import dovecot-2.3.8-1.el8

CentOS Sources 2020-01-21 13:53:24 -05:00 committed by Stepan Oksanichenko
parent fbe52931b8
commit 78a48395b6
13 changed files with 288 additions and 475 deletions


@ -1,2 +1,2 @@
09febe0f459ba26c526d8195b22179f39d48bc69 SOURCES/dovecot-2.2-pigeonhole-0.4.24.tar.gz
74c55736dfc92f586e2c75b7b4dd50816f63850b SOURCES/dovecot-2.2.36.tar.gz
b9c7290dad1ac3bc1ead11359812a137a3d173f7 SOURCES/dovecot-2.3-pigeonhole-0.5.8.tar.gz
65b93f7fd53705b3c97f9eee141a76c5f4f3a624 SOURCES/dovecot-2.3.8.tar.gz

.gitignore vendored

@ -1,2 +1,2 @@
SOURCES/dovecot-2.2-pigeonhole-0.4.24.tar.gz
SOURCES/dovecot-2.2.36.tar.gz
SOURCES/dovecot-2.3-pigeonhole-0.5.8.tar.gz
SOURCES/dovecot-2.3.8.tar.gz


@ -1,6 +1,6 @@
diff -up dovecot-2.2.18/doc/example-config/conf.d/10-mail.conf.default-settings dovecot-2.2.18/doc/example-config/conf.d/10-mail.conf
--- dovecot-2.2.18/doc/example-config/conf.d/10-mail.conf.default-settings 2014-06-02 13:50:10.000000000 +0200
+++ dovecot-2.2.18/doc/example-config/conf.d/10-mail.conf 2015-08-24 17:09:03.866648631 +0200
diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf.default-settings dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf
--- dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf.default-settings 2018-02-28 15:28:57.000000000 +0100
+++ dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf 2018-03-01 10:29:38.208368555 +0100
@@ -165,7 +165,7 @@ namespace inbox {
# to make sure that users can't log in as daemons or other system users.
# Note that denying root logins is hardcoded to dovecot binary and can't
@ -10,7 +10,7 @@ diff -up dovecot-2.2.18/doc/example-config/conf.d/10-mail.conf.default-settings
#last_valid_uid = 0
# Valid GID range for users, defaults to non-root/wheel. Users having
@@ -283,6 +283,7 @@ namespace inbox {
@@ -322,6 +322,7 @@ protocol !indexer-worker {
# them simultaneously.
#mbox_read_locks = fcntl
#mbox_write_locks = dotlock fcntl
@ -18,9 +18,9 @@ diff -up dovecot-2.2.18/doc/example-config/conf.d/10-mail.conf.default-settings
# Maximum time to wait for lock (all of them) before aborting.
#mbox_lock_timeout = 5 mins
diff -up dovecot-2.2.18/doc/example-config/conf.d/10-ssl.conf.default-settings dovecot-2.2.18/doc/example-config/conf.d/10-ssl.conf
--- dovecot-2.2.18/doc/example-config/conf.d/10-ssl.conf.default-settings 2014-10-03 16:36:00.000000000 +0200
+++ dovecot-2.2.18/doc/example-config/conf.d/10-ssl.conf 2015-08-24 17:10:49.536071649 +0200
diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf.default-settings dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf
--- dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf.default-settings 2018-02-28 15:28:57.000000000 +0100
+++ dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf 2018-03-01 10:33:54.779499044 +0100
@@ -3,7 +3,9 @@
##
@ -32,11 +32,11 @@ diff -up dovecot-2.2.18/doc/example-config/conf.d/10-ssl.conf.default-settings d
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
@@ -50,6 +52,7 @@ ssl_key = </etc/ssl/private/dovecot.pem
# SSL ciphers to use
#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
@@ -57,6 +59,7 @@ ssl_key = </etc/ssl/private/dovecot.pem
#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
# To disable non-EC DH, use:
#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
+ssl_cipher_list = PROFILE=SYSTEM
# Prefer the server's order of ciphers over client's.
#ssl_prefer_server_ciphers = no
# Colon separated list of elliptic curves to use. Empty value (the default)
# means use the defaults from the SSL library. P-521:P-384:P-256 would be an
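Review bot: The new `ssl_cipher_list = PROFILE=SYSTEM` line at the end of the 10-ssl.conf hunk is added with no explanatory comment, while the commented examples right above it still describe hand-written cipher strings, so an administrator editing this example config gets no hint that cipher selection is now delegated to the system-wide crypto policy. I would add one line above it: `# Defer to the system-wide crypto policy (update-crypto-policies(8)); override only if you understand what you lose.`. Note also that ssl_cipher_list governs only pre-TLS1.3 cipher selection in OpenSSL; whether TLS 1.3 suites and the minimum protocol version likewise follow the policy depends on how dovecot initialises its SSL_CTX, which this change does not show, so that is worth confirming rather than assuming.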


@ -1,11 +1,11 @@
diff -up dovecot-2.2.22/dovecot.service.in.waitonline dovecot-2.2.22/dovecot.service.in
--- dovecot-2.2.22/dovecot.service.in.waitonline 2016-03-16 13:36:49.426772606 +0100
+++ dovecot-2.2.22/dovecot.service.in 2016-03-16 13:47:23.923606903 +0100
@@ -24,6 +24,7 @@ After=local-fs.target network.target
diff -up dovecot-2.3.0.1/dovecot.service.in.waitonline dovecot-2.3.0.1/dovecot.service.in
--- dovecot-2.3.0.1/dovecot.service.in.waitonline 2018-03-01 10:35:39.888371078 +0100
+++ dovecot-2.3.0.1/dovecot.service.in 2018-03-01 10:36:29.738784661 +0100
@@ -12,6 +12,7 @@ After=local-fs.target network-online.tar
[Service]
Type=forking
Type=simple
+ExecStartPre=/usr/libexec/dovecot/prestartscript
ExecStart=@sbindir@/dovecot
ExecStart=@sbindir@/dovecot -F
PIDFile=@rundir@/master.pid
ExecReload=@bindir@/doveadm reload
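Review bot: The added `ExecStartPre=/usr/libexec/dovecot/prestartscript` hardcodes an absolute path while the neighbouring `ExecStart=@sbindir@/dovecot -F` and `ExecReload=@bindir@/doveadm reload` go through configure substitutions, so a non-default `--libexecdir` would silently break startup; if the build exports a libexec variable, `ExecStartPre=@pkglibexecdir@/prestartscript` (or whatever the Makefile substitutes) keeps the unit consistent. The script also runs as root inside the unit's sandbox, so hardening directives elsewhere in the same unit (for example `ProtectSystem=full`) apply to it too, which matters if it writes outside the permitted paths — the script itself is not part of this change, so that is an assumption to confirm. A one-line comment above the directive saying what the script prepares, and that it must stay idempotent across restarts, would help the next maintainer.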


@ -1,60 +0,0 @@
From ca5b3ec5331545b46ec1f1c4ecfa1302ddb10653 Mon Sep 17 00:00:00 2001
From: Timo Sirainen <timo.sirainen@dovecot.fi>
Date: Wed, 29 Jun 2016 00:56:56 +0300
Subject: [PATCH] auth: userdb passwd iteration now skips users not in
first/last_valid_gid range
Patch by Michal Hlavinka / Red Hat
---
src/auth/auth-settings.c | 4 ++++
src/auth/auth-settings.h | 2 ++
src/auth/userdb-passwd.c | 4 ++++
3 files changed, 10 insertions(+)
diff -up dovecot-2.2.36/src/auth/auth-settings.c.gidcheck dovecot-2.2.36/src/auth/auth-settings.c
--- dovecot-2.2.36/src/auth/auth-settings.c.gidcheck 2018-04-30 15:52:05.000000000 +0200
+++ dovecot-2.2.36/src/auth/auth-settings.c 2018-09-17 12:17:13.132032699 +0200
@@ -272,6 +272,8 @@ static const struct setting_define auth_
DEF_NOPREFIX(SET_BOOL, verbose_proctitle),
DEF_NOPREFIX(SET_UINT, first_valid_uid),
DEF_NOPREFIX(SET_UINT, last_valid_uid),
+ DEF_NOPREFIX(SET_UINT, first_valid_gid),
+ DEF_NOPREFIX(SET_UINT, last_valid_gid),
DEF_NOPREFIX(SET_STR, ssl_client_ca_dir),
DEF_NOPREFIX(SET_STR, ssl_client_ca_file),
@@ -331,6 +333,8 @@ static const struct auth_settings auth_d
.verbose_proctitle = FALSE,
.first_valid_uid = 500,
.last_valid_uid = 0,
+ .first_valid_gid = 1,
+ .last_valid_gid = 0,
};
const struct setting_parser_info auth_setting_parser_info = {
diff -up dovecot-2.2.36/src/auth/auth-settings.h.gidcheck dovecot-2.2.36/src/auth/auth-settings.h
--- dovecot-2.2.36/src/auth/auth-settings.h.gidcheck 2018-04-30 15:52:05.000000000 +0200
+++ dovecot-2.2.36/src/auth/auth-settings.h 2018-09-17 12:13:30.540159133 +0200
@@ -88,6 +88,8 @@ struct auth_settings {
bool verbose_proctitle;
unsigned int first_valid_uid;
unsigned int last_valid_uid;
+ unsigned int first_valid_gid;
+ unsigned int last_valid_gid;
/* generated: */
char username_chars_map[256];
diff -up dovecot-2.2.36/src/auth/userdb-passwd.c.gidcheck dovecot-2.2.36/src/auth/userdb-passwd.c
--- dovecot-2.2.36/src/auth/userdb-passwd.c.gidcheck 2018-04-30 15:52:05.000000000 +0200
+++ dovecot-2.2.36/src/auth/userdb-passwd.c 2018-09-17 12:13:30.540159133 +0200
@@ -145,6 +145,10 @@ passwd_iterate_want_pw(struct passwd *pw
return FALSE;
if (pw->pw_uid > (uid_t)set->last_valid_uid && set->last_valid_uid != 0)
return FALSE;
+ if (pw->pw_gid < (gid_t)set->first_valid_gid)
+ return FALSE;
+ if (pw->pw_gid > (gid_t)set->last_valid_gid && set->last_valid_gid != 0)
+ return FALSE;
return TRUE;
}


@ -1,12 +0,0 @@
diff -up dovecot-2.2.22/dovecot.service.in.online dovecot-2.2.22/dovecot.service.in
--- dovecot-2.2.22/dovecot.service.in.online 2016-03-16 13:47:47.112491206 +0100
+++ dovecot-2.2.22/dovecot.service.in 2016-03-16 13:48:14.339355363 +0100
@@ -20,7 +20,7 @@
Description=Dovecot IMAP/POP3 email server
Documentation=man:dovecot(1)
Documentation=http://wiki2.dovecot.org/
-After=local-fs.target network.target
+After=local-fs.target network-online.target
[Service]
Type=forking


@ -1,10 +1,9 @@
diff -up dovecot-2.2.22/dovecot-init.service.initbysystemd dovecot-2.2.22/dovecot-init.service
--- dovecot-2.2.22/dovecot-init.service.initbysystemd 2016-03-16 13:48:25.996297203 +0100
+++ dovecot-2.2.22/dovecot-init.service 2016-03-16 13:48:25.996297203 +0100
@@ -0,0 +1,18 @@
diff -up dovecot-2.3.0.1/dovecot-init.service.initbysystemd dovecot-2.3.0.1/dovecot-init.service
--- dovecot-2.3.0.1/dovecot-init.service.initbysystemd 2018-03-01 10:38:22.059716008 +0100
+++ dovecot-2.3.0.1/dovecot-init.service 2018-03-01 10:38:22.059716008 +0100
@@ -0,0 +1,13 @@
+[Unit]
+Description=One-time Dovecot init service
+ConditionPathExists=|!/var/lib/dovecot/ssl-parameters.dat
+ConditionPathExists=|!/etc/pki/dovecot/certs/dovecot.pem
+
+[Service]
@ -14,16 +13,12 @@ diff -up dovecot-2.2.22/dovecot-init.service.initbysystemd dovecot-2.2.22/doveco
+if [ ! -f /etc/pki/dovecot/certs/dovecot.pem ]; \
+then\
+ SSLDIR=/etc/pki/dovecot/ OPENSSLCONFIG=/etc/pki/dovecot/dovecot-openssl.cnf /usr/libexec/dovecot/mkcert.sh /dev/null 2>&1;\
+fi;\
+if [ ! -f /var/lib/dovecot/ssl-parameters.dat ]; \
+then\
+ /usr/libexec/dovecot/ssl-params >/dev/null 2>&1; \
+fi'
+
diff -up dovecot-2.2.22/dovecot.service.in.initbysystemd dovecot-2.2.22/dovecot.service.in
--- dovecot-2.2.22/dovecot.service.in.initbysystemd 2016-03-16 13:48:25.996297203 +0100
+++ dovecot-2.2.22/dovecot.service.in 2016-03-16 13:49:17.619039641 +0100
@@ -20,7 +20,8 @@
diff -up dovecot-2.3.0.1/dovecot.service.in.initbysystemd dovecot-2.3.0.1/dovecot.service.in
--- dovecot-2.3.0.1/dovecot.service.in.initbysystemd 2018-03-01 10:38:22.060716016 +0100
+++ dovecot-2.3.0.1/dovecot.service.in 2018-03-01 10:40:45.524901319 +0100
@@ -8,7 +8,8 @@
Description=Dovecot IMAP/POP3 email server
Documentation=man:dovecot(1)
Documentation=http://wiki2.dovecot.org/
@ -32,11 +27,11 @@ diff -up dovecot-2.2.22/dovecot.service.in.initbysystemd dovecot-2.2.22/dovecot.
+Requires=dovecot-init.service
[Service]
Type=forking
diff -up dovecot-2.2.22/Makefile.am.initbysystemd dovecot-2.2.22/Makefile.am
--- dovecot-2.2.22/Makefile.am.initbysystemd 2016-03-04 12:04:33.000000000 +0100
+++ dovecot-2.2.22/Makefile.am 2016-03-16 13:48:25.996297203 +0100
@@ -51,9 +51,10 @@ if HAVE_SYSTEMD
Type=simple
diff -up dovecot-2.3.0.1/Makefile.am.initbysystemd dovecot-2.3.0.1/Makefile.am
--- dovecot-2.3.0.1/Makefile.am.initbysystemd 2018-02-28 15:28:57.000000000 +0100
+++ dovecot-2.3.0.1/Makefile.am 2018-03-01 10:38:22.060716016 +0100
@@ -63,9 +63,10 @@ if HAVE_SYSTEMD
systemdsystemunit_DATA = \
dovecot.socket \
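Review bot: In the one-shot dovecot-init.service shell command, `/usr/libexec/dovecot/mkcert.sh /dev/null 2>&1;` is missing the `>` before `/dev/null`: as written, `/dev/null` is passed to mkcert.sh as a positional argument and only stderr is redirected (into the unit's stdout), unlike the `ssl-params >/dev/null 2>&1` line just below it. The fix is `SSLDIR=/etc/pki/dovecot/ OPENSSLCONFIG=/etc/pki/dovecot/dovecot-openssl.cnf /usr/libexec/dovecot/mkcert.sh >/dev/null 2>&1;\`; the rendered page does not show whether this line is carried over or newly added, but it is on the new side either way. Since this runs as root and presumably writes a private key under the `SSLDIR` it sets, a comment next to the ExecStart noting that the generated key's permissions come from mkcert.sh and the service umask, and should be checked after first start, would be worthwhile. The enclosing ExecStart line begins before the visible part of this hunk.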


@ -1,14 +1,11 @@
diff -up dovecot-2.2.28/dovecot.service.in.systemd_w_protectsystem dovecot-2.2.28/dovecot.service.in
--- dovecot-2.2.28/dovecot.service.in.systemd_w_protectsystem 2017-02-27 10:00:14.647423500 +0100
+++ dovecot-2.2.28/dovecot.service.in 2017-02-27 10:02:18.051377067 +0100
@@ -20,8 +20,8 @@ ExecReload=@bindir@/doveadm reload
diff -up dovecot-2.3.2/dovecot.service.in.systemd_w_protectsystem dovecot-2.3.2/dovecot.service.in
--- dovecot-2.3.2/dovecot.service.in.systemd_w_protectsystem 2018-07-09 12:00:13.359193526 +0200
+++ dovecot-2.3.2/dovecot.service.in 2018-07-09 12:00:46.387716884 +0200
@@ -23,6 +23,7 @@ ExecReload=@bindir@/doveadm reload
ExecStop=@bindir@/doveadm stop
PrivateTmp=true
NonBlocking=yes
-# Enable this if your systemd is new enough to support it:
-#ProtectSystem=full
+# Enable this if your systemd is new enough to support it: (it will make /usr /boot /etc read only for dovecot)
+ProtectSystem=full
# You can add environment variables with e.g.:
#Environment='CORE_OUTOFMEM=1'
+# this will make /usr /boot /etc read only for dovecot
ProtectSystem=full
ProtectHome=no
PrivateDevices=true
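Review bot: In the 2.3.2 version of this patch only the comment `+# this will make /usr /boot /etc read only for dovecot` carries an inner `+`, while `ProtectSystem=full` itself appears as unchanged context, so as rendered the patch no longer alters the unit's sandboxing at all; either drop it from the package or say in the comment why it is kept. If it stays, make the comment precise about scope, e.g. `# ProtectSystem=full: /usr, /boot and /etc are read-only for every Exec* command of this unit, including ExecStartPre.`, because any pre-start script added to the same unit runs under that restriction. Dropping the old "enable this if your systemd is new enough" wording is fine for el8's systemd.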


@ -1,69 +0,0 @@
From eb5ffe2641febe0fa5e9038f2e216c130e1e7519 Mon Sep 17 00:00:00 2001
From: Aki Tuomi <aki.tuomi@open-xchange.com>
Date: Mon, 21 Jan 2019 11:36:30 +0200
Subject: [PATCH] login-common: Ensure we get username from certificate
---
src/login-common/sasl-server.c | 42 ++++++++++++++++++++++++++++++++--
1 file changed, 40 insertions(+), 2 deletions(-)
diff --git a/src/login-common/sasl-server.c b/src/login-common/sasl-server.c
index a833c9a6d4..9465da9657 100644
--- a/src/login-common/sasl-server.c
+++ b/src/login-common/sasl-server.c
@@ -321,6 +321,37 @@ authenticate_callback(struct auth_client_request *request,
}
}
+static bool get_cert_username(struct client *client, const char **username_r,
+ const char **error_r)
+{
+ /* no SSL */
+ if (client->ssl_proxy == NULL) {
+ *username_r = NULL;
+ return TRUE;
+ }
+
+ /* no client certificate */
+ if (!ssl_proxy_has_valid_client_cert(client->ssl_proxy)) {
+ *username_r = NULL;
+ return TRUE;
+ }
+
+ /* get peer name */
+ const char *username = ssl_proxy_get_peer_name(client->ssl_proxy);
+
+ /* if we wanted peer name, but it was not there, fail */
+ if (client->set->auth_ssl_username_from_cert &&
+ (username == NULL || *username == '\0')) {
+ if (client->set->auth_ssl_require_client_cert) {
+ *error_r = "Missing username in certificate";
+ return FALSE;
+ }
+ }
+
+ *username_r = username;
+ return TRUE;
+}
+
void sasl_server_auth_begin(struct client *client,
const char *service, const char *mech_name,
const char *initial_resp_base64,
@@ -359,8 +390,15 @@ void sasl_server_auth_begin(struct client *client,
info.mech = mech->name;
info.service = service;
info.session_id = client_get_session_id(client);
- info.cert_username = client->ssl_proxy == NULL ? NULL :
- ssl_proxy_get_peer_name(client->ssl_proxy);
+ if (client->set->auth_ssl_username_from_cert) {
+ const char *error;
+ if (!get_cert_username(client, &info.cert_username, &error)) {
+ client_log_err(client, t_strdup_printf("Cannot get username "
+ "from certificate: %s", error));
+ sasl_server_auth_failed(client, "Unable to validate certificate");
+ return;
+ }
+ }
info.flags = client_get_auth_flags(client);
info.local_ip = client->local_ip;
info.remote_ip = client->ip;


@ -1,29 +0,0 @@
From 7525fece60f01b52deb13df3620976ee1d616837 Mon Sep 17 00:00:00 2001
From: Aki Tuomi <aki.tuomi@open-xchange.com>
Date: Mon, 21 Jan 2019 10:54:06 +0200
Subject: [PATCH] auth: Fail authentication if certificate username was
unexpectedly missing
---
src/auth/auth-request-handler.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/auth/auth-request-handler.c b/src/auth/auth-request-handler.c
index 617dc1883d..3044e94f91 100644
--- a/src/auth/auth-request-handler.c
+++ b/src/auth/auth-request-handler.c
@@ -560,6 +560,14 @@ bool auth_request_handler_auth_begin(struct auth_request_handler *handler,
return TRUE;
}
+ if (request->set->ssl_require_client_cert &&
+ request->set->ssl_username_from_cert &&
+ !request->cert_username) {
+ auth_request_handler_auth_fail(handler, request,
+ "SSL certificate didn't contain username");
+ return TRUE;
+ }
+
/* Empty initial response is a "=" base64 string. Completely empty
string shouldn't really be sent, but at least Exim does it,
so just allow it for backwards compatibility.. */


@ -1,22 +0,0 @@
From e5d428297d70e3ac8b6dfce7e0de182b86825082 Mon Sep 17 00:00:00 2001
From: Aki Tuomi <aki.tuomi@open-xchange.com>
Date: Wed, 16 Jan 2019 18:28:57 +0200
Subject: [PATCH] auth: Do not import empty certificate username
---
src/auth/auth-request.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/auth/auth-request.c b/src/auth/auth-request.c
index dd288b6d23..1cb665ec8c 100644
--- a/src/auth/auth-request.c
+++ b/src/auth/auth-request.c
@@ -445,7 +445,7 @@ bool auth_request_import_auth(struct auth_request *request,
else if (strcmp(key, "valid-client-cert") == 0)
request->valid_client_cert = TRUE;
else if (strcmp(key, "cert_username") == 0) {
- if (request->set->ssl_username_from_cert) {
+ if (request->set->ssl_username_from_cert && *value != '\0') {
/* get username from SSL certificate. it overrides
the username given by the auth mechanism. */
request->user = p_strdup(request->pool, value);


@ -1,7 +1,7 @@
diff -up dovecot-2.2.36/src/auth/auth-token.c.opensslhmac dovecot-2.2.36/src/auth/auth-token.c
--- dovecot-2.2.36/src/auth/auth-token.c.opensslhmac 2018-04-30 15:52:04.000000000 +0200
+++ dovecot-2.2.36/src/auth/auth-token.c 2019-06-10 15:38:38.834070480 +0200
@@ -163,17 +163,17 @@ void auth_token_deinit(void)
diff -up dovecot-2.3.8/src/auth/auth-token.c.opensslhmac dovecot-2.3.8/src/auth/auth-token.c
--- dovecot-2.3.8/src/auth/auth-token.c.opensslhmac 2019-10-08 10:46:18.000000000 +0200
+++ dovecot-2.3.8/src/auth/auth-token.c 2019-11-19 16:34:11.338037002 +0100
@@ -161,17 +161,17 @@ void auth_token_deinit(void)
const char *auth_token_get(const char *service, const char *session_pid,
const char *username, const char *session_id)
{
@ -26,9 +26,9 @@ diff -up dovecot-2.2.36/src/auth/auth-token.c.opensslhmac dovecot-2.2.36/src/aut
return binary_to_hex(result, sizeof(result));
}
diff -up dovecot-2.2.36/src/auth/mech-cram-md5.c.opensslhmac dovecot-2.2.36/src/auth/mech-cram-md5.c
--- dovecot-2.2.36/src/auth/mech-cram-md5.c.opensslhmac 2018-04-30 15:52:05.000000000 +0200
+++ dovecot-2.2.36/src/auth/mech-cram-md5.c 2019-06-10 15:38:38.834070480 +0200
diff -up dovecot-2.3.8/src/auth/mech-cram-md5.c.opensslhmac dovecot-2.3.8/src/auth/mech-cram-md5.c
--- dovecot-2.3.8/src/auth/mech-cram-md5.c.opensslhmac 2019-10-08 10:46:18.000000000 +0200
+++ dovecot-2.3.8/src/auth/mech-cram-md5.c 2019-11-19 16:34:11.338037002 +0100
@@ -51,7 +51,7 @@ static bool verify_credentials(struct cr
{
@ -52,9 +52,9 @@ diff -up dovecot-2.2.36/src/auth/mech-cram-md5.c.opensslhmac dovecot-2.2.36/src/
response_hex = binary_to_hex(digest, sizeof(digest));
diff -up dovecot-2.2.36/src/auth/mech-scram-sha1.c.opensslhmac dovecot-2.2.36/src/auth/mech-scram-sha1.c
--- dovecot-2.2.36/src/auth/mech-scram-sha1.c.opensslhmac 2018-04-30 15:52:05.000000000 +0200
+++ dovecot-2.2.36/src/auth/mech-scram-sha1.c 2019-06-10 15:38:38.834070480 +0200
diff -up dovecot-2.3.8/src/auth/mech-scram-sha1.c.opensslhmac dovecot-2.3.8/src/auth/mech-scram-sha1.c
--- dovecot-2.3.8/src/auth/mech-scram-sha1.c.opensslhmac 2019-10-08 10:46:18.000000000 +0200
+++ dovecot-2.3.8/src/auth/mech-scram-sha1.c 2019-11-19 16:34:11.338037002 +0100
@@ -71,7 +71,7 @@ static const char *get_scram_server_firs
static const char *get_scram_server_final(struct scram_auth_request *request)
@ -101,26 +101,26 @@ diff -up dovecot-2.2.36/src/auth/mech-scram-sha1.c.opensslhmac dovecot-2.2.36/sr
for (i = 0; i < sizeof(client_signature); i++)
client_key[i] =
diff -up dovecot-2.2.36/src/auth/password-scheme.c.opensslhmac dovecot-2.2.36/src/auth/password-scheme.c
--- dovecot-2.2.36/src/auth/password-scheme.c.opensslhmac 2018-04-30 15:52:05.000000000 +0200
+++ dovecot-2.2.36/src/auth/password-scheme.c 2019-06-10 15:38:38.834070480 +0200
@@ -655,11 +655,11 @@ static void
cram_md5_generate(const char *plaintext, const char *user ATTR_UNUSED,
diff -up dovecot-2.3.8/src/auth/password-scheme.c.opensslhmac dovecot-2.3.8/src/auth/password-scheme.c
--- dovecot-2.3.8/src/auth/password-scheme.c.opensslhmac 2019-10-08 10:46:18.000000000 +0200
+++ dovecot-2.3.8/src/auth/password-scheme.c 2019-11-19 16:34:11.339036998 +0100
@@ -647,11 +647,11 @@ static void
cram_md5_generate(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED,
const unsigned char **raw_password_r, size_t *size_r)
{
- struct hmac_context ctx;
+ struct orig_hmac_context ctx;
unsigned char *context_digest;
context_digest = t_malloc(CRAM_MD5_CONTEXTLEN);
context_digest = t_malloc_no0(CRAM_MD5_CONTEXTLEN);
- hmac_init(&ctx, (const unsigned char *)plaintext,
+ orig_hmac_init(&ctx, (const unsigned char *)plaintext,
strlen(plaintext), &hash_method_md5);
hmac_md5_get_cram_context(&ctx, context_digest);
diff -up dovecot-2.2.36/src/auth/password-scheme-scram.c.opensslhmac dovecot-2.2.36/src/auth/password-scheme-scram.c
--- dovecot-2.2.36/src/auth/password-scheme-scram.c.opensslhmac 2018-04-30 15:52:05.000000000 +0200
+++ dovecot-2.2.36/src/auth/password-scheme-scram.c 2019-06-10 15:38:38.834070480 +0200
diff -up dovecot-2.3.8/src/auth/password-scheme-scram.c.opensslhmac dovecot-2.3.8/src/auth/password-scheme-scram.c
--- dovecot-2.3.8/src/auth/password-scheme-scram.c.opensslhmac 2019-10-08 10:46:18.000000000 +0200
+++ dovecot-2.3.8/src/auth/password-scheme-scram.c 2019-11-19 16:34:11.339036998 +0100
@@ -27,23 +27,23 @@ static void Hi(const unsigned char *str,
const unsigned char *salt, size_t salt_size, unsigned int i,
unsigned char result[SHA1_RESULTLEN])
@ -213,10 +213,10 @@ diff -up dovecot-2.2.36/src/auth/password-scheme-scram.c.opensslhmac dovecot-2.2
str_append_c(str, ',');
base64_encode(server_key, sizeof(server_key), str);
diff -up dovecot-2.2.36/src/lib/hmac.c.opensslhmac dovecot-2.2.36/src/lib/hmac.c
--- dovecot-2.2.36/src/lib/hmac.c.opensslhmac 2018-04-30 15:52:05.000000000 +0200
+++ dovecot-2.2.36/src/lib/hmac.c 2019-06-10 15:38:38.834070480 +0200
@@ -7,15 +7,74 @@
diff -up dovecot-2.3.8/src/lib/hmac.c.opensslhmac dovecot-2.3.8/src/lib/hmac.c
--- dovecot-2.3.8/src/lib/hmac.c.opensslhmac 2019-10-08 10:46:18.000000000 +0200
+++ dovecot-2.3.8/src/lib/hmac.c 2019-11-19 17:25:28.045716181 +0100
@@ -7,6 +7,10 @@
* This software is released under the MIT license.
*/
@ -227,7 +227,9 @@ diff -up dovecot-2.2.36/src/lib/hmac.c.opensslhmac dovecot-2.2.36/src/lib/hmac.c
#include "lib.h"
#include "hmac.h"
#include "safe-memset.h"
#include "buffer.h"
@@ -14,10 +18,65 @@
#include "hex-binary.h"
-void hmac_init(struct hmac_context *_ctx, const unsigned char *key,
+#ifndef HAVE_HMAC_CTX_NEW
@ -243,8 +245,9 @@ diff -up dovecot-2.2.36/src/lib/hmac.c.opensslhmac dovecot-2.2.36/src/lib/hmac.c
+
+
+void openssl_hmac_init(struct openssl_hmac_context *_ctx, const unsigned char *key,
+ size_t key_len, const struct hash_method *meth)
+{
size_t key_len, const struct hash_method *meth)
{
- struct hmac_context_priv *ctx = &_ctx->u.priv;
+ struct openssl_hmac_context_priv *ctx = &_ctx->u.priv;
+
+ const EVP_MD *md;
@ -272,9 +275,8 @@ diff -up dovecot-2.2.36/src/lib/hmac.c.opensslhmac dovecot-2.2.36/src/lib/hmac.c
+}
+
+void orig_hmac_init(struct orig_hmac_context *_ctx, const unsigned char *key,
size_t key_len, const struct hash_method *meth)
{
- struct hmac_context_priv *ctx = &_ctx->u.priv;
+ size_t key_len, const struct hash_method *meth)
+{
+ static int no_fips = -1;
+ if (no_fips == -1) {
+ int fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY);
@ -293,7 +295,7 @@ diff -up dovecot-2.2.36/src/lib/hmac.c.opensslhmac dovecot-2.2.36/src/lib/hmac.c
int i;
unsigned char k_ipad[64];
unsigned char k_opad[64];
@@ -51,9 +110,27 @@ void hmac_init(struct hmac_context *_ctx
@@ -53,9 +112,27 @@ void hmac_init(struct hmac_context *_ctx
safe_memset(k_opad, 0, 64);
}
@ -323,7 +325,7 @@ diff -up dovecot-2.2.36/src/lib/hmac.c.opensslhmac dovecot-2.2.36/src/lib/hmac.c
ctx->hash->result(ctx->ctx, digest);
@@ -61,35 +138,35 @@ void hmac_final(struct hmac_context *_ct
@@ -63,53 +140,50 @@ void hmac_final(struct hmac_context *_ct
ctx->hash->result(ctx->ctxo, digest);
}
@ -338,7 +340,7 @@ diff -up dovecot-2.2.36/src/lib/hmac.c.opensslhmac dovecot-2.2.36/src/lib/hmac.c
i_assert(key != NULL && key_len > 0);
i_assert(data != NULL || data_len == 0);
buffer_t *res = buffer_create_dynamic(pool_datastack_create(), meth->digest_size);
buffer_t *res = t_buffer_create(meth->digest_size);
- hmac_init(&ctx, key, key_len, meth);
+ openssl_hmac_init(&ctx, key, key_len, meth);
if (data_len > 0)
@ -368,9 +370,92 @@ diff -up dovecot-2.2.36/src/lib/hmac.c.opensslhmac dovecot-2.2.36/src/lib/hmac.c
+ return openssl_t_hmac_data(meth, key, key_len, data, strlen(data));
}
diff -up dovecot-2.2.36/src/lib/hmac-cram-md5.c.opensslhmac dovecot-2.2.36/src/lib/hmac-cram-md5.c
--- dovecot-2.2.36/src/lib/hmac-cram-md5.c.opensslhmac 2017-06-23 13:18:28.000000000 +0200
+++ dovecot-2.2.36/src/lib/hmac-cram-md5.c 2019-06-10 15:38:38.835070476 +0200
-void hmac_hkdf(const struct hash_method *method,
+void openssl_hmac_hkdf(const struct hash_method *method,
const unsigned char *salt, size_t salt_len,
const unsigned char *ikm, size_t ikm_len,
const unsigned char *info, size_t info_len,
buffer_t *okm_r, size_t okm_len)
{
+ const EVP_MD *md;
+ EVP_PKEY_CTX *pctx;
+ int r = 1;
+
i_assert(method != NULL);
i_assert(okm_len < 255*method->digest_size);
- struct hmac_context key_mac;
- struct hmac_context info_mac;
- size_t remain = okm_len;
- unsigned char prk[method->digest_size];
- unsigned char okm[method->digest_size];
- /* N = ceil(L/HashLen) */
- unsigned int rounds = (okm_len + method->digest_size - 1)/method->digest_size;
/* salt and info can be NULL */
i_assert(salt != NULL || salt_len == 0);
@@ -118,35 +192,30 @@ void hmac_hkdf(const struct hash_method
i_assert(ikm != NULL && ikm_len > 0);
i_assert(okm_r != NULL && okm_len > 0);
- /* but they still need valid pointer, reduces
- complains from static analysers */
- if (salt == NULL)
- salt = &uchar_nul;
- if (info == NULL)
- info = &uchar_nul;
-
- /* extract */
- hmac_init(&key_mac, salt, salt_len, method);
- hmac_update(&key_mac, ikm, ikm_len);
- hmac_final(&key_mac, prk);
-
- /* expand */
- for (unsigned int i = 0; remain > 0 && i < rounds; i++) {
- unsigned char round = (i+1);
- size_t amt = remain;
- if (amt > method->digest_size)
- amt = method->digest_size;
- hmac_init(&info_mac, prk, method->digest_size, method);
- if (i > 0)
- hmac_update(&info_mac, okm, method->digest_size);
- hmac_update(&info_mac, info, info_len);
- hmac_update(&info_mac, &round, 1);
- memset(okm, 0, method->digest_size);
- hmac_final(&info_mac, okm);
- buffer_append(okm_r, okm, amt);
- remain -= amt;
+
+ md = EVP_get_digestbyname(method->name);
+ pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
+ unsigned char *okm_buf = buffer_get_space_unsafe(okm_r, 0, okm_len);
+
+ if ((r=EVP_PKEY_derive_init(pctx)) <= 0)
+ goto out;
+ if ((r=EVP_PKEY_CTX_set_hkdf_md(pctx, md)) <= 0)
+ goto out;
+ if ((r=EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt, salt_len)) <= 0)
+ goto out;
+ if ((r=EVP_PKEY_CTX_set1_hkdf_key(pctx, ikm, ikm_len)) <= 0)
+ goto out;
+ if ((r=EVP_PKEY_CTX_add1_hkdf_info(pctx, info, info_len)) <= 0)
+ goto out;
+ if ((r=EVP_PKEY_derive(pctx, okm_buf, &okm_len)) <= 0)
+ goto out;
+
+ out:
+ EVP_PKEY_CTX_free(pctx);
+ if (r <= 0) {
+ unsigned long ec = ERR_get_error();
+ unsigned char *error = t_strdup_printf("%s", ERR_error_string(ec, NULL));
+ i_error("%s", error);
}
- safe_memset(prk, 0, sizeof(prk));
- safe_memset(okm, 0, sizeof(okm));
}
diff -up dovecot-2.3.8/src/lib/hmac-cram-md5.c.opensslhmac dovecot-2.3.8/src/lib/hmac-cram-md5.c
--- dovecot-2.3.8/src/lib/hmac-cram-md5.c.opensslhmac 2019-10-08 10:46:18.000000000 +0200
+++ dovecot-2.3.8/src/lib/hmac-cram-md5.c 2019-11-19 16:34:11.339036998 +0100
@@ -9,10 +9,10 @@
#include "md5.h"
#include "hmac-cram-md5.h"
@ -397,9 +482,9 @@ diff -up dovecot-2.2.36/src/lib/hmac-cram-md5.c.opensslhmac dovecot-2.2.36/src/l
const unsigned char *cdp;
struct md5_context *ctx = (void*)hmac_ctx->ctx;
diff -up dovecot-2.2.36/src/lib/hmac-cram-md5.h.opensslhmac dovecot-2.2.36/src/lib/hmac-cram-md5.h
--- dovecot-2.2.36/src/lib/hmac-cram-md5.h.opensslhmac 2017-06-23 13:18:28.000000000 +0200
+++ dovecot-2.2.36/src/lib/hmac-cram-md5.h 2019-06-10 15:38:38.835070476 +0200
diff -up dovecot-2.3.8/src/lib/hmac-cram-md5.h.opensslhmac dovecot-2.3.8/src/lib/hmac-cram-md5.h
--- dovecot-2.3.8/src/lib/hmac-cram-md5.h.opensslhmac 2019-10-08 10:46:18.000000000 +0200
+++ dovecot-2.3.8/src/lib/hmac-cram-md5.h 2019-11-19 16:34:11.339036998 +0100
@@ -5,9 +5,9 @@
#define CRAM_MD5_CONTEXTLEN 32
@ -412,15 +497,16 @@ diff -up dovecot-2.2.36/src/lib/hmac-cram-md5.h.opensslhmac dovecot-2.2.36/src/l
const unsigned char context_digest[CRAM_MD5_CONTEXTLEN]);
diff -up dovecot-2.2.36/src/lib/hmac.h.opensslhmac dovecot-2.2.36/src/lib/hmac.h
--- dovecot-2.2.36/src/lib/hmac.h.opensslhmac 2017-06-23 13:18:28.000000000 +0200
+++ dovecot-2.2.36/src/lib/hmac.h 2019-06-10 15:38:38.835070476 +0200
@@ -3,43 +3,98 @@
diff -up dovecot-2.3.8/src/lib/hmac.h.opensslhmac dovecot-2.3.8/src/lib/hmac.h
--- dovecot-2.3.8/src/lib/hmac.h.opensslhmac 2019-10-08 10:46:18.000000000 +0200
+++ dovecot-2.3.8/src/lib/hmac.h 2019-11-19 16:34:11.339036998 +0100
@@ -3,60 +3,97 @@
#include "hash-method.h"
#include "sha1.h"
+#include <openssl/objects.h>
+#include <openssl/hmac.h>
+#include <openssl/kdf.h>
+#include <openssl/err.h>
#define HMAC_MAX_CONTEXT_SIZE 256
@ -459,8 +545,7 @@ diff -up dovecot-2.2.36/src/lib/hmac.h.opensslhmac dovecot-2.2.36/src/lib/hmac.h
-void hmac_init(struct hmac_context *ctx, const unsigned char *key,
+void openssl_hmac_init(struct openssl_hmac_context *ctx, const unsigned char *key,
size_t key_len, const struct hash_method *meth);
-void hmac_final(struct hmac_context *ctx, unsigned char *digest);
+ size_t key_len, const struct hash_method *meth);
+void openssl_hmac_final(struct openssl_hmac_context *ctx, unsigned char *digest);
+
+static inline void
@ -477,7 +562,8 @@ diff -up dovecot-2.2.36/src/lib/hmac.h.opensslhmac dovecot-2.2.36/src/lib/hmac.h
+}
+
+void orig_hmac_init(struct orig_hmac_context *ctx, const unsigned char *key,
+ size_t key_len, const struct hash_method *meth);
size_t key_len, const struct hash_method *meth);
-void hmac_final(struct hmac_context *ctx, unsigned char *digest);
+void orig_hmac_final(struct orig_hmac_context *ctx, unsigned char *digest);
@ -504,30 +590,31 @@ diff -up dovecot-2.2.36/src/lib/hmac.h.opensslhmac dovecot-2.2.36/src/lib/hmac.h
const unsigned char *key, size_t key_len,
const char *data);
+
+#if 0
+static bool dcrypt_openssl_error(const char **error_r)
+{
+ unsigned long ec;
+
+ if (error_r == NULL) {
+ /* caller is not really interested */
+ return FALSE;
+ }
+
+ ec = ERR_get_error();
+ *error_r = t_strdup_printf("%s", ERR_error_string(ec, NULL));
+ return FALSE;
+}
+#endif
+
+
+
#endif
diff -up dovecot-2.2.36/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac dovecot-2.2.36/src/lib-imap-urlauth/imap-urlauth.c
--- dovecot-2.2.36/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac 2018-04-30 15:52:05.000000000 +0200
+++ dovecot-2.2.36/src/lib-imap-urlauth/imap-urlauth.c 2019-06-10 15:38:38.835070476 +0200
@@ -83,15 +83,15 @@ imap_urlauth_internal_generate(const cha
-void hmac_hkdf(const struct hash_method *method,
+void openssl_hmac_hkdf(const struct hash_method *method,
const unsigned char *salt, size_t salt_len,
const unsigned char *ikm, size_t ikm_len,
const unsigned char *info, size_t info_len,
buffer_t *okm_r, size_t okm_len);
static inline buffer_t *
-t_hmac_hkdf(const struct hash_method *method,
+openssl_t_hmac_hkdf(const struct hash_method *method,
const unsigned char *salt, size_t salt_len,
const unsigned char *ikm, size_t ikm_len,
const unsigned char *info, size_t info_len,
size_t okm_len)
{
buffer_t *okm_buffer = t_buffer_create(okm_len);
- hmac_hkdf(method, salt, salt_len, ikm, ikm_len, info, info_len,
+ openssl_hmac_hkdf(method, salt, salt_len, ikm, ikm_len, info, info_len,
okm_buffer, okm_len);
return okm_buffer;
}
diff -up dovecot-2.3.8/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac dovecot-2.3.8/src/lib-imap-urlauth/imap-urlauth.c
--- dovecot-2.3.8/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac 2019-10-08 10:46:18.000000000 +0200
+++ dovecot-2.3.8/src/lib-imap-urlauth/imap-urlauth.c 2019-11-19 16:34:11.339036998 +0100
@@ -85,15 +85,15 @@ imap_urlauth_internal_generate(const cha
const unsigned char mailbox_key[IMAP_URLAUTH_KEY_LEN],
size_t *token_len_r)
{
@ -547,10 +634,10 @@ diff -up dovecot-2.2.36/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac dovecot-
*token_len_r = SHA1_RESULTLEN + 1;
return token;
diff -up dovecot-2.2.36/src/lib/Makefile.am.opensslhmac dovecot-2.2.36/src/lib/Makefile.am
--- dovecot-2.2.36/src/lib/Makefile.am.opensslhmac 2018-04-30 15:52:05.000000000 +0200
+++ dovecot-2.2.36/src/lib/Makefile.am 2019-06-10 15:42:28.810140696 +0200
@@ -306,6 +306,9 @@ headers = \
diff -up dovecot-2.3.8/src/lib/Makefile.am.opensslhmac dovecot-2.3.8/src/lib/Makefile.am
--- dovecot-2.3.8/src/lib/Makefile.am.opensslhmac 2019-10-08 10:46:18.000000000 +0200
+++ dovecot-2.3.8/src/lib/Makefile.am 2019-11-19 16:34:11.340036994 +0100
@@ -323,6 +323,9 @@ headers = \
wildcard-match.h \
write-full.h
@ -560,17 +647,9 @@ diff -up dovecot-2.2.36/src/lib/Makefile.am.opensslhmac dovecot-2.2.36/src/lib/M
test_programs = test-lib
noinst_PROGRAMS = $(test_programs)
@@ -335,6 +338,7 @@ test_lib_SOURCES = \
test-hash-format.c \
test-hash-method.c \
test-hex-binary.c \
+ test-hmac.c \
test-imem.c \
test-ioloop.c \
test-iso8601-date.c \
diff -up dovecot-2.2.36/src/lib-ntlm/ntlm-encrypt.c.opensslhmac dovecot-2.2.36/src/lib-ntlm/ntlm-encrypt.c
--- dovecot-2.2.36/src/lib-ntlm/ntlm-encrypt.c.opensslhmac 2018-04-30 15:52:05.000000000 +0200
+++ dovecot-2.2.36/src/lib-ntlm/ntlm-encrypt.c 2019-06-10 15:38:38.835070476 +0200
diff -up dovecot-2.3.8/src/lib-ntlm/ntlm-encrypt.c.opensslhmac dovecot-2.3.8/src/lib-ntlm/ntlm-encrypt.c
--- dovecot-2.3.8/src/lib-ntlm/ntlm-encrypt.c.opensslhmac 2019-10-08 10:46:18.000000000 +0200
+++ dovecot-2.3.8/src/lib-ntlm/ntlm-encrypt.c 2019-11-19 16:34:11.340036994 +0100
@@ -61,12 +61,12 @@ void ntlm_v1_hash(const char *passwd, un
}
@ -578,7 +657,7 @@ diff -up dovecot-2.2.36/src/lib-ntlm/ntlm-encrypt.c.opensslhmac dovecot-2.2.36/s
-hmac_md5_ucs2le_string_ucase(struct hmac_context *ctx, const char *str)
-{
- size_t len;
- unsigned char *wstr = t_unicode_str(str, 1, &len);
- unsigned char *wstr = t_unicode_str(str, TRUE, &len);
-
- hmac_update(ctx, wstr, len);
+hmac_md5_ucs2le_string_ucase(struct openssl_hmac_context *ctx, const char *str)
@ -628,9 +707,9 @@ diff -up dovecot-2.2.36/src/lib-ntlm/ntlm-encrypt.c.opensslhmac dovecot-2.2.36/s
safe_memset(hash, 0, sizeof(hash));
}
diff -up dovecot-2.2.36/src/lib/pkcs5.c.opensslhmac dovecot-2.2.36/src/lib/pkcs5.c
--- dovecot-2.2.36/src/lib/pkcs5.c.opensslhmac 2018-04-30 15:52:04.000000000 +0200
+++ dovecot-2.2.36/src/lib/pkcs5.c 2019-06-10 15:38:38.835070476 +0200
diff -up dovecot-2.3.8/src/lib/pkcs5.c.opensslhmac dovecot-2.3.8/src/lib/pkcs5.c
--- dovecot-2.3.8/src/lib/pkcs5.c.opensslhmac 2019-10-08 10:46:18.000000000 +0200
+++ dovecot-2.3.8/src/lib/pkcs5.c 2019-11-19 16:34:11.340036994 +0100
@@ -52,7 +52,7 @@ int pkcs5_pbkdf2(const struct hash_metho
size_t l = (length + hash->digest_size - 1)/hash->digest_size; /* same as ceil(length/hash->digest_size) */
unsigned char dk[l * hash->digest_size];
@ -665,121 +744,49 @@ diff -up dovecot-2.2.36/src/lib/pkcs5.c.opensslhmac dovecot-2.2.36/src/lib/pkcs5
for(i = 0; i < hash->digest_size; i++)
block[i] ^= U_c[i];
}
diff -up dovecot-2.2.36/src/lib/test-hmac.c.opensslhmac dovecot-2.2.36/src/lib/test-hmac.c
--- dovecot-2.2.36/src/lib/test-hmac.c.opensslhmac 2019-06-10 15:43:02.847003098 +0200
+++ dovecot-2.2.36/src/lib/test-hmac.c 2019-06-10 14:00:52.000000000 +0200
@@ -0,0 +1,103 @@
+/* Copyright (c) 2016-2018 Dovecot authors, see the included COPYING file */
+
+#include "test-lib.h"
+#include "hash-method.h"
+#include "hmac.h"
+#include "sha-common.h"
+#include "buffer.h"
+
+struct test_vector {
+ const char *prf;
+ const unsigned char *key;
+ size_t key_len;
+ const unsigned char *data;
+ size_t data_len;
+ const unsigned char *res;
+ size_t res_len;
+};
+
+#define TEST_BUF(x) (const unsigned char*)x, sizeof(x)-1
+
+/* RFC 4231 test vectors */
+static const struct test_vector test_vectors[] = {
+ /* Test Case 1 */
+ { "sha256",
+ TEST_BUF("\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"),
+ TEST_BUF("Hi There"),
+ TEST_BUF("\xb0\x34\x4c\x61\xd8\xdb\x38\x53\x5c\xa8\xaf\xce\xaf\x0b\xf1\x2b\x88\x1d\xc2\x00\xc9\x83\x3d\xa7\x26\xe9\x37\x6c\x2e\x32\xcf\xf7")
+ },
+ /* Test Case 2 */
+ { "sha256",
+ TEST_BUF("\x4a\x65\x66\x65"), /* "Jefe" */
+ TEST_BUF("what do ya want for nothing?"),
+ TEST_BUF("\x5b\xdc\xc1\x46\xbf\x60\x75\x4e\x6a\x04\x24\x26\x08\x95\x75\xc7\x5a\x00\x3f\x08\x9d\x27\x39\x83\x9d\xec\x58\xb9\x64\xec\x38\x43")
+ },
+ /* Test Case 3 */
+ { "sha256",
+ TEST_BUF("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"),
+ TEST_BUF("\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"),
+ TEST_BUF("\x77\x3e\xa9\x1e\x36\x80\x0e\x46\x85\x4d\xb8\xeb\xd0\x91\x81\xa7\x29\x59\x09\x8b\x3e\xf8\xc1\x22\xd9\x63\x55\x14\xce\xd5\x65\xfe")
+ },
+ /* Test Case 4 */
+ { "sha256",
+ TEST_BUF("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19"),
+ TEST_BUF("\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"),
+ TEST_BUF("\x82\x55\x8a\x38\x9a\x44\x3c\x0e\xa4\xcc\x81\x98\x99\xf2\x08\x3a\x85\xf0\xfa\xa3\xe5\x78\xf8\x07\x7a\x2e\x3f\xf4\x67\x29\x66\x5b")
+ },
+ /* Test Case 5 */
+ { "sha256",
+ TEST_BUF("\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c"),
+ TEST_BUF("\x54\x65\x73\x74\x20\x57\x69\x74\x68\x20\x54\x72\x75\x6e\x63\x61\x74\x69\x6f\x6e"), /* "Test With Truncation" */
+ TEST_BUF("\xa3\xb6\x16\x74\x73\x10\x0e\xe0\x6e\x0c\x79\x6c\x29\x55\x55\x2b")
+ },
+ /* Test Case 6 */
+ { "sha256",
+ TEST_BUF("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"),
+ TEST_BUF("\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74"), /* "Test Using Larger Than Block-Size Key - Hash Key First" */
+ TEST_BUF("\x60\xe4\x31\x59\x1e\xe0\xb6\x7f\x0d\x8a\x26\xaa\xcb\xf5\xb7\x7f\x8e\x0b\xc6\x21\x37\x28\xc5\x14\x05\x46\x04\x0f\x0e\xe3\x7f\x54")
+ },
+ /* Test Case 7 */
+ { "sha256",
+ TEST_BUF("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"),
+ TEST_BUF("\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"),
+ /* "This is a test using a larger than block-size key and a larger than block-size data. The key needs to be hashed before being used by the HMAC algorithm." */
+ TEST_BUF("\x9b\x09\xff\xa7\x1b\x94\x2f\xcb\x27\x63\x5f\xbc\xd5\xb0\xe9\x44\xbf\xdc\x63\x64\x4f\x07\x13\x93\x8a\x7f\x51\x53\x5c\x3a\x35\xe2")
+ }
+};
+
+static void test_hmac_rfc(void)
+{
+ test_begin("hmac sha256 rfc4231 vectors");
+ for(size_t i = 0; i < N_ELEMENTS(test_vectors); i++) {
+ const struct test_vector *vec = &(test_vectors[i]);
diff -up dovecot-2.3.8/src/lib/test-hmac.c.opensslhmac dovecot-2.3.8/src/lib/test-hmac.c
--- dovecot-2.3.8/src/lib/test-hmac.c.opensslhmac 2019-10-08 10:46:18.000000000 +0200
+++ dovecot-2.3.8/src/lib/test-hmac.c 2019-11-19 16:34:11.340036994 +0100
@@ -112,11 +112,11 @@ static void test_hmac_rfc(void)
test_begin("hmac sha256 rfc4231 vectors");
for(size_t i = 0; i < N_ELEMENTS(test_vectors); i++) {
const struct test_vector *vec = &(test_vectors[i]);
- struct hmac_context ctx;
- hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf));
- hmac_update(&ctx, vec->data, vec->data_len);
+ struct openssl_hmac_context ctx;
+ openssl_hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf));
+ openssl_hmac_update(&ctx, vec->data, vec->data_len);
+ unsigned char res[SHA256_RESULTLEN];
unsigned char res[SHA256_RESULTLEN];
- hmac_final(&ctx, res);
+ openssl_hmac_final(&ctx, res);
+ test_assert_idx(memcmp(res, vec->res, vec->res_len) == 0, i);
+ }
+ test_end();
+}
+
+static void test_hmac_buffer(void)
+{
+ const struct test_vector *vec = &(test_vectors[0]);
+ test_begin("hmac temporary buffer");
+
+ buffer_t *tmp;
+
test_assert_idx(memcmp(res, vec->res, vec->res_len) == 0, i);
}
test_end();
@@ -129,7 +129,7 @@ static void test_hmac_buffer(void)
buffer_t *tmp;
- tmp = t_hmac_data(hash_method_lookup(vec->prf), vec->key, vec->key_len,
+ tmp = openssl_t_hmac_data(hash_method_lookup(vec->prf), vec->key, vec->key_len,
+ vec->data, vec->data_len);
+
+ test_assert(tmp->used == vec->res_len &&
+ memcmp(tmp->data, vec->res, vec->res_len) == 0);
+
+ test_end();
+}
+
+void test_hmac(void)
+{
+ test_hmac_rfc();
+ test_hmac_buffer();
+}
diff -up dovecot-2.2.36/src/lib/test-lib.h.opensslhmac dovecot-2.2.36/src/lib/test-lib.h
--- dovecot-2.2.36/src/lib/test-lib.h.opensslhmac 2019-06-10 15:41:57.155268669 +0200
+++ dovecot-2.2.36/src/lib/test-lib.h 2019-06-10 15:41:57.194268512 +0200
@@ -20,6 +20,7 @@ void test_failures(void);
void test_file_create_locked(void);
void test_guid(void);
void test_hash(void);
+void test_hmac(void);
void test_hash_format(void);
void test_hash_method(void);
void test_hex_binary(void);
vec->data, vec->data_len);
test_assert(tmp->used == vec->res_len &&
@@ -146,7 +146,7 @@ static void test_hkdf_rfc(void)
buffer_set_used_size(res, 0);
const struct test_vector_5869 *vec = &(test_vectors_5869[i]);
const struct hash_method *m = hash_method_lookup(vec->prf);
- hmac_hkdf(m, vec->salt, vec->salt_len, vec->ikm, vec->ikm_len,
+ openssl_hmac_hkdf(m, vec->salt, vec->salt_len, vec->ikm, vec->ikm_len,
vec->info, vec->info_len, res, vec->okm_len);
test_assert_idx(memcmp(res->data, vec->okm, vec->okm_len) == 0, i);
}
@@ -159,7 +159,7 @@ static void test_hkdf_buffer(void)
test_begin("hkdf temporary buffer");
const struct test_vector_5869 *vec = &(test_vectors_5869[0]);
const struct hash_method *m = hash_method_lookup(vec->prf);
- buffer_t *tmp = t_hmac_hkdf(m, vec->salt, vec->salt_len, vec->ikm,
+ buffer_t *tmp = openssl_t_hmac_hkdf(m, vec->salt, vec->salt_len, vec->ikm,
vec->ikm_len, vec->info, vec->info_len,
vec->okm_len);
test_assert(tmp->used == vec->okm_len &&


@ -3,19 +3,19 @@
Summary: Secure imap and pop3 server
Name: dovecot
Epoch: 1
Version: 2.2.36
Version: 2.3.8
%global prever %{nil}
Release: 8%{?dist}
Release: 1%{?dist}
#dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2
License: MIT and LGPLv2
Group: System Environment/Daemons
URL: http://www.dovecot.org/
Source: http://www.dovecot.org/releases/2.2/%{name}-%{version}%{?prever}.tar.gz
Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz
Source1: dovecot.init
Source2: dovecot.pam
%global pigeonholever 0.4.24
Source8: http://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-%{pigeonholever}.tar.gz
%global pigeonholever 0.5.8
Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz
Source9: dovecot.sysconfig
Source10: dovecot.tmpfilesd
@ -29,7 +29,6 @@ Patch3: dovecot-1.0.rc7-mkcert-paths.patch
#wait for network
Patch6: dovecot-2.1.10-waitonline.patch
Patch7: dovecot-2.2.13-online.patch
Patch8: dovecot-2.2.20-initbysystemd.patch
Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch
@ -38,18 +37,12 @@ Patch10: dovecot-2.3.0.1-libxcrypt.patch
# sent upstream, rhbz#1630380
Patch11: dovecot-2.2.36-aclfix.patch
# dovecot < 2.3, rhbz#1280436
Patch12: dovecot-2.2-gidcheck.patch
Patch13: dovecot-2.2.36-bigkey.patch
# do not use own implementation of HMAC, use OpenSSL for certification purposes
# not sent upstream as proper fix would use dovecot's lib-dcrypt but it introduces
# hard to break circular dependency between lib and lib-dcrypt
Patch14: dovecot-2.3.6-opensslhmac.patch
Patch15: dovecot-2.2.36-cve_2019_3814part1of3.patch
Patch16: dovecot-2.2.36-cve_2019_3814part2of3.patch
Patch17: dovecot-2.2.36-cve_2019_3814part3of3.patch
Source15: prestartscript
@ -57,11 +50,17 @@ BuildRequires: openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel
BuildRequires: libtool, autoconf, automake, pkgconfig
BuildRequires: sqlite-devel
BuildRequires: postgresql-devel
#BuildRequires: libpq-devel
BuildRequires: mariadb-connector-c-devel
#BuildRequires: libxcrypt-devel
BuildRequires: openldap-devel
BuildRequires: krb5-devel
BuildRequires: quota-devel
BuildRequires: xz-devel
BuildRequires: lz4-devel
#BuildRequires: libsodium-devel
#BuildRequires: libexttextcat-devel
#BuildRequires: libstemmer-devel
# gettext-devel is needed for running autoconf because of the
# presence of AM_ICONV
@ -143,26 +142,22 @@ This package provides the development files for dovecot.
%patch2 -p1 -b .mkcert-permissions
%patch3 -p1 -b .mkcert-paths
%patch6 -p1 -b .waitonline
%patch7 -p1 -b .online
%patch8 -p1 -b .initbysystemd
%patch9 -p1 -b .systemd_w_protectsystem
%patch10 -p1 -b .libxcrypt
#%patch10 -p1 -b .libxcrypt
%patch11 -p1 -b .aclfix
%patch12 -p1 -b .gidcheck
%patch13 -p1 -b .bigkey
%patch14 -p1 -b .opensslhmac
%patch15 -p1 -b .cve_2019_3814part1of3
%patch16 -p1 -b .cve_2019_3814part2of3
%patch17 -p1 -b .cve_2019_3814part3of3
pushd dovecot-2*3-pigeonhole-%{pigeonholever}
popd
#pushd dovecot-2*2-pigeonhole-%{pigeonholever}
#popd
sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in
%build
#required for fdpass.c line 125,190: dereferencing type-punned pointer will break strict-aliasing rules
%global _hardened_build 1
export CFLAGS="%{__global_cflags} -fno-strict-aliasing"
export CFLAGS="%{__global_cflags} -fno-strict-aliasing -fstack-reuse=none"
export LDFLAGS="-Wl,-z,now -Wl,-z,relro %{?__global_ldflags}"
# el6 autoconf too old to regen; use packaged files (#1082384)
%if %{?fedora}00%{?rhel} > 6
@ -197,7 +192,7 @@ sed -i 's|/etc/ssl|/etc/pki/dovecot|' doc/mkcert.sh doc/example-config/conf.d/10
make %{?_smp_mflags}
#pigeonhole
pushd dovecot-2*2-pigeonhole-%{pigeonholever}
pushd dovecot-2*3-pigeonhole-%{pigeonholever}
# required for snapshot
[ -f configure ] || autoreconf -fiv
@ -221,7 +216,7 @@ make install DESTDIR=$RPM_BUILD_ROOT
mv $RPM_BUILD_ROOT/%{_docdir}/%{name} %{_builddir}/%{name}-%{version}%{?prever}/docinstall
pushd dovecot-2*2-pigeonhole-%{pigeonholever}
pushd dovecot-2*3-pigeonhole-%{pigeonholever}
make install DESTDIR=$RPM_BUILD_ROOT
mv $RPM_BUILD_ROOT/%{_docdir}/%{name} $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole
@ -360,7 +355,7 @@ fi
%check
make check
cd dovecot-2*2-pigeonhole-%{pigeonholever}
cd dovecot-2*3-pigeonhole-%{pigeonholever}
make check
%files
@ -397,6 +392,7 @@ make check
%config(noreplace) %{_sysconfdir}/dovecot/conf.d/20-imap.conf
%config(noreplace) %{_sysconfdir}/dovecot/conf.d/20-lmtp.conf
%config(noreplace) %{_sysconfdir}/dovecot/conf.d/20-pop3.conf
%config(noreplace) %{_sysconfdir}/dovecot/conf.d/20-submission.conf
%config(noreplace) %{_sysconfdir}/dovecot/conf.d/90-acl.conf
%config(noreplace) %{_sysconfdir}/dovecot/conf.d/90-quota.conf
%config(noreplace) %{_sysconfdir}/dovecot/conf.d/90-plugin.conf
@ -423,7 +419,6 @@ make check
%dir %{_libdir}/dovecot
%dir %{_libdir}/dovecot/auth
%dir %{_libdir}/dovecot/dict
%dir %{_libdir}/dovecot/stats
%{_libdir}/dovecot/doveadm
%exclude %{_libdir}/dovecot/doveadm/*sieve*
%{_libdir}/dovecot/*.so.*
@ -437,8 +432,6 @@ make check
%{_libdir}/dovecot/auth/libdriver_sqlite.so
%{_libdir}/dovecot/dict/libdriver_sqlite.so
%{_libdir}/dovecot/dict/libdict_ldap.so
%{_libdir}/dovecot/stats/libstats_auth.so
%{_libdir}/dovecot/stats/libstats_mail.so
%{_libdir}/dovecot/libdriver_sqlite.so
%{_libdir}/dovecot/libssl_iostream_openssl.so
%{_libdir}/dovecot/libfs_compress.so
@ -446,6 +439,8 @@ make check
%{_libdir}/dovecot/libfs_mail_crypt.so
%{_libdir}/dovecot/libdcrypt_openssl.so
%{_libdir}/dovecot/lib20_var_expand_crypt.so
%{_libdir}/dovecot/old-stats/libold_stats_mail.so
%{_libdir}/dovecot/old-stats/libstats_auth.so
%dir %{_libdir}/dovecot/settings
@ -511,6 +506,17 @@ make check
%{_libdir}/%{name}/dict/libdriver_pgsql.so
%changelog
* Tue Nov 19 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-1
- dovecot updated to 2.3.8 with pigeonhole updated to 0.5.8 (#1653117)
* Thu Aug 29 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-10
- fix CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte
when scanning data in quoted strings, leading to out of bounds heap
memory writes (#1741788)
* Fri Aug 23 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-9
- reset errno before iterating through users (#1630410)
* Mon Jun 17 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-8
- fix CVE-2019-3814: improper certificate validation (#1674370)
@ -621,7 +627,7 @@ make check
imap unhibernation to fail or IMAP QRESYNC/CONDSTORE extensions to
not work perfectly.
- mdbox: "Inconsistency in map index" wasn't fixed automatically
- dict-ldap: %variable values used in the LDAP filter weren't escaped.
- dict-ldap: %%variable values used in the LDAP filter weren't escaped.
- quota=count: quota_warning = -storage=.. was never executed (try #2).
- imapc: >= 32 kB mail bodies were supposed to be cached for subsequent
FETCHes, but weren't.
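Review bot: The 1:2.3.8-1 changelog entry records only the version bump while the spec drops the three cve_2019_3814 patches (Patch15–17), so nothing in the package metadata tells a security tracker that the fix is now carried by upstream; I would extend the entry with `- drop cve_2019_3814 patches, fix is included in upstream 2.3.8 (fixed in 2.3.4.1)` and, if the 2.2.36-10 CVE-2019-11500 fix is likewise superseded (upstream fixed it in 2.3.7.2 as far as I recall), say so in the same entry after checking the dovecot advisories. Separately, `-fstack-reuse=none` is added to CFLAGS next to a comment that only justifies `-fno-strict-aliasing`; a one-line `# -fstack-reuse=none: <reason or bug reference>` above the export keeps the hardening flags auditable. Note also that Patch10 stays declared while `%patch10 -p1 -b .libxcrypt` is commented out, so the libxcrypt patch is shipped in the SRPM but never applied; either drop the Patch10 line or leave a comment explaining why it is kept.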