net-imap 0.3.9 → 0.4.0

data/lib/net/imap/sasl/oauthbearer_authenticator.rb

@@ -0,0 +1,164 @@
+# frozen_string_literal: true
+
+require_relative "gs2_header"
+
+module Net
+  class IMAP < Protocol
+    module SASL
+
+      # Abstract base class for the SASL mechanisms defined in
+      # RFC7628[https://tools.ietf.org/html/rfc7628]:
+      # * OAUTHBEARER[rdoc-ref:OAuthBearerAuthenticator]
+      #   (OAuthBearerAuthenticator)
+      # * OAUTH10A
+      class OAuthAuthenticator
+        include GS2Header
+
+        # Authorization identity: an identity to act as or on behalf of.
+        #
+        # If no explicit authorization identity is provided, it is usually
+        # derived from the authentication identity.  For the OAuth-based
+        # mechanisms, the authentication identity is the identity established by
+        # the OAuth credential.
+        attr_reader :authzid
+
+        # Hostname to which the client connected.
+        attr_reader :host
+
+        # Service port to which the client connected.
+        attr_reader :port
+
+        # HTTP method.  (optional)
+        attr_reader :mthd
+
+        # HTTP path data.  (optional)
+        attr_reader :path
+
+        # HTTP post data.  (optional)
+        attr_reader :post
+
+        # The query string.  (optional)
+        attr_reader :qs
+
+        # Stores the most recent server "challenge".  When authentication fails,
+        # this may hold information about the failure reason, as JSON.
+        attr_reader :last_server_response
+
+        # Creates an RFC7628[https://tools.ietf.org/html/rfc7628] OAuth
+        # authenticator.
+        #
+        # === Options
+        #
+        # See child classes for required configuration parameter(s).  The
+        # following parameters are all optional, but protocols or servers may
+        # add requirements for #authzid, #host, #port, or any other parameter.
+        #
+        # * #authzid ― Identity to act as or on behalf of.
+        # * #host — Hostname to which the client connected.
+        # * #port — Service port to which the client connected.
+        # * #mthd — HTTP method
+        # * #path — HTTP path data
+        # * #post — HTTP post data
+        # * #qs   — HTTP query string
+        #
+        def initialize(authzid: nil, host: nil, port: nil,
+                       mthd: nil, path: nil, post: nil, qs: nil, **)
+          @authzid = authzid
+          @host    = host
+          @port    = port
+          @mthd    = mthd
+          @path    = path
+          @post    = post
+          @qs      = qs
+          @done    = false
+        end
+
+        # The {RFC7628 §3.1}[https://www.rfc-editor.org/rfc/rfc7628#section-3.1]
+        # formatted response.
+        def initial_client_response
+          kv_pairs = {
+            host: host, port: port, mthd: mthd, path: path, post: post, qs: qs,
+            auth: authorization, # authorization is implemented by subclasses
+          }.compact
+          [gs2_header, *kv_pairs.map {|kv| kv.join("=") }, "\1"].join("\1")
+        end
+
+        # Returns initial_client_response the first time, then "<tt>^A</tt>".
+        def process(data)
+          @last_server_response = data
+          done? ? "\1" : initial_client_response
+        ensure
+          @done = true
+        end
+
+        # Returns true when the initial client response was sent.
+        #
+        # The authentication should not succeed unless this returns true, but it
+        # does *not* indicate success.
+        def done?; @done end
+
+        # Value of the HTTP Authorization header
+        #
+        # <b>Implemented by subclasses.</b>
+        def authorization; raise "must be implemented by subclass" end
+
+      end
+
+      # Authenticator for the "+OAUTHBEARER+" SASL mechanism, specified in
+      # RFC7628[https://tools.ietf.org/html/rfc7628].  Authenticates using OAuth
+      # 2.0 bearer tokens, as described in
+      # RFC6750[https://tools.ietf.org/html/rfc6750].  Use via
+      # Net::IMAP#authenticate.
+      #
+      # RFC6750[https://tools.ietf.org/html/rfc6750] requires Transport Layer
+      # Security (TLS) to secure the protocol interaction between the client and
+      # the resource server.  TLS _MUST_ be used for +OAUTHBEARER+ to protect
+      # the bearer token.
+      class OAuthBearerAuthenticator < OAuthAuthenticator
+
+        # An OAuth2 bearer token, generally the access token.
+        attr_reader :oauth2_token
+
+        # :call-seq:
+        #   new(oauth2_token,  **options) -> authenticator
+        #   new(oauth2_token:, **options) -> authenticator
+        #
+        # Creates an Authenticator for the "+OAUTHBEARER+" SASL mechanism.
+        #
+        # Called by Net::IMAP#authenticate and similar methods on other clients.
+        #
+        # === Options
+        #
+        # Only +oauth2_token+ is required by the mechanism, however protocols
+        # and servers may add requirements for #authzid, #host, #port, or any
+        # other parameter.
+        #
+        # * #oauth2_token — An OAuth2 bearer token or access token. *Required.*
+        #   May be provided as either regular or keyword argument.
+        # * #authzid ― Identity to act as or on behalf of.
+        # * #host — Hostname to which the client connected.
+        # * #port — Service port to which the client connected.
+        # * See OAuthAuthenticator documentation for less common parameters.
+        #
+        def initialize(oauth2_token_arg = nil, oauth2_token: nil, **args, &blk)
+          super(**args, &blk) # handles authzid, host, port, etc
+          oauth2_token && oauth2_token_arg and
+            raise ArgumentError, "conflicting values for oauth2_token"
+          @oauth2_token = oauth2_token || oauth2_token_arg or
+            raise ArgumentError, "missing oauth2_token"
+        end
+
+        # :call-seq:
+        #   initial_response? -> true
+        #
+        # +OAUTHBEARER+ sends an initial client response.
+        def initial_response?; true end
+
+        # Value of the HTTP Authorization header
+        def authorization; "Bearer #{oauth2_token}" end
+
+      end
+    end
+
+  end
+end

data/lib/net/imap/sasl/plain_authenticator.rb

@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+
+# Authenticator for the "+PLAIN+" SASL mechanism, specified in
+# RFC-4616[https://tools.ietf.org/html/rfc4616].  See Net::IMAP#authenticate.
+#
+# +PLAIN+ authentication sends the password in cleartext.
+# RFC-3501[https://tools.ietf.org/html/rfc3501] encourages servers to disable
+# cleartext authentication until after TLS has been negotiated.
+# RFC-8314[https://tools.ietf.org/html/rfc8314] recommends TLS version 1.2 or
+# greater be used for all traffic, and deprecate cleartext access ASAP.  +PLAIN+
+# can be secured by TLS encryption.
+class Net::IMAP::SASL::PlainAuthenticator
+
+  NULL = -"\0".b
+  private_constant :NULL
+
+  # Authentication identity: the identity that matches the #password.
+  #
+  # RFC-2831[https://tools.ietf.org/html/rfc2831] uses the term +username+.
+  # "Authentication identity" is the generic term used by
+  # RFC-4422[https://tools.ietf.org/html/rfc4422].
+  # RFC-4616[https://tools.ietf.org/html/rfc4616] and many later RFCs abbreviate
+  # this to +authcid+.
+  attr_reader :username
+
+  # A password or passphrase that matches the #username.
+  attr_reader :password
+
+  # Authorization identity: an identity to act as or on behalf of.  The identity
+  # form is application protocol specific.  If not provided or left blank, the
+  # server derives an authorization identity from the authentication identity.
+  # The server is responsible for verifying the client's credentials and
+  # verifying that the identity it associates with the client's authentication
+  # identity is allowed to act as (or on behalf of) the authorization identity.
+  #
+  # For example, an administrator or superuser might take on another role:
+  #
+  #     imap.authenticate "PLAIN", "root", passwd, authzid: "user"
+  #
+  attr_reader :authzid
+
+  # :call-seq:
+  #   new(username,  password,  authzid: nil, **) -> authenticator
+  #   new(username:, password:, authzid: nil, **) -> authenticator
+  #
+  # Creates an Authenticator for the "+PLAIN+" SASL mechanism.
+  #
+  # Called by Net::IMAP#authenticate and similar methods on other clients.
+  #
+  # === Parameters
+  #
+  # * #username ― Identity whose +password+ is used.
+  # * #password ― Password or passphrase associated with this username+.
+  # * #authzid ― Alternate identity to act as or on behalf of.  Optional.
+  #
+  # See attribute documentation for more details.
+  def initialize(user = nil, pass = nil,
+                 username: nil, password: nil, authzid: nil, **)
+    [username, user].compact.count == 1 or
+      raise ArgumentError, "conflicting values for username"
+    [password, pass].compact.count == 1 or
+      raise ArgumentError, "conflicting values for password"
+    username ||= user or raise ArgumentError, "missing username"
+    password ||= pass or raise ArgumentError, "missing password"
+    raise ArgumentError, "username contains NULL" if username.include?(NULL)
+    raise ArgumentError, "password contains NULL" if password.include?(NULL)
+    raise ArgumentError, "authzid contains NULL"  if authzid&.include?(NULL)
+    @username = username
+    @password = password
+    @authzid  = authzid
+    @done = false
+  end
+
+  # :call-seq:
+  #   initial_response? -> true
+  #
+  # +PLAIN+ can send an initial client response.
+  def initial_response?; true end
+
+  # Responds with the client's credentials.
+  def process(data)
+    return "#@authzid\0#@username\0#@password"
+  ensure
+    @done = true
+  end
+
+  # Returns true when the initial client response was sent.
+  #
+  # The authentication should not succeed unless this returns true, but it
+  # does *not* indicate success.
+  def done?; @done end
+
+end

data/lib/net/imap/sasl/scram_algorithm.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+module Net
+  class IMAP
+    module SASL
+
+      # For method descriptions,
+      # see {RFC5802 §2.2}[https://www.rfc-editor.org/rfc/rfc5802#section-2.2]
+      # and {RFC5802 §3}[https://www.rfc-editor.org/rfc/rfc5802#section-3].
+      module ScramAlgorithm
+        def Normalize(str) SASL.saslprep(str) end
+
+        def Hi(str, salt, iterations)
+          length = digest.digest_length
+          OpenSSL::KDF.pbkdf2_hmac(
+            str,
+            salt:       salt,
+            iterations: iterations,
+            length: length,
+            hash: digest,
+          )
+        end
+
+        def H(str) digest.digest str end
+
+        def HMAC(key, data) OpenSSL::HMAC.digest(digest, key, data) end
+
+        def XOR(str1, str2)
+          str1.unpack("C*")
+            .zip(str2.unpack("C*"))
+            .map {|a, b| a ^ b }
+            .pack("C*")
+        end
+
+        def auth_message
+          [
+            client_first_message_bare,
+            server_first_message,
+            client_final_message_without_proof,
+          ]
+            .join(",")
+        end
+
+        def salted_password
+          Hi(Normalize(password), salt, iterations)
+        end
+
+        def client_key;       HMAC(salted_password, "Client Key") end
+        def server_key;       HMAC(salted_password, "Server Key") end
+        def stored_key;       H(client_key)                       end
+        def client_signature; HMAC(stored_key, auth_message)      end
+        def server_signature; HMAC(server_key, auth_message)      end
+        def client_proof;     XOR(client_key, client_signature)   end
+      end
+
+    end
+  end
+end

data/lib/net/imap/sasl/scram_authenticator.rb

@@ -0,0 +1,278 @@
+# frozen_string_literal: true
+
+require "openssl"
+require "securerandom"
+
+require_relative "gs2_header"
+require_relative "scram_algorithm"
+
+module Net
+  class IMAP
+    module SASL
+
+      # Abstract base class for the "+SCRAM-*+" family of SASL mechanisms,
+      # defined in RFC5802[https://tools.ietf.org/html/rfc5802].  Use via
+      # Net::IMAP#authenticate.
+      #
+      # Directly supported:
+      # * +SCRAM-SHA-1+   --- ScramSHA1Authenticator
+      # * +SCRAM-SHA-256+ --- ScramSHA256Authenticator
+      #
+      # New +SCRAM-*+ mechanisms can easily be added for any hash algorithm
+      # supported by
+      # OpenSSL::Digest[https://ruby.github.io/openssl/OpenSSL/Digest.html].
+      # Subclasses need only set an appropriate +DIGEST_NAME+ constant.
+      #
+      # === SCRAM algorithm
+      #
+      # See the documentation and method definitions on ScramAlgorithm for an
+      # overview of the algorithm.  The different mechanisms differ only by
+      # which hash function that is used (or by support for channel binding with
+      # +-PLUS+).
+      #
+      # See also the methods on GS2Header.
+      #
+      # ==== Server messages
+      #
+      # As server messages are received, they are validated and loaded into
+      # the various attributes, e.g: #snonce, #salt, #iterations, #verifier,
+      # #server_error, etc.
+      #
+      # Unlike many other SASL mechanisms, the +SCRAM-*+ family supports mutual
+      # authentication and can return server error data in the server messages.
+      # If #process raises an Error for the server-final-message, then
+      # server_error may contain error details.
+      #
+      # === TLS Channel binding
+      #
+      # <em>The <tt>SCRAM-*-PLUS</tt> mechanisms and channel binding are not
+      # supported yet.</em>
+      #
+      # === Caching SCRAM secrets
+      #
+      # <em>Caching of salted_password, client_key, stored_key, and server_key
+      # is not supported yet.</em>
+      #
+      class ScramAuthenticator
+        include GS2Header
+        include ScramAlgorithm
+
+        # :call-seq:
+        #   new(username,  password,  **options) -> auth_ctx
+        #   new(username:, password:, **options) -> auth_ctx
+        #
+        # Creates an authenticator for one of the "+SCRAM-*+" SASL mechanisms.
+        # Each subclass defines #digest to match a specific mechanism.
+        #
+        # Called by Net::IMAP#authenticate and similar methods on other clients.
+        #
+        # === Parameters
+        #
+        # * #username ― Identity whose #password is used.  Aliased as #authcid.
+        # * #password ― Password or passphrase associated with this #username.
+        # * #authzid ― Alternate identity to act as or on behalf of.  Optional.
+        # * #min_iterations - Overrides the default value (4096).  Optional.
+        #
+        # See the documentation on the corresponding attributes for more.
+        def initialize(username_arg = nil, password_arg = nil,
+                       username: nil, password: nil, authcid: nil, authzid: nil,
+                       min_iterations: 4096, # see both RFC5802 and RFC7677
+                       cnonce: nil, # must only be set in tests
+                       **options)
+          @username = username || username_arg || authcid or
+            raise ArgumentError, "missing username (authcid)"
+          [username, username_arg, authcid].compact.count == 1 or
+            raise ArgumentError, "conflicting values for username (authcid)"
+          @password = password || password_arg or
+            raise ArgumentError, "missing password"
+          [password, password_arg].compact.count == 1 or
+            raise ArgumentError, "conflicting values for password"
+          @authzid = authzid
+
+          @min_iterations = Integer min_iterations
+          @min_iterations.positive? or
+            raise ArgumentError, "min_iterations must be positive"
+          @cnonce = cnonce || SecureRandom.base64(32)
+        end
+
+        # Authentication identity: the identity that matches the #password.
+        attr_reader :username
+        alias authcid username
+
+        # A password or passphrase that matches the #username.
+        attr_reader :password
+
+        # Authorization identity: an identity to act as or on behalf of.  The
+        # identity form is application protocol specific.  If not provided or
+        # left blank, the server derives an authorization identity from the
+        # authentication identity.  For example, an administrator or superuser
+        # might take on another role:
+        #
+        #     imap.authenticate "SCRAM-SHA-256", "root", passwd, authzid: "user"
+        #
+        # The server is responsible for verifying the client's credentials and
+        # verifying that the identity it associates with the client's
+        # authentication identity is allowed to act as (or on behalf of) the
+        # authorization identity.
+        attr_reader :authzid
+
+        # The minimal allowed iteration count.  Lower #iterations will raise an
+        # Error.
+        attr_reader :min_iterations
+
+        # The client nonce, generated by SecureRandom
+        attr_reader :cnonce
+
+        # The server nonce, which must start with #cnonce
+        attr_reader :snonce
+
+        # The salt used by the server for this user
+        attr_reader :salt
+
+        # The iteration count for the selected hash function and user
+        attr_reader :iterations
+
+        # An error reported by the server during the \SASL exchange.
+        #
+        # Does not include errors reported by the protocol, e.g.
+        # Net::IMAP::NoResponseError.
+        attr_reader :server_error
+
+        # Returns a new OpenSSL::Digest object, set to the appropriate hash
+        # function for the chosen mechanism.
+        #
+        # <em>The class's +DIGEST_NAME+ constant must be set to the name of an
+        # algorithm supported by OpenSSL::Digest.</em>
+        def digest; OpenSSL::Digest.new self.class::DIGEST_NAME end
+
+        # See {RFC5802 §7}[https://www.rfc-editor.org/rfc/rfc5802#section-7]
+        # +client-first-message+.
+        def initial_client_response
+          "#{gs2_header}#{client_first_message_bare}"
+        end
+
+        # responds to the server's challenges
+        def process(challenge)
+          case (@state ||= :initial_client_response)
+          when :initial_client_response
+            initial_client_response.tap { @state = :server_first_message }
+          when :server_first_message
+            recv_server_first_message challenge
+            final_message_with_proof.tap { @state = :server_final_message }
+          when :server_final_message
+            recv_server_final_message challenge
+            "".tap { @state = :done }
+          else
+            raise Error, "server sent after complete, %p" % [challenge]
+          end
+        rescue Exception => ex
+          @state = ex
+          raise
+        end
+
+        # Is the authentication exchange complete?
+        #
+        # If false, another server continuation is required.
+        def done?; @state == :done end
+
+        private
+
+        # Need to store this for auth_message
+        attr_reader :server_first_message
+
+        def format_message(hash) hash.map { _1.join("=") }.join(",") end
+
+        def recv_server_first_message(server_first_message)
+          @server_first_message = server_first_message
+          sparams = parse_challenge server_first_message
+          @snonce = sparams["r"] or
+            raise Error, "server did not send nonce"
+          @salt = sparams["s"]&.unpack1("m") or
+            raise Error, "server did not send salt"
+          @iterations = sparams["i"]&.then {|i| Integer i } or
+            raise Error, "server did not send iteration count"
+          min_iterations <= iterations or
+            raise Error, "too few iterations: %d" % [iterations]
+          mext = sparams["m"] and
+            raise Error, "mandatory extension: %p" % [mext]
+          snonce.start_with? cnonce or
+            raise Error, "invalid server nonce"
+        end
+
+        def recv_server_final_message(server_final_message)
+          sparams = parse_challenge server_final_message
+          @server_error = sparams["e"] and
+            raise Error, "server error: %s" % [server_error]
+          verifier = sparams["v"].unpack1("m") or
+            raise Error, "server did not send verifier"
+          verifier == server_signature or
+            raise Error, "server verify failed: %p != %p" % [
+              server_signature, verifier
+            ]
+        end
+
+        # See {RFC5802 §7}[https://www.rfc-editor.org/rfc/rfc5802#section-7]
+        # +client-first-message-bare+.
+        def client_first_message_bare
+          @client_first_message_bare ||=
+            format_message(n: gs2_saslname_encode(SASL.saslprep(username)),
+                           r: cnonce)
+        end
+
+        # See {RFC5802 §7}[https://www.rfc-editor.org/rfc/rfc5802#section-7]
+        # +client-final-message+.
+        def final_message_with_proof
+          proof = [client_proof].pack("m0")
+          "#{client_final_message_without_proof},p=#{proof}"
+        end
+
+        # See {RFC5802 §7}[https://www.rfc-editor.org/rfc/rfc5802#section-7]
+        # +client-final-message-without-proof+.
+        def client_final_message_without_proof
+          @client_final_message_without_proof ||=
+            format_message(c: [cbind_input].pack("m0"), # channel-binding
+                           r: snonce)                   # nonce
+        end
+
+        # See {RFC5802 §7}[https://www.rfc-editor.org/rfc/rfc5802#section-7]
+        # +cbind-input+.
+        #
+        # >>>
+        #   *TODO:* implement channel binding, appending +cbind-data+ here.
+        alias cbind_input gs2_header
+
+        # RFC5802 specifies "that the order of attributes in client or server
+        # messages is fixed, with the exception of extension attributes", but
+        # this parses it simply as a hash, without respect to order.  Note that
+        # repeated keys (violating the spec) will use the last value.
+        def parse_challenge(challenge)
+          challenge.split(/,/).to_h {|pair| pair.split(/=/, 2) }
+        rescue ArgumentError
+          raise Error, "unparsable challenge: %p" % [challenge]
+        end
+
+      end
+
+      # Authenticator for the "+SCRAM-SHA-1+" SASL mechanism, defined in
+      # RFC5802[https://tools.ietf.org/html/rfc5802].
+      #
+      # Uses the "SHA-1" digest algorithm from OpenSSL::Digest.
+      #
+      # See ScramAuthenticator.
+      class ScramSHA1Authenticator < ScramAuthenticator
+        DIGEST_NAME = "SHA1"
+      end
+
+      # Authenticator for the "+SCRAM-SHA-256+" SASL mechanism, defined in
+      # RFC7677[https://tools.ietf.org/html/rfc7677].
+      #
+      # Uses the "SHA-256" digest algorithm from OpenSSL::Digest.
+      #
+      # See ScramAuthenticator.
+      class ScramSHA256Authenticator < ScramAuthenticator
+        DIGEST_NAME = "SHA256"
+      end
+
+    end
+  end
+end

data/lib/net/imap/sasl/stringprep.rb

@@ -1,72 +1,12 @@
 # frozen_string_literal: true
 
-require_relative "stringprep_tables"
-
 module Net::IMAP::SASL
 
-  # Regexps and utility methods for implementing stringprep profiles.  The
-  # \StringPrep algorithm is defined by
-  # {RFC-3454}[https://www.rfc-editor.org/rfc/rfc3454.html].  Each
-  # codepoint table defined in the RFC-3454 appendices is matched by a Regexp
-  # defined in this module.
-  #--
-  # TODO: generic StringPrep mapping (not needed for SASLprep implementation)
-  #++
-  module StringPrep
-
-    # Returns a Regexp matching the given +table+ name.
-    def self.[](table)
-      TABLE_REGEXPS.fetch(table)
-    end
-
-    module_function
-
-    # Checks +string+ for any codepoint in +tables+. Raises a
-    # ProhibitedCodepoint describing the first matching table.
-    #
-    # Also checks bidirectional characters, when <tt>bidi: true</tt>, which may
-    # raise a BidiStringError.
-    #
-    # +profile+ is an optional string which will be added to any exception that
-    # is raised (it does not affect behavior).
-    def check_prohibited!(string, *tables, bidi: false, profile: nil)
-      tables = TABLE_TITLES.keys.grep(/^C/) if tables.empty?
-      tables |= %w[C.8] if bidi
-      table = tables.find {|t| TABLE_REGEXPS[t].match?(string) }
-      raise ProhibitedCodepoint.new(
-        table, string: string, profile: nil
-      ) if table
-      check_bidi!(string, profile: profile) if bidi
-    end
-
-    # Checks that +string+ obeys all of the "Bidirectional Characters"
-    # requirements in RFC-3454, §6:
-    #
-    # * The characters in \StringPrep\[\"C.8\"] MUST be prohibited
-    # * If a string contains any RandALCat character, the string MUST NOT
-    #   contain any LCat character.
-    # * If a string contains any RandALCat character, a RandALCat
-    #   character MUST be the first character of the string, and a
-    #   RandALCat character MUST be the last character of the string.
-    #
-    # This is usually combined with #check_prohibited!, so table "C.8" is only
-    # checked when <tt>c_8: true</tt>.
-    #
-    # Raises either ProhibitedCodepoint or BidiStringError unless all
-    # requirements are met.  +profile+ is an optional string which will be
-    # added to any exception that is raised (it does not affect behavior).
-    def check_bidi!(string, c_8: false, profile: nil)
-      check_prohibited!(string, "C.8", profile: profile) if c_8
-      if BIDI_FAILS_REQ2.match?(string)
-        raise BidiStringError.new(
-          BIDI_DESC_REQ2, string: string, profile: profile,
-        )
-      elsif BIDI_FAILS_REQ3.match?(string)
-        raise BidiStringError.new(
-          BIDI_DESC_REQ3, string: string, profile: profile,
-        )
-      end
-    end
+  # Alias for Net::IMAP::StringPrep::SASLprep.
+  SASLprep            = Net::IMAP::StringPrep::SASLprep
+  StringPrep          = Net::IMAP::StringPrep                      # :nodoc:
+  BidiStringError     = Net::IMAP::StringPrep::BidiStringError     # :nodoc:
+  ProhibitedCodepoint = Net::IMAP::StringPrep::ProhibitedCodepoint # :nodoc:
+  StringPrepError     = Net::IMAP::StringPrep::StringPrepError     # :nodoc:
 
-  end
 end