diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000000000000000000000000000000000000..f087b429e2f81a9f37b28a8308e2210f84df6c9b
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+*.tar.gz filter=lfs diff=lfs merge=lfs -text
diff --git a/.lfsconfig b/.lfsconfig
new file mode 100644
index 0000000000000000000000000000000000000000..7371d7633e69af09f91183b000b09512f42046f9
--- /dev/null
+++ b/.lfsconfig
@@ -0,0 +1,2 @@
+[lfs]
+ url = https://artlfs.openeuler.openatom.cn/src-openEuler/dovecot
diff --git a/CVE-2022-30550_1.patch b/CVE-2022-30550_1.patch
deleted file mode 100644
index 04641c526e9b9899f9ac05135fc93414b4db78e3..0000000000000000000000000000000000000000
--- a/CVE-2022-30550_1.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From a1022072e2ce36f853873d910287f466165b184b Mon Sep 17 00:00:00 2001
-From: Timo Sirainen
-Date: Mon, 16 May 2022 14:58:45 +0200
-Subject: [PATCH] auth: Add a comment about updating userdb_find()
-
----
- src/auth/userdb.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/auth/userdb.c b/src/auth/userdb.c
-index 0849659102..830bc2dd64 100644
---- a/src/auth/userdb.c
-+++ b/src/auth/userdb.c
-@@ -158,7 +158,8 @@ userdb_preinit(pool_t pool, const struct auth_userdb_settings *set)
- userdb->id = ++auth_userdb_id;
- userdb->iface = iface;
- userdb->args = p_strdup(pool, set->args);
--
-+ /* NOTE: if anything else than driver & args are added here,
-+ userdb_find() also needs to be updated. */
- array_push_back(&userdb_modules, &userdb);
- return userdb;
- }
diff --git a/CVE-2022-30550_2.patch b/CVE-2022-30550_2.patch
deleted file mode 100644
index c980dde08b41cc6f383336b99bdc439337d2cc0c..0000000000000000000000000000000000000000
--- a/CVE-2022-30550_2.patch
+++ /dev/null
@@ -1,131 +0,0 @@
-From 7bad6a24160e34bce8f10e73dbbf9e5fbbcd1904 Mon Sep 17 00:00:00 2001
-From: Timo Sirainen
-Date: Mon, 9 May 2022 15:23:33 +0300
-Subject: [PATCH] auth: Fix handling passdbs with identical driver/args but
- different mechanisms/username_filter
-
-The passdb was wrongly deduplicated in this situation, causing wrong
-mechanisms or username_filter setting to be used. This would be a rather
-unlikely configuration though.
-
-Fixed by moving mechanisms and username_filter from struct passdb_module
-to struct auth_passdb, which is where they should have been in the first
-place.
----
- src/auth/auth-request.c | 6 +++---
- src/auth/auth.c | 18 ++++++++++++++++++
- src/auth/auth.h | 5 +++++
- src/auth/passdb.c | 15 ++-------------
- src/auth/passdb.h | 4 ----
- 5 files changed, 28 insertions(+), 20 deletions(-)
-
-diff --git a/src/auth/auth-request.c b/src/auth/auth-request.c
-index cd08b1fa02..0ca29f3674 100644
---- a/src/auth/auth-request.c
-+++ b/src/auth/auth-request.c
-@@ -534,8 +534,8 @@ auth_request_want_skip_passdb(struct auth_request *request,
- struct auth_passdb *passdb)
- {
- /* if mechanism is not supported, skip */
-- const char *const *mechs = passdb->passdb->mechanisms;
-- const char *const *username_filter = passdb->passdb->username_filter;
-+ const char *const *mechs = passdb->mechanisms;
-+ const char *const *username_filter = passdb->username_filter;
- const char *username;
-
- username = request->fields.user;
-@@ -548,7 +548,7 @@ auth_request_want_skip_passdb(struct auth_request *request,
- return TRUE;
- }
-
-- if (passdb->passdb->username_filter != NULL &&
-+ if (passdb->username_filter != NULL &&
- !auth_request_username_accepted(username_filter, username)) {
- auth_request_log_debug(request,
- request->mech != NULL ?
AUTH_SUBSYS_MECH
-diff --git a/src/auth/auth.c b/src/auth/auth.c
-index f2f3fda20c..9f6c4ba60c 100644
---- a/src/auth/auth.c
-+++ b/src/auth/auth.c
-@@ -99,6 +99,24 @@ auth_passdb_preinit(struct auth *auth, const struct auth_passdb_settings *set,
- auth_passdb->override_fields_tmpl =
- passdb_template_build(auth->pool, set->override_fields);
-
-+ if (*set->mechanisms == '\0') {
-+ auth_passdb->mechanisms = NULL;
-+ } else if (strcasecmp(set->mechanisms, "none") == 0) {
-+ auth_passdb->mechanisms = (const char *const[]){ NULL };
-+ } else {
-+ auth_passdb->mechanisms =
-+ (const char *const *)p_strsplit_spaces(auth->pool,
-+ set->mechanisms, " ,");
-+ }
-+
-+ if (*set->username_filter == '\0') {
-+ auth_passdb->username_filter = NULL;
-+ } else {
-+ auth_passdb->username_filter =
-+ (const char *const *)p_strsplit_spaces(auth->pool,
-+ set->username_filter, " ,");
-+ }
-+
- /* for backwards compatibility: */
- if (set->pass)
- auth_passdb->result_success = AUTH_DB_RULE_CONTINUE;
-diff --git a/src/auth/auth.h b/src/auth/auth.h
-index f700e29d5c..460a179765 100644
---- a/src/auth/auth.h
-+++ b/src/auth/auth.h
-@@ -41,6 +41,11 @@ struct auth_passdb {
- struct passdb_template *default_fields_tmpl;
- struct passdb_template *override_fields_tmpl;
-
-+ /* Supported authentication mechanisms, NULL is all, {NULL} is none */
-+ const char *const *mechanisms;
-+ /* Username filter, NULL is no filter */
-+ const char *const *username_filter;
-+
- enum auth_passdb_skip skip;
- enum auth_db_rule result_success;
- enum auth_db_rule result_failure;
-diff --git a/src/auth/passdb.c b/src/auth/passdb.c
-index eb4ac8ae82..f5eed1af4f 100644
---- a/src/auth/passdb.c
-+++ b/src/auth/passdb.c
-@@ -224,19 +224,8 @@ passdb_preinit(pool_t pool, const struct auth_passdb_settings *set)
- passdb->id = ++auth_passdb_id;
- passdb->iface = *iface;
- passdb->args = p_strdup(pool, set->args);
-- if (*set->mechanisms == '\0') {
-- passdb->mechanisms = NULL;
-- } else if (strcasecmp(set->mechanisms,
"none") == 0) { -- passdb->mechanisms = (const char *const[]){NULL}; -- } else { -- passdb->mechanisms = (const char* const*)p_strsplit_spaces(pool, set->mechanisms, " ,"); -- } -- -- if (*set->username_filter == '\0') { -- passdb->username_filter = NULL; -- } else { -- passdb->username_filter = (const char* const*)p_strsplit_spaces(pool, set->username_filter, " ,"); -- } -+ /* NOTE: if anything else than driver & args are added here, -+ passdb_find() also needs to be updated. */ - array_push_back(&passdb_modules, &passdb); - return passdb; - } -diff --git a/src/auth/passdb.h b/src/auth/passdb.h -index 2e95328e5c..e466a9fdb6 100644 ---- a/src/auth/passdb.h -+++ b/src/auth/passdb.h -@@ -63,10 +63,6 @@ struct passdb_module { - /* Default password scheme for this module. - If default_cache_key is set, must not be NULL. */ - const char *default_pass_scheme; -- /* Supported authentication mechanisms, NULL is all, [NULL] is none*/ -- const char *const *mechanisms; -- /* Username filter, NULL is no filter */ -- const char *const *username_filter; - - /* If blocking is set to TRUE, use child processes to access - this passdb. */ diff --git a/dovecot-2.0-defaultconfig.patch b/dovecot-2.0-defaultconfig.patch index c18dd47fbc003258e9e83cf0d981c3f53412fcf8..1fcc276228344fd6219b10c8a49a225af69087c4 100644 --- a/dovecot-2.0-defaultconfig.patch +++ b/dovecot-2.0-defaultconfig.patch 
@@ -1,33 +1,88 @@ -diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf.default-settings dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf ---- dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf.default-settings 2018-02-28 15:28:57.000000000 +0100 -+++ dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf 2018-03-01 10:29:38.208368555 +0100 -@@ -322,6 +322,7 @@ protocol !indexer-worker { - # them simultaneously. - #mbox_read_locks = fcntl - #mbox_write_locks = dotlock fcntl -+mbox_write_locks = fcntl - - # Maximum time to wait for lock (all of them) before aborting. - #mbox_lock_timeout = 5 mins -diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf.default-settings dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf ---- dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf.default-settings 2018-02-28 15:28:57.000000000 +0100 -+++ dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf 2018-03-01 10:33:54.779499044 +0100 -@@ -3,7 +3,9 @@ - ## - - # SSL/TLS support: yes, no, required. --#ssl = yes -+# disable plain pop3 and imap, allowed are only pop3+TLS, pop3s, imap+TLS and imaps -+# plain imap and pop3 are still allowed for local connections -+ssl = required +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/doc/dovecot.conf.in.default-settings dovecot-2.4.1-build/dovecot-2.4.1-4/doc/dovecot.conf.in +--- dovecot-2.4.1-build/dovecot-2.4.1-4/doc/dovecot.conf.in.default-settings 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/doc/dovecot.conf.in 2025-06-03 16:50:19.632050332 +0200 +@@ -24,16 +24,13 @@ protocols { + lmtp = yes + } + +-mail_home = /srv/mail/%{user} +-mail_driver = sdbox ++mail_home = /home/%{user} ++mail_driver = maildir + mail_path = ~/mail + +-mail_uid = vmail +-mail_gid = vmail +- +-# By default first_valid_uid is 500. If your vmail user's UID is smaller, ++# By default first_valid_uid is 1000. 
If your vmail user's UID is smaller, + # you need to modify this: +-#first_valid_uid = uid-number-of-vmail-user ++first_valid_uid = 1000 - # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before - # dropping root privileges, so keep the key file unreadable by anyone but -@@ -57,6 +59,7 @@ ssl_key = &1;\ +fi' + -diff -up dovecot-2.3.15/dovecot.service.in.initbysystemd dovecot-2.3.15/dovecot.service.in ---- dovecot-2.3.15/dovecot.service.in.initbysystemd 2021-06-21 20:21:49.250680889 +0200 -+++ dovecot-2.3.15/dovecot.service.in 2021-06-21 20:22:46.935981920 +0200 +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot.service.in.initbysystemd dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot.service.in +--- dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot.service.in.initbysystemd 2025-06-02 23:32:10.685195261 +0200 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot.service.in 2025-06-02 23:34:03.123174934 +0200 
@@ -11,7 +11,8 @@ Description=Dovecot IMAP/POP3 email server Documentation=man:dovecot(1) Documentation=https://doc.dovecot.org/ --After=local-fs.target network-online.target -+After=local-fs.target network-online.target dovecot-init.service +-After=local-fs.target network-online.target remote-fs.target time-sync.target ++After=local-fs.target network-online.target remote-fs.target time-sync.target dovecot-init.service +Requires=dovecot-init.service + Wants=network-online.target [Service] - Type=@systemdservicetype@ -diff -up dovecot-2.3.15/Makefile.am.initbysystemd dovecot-2.3.15/Makefile.am ---- dovecot-2.3.15/Makefile.am.initbysystemd 2021-06-21 20:21:49.250680889 +0200 -+++ dovecot-2.3.15/Makefile.am 2021-06-21 20:24:26.676765849 +0200 -@@ -21,6 +21,7 @@ EXTRA_DIST = \ +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/Makefile.am.initbysystemd dovecot-2.4.1-build/dovecot-2.4.1-4/Makefile.am +--- dovecot-2.4.1-build/dovecot-2.4.1-4/Makefile.am.initbysystemd 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/Makefile.am 2025-06-02 23:33:22.221675050 +0200 +@@ -19,6 +19,7 @@ EXTRA_DIST = \ + update-version.sh \ run-test-valgrind.supp \ dovecot.service.in \ - dovecot.socket \ + dovecot-init.service \ - $(conf_DATA) - - noinst_DATA = dovecot-config -@@ -69,7 +70,8 @@ dovecot-config: dovecot-config.in Makefi + dovecot.socket \ + version \ + build-aux/git-abi-version-gen \ +@@ -67,7 +68,8 @@ dovecot-config: dovecot-config.in Makefi if WANT_SYSTEMD systemdsystemunit_DATA = \ dovecot.socket \ diff --git a/dovecot-2.3-pigeonhole-0.5.21.1.tar.gz b/dovecot-2.3-pigeonhole-0.5.21.1.tar.gz deleted file mode 100644 index 16608b23bca10216231bdaa4f50b74b28ebfa904..0000000000000000000000000000000000000000 Binary files a/dovecot-2.3-pigeonhole-0.5.21.1.tar.gz and /dev/null differ diff --git a/dovecot-2.3.15-fixvalcond.patch b/dovecot-2.3.15-fixvalcond.patch index 0f0488025bcd07e0eafdcd3e453a9b0b6486eee3..4ef54478168b1cd9051994ffff05634dbd9f18f2 100644 
--- a/dovecot-2.3.15-fixvalcond.patch
+++ b/dovecot-2.3.15-fixvalcond.patch
@@ -1,19 +1,19 @@ -diff -up dovecot-2.3.17/dovecot-2.3-pigeonhole-0.5.21.1/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond dovecot-2.3.17/dovecot-pigeonhole/src/lib-sieve/storage/dict/sieve-dict-script.c ---- dovecot-2.3.17/dovecot-2.3-pigeonhole-0.5.21.1/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond 2021-11-02 21:51:36.109032050 +0100 -+++ dovecot-2.3.17/dovecot-2.3-pigeonhole-0.5.21.1/src/lib-sieve/storage/dict/sieve-dict-script.c 2021-11-02 21:52:28.409344118 +0100 -@@ -114,7 +114,7 @@ static int sieve_dict_script_get_stream - (struct sieve_dict_script *)script; +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/src/lib-sieve/storage/dict/sieve-dict-script.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond 2025-06-02 23:36:21.897399891 +0200 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/src/lib-sieve/storage/dict/sieve-dict-script.c 2025-06-02 23:38:13.748569461 +0200 +@@ -102,7 +102,7 @@ sieve_dict_script_get_stream(struct siev + container_of(script, struct sieve_dict_script, script); struct sieve_dict_storage *dstorage = - (struct sieve_dict_storage *)script->storage; + container_of(storage, struct sieve_dict_storage, storage); - const char *path, *name = script->name, *data, *error; + const char *path, *name = script->name, *data, *error = NULL; int ret; dscript->data_pool = -diff -up dovecot-2.3.17/src/lib-storage/index/index-attribute.c.fixvalcond dovecot-2.3.17/src/lib-storage/index/index-attribute.c ---- dovecot-2.3.17/src/lib-storage/index/index-attribute.c.fixvalcond 2021-10-27 13:09:04.000000000 +0200 -+++ dovecot-2.3.17/src/lib-storage/index/index-attribute.c 2021-11-02 21:51:36.109032050 +0100 -@@ -248,7 +248,7 @@ int index_storage_attribute_get(struct m +diff -up 
dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-storage/index/index-attribute.c.fixvalcond dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-storage/index/index-attribute.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-storage/index/index-attribute.c.fixvalcond 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-storage/index/index-attribute.c 2025-06-02 23:36:21.897571934 +0200 +@@ -250,7 +250,7 @@ int index_storage_attribute_get(struct m struct mail_attribute_value *value_r) { struct dict *dict; diff --git a/dovecot-2.3.15-opensslv3.patch b/dovecot-2.3.15-opensslv3.patch deleted file mode 100644 index fa6c44f67204d02ca8961284af0d12063a2af7e0..0000000000000000000000000000000000000000 --- a/dovecot-2.3.15-opensslv3.patch +++ /dev/null @@ -1,34 +0,0 @@ -diff -up dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c.opensslv3 dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c ---- dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c.opensslv3 2021-06-03 18:56:52.573174433 +0200 -+++ dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c 2021-06-03 18:56:52.585174274 +0200 -@@ -73,10 +73,30 @@ - 2key algo oid1symmetric algo namesalthash algoroundsE(RSA = i2d_PrivateKey, EC=Private Point)key id - **/ - -+#if OPENSSL_VERSION_MAJOR == 3 -+static EC_KEY *EVP_PKEY_get0_EC_KEYv3(EVP_PKEY *key) -+{ -+ EC_KEY *eck = EVP_PKEY_get1_EC_KEY(key); -+ EVP_PKEY_set1_EC_KEY(key, eck); -+ EC_KEY_free(eck); -+ return eck; -+} -+ -+static EC_KEY *EVP_PKEY_get1_EC_KEYv3(EVP_PKEY *key) -+{ -+ EC_KEY *eck = EVP_PKEY_get1_EC_KEY(key); -+ EVP_PKEY_set1_EC_KEY(key, eck); -+ return eck; -+} -+ -+#define EVP_PKEY_get0_EC_KEY EVP_PKEY_get0_EC_KEYv3 -+#define EVP_PKEY_get1_EC_KEY EVP_PKEY_get1_EC_KEYv3 -+#else - #ifndef HAVE_EVP_PKEY_get0 - #define EVP_PKEY_get0_EC_KEY(x) x->pkey.ec - #define EVP_PKEY_get0_RSA(x) x->pkey.rsa - #endif -+#endif - - #ifndef HAVE_OBJ_LENGTH - #define OBJ_length(o) ((o)->length) 
diff --git a/dovecot-2.3.21.1-link-icu-uc.patch b/dovecot-2.3.21.1-link-icu-uc.patch
deleted file mode 100644
index c7d9a27ca201ea08a6e1d47d3290fe7a52eec463..0000000000000000000000000000000000000000
--- a/dovecot-2.3.21.1-link-icu-uc.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- dovecot-2.3.21.1/m4/want_icu.m4.orig 2024-10-27 21:48:06.430987100 +0800
-+++ dovecot-2.3.21.1/m4/want_icu.m4 2024-10-27 21:48:28.717847700 +0800
-@@ -1,7 +1,7 @@
- AC_DEFUN([DOVECOT_WANT_ICU], [
- if test "$want_icu" != "no"; then
- if test "$PKG_CONFIG" != "" && $PKG_CONFIG --exists icu-i18n 2>/dev/null; then
-- PKG_CHECK_MODULES(LIBICU, icu-i18n)
-+ PKG_CHECK_MODULES(LIBICU, icu-i18n icu-uc)
- have_icu=yes
- AC_DEFINE(HAVE_LIBICU,, [Define if you want ICU normalization support for FTS])
- elif test "$want_icu" = "yes"; then
diff --git a/dovecot-2.3.21.1.tar.gz b/dovecot-2.3.21.1.tar.gz
deleted file mode 100644
index bf344de1c981a19d33fe3a13a0e35421466aca5e..0000000000000000000000000000000000000000
Binary files a/dovecot-2.3.21.1.tar.gz and /dev/null differ
diff --git a/dovecot-2.4.1-4.tar.gz b/dovecot-2.4.1-4.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..47a78ec9fe901af9a99c273cffcf719c8d7ff605
--- /dev/null
+++ b/dovecot-2.4.1-4.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fb188603f419ed7aaa07794a8692098c3ec2660bb9c67d0efe24948cbb32ae00
+size 6288223
diff --git a/dovecot-2.4.1-gssapi.patch b/dovecot-2.4.1-gssapi.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9765eb91f8734ddfa13500aa5dd49598feec80fc
--- /dev/null
+++ b/dovecot-2.4.1-gssapi.patch
@@ -0,0 +1,12 @@
+diff -up dovecot-2.4.1-4/src/auth/mech-gssapi.c.gssapi dovecot-2.4.1-4/src/auth/mech-gssapi.c
+--- dovecot-2.4.1-4/src/auth/mech-gssapi.c.gssapi 2025-06-24 00:07:54.720275640 +0200
++++ dovecot-2.4.1-4/src/auth/mech-gssapi.c 2025-06-24 00:10:04.541651871 +0200
+@@ -672,7 +672,7 @@ mech_gssapi_auth_initial(struct auth_req
+
+ if (data_size == 0) {
+ /* The client should go first */
+- auth_request_handler_reply_continue(request, NULL, 0);
++ auth_request_handler_reply_continue(request, uchar_empty_ptr, 0);
+ } else {
+ mech_gssapi_auth_continue(request, data, data_size);
+ }
diff --git a/dovecot-2.4.1-nolibotp.patch b/dovecot-2.4.1-nolibotp.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6c8dad5be80b1145037b61273932fab2578bcc5e
--- /dev/null
+++ b/dovecot-2.4.1-nolibotp.patch
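Review bot: dovecot-2.4.1-gssapi.patch has no header explaining why the empty initial reply in mech_gssapi_auth_initial() changes from `NULL` to `uchar_empty_ptr`, or whether the fix exists upstream. Presumably the reply path does not accept a NULL data pointer even with length 0, but that cannot be confirmed from this hunk, and the function body continues outside it. Add a short description and an upstream commit or bug reference at the top of the patch, so the next rebase can tell whether it is still needed on an authentication path. The same applies to dovecot-2.4.1-nolibotp.patch, which also starts directly at `diff -up`.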
@@ -0,0 +1,202 @@ +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/main.c.nolibotp dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/main.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/main.c.nolibotp 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/main.c 2025-06-05 22:36:50.148155427 +0200 +@@ -20,8 +20,6 @@ + #include "password-scheme.h" + #include "passdb-cache.h" + #include "mech.h" +-#include "otp.h" +-#include "mech-otp-common.h" + #include "auth.h" + #include "auth-penalty.h" + #include "auth-token.h" +@@ -272,7 +270,6 @@ static void main_deinit(void) + + auth_policy_deinit(); + mech_register_deinit(&mech_reg); +- mech_otp_deinit(); + db_oauth2_deinit(); + mech_deinit(global_auth_settings); + settings_free(global_auth_settings); +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech.c.nolibotp dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech.c.nolibotp 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech.c 2025-06-05 22:36:50.148435422 +0200 +@@ -71,7 +71,6 @@ extern const struct mech_module mech_apo + extern const struct mech_module mech_cram_md5; + extern const struct mech_module mech_digest_md5; + extern const struct mech_module mech_external; +-extern const struct mech_module mech_otp; + extern const struct mech_module mech_scram_sha1; + extern const struct mech_module mech_scram_sha1_plus; + extern const struct mech_module mech_scram_sha256; +@@ -217,7 +216,6 @@ void mech_init(const struct auth_setting + mech_register_module(&mech_gssapi_spnego); + #endif + } +- mech_register_module(&mech_otp); + mech_register_module(&mech_scram_sha1); + mech_register_module(&mech_scram_sha1_plus); + mech_register_module(&mech_scram_sha256); +@@ -247,7 +245,6 @@ void mech_deinit(const struct auth_setti + mech_unregister_module(&mech_gssapi_spnego); + #endif + } +- mech_unregister_module(&mech_otp); + 
mech_unregister_module(&mech_scram_sha1); + mech_unregister_module(&mech_scram_sha1_plus); + mech_unregister_module(&mech_scram_sha256); +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-auth.c.nolibotp dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-auth.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-auth.c.nolibotp 2025-06-05 23:11:23.428522162 +0200 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-auth.c 2025-06-05 23:11:23.443511259 +0200 +@@ -72,7 +72,6 @@ void test_auth_init(void) + void test_auth_deinit(void) + { + auth_penalty_deinit(&auth_penalty); +- mech_otp_deinit(); + db_oauth2_deinit(); + auths_deinit(); + auth_token_deinit(); +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-mech.c.nolibotp dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-mech.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-mech.c.nolibotp 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-mech.c 2025-06-05 22:36:50.148639214 +0200 +@@ -24,7 +24,6 @@ extern const struct mech_module mech_dig + extern const struct mech_module mech_external; + extern const struct mech_module mech_login; + extern const struct mech_module mech_oauthbearer; +-extern const struct mech_module mech_otp; + extern const struct mech_module mech_plain; + extern const struct mech_module mech_scram_sha1; + extern const struct mech_module mech_scram_sha256; +@@ -60,10 +59,7 @@ request_handler_reply_mock_callback(stru + + if (request->passdb_result == PASSDB_RESULT_OK) + request->failed = FALSE; +- else if (request->mech == &mech_otp) { +- if (null_strcmp(request->fields.user, "otp_phase_2") == 0) +- request->failed = FALSE; +- } else if (request->mech == &mech_oauthbearer) { ++ else if (request->mech == &mech_oauthbearer) { + } + }; + +@@ -181,10 +177,6 @@ static void test_mechs(void) + {&mech_plain, UCHAR_LEN("\0testuser\0testpass"), "testuser", NULL, TRUE, FALSE, FALSE}, + {&mech_plain, 
UCHAR_LEN("normaluser\0masteruser\0masterpass"), "masteruser", NULL, TRUE, FALSE, FALSE}, + {&mech_plain, UCHAR_LEN("normaluser\0normaluser\0masterpass"), "normaluser", NULL, TRUE, FALSE, FALSE}, +- {&mech_otp, UCHAR_LEN("hex:5Bf0 75d9 959d 036f"), "otp_phase_2", NULL, TRUE, TRUE, FALSE}, +- {&mech_otp, UCHAR_LEN("word:BOND FOGY DRAB NE RISE MART"), "otp_phase_2", NULL, TRUE, TRUE, FALSE}, +- {&mech_otp, UCHAR_LEN("init-hex:f6bd 6b33 89b8 7203:md5 499 ke6118:23d1 b253 5ae0 2b7e"), "otp_phase_2", NULL, TRUE, TRUE, FALSE}, +- {&mech_otp, UCHAR_LEN("init-word:END KERN BALM NICK EROS WAVY:md5 499 ke1235:BABY FAIN OILY NIL TIDY DADE"), "otp_phase_2", NULL , TRUE, TRUE, FALSE}, + {&mech_oauthbearer, UCHAR_LEN("n,a=testuser,p=cHJvb2Y=,f=nonstandart\x01host=server\x01port=143\x01""auth=Bearer vF9dft4qmTc2Nvb3RlckBhbHRhdmlzdGEuY29tCg==\x01\x01"), "testuser", NULL, FALSE, TRUE, FALSE}, + {&mech_scram_sha1, UCHAR_LEN("n,,n=testuser,r=rOprNGfwEbeRWgbNEkqO"), "testuser", NULL, TRUE, FALSE, FALSE}, + {&mech_scram_sha256, UCHAR_LEN("n,,n=testuser,r=rOprNGfwEbeRWgbNEkqO"), "testuser", NULL, TRUE, FALSE, FALSE}, +@@ -199,8 +191,6 @@ static void test_mechs(void) + {&mech_external, UCHAR_LEN(""), "testuser", NULL, FALSE, TRUE, FALSE}, + {&mech_external, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_login, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE}, +- {&mech_otp, UCHAR_LEN(""), NULL, "invalid input", FALSE, FALSE, FALSE}, +- {&mech_otp, UCHAR_LEN(""), "testuser", "invalid input", FALSE, FALSE, FALSE}, + {&mech_plain, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_oauthbearer, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_xoauth2, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE}, +@@ -212,7 +202,6 @@ static void test_mechs(void) + {&mech_apop, UCHAR_LEN("1.1.1\0testuser\0tooshort"), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_apop, UCHAR_LEN("1.1.1\0testuser\0responseoflen16-"), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_apop, UCHAR_LEN("1.1.1"), 
NULL, NULL, FALSE, FALSE, FALSE}, +- {&mech_otp, UCHAR_LEN("somebody\0testuser"), "testuser", "unsupported response type", FALSE, TRUE, FALSE}, + {&mech_cram_md5, UCHAR_LEN("testuser\0response"), "testuser", NULL, FALSE, FALSE, FALSE}, + {&mech_plain, UCHAR_LEN("testuser\0"), "testuser", NULL, FALSE, FALSE, FALSE}, + +@@ -254,9 +243,7 @@ static void test_mechs(void) + {&mech_plain, UCHAR_LEN("\0fa\0il\0ing\0withthis"), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_plain, UCHAR_LEN("failingwiththis"), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_plain, UCHAR_LEN("failing\0withthis"), NULL, NULL, FALSE, FALSE, FALSE}, +- {&mech_otp, UCHAR_LEN("someb\0ody\0testuser"), NULL, "invalid input", FALSE, FALSE, FALSE}, + /* phase 2 */ +- {&mech_otp, UCHAR_LEN("someb\0ody\0testuser"), "testuser", "unsupported response type", FALSE, TRUE, FALSE}, + {&mech_scram_sha1, UCHAR_LEN("c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,p=v0X8v3Bz2T0CJGbJQyF0X+HI4Ts="), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_scram_sha1, UCHAR_LEN("iws0X8v3Bz2T0CJGbJQyF0X+HI4Ts=,,,,"), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_scram_sha1, UCHAR_LEN("n,a=masteruser,,"), NULL, NULL, FALSE, FALSE, FALSE}, +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c.nolibotp dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c.nolibotp 2025-06-05 22:36:50.142606171 +0200 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c 2025-06-05 22:36:50.148822418 +0200 +@@ -13,7 +13,6 @@ + #include "randgen.h" + #include "sha1.h" + #include "sha2.h" +-#include "otp.h" + #include "str.h" + #include "password-scheme.h" + #include "password-scheme-private.h" +@@ -701,33 +700,6 @@ plain_md5_generate(const char *plaintext + *size_r = MD5_RESULTLEN; + } + +-static int otp_verify(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED, +- const unsigned char *raw_password, size_t 
size, +- const char **error_r) +-{ +- const char *password, *generated; +- +- password = t_strndup(raw_password, size); +- if (password_generate_otp(plaintext, password, UINT_MAX, &generated) < 0) { +- *error_r = "Invalid OTP data in passdb"; +- return -1; +- } +- +- return strcasecmp(password, generated) == 0 ? 1 : 0; +-} +- +-static void +-otp_generate(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED, +- const unsigned char **raw_password_r, size_t *size_r) +-{ +- const char *password; +- +- if (password_generate_otp(plaintext, NULL, OTP_HASH_SHA1, &password) < 0) +- i_unreached(); +- *raw_password_r = (const unsigned char *)password; +- *size_r = strlen(password); +-} +- + static const struct password_scheme builtin_schemes[] = { + { + .name = "MD5", +@@ -891,13 +863,6 @@ static const struct password_scheme buil + .password_generate = plain_md5_generate, + }, + { +- .name = "OTP", +- .default_encoding = PW_ENCODING_NONE, +- .raw_password_len = 0, +- .password_verify = otp_verify, +- .password_generate = otp_generate, +- }, +- { + .name = "PBKDF2", + .default_encoding = PW_ENCODING_NONE, + .raw_password_len = 0, +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.h.nolibotp dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.h +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.h.nolibotp 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.h 2025-06-05 22:36:50.148942954 +0200 +@@ -98,9 +98,6 @@ void password_set_encryption_rounds(unsi + /* INTERNAL: */ + const char *password_generate_salt(size_t len); + const char *password_generate_md5_crypt(const char *pw, const char *salt); +-int password_generate_otp(const char *pw, const char *state_data, +- unsigned int algo, const char **result_r) +- ATTR_NULL(2); + + int scram_scheme_parse(const struct hash_method *hmethod, const char *name, + const unsigned char *credentials, size_t 
size, +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/test-password-scheme.c.nolibotp dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/test-password-scheme.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/test-password-scheme.c.nolibotp 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/test-password-scheme.c 2025-06-05 22:36:50.149077275 +0200 +@@ -107,7 +107,6 @@ static void test_password_schemes(void) + test_password_scheme("SHA512", "{SHA512}7iaw3Ur350mqGo7jwQrpkj9hiYB3Lkc/iBml1JQODbJ6wYX4oOHV+E+IvIh/1nsUNzLDBMxfqa2Ob1f1ACio/w==", "test"); + test_password_scheme("SSHA", "{SSHA}H/zrDv8FXUu1JmwvVYijfrYEF34jVZcO", "test"); + test_password_scheme("MD5-CRYPT", "{MD5-CRYPT}$1$GgvxyNz8$OjZhLh4P.gF1lxYEbLZ3e/", "test"); +- test_password_scheme("OTP", "{OTP}sha1 1024 ae6b49aa481f7233 f69fc7f98b8fbf54", "test"); + test_password_scheme("PBKDF2", "{PBKDF2}$1$bUnT4Pl7yFtYX0KU$5000$50a83cafdc517b9f46519415e53c6a858908680a", "test"); + test_password_scheme("CRAM-MD5", "{CRAM-MD5}e02d374fde0dc75a17a557039a3a5338c7743304777dccd376f332bee68d2cf6", "test"); + test_password_scheme("DIGEST-MD5", "{DIGEST-MD5}77c1a8c437c9b08ba2f460fe5d58db5d", "test"); diff --git a/dovecot-2.3.6-opensslhmac.patch b/dovecot-2.4.1-opensslhmac3.patch similarity index 58% rename from dovecot-2.3.6-opensslhmac.patch rename to dovecot-2.4.1-opensslhmac3.patch index 53f33216bdde20d8944f8d39b3c6553e8bde5ae8..d5e8a92467225b560735d30683d341ab58e9159f 100644 --- a/dovecot-2.3.6-opensslhmac.patch +++ b/dovecot-2.4.1-opensslhmac3.patch 
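Review bot: Dropping the `.name = "OTP"` entry from `builtin_schemes` in src/lib-auth/password-scheme.c and the `mech_register_module(&mech_otp)` call in src/auth/mech.c changes behaviour for existing installs, and nothing in dovecot-2.4.1-nolibotp.patch says so. Stored `{OTP}` credentials will presumably no longer verify, and a configuration that still lists the `otp` mechanism will presumably be rejected or ignored. The patch should carry a header stating why OTP is removed, and the package changelog should tell admins to check their passdb contents and mechanism settings before upgrading. No Makefile.am hunk is visible in this patch, so it is worth confirming that mech-otp.c and lib-otp are already absent from the repacked tarball; otherwise the build would still reference the removed `password_generate_otp()` prototype.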
@@ -1,7 +1,7 @@ -diff -up dovecot-2.3.18/src/auth/auth-token.c.opensslhmac dovecot-2.3.18/src/auth/auth-token.c ---- dovecot-2.3.18/src/auth/auth-token.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 -+++ dovecot-2.3.18/src/auth/auth-token.c 2022-02-09 09:27:15.887883359 +0100 -@@ -161,17 +161,17 @@ void auth_token_deinit(void) +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/auth-token.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/auth-token.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/auth-token.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/auth-token.c 2025-07-30 11:45:19.801515296 +0200 +@@ -162,17 +162,17 @@ void auth_token_deinit(void) const char *auth_token_get(const char *service, const char *session_pid, const char *username, const char *session_id) { 
@@ -26,19 +26,30 @@ diff -up dovecot-2.3.18/src/auth/auth-token.c.opensslhmac dovecot-2.3.18/src/aut return binary_to_hex(result, sizeof(result)); } -diff -up dovecot-2.3.18/src/auth/mech-cram-md5.c.opensslhmac dovecot-2.3.18/src/auth/mech-cram-md5.c ---- dovecot-2.3.18/src/auth/mech-cram-md5.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 -+++ dovecot-2.3.18/src/auth/mech-cram-md5.c 2022-02-09 09:27:15.887883359 +0100 -@@ -51,7 +51,7 @@ static bool verify_credentials(struct cr +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/Makefile.am.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/Makefile.am +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/Makefile.am.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/Makefile.am 2025-07-30 11:45:19.803705887 +0200 +@@ -66,6 +66,7 @@ auth_LDFLAGS = -export-dynamic + auth_libs = \ + ../lib-auth/libauth-crypt.la \ + $(AUTH_LUA_LIBS) \ ++ $(SSL_LIBS) \ + $(LIBDOVECOT_SQL) + + auth_CPPFLAGS = $(AM_CPPFLAGS) $(BINARY_CFLAGS) +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech-cram-md5.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech-cram-md5.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech-cram-md5.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech-cram-md5.c 2025-07-30 11:45:19.801656370 +0200 +@@ -50,7 +50,7 @@ static bool verify_credentials(struct cr + const unsigned char *credentials, size_t size) { - unsigned char digest[MD5_RESULTLEN]; - struct hmac_context ctx; + struct orig_hmac_context ctx; const char *response_hex; if (size != CRAM_MD5_CONTEXTLEN) { -@@ -60,10 +60,10 @@ static bool verify_credentials(struct cr +@@ -59,10 +59,10 @@ static bool verify_credentials(struct cr return FALSE; } 
@@ -52,82 +63,119 @@ diff -up dovecot-2.3.18/src/auth/mech-cram-md5.c.opensslhmac dovecot-2.3.18/src/ response_hex = binary_to_hex(digest, sizeof(digest)); -diff -up dovecot-2.3.18/src/auth/mech-scram.c.opensslhmac dovecot-2.3.18/src/auth/mech-scram.c ---- dovecot-2.3.18/src/auth/mech-scram.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 -+++ dovecot-2.3.18/src/auth/mech-scram.c 2022-02-09 09:31:50.927146858 +0100 -@@ -93,7 +93,7 @@ get_scram_server_first(struct scram_auth - static const char *get_scram_server_final(struct scram_auth_request *request) - { - const struct hash_method *hmethod = request->hash_method; +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap/Makefile.am.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap/Makefile.am +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap/Makefile.am.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap/Makefile.am 2025-07-30 11:45:19.803805844 +0200 +@@ -21,11 +21,13 @@ AM_CPPFLAGS = \ + $(BINARY_CFLAGS) + + imap_LDFLAGS = -export-dynamic \ ++ $(SSL_LIBS) \ + $(BINARY_LDFLAGS) + + imap_LDADD = \ + ../lib-imap-urlauth/libimap-urlauth.la \ + ../lib-compression/libcompression.la \ ++ $(SSL_LIBS) \ + $(LIBDOVECOT_STORAGE) \ + $(LIBDOVECOT) + imap_DEPENDENCIES = \ +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap-urlauth/Makefile.am.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap-urlauth/Makefile.am +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap-urlauth/Makefile.am.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap-urlauth/Makefile.am 2025-07-30 11:45:19.803904279 +0200 +@@ -22,6 +22,7 @@ imap_urlauth_CPPFLAGS = \ + imap_urlauth_LDFLAGS = -export-dynamic + + imap_urlauth_LDADD = $(LIBDOVECOT) \ ++ $(SSL_LIBS) + $(BINARY_LDFLAGS) + + imap_urlauth_DEPENDENCIES = $(LIBDOVECOT_DEPS) +@@ -52,7 +53,7 @@ imap_urlauth_worker_LDFLAGS = -export-dy + urlauth_libs = \ + 
$(top_builddir)/src/lib-imap-urlauth/libimap-urlauth.la + +-imap_urlauth_worker_LDADD = $(urlauth_libs) $(LIBDOVECOT_STORAGE) $(LIBDOVECOT) ++imap_urlauth_worker_LDADD = $(urlauth_libs) $(SSL_LIBS) $(LIBDOVECOT_STORAGE) $(LIBDOVECOT) + imap_urlauth_worker_DEPENDENCIES = $(urlauth_libs) $(LIBDOVECOT_STORAGE_DEPS) $(LIBDOVECOT_DEPS) + + imap_urlauth_worker_SOURCES = \ +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-client.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-client.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-client.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-client.c 2025-07-30 11:45:19.801788468 +0200 +@@ -248,7 +248,7 @@ static string_t *auth_scram_get_client_f + unsigned char client_signature[hmethod->digest_size]; + unsigned char client_proof[hmethod->digest_size]; + unsigned char server_key[hmethod->digest_size]; - struct hmac_context ctx; + struct openssl_hmac_context ctx; - const char *auth_message; - unsigned char server_signature[hmethod->digest_size]; - string_t *str; -@@ -109,9 +109,9 @@ static const char *get_scram_server_fina - request->server_first_message, ",", - request->client_final_message_without_proof, NULL); + const void *cbind_input; + size_t cbind_input_size; + string_t *auth_message, *str; +@@ -307,9 +307,9 @@ static string_t *auth_scram_get_client_f + client->iter, salted_password); -- hmac_init(&ctx, request->server_key, hmethod->digest_size, hmethod); -- hmac_update(&ctx, auth_message, strlen(auth_message)); -- hmac_final(&ctx, server_signature); -+ openssl_hmac_init(&ctx, request->server_key, hmethod->digest_size, hmethod); -+ openssl_hmac_update(&ctx, auth_message, strlen(auth_message)); -+ openssl_hmac_final(&ctx, server_signature); - - /* RFC 5802, Section 7: + /* ClientKey := HMAC(SaltedPassword, "Client Key") */ +- hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod); 
+- hmac_update(&ctx, "Client Key", 10); +- hmac_final(&ctx, client_key); ++ openssl_hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod); ++ openssl_hmac_update(&ctx, "Client Key", 10); ++ openssl_hmac_final(&ctx, client_key); -@@ -292,7 +292,7 @@ parse_scram_client_first(struct scram_au - static bool verify_credentials(struct scram_auth_request *request) - { - const struct hash_method *hmethod = request->hash_method; -- struct hmac_context ctx; -+ struct openssl_hmac_context ctx; - const char *auth_message; - unsigned char client_key[hmethod->digest_size]; - unsigned char client_signature[hmethod->digest_size]; -@@ -310,9 +310,9 @@ static bool verify_credentials(struct sc - request->server_first_message, ",", - request->client_final_message_without_proof, NULL); + /* StoredKey := H(ClientKey) */ + hash_method_get_digest(hmethod, client_key, sizeof(client_key), +@@ -327,9 +327,9 @@ static string_t *auth_scram_get_client_f + str_append_str(auth_message, str); -- hmac_init(&ctx, request->stored_key, hmethod->digest_size, hmethod); -- hmac_update(&ctx, auth_message, strlen(auth_message)); + /* ClientSignature := HMAC(StoredKey, AuthMessage) */ +- hmac_init(&ctx, stored_key, sizeof(stored_key), hmethod); +- hmac_update(&ctx, str_data(auth_message), str_len(auth_message)); - hmac_final(&ctx, client_signature); -+ openssl_hmac_init(&ctx, request->stored_key, hmethod->digest_size, hmethod); -+ openssl_hmac_update(&ctx, auth_message, strlen(auth_message)); ++ openssl_hmac_init(&ctx, stored_key, sizeof(stored_key), hmethod); ++ openssl_hmac_update(&ctx, str_data(auth_message), str_len(auth_message)); + openssl_hmac_final(&ctx, client_signature); /* ClientProof := ClientKey XOR ClientSignature */ - const unsigned char *proof_data = request->proof->data; -diff -up dovecot-2.3.18/src/auth/password-scheme.c.opensslhmac dovecot-2.3.18/src/auth/password-scheme.c ---- dovecot-2.3.18/src/auth/password-scheme.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 -+++ 
dovecot-2.3.18/src/auth/password-scheme.c 2022-02-09 09:27:15.888883345 +0100 -@@ -639,11 +639,11 @@ static void - cram_md5_generate(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED, - const unsigned char **raw_password_r, size_t *size_r) - { -- struct hmac_context ctx; -+ struct orig_hmac_context ctx; - unsigned char *context_digest; + for (k = 0; k < hmethod->digest_size; k++) +@@ -340,16 +340,16 @@ static string_t *auth_scram_get_client_f + safe_memset(client_signature, 0, sizeof(client_signature)); - context_digest = t_malloc_no0(CRAM_MD5_CONTEXTLEN); -- hmac_init(&ctx, (const unsigned char *)plaintext, -+ orig_hmac_init(&ctx, (const unsigned char *)plaintext, - strlen(plaintext), &hash_method_md5); - hmac_md5_get_cram_context(&ctx, context_digest); + /* ServerKey := HMAC(SaltedPassword, "Server Key") */ +- hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod); +- hmac_update(&ctx, "Server Key", 10); +- hmac_final(&ctx, server_key); ++ openssl_hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod); ++ openssl_hmac_update(&ctx, "Server Key", 10); ++ openssl_hmac_final(&ctx, server_key); -diff -up dovecot-2.3.18/src/auth/password-scheme-scram.c.opensslhmac dovecot-2.3.18/src/auth/password-scheme-scram.c ---- dovecot-2.3.18/src/auth/password-scheme-scram.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 -+++ dovecot-2.3.18/src/auth/password-scheme-scram.c 2022-02-09 09:27:15.888883345 +0100 -@@ -30,23 +30,23 @@ Hi(const struct hash_method *hmethod, co - const unsigned char *salt, size_t salt_size, unsigned int i, - unsigned char *result) + /* ServerSignature := HMAC(ServerKey, AuthMessage) */ + client->server_signature = + p_malloc(client->pool, hmethod->digest_size); +- hmac_init(&ctx, server_key, sizeof(server_key), hmethod); +- hmac_update(&ctx, str_data(auth_message), str_len(auth_message)); +- hmac_final(&ctx, client->server_signature); ++ openssl_hmac_init(&ctx, server_key, sizeof(server_key), 
hmethod); ++ openssl_hmac_update(&ctx, str_data(auth_message), str_len(auth_message)); ++ openssl_hmac_final(&ctx, client->server_signature); + + safe_memset(salted_password, 0, sizeof(salted_password)); + +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram.c 2025-07-30 11:45:19.801918022 +0200 +@@ -31,7 +31,7 @@ void auth_scram_hi(const struct hash_met + const unsigned char *salt, size_t salt_size, unsigned int i, + unsigned char *result) { - struct hmac_context ctx; + struct openssl_hmac_context ctx; unsigned char U[hmethod->digest_size]; unsigned int j, k; +@@ -51,18 +51,18 @@ void auth_scram_hi(const struct hash_met + */ + /* Calculate U1 */ - hmac_init(&ctx, str, str_size, hmethod); - hmac_update(&ctx, salt, salt_size); 
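Review bot: In the `src/imap-urlauth/Makefile.am` part of this hunk the added `$(SSL_LIBS)` line has no trailing backslash, so as rendered here the following `$(BINARY_LDFLAGS)` line is no longer part of `imap_urlauth_LDADD`. Depending on how automake treats the orphaned line, this either breaks the build or links imap-urlauth without whatever options `BINARY_LDFLAGS` carries, which is worth checking if it holds hardening flags. The added line should read `$(SSL_LIBS) \`, as the `imap_LDADD` addition in the same hunk does. Separately, `imap_LDFLAGS` also gains `$(SSL_LIBS)`; libraries belong in `LDADD` only, where the hunk already adds them.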
@@ -151,17 +199,17 @@ diff -up dovecot-2.3.18/src/auth/password-scheme-scram.c.opensslhmac dovecot-2.3 for (k = 0; k < hmethod->digest_size; k++) result[k] ^= U[k]; } -@@ -102,7 +102,7 @@ int scram_verify(const struct hash_metho - const char *plaintext, const unsigned char *raw_password, - size_t size, const char **error_r) +@@ -75,7 +75,7 @@ void auth_scram_generate_key_data(const + unsigned char stored_key_r[], + unsigned char server_key_r[]) { - struct hmac_context ctx; + struct openssl_hmac_context ctx; - const char *salt_base64; - unsigned int iter_count; - const unsigned char *salt; -@@ -126,9 +126,9 @@ int scram_verify(const struct hash_metho - salt, salt_len, iter_count, salted_password); + unsigned char salt[16]; + unsigned char salted_password[hmethod->digest_size]; + unsigned char client_key[hmethod->digest_size]; +@@ -97,18 +97,18 @@ void auth_scram_generate_key_data(const + salt, sizeof(salt), rounds, salted_password); /* Calculate ClientKey */ - hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod); 
@@ -173,17 +221,96 @@ diff -up dovecot-2.3.18/src/auth/password-scheme-scram.c.opensslhmac dovecot-2.3 /* Calculate StoredKey */ hash_method_get_digest(hmethod, client_key, sizeof(client_key), -@@ -147,7 +147,7 @@ void scram_generate(const struct hash_me - const unsigned char **raw_password_r, size_t *size_r) + stored_key_r); + + /* Calculate ServerKey */ +- hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod); +- hmac_update(&ctx, "Server Key", 10); +- hmac_final(&ctx, server_key_r); ++ openssl_hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod); ++ openssl_hmac_update(&ctx, "Server Key", 10); ++ openssl_hmac_final(&ctx, server_key_r); + + safe_memset(salted_password, 0, sizeof(salted_password)); + safe_memset(client_key, 0, sizeof(client_key)); +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-server.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-server.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-server.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-server.c 2025-07-30 11:45:19.802027357 +0200 +@@ -342,7 +342,7 @@ auth_scram_server_verify_credentials(str { - string_t *str; + const struct hash_method *hmethod = server->set.hash_method; + struct auth_scram_key_data *kdata = &server->key_data; - struct hmac_context ctx; + struct openssl_hmac_context ctx; - unsigned char salt[16]; - unsigned char salted_password[hmethod->digest_size]; + const char *auth_message; unsigned char client_key[hmethod->digest_size]; -@@ -165,9 +165,9 @@ void scram_generate(const struct hash_me - sizeof(salt), SCRAM_DEFAULT_ITERATE_COUNT, salted_password); + unsigned char client_signature[hmethod->digest_size]; +@@ -363,9 +363,9 @@ auth_scram_server_verify_credentials(str + server->server_first_message, ",", + server->client_final_message_without_proof, NULL); + +- hmac_init(&ctx, kdata->stored_key, hmethod->digest_size, 
hmethod); +- hmac_update(&ctx, auth_message, strlen(auth_message)); +- hmac_final(&ctx, client_signature); ++ openssl_hmac_init(&ctx, kdata->stored_key, hmethod->digest_size, hmethod); ++ openssl_hmac_update(&ctx, auth_message, strlen(auth_message)); ++ openssl_hmac_final(&ctx, client_signature); + + /* ClientProof := ClientKey XOR ClientSignature */ + const unsigned char *proof_data = server->proof->data; +@@ -494,7 +494,7 @@ auth_scram_get_server_final(struct auth_ + { + const struct hash_method *hmethod = server->set.hash_method; + struct auth_scram_key_data *kdata = &server->key_data; +- struct hmac_context ctx; ++ struct openssl_hmac_context ctx; + const char *auth_message; + unsigned char server_signature[hmethod->digest_size]; + string_t *str; +@@ -510,9 +510,9 @@ auth_scram_get_server_final(struct auth_ + server->server_first_message, ",", + server->client_final_message_without_proof, NULL); + +- hmac_init(&ctx, kdata->server_key, hmethod->digest_size, hmethod); +- hmac_update(&ctx, auth_message, strlen(auth_message)); +- hmac_final(&ctx, server_signature); ++ openssl_hmac_init(&ctx, kdata->server_key, hmethod->digest_size, hmethod); ++ openssl_hmac_update(&ctx, auth_message, strlen(auth_message)); ++ openssl_hmac_final(&ctx, server_signature); + + /* RFC 5802, Section 7: + +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c 2025-07-30 11:45:19.802166177 +0200 +@@ -631,11 +631,11 @@ static void + cram_md5_generate(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED, + const unsigned char **raw_password_r, size_t *size_r) + { +- struct hmac_context ctx; ++ struct orig_hmac_context ctx; + unsigned char *context_digest; + + context_digest 
= t_malloc_no0(CRAM_MD5_CONTEXTLEN); +- hmac_init(&ctx, (const unsigned char *)plaintext, ++ orig_hmac_init(&ctx, (const unsigned char *)plaintext, + strlen(plaintext), &hash_method_md5); + hmac_md5_get_cram_context(&ctx, context_digest); + +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme-scram.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme-scram.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme-scram.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme-scram.c 2025-07-30 11:45:19.802285591 +0200 +@@ -69,7 +69,7 @@ int scram_verify(const struct hash_metho + const char *plaintext, const unsigned char *raw_password, + size_t size, const char **error_r) + { +- struct hmac_context ctx; ++ struct openssl_hmac_context ctx; + const char *salt_base64; + unsigned int iter_count; + const unsigned char *salt; +@@ -94,9 +94,9 @@ int scram_verify(const struct hash_metho + salt, salt_len, iter_count, salted_password); /* Calculate ClientKey */ - hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod); 
@@ -195,22 +322,9 @@ diff -up dovecot-2.3.18/src/auth/password-scheme-scram.c.opensslhmac dovecot-2.3 /* Calculate StoredKey */ hash_method_get_digest(hmethod, client_key, sizeof(client_key), -@@ -176,9 +176,9 @@ void scram_generate(const struct hash_me - base64_encode(stored_key, sizeof(stored_key), str); - - /* Calculate ServerKey */ -- hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod); -- hmac_update(&ctx, "Server Key", 10); -- hmac_final(&ctx, server_key); -+ openssl_hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod); -+ openssl_hmac_update(&ctx, "Server Key", 10); -+ openssl_hmac_final(&ctx, server_key); - str_append_c(str, ','); - base64_encode(server_key, sizeof(server_key), str); - -diff -up dovecot-2.3.18/src/lib/hmac.c.opensslhmac dovecot-2.3.18/src/lib/hmac.c ---- dovecot-2.3.18/src/lib/hmac.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 -+++ dovecot-2.3.18/src/lib/hmac.c 2022-02-09 09:27:15.888883345 +0100 +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.c 2025-07-30 11:46:43.346310291 +0200 @@ -7,6 +7,10 @@ * This software is released under the MIT license. */ @@ -222,7 +336,7 @@ diff -up dovecot-2.3.18/src/lib/hmac.c.opensslhmac dovecot-2.3.18/src/lib/hmac.c #include "lib.h" #include "hmac.h" #include "safe-memset.h" -@@ -14,10 +18,65 @@ +@@ -14,10 +18,103 @@ #include "hex-binary.h" 
@@ -239,11 +353,47 @@ diff -up dovecot-2.3.18/src/lib/hmac.c.opensslhmac dovecot-2.3.18/src/lib/hmac.c +#endif + + -+void openssl_hmac_init(struct openssl_hmac_context *_ctx, const unsigned char *key, - size_t key_len, const struct hash_method *meth) - { -- struct hmac_context_priv *ctx = &_ctx->u.priv; -+ struct openssl_hmac_context_priv *ctx = &_ctx->u.priv; ++void openssl_hmac_init(struct openssl_hmac_context *_ctx, const unsigned char *key, //DONE ++ size_t key_len, const struct hash_method *meth) ++{ ++#ifdef USE_OPENSSL3_METHODS ++ struct openssl_hmac_context_priv *ctx = &_ctx->u.priv; ++ ++ ++ const EVP_MD *md; ++ const char *ebuf = NULL; ++ const char **error_r = &ebuf; ++ OSSL_PARAM params[2]; ++ ++ md = EVP_get_digestbyname(meth->name); ++ if(md == NULL) { ++ if (error_r != NULL) { ++ *error_r = t_strdup_printf("Invalid digest %s", ++ meth->name); ++ } ++ //return FALSE; ++ } ++ ++ ctx->mac = EVP_MAC_fetch(NULL, "HMAC", NULL); ++ ++ ctx->ctx = EVP_MAC_CTX_new(ctx->mac); ++ if (ctx->ctx == NULL) { ++ EVP_MAC_free(ctx->mac); ++ } ++ ++ params[0] = OSSL_PARAM_construct_utf8_string("digest", (char *)meth->name, 0); ++ params[1] = OSSL_PARAM_construct_end(); ++ ++ if (EVP_MAC_init(ctx->ctx, key, key_len, ++ params) == 0) { ++ if (error_r != NULL) { ++ *error_r = t_strdup_printf("Invalid digest %s", ++ meth->name); ++ } ++ } ++ ++#else ++ struct openssl_hmac_context_priv *ctx = &_ctx->u.priv; + + const EVP_MD *md; + const char *ebuf = NULL; 
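Review bot: The OpenSSL 3 branch of `openssl_hmac_init()` detects failures but never acts on them: an unknown digest only fills a local `ebuf` (the `return` is commented out), `EVP_MAC_fetch()` is unchecked, a NULL from `EVP_MAC_CTX_new()` frees `ctx->mac` and then falls through to `EVP_MAC_init()`, and that call's failure is again written only to the discarded local string. Because the function is `void`, callers carry on; `openssl_hmac_final()` then frees `ctx->mac` a second time and, when `EVP_MAC_final()` fails, leaves `digest` unwritten, so the SCRAM, URLAUTH and JWT HMAC checks would presumably compare against indeterminate stack bytes. `openssl_hmac_update()` in hmac.h ignores the `EVP_MAC_update()` result in the same way. With no error return available, aborting is the fail-closed behaviour; the sketch below uses `i_fatal()` and leaves the legacy branch, which continues in the next hunk, untouched.

```c
#ifdef USE_OPENSSL3_METHODS
	struct openssl_hmac_context_priv *ctx = &_ctx->u.priv;
	OSSL_PARAM params[2];

	/* void API: abort rather than continue with an unusable MAC context */
	if (EVP_get_digestbyname(meth->name) == NULL)
		i_fatal("openssl_hmac_init: unknown digest %s", meth->name);

	ctx->mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
	if (ctx->mac == NULL)
		i_fatal("openssl_hmac_init: EVP_MAC_fetch(HMAC) failed");

	ctx->ctx = EVP_MAC_CTX_new(ctx->mac);
	if (ctx->ctx == NULL) {
		EVP_MAC_free(ctx->mac);
		ctx->mac = NULL;
		i_fatal("openssl_hmac_init: EVP_MAC_CTX_new() failed");
	}

	params[0] = OSSL_PARAM_construct_utf8_string("digest", (char *)meth->name, 0);
	params[1] = OSSL_PARAM_construct_end();

	if (EVP_MAC_init(ctx->ctx, key, key_len, params) == 0)
		i_fatal("openssl_hmac_init: EVP_MAC_init() failed for digest %s",
			meth->name);
#else
	/* … unchanged: legacy HMAC_CTX branch … */
```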
@@ -267,11 +417,13 @@ diff -up dovecot-2.3.18/src/lib/hmac.c.opensslhmac dovecot-2.3.18/src/lib/hmac.c + dcrypt_openssl_error(error_r);*/ +#endif + /*ec = */HMAC_Init_ex(ctx->ctx, key, key_len, md, NULL); ++#endif +} + -+void orig_hmac_init(struct orig_hmac_context *_ctx, const unsigned char *key, -+ size_t key_len, const struct hash_method *meth) -+{ ++void orig_hmac_init(struct orig_hmac_context *_ctx, const unsigned char *key, //DONE + size_t key_len, const struct hash_method *meth) + { +- struct hmac_context_priv *ctx = &_ctx->u.priv; + static int no_fips = -1; + if (no_fips == -1) { + int fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY); @@ -290,22 +442,29 @@ diff -up dovecot-2.3.18/src/lib/hmac.c.opensslhmac dovecot-2.3.18/src/lib/hmac.c unsigned int i; unsigned char k_ipad[meth->block_size]; unsigned char k_opad[meth->block_size]; -@@ -53,9 +112,27 @@ void hmac_init(struct hmac_context *_ctx +@@ -54,9 +151,33 @@ void hmac_init(struct hmac_context *_ctx safe_memset(k_opad, 0, meth->block_size); } -void hmac_final(struct hmac_context *_ctx, unsigned char *digest) -+void openssl_hmac_final(struct openssl_hmac_context *_ctx, unsigned char *digest) -+{ ++void openssl_hmac_final(struct openssl_hmac_context *_ctx, unsigned char *digest) //FIXME + { +- struct hmac_context_priv *ctx = &_ctx->u.priv; + int ec; -+ unsigned char buf[HMAC_MAX_MD_CBLOCK]; -+ unsigned int outl; ++ unsigned char buf[EVP_MAX_MD_SIZE]; ++ size_t outl; +// const char *ebuf = NULL; +// const char **error_r = &ebuf; + + struct openssl_hmac_context_priv *ctx = &_ctx->u.priv; ++#ifdef USE_OPENSSL3_METHODS ++ ec = EVP_MAC_final(ctx->ctx, buf, &outl, sizeof buf); ++ EVP_MAC_CTX_free(ctx->ctx); ++ EVP_MAC_free(ctx->mac); ++#else + ec = HMAC_Final(ctx->ctx, buf, &outl); + HMAC_CTX_free(ctx->ctx); ++#endif + if (ec == 1) + memcpy(digest, buf, outl); +// else 
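Review bot: In `openssl_hmac_final()` `outl` is now `size_t`, which matches `EVP_MAC_final()` but not the `#else` branch, where `HMAC_Final()` takes an `unsigned int *`. That is an incompatible pointer type, and on a 64-bit build the following `memcpy(digest, buf, outl)` would use a length whose upper bytes were never written. The branch is dead today only because hmac.h defines `USE_OPENSSL3_METHODS` unconditionally; it should still be correct, e.g. declare `unsigned int len;` there, call `ec = HMAC_Final(ctx->ctx, buf, &len);` and then set `outl = len;`. The `ec != 1` case also still returns without writing `digest` (the `else` is commented out), so a caller cannot tell a failed MAC from a computed one; `else i_fatal("openssl_hmac_final: MAC finalisation failed");` would fail closed.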
@@ -313,19 +472,18 @@ diff -up dovecot-2.3.18/src/lib/hmac.c.opensslhmac dovecot-2.3.18/src/lib/hmac.c + +} + -+void orig_hmac_final(struct orig_hmac_context *_ctx, unsigned char *digest) - { -- struct hmac_context_priv *ctx = &_ctx->u.priv; ++void orig_hmac_final(struct orig_hmac_context *_ctx, unsigned char *digest) //DONE ++{ + struct orig_hmac_context_priv *ctx = &_ctx->u.priv; ctx->hash->result(ctx->ctx, digest); -@@ -63,53 +140,50 @@ void hmac_final(struct hmac_context *_ct +@@ -64,53 +185,50 @@ void hmac_final(struct hmac_context *_ct ctx->hash->result(ctx->ctxo, digest); } -buffer_t *t_hmac_data(const struct hash_method *meth, -+buffer_t *openssl_t_hmac_data(const struct hash_method *meth, ++buffer_t *openssl_t_hmac_data(const struct hash_method *meth, //FIXME const unsigned char *key, size_t key_len, const void *data, size_t data_len) { @@ -348,7 +506,7 @@ diff -up dovecot-2.3.18/src/lib/hmac.c.opensslhmac dovecot-2.3.18/src/lib/hmac.c } -buffer_t *t_hmac_buffer(const struct hash_method *meth, -+buffer_t *openssl_t_hmac_buffer(const struct hash_method *meth, ++buffer_t *openssl_t_hmac_buffer(const struct hash_method *meth, //DONE const unsigned char *key, size_t key_len, const buffer_t *data) { @@ -357,7 +515,7 @@ diff -up dovecot-2.3.18/src/lib/hmac.c.opensslhmac dovecot-2.3.18/src/lib/hmac.c } -buffer_t *t_hmac_str(const struct hash_method *meth, -+buffer_t *openssl_t_hmac_str(const struct hash_method *meth, ++buffer_t *openssl_t_hmac_str(const struct hash_method *meth, //DONE const unsigned char *key, size_t key_len, const char *data) { @@ -366,7 +524,7 @@ diff -up dovecot-2.3.18/src/lib/hmac.c.opensslhmac dovecot-2.3.18/src/lib/hmac.c } -void hmac_hkdf(const struct hash_method *method, -+void openssl_hmac_hkdf(const struct hash_method *method, ++void openssl_hmac_hkdf(const struct hash_method *method, //FIXME const unsigned char *salt, size_t salt_len, const unsigned char *ikm, size_t ikm_len, const unsigned char *info, size_t info_len, 
@@ -388,17 +546,10 @@ diff -up dovecot-2.3.18/src/lib/hmac.c.opensslhmac dovecot-2.3.18/src/lib/hmac.c /* salt and info can be NULL */ i_assert(salt != NULL || salt_len == 0); -@@ -118,35 +192,30 @@ void hmac_hkdf(const struct hash_method - i_assert(ikm != NULL && ikm_len > 0); - i_assert(okm_r != NULL && okm_len > 0); - -- /* but they still need valid pointer, reduces -- complains from static analysers */ -- if (salt == NULL) -- salt = &uchar_nul; -- if (info == NULL) -- info = &uchar_nul; -- +@@ -126,28 +244,29 @@ void hmac_hkdf(const struct hash_method + if (info == NULL) + info = &uchar_nul; + - /* extract */ - hmac_init(&key_mac, salt, salt_len, method); - hmac_update(&key_mac, ikm, ikm_len); @@ -419,7 +570,6 @@ diff -up dovecot-2.3.18/src/lib/hmac.c.opensslhmac dovecot-2.3.18/src/lib/hmac.c - hmac_final(&info_mac, okm); - buffer_append(okm_r, okm, amt); - remain -= amt; -+ + md = EVP_get_digestbyname(method->name); + pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); + unsigned char *okm_buf = buffer_get_space_unsafe(okm_r, 0, okm_len); @@ -448,9 +598,9 @@ diff -up dovecot-2.3.18/src/lib/hmac.c.opensslhmac dovecot-2.3.18/src/lib/hmac.c - safe_memset(prk, 0, sizeof(prk)); - safe_memset(okm, 0, sizeof(okm)); } -diff -up dovecot-2.3.18/src/lib/hmac-cram-md5.c.opensslhmac dovecot-2.3.18/src/lib/hmac-cram-md5.c ---- dovecot-2.3.18/src/lib/hmac-cram-md5.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 -+++ dovecot-2.3.18/src/lib/hmac-cram-md5.c 2022-02-09 09:27:15.888883345 +0100 +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.c 2025-07-30 11:45:19.802547733 +0200 @@ -9,10 +9,10 @@ #include "md5.h" #include "hmac-cram-md5.h" 
@@ -477,9 +627,9 @@ diff -up dovecot-2.3.18/src/lib/hmac-cram-md5.c.opensslhmac dovecot-2.3.18/src/l const unsigned char *cdp; struct md5_context *ctx = (void*)hmac_ctx->ctx; -diff -up dovecot-2.3.18/src/lib/hmac-cram-md5.h.opensslhmac dovecot-2.3.18/src/lib/hmac-cram-md5.h ---- dovecot-2.3.18/src/lib/hmac-cram-md5.h.opensslhmac 2022-02-02 12:42:23.000000000 +0100 -+++ dovecot-2.3.18/src/lib/hmac-cram-md5.h 2022-02-09 09:27:15.888883345 +0100 +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.h.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.h +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.h.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.h 2025-07-30 11:45:19.802643613 +0200 @@ -5,9 +5,9 @@ #define CRAM_MD5_CONTEXTLEN 32 @@ -492,10 +642,10 @@ diff -up dovecot-2.3.18/src/lib/hmac-cram-md5.h.opensslhmac dovecot-2.3.18/src/l const unsigned char context_digest[CRAM_MD5_CONTEXTLEN]); -diff -up dovecot-2.3.18/src/lib/hmac.h.opensslhmac dovecot-2.3.18/src/lib/hmac.h ---- dovecot-2.3.18/src/lib/hmac.h.opensslhmac 2022-02-02 12:42:23.000000000 +0100 -+++ dovecot-2.3.18/src/lib/hmac.h 2022-02-09 09:27:15.888883345 +0100 -@@ -4,60 +4,97 @@ +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.h.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.h +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.h.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.h 2025-07-30 11:45:19.802751766 +0200 +@@ -4,60 +4,108 @@ #include "hash-method.h" #include "sha1.h" #include "sha2.h" 
@@ -507,15 +657,22 @@ diff -up dovecot-2.3.18/src/lib/hmac.h.opensslhmac dovecot-2.3.18/src/lib/hmac.h #define HMAC_MAX_CONTEXT_SIZE sizeof(struct sha512_ctx) -struct hmac_context_priv { ++ ++#define USE_OPENSSL3_METHODS 1 ++ +struct openssl_hmac_context_priv { ++#ifdef USE_OPENSSL3_METHODS ++ EVP_MAC *mac; ++ EVP_MAC_CTX *ctx; ++#else +#ifdef HAVE_HMAC_CTX_NEW + HMAC_CTX *ctx; +#else + HMAC_CTX ctx; +#endif ++#endif + const struct hash_method *hash; +}; -+ +struct orig_hmac_context_priv { char ctx[HMAC_MAX_CONTEXT_SIZE]; char ctxo[HMAC_MAX_CONTEXT_SIZE]; @@ -524,21 +681,21 @@ diff -up dovecot-2.3.18/src/lib/hmac.h.opensslhmac dovecot-2.3.18/src/lib/hmac.h -struct hmac_context { +struct openssl_hmac_context { -+ union { -+ struct openssl_hmac_context_priv priv; -+ uint64_t padding_requirement; -+ } u; -+}; -+ -+struct orig_hmac_context { union { - struct hmac_context_priv priv; -+ struct orig_hmac_context_priv priv; ++ struct openssl_hmac_context_priv priv; uint64_t padding_requirement; } u; }; -void hmac_init(struct hmac_context *ctx, const unsigned char *key, ++struct orig_hmac_context { ++ union { ++ struct orig_hmac_context_priv priv; ++ uint64_t padding_requirement; ++ } u; ++}; ++ +void openssl_hmac_init(struct openssl_hmac_context *ctx, const unsigned char *key, + size_t key_len, const struct hash_method *meth); +void openssl_hmac_final(struct openssl_hmac_context *ctx, unsigned char *digest); @@ -547,7 +704,11 @@ diff -up dovecot-2.3.18/src/lib/hmac.h.opensslhmac dovecot-2.3.18/src/lib/hmac.h +openssl_hmac_update(struct openssl_hmac_context *_ctx, const void *data, size_t size) +{ + struct openssl_hmac_context_priv *ctx = &_ctx->u.priv; ++#ifdef USE_OPENSSL3_METHODS ++ EVP_MAC_update(ctx->ctx, data, size); ++#else + HMAC_Update(ctx->ctx, data, size); ++#endif +/* if (ec != 1) + { + const char *ebuf = NULL; 
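Review bot: `#define USE_OPENSSL3_METHODS 1` is hard-coded in the header, so every `#else` branch guarded by it (here and in hmac.c) is never compiled and the build silently depends on OpenSSL 3 `EVP_MAC` being available. Deriving the macro from the library version keeps both paths exercised: `#if OPENSSL_VERSION_NUMBER >= 0x30000000L`, then `#define USE_OPENSSL3_METHODS 1`, then `#endif`, assuming the OpenSSL headers are included above this point, which the hunk does not show. A short comment on `struct openssl_hmac_context_priv` stating that `mac` and `ctx` are allocated by `openssl_hmac_init()` and released only by `openssl_hmac_final()` would also help, since a context that is initialised but never finalised leaks both.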
@@ -606,12 +767,12 @@ diff -up dovecot-2.3.18/src/lib/hmac.h.opensslhmac dovecot-2.3.18/src/lib/hmac.h okm_buffer, okm_len); return okm_buffer; } -diff -up dovecot-2.3.18/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac dovecot-2.3.18/src/lib-imap-urlauth/imap-urlauth.c ---- dovecot-2.3.18/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 -+++ dovecot-2.3.18/src/lib-imap-urlauth/imap-urlauth.c 2022-02-09 09:27:15.888883345 +0100 -@@ -85,15 +85,15 @@ imap_urlauth_internal_generate(const cha - const unsigned char mailbox_key[IMAP_URLAUTH_KEY_LEN], - size_t *token_len_r) +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-imap-urlauth/imap-urlauth.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-imap-urlauth/imap-urlauth.c 2025-07-30 11:45:19.802862354 +0200 +@@ -87,15 +87,15 @@ imap_urlauth_internal_generate( + const unsigned char mailbox_key[IMAP_URLAUTH_KEY_LEN], + size_t *token_len_r) { - struct hmac_context hmac; + struct openssl_hmac_context hmac; 
@@ -629,10 +790,10 @@ diff -up dovecot-2.3.18/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac dovecot- *token_len_r = SHA1_RESULTLEN + 1; return token; -diff -up dovecot-2.3.18/src/lib/Makefile.am.opensslhmac dovecot-2.3.18/src/lib/Makefile.am ---- dovecot-2.3.18/src/lib/Makefile.am.opensslhmac 2022-02-02 12:42:23.000000000 +0100 -+++ dovecot-2.3.18/src/lib/Makefile.am 2022-02-09 09:27:15.889883331 +0100 -@@ -354,6 +354,9 @@ headers = \ +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/Makefile.am.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/Makefile.am +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/Makefile.am.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/Makefile.am 2025-07-30 11:45:19.802976508 +0200 +@@ -359,6 +359,9 @@ headers = \ wildcard-match.h \ write-full.h 
@@ -642,34 +803,34 @@ diff -up dovecot-2.3.18/src/lib/Makefile.am.opensslhmac dovecot-2.3.18/src/lib/M test_programs = test-lib noinst_PROGRAMS = $(test_programs) -diff -up dovecot-2.3.18/src/lib-oauth2/oauth2-jwt.c.opensslhmac dovecot-2.3.18/src/lib-oauth2/oauth2-jwt.c ---- dovecot-2.3.18/src/lib-oauth2/oauth2-jwt.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 -+++ dovecot-2.3.18/src/lib-oauth2/oauth2-jwt.c 2022-02-09 09:27:15.889883331 +0100 -@@ -144,14 +144,14 @@ oauth2_validate_hmac(const struct oauth2 +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/oauth2-jwt.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/oauth2-jwt.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/oauth2-jwt.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/oauth2-jwt.c 2025-07-30 11:45:19.803097425 +0200 +@@ -210,14 +210,14 @@ oauth2_validate_hmac(const struct oauth2 if (oauth2_lookup_hmac_key(set, azp, alg, key_id, &key, error_r) < 0) return -1; - struct hmac_context ctx; ++ struct openssl_hmac_context ctx; + unsigned char digest[method->digest_size]; + - hmac_init(&ctx, key->data, key->used, method); - hmac_update(&ctx, blobs[0], strlen(blobs[0])); - hmac_update(&ctx, ".", 1); - hmac_update(&ctx, blobs[1], strlen(blobs[1])); -+ struct openssl_hmac_context ctx; +- hmac_final(&ctx, digest); + openssl_hmac_init(&ctx, key->data, key->used, method); + openssl_hmac_update(&ctx, blobs[0], strlen(blobs[0])); + openssl_hmac_update(&ctx, ".", 1); + openssl_hmac_update(&ctx, blobs[1], strlen(blobs[1])); - unsigned char digest[method->digest_size]; - -- hmac_final(&ctx, digest); + openssl_hmac_final(&ctx, digest); buffer_t *their_digest = t_base64url_decode_str(BASE64_DECODE_FLAG_NO_PADDING, blobs[2]); -diff -up dovecot-2.3.18/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac dovecot-2.3.18/src/lib-oauth2/test-oauth2-jwt.c ---- dovecot-2.3.18/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac 2022-02-02 
12:42:23.000000000 +0100 -+++ dovecot-2.3.18/src/lib-oauth2/test-oauth2-jwt.c 2022-02-09 09:27:15.889883331 +0100 -@@ -248,7 +248,7 @@ static void save_key_azp_to(const char * +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/test-oauth2-jwt.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/test-oauth2-jwt.c 2025-07-30 11:45:19.803224443 +0200 +@@ -250,7 +250,7 @@ static void save_key_azp_to(const char * static void sign_jwt_token_hs256(buffer_t *tokenbuf, buffer_t *key) { i_assert(key != NULL); @@ -678,7 +839,7 @@ diff -up dovecot-2.3.18/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac dovecot-2.3 tokenbuf); buffer_append(tokenbuf, ".", 1); base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX, -@@ -258,7 +258,7 @@ static void sign_jwt_token_hs256(buffer_ +@@ -260,7 +260,7 @@ static void sign_jwt_token_hs256(buffer_ static void sign_jwt_token_hs384(buffer_t *tokenbuf, buffer_t *key) { i_assert(key != NULL); @@ -687,7 +848,7 @@ diff -up dovecot-2.3.18/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac dovecot-2.3 tokenbuf); buffer_append(tokenbuf, ".", 1); base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX, -@@ -268,7 +268,7 @@ static void sign_jwt_token_hs384(buffer_ +@@ -270,7 +270,7 @@ static void sign_jwt_token_hs384(buffer_ static void sign_jwt_token_hs512(buffer_t *tokenbuf, buffer_t *key) { i_assert(key != NULL); 
@@ -696,9 +857,9 @@ diff -up dovecot-2.3.18/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac dovecot-2.3 tokenbuf); buffer_append(tokenbuf, ".", 1); base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX, -diff -up dovecot-2.3.18/src/lib/pkcs5.c.opensslhmac dovecot-2.3.18/src/lib/pkcs5.c ---- dovecot-2.3.18/src/lib/pkcs5.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 -+++ dovecot-2.3.18/src/lib/pkcs5.c 2022-02-09 09:27:15.889883331 +0100 +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/pkcs5.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/pkcs5.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/pkcs5.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/pkcs5.c 2025-07-30 11:45:19.803357132 +0200 @@ -52,7 +52,7 @@ int pkcs5_pbkdf2(const struct hash_metho size_t l = (length + hash->digest_size - 1)/hash->digest_size; /* same as ceil(length/hash->digest_size) */ unsigned char dk[l * hash->digest_size]; @@ -733,9 +894,9 @@ diff -up dovecot-2.3.18/src/lib/pkcs5.c.opensslhmac dovecot-2.3.18/src/lib/pkcs5 for(i = 0; i < hash->digest_size; i++) block[i] ^= U_c[i]; } -diff -up dovecot-2.3.18/src/lib/test-hmac.c.opensslhmac dovecot-2.3.18/src/lib/test-hmac.c ---- dovecot-2.3.18/src/lib/test-hmac.c.opensslhmac 2022-02-02 12:42:23.000000000 +0100 -+++ dovecot-2.3.18/src/lib/test-hmac.c 2022-02-09 09:27:15.889883331 +0100 +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/test-hmac.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/test-hmac.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/test-hmac.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/test-hmac.c 2025-07-30 11:45:19.803460807 +0200 @@ -206,11 +206,11 @@ static void test_hmac_rfc(void) test_begin("hmac sha256 rfc4231 vectors"); for(size_t i = 0; i < N_ELEMENTS(test_vectors); i++) { 
@@ -811,3 +972,33 @@ diff -up dovecot-2.3.18/src/lib/test-hmac.c.opensslhmac dovecot-2.3.18/src/lib/t vec->ikm_len, vec->info, vec->info_len, vec->okm_len); test_assert(tmp->used == vec->okm_len && +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-var-expand-crypt/Makefile.am.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-var-expand-crypt/Makefile.am +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-var-expand-crypt/Makefile.am.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-var-expand-crypt/Makefile.am 2025-07-30 11:45:19.803606280 +0200 +@@ -30,13 +30,13 @@ test_libs = \ + $(DLLIB) + + test_var_expand_crypt_SOURCES = test-var-expand-crypt.c +-test_var_expand_crypt_LDADD = $(test_libs) ++test_var_expand_crypt_LDADD = $(test_libs) $(SSL_LIBS) + test_var_expand_crypt_DEPENDENCIES = $(module_LTLIBRARIES) + if HAVE_WHOLE_ARCHIVE + test_var_expand_crypt_LDFLAGS = -export-dynamic -Wl,$(LD_WHOLE_ARCHIVE),../lib/.libs/liblib.a,../lib-json/.libs/libjson.a,../lib-ssl-iostream/.libs/libssl_iostream.a,$(LD_NO_WHOLE_ARCHIVE) + endif + +-test_var_expand_crypt_CFLAGS = $(AM_CPPFLAGS) \ ++test_var_expand_crypt_CFLAGS = $(AM_CPPFLAGS) $(SSL_CFLAGS) \ + -DDCRYPT_BUILD_DIR=\"$(top_builddir)/src/lib-dcrypt\" + + check-local: +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/submission/Makefile.am.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/submission/Makefile.am +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/submission/Makefile.am.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/submission/Makefile.am 2025-07-30 11:45:19.804003916 +0200 +@@ -29,6 +29,7 @@ submission_LDADD = \ + $(urlauth_libs) \ + $(LIBDOVECOT_STORAGE) \ + $(LIBDOVECOT) \ ++ $(SSL_LIBS) \ + $(MODULE_LIBS) + submission_DEPENDENCIES = \ + $(urlauth_libs) \ 
diff --git a/dovecot-pigeonhole-2.4.1-4.tar.gz b/dovecot-pigeonhole-2.4.1-4.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..2bf112f14ff3aeba1e97deceb5623ae80dd6c856
--- /dev/null
+++ b/dovecot-pigeonhole-2.4.1-4.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b016b79503543f1d6047e7bc93ef6d2fb5bfc3d697cab1418c5dc488b1974e0e
+size 2014526
diff --git a/dovecot.spec b/dovecot.spec
index 4bbf57a31249fa458cb555617764c157d2fbc8a2..688ceb157ac0d5bd2390cc6931e37e0fec56a44e 100644
--- a/dovecot.spec
+++ b/dovecot.spec
@@ -5,49 +5,55 @@ %global _hardened_build 1 Name: dovecot -Version: 2.3.21.1 -Release: 4 -Summary: Dovecot Secure imap server +Version: 2.4.1 +%global prever -4 +Release: 1 +Summary: Secure imap and pop3 server License: MIT AND LGPL-2.1-only URL: https://www.dovecot.org/ Epoch: 1 -Source: https://www.dovecot.org/releases/2.3/%{name}-%{version}.tar.gz +Source: https://www.dovecot.org/releases/2.4/%{name}-%{version}%{?prever}.tar.gz Source1: dovecot.init Source2: dovecot.pam -%global pigeonholever %{lua: print(string.format("0.5.%s",string.sub(rpm.expand("%{version}"), 5)))} -Source8: https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz +%global pigeonholever %{version}%{?prever} +Source8: https://pigeonhole.dovecot.org/releases/2.4/dovecot-pigeonhole-%{pigeonholever}.tar.gz Source9: dovecot.sysconfig Source10: dovecot.tmpfilesd Source11: prestartscript Source12: dovecot.conf.5 Source16: dovecot.sysusers -Patch0: dovecot-2.0-defaultconfig.patch -Patch1: dovecot-1.0.beta2-mkcert-permissions.patch -Patch2: dovecot-1.0.rc7-mkcert-paths.patch - +Patch1: dovecot-2.0-defaultconfig.patch +Patch2: dovecot-1.0.beta2-mkcert-permissions.patch +Patch3: dovecot-1.0.rc7-mkcert-paths.patch + #wait for network -Patch3: dovecot-2.1.10-waitonline.patch - -Patch4: dovecot-2.2.20-initbysystemd.patch -Patch5: dovecot-2.2.22-systemd_w_protectsystem.patch -Patch6: dovecot-2.3.11-bigkey.patch -Patch7: dovecot-2.3.6-opensslhmac.patch -Patch8: dovecot-2.3.15-fixvalcond.patch -Patch9: dovecot-2.3.15-valbasherr.patch - -Patch11: CVE-2022-30550_1.patch -Patch12: CVE-2022-30550_2.patch -Patch13: dovecot-2.3.15-opensslv3.patch -Patch14: dovecot-2.3.21.1-link-icu-uc.patch +Patch6: dovecot-2.1.10-waitonline.patch + +Patch8: dovecot-2.2.20-initbysystemd.patch +Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch +Patch15: dovecot-2.3.11-bigkey.patch + +# do not use own implementation of HMAC, use OpenSSL for certification purposes +# not sent upstream as proper 
fix would use dovecot's lib-dcrypt but it introduces +# hard to break circular dependency between lib and lib-dcrypt +Patch16: dovecot-2.4.1-opensslhmac3.patch + +# FTBFS +Patch17: dovecot-2.3.15-fixvalcond.patch +Patch18: dovecot-2.3.15-valbasherr.patch + +# drop OTP which uses SHA1 so we dont use SHA1 for crypto purposes +Patch23: dovecot-2.4.1-nolibotp.patch +Patch24: dovecot-2.4.1-gssapi.patch BuildRequires: gcc-c++ openssl-devel pam-devel zlib-devel bzip2-devel libcap-devel BuildRequires: libtool autoconf automake pkgconfig sqlite-devel libpq-devel BuildRequires: mariadb-connector-c-devel libxcrypt-devel openldap-devel krb5-devel -BuildRequires: quota-devel xz-devel gettext-devel clucene-core-devel libcurl-devel expat-devel +BuildRequires: quota-devel xz-devel gettext-devel libcurl-devel expat-devel BuildRequires: lz4-devel libzstd-devel libicu-devel libstemmer-devel multilib-rpm-config -BuildRequires: systemd-devel chrpath +BuildRequires: systemd-devel chrpath lua-json lua-devel libsodium-devel flex bison Requires: openssl >= 0.9.7f-4 systemd tar %{?sysusers_requires_compat} @@ -59,8 +65,11 @@ Provides: %{name}-mysql = 1:%{version}-%{release} Obsoletes: %{name}-mysql < 1:%{version}-%{release} %description -Dovecot is an IMAP server for Linux/UNIX-like systemsa wrapper package -that will just handle common things for all versioned dovecot packages. +Dovecot is an IMAP server for Linux/UNIX-like systems, written with security +primarily in mind. It also contains a small POP3 server. It supports mail +in either of maildir or mbox formats. + +The SQL drivers and authentication plug-ins are in their subpackages. %package devel Requires: %{name} = %{epoch}:%{version}-%{release} 
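Review bot: The patch list drops `CVE-2022-30550_1.patch`, `CVE-2022-30550_2.patch` and `dovecot-2.3.15-opensslv3.patch` without a comment saying why, and the only changelog text in this commit is "Update to 2.4.1". For security patches a later reader should be able to tell that they were removed because the fix is in the new sources rather than lost in the rebase; once that has been checked against the 2.4.1 auth code, add a line such as `# CVE-2022-30550_{1,2}.patch dropped: fix is included in the 2.4 sources`. `Patch24: dovecot-2.4.1-gssapi.patch` also has no comment of its own and sits directly under the "drop OTP" comment, so it reads as part of the OTP removal; a one-line `# <reason for the gssapi patch>` above it would separate the two.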
@@ -71,55 +80,122 @@ This package provides the development files for dovecot. %package_help %prep -%autosetup -n %{name}-%{version} -a 8 -p1 - -cp run-test-valgrind.supp dovecot-2.3-pigeonhole-%{pigeonholever}/ -echo "testsuite" >dovecot-2.3-pigeonhole-%{pigeonholever}/run-test-valgrind.exclude - -sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in +%setup -q -n %{name}-%{version}%{?prever} -a 8 + +mv dovecot-pigeonhole-%{pigeonholever} dovecot-pigeonhole + +%patch -P 1 -p2 -b .default-settings +%patch -P 2 -p1 -b .mkcert-permissions +%patch -P 3 -p1 -b .mkcert-paths +%patch -P 6 -p2 -b .waitonline +%patch -P 8 -p2 -b .initbysystemd +%patch -P 9 -p1 -b .systemd_w_protectsystem +%patch -P 15 -p1 -b .bigkey +%patch -P 16 -p2 -b .opensslhmac3 +%patch -P 17 -p2 -b .fixvalcond +%patch -P 18 -p1 -b .valbasherr +%patch -P 23 -p2 -b .nolibotp +%patch -P 24 -p1 -b .gssapi + +cp run-test-valgrind.supp dovecot-pigeonhole/ +# valgrind would fail with shell wrapper +echo "testsuite" >dovecot-pigeonhole/run-test-valgrind.exclude + +# drop OTP which uses SHA1 so we dont use SHA1 for crypto purposes +echo >src/auth/mech-otp-common.c +echo >src/auth/mech-otp-common.h +echo >src/auth/mech-otp.c +echo >src/lib-auth/password-scheme-otp.c +pushd src/lib-otp +for f in *.c *.h +do + echo >$f +done +popd %build -export CFLAGS="%{__global_cflags} -fno-strict-aliasing" LDFLAGS="%{?__global_ldflags}" -%if "%toolchain" == "gcc" - CFLAGS="$CFLAGS -fstack-reuse=none" - export CFLAGS -%endif - +#required for fdpass.c line 125,190: dereferencing type-punned pointer will break strict-aliasing rules +%global _hardened_build 1 +export CFLAGS="%{__global_cflags} -fno-strict-aliasing -fstack-reuse=none" +export LDFLAGS="-Wl,-z,now -Wl,-z,relro %{?__global_ldflags}" mkdir -p m4 -autoreconf -I. 
-I%{_datadir}/gettext/m4 -fiv #required for aarch64 support - -%configure INSTALL_DATA="install -c -p -m644" \ - --docdir=%{_docdir}/%{name} --disable-static --disable-rpath --with-nss \ - --with-shadow --with-pam --with-gssapi=plugin --with-ldap=plugin --with-sql=plugin --with-pgsql --with-mysql \ - --with-sqlite --with-zlib --with-libcap --with-lucene --with-ssl=openssl --with-ssldir=%{ssldir} \ - --with-solr --with-docs - -sed -i 's|/etc/ssl|/etc/pki/dovecot|' doc/mkcert.sh doc/example-config/conf.d/10-ssl.conf +if [ -d /usr/share/gettext/m4 ] +then + #required for aarch64 support + # point to gettext explicitely, autoreconf cant find iconv.m4 otherwise + autoreconf -I . -I /usr/share/gettext/m4 +else + autoreconf -I . -fiv #required for aarch64 support +fi + +%configure \ + INSTALL_DATA="install -c -p -m644" \ + --with-rundir=%{_rundir}/%{name} \ + --with-systemd \ + --docdir=%{_docdir}/%{name} \ + --disable-static \ + --disable-rpath \ + --with-nss \ + --with-shadow \ + --with-pam \ + --with-gssapi=plugin \ + --with-ldap=plugin \ + --with-sql=plugin \ + --with-pgsql \ + --with-mysql \ + --with-sqlite \ + --with-zlib \ + --with-zstd \ + --with-libcap \ + --with-icu \ + --with-libstemmer \ + --with-lua=plugin \ + --without-lucene \ + --without-exttextcat \ + --with-ssl=openssl \ + --with-ssldir=%{ssldir} \ + --with-solr \ + --with-docs \ + systemdsystemunitdir=%{_unitdir} + +sed -i 's|/etc/ssl|/etc/pki/dovecot|' doc/mkcert.sh # doc/example-config/conf.d/10-ssl.conf %make_build -cd dovecot-2*3-pigeonhole-%{pigeonholever} - +#pigeonhole +pushd dovecot-pigeonhole + +# required for snapshot [ -f configure ] || autoreconf -fiv [ -f ChangeLog ] || echo "Pigeonhole ChangeLog is not available, yet" >ChangeLog - + %configure \ - INSTALL_DATA="install -c -p -m644" --disable-static --with-dovecot=../ --without-unfinished-features - + INSTALL_DATA="install -c -p -m644" \ + --disable-static \ + --with-dovecot=../ \ + --without-unfinished-features + %make_build -cd - +popd 
%install +rm -rf $RPM_BUILD_ROOT %make_install mv $RPM_BUILD_ROOT/%{_docdir}/%{name} %{_builddir}/%{name}-%{version}%{?prever}/docinstall -cd dovecot-2*3-pigeonhole-%{pigeonholever} +# fix multilib issues +%multilib_fix_c_header --file %{_includedir}/dovecot/config.h + +pushd dovecot-pigeonhole + %make_install mv $RPM_BUILD_ROOT/%{_docdir}/%{name} $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole install -m 644 AUTHORS ChangeLog COPYING COPYING.LGPL INSTALL NEWS README $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole -cd - + +popd + install -p -D -m 644 %{S:2} $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/dovecot install -p -D -m 644 %{S:12} $RPM_BUILD_ROOT%{_mandir}/man5/dovecot.conf.5 @@ -138,12 +214,8 @@ install -p -D -m 644 %{S:10} $RPM_BUILD_ROOT%{_tmpfilesdir}/dovecot.conf install -d $RPM_BUILD_ROOT/var/run/dovecot/{login,empty,token-login} install -d $RPM_BUILD_ROOT%{_sysconfdir}/dovecot/conf.d -install -p -m 644 docinstall/example-config/dovecot.conf $RPM_BUILD_ROOT%{_sysconfdir}/dovecot -install -p -m 644 docinstall/example-config/conf.d/*.conf $RPM_BUILD_ROOT%{_sysconfdir}/dovecot/conf.d install -p -m 644 $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole/example-config/conf.d/*.conf $RPM_BUILD_ROOT%{_sysconfdir}/dovecot/conf.d -install -p -m 644 docinstall/example-config/conf.d/*.conf.ext $RPM_BUILD_ROOT%{_sysconfdir}/dovecot/conf.d install -p -m 644 $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole/example-config/conf.d/*.conf.ext $RPM_BUILD_ROOT%{_sysconfdir}/dovecot/conf.d ||: - install -p -m 644 doc/dovecot-openssl.cnf $RPM_BUILD_ROOT%{ssldir}/dovecot-openssl.cnf install -p -m755 doc/mkcert.sh $RPM_BUILD_ROOT%{_libexecdir}/%{name}/mkcert.sh @@ -152,6 +224,7 @@ install -d $RPM_BUILD_ROOT/var/lib/dovecot %delete_la +rm -f $RPM_BUILD_ROOT%{_sysconfdir}/dovecot/README cd docinstall rm -f securecoding.txt thread-refs.txt cd - 
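Review bot: In `%build`, `-fstack-reuse=none` is now part of the unconditional `export CFLAGS=...` line, whereas the removed lines added it only under `%if "%toolchain" == "gcc"`; it is a GCC option, so a build with a non-GCC toolchain that the old guard catered for may now fail or warn. Keeping the guard preserves the old behaviour: `%if "%toolchain" == "gcc"`, then `export CFLAGS="$CFLAGS -fstack-reuse=none"`, then `%endif`, placed after the base `export CFLAGS`. The comment about fdpass.c and type-punned pointers explains `-fno-strict-aliasing`, but it now sits above a repeated `%global _hardened_build 1`, which is already set at the top of the spec; moving the comment next to the CFLAGS line and dropping the duplicate macro would make the intent clear.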
@@ -164,7 +237,6 @@ done cd - mkdir -p $RPM_BUILD_ROOT/etc/ld.so.conf.d echo "%{_libdir}/%{name}" > $RPM_BUILD_ROOT/etc/ld.so.conf.d/%{name}-%{_arch}.conf -echo "%{_libdir}/%{name}/old-stats" >> $RPM_BUILD_ROOT/etc/ld.so.conf.d/%{name}-%{_arch}.conf %pre %sysusers_create_compat %{S:16} @@ -181,11 +253,11 @@ if [ $1 -eq 1 ]; then %systemd_post dovecot.service fi -install -d -m 0755 -g dovecot -d /var/run/dovecot -install -d -m 0755 -d /var/run/dovecot/empty -install -d -m 0750 -g dovenull -d /var/run/dovecot/login -install -d -m 0755 -g dovenull -d /var/run/dovecot/token-login -[ -x /sbin/restorecon ] && /sbin/restorecon -R /var/run/dovecot +install -d -m 0755 -g dovecot -d /run/dovecot +install -d -m 0755 -d /run/dovecot/empty +install -d -m 0750 -g dovenull -d /run/dovecot/login +install -d -m 0750 -g dovenull -d /run/dovecot/token-login +[ -x /sbin/restorecon ] && /sbin/restorecon -R /run/dovecot %preun if [ $1 = 0 ]; then 
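Review bot: The last command of `%post`, `[ -x /sbin/restorecon ] && /sbin/restorecon -R /run/dovecot`, evaluates to non-zero when restorecon is not installed, and since nothing in this hunk runs after it before `%preun`, that status becomes the scriptlet's exit status. Appending `|| :` keeps the relabel best-effort without reporting a failed scriptlet: `[ -x /sbin/restorecon ] && /sbin/restorecon -R /run/dovecot || :`. The four `install -d` lines above it each pass `-d` twice (`install -d -m 0750 -g dovenull -d /run/dovecot/login`); the second flag is redundant and can go. The tightening of `token-login` from 0755 to 0750 matches the `%attr(0750,root,dovenull)` entry added in `%files`.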
@@ -213,32 +285,28 @@ fi %ifnarch aarch64 %check make check -cd dovecot-2*3-pigeonhole-%{pigeonholever} +cd dovecot-pigeonhole make check %endif %files %license COPYING COPYING.LGPL COPYING.MIT -%doc docinstall/* AUTHORS ChangeLog NEWS README +%doc docinstall/* AUTHORS ChangeLog INSTALL.md NEWS README.md SECURITY.md %{_sbindir}/dovecot -%{_bindir}/{doveadm,doveconf,dsync,dovecot-sysreport} +%{_bindir}/doveadm +%{_bindir}/doveconf +%{_bindir}/dovecot-sysreport %_tmpfilesdir/dovecot.conf %{_sysusersdir}/dovecot.conf -%{_unitdir}/{dovecot.service,dovecot.socket,dovecot-init.service} +%{_unitdir}/dovecot.service +%{_unitdir}/dovecot-init.service +%{_unitdir}/dovecot.socket %dir %{_sysconfdir}/dovecot %dir %{_sysconfdir}/dovecot/conf.d %config(noreplace) %{_sysconfdir}/dovecot/dovecot.conf -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/{10-auth.conf,10-director.conf,10-logging.conf,10-mail.conf} -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/{10-master.conf,10-ssl.conf,15-lda.conf,15-mailboxes.conf} -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/{20-imap.conf,20-lmtp.conf,20-pop3.conf,20-submission.conf} -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/{90-acl.conf,90-quota.conf,90-plugin.conf,auth-checkpassword.conf.ext} -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/{auth-deny.conf.ext,auth-dict.conf.ext,auth-ldap.conf.ext} -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/{auth-master.conf.ext,auth-passwdfile.conf.ext,auth-sql.conf.ext} -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/{auth-static.conf.ext,auth-system.conf.ext,auth-vpopmail.conf.ext} -%config(noreplace) %{_sysconfdir}/dovecot/conf.d/10-metrics.conf %config(noreplace) %{_sysconfdir}/pam.d/dovecot %config(noreplace) %{ssldir}/dovecot-openssl.cnf 
@@ -250,34 +318,50 @@ make check %attr(0600,root,root) %ghost %config(missingok,noreplace) %verify(not md5 size mtime) %{ssldir}/private/dovecot.pem %dir %{_libdir}/dovecot -%dir %{_libdir}/dovecot/{auth,dict} +%dir %{_libdir}/dovecot/auth +%dir %{_libdir}/dovecot/dict %{_libdir}/dovecot/doveadm -%exclude %{_libdir}/dovecot/doveadm/*sieve* %{_libdir}/dovecot/*.so.* +#these (*.so files) are plugins, not devel files %{_libdir}/dovecot/*_plugin.so -%{_libdir}/dovecot/auth/{lib20_auth_var_expand_crypt.so,libauthdb_imap.so,libauthdb_ldap.so} -%{_libdir}/dovecot/auth/{libmech_gssapi.so,libdriver_sqlite.so} -%{_libdir}/dovecot/dict/{libdriver_sqlite.so,libdict_ldap.so} -%{_libdir}/dovecot/{libdriver_sqlite.so,libssl_iostream_openssl.so,libfs_compress.so,libfs_crypt.so} -%{_libdir}/dovecot/{libfs_mail_crypt.so,libdcrypt_openssl.so,lib20_var_expand_crypt.so} -%{_libdir}/dovecot/old-stats/{libold_stats_mail.so,libstats_auth.so} +%{_libdir}/dovecot/auth/libauthdb_imap.so +%{_libdir}/dovecot/auth/libauthdb_ldap.so +%{_libdir}/dovecot/auth/libauthdb_lua.so +%{_libdir}/dovecot/auth/libmech_gssapi.so +%{_libdir}/dovecot/auth/libdriver_sqlite.so +%{_libdir}/dovecot/dict/libdriver_sqlite.so +%{_libdir}/dovecot/dict/libdict_ldap.so +%{_libdir}/dovecot/libdriver_sqlite.so +%{_libdir}/dovecot/libssl_iostream_openssl.so +%{_libdir}/dovecot/libfs_compress.so +%{_libdir}/dovecot/libfs_crypt.so +%{_libdir}/dovecot/libdcrypt_openssl.so +%{_libdir}/dovecot//var_expand_crypt.so %dir %{_libdir}/dovecot/settings %{_libexecdir}/%{name} -%ghost /var/run/dovecot +%dir %attr(0755,root,dovecot) %ghost /run/dovecot +%attr(0750,root,dovenull) %ghost /run/dovecot/login +%attr(0750,root,dovenull) %ghost /run/dovecot/token-login +%attr(0755,root,root) %ghost /run/dovecot/empty %attr(0750,dovecot,dovecot) /var/lib/dovecot %{_datadir}/%{name} -%{_bindir}/{sieve-dump,sieve-filter,sieve-test,sievec} -%config(noreplace) 
%{_sysconfdir}/dovecot/conf.d/{20-managesieve.conf,90-sieve.conf,90-sieve-extprograms.conf} +%{_bindir}/sieve-dump +%{_bindir}/sieve-filter +%{_bindir}/sieve-test +%{_bindir}/sievec +%config(noreplace) %{_sysconfdir}/dovecot/conf.d/20-managesieve.conf +%config(noreplace) %{_sysconfdir}/dovecot/conf.d/90-sieve.conf +%config(noreplace) %{_sysconfdir}/dovecot/conf.d/90-sieve-extprograms.conf %{_docdir}/%{name}-pigeonhole -%{_libdir}/dovecot/doveadm/*sieve* -%{_libdir}/dovecot/settings/{libmanagesieve_*.so,libpigeonhole_*.so} +%{_libdir}/dovecot/settings/libmanagesieve_*.so +%{_libdir}/dovecot/settings/libpigeonhole_*.so %{_libdir}/dovecot/sieve/ %{_libdir}/%{name}/libdriver_mysql.so %{_libdir}/%{name}/auth/libdriver_mysql.so @@ -286,8 +370,6 @@ make check %{_libdir}/%{name}/auth/libdriver_pgsql.so %{_libdir}/%{name}/dict/libdriver_pgsql.so -%exclude %{_sysconfdir}/dovecot/README - %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf %files devel @@ -305,6 +387,9 @@ make check %changelog +* Tue Sep 09 2025 wangkai <13474090681@163.com> - 1:2.4.1-1 +- Update to 2.4.1 + * Sat May 10 2025 Funda Wang - 1:2.3.21.1-4 - change user and group creation into systemd style
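Review bot: The runtime directories are now listed in `%files` as `%ghost` entries under `/run/dovecot` with explicit owners and modes, but `%install` still creates them as `$RPM_BUILD_ROOT/var/run/dovecot/{login,empty,token-login}` (an unchanged context line in the `@@ -138,12 +214,8 @@` hunk), so the build root and `%files` no longer name the same path. Changing that line to `install -d $RPM_BUILD_ROOT/run/dovecot/{login,empty,token-login}` keeps `%install`, `%post` and `%files` in agreement; whether rpm accepts the ghost entries without it depends on the rpm version, so this needs a test build. The entry `%{_libdir}/dovecot//var_expand_crypt.so` has a doubled slash and a different file name from the `lib20_var_expand_crypt.so` it replaces; please confirm that is the name the 2.4.1 build installs and write it as `%{_libdir}/dovecot/var_expand_crypt.so`.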