import dovecot-2.3.16-3.el9

This commit is contained in:
CentOS Sources 2022-05-17 05:08:22 -04:00 committed by Stepan Oksanichenko
commit 3daaafe910
22 changed files with 3842 additions and 0 deletions

2
.dovecot.metadata Normal file
View File

@ -0,0 +1,2 @@
4673c244c6ea73ee3da0bb61d0206a1fe3d0be0e SOURCES/dovecot-2.3-pigeonhole-0.5.16.tar.gz
b5c598ae8b9901bfabdf2c93271f57cde0bde73e SOURCES/dovecot-2.3.16.tar.gz

2
.gitignore vendored Normal file
View File

@ -0,0 +1,2 @@
SOURCES/dovecot-2.3-pigeonhole-0.5.16.tar.gz
SOURCES/dovecot-2.3.16.tar.gz

View File

@ -0,0 +1,11 @@
--- dovecot-1.0.beta2/doc/mkcert.sh.configfile 2006-01-16 21:14:54.000000000 +0100
+++ dovecot-1.0.beta2/doc/mkcert.sh 2006-01-26 14:28:38.000000000 +0100
@@ -29,6 +29,7 @@
fi
$OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 365 || exit 2
-chmod 0600 $KEYFILE
+chown root:root $CERTFILE $KEYFILE
+chmod 0600 $CERTFILE $KEYFILE
echo
$OPENSSL x509 -subject -fingerprint -noout -in $CERTFILE || exit 2

View File

@ -0,0 +1,14 @@
diff -up dovecot-2.2.27/doc/mkcert.sh.mkcert-paths dovecot-2.2.27/doc/mkcert.sh
--- dovecot-2.2.27/doc/mkcert.sh.mkcert-paths 2016-12-05 10:26:07.913515286 +0100
+++ dovecot-2.2.27/doc/mkcert.sh 2016-12-05 10:28:25.439634417 +0100
@@ -5,8 +5,8 @@
umask 077
OPENSSL=${OPENSSL-openssl}
-SSLDIR=${SSLDIR-/etc/ssl}
-OPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf}
+SSLDIR=${SSLDIR-/etc/pki/dovecot}
+OPENSSLCONFIG=${OPENSSLCONFIG-/etc/pki/dovecot/dovecot-openssl.cnf}
CERTDIR=$SSLDIR/certs
KEYDIR=$SSLDIR/private

View File

@ -0,0 +1,42 @@
diff -up dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf.default-settings dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf
--- dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf.default-settings 2021-08-06 11:25:51.000000000 +0200
+++ dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf 2021-10-27 11:13:45.666956339 +0200
@@ -175,7 +175,7 @@ namespace inbox {
# to make sure that users can't log in as daemons or other system users.
# Note that denying root logins is hardcoded to dovecot binary and can't
# be done even if first_valid_uid is set to 0.
-#first_valid_uid = 500
+first_valid_uid = 1000
#last_valid_uid = 0
# Valid GID range for users, defaults to non-root/wheel. Users having
@@ -322,6 +322,7 @@ protocol !indexer-worker {
# them simultaneously.
#mbox_read_locks = fcntl
#mbox_write_locks = dotlock fcntl
+mbox_write_locks = fcntl
# Maximum time to wait for lock (all of them) before aborting.
#mbox_lock_timeout = 5 mins
diff -up dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf.default-settings dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf
--- dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf.default-settings 2021-08-06 11:25:51.000000000 +0200
+++ dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf 2021-10-27 11:13:02.834533975 +0200
@@ -3,7 +3,9 @@
##
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
-#ssl = yes
+# disable plain pop3 and imap, allowed are only pop3+TLS, pop3s, imap+TLS and imaps
+# plain imap and pop3 are still allowed for local connections
+ssl = required
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
@@ -64,6 +66,7 @@ ssl_key = </etc/ssl/private/dovecot.pem
#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
# To disable non-EC DH, use:
#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
+ssl_cipher_list = PROFILE=SYSTEM
# Colon separated list of elliptic curves to use. Empty value (the default)
# means use the defaults from the SSL library. P-521:P-384:P-256 would be an

View File

@ -0,0 +1,11 @@
diff -up dovecot-2.3.15/dovecot.service.in.waitonline dovecot-2.3.15/dovecot.service.in
--- dovecot-2.3.15/dovecot.service.in.waitonline 2021-06-21 20:19:19.560494654 +0200
+++ dovecot-2.3.15/dovecot.service.in 2021-06-21 20:21:17.443066248 +0200
@@ -15,6 +15,7 @@ After=local-fs.target network-online.tar
[Service]
Type=@systemdservicetype@
+ExecStartPre=/usr/libexec/dovecot/prestartscript
ExecStart=@sbindir@/dovecot -F
ExecReload=@bindir@/doveadm reload
ExecStop=@bindir@/doveadm stop

View File

@ -0,0 +1,51 @@
diff -up dovecot-2.3.15/dovecot-init.service.initbysystemd dovecot-2.3.15/dovecot-init.service
--- dovecot-2.3.15/dovecot-init.service.initbysystemd 2021-06-21 20:21:49.250680889 +0200
+++ dovecot-2.3.15/dovecot-init.service 2021-06-21 20:21:49.250680889 +0200
@@ -0,0 +1,13 @@
+[Unit]
+Description=One-time Dovecot init service
+ConditionPathExists=|!/etc/pki/dovecot/certs/dovecot.pem
+
+[Service]
+Type=oneshot
+RemainAfterExit=no
+ExecStart=/bin/sh -c '\
+if [ ! -f /etc/pki/dovecot/certs/dovecot.pem ]; \
+then\
+ SSLDIR=/etc/pki/dovecot/ OPENSSLCONFIG=/etc/pki/dovecot/dovecot-openssl.cnf /usr/libexec/dovecot/mkcert.sh /dev/null 2>&1;\
+fi'
+
diff -up dovecot-2.3.15/dovecot.service.in.initbysystemd dovecot-2.3.15/dovecot.service.in
--- dovecot-2.3.15/dovecot.service.in.initbysystemd 2021-06-21 20:21:49.250680889 +0200
+++ dovecot-2.3.15/dovecot.service.in 2021-06-21 20:22:46.935981920 +0200
@@ -11,7 +11,8 @@
Description=Dovecot IMAP/POP3 email server
Documentation=man:dovecot(1)
Documentation=https://doc.dovecot.org/
-After=local-fs.target network-online.target
+After=local-fs.target network-online.target dovecot-init.service
+Requires=dovecot-init.service
[Service]
Type=@systemdservicetype@
diff -up dovecot-2.3.15/Makefile.am.initbysystemd dovecot-2.3.15/Makefile.am
--- dovecot-2.3.15/Makefile.am.initbysystemd 2021-06-21 20:21:49.250680889 +0200
+++ dovecot-2.3.15/Makefile.am 2021-06-21 20:24:26.676765849 +0200
@@ -21,6 +21,7 @@ EXTRA_DIST = \
run-test-valgrind.supp \
dovecot.service.in \
dovecot.socket \
+ dovecot-init.service \
$(conf_DATA)
noinst_DATA = dovecot-config
@@ -69,7 +70,8 @@ dovecot-config: dovecot-config.in Makefi
if WANT_SYSTEMD
systemdsystemunit_DATA = \
dovecot.socket \
- dovecot.service
+ dovecot.service \
+ dovecot-init.service
endif
install-exec-hook:

View File

@ -0,0 +1,11 @@
diff -up dovecot-2.3.2/dovecot.service.in.systemd_w_protectsystem dovecot-2.3.2/dovecot.service.in
--- dovecot-2.3.2/dovecot.service.in.systemd_w_protectsystem 2018-07-09 12:00:13.359193526 +0200
+++ dovecot-2.3.2/dovecot.service.in 2018-07-09 12:00:46.387716884 +0200
@@ -23,6 +23,7 @@ ExecReload=@bindir@/doveadm reload
ExecStop=@bindir@/doveadm stop
PrivateTmp=true
NonBlocking=yes
+# this will make /usr /boot /etc read only for dovecot
ProtectSystem=full
ProtectHome=no
PrivateDevices=true

View File

@ -0,0 +1,11 @@
diff -up dovecot-2.3.0.1/src/auth/mycrypt.c.libxcrypt dovecot-2.3.0.1/src/auth/mycrypt.c
--- dovecot-2.3.0.1/src/auth/mycrypt.c.libxcrypt 2018-02-28 15:28:58.000000000 +0100
+++ dovecot-2.3.0.1/src/auth/mycrypt.c 2018-03-27 10:57:38.447769201 +0200
@@ -14,6 +14,7 @@
# define _XPG6 /* Some Solaris versions require this, some break with this */
#endif
#include <unistd.h>
+#include <crypt.h>
#include "mycrypt.h"

View File

@ -0,0 +1,10 @@
diff -up dovecot-2.3.15/doc/dovecot-openssl.cnf.bigkey dovecot-2.3.15/doc/dovecot-openssl.cnf
--- dovecot-2.3.15/doc/dovecot-openssl.cnf.bigkey 2021-06-21 20:24:51.913456628 +0200
+++ dovecot-2.3.15/doc/dovecot-openssl.cnf 2021-06-21 20:25:36.352912123 +0200
@@ -1,5 +1,5 @@
[ req ]
-default_bits = 2048
+default_bits = 3072
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type

View File

@ -0,0 +1,34 @@
diff -up dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c.opensslv3 dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c
--- dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c.opensslv3 2021-06-03 18:56:52.573174433 +0200
+++ dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c 2021-06-03 18:56:52.585174274 +0200
@@ -73,10 +73,30 @@
2<tab>key algo oid<tab>1<tab>symmetric algo name<tab>salt<tab>hash algo<tab>rounds<tab>E(RSA = i2d_PrivateKey, EC=Private Point)<tab>key id
**/
+#if OPENSSL_VERSION_MAJOR == 3
+static EC_KEY *EVP_PKEY_get0_EC_KEYv3(EVP_PKEY *key)
+{
+ EC_KEY *eck = EVP_PKEY_get1_EC_KEY(key);
+ EVP_PKEY_set1_EC_KEY(key, eck);
+ EC_KEY_free(eck);
+ return eck;
+}
+
+static EC_KEY *EVP_PKEY_get1_EC_KEYv3(EVP_PKEY *key)
+{
+ EC_KEY *eck = EVP_PKEY_get1_EC_KEY(key);
+ EVP_PKEY_set1_EC_KEY(key, eck);
+ return eck;
+}
+
+#define EVP_PKEY_get0_EC_KEY EVP_PKEY_get0_EC_KEYv3
+#define EVP_PKEY_get1_EC_KEY EVP_PKEY_get1_EC_KEYv3
+#else
#ifndef HAVE_EVP_PKEY_get0
#define EVP_PKEY_get0_EC_KEY(x) x->pkey.ec
#define EVP_PKEY_get0_RSA(x) x->pkey.rsa
#endif
+#endif
#ifndef HAVE_OBJ_LENGTH
#define OBJ_length(o) ((o)->length)

View File

@ -0,0 +1,24 @@
diff -up dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.15/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.15/src/lib-sieve/storage/dict/sieve-dict-script.c
--- dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.16/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond 2021-06-21 23:07:55.269814896 +0200
+++ dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.16/src/lib-sieve/storage/dict/sieve-dict-script.c 2021-06-21 23:07:55.298814544 +0200
@@ -109,7 +109,7 @@ static int sieve_dict_script_get_stream
{
struct sieve_dict_script *dscript =
(struct sieve_dict_script *)script;
- const char *path, *name = script->name, *data, *error;
+ const char *path, *name = script->name, *data, *error = NULL;
int ret;
dscript->data_pool =
diff -up dovecot-2.3.15/src/lib-storage/index/index-attribute.c.fixvalcond dovecot-2.3.15/src/lib-storage/index/index-attribute.c
--- dovecot-2.3.15/src/lib-storage/index/index-attribute.c.fixvalcond 2021-06-14 15:40:37.000000000 +0200
+++ dovecot-2.3.15/src/lib-storage/index/index-attribute.c 2021-06-21 21:52:22.963171229 +0200
@@ -249,7 +249,7 @@ int index_storage_attribute_get(struct m
struct mail_attribute_value *value_r)
{
struct dict *dict;
- const char *mailbox_prefix, *error;
+ const char *mailbox_prefix, *error = NULL;
int ret;
i_zero(value_r);

View File

@ -0,0 +1,20 @@
diff -up dovecot-2.3.15/run-test-valgrind.supp.valbasherr dovecot-2.3.15/run-test-valgrind.supp
--- dovecot-2.3.15/run-test-valgrind.supp.valbasherr 2021-06-21 22:52:53.272707239 +0200
+++ dovecot-2.3.15/run-test-valgrind.supp 2021-06-21 22:54:19.786668430 +0200
@@ -1,4 +1,16 @@
{
+ <bashagin>
+ Memcheck:Leak
+ match-leak-kinds: definite
+ fun:malloc
+ fun:make_if_command
+ fun:yyparse
+ fun:parse_command
+ fun:read_command
+ fun:reader_loop
+ fun:main
+}
+{
<bash>
Memcheck:Leak
fun:malloc

View File

@ -0,0 +1,53 @@
commit ec4595097067a736717ef202fe8542b1b4bc2dd5
Author: Timo Sirainen <timo.sirainen@open-xchange.com>
Date: Tue Aug 10 12:22:08 2021 +0300
lib-index: Fix storing cache fields' last_used with 64bit big endian CPUs
diff --git a/src/lib-index/mail-cache-fields.c b/src/lib-index/mail-cache-fields.c
index e929fb559d..429e0d234c 100644
--- a/src/lib-index/mail-cache-fields.c
+++ b/src/lib-index/mail-cache-fields.c
@@ -524,6 +524,19 @@ static void copy_to_buf_byte(struct mail_cache *cache, buffer_t *dest,
}
}
+static void
+copy_to_buf_last_used(struct mail_cache *cache, buffer_t *dest, bool add_new)
+{
+ size_t offset = offsetof(struct mail_cache_field, last_used);
+#if defined(WORDS_BIGENDIAN) && SIZEOF_VOID_P == 8
+ /* 64bit time_t with big endian CPUs: copy the last 32 bits instead of
+ the first 32 bits (that are always 0). The 32 bits are enough until
+ year 2106, so we're not in a hurry to use 64 bits on disk. */
+ offset += sizeof(uint32_t);
+#endif
+ copy_to_buf(cache, dest, add_new, offset, sizeof(uint32_t));
+}
+
static int mail_cache_header_fields_update_locked(struct mail_cache *cache)
{
buffer_t *buffer;
@@ -536,9 +549,7 @@ static int mail_cache_header_fields_update_locked(struct mail_cache *cache)
buffer = t_buffer_create(256);
- copy_to_buf(cache, buffer, FALSE,
- offsetof(struct mail_cache_field, last_used),
- sizeof(uint32_t));
+ copy_to_buf_last_used(cache, buffer, FALSE);
ret = mail_cache_write(cache, buffer->data, buffer->used,
offset + MAIL_CACHE_FIELD_LAST_USED());
if (ret == 0) {
@@ -599,9 +610,7 @@ void mail_cache_header_fields_get(struct mail_cache *cache, buffer_t *dest)
buffer_append(dest, &hdr, sizeof(hdr));
/* we have to keep the field order for the existing fields. */
- copy_to_buf(cache, dest, TRUE,
- offsetof(struct mail_cache_field, last_used),
- sizeof(uint32_t));
+ copy_to_buf_last_used(cache, dest, TRUE);
copy_to_buf(cache, dest, TRUE,
offsetof(struct mail_cache_field, field_size),
sizeof(uint32_t));

View File

@ -0,0 +1,813 @@
diff -up dovecot-2.3.14/src/auth/auth-token.c.opensslhmac dovecot-2.3.14/src/auth/auth-token.c
--- dovecot-2.3.14/src/auth/auth-token.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/auth/auth-token.c 2021-03-22 20:44:13.022912242 +0100
@@ -161,17 +161,17 @@ void auth_token_deinit(void)
const char *auth_token_get(const char *service, const char *session_pid,
const char *username, const char *session_id)
{
- struct hmac_context ctx;
+ struct openssl_hmac_context ctx;
unsigned char result[SHA1_RESULTLEN];
- hmac_init(&ctx, (const unsigned char*)username, strlen(username),
+ openssl_hmac_init(&ctx, (const unsigned char*)username, strlen(username),
&hash_method_sha1);
- hmac_update(&ctx, session_pid, strlen(session_pid));
+ openssl_hmac_update(&ctx, session_pid, strlen(session_pid));
if (session_id != NULL && *session_id != '\0')
- hmac_update(&ctx, session_id, strlen(session_id));
- hmac_update(&ctx, service, strlen(service));
- hmac_update(&ctx, auth_token_secret, sizeof(auth_token_secret));
- hmac_final(&ctx, result);
+ openssl_hmac_update(&ctx, session_id, strlen(session_id));
+ openssl_hmac_update(&ctx, service, strlen(service));
+ openssl_hmac_update(&ctx, auth_token_secret, sizeof(auth_token_secret));
+ openssl_hmac_final(&ctx, result);
return binary_to_hex(result, sizeof(result));
}
diff -up dovecot-2.3.14/src/auth/mech-cram-md5.c.opensslhmac dovecot-2.3.14/src/auth/mech-cram-md5.c
--- dovecot-2.3.14/src/auth/mech-cram-md5.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/auth/mech-cram-md5.c 2021-03-22 20:44:13.022912242 +0100
@@ -51,7 +51,7 @@ static bool verify_credentials(struct cr
{
unsigned char digest[MD5_RESULTLEN];
- struct hmac_context ctx;
+ struct orig_hmac_context ctx;
const char *response_hex;
if (size != CRAM_MD5_CONTEXTLEN) {
@@ -60,10 +60,10 @@ static bool verify_credentials(struct cr
return FALSE;
}
- hmac_init(&ctx, NULL, 0, &hash_method_md5);
+ orig_hmac_init(&ctx, NULL, 0, &hash_method_md5);
hmac_md5_set_cram_context(&ctx, credentials);
- hmac_update(&ctx, request->challenge, strlen(request->challenge));
- hmac_final(&ctx, digest);
+ orig_hmac_update(&ctx, request->challenge, strlen(request->challenge));
+ orig_hmac_final(&ctx, digest);
response_hex = binary_to_hex(digest, sizeof(digest));
diff -up dovecot-2.3.14/src/auth/mech-scram.c.opensslhmac dovecot-2.3.14/src/auth/mech-scram.c
--- dovecot-2.3.14/src/auth/mech-scram.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/auth/mech-scram.c 2021-03-22 20:44:13.022912242 +0100
@@ -78,7 +78,7 @@ static const char *get_scram_server_firs
static const char *get_scram_server_final(struct scram_auth_request *request)
{
const struct hash_method *hmethod = request->hash_method;
- struct hmac_context ctx;
+ struct openssl_hmac_context ctx;
const char *auth_message;
unsigned char server_signature[hmethod->digest_size];
string_t *str;
@@ -87,9 +87,9 @@ static const char *get_scram_server_fina
request->server_first_message, ",",
request->client_final_message_without_proof, NULL);
- hmac_init(&ctx, request->server_key, hmethod->digest_size, hmethod);
- hmac_update(&ctx, auth_message, strlen(auth_message));
- hmac_final(&ctx, server_signature);
+ openssl_hmac_init(&ctx, request->server_key, hmethod->digest_size, hmethod);
+ openssl_hmac_update(&ctx, auth_message, strlen(auth_message));
+ openssl_hmac_final(&ctx, server_signature);
str = t_str_new(MAX_BASE64_ENCODED_SIZE(sizeof(server_signature)));
str_append(str, "v=");
@@ -228,7 +228,7 @@ static bool parse_scram_client_first(str
static bool verify_credentials(struct scram_auth_request *request)
{
const struct hash_method *hmethod = request->hash_method;
- struct hmac_context ctx;
+ struct openssl_hmac_context ctx;
const char *auth_message;
unsigned char client_key[hmethod->digest_size];
unsigned char client_signature[hmethod->digest_size];
@@ -239,9 +239,9 @@ static bool verify_credentials(struct sc
request->server_first_message, ",",
request->client_final_message_without_proof, NULL);
- hmac_init(&ctx, request->stored_key, hmethod->digest_size, hmethod);
- hmac_update(&ctx, auth_message, strlen(auth_message));
- hmac_final(&ctx, client_signature);
+ openssl_hmac_init(&ctx, request->stored_key, hmethod->digest_size, hmethod);
+ openssl_hmac_update(&ctx, auth_message, strlen(auth_message));
+ openssl_hmac_final(&ctx, client_signature);
const unsigned char *proof_data = request->proof->data;
for (i = 0; i < sizeof(client_signature); i++)
diff -up dovecot-2.3.14/src/auth/password-scheme.c.opensslhmac dovecot-2.3.14/src/auth/password-scheme.c
--- dovecot-2.3.14/src/auth/password-scheme.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/auth/password-scheme.c 2021-03-22 20:44:13.022912242 +0100
@@ -639,11 +639,11 @@ static void
cram_md5_generate(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED,
const unsigned char **raw_password_r, size_t *size_r)
{
- struct hmac_context ctx;
+ struct orig_hmac_context ctx;
unsigned char *context_digest;
context_digest = t_malloc_no0(CRAM_MD5_CONTEXTLEN);
- hmac_init(&ctx, (const unsigned char *)plaintext,
+ orig_hmac_init(&ctx, (const unsigned char *)plaintext,
strlen(plaintext), &hash_method_md5);
hmac_md5_get_cram_context(&ctx, context_digest);
diff -up dovecot-2.3.14/src/auth/password-scheme-scram.c.opensslhmac dovecot-2.3.14/src/auth/password-scheme-scram.c
--- dovecot-2.3.14/src/auth/password-scheme-scram.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/auth/password-scheme-scram.c 2021-03-22 20:44:13.023912229 +0100
@@ -30,23 +30,23 @@ Hi(const struct hash_method *hmethod, co
const unsigned char *salt, size_t salt_size, unsigned int i,
unsigned char *result)
{
- struct hmac_context ctx;
+ struct openssl_hmac_context ctx;
unsigned char U[hmethod->digest_size];
unsigned int j, k;
/* Calculate U1 */
- hmac_init(&ctx, str, str_size, hmethod);
- hmac_update(&ctx, salt, salt_size);
- hmac_update(&ctx, "\0\0\0\1", 4);
- hmac_final(&ctx, U);
+ openssl_hmac_init(&ctx, str, str_size, hmethod);
+ openssl_hmac_update(&ctx, salt, salt_size);
+ openssl_hmac_update(&ctx, "\0\0\0\1", 4);
+ openssl_hmac_final(&ctx, U);
memcpy(result, U, hmethod->digest_size);
/* Calculate U2 to Ui and Hi */
for (j = 2; j <= i; j++) {
- hmac_init(&ctx, str, str_size, hmethod);
- hmac_update(&ctx, U, sizeof(U));
- hmac_final(&ctx, U);
+ openssl_hmac_init(&ctx, str, str_size, hmethod);
+ openssl_hmac_update(&ctx, U, sizeof(U));
+ openssl_hmac_final(&ctx, U);
for (k = 0; k < hmethod->digest_size; k++)
result[k] ^= U[k];
}
@@ -102,7 +102,7 @@ int scram_verify(const struct hash_metho
const char *plaintext, const unsigned char *raw_password,
size_t size, const char **error_r)
{
- struct hmac_context ctx;
+ struct openssl_hmac_context ctx;
const char *salt_base64;
unsigned int iter_count;
const unsigned char *salt;
@@ -126,9 +126,9 @@ int scram_verify(const struct hash_metho
salt, salt_len, iter_count, salted_password);
/* Calculate ClientKey */
- hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod);
- hmac_update(&ctx, "Client Key", 10);
- hmac_final(&ctx, client_key);
+ openssl_hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod);
+ openssl_hmac_update(&ctx, "Client Key", 10);
+ openssl_hmac_final(&ctx, client_key);
/* Calculate StoredKey */
hash_method_get_digest(hmethod, client_key, sizeof(client_key),
@@ -147,7 +147,7 @@ void scram_generate(const struct hash_me
const unsigned char **raw_password_r, size_t *size_r)
{
string_t *str;
- struct hmac_context ctx;
+ struct openssl_hmac_context ctx;
unsigned char salt[16];
unsigned char salted_password[hmethod->digest_size];
unsigned char client_key[hmethod->digest_size];
@@ -165,9 +165,9 @@ void scram_generate(const struct hash_me
sizeof(salt), SCRAM_DEFAULT_ITERATE_COUNT, salted_password);
/* Calculate ClientKey */
- hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod);
- hmac_update(&ctx, "Client Key", 10);
- hmac_final(&ctx, client_key);
+ openssl_hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod);
+ openssl_hmac_update(&ctx, "Client Key", 10);
+ openssl_hmac_final(&ctx, client_key);
/* Calculate StoredKey */
hash_method_get_digest(hmethod, client_key, sizeof(client_key),
@@ -176,9 +176,9 @@ void scram_generate(const struct hash_me
base64_encode(stored_key, sizeof(stored_key), str);
/* Calculate ServerKey */
- hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod);
- hmac_update(&ctx, "Server Key", 10);
- hmac_final(&ctx, server_key);
+ openssl_hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod);
+ openssl_hmac_update(&ctx, "Server Key", 10);
+ openssl_hmac_final(&ctx, server_key);
str_append_c(str, ',');
base64_encode(server_key, sizeof(server_key), str);
diff -up dovecot-2.3.14/src/lib/hmac.c.opensslhmac dovecot-2.3.14/src/lib/hmac.c
--- dovecot-2.3.14/src/lib/hmac.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/lib/hmac.c 2021-03-22 20:44:13.023912229 +0100
@@ -7,6 +7,10 @@
* This software is released under the MIT license.
*/
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
#include "lib.h"
#include "hmac.h"
#include "safe-memset.h"
@@ -14,10 +18,65 @@
#include "hex-binary.h"
-void hmac_init(struct hmac_context *_ctx, const unsigned char *key,
+#ifndef HAVE_HMAC_CTX_NEW
+# define HMAC_Init_ex(ctx, key, key_len, md, impl) \
+ HMAC_Init_ex(&(ctx), key, key_len, md, impl)
+# define HMAC_Update(ctx, data, len) HMAC_Update(&(ctx), data, len)
+# define HMAC_Final(ctx, md, len) HMAC_Final(&(ctx), md, len)
+# define HMAC_CTX_free(ctx) HMAC_cleanup(&(ctx))
+#else
+# define HMAC_CTX_free(ctx) \
+ STMT_START { HMAC_CTX_free(ctx); (ctx) = NULL; } STMT_END
+#endif
+
+
+void openssl_hmac_init(struct openssl_hmac_context *_ctx, const unsigned char *key,
size_t key_len, const struct hash_method *meth)
{
- struct hmac_context_priv *ctx = &_ctx->u.priv;
+ struct openssl_hmac_context_priv *ctx = &_ctx->u.priv;
+
+ const EVP_MD *md;
+ const char *ebuf = NULL;
+ const char **error_r = &ebuf;
+
+ md = EVP_get_digestbyname(meth->name);
+ if(md == NULL) {
+ if (error_r != NULL) {
+ *error_r = t_strdup_printf("Invalid digest %s",
+ meth->name);
+ }
+ //return FALSE;
+ }
+
+// int ec;
+
+ i_assert(md != NULL);
+#ifdef HAVE_HMAC_CTX_NEW
+ ctx->ctx = HMAC_CTX_new();
+/* if (ctx->ctx == NULL)
+ dcrypt_openssl_error(error_r);*/
+#endif
+ /*ec = */HMAC_Init_ex(ctx->ctx, key, key_len, md, NULL);
+}
+
+void orig_hmac_init(struct orig_hmac_context *_ctx, const unsigned char *key,
+ size_t key_len, const struct hash_method *meth)
+{
+ static int no_fips = -1;
+ if (no_fips == -1) {
+ int fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY);
+ if (fd != -1)
+ {
+ char buf[4];
+ if (read(fd, buf, 4) > 0)
+ {
+ no_fips = buf[0] == '0';
+ }
+ close(fd);
+ }
+ }
+ i_assert(no_fips);
+ struct orig_hmac_context_priv *ctx = &_ctx->u.priv;
unsigned int i;
unsigned char k_ipad[meth->block_size];
unsigned char k_opad[meth->block_size];
@@ -53,9 +112,27 @@ void hmac_init(struct hmac_context *_ctx
safe_memset(k_opad, 0, meth->block_size);
}
-void hmac_final(struct hmac_context *_ctx, unsigned char *digest)
+void openssl_hmac_final(struct openssl_hmac_context *_ctx, unsigned char *digest)
+{
+ int ec;
+ unsigned char buf[HMAC_MAX_MD_CBLOCK];
+ unsigned int outl;
+// const char *ebuf = NULL;
+// const char **error_r = &ebuf;
+
+ struct openssl_hmac_context_priv *ctx = &_ctx->u.priv;
+ ec = HMAC_Final(ctx->ctx, buf, &outl);
+ HMAC_CTX_free(ctx->ctx);
+ if (ec == 1)
+ memcpy(digest, buf, outl);
+// else
+// dcrypt_openssl_error(error_r);
+
+}
+
+void orig_hmac_final(struct orig_hmac_context *_ctx, unsigned char *digest)
{
- struct hmac_context_priv *ctx = &_ctx->u.priv;
+ struct orig_hmac_context_priv *ctx = &_ctx->u.priv;
ctx->hash->result(ctx->ctx, digest);
@@ -63,53 +140,50 @@ void hmac_final(struct hmac_context *_ct
ctx->hash->result(ctx->ctxo, digest);
}
-buffer_t *t_hmac_data(const struct hash_method *meth,
+buffer_t *openssl_t_hmac_data(const struct hash_method *meth,
const unsigned char *key, size_t key_len,
const void *data, size_t data_len)
{
- struct hmac_context ctx;
+ struct openssl_hmac_context ctx;
i_assert(meth != NULL);
i_assert(key != NULL && key_len > 0);
i_assert(data != NULL || data_len == 0);
buffer_t *res = t_buffer_create(meth->digest_size);
- hmac_init(&ctx, key, key_len, meth);
+ openssl_hmac_init(&ctx, key, key_len, meth);
if (data_len > 0)
- hmac_update(&ctx, data, data_len);
+ openssl_hmac_update(&ctx, data, data_len);
unsigned char *buf = buffer_get_space_unsafe(res, 0, meth->digest_size);
- hmac_final(&ctx, buf);
+ openssl_hmac_final(&ctx, buf);
return res;
}
-buffer_t *t_hmac_buffer(const struct hash_method *meth,
+buffer_t *openssl_t_hmac_buffer(const struct hash_method *meth,
const unsigned char *key, size_t key_len,
const buffer_t *data)
{
- return t_hmac_data(meth, key, key_len, data->data, data->used);
+ return openssl_t_hmac_data(meth, key, key_len, data->data, data->used);
}
-buffer_t *t_hmac_str(const struct hash_method *meth,
+buffer_t *openssl_t_hmac_str(const struct hash_method *meth,
const unsigned char *key, size_t key_len,
const char *data)
{
- return t_hmac_data(meth, key, key_len, data, strlen(data));
+ return openssl_t_hmac_data(meth, key, key_len, data, strlen(data));
}
-void hmac_hkdf(const struct hash_method *method,
+void openssl_hmac_hkdf(const struct hash_method *method,
const unsigned char *salt, size_t salt_len,
const unsigned char *ikm, size_t ikm_len,
const unsigned char *info, size_t info_len,
buffer_t *okm_r, size_t okm_len)
{
+ const EVP_MD *md;
+ EVP_PKEY_CTX *pctx;
+ int r = 1;
+
i_assert(method != NULL);
i_assert(okm_len < 255*method->digest_size);
- struct hmac_context key_mac;
- struct hmac_context info_mac;
- size_t remain = okm_len;
- unsigned char prk[method->digest_size];
- unsigned char okm[method->digest_size];
- /* N = ceil(L/HashLen) */
- unsigned int rounds = (okm_len + method->digest_size - 1)/method->digest_size;
/* salt and info can be NULL */
i_assert(salt != NULL || salt_len == 0);
@@ -118,35 +192,30 @@ void hmac_hkdf(const struct hash_method
i_assert(ikm != NULL && ikm_len > 0);
i_assert(okm_r != NULL && okm_len > 0);
- /* but they still need valid pointer, reduces
- complains from static analysers */
- if (salt == NULL)
- salt = &uchar_nul;
- if (info == NULL)
- info = &uchar_nul;
-
- /* extract */
- hmac_init(&key_mac, salt, salt_len, method);
- hmac_update(&key_mac, ikm, ikm_len);
- hmac_final(&key_mac, prk);
-
- /* expand */
- for (unsigned int i = 0; remain > 0 && i < rounds; i++) {
- unsigned char round = (i+1);
- size_t amt = remain;
- if (amt > method->digest_size)
- amt = method->digest_size;
- hmac_init(&info_mac, prk, method->digest_size, method);
- if (i > 0)
- hmac_update(&info_mac, okm, method->digest_size);
- hmac_update(&info_mac, info, info_len);
- hmac_update(&info_mac, &round, 1);
- memset(okm, 0, method->digest_size);
- hmac_final(&info_mac, okm);
- buffer_append(okm_r, okm, amt);
- remain -= amt;
+
+ md = EVP_get_digestbyname(method->name);
+ pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
+ unsigned char *okm_buf = buffer_get_space_unsafe(okm_r, 0, okm_len);
+
+ if ((r=EVP_PKEY_derive_init(pctx)) <= 0)
+ goto out;
+ if ((r=EVP_PKEY_CTX_set_hkdf_md(pctx, md)) <= 0)
+ goto out;
+ if ((r=EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt, salt_len)) <= 0)
+ goto out;
+ if ((r=EVP_PKEY_CTX_set1_hkdf_key(pctx, ikm, ikm_len)) <= 0)
+ goto out;
+ if ((r=EVP_PKEY_CTX_add1_hkdf_info(pctx, info, info_len)) <= 0)
+ goto out;
+ if ((r=EVP_PKEY_derive(pctx, okm_buf, &okm_len)) <= 0)
+ goto out;
+
+ out:
+ EVP_PKEY_CTX_free(pctx);
+ if (r <= 0) {
+ unsigned long ec = ERR_get_error();
+ unsigned char *error = t_strdup_printf("%s", ERR_error_string(ec, NULL));
+ i_error("%s", error);
}
- safe_memset(prk, 0, sizeof(prk));
- safe_memset(okm, 0, sizeof(okm));
}
diff -up dovecot-2.3.14/src/lib/hmac-cram-md5.c.opensslhmac dovecot-2.3.14/src/lib/hmac-cram-md5.c
--- dovecot-2.3.14/src/lib/hmac-cram-md5.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/lib/hmac-cram-md5.c 2021-03-22 20:44:13.023912229 +0100
@@ -9,10 +9,10 @@
#include "md5.h"
#include "hmac-cram-md5.h"
-void hmac_md5_get_cram_context(struct hmac_context *_hmac_ctx,
+void hmac_md5_get_cram_context(struct orig_hmac_context *_hmac_ctx,
unsigned char context_digest[CRAM_MD5_CONTEXTLEN])
{
- struct hmac_context_priv *hmac_ctx = &_hmac_ctx->u.priv;
+ struct orig_hmac_context_priv *hmac_ctx = &_hmac_ctx->u.priv;
unsigned char *cdp;
struct md5_context *ctx = (void*)hmac_ctx->ctx;
@@ -35,10 +35,10 @@ void hmac_md5_get_cram_context(struct hm
CDPUT(cdp, ctx->d);
}
-void hmac_md5_set_cram_context(struct hmac_context *_hmac_ctx,
+void hmac_md5_set_cram_context(struct orig_hmac_context *_hmac_ctx,
const unsigned char context_digest[CRAM_MD5_CONTEXTLEN])
{
- struct hmac_context_priv *hmac_ctx = &_hmac_ctx->u.priv;
+ struct orig_hmac_context_priv *hmac_ctx = &_hmac_ctx->u.priv;
const unsigned char *cdp;
struct md5_context *ctx = (void*)hmac_ctx->ctx;
diff -up dovecot-2.3.14/src/lib/hmac-cram-md5.h.opensslhmac dovecot-2.3.14/src/lib/hmac-cram-md5.h
--- dovecot-2.3.14/src/lib/hmac-cram-md5.h.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/lib/hmac-cram-md5.h 2021-03-22 20:44:13.023912229 +0100
@@ -5,9 +5,9 @@
#define CRAM_MD5_CONTEXTLEN 32
-void hmac_md5_get_cram_context(struct hmac_context *ctx,
+void hmac_md5_get_cram_context(struct orig_hmac_context *ctx,
unsigned char context_digest[CRAM_MD5_CONTEXTLEN]);
-void hmac_md5_set_cram_context(struct hmac_context *ctx,
+void hmac_md5_set_cram_context(struct orig_hmac_context *ctx,
const unsigned char context_digest[CRAM_MD5_CONTEXTLEN]);
diff -up dovecot-2.3.14/src/lib/hmac.h.opensslhmac dovecot-2.3.14/src/lib/hmac.h
--- dovecot-2.3.14/src/lib/hmac.h.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/lib/hmac.h 2021-03-22 20:44:13.023912229 +0100
@@ -4,60 +4,97 @@
#include "hash-method.h"
#include "sha1.h"
#include "sha2.h"
+#include <openssl/objects.h>
+#include <openssl/hmac.h>
+#include <openssl/kdf.h>
+#include <openssl/err.h>
#define HMAC_MAX_CONTEXT_SIZE sizeof(struct sha512_ctx)
-struct hmac_context_priv {
+struct openssl_hmac_context_priv {
+#ifdef HAVE_HMAC_CTX_NEW
+ HMAC_CTX *ctx;
+#else
+ HMAC_CTX ctx;
+#endif
+ const struct hash_method *hash;
+};
+
+struct orig_hmac_context_priv {
char ctx[HMAC_MAX_CONTEXT_SIZE];
char ctxo[HMAC_MAX_CONTEXT_SIZE];
const struct hash_method *hash;
};
-struct hmac_context {
+struct openssl_hmac_context {
+ union {
+ struct openssl_hmac_context_priv priv;
+ uint64_t padding_requirement;
+ } u;
+};
+
+struct orig_hmac_context {
union {
- struct hmac_context_priv priv;
+ struct orig_hmac_context_priv priv;
uint64_t padding_requirement;
} u;
};
-void hmac_init(struct hmac_context *ctx, const unsigned char *key,
+void openssl_hmac_init(struct openssl_hmac_context *ctx, const unsigned char *key,
+ size_t key_len, const struct hash_method *meth);
+void openssl_hmac_final(struct openssl_hmac_context *ctx, unsigned char *digest);
+
+static inline void
+openssl_hmac_update(struct openssl_hmac_context *_ctx, const void *data, size_t size)
+{
+ struct openssl_hmac_context_priv *ctx = &_ctx->u.priv;
+ HMAC_Update(ctx->ctx, data, size);
+/* if (ec != 1)
+ {
+ const char *ebuf = NULL;
+ const char **error_r = &ebuf;
+ dcrypt_openssl_error(error_r);
+ }*/
+}
+
+void orig_hmac_init(struct orig_hmac_context *ctx, const unsigned char *key,
size_t key_len, const struct hash_method *meth);
-void hmac_final(struct hmac_context *ctx, unsigned char *digest);
+void orig_hmac_final(struct orig_hmac_context *ctx, unsigned char *digest);
static inline void
-hmac_update(struct hmac_context *_ctx, const void *data, size_t size)
+orig_hmac_update(struct orig_hmac_context *_ctx, const void *data, size_t size)
{
- struct hmac_context_priv *ctx = &_ctx->u.priv;
+ struct orig_hmac_context_priv *ctx = &_ctx->u.priv;
ctx->hash->loop(ctx->ctx, data, size);
}
-buffer_t *t_hmac_data(const struct hash_method *meth,
+buffer_t *openssl_t_hmac_data(const struct hash_method *meth,
const unsigned char *key, size_t key_len,
const void *data, size_t data_len);
-buffer_t *t_hmac_buffer(const struct hash_method *meth,
+buffer_t *openssl_t_hmac_buffer(const struct hash_method *meth,
const unsigned char *key, size_t key_len,
const buffer_t *data);
-buffer_t *t_hmac_str(const struct hash_method *meth,
+buffer_t *openssl_t_hmac_str(const struct hash_method *meth,
const unsigned char *key, size_t key_len,
const char *data);
-void hmac_hkdf(const struct hash_method *method,
+void openssl_hmac_hkdf(const struct hash_method *method,
const unsigned char *salt, size_t salt_len,
const unsigned char *ikm, size_t ikm_len,
const unsigned char *info, size_t info_len,
buffer_t *okm_r, size_t okm_len);
static inline buffer_t *
-t_hmac_hkdf(const struct hash_method *method,
+openssl_t_hmac_hkdf(const struct hash_method *method,
const unsigned char *salt, size_t salt_len,
const unsigned char *ikm, size_t ikm_len,
const unsigned char *info, size_t info_len,
size_t okm_len)
{
buffer_t *okm_buffer = t_buffer_create(okm_len);
- hmac_hkdf(method, salt, salt_len, ikm, ikm_len, info, info_len,
+ openssl_hmac_hkdf(method, salt, salt_len, ikm, ikm_len, info, info_len,
okm_buffer, okm_len);
return okm_buffer;
}
diff -up dovecot-2.3.14/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac dovecot-2.3.14/src/lib-imap-urlauth/imap-urlauth.c
--- dovecot-2.3.14/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/lib-imap-urlauth/imap-urlauth.c 2021-03-22 20:44:13.023912229 +0100
@@ -85,15 +85,15 @@ imap_urlauth_internal_generate(const cha
const unsigned char mailbox_key[IMAP_URLAUTH_KEY_LEN],
size_t *token_len_r)
{
- struct hmac_context hmac;
+ struct openssl_hmac_context hmac;
unsigned char *token;
token = t_new(unsigned char, SHA1_RESULTLEN + 1);
token[0] = IMAP_URLAUTH_MECH_INTERNAL_VERSION;
- hmac_init(&hmac, mailbox_key, IMAP_URLAUTH_KEY_LEN, &hash_method_sha1);
- hmac_update(&hmac, rumpurl, strlen(rumpurl));
- hmac_final(&hmac, token+1);
+ openssl_hmac_init(&hmac, mailbox_key, IMAP_URLAUTH_KEY_LEN, &hash_method_sha1);
+ openssl_hmac_update(&hmac, rumpurl, strlen(rumpurl));
+ openssl_hmac_final(&hmac, token+1);
*token_len_r = SHA1_RESULTLEN + 1;
return token;
diff -up dovecot-2.3.14/src/lib/Makefile.am.opensslhmac dovecot-2.3.14/src/lib/Makefile.am
--- dovecot-2.3.14/src/lib/Makefile.am.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/lib/Makefile.am 2021-03-22 20:44:13.023912229 +0100
@@ -352,6 +352,9 @@ headers = \
wildcard-match.h \
write-full.h
+liblib_la_LIBADD = $(SSL_LIBS)
+liblib_la_CFLAGS = $(SSL_CFLAGS)
+
test_programs = test-lib
noinst_PROGRAMS = $(test_programs)
diff -up dovecot-2.3.14/src/lib-oauth2/oauth2-jwt.c.opensslhmac dovecot-2.3.14/src/lib-oauth2/oauth2-jwt.c
--- dovecot-2.3.14/src/lib-oauth2/oauth2-jwt.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/lib-oauth2/oauth2-jwt.c 2021-03-22 20:44:13.024912217 +0100
@@ -106,14 +106,14 @@ oauth2_validate_hmac(const struct oauth2
if (oauth2_lookup_hmac_key(set, azp, alg, key_id, &key, error_r) < 0)
return -1;
- struct hmac_context ctx;
- hmac_init(&ctx, key->data, key->used, method);
- hmac_update(&ctx, blobs[0], strlen(blobs[0]));
- hmac_update(&ctx, ".", 1);
- hmac_update(&ctx, blobs[1], strlen(blobs[1]));
+ struct openssl_hmac_context ctx;
+ openssl_hmac_init(&ctx, key->data, key->used, method);
+ openssl_hmac_update(&ctx, blobs[0], strlen(blobs[0]));
+ openssl_hmac_update(&ctx, ".", 1);
+ openssl_hmac_update(&ctx, blobs[1], strlen(blobs[1]));
unsigned char digest[method->digest_size];
- hmac_final(&ctx, digest);
+ openssl_hmac_final(&ctx, digest);
buffer_t *their_digest =
t_base64url_decode_str(BASE64_DECODE_FLAG_NO_PADDING, blobs[2]);
diff -up dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c
--- dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c 2021-03-22 20:46:09.524440794 +0100
@@ -236,7 +236,7 @@ static void save_key_to(const char *algo
static void sign_jwt_token_hs256(buffer_t *tokenbuf, buffer_t *key)
{
i_assert(key != NULL);
- buffer_t *sig = t_hmac_buffer(&hash_method_sha256, key->data, key->used,
+ buffer_t *sig = openssl_t_hmac_buffer(&hash_method_sha256, key->data, key->used,
tokenbuf);
buffer_append(tokenbuf, ".", 1);
base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX,
@@ -246,7 +246,7 @@ static void sign_jwt_token_hs256(buffer_
static void sign_jwt_token_hs384(buffer_t *tokenbuf, buffer_t *key)
{
i_assert(key != NULL);
- buffer_t *sig = t_hmac_buffer(&hash_method_sha384, key->data, key->used,
+ buffer_t *sig = openssl_t_hmac_buffer(&hash_method_sha384, key->data, key->used,
tokenbuf);
buffer_append(tokenbuf, ".", 1);
base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX,
@@ -256,7 +256,7 @@ static void sign_jwt_token_hs384(buffer_
static void sign_jwt_token_hs512(buffer_t *tokenbuf, buffer_t *key)
{
i_assert(key != NULL);
- buffer_t *sig = t_hmac_buffer(&hash_method_sha512, key->data, key->used,
+ buffer_t *sig = openssl_t_hmac_buffer(&hash_method_sha512, key->data, key->used,
tokenbuf);
buffer_append(tokenbuf, ".", 1);
base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX,
diff -up dovecot-2.3.14/src/lib/pkcs5.c.opensslhmac dovecot-2.3.14/src/lib/pkcs5.c
--- dovecot-2.3.14/src/lib/pkcs5.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/lib/pkcs5.c 2021-03-22 20:44:13.024912217 +0100
@@ -52,7 +52,7 @@ int pkcs5_pbkdf2(const struct hash_metho
size_t l = (length + hash->digest_size - 1)/hash->digest_size; /* same as ceil(length/hash->digest_size) */
unsigned char dk[l * hash->digest_size];
unsigned char *block;
- struct hmac_context hctx;
+ struct openssl_hmac_context hctx;
unsigned int c,i,t;
unsigned char U_c[hash->digest_size];
@@ -60,17 +60,17 @@ int pkcs5_pbkdf2(const struct hash_metho
block = &(dk[t*hash->digest_size]);
/* U_1 = PRF(Password, Salt|| INT_BE32(Block_Number)) */
c = htonl(t+1);
- hmac_init(&hctx, password, password_len, hash);
- hmac_update(&hctx, salt, salt_len);
- hmac_update(&hctx, &c, sizeof(c));
- hmac_final(&hctx, U_c);
+ openssl_hmac_init(&hctx, password, password_len, hash);
+ openssl_hmac_update(&hctx, salt, salt_len);
+ openssl_hmac_update(&hctx, &c, sizeof(c));
+ openssl_hmac_final(&hctx, U_c);
/* block = U_1 ^ .. ^ U_iter */
memcpy(block, U_c, hash->digest_size);
/* U_c = PRF(Password, U_c-1) */
for(c = 1; c < iter; c++) {
- hmac_init(&hctx, password, password_len, hash);
- hmac_update(&hctx, U_c, hash->digest_size);
- hmac_final(&hctx, U_c);
+ openssl_hmac_init(&hctx, password, password_len, hash);
+ openssl_hmac_update(&hctx, U_c, hash->digest_size);
+ openssl_hmac_final(&hctx, U_c);
for(i = 0; i < hash->digest_size; i++)
block[i] ^= U_c[i];
}
diff -up dovecot-2.3.14/src/lib/test-hmac.c.opensslhmac dovecot-2.3.14/src/lib/test-hmac.c
--- dovecot-2.3.14/src/lib/test-hmac.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/lib/test-hmac.c 2021-03-22 20:44:13.024912217 +0100
@@ -206,11 +206,11 @@ static void test_hmac_rfc(void)
test_begin("hmac sha256 rfc4231 vectors");
for(size_t i = 0; i < N_ELEMENTS(test_vectors); i++) {
const struct test_vector *vec = &(test_vectors[i]);
- struct hmac_context ctx;
- hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf));
- hmac_update(&ctx, vec->data, vec->data_len);
+ struct openssl_hmac_context ctx;
+ openssl_hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf));
+ openssl_hmac_update(&ctx, vec->data, vec->data_len);
unsigned char res[SHA256_RESULTLEN];
- hmac_final(&ctx, res);
+ openssl_hmac_final(&ctx, res);
test_assert_idx(memcmp(res, vec->res, vec->res_len) == 0, i);
}
test_end();
@@ -221,11 +221,11 @@ static void test_hmac384_rfc(void)
test_begin("hmac sha384 rfc4231 vectors");
for (size_t i = 0; i < N_ELEMENTS(test_vectors_hmac384); i++) {
const struct test_vector *vec = &(test_vectors_hmac384[i]);
- struct hmac_context ctx;
- hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf));
- hmac_update(&ctx, vec->data, vec->data_len);
+ struct openssl_hmac_context ctx;
+ openssl_hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf));
+ openssl_hmac_update(&ctx, vec->data, vec->data_len);
unsigned char res[SHA384_RESULTLEN];
- hmac_final(&ctx, res);
+ openssl_hmac_final(&ctx, res);
test_assert_idx(memcmp(res, vec->res, vec->res_len) == 0, i);
}
test_end();
@@ -236,11 +236,11 @@ static void test_hmac512_rfc(void)
test_begin("hmac sha512 rfc4231 vectors");
for (size_t i = 0; i < N_ELEMENTS(test_vectors_hmac512); i++) {
const struct test_vector *vec = &(test_vectors_hmac512[i]);
- struct hmac_context ctx;
- hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf));
- hmac_update(&ctx, vec->data, vec->data_len);
+ struct openssl_hmac_context ctx;
+ openssl_hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf));
+ openssl_hmac_update(&ctx, vec->data, vec->data_len);
unsigned char res[SHA512_RESULTLEN];
- hmac_final(&ctx, res);
+ openssl_hmac_final(&ctx, res);
test_assert_idx(memcmp(res, vec->res, vec->res_len) == 0, i);
}
test_end();
@@ -253,7 +253,7 @@ static void test_hmac_buffer(void)
buffer_t *tmp;
- tmp = t_hmac_data(hash_method_lookup(vec->prf), vec->key, vec->key_len,
+ tmp = openssl_t_hmac_data(hash_method_lookup(vec->prf), vec->key, vec->key_len,
vec->data, vec->data_len);
test_assert(tmp->used == vec->res_len &&
@@ -270,7 +270,7 @@ static void test_hkdf_rfc(void)
buffer_set_used_size(res, 0);
const struct test_vector_5869 *vec = &(test_vectors_5869[i]);
const struct hash_method *m = hash_method_lookup(vec->prf);
- hmac_hkdf(m, vec->salt, vec->salt_len, vec->ikm, vec->ikm_len,
+ openssl_hmac_hkdf(m, vec->salt, vec->salt_len, vec->ikm, vec->ikm_len,
vec->info, vec->info_len, res, vec->okm_len);
test_assert_idx(memcmp(res->data, vec->okm, vec->okm_len) == 0, i);
}
@@ -283,7 +283,7 @@ static void test_hkdf_buffer(void)
test_begin("hkdf temporary buffer");
const struct test_vector_5869 *vec = &(test_vectors_5869[0]);
const struct hash_method *m = hash_method_lookup(vec->prf);
- buffer_t *tmp = t_hmac_hkdf(m, vec->salt, vec->salt_len, vec->ikm,
+ buffer_t *tmp = openssl_t_hmac_hkdf(m, vec->salt, vec->salt_len, vec->ikm,
vec->ikm_len, vec->info, vec->info_len,
vec->okm_len);
test_assert(tmp->used == vec->okm_len &&

19
SOURCES/dovecot.conf.5 Normal file
View File

@ -0,0 +1,19 @@
.TH DOVECOT.CONF 5 2010/06/27 "dovecot" "File Formats and Conventions"
.SH NAME
\fBdovecot.conf\fP \- The configuration file for dovecot imap and pop3 server
.SH FULL PATH
.B /etc/dovecot.conf
.SH DESCRIPTION
The dovecot.conf file is a configuration file for the
.BR dovecot (1)
imap and pop3 server. The dovecot.conf configuration file contains description to all available options. Some of these options are described also in offline wiki documentation placed in /usr/share/doc/dovecot*/wiki/.
For backup purposes unmodified version of dovecot.conf can be found in /usr/share/doc/dovecot-<version>/example-config/dovecot.conf.default
.SH "SEE ALSO"
.BR doveadm (1),
.BR dovecot (1),
.I /usr/share/doc/dovecot*/wiki/
.I /usr/share/doc/dovecot*/dovecot.conf.default

108
SOURCES/dovecot.init Executable file
View File

@ -0,0 +1,108 @@
#!/bin/bash
#
# /etc/rc.d/init.d/dovecot
#
# Starts the dovecot daemon
#
# chkconfig: - 65 35
# description: Dovecot Imap Server
# processname: dovecot
# config: /etc/dovecot.conf
# config: /etc/sysconfig/dovecot
# pidfile: /var/run/dovecot/master.pid
### BEGIN INIT INFO
# Provides: dovecot
# Required-Start: $local_fs $network
# Required-Stop: $local_fs $network
# Should-Start: $remote_fs
# Should-Stop: $remote_fs
# Default-Start:
# Default-Stop: 0 1 2 3 4 5 6
# Short-Description: start and stop Dovecot Imap server
# Description: Dovecot is an IMAP server for Linux/UNIX-like systems,
# written with security primarily in mind. It also contains
# a small POP3 server.
### END INIT INFO
# Source function library.
. /etc/init.d/functions
if [ -f /etc/sysconfig/dovecot -a $UID -eq 0 ]; then
. /etc/sysconfig/dovecot
fi
RETVAL=0
prog="Dovecot Imap"
exec="/usr/sbin/dovecot"
config="/etc/dovecot/dovecot.conf"
pidfile="/var/run/dovecot/master.pid"
lockfile="/var/lock/subsys/dovecot"
start() {
[ $UID -eq 0 ] || exit 4
[ -x $exec ] || exit 5
[ -f $config ] || exit 6
echo -n $"Starting $prog: "
daemon --pidfile $pidfile $exec $OPTIONS
RETVAL=$?
[ $RETVAL -eq 0 ] && touch $lockfile
echo
}
stop() {
[ $UID -eq 0 ] || exit 4
echo -n $"Stopping $prog: "
killproc -p $pidfile $exec
RETVAL=$?
[ $RETVAL -eq 0 ] && rm -f $lockfile
echo
}
reload() {
[ $UID -eq 0 ] || exit 4
echo -n $"Reloading $prog: "
killproc -p $pidfile $exec -HUP
RETVAL=$?
echo
}
#
# See how we were called.
#
case "$1" in
start)
start
;;
stop)
stop
;;
reload)
reload
;;
force-reload|restart)
stop
sleep 1
start
RETVAL=$?
;;
condrestart|try-restart)
if [ -f $lockfile ]; then
stop
sleep 3
start
fi
;;
status)
status -p $pidfile $exec
RETVAL=$?
;;
*)
echo $"Usage: $0 {condrestart|try-restart|start|stop|restart|reload|force-reload|status}"
RETVAL=2
[ "$1" = 'usage' ] && RETVAL=0
esac
exit $RETVAL

5
SOURCES/dovecot.pam Normal file
View File

@ -0,0 +1,5 @@
#%PAM-1.0
auth required pam_nologin.so
auth include password-auth
account include password-auth
session include password-auth

View File

@ -0,0 +1,3 @@
# Here you can specify your dovecot command line options.
#
#OPTIONS=""

View File

@ -0,0 +1,2 @@
d /run/dovecot 0755 root dovecot -

3
SOURCES/prestartscript Normal file
View File

@ -0,0 +1,3 @@
#!/bin/sh
/bin/systemctl -q is-enabled NetworkManager.service >/dev/null 2>&1 && /usr/bin/nm-online -q --timeout 30 ||:

2593
SPECS/dovecot.spec Normal file

File diff suppressed because it is too large Load Diff