
 {
+	ctx->ref_count++;
 	debug( "%sCallback enter bad store\n", ctx->label );
 	ctx->bad_callback( ctx->bad_callback_aux );
-	debug( "%sCallback leave bad store\n", ctx->label ); \
+	debug( "%sCallback leave bad store\n", ctx->label );
+	proxy_store_deref( ctx );
 }
 
 //# EXCLUDE alloc_store

src/mbsync.1

@@ -379,17 +379,27 @@ if you want to trust only hand-picked certificates.
 \fBCertificateFile\fR \fIpath\fR
 File containing additional X.509 certificates used to verify server
 identities.
-These certificates are always trusted, regardless of validity.
-.br
-The certificates from this file are matched only against the received
-server certificate itself; CA certificates are \fBnot\fR supported here.
-Do \fBnot\fR specify the system's CA certificate store here; see
-\fBSystemCertificates\fR instead.
-.br
-The contents for this file may be obtained using the
-\fBmbsync-get-cert\fR tool; make sure to verify the fingerprints of the
-certificates before trusting them, or transfer them securely from the
-server's network (if it is trusted).
+It may contain two types of certificates:
+.RS
+.IP Host
+These certificates are matched only against the received server certificate
+itself.
+They are always trusted, regardless of validity.
+A typical use case would be forcing acceptance of an expired certificate.
+.br
+These certificates may be obtained using the \fBmbsync-get-cert\fR tool;
+make sure to verify their fingerprints before trusting them, or transfer
+them securely from the server's network (if it can be trusted beyond the
+server itself).
+.IP CA
+These certificates are used as trust anchors when building the certificate
+chain for the received server certificate.
+They are used to supplant or supersede the system's trust store, depending
+on the \fBSystemCertificates\fR setting;
+it is not necessary and not recommended to specify the system's trust store
+itself here.
+The trust chains are fully validated.
+.RE
 .
 .TP
 \fBClientCertificate\fR \fIpath\fR

src/socket.c

@@ -41,7 +41,7 @@
 # include <openssl/err.h>
 # include <openssl/x509v3.h>
 # if OPENSSL_VERSION_NUMBER < 0x10100000L \
-	|| (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x2070100fL)
+	|| (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070100fL)
 #  define X509_OBJECT_get0_X509(o) ((o)->data.x509)
 #  define X509_STORE_get0_objects(o) ((o)->objs)
 # endif
@@ -430,6 +430,32 @@ socket_close_internal( conn_t *sock )
 	sock->fd = -1;
 }
 
+#ifndef HAVE_IPV6
+struct addr_info {
+	struct addr_info *ai_next;
+	struct sockaddr_in ai_addr[1];
+};
+
+#define freeaddrinfo(ai) free( ai )
+
+static struct addr_info *
+init_addrinfo( struct hostent *he )
+{
+	uint naddr = 0;
+	for (char **addr = he->h_addr_list; *addr; addr++)
+		naddr++;
+	struct addr_info *caddr = nfcalloc( naddr * sizeof(struct addrinfo) );
+	struct addr_info *ret, **caddrp = &ret;
+	for (char **addr = he->h_addr_list; *addr; addr++, caddr++) {
+		caddr->ai_addr->sin_family = AF_INET;
+		memcpy( &caddr->ai_addr->sin_addr.s_addr, *addr, sizeof(struct in_addr) );
+		*caddrp = caddr;
+		caddrp = &caddr->ai_next;
+	}
+	return ret;
+}
+#endif
+
 void
 socket_connect( conn_t *sock, void (*cb)( int ok, void *aux ) )
 {
@@ -479,8 +505,6 @@ socket_connect( conn_t *sock, void (*cb)( int ok, void *aux ) )
 			return;
 		}
 		info( "\vok\n" );
-
-		sock->curr_addr = sock->addrs;
 #else
 		struct hostent *he;
 
@@ -493,8 +517,9 @@ socket_connect( conn_t *sock, void (*cb)( int ok, void *aux ) )
 		}
 		info( "\vok\n" );
 
-		sock->curr_addr = he->h_addr_list;
+		sock->addrs = init_addrinfo( he );
 #endif
+		sock->curr_addr = sock->addrs;
 		socket_connect_one( sock );
 	}
 }
@@ -506,16 +531,10 @@ socket_connect_one( conn_t *sock )
 #ifdef HAVE_IPV6
 	struct addrinfo *ai;
 #else
-	struct {
-		struct sockaddr_in ai_addr[1];
-	} ai[1];
+	struct addr_info *ai;
 #endif
 
-#ifdef HAVE_IPV6
 	if (!(ai = sock->curr_addr)) {
-#else
-	if (!*sock->curr_addr) {
-#endif
 		error( "No working address found for %s\n", sock->conf->host );
 		socket_connect_bail( sock );
 		return;
@@ -532,11 +551,6 @@ socket_connect_one( conn_t *sock )
 #endif
 	{
 		struct sockaddr_in *in = ((struct sockaddr_in *)ai->ai_addr);
-#ifndef HAVE_IPV6
-		memset( in, 0, sizeof(*in) );
-		in->sin_family = AF_INET;
-		in->sin_addr.s_addr = *((int *)*sock->curr_addr);
-#endif
 		in->sin_port = htons( sock->conf->port );
 		nfasprintf( &sock->name, "%s (%s:%hu)",
 		            sock->conf->host, inet_ntoa( in->sin_addr ), sock->conf->port );
@@ -579,11 +593,7 @@ socket_connect_next( conn_t *conn )
 	sys_error( "Cannot connect to %s", conn->name );
 	free( conn->name );
 	conn->name = 0;
-#ifdef HAVE_IPV6
 	conn->curr_addr = conn->curr_addr->ai_next;
-#else
-	conn->curr_addr++;
-#endif
 	socket_connect_one( conn );
 }
 
@@ -597,12 +607,10 @@ socket_connect_failed( conn_t *conn )
 static void
 socket_connected( conn_t *conn )
 {
-#ifdef HAVE_IPV6
 	if (conn->addrs) {
 		freeaddrinfo( conn->addrs );
 		conn->addrs = 0;
 	}
-#endif
 	conf_notifier( &conn->notify, 0, POLLIN );
 	socket_expect_read( conn, 0 );
 	conn->state = SCK_READY;
@@ -612,12 +620,10 @@ socket_connected( conn_t *conn )
 static void
 socket_cleanup_names( conn_t *conn )
 {
-#ifdef HAVE_IPV6
 	if (conn->addrs) {
 		freeaddrinfo( conn->addrs );
 		conn->addrs = 0;
 	}
-#endif
 	free( conn->name );
 	conn->name = 0;
 }

src/socket.h

@@ -73,7 +73,7 @@ typedef struct {
 #ifdef HAVE_IPV6
 	struct addrinfo *addrs, *curr_addr; /* needed during connect */
 #else
-	char **curr_addr; /* needed during connect */
+	struct addr_info *addrs, *curr_addr; /* needed during connect */
 #endif
 	char *name;
 #ifdef HAVE_LIBSSL