rpms/dovecot
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import dovecot-2.2.36-8.el8

Browse Source
This commit is contained in:
CentOS Sources 2019-08-01 12:42:57 -04:00 committed by Stepan Oksanichenko
commit fbe52931b8
24 changed files with 3762 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.dovecot.metadata Normal file
View File

@ -0,0 +1,2 @@
09febe0f459ba26c526d8195b22179f39d48bc69 SOURCES/dovecot-2.2-pigeonhole-0.4.24.tar.gz
74c55736dfc92f586e2c75b7b4dd50816f63850b SOURCES/dovecot-2.2.36.tar.gz

2
.gitignore vendored Normal file
View File

@ -0,0 +1,2 @@
SOURCES/dovecot-2.2-pigeonhole-0.4.24.tar.gz
SOURCES/dovecot-2.2.36.tar.gz

11
SOURCES/dovecot-1.0.beta2-mkcert-permissions.patch Normal file
View File

@ -0,0 +1,11 @@
--- dovecot-1.0.beta2/doc/mkcert.sh.configfile 2006-01-16 21:14:54.000000000 +0100
+++ dovecot-1.0.beta2/doc/mkcert.sh 2006-01-26 14:28:38.000000000 +0100
@@ -29,6 +29,7 @@
fi
$OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 365 || exit 2
-chmod 0600 $KEYFILE
+chown root:root $CERTFILE $KEYFILE
+chmod 0600 $CERTFILE $KEYFILE
echo
$OPENSSL x509 -subject -fingerprint -noout -in $CERTFILE || exit 2

14
SOURCES/dovecot-1.0.rc7-mkcert-paths.patch Normal file
View File

@ -0,0 +1,14 @@
diff -up dovecot-2.2.27/doc/mkcert.sh.mkcert-paths dovecot-2.2.27/doc/mkcert.sh
--- dovecot-2.2.27/doc/mkcert.sh.mkcert-paths 2016-12-05 10:26:07.913515286 +0100
+++ dovecot-2.2.27/doc/mkcert.sh 2016-12-05 10:28:25.439634417 +0100
@@ -5,8 +5,8 @@
umask 077
OPENSSL=${OPENSSL-openssl}
-SSLDIR=${SSLDIR-/etc/ssl}
-OPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf}
+SSLDIR=${SSLDIR-/etc/pki/dovecot}
+OPENSSLCONFIG=${OPENSSLCONFIG-/etc/pki/dovecot/dovecot-openssl.cnf}
CERTDIR=$SSLDIR/certs
KEYDIR=$SSLDIR/private

42
SOURCES/dovecot-2.0-defaultconfig.patch Normal file
View File

@ -0,0 +1,42 @@
diff -up dovecot-2.2.18/doc/example-config/conf.d/10-mail.conf.default-settings dovecot-2.2.18/doc/example-config/conf.d/10-mail.conf
--- dovecot-2.2.18/doc/example-config/conf.d/10-mail.conf.default-settings 2014-06-02 13:50:10.000000000 +0200
+++ dovecot-2.2.18/doc/example-config/conf.d/10-mail.conf 2015-08-24 17:09:03.866648631 +0200
@@ -165,7 +165,7 @@ namespace inbox {
# to make sure that users can't log in as daemons or other system users.
# Note that denying root logins is hardcoded to dovecot binary and can't
# be done even if first_valid_uid is set to 0.
-#first_valid_uid = 500
+first_valid_uid = 1000
#last_valid_uid = 0
# Valid GID range for users, defaults to non-root/wheel. Users having
@@ -283,6 +283,7 @@ namespace inbox {
# them simultaneously.
#mbox_read_locks = fcntl
#mbox_write_locks = dotlock fcntl
+mbox_write_locks = fcntl
# Maximum time to wait for lock (all of them) before aborting.
#mbox_lock_timeout = 5 mins
diff -up dovecot-2.2.18/doc/example-config/conf.d/10-ssl.conf.default-settings dovecot-2.2.18/doc/example-config/conf.d/10-ssl.conf
--- dovecot-2.2.18/doc/example-config/conf.d/10-ssl.conf.default-settings 2014-10-03 16:36:00.000000000 +0200
+++ dovecot-2.2.18/doc/example-config/conf.d/10-ssl.conf 2015-08-24 17:10:49.536071649 +0200
@@ -3,7 +3,9 @@
##
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
-#ssl = yes
+# disable plain pop3 and imap, allowed are only pop3+TLS, pop3s, imap+TLS and imaps
+# plain imap and pop3 are still allowed for local connections
+ssl = required
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
@@ -50,6 +52,7 @@ ssl_key = </etc/ssl/private/dovecot.pem
# SSL ciphers to use
#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
+ssl_cipher_list = PROFILE=SYSTEM
# Prefer the server's order of ciphers over client's.
#ssl_prefer_server_ciphers = no

11
SOURCES/dovecot-2.1.10-waitonline.patch Normal file
View File

@ -0,0 +1,11 @@
diff -up dovecot-2.2.22/dovecot.service.in.waitonline dovecot-2.2.22/dovecot.service.in
--- dovecot-2.2.22/dovecot.service.in.waitonline 2016-03-16 13:36:49.426772606 +0100
+++ dovecot-2.2.22/dovecot.service.in 2016-03-16 13:47:23.923606903 +0100
@@ -24,6 +24,7 @@ After=local-fs.target network.target
[Service]
Type=forking
+ExecStartPre=/usr/libexec/dovecot/prestartscript
ExecStart=@sbindir@/dovecot
PIDFile=@rundir@/master.pid
ExecReload=@bindir@/doveadm reload

60
SOURCES/dovecot-2.2-gidcheck.patch Normal file
View File

@ -0,0 +1,60 @@
From ca5b3ec5331545b46ec1f1c4ecfa1302ddb10653 Mon Sep 17 00:00:00 2001
From: Timo Sirainen <timo.sirainen@dovecot.fi>
Date: Wed, 29 Jun 2016 00:56:56 +0300
Subject: [PATCH] auth: userdb passwd iteration now skips users not in
first/last_valid_gid range
Patch by Michal Hlavinka / Red Hat
---
src/auth/auth-settings.c | 4 ++++
src/auth/auth-settings.h | 2 ++
src/auth/userdb-passwd.c | 4 ++++
3 files changed, 10 insertions(+)
diff -up dovecot-2.2.36/src/auth/auth-settings.c.gidcheck dovecot-2.2.36/src/auth/auth-settings.c
--- dovecot-2.2.36/src/auth/auth-settings.c.gidcheck 2018-04-30 15:52:05.000000000 +0200
+++ dovecot-2.2.36/src/auth/auth-settings.c 2018-09-17 12:17:13.132032699 +0200
@@ -272,6 +272,8 @@ static const struct setting_define auth_
DEF_NOPREFIX(SET_BOOL, verbose_proctitle),
DEF_NOPREFIX(SET_UINT, first_valid_uid),
DEF_NOPREFIX(SET_UINT, last_valid_uid),
+ DEF_NOPREFIX(SET_UINT, first_valid_gid),
+ DEF_NOPREFIX(SET_UINT, last_valid_gid),
DEF_NOPREFIX(SET_STR, ssl_client_ca_dir),
DEF_NOPREFIX(SET_STR, ssl_client_ca_file),
@@ -331,6 +333,8 @@ static const struct auth_settings auth_d
.verbose_proctitle = FALSE,
.first_valid_uid = 500,
.last_valid_uid = 0,
+ .first_valid_gid = 1,
+ .last_valid_gid = 0,
};
const struct setting_parser_info auth_setting_parser_info = {
diff -up dovecot-2.2.36/src/auth/auth-settings.h.gidcheck dovecot-2.2.36/src/auth/auth-settings.h
--- dovecot-2.2.36/src/auth/auth-settings.h.gidcheck 2018-04-30 15:52:05.000000000 +0200
+++ dovecot-2.2.36/src/auth/auth-settings.h 2018-09-17 12:13:30.540159133 +0200
@@ -88,6 +88,8 @@ struct auth_settings {
bool verbose_proctitle;
unsigned int first_valid_uid;
unsigned int last_valid_uid;
+ unsigned int first_valid_gid;
+ unsigned int last_valid_gid;
/* generated: */
char username_chars_map[256];
diff -up dovecot-2.2.36/src/auth/userdb-passwd.c.gidcheck dovecot-2.2.36/src/auth/userdb-passwd.c
--- dovecot-2.2.36/src/auth/userdb-passwd.c.gidcheck 2018-04-30 15:52:05.000000000 +0200
+++ dovecot-2.2.36/src/auth/userdb-passwd.c 2018-09-17 12:13:30.540159133 +0200
@@ -145,6 +145,10 @@ passwd_iterate_want_pw(struct passwd *pw
return FALSE;
if (pw->pw_uid > (uid_t)set->last_valid_uid && set->last_valid_uid != 0)
return FALSE;
+ if (pw->pw_gid < (gid_t)set->first_valid_gid)
+ return FALSE;
+ if (pw->pw_gid > (gid_t)set->last_valid_gid && set->last_valid_gid != 0)
+ return FALSE;
return TRUE;
}

12
SOURCES/dovecot-2.2.13-online.patch Normal file
View File

@ -0,0 +1,12 @@
diff -up dovecot-2.2.22/dovecot.service.in.online dovecot-2.2.22/dovecot.service.in
--- dovecot-2.2.22/dovecot.service.in.online 2016-03-16 13:47:47.112491206 +0100
+++ dovecot-2.2.22/dovecot.service.in 2016-03-16 13:48:14.339355363 +0100
@@ -20,7 +20,7 @@
Description=Dovecot IMAP/POP3 email server
Documentation=man:dovecot(1)
Documentation=http://wiki2.dovecot.org/
-After=local-fs.target network.target
+After=local-fs.target network-online.target
[Service]
Type=forking

51
SOURCES/dovecot-2.2.20-initbysystemd.patch Normal file
View File

@ -0,0 +1,51 @@
diff -up dovecot-2.2.22/dovecot-init.service.initbysystemd dovecot-2.2.22/dovecot-init.service
--- dovecot-2.2.22/dovecot-init.service.initbysystemd 2016-03-16 13:48:25.996297203 +0100
+++ dovecot-2.2.22/dovecot-init.service 2016-03-16 13:48:25.996297203 +0100
@@ -0,0 +1,18 @@
+[Unit]
+Description=One-time Dovecot init service
+ConditionPathExists=|!/var/lib/dovecot/ssl-parameters.dat
+ConditionPathExists=|!/etc/pki/dovecot/certs/dovecot.pem
+
+[Service]
+Type=oneshot
+RemainAfterExit=no
+ExecStart=/bin/sh -c '\
+if [ ! -f /etc/pki/dovecot/certs/dovecot.pem ]; \
+then\
+ SSLDIR=/etc/pki/dovecot/ OPENSSLCONFIG=/etc/pki/dovecot/dovecot-openssl.cnf /usr/libexec/dovecot/mkcert.sh /dev/null 2>&1;\
+fi;\
+if [ ! -f /var/lib/dovecot/ssl-parameters.dat ]; \
+then\
+ /usr/libexec/dovecot/ssl-params >/dev/null 2>&1; \
+fi'
+
diff -up dovecot-2.2.22/dovecot.service.in.initbysystemd dovecot-2.2.22/dovecot.service.in
--- dovecot-2.2.22/dovecot.service.in.initbysystemd 2016-03-16 13:48:25.996297203 +0100
+++ dovecot-2.2.22/dovecot.service.in 2016-03-16 13:49:17.619039641 +0100
@@ -20,7 +20,8 @@
Description=Dovecot IMAP/POP3 email server
Documentation=man:dovecot(1)
Documentation=http://wiki2.dovecot.org/
-After=local-fs.target network-online.target
+After=local-fs.target network-online.target dovecot-init.service
+Requires=dovecot-init.service
[Service]
Type=forking
diff -up dovecot-2.2.22/Makefile.am.initbysystemd dovecot-2.2.22/Makefile.am
--- dovecot-2.2.22/Makefile.am.initbysystemd 2016-03-04 12:04:33.000000000 +0100
+++ dovecot-2.2.22/Makefile.am 2016-03-16 13:48:25.996297203 +0100
@@ -51,9 +51,10 @@ if HAVE_SYSTEMD
systemdsystemunit_DATA = \
dovecot.socket \
- dovecot.service
+ dovecot.service \
+ dovecot-init.service
else
-EXTRA_DIST += dovecot.socket dovecot.service.in
+EXTRA_DIST += dovecot.socket dovecot.service.in dovecot-init.service
endif
install-exec-hook:

14
SOURCES/dovecot-2.2.22-systemd_w_protectsystem.patch Normal file
View File

@ -0,0 +1,14 @@
diff -up dovecot-2.2.28/dovecot.service.in.systemd_w_protectsystem dovecot-2.2.28/dovecot.service.in
--- dovecot-2.2.28/dovecot.service.in.systemd_w_protectsystem 2017-02-27 10:00:14.647423500 +0100
+++ dovecot-2.2.28/dovecot.service.in 2017-02-27 10:02:18.051377067 +0100
@@ -20,8 +20,8 @@ ExecReload=@bindir@/doveadm reload
ExecStop=@bindir@/doveadm stop
PrivateTmp=true
NonBlocking=yes
-# Enable this if your systemd is new enough to support it:
-#ProtectSystem=full
+# Enable this if your systemd is new enough to support it: (it will make /usr /boot /etc read only for dovecot)
+ProtectSystem=full
# You can add environment variables with e.g.:
#Environment='CORE_OUTOFMEM=1'

13
SOURCES/dovecot-2.2.36-aclfix.patch Normal file
View File

@ -0,0 +1,13 @@
diff -up dovecot-2.2.36/src/plugins/acl/acl-backend-vfile.c.aclfix dovecot-2.2.36/src/plugins/acl/acl-backend-vfile.c
--- dovecot-2.2.36/src/plugins/acl/acl-backend-vfile.c.aclfix 2018-09-18 15:00:08.778823903 +0200
+++ dovecot-2.2.36/src/plugins/acl/acl-backend-vfile.c 2018-09-18 15:00:08.814823737 +0200
@@ -161,8 +161,7 @@ acl_backend_vfile_object_init(struct acl
T_BEGIN {
if (*name == '\0' ||
mailbox_list_is_valid_name(_backend->list, name, &error)) {
- vname = *name == '\0' ? "" :
- mailbox_list_get_vname(_backend->list, name);
+ vname = mailbox_list_get_vname(_backend->list, name);
dir = acl_backend_vfile_get_local_dir(_backend, name, vname);
aclobj->local_path = dir == NULL ? NULL :

10
SOURCES/dovecot-2.2.36-bigkey.patch Normal file
View File

@ -0,0 +1,10 @@
diff -up dovecot-2.2.36/doc/dovecot-openssl.cnf.bigkey dovecot-2.2.36/doc/dovecot-openssl.cnf
--- dovecot-2.2.36/doc/dovecot-openssl.cnf.bigkey 2017-06-23 13:18:28.000000000 +0200
+++ dovecot-2.2.36/doc/dovecot-openssl.cnf 2018-10-16 17:15:35.836205498 +0200
@@ -1,5 +1,5 @@
[ req ]
-default_bits = 1024
+default_bits = 3072
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type

69
SOURCES/dovecot-2.2.36-cve_2019_3814part1of3.patch Normal file
View File

@ -0,0 +1,69 @@
From eb5ffe2641febe0fa5e9038f2e216c130e1e7519 Mon Sep 17 00:00:00 2001
From: Aki Tuomi <aki.tuomi@open-xchange.com>
Date: Mon, 21 Jan 2019 11:36:30 +0200
Subject: [PATCH] login-common: Ensure we get username from certificate
---
src/login-common/sasl-server.c | 42 ++++++++++++++++++++++++++++++++--
1 file changed, 40 insertions(+), 2 deletions(-)
diff --git a/src/login-common/sasl-server.c b/src/login-common/sasl-server.c
index a833c9a6d4..9465da9657 100644
--- a/src/login-common/sasl-server.c
+++ b/src/login-common/sasl-server.c
@@ -321,6 +321,37 @@ authenticate_callback(struct auth_client_request *request,
}
}
+static bool get_cert_username(struct client *client, const char **username_r,
+ const char **error_r)
+{
+ /* no SSL */
+ if (client->ssl_proxy == NULL) {
+ *username_r = NULL;
+ return TRUE;
+ }
+
+ /* no client certificate */
+ if (!ssl_proxy_has_valid_client_cert(client->ssl_proxy)) {
+ *username_r = NULL;
+ return TRUE;
+ }
+
+ /* get peer name */
+ const char *username = ssl_proxy_get_peer_name(client->ssl_proxy);
+
+ /* if we wanted peer name, but it was not there, fail */
+ if (client->set->auth_ssl_username_from_cert &&
+ (username == NULL || *username == '\0')) {
+ if (client->set->auth_ssl_require_client_cert) {
+ *error_r = "Missing username in certificate";
+ return FALSE;
+ }
+ }
+
+ *username_r = username;
+ return TRUE;
+}
+
void sasl_server_auth_begin(struct client *client,
const char *service, const char *mech_name,
const char *initial_resp_base64,
@@ -359,8 +390,15 @@ void sasl_server_auth_begin(struct client *client,
info.mech = mech->name;
info.service = service;
info.session_id = client_get_session_id(client);
- info.cert_username = client->ssl_proxy == NULL ? NULL :
- ssl_proxy_get_peer_name(client->ssl_proxy);
+ if (client->set->auth_ssl_username_from_cert) {
+ const char *error;
+ if (!get_cert_username(client, &info.cert_username, &error)) {
+ client_log_err(client, t_strdup_printf("Cannot get username "
+ "from certificate: %s", error));
+ sasl_server_auth_failed(client, "Unable to validate certificate");
+ return;
+ }
+ }
info.flags = client_get_auth_flags(client);
info.local_ip = client->local_ip;
info.remote_ip = client->ip;

29
SOURCES/dovecot-2.2.36-cve_2019_3814part2of3.patch Normal file
View File

@ -0,0 +1,29 @@
From 7525fece60f01b52deb13df3620976ee1d616837 Mon Sep 17 00:00:00 2001
From: Aki Tuomi <aki.tuomi@open-xchange.com>
Date: Mon, 21 Jan 2019 10:54:06 +0200
Subject: [PATCH] auth: Fail authentication if certificate username was
unexpectedly missing
---
src/auth/auth-request-handler.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/auth/auth-request-handler.c b/src/auth/auth-request-handler.c
index 617dc1883d..3044e94f91 100644
--- a/src/auth/auth-request-handler.c
+++ b/src/auth/auth-request-handler.c
@@ -560,6 +560,14 @@ bool auth_request_handler_auth_begin(struct auth_request_handler *handler,
return TRUE;
}
+ if (request->set->ssl_require_client_cert &&
+ request->set->ssl_username_from_cert &&
+ !request->cert_username) {
+ auth_request_handler_auth_fail(handler, request,
+ "SSL certificate didn't contain username");
+ return TRUE;
+ }
+
/* Empty initial response is a "=" base64 string. Completely empty
string shouldn't really be sent, but at least Exim does it,
so just allow it for backwards compatibility.. */

22
SOURCES/dovecot-2.2.36-cve_2019_3814part3of3.patch Normal file
View File

@ -0,0 +1,22 @@
From e5d428297d70e3ac8b6dfce7e0de182b86825082 Mon Sep 17 00:00:00 2001
From: Aki Tuomi <aki.tuomi@open-xchange.com>
Date: Wed, 16 Jan 2019 18:28:57 +0200
Subject: [PATCH] auth: Do not import empty certificate username
---
src/auth/auth-request.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/auth/auth-request.c b/src/auth/auth-request.c
index dd288b6d23..1cb665ec8c 100644
--- a/src/auth/auth-request.c
+++ b/src/auth/auth-request.c
@@ -445,7 +445,7 @@ bool auth_request_import_auth(struct auth_request *request,
else if (strcmp(key, "valid-client-cert") == 0)
request->valid_client_cert = TRUE;
else if (strcmp(key, "cert_username") == 0) {
- if (request->set->ssl_username_from_cert) {
+ if (request->set->ssl_username_from_cert && *value != '\0') {
/* get username from SSL certificate. it overrides
the username given by the auth mechanism. */
request->user = p_strdup(request->pool, value);

11
SOURCES/dovecot-2.3.0.1-libxcrypt.patch Normal file
View File

@ -0,0 +1,11 @@
diff -up dovecot-2.3.0.1/src/auth/mycrypt.c.libxcrypt dovecot-2.3.0.1/src/auth/mycrypt.c
--- dovecot-2.3.0.1/src/auth/mycrypt.c.libxcrypt 2018-02-28 15:28:58.000000000 +0100
+++ dovecot-2.3.0.1/src/auth/mycrypt.c 2018-03-27 10:57:38.447769201 +0200
@@ -14,6 +14,7 @@
# define _XPG6 /* Some Solaris versions require this, some break with this */
#endif
#include <unistd.h>
+#include <crypt.h>
#include "mycrypt.h"

785
SOURCES/dovecot-2.3.6-opensslhmac.patch Normal file
View File

@ -0,0 +1,785 @@
diff -up dovecot-2.2.36/src/auth/auth-token.c.opensslhmac dovecot-2.2.36/src/auth/auth-token.c
--- dovecot-2.2.36/src/auth/auth-token.c.opensslhmac 2018-04-30 15:52:04.000000000 +0200
+++ dovecot-2.2.36/src/auth/auth-token.c 2019-06-10 15:38:38.834070480 +0200
@@ -163,17 +163,17 @@ void auth_token_deinit(void)
const char *auth_token_get(const char *service, const char *session_pid,
const char *username, const char *session_id)
{
- struct hmac_context ctx;
+ struct openssl_hmac_context ctx;
unsigned char result[SHA1_RESULTLEN];
- hmac_init(&ctx, (const unsigned char*)username, strlen(username),
+ openssl_hmac_init(&ctx, (const unsigned char*)username, strlen(username),
&hash_method_sha1);
- hmac_update(&ctx, session_pid, strlen(session_pid));
+ openssl_hmac_update(&ctx, session_pid, strlen(session_pid));
if (session_id != NULL && *session_id != '\0')
- hmac_update(&ctx, session_id, strlen(session_id));
- hmac_update(&ctx, service, strlen(service));
- hmac_update(&ctx, auth_token_secret, sizeof(auth_token_secret));
- hmac_final(&ctx, result);
+ openssl_hmac_update(&ctx, session_id, strlen(session_id));
+ openssl_hmac_update(&ctx, service, strlen(service));
+ openssl_hmac_update(&ctx, auth_token_secret, sizeof(auth_token_secret));
+ openssl_hmac_final(&ctx, result);
return binary_to_hex(result, sizeof(result));
}
diff -up dovecot-2.2.36/src/auth/mech-cram-md5.c.opensslhmac dovecot-2.2.36/src/auth/mech-cram-md5.c
--- dovecot-2.2.36/src/auth/mech-cram-md5.c.opensslhmac 2018-04-30 15:52:05.000000000 +0200
+++ dovecot-2.2.36/src/auth/mech-cram-md5.c 2019-06-10 15:38:38.834070480 +0200
@@ -51,7 +51,7 @@ static bool verify_credentials(struct cr
{
unsigned char digest[MD5_RESULTLEN];
- struct hmac_context ctx;
+ struct orig_hmac_context ctx;
const char *response_hex;
if (size != CRAM_MD5_CONTEXTLEN) {
@@ -60,10 +60,10 @@ static bool verify_credentials(struct cr
return FALSE;
}
- hmac_init(&ctx, NULL, 0, &hash_method_md5);
+ orig_hmac_init(&ctx, NULL, 0, &hash_method_md5);
hmac_md5_set_cram_context(&ctx, credentials);
- hmac_update(&ctx, request->challenge, strlen(request->challenge));
- hmac_final(&ctx, digest);
+ orig_hmac_update(&ctx, request->challenge, strlen(request->challenge));
+ orig_hmac_final(&ctx, digest);
response_hex = binary_to_hex(digest, sizeof(digest));
diff -up dovecot-2.2.36/src/auth/mech-scram-sha1.c.opensslhmac dovecot-2.2.36/src/auth/mech-scram-sha1.c
--- dovecot-2.2.36/src/auth/mech-scram-sha1.c.opensslhmac 2018-04-30 15:52:05.000000000 +0200
+++ dovecot-2.2.36/src/auth/mech-scram-sha1.c 2019-06-10 15:38:38.834070480 +0200
@@ -71,7 +71,7 @@ static const char *get_scram_server_firs
static const char *get_scram_server_final(struct scram_auth_request *request)
{
- struct hmac_context ctx;
+ struct openssl_hmac_context ctx;
const char *auth_message;
unsigned char server_signature[SHA1_RESULTLEN];
string_t *str;
@@ -80,10 +80,10 @@ static const char *get_scram_server_fina
request->server_first_message, ",",
request->client_final_message_without_proof, NULL);
- hmac_init(&ctx, request->server_key, sizeof(request->server_key),
+ openssl_hmac_init(&ctx, request->server_key, sizeof(request->server_key),
&hash_method_sha1);
- hmac_update(&ctx, auth_message, strlen(auth_message));
- hmac_final(&ctx, server_signature);
+ openssl_hmac_update(&ctx, auth_message, strlen(auth_message));
+ openssl_hmac_final(&ctx, server_signature);
str = t_str_new(MAX_BASE64_ENCODED_SIZE(sizeof(server_signature)));
str_append(str, "v=");
@@ -221,7 +221,7 @@ static bool parse_scram_client_first(str
static bool verify_credentials(struct scram_auth_request *request)
{
- struct hmac_context ctx;
+ struct openssl_hmac_context ctx;
const char *auth_message;
unsigned char client_key[SHA1_RESULTLEN];
unsigned char client_signature[SHA1_RESULTLEN];
@@ -232,10 +232,10 @@ static bool verify_credentials(struct sc
request->server_first_message, ",",
request->client_final_message_without_proof, NULL);
- hmac_init(&ctx, request->stored_key, sizeof(request->stored_key),
+ openssl_hmac_init(&ctx, request->stored_key, sizeof(request->stored_key),
&hash_method_sha1);
- hmac_update(&ctx, auth_message, strlen(auth_message));
- hmac_final(&ctx, client_signature);
+ openssl_hmac_update(&ctx, auth_message, strlen(auth_message));
+ openssl_hmac_final(&ctx, client_signature);
for (i = 0; i < sizeof(client_signature); i++)
client_key[i] =
diff -up dovecot-2.2.36/src/auth/password-scheme.c.opensslhmac dovecot-2.2.36/src/auth/password-scheme.c
--- dovecot-2.2.36/src/auth/password-scheme.c.opensslhmac 2018-04-30 15:52:05.000000000 +0200
+++ dovecot-2.2.36/src/auth/password-scheme.c 2019-06-10 15:38:38.834070480 +0200
@@ -655,11 +655,11 @@ static void
cram_md5_generate(const char *plaintext, const char *user ATTR_UNUSED,
const unsigned char **raw_password_r, size_t *size_r)
{
- struct hmac_context ctx;
+ struct orig_hmac_context ctx;
unsigned char *context_digest;
context_digest = t_malloc(CRAM_MD5_CONTEXTLEN);
- hmac_init(&ctx, (const unsigned char *)plaintext,
+ orig_hmac_init(&ctx, (const unsigned char *)plaintext,
strlen(plaintext), &hash_method_md5);
hmac_md5_get_cram_context(&ctx, context_digest);
diff -up dovecot-2.2.36/src/auth/password-scheme-scram.c.opensslhmac dovecot-2.2.36/src/auth/password-scheme-scram.c
--- dovecot-2.2.36/src/auth/password-scheme-scram.c.opensslhmac 2018-04-30 15:52:05.000000000 +0200
+++ dovecot-2.2.36/src/auth/password-scheme-scram.c 2019-06-10 15:38:38.834070480 +0200
@@ -27,23 +27,23 @@ static void Hi(const unsigned char *str,
const unsigned char *salt, size_t salt_size, unsigned int i,
unsigned char result[SHA1_RESULTLEN])
{
- struct hmac_context ctx;
+ struct openssl_hmac_context ctx;
unsigned char U[SHA1_RESULTLEN];
unsigned int j, k;
/* Calculate U1 */
- hmac_init(&ctx, str, str_size, &hash_method_sha1);
- hmac_update(&ctx, salt, salt_size);
- hmac_update(&ctx, "\0\0\0\1", 4);
- hmac_final(&ctx, U);
+ openssl_hmac_init(&ctx, str, str_size, &hash_method_sha1);
+ openssl_hmac_update(&ctx, salt, salt_size);
+ openssl_hmac_update(&ctx, "\0\0\0\1", 4);
+ openssl_hmac_final(&ctx, U);
memcpy(result, U, SHA1_RESULTLEN);
/* Calculate U2 to Ui and Hi */
for (j = 2; j <= i; j++) {
- hmac_init(&ctx, str, str_size, &hash_method_sha1);
- hmac_update(&ctx, U, sizeof(U));
- hmac_final(&ctx, U);
+ openssl_hmac_init(&ctx, str, str_size, &hash_method_sha1);
+ openssl_hmac_update(&ctx, U, sizeof(U));
+ openssl_hmac_final(&ctx, U);
for (k = 0; k < SHA1_RESULTLEN; k++)
result[k] ^= U[k];
}
@@ -94,7 +94,7 @@ int scram_sha1_verify(const char *plaint
const unsigned char *raw_password, size_t size,
const char **error_r)
{
- struct hmac_context ctx;
+ struct openssl_hmac_context ctx;
const char *salt_base64;
unsigned int iter_count;
const unsigned char *salt;
@@ -118,10 +118,10 @@ int scram_sha1_verify(const char *plaint
iter_count, salted_password);
/* Calculate ClientKey */
- hmac_init(&ctx, salted_password, sizeof(salted_password),
+ openssl_hmac_init(&ctx, salted_password, sizeof(salted_password),
&hash_method_sha1);
- hmac_update(&ctx, "Client Key", 10);
- hmac_final(&ctx, client_key);
+ openssl_hmac_update(&ctx, "Client Key", 10);
+ openssl_hmac_final(&ctx, client_key);
/* Calculate StoredKey */
sha1_get_digest(client_key, sizeof(client_key), calculated_stored_key);
@@ -139,7 +139,7 @@ void scram_sha1_generate(const char *pla
const unsigned char **raw_password_r, size_t *size_r)
{
string_t *str;
- struct hmac_context ctx;
+ struct openssl_hmac_context ctx;
unsigned char salt[16];
unsigned char salted_password[SHA1_RESULTLEN];
unsigned char client_key[SHA1_RESULTLEN];
@@ -157,10 +157,10 @@ void scram_sha1_generate(const char *pla
sizeof(salt), SCRAM_DEFAULT_ITERATE_COUNT, salted_password);
/* Calculate ClientKey */
- hmac_init(&ctx, salted_password, sizeof(salted_password),
+ openssl_hmac_init(&ctx, salted_password, sizeof(salted_password),
&hash_method_sha1);
- hmac_update(&ctx, "Client Key", 10);
- hmac_final(&ctx, client_key);
+ openssl_hmac_update(&ctx, "Client Key", 10);
+ openssl_hmac_final(&ctx, client_key);
/* Calculate StoredKey */
sha1_get_digest(client_key, sizeof(client_key), stored_key);
@@ -168,10 +168,10 @@ void scram_sha1_generate(const char *pla
base64_encode(stored_key, sizeof(stored_key), str);
/* Calculate ServerKey */
- hmac_init(&ctx, salted_password, sizeof(salted_password),
+ openssl_hmac_init(&ctx, salted_password, sizeof(salted_password),
&hash_method_sha1);
- hmac_update(&ctx, "Server Key", 10);
- hmac_final(&ctx, server_key);
+ openssl_hmac_update(&ctx, "Server Key", 10);
+ openssl_hmac_final(&ctx, server_key);
str_append_c(str, ',');
base64_encode(server_key, sizeof(server_key), str);
diff -up dovecot-2.2.36/src/lib/hmac.c.opensslhmac dovecot-2.2.36/src/lib/hmac.c
--- dovecot-2.2.36/src/lib/hmac.c.opensslhmac 2018-04-30 15:52:05.000000000 +0200
+++ dovecot-2.2.36/src/lib/hmac.c 2019-06-10 15:38:38.834070480 +0200
@@ -7,15 +7,74 @@
* This software is released under the MIT license.
*/
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
#include "lib.h"
#include "hmac.h"
#include "safe-memset.h"
#include "buffer.h"
-void hmac_init(struct hmac_context *_ctx, const unsigned char *key,
+#ifndef HAVE_HMAC_CTX_NEW
+# define HMAC_Init_ex(ctx, key, key_len, md, impl) \
+ HMAC_Init_ex(&(ctx), key, key_len, md, impl)
+# define HMAC_Update(ctx, data, len) HMAC_Update(&(ctx), data, len)
+# define HMAC_Final(ctx, md, len) HMAC_Final(&(ctx), md, len)
+# define HMAC_CTX_free(ctx) HMAC_cleanup(&(ctx))
+#else
+# define HMAC_CTX_free(ctx) \
+ STMT_START { HMAC_CTX_free(ctx); (ctx) = NULL; } STMT_END
+#endif
+
+
+void openssl_hmac_init(struct openssl_hmac_context *_ctx, const unsigned char *key,
+ size_t key_len, const struct hash_method *meth)
+{
+ struct openssl_hmac_context_priv *ctx = &_ctx->u.priv;
+
+ const EVP_MD *md;
+ const char *ebuf = NULL;
+ const char **error_r = &ebuf;
+
+ md = EVP_get_digestbyname(meth->name);
+ if(md == NULL) {
+ if (error_r != NULL) {
+ *error_r = t_strdup_printf("Invalid digest %s",
+ meth->name);
+ }
+ //return FALSE;
+ }
+
+// int ec;
+
+ i_assert(md != NULL);
+#ifdef HAVE_HMAC_CTX_NEW
+ ctx->ctx = HMAC_CTX_new();
+/* if (ctx->ctx == NULL)
+ dcrypt_openssl_error(error_r);*/
+#endif
+ /*ec = */HMAC_Init_ex(ctx->ctx, key, key_len, md, NULL);
+}
+
+void orig_hmac_init(struct orig_hmac_context *_ctx, const unsigned char *key,
size_t key_len, const struct hash_method *meth)
{
- struct hmac_context_priv *ctx = &_ctx->u.priv;
+ static int no_fips = -1;
+ if (no_fips == -1) {
+ int fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY);
+ if (fd != -1)
+ {
+ char buf[4];
+ if (read(fd, buf, 4) > 0)
+ {
+ no_fips = buf[0] == '0';
+ }
+ close(fd);
+ }
+ }
+ i_assert(no_fips);
+ struct orig_hmac_context_priv *ctx = &_ctx->u.priv;
int i;
unsigned char k_ipad[64];
unsigned char k_opad[64];
@@ -51,9 +110,27 @@ void hmac_init(struct hmac_context *_ctx
safe_memset(k_opad, 0, 64);
}
-void hmac_final(struct hmac_context *_ctx, unsigned char *digest)
+void openssl_hmac_final(struct openssl_hmac_context *_ctx, unsigned char *digest)
+{
+ int ec;
+ unsigned char buf[HMAC_MAX_MD_CBLOCK];
+ unsigned int outl;
+// const char *ebuf = NULL;
+// const char **error_r = &ebuf;
+
+ struct openssl_hmac_context_priv *ctx = &_ctx->u.priv;
+ ec = HMAC_Final(ctx->ctx, buf, &outl);
+ HMAC_CTX_free(ctx->ctx);
+ if (ec == 1)
+ memcpy(digest, buf, outl);
+// else
+// dcrypt_openssl_error(error_r);
+
+}
+
+void orig_hmac_final(struct orig_hmac_context *_ctx, unsigned char *digest)
{
- struct hmac_context_priv *ctx = &_ctx->u.priv;
+ struct orig_hmac_context_priv *ctx = &_ctx->u.priv;
ctx->hash->result(ctx->ctx, digest);
@@ -61,35 +138,35 @@ void hmac_final(struct hmac_context *_ct
ctx->hash->result(ctx->ctxo, digest);
}
-buffer_t *t_hmac_data(const struct hash_method *meth,
+buffer_t *openssl_t_hmac_data(const struct hash_method *meth,
const unsigned char *key, size_t key_len,
const void *data, size_t data_len)
{
- struct hmac_context ctx;
+ struct openssl_hmac_context ctx;
i_assert(meth != NULL);
i_assert(key != NULL && key_len > 0);
i_assert(data != NULL || data_len == 0);
buffer_t *res = buffer_create_dynamic(pool_datastack_create(), meth->digest_size);
- hmac_init(&ctx, key, key_len, meth);
+ openssl_hmac_init(&ctx, key, key_len, meth);
if (data_len > 0)
- hmac_update(&ctx, data, data_len);
+ openssl_hmac_update(&ctx, data, data_len);
unsigned char *buf = buffer_get_space_unsafe(res, 0, meth->digest_size);
- hmac_final(&ctx, buf);
+ openssl_hmac_final(&ctx, buf);
return res;
}
-buffer_t *t_hmac_buffer(const struct hash_method *meth,
+buffer_t *openssl_t_hmac_buffer(const struct hash_method *meth,
const unsigned char *key, size_t key_len,
const buffer_t *data)
{
- return t_hmac_data(meth, key, key_len, data->data, data->used);
+ return openssl_t_hmac_data(meth, key, key_len, data->data, data->used);
}
-buffer_t *t_hmac_str(const struct hash_method *meth,
+buffer_t *openssl_t_hmac_str(const struct hash_method *meth,
const unsigned char *key, size_t key_len,
const char *data)
{
- return t_hmac_data(meth, key, key_len, data, strlen(data));
+ return openssl_t_hmac_data(meth, key, key_len, data, strlen(data));
}
diff -up dovecot-2.2.36/src/lib/hmac-cram-md5.c.opensslhmac dovecot-2.2.36/src/lib/hmac-cram-md5.c
--- dovecot-2.2.36/src/lib/hmac-cram-md5.c.opensslhmac 2017-06-23 13:18:28.000000000 +0200
+++ dovecot-2.2.36/src/lib/hmac-cram-md5.c 2019-06-10 15:38:38.835070476 +0200
@@ -9,10 +9,10 @@
#include "md5.h"
#include "hmac-cram-md5.h"
-void hmac_md5_get_cram_context(struct hmac_context *_hmac_ctx,
+void hmac_md5_get_cram_context(struct orig_hmac_context *_hmac_ctx,
unsigned char context_digest[CRAM_MD5_CONTEXTLEN])
{
- struct hmac_context_priv *hmac_ctx = &_hmac_ctx->u.priv;
+ struct orig_hmac_context_priv *hmac_ctx = &_hmac_ctx->u.priv;
unsigned char *cdp;
struct md5_context *ctx = (void*)hmac_ctx->ctx;
@@ -35,10 +35,10 @@ void hmac_md5_get_cram_context(struct hm
CDPUT(cdp, ctx->d);
}
-void hmac_md5_set_cram_context(struct hmac_context *_hmac_ctx,
+void hmac_md5_set_cram_context(struct orig_hmac_context *_hmac_ctx,
const unsigned char context_digest[CRAM_MD5_CONTEXTLEN])
{
- struct hmac_context_priv *hmac_ctx = &_hmac_ctx->u.priv;
+ struct orig_hmac_context_priv *hmac_ctx = &_hmac_ctx->u.priv;
const unsigned char *cdp;
struct md5_context *ctx = (void*)hmac_ctx->ctx;
diff -up dovecot-2.2.36/src/lib/hmac-cram-md5.h.opensslhmac dovecot-2.2.36/src/lib/hmac-cram-md5.h
--- dovecot-2.2.36/src/lib/hmac-cram-md5.h.opensslhmac 2017-06-23 13:18:28.000000000 +0200
+++ dovecot-2.2.36/src/lib/hmac-cram-md5.h 2019-06-10 15:38:38.835070476 +0200
@@ -5,9 +5,9 @@
#define CRAM_MD5_CONTEXTLEN 32
-void hmac_md5_get_cram_context(struct hmac_context *ctx,
+void hmac_md5_get_cram_context(struct orig_hmac_context *ctx,
unsigned char context_digest[CRAM_MD5_CONTEXTLEN]);
-void hmac_md5_set_cram_context(struct hmac_context *ctx,
+void hmac_md5_set_cram_context(struct orig_hmac_context *ctx,
const unsigned char context_digest[CRAM_MD5_CONTEXTLEN]);
diff -up dovecot-2.2.36/src/lib/hmac.h.opensslhmac dovecot-2.2.36/src/lib/hmac.h
--- dovecot-2.2.36/src/lib/hmac.h.opensslhmac 2017-06-23 13:18:28.000000000 +0200
+++ dovecot-2.2.36/src/lib/hmac.h 2019-06-10 15:38:38.835070476 +0200
@@ -3,43 +3,98 @@
#include "hash-method.h"
#include "sha1.h"
+#include <openssl/objects.h>
+#include <openssl/hmac.h>
+#include <openssl/err.h>
#define HMAC_MAX_CONTEXT_SIZE 256
-struct hmac_context_priv {
+struct openssl_hmac_context_priv {
+#ifdef HAVE_HMAC_CTX_NEW
+ HMAC_CTX *ctx;
+#else
+ HMAC_CTX ctx;
+#endif
+ const struct hash_method *hash;
+};
+
+struct orig_hmac_context_priv {
char ctx[HMAC_MAX_CONTEXT_SIZE];
char ctxo[HMAC_MAX_CONTEXT_SIZE];
const struct hash_method *hash;
};
-struct hmac_context {
+struct openssl_hmac_context {
+ union {
+ struct openssl_hmac_context_priv priv;
+ uint64_t padding_requirement;
+ } u;
+};
+
+struct orig_hmac_context {
union {
- struct hmac_context_priv priv;
+ struct orig_hmac_context_priv priv;
uint64_t padding_requirement;
} u;
};
-void hmac_init(struct hmac_context *ctx, const unsigned char *key,
+void openssl_hmac_init(struct openssl_hmac_context *ctx, const unsigned char *key,
size_t key_len, const struct hash_method *meth);
-void hmac_final(struct hmac_context *ctx, unsigned char *digest);
+void openssl_hmac_final(struct openssl_hmac_context *ctx, unsigned char *digest);
+
+static inline void
+openssl_hmac_update(struct openssl_hmac_context *_ctx, const void *data, size_t size)
+{
+ struct openssl_hmac_context_priv *ctx = &_ctx->u.priv;
+ HMAC_Update(ctx->ctx, data, size);
+/* if (ec != 1)
+ {
+ const char *ebuf = NULL;
+ const char **error_r = &ebuf;
+ dcrypt_openssl_error(error_r);
+ }*/
+}
+
+void orig_hmac_init(struct orig_hmac_context *ctx, const unsigned char *key,
+ size_t key_len, const struct hash_method *meth);
+void orig_hmac_final(struct orig_hmac_context *ctx, unsigned char *digest);
static inline void
-hmac_update(struct hmac_context *_ctx, const void *data, size_t size)
+orig_hmac_update(struct orig_hmac_context *_ctx, const void *data, size_t size)
{
- struct hmac_context_priv *ctx = &_ctx->u.priv;
+ struct orig_hmac_context_priv *ctx = &_ctx->u.priv;
ctx->hash->loop(ctx->ctx, data, size);
}
-buffer_t *t_hmac_data(const struct hash_method *meth,
+buffer_t *openssl_t_hmac_data(const struct hash_method *meth,
const unsigned char *key, size_t key_len,
const void *data, size_t data_len);
-buffer_t *t_hmac_buffer(const struct hash_method *meth,
+buffer_t *openssl_t_hmac_buffer(const struct hash_method *meth,
const unsigned char *key, size_t key_len,
const buffer_t *data);
-buffer_t *t_hmac_str(const struct hash_method *meth,
+buffer_t *openssl_t_hmac_str(const struct hash_method *meth,
const unsigned char *key, size_t key_len,
const char *data);
+
+#if 0
+static bool dcrypt_openssl_error(const char **error_r)
+{
+ unsigned long ec;
+
+ if (error_r == NULL) {
+ /* caller is not really interested */
+ return FALSE;
+ }
+
+ ec = ERR_get_error();
+ *error_r = t_strdup_printf("%s", ERR_error_string(ec, NULL));
+ return FALSE;
+}
+#endif
+
+
+
#endif
diff -up dovecot-2.2.36/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac dovecot-2.2.36/src/lib-imap-urlauth/imap-urlauth.c
--- dovecot-2.2.36/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac 2018-04-30 15:52:05.000000000 +0200
+++ dovecot-2.2.36/src/lib-imap-urlauth/imap-urlauth.c 2019-06-10 15:38:38.835070476 +0200
@@ -83,15 +83,15 @@ imap_urlauth_internal_generate(const cha
const unsigned char mailbox_key[IMAP_URLAUTH_KEY_LEN],
size_t *token_len_r)
{
- struct hmac_context hmac;
+ struct openssl_hmac_context hmac;
unsigned char *token;
token = t_new(unsigned char, SHA1_RESULTLEN + 1);
token[0] = IMAP_URLAUTH_MECH_INTERNAL_VERSION;
- hmac_init(&hmac, mailbox_key, IMAP_URLAUTH_KEY_LEN, &hash_method_sha1);
- hmac_update(&hmac, rumpurl, strlen(rumpurl));
- hmac_final(&hmac, token+1);
+ openssl_hmac_init(&hmac, mailbox_key, IMAP_URLAUTH_KEY_LEN, &hash_method_sha1);
+ openssl_hmac_update(&hmac, rumpurl, strlen(rumpurl));
+ openssl_hmac_final(&hmac, token+1);
*token_len_r = SHA1_RESULTLEN + 1;
return token;
diff -up dovecot-2.2.36/src/lib/Makefile.am.opensslhmac dovecot-2.2.36/src/lib/Makefile.am
--- dovecot-2.2.36/src/lib/Makefile.am.opensslhmac 2018-04-30 15:52:05.000000000 +0200
+++ dovecot-2.2.36/src/lib/Makefile.am 2019-06-10 15:42:28.810140696 +0200
@@ -306,6 +306,9 @@ headers = \
wildcard-match.h \
write-full.h
+liblib_la_LIBADD = $(SSL_LIBS)
+liblib_la_CFLAGS = $(SSL_CFLAGS)
+
test_programs = test-lib
noinst_PROGRAMS = $(test_programs)
@@ -335,6 +338,7 @@ test_lib_SOURCES = \
test-hash-format.c \
test-hash-method.c \
test-hex-binary.c \
+ test-hmac.c \
test-imem.c \
test-ioloop.c \
test-iso8601-date.c \
diff -up dovecot-2.2.36/src/lib-ntlm/ntlm-encrypt.c.opensslhmac dovecot-2.2.36/src/lib-ntlm/ntlm-encrypt.c
--- dovecot-2.2.36/src/lib-ntlm/ntlm-encrypt.c.opensslhmac 2018-04-30 15:52:05.000000000 +0200
+++ dovecot-2.2.36/src/lib-ntlm/ntlm-encrypt.c 2019-06-10 15:38:38.835070476 +0200
@@ -61,12 +61,12 @@ void ntlm_v1_hash(const char *passwd, un
}
static void
-hmac_md5_ucs2le_string_ucase(struct hmac_context *ctx, const char *str)
-{
- size_t len;
- unsigned char *wstr = t_unicode_str(str, 1, &len);
-
- hmac_update(ctx, wstr, len);
+hmac_md5_ucs2le_string_ucase(struct openssl_hmac_context *ctx, const char *str)
+ {
+ size_t len;
+ unsigned char *wstr = t_unicode_str(str, TRUE, &len);
+
+ openssl_hmac_update(ctx, wstr, len);
}
static void ATTR_NULL(2)
@@ -74,13 +74,13 @@ ntlm_v2_hash(const char *user, const cha
const unsigned char *hash_v1,
unsigned char hash[NTLMSSP_V2_HASH_SIZE])
{
- struct hmac_context ctx;
+ struct openssl_hmac_context ctx;
- hmac_init(&ctx, hash_v1, NTLMSSP_HASH_SIZE, &hash_method_md5);
+ openssl_hmac_init(&ctx, hash_v1, NTLMSSP_HASH_SIZE, &hash_method_md5);
hmac_md5_ucs2le_string_ucase(&ctx, user);
if (target != NULL)
hmac_md5_ucs2le_string_ucase(&ctx, target);
- hmac_final(&ctx, hash);
+ openssl_hmac_final(&ctx, hash);
}
void
@@ -125,15 +125,15 @@ ntlmssp_v2_response(const char *user, co
const unsigned char *blob, size_t blob_size,
unsigned char response[NTLMSSP_V2_RESPONSE_SIZE])
{
- struct hmac_context ctx;
+ struct openssl_hmac_context ctx;
unsigned char hash[NTLMSSP_V2_HASH_SIZE];
ntlm_v2_hash(user, target, hash_v1, hash);
- hmac_init(&ctx, hash, NTLMSSP_V2_HASH_SIZE, &hash_method_md5);
- hmac_update(&ctx, challenge, NTLMSSP_CHALLENGE_SIZE);
- hmac_update(&ctx, blob, blob_size);
- hmac_final(&ctx, response);
+ openssl_hmac_init(&ctx, hash, NTLMSSP_V2_HASH_SIZE, &hash_method_md5);
+ openssl_hmac_update(&ctx, challenge, NTLMSSP_CHALLENGE_SIZE);
+ openssl_hmac_update(&ctx, blob, blob_size);
+ openssl_hmac_final(&ctx, response);
safe_memset(hash, 0, sizeof(hash));
}
diff -up dovecot-2.2.36/src/lib/pkcs5.c.opensslhmac dovecot-2.2.36/src/lib/pkcs5.c
--- dovecot-2.2.36/src/lib/pkcs5.c.opensslhmac 2018-04-30 15:52:04.000000000 +0200
+++ dovecot-2.2.36/src/lib/pkcs5.c 2019-06-10 15:38:38.835070476 +0200
@@ -52,7 +52,7 @@ int pkcs5_pbkdf2(const struct hash_metho
size_t l = (length + hash->digest_size - 1)/hash->digest_size; /* same as ceil(length/hash->digest_size) */
unsigned char dk[l * hash->digest_size];
unsigned char *block;
- struct hmac_context hctx;
+ struct openssl_hmac_context hctx;
unsigned int c,i,t;
unsigned char U_c[hash->digest_size];
@@ -60,17 +60,17 @@ int pkcs5_pbkdf2(const struct hash_metho
block = &(dk[t*hash->digest_size]);
/* U_1 = PRF(Password, Salt|| INT_BE32(Block_Number)) */
c = htonl(t+1);
- hmac_init(&hctx, password, password_len, hash);
- hmac_update(&hctx, salt, salt_len);
- hmac_update(&hctx, &c, sizeof(c));
- hmac_final(&hctx, U_c);
+ openssl_hmac_init(&hctx, password, password_len, hash);
+ openssl_hmac_update(&hctx, salt, salt_len);
+ openssl_hmac_update(&hctx, &c, sizeof(c));
+ openssl_hmac_final(&hctx, U_c);
/* block = U_1 ^ .. ^ U_iter */
memcpy(block, U_c, hash->digest_size);
/* U_c = PRF(Password, U_c-1) */
for(c = 1; c < iter; c++) {
- hmac_init(&hctx, password, password_len, hash);
- hmac_update(&hctx, U_c, hash->digest_size);
- hmac_final(&hctx, U_c);
+ openssl_hmac_init(&hctx, password, password_len, hash);
+ openssl_hmac_update(&hctx, U_c, hash->digest_size);
+ openssl_hmac_final(&hctx, U_c);
for(i = 0; i < hash->digest_size; i++)
block[i] ^= U_c[i];
}
diff -up dovecot-2.2.36/src/lib/test-hmac.c.opensslhmac dovecot-2.2.36/src/lib/test-hmac.c
--- dovecot-2.2.36/src/lib/test-hmac.c.opensslhmac 2019-06-10 15:43:02.847003098 +0200
+++ dovecot-2.2.36/src/lib/test-hmac.c 2019-06-10 14:00:52.000000000 +0200
@@ -0,0 +1,103 @@
+/* Copyright (c) 2016-2018 Dovecot authors, see the included COPYING file */
+
+#include "test-lib.h"
+#include "hash-method.h"
+#include "hmac.h"
+#include "sha-common.h"
+#include "buffer.h"
+
+struct test_vector {
+ const char *prf;
+ const unsigned char *key;
+ size_t key_len;
+ const unsigned char *data;
+ size_t data_len;
+ const unsigned char *res;
+ size_t res_len;
+};
+
+#define TEST_BUF(x) (const unsigned char*)x, sizeof(x)-1
+
+/* RFC 4231 test vectors */
+static const struct test_vector test_vectors[] = {
+ /* Test Case 1 */
+ { "sha256",
+ TEST_BUF("\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"),
+ TEST_BUF("Hi There"),
+ TEST_BUF("\xb0\x34\x4c\x61\xd8\xdb\x38\x53\x5c\xa8\xaf\xce\xaf\x0b\xf1\x2b\x88\x1d\xc2\x00\xc9\x83\x3d\xa7\x26\xe9\x37\x6c\x2e\x32\xcf\xf7")
+ },
+ /* Test Case 2 */
+ { "sha256",
+ TEST_BUF("\x4a\x65\x66\x65"), /* "Jefe" */
+ TEST_BUF("what do ya want for nothing?"),
+ TEST_BUF("\x5b\xdc\xc1\x46\xbf\x60\x75\x4e\x6a\x04\x24\x26\x08\x95\x75\xc7\x5a\x00\x3f\x08\x9d\x27\x39\x83\x9d\xec\x58\xb9\x64\xec\x38\x43")
+ },
+ /* Test Case 3 */
+ { "sha256",
+ TEST_BUF("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"),
+ TEST_BUF("\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"),
+ TEST_BUF("\x77\x3e\xa9\x1e\x36\x80\x0e\x46\x85\x4d\xb8\xeb\xd0\x91\x81\xa7\x29\x59\x09\x8b\x3e\xf8\xc1\x22\xd9\x63\x55\x14\xce\xd5\x65\xfe")
+ },
+ /* Test Case 4 */
+ { "sha256",
+ TEST_BUF("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19"),
+ TEST_BUF("\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"),
+ TEST_BUF("\x82\x55\x8a\x38\x9a\x44\x3c\x0e\xa4\xcc\x81\x98\x99\xf2\x08\x3a\x85\xf0\xfa\xa3\xe5\x78\xf8\x07\x7a\x2e\x3f\xf4\x67\x29\x66\x5b")
+ },
+ /* Test Case 5 */
+ { "sha256",
+ TEST_BUF("\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c"),
+ TEST_BUF("\x54\x65\x73\x74\x20\x57\x69\x74\x68\x20\x54\x72\x75\x6e\x63\x61\x74\x69\x6f\x6e"), /* "Test With Truncation" */
+ TEST_BUF("\xa3\xb6\x16\x74\x73\x10\x0e\xe0\x6e\x0c\x79\x6c\x29\x55\x55\x2b")
+ },
+ /* Test Case 6 */
+ { "sha256",
+ TEST_BUF("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"),
+ TEST_BUF("\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74"), /* "Test Using Larger Than Block-Size Key - Hash Key First" */
+ TEST_BUF("\x60\xe4\x31\x59\x1e\xe0\xb6\x7f\x0d\x8a\x26\xaa\xcb\xf5\xb7\x7f\x8e\x0b\xc6\x21\x37\x28\xc5\x14\x05\x46\x04\x0f\x0e\xe3\x7f\x54")
+ },
+ /* Test Case 7 */
+ { "sha256",
+ TEST_BUF("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"),
+ TEST_BUF("\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"),
+ /* "This is a test using a larger than block-size key and a larger than block-size data. The key needs to be hashed before being used by the HMAC algorithm." */
+ TEST_BUF("\x9b\x09\xff\xa7\x1b\x94\x2f\xcb\x27\x63\x5f\xbc\xd5\xb0\xe9\x44\xbf\xdc\x63\x64\x4f\x07\x13\x93\x8a\x7f\x51\x53\x5c\x3a\x35\xe2")
+ }
+};
+
+static void test_hmac_rfc(void)
+{
+ test_begin("hmac sha256 rfc4231 vectors");
+ for(size_t i = 0; i < N_ELEMENTS(test_vectors); i++) {
+ const struct test_vector *vec = &(test_vectors[i]);
+ struct openssl_hmac_context ctx;
+ openssl_hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf));
+ openssl_hmac_update(&ctx, vec->data, vec->data_len);
+ unsigned char res[SHA256_RESULTLEN];
+ openssl_hmac_final(&ctx, res);
+ test_assert_idx(memcmp(res, vec->res, vec->res_len) == 0, i);
+ }
+ test_end();
+}
+
+static void test_hmac_buffer(void)
+{
+ const struct test_vector *vec = &(test_vectors[0]);
+ test_begin("hmac temporary buffer");
+
+ buffer_t *tmp;
+
+ tmp = openssl_t_hmac_data(hash_method_lookup(vec->prf), vec->key, vec->key_len,
+ vec->data, vec->data_len);
+
+ test_assert(tmp->used == vec->res_len &&
+ memcmp(tmp->data, vec->res, vec->res_len) == 0);
+
+ test_end();
+}
+
+void test_hmac(void)
+{
+ test_hmac_rfc();
+ test_hmac_buffer();
+}
diff -up dovecot-2.2.36/src/lib/test-lib.h.opensslhmac dovecot-2.2.36/src/lib/test-lib.h
--- dovecot-2.2.36/src/lib/test-lib.h.opensslhmac 2019-06-10 15:41:57.155268669 +0200
+++ dovecot-2.2.36/src/lib/test-lib.h 2019-06-10 15:41:57.194268512 +0200
@@ -20,6 +20,7 @@ void test_failures(void);
void test_file_create_locked(void);
void test_guid(void);
void test_hash(void);
+void test_hmac(void);
void test_hash_format(void);
void test_hash_method(void);
void test_hex_binary(void);

19
SOURCES/dovecot.conf.5 Normal file
View File

@ -0,0 +1,19 @@
.TH DOVECOT.CONF 5 2010/06/27 "dovecot" "File Formats and Conventions"
.SH NAME
\fBdovecot.conf\fP \- The configuration file for dovecot imap and pop3 server
.SH FULL PATH
.B /etc/dovecot.conf
.SH DESCRIPTION
The dovecot.conf file is a configuration file for the
.BR dovecot (1)
imap and pop3 server. The dovecot.conf configuration file contains description to all available options. Some of these options are described also in offline wiki documentation placed in /usr/share/doc/dovecot*/wiki/.
For backup purposes unmodified version of dovecot.conf can be found in /usr/share/doc/dovecot-<version>/example-config/dovecot.conf.default
.SH "SEE ALSO"
.BR doveadm (1),
.BR dovecot (1),
.I /usr/share/doc/dovecot*/wiki/
.I /usr/share/doc/dovecot*/dovecot.conf.default

108
SOURCES/dovecot.init Executable file
View File

@ -0,0 +1,108 @@
#!/bin/bash
#
# /etc/rc.d/init.d/dovecot
#
# Starts the dovecot daemon
#
# chkconfig: - 65 35
# description: Dovecot Imap Server
# processname: dovecot
# config: /etc/dovecot.conf
# config: /etc/sysconfig/dovecot
# pidfile: /var/run/dovecot/master.pid
### BEGIN INIT INFO
# Provides: dovecot
# Required-Start: $local_fs $network
# Required-Stop: $local_fs $network
# Should-Start: $remote_fs
# Should-Stop: $remote_fs
# Default-Start:
# Default-Stop: 0 1 2 3 4 5 6
# Short-Description: start and stop Dovecot Imap server
# Description: Dovecot is an IMAP server for Linux/UNIX-like systems,
# written with security primarily in mind. It also contains
# a small POP3 server.
### END INIT INFO
# Source function library.
. /etc/init.d/functions
if [ -f /etc/sysconfig/dovecot -a $UID -eq 0 ]; then
. /etc/sysconfig/dovecot
fi
RETVAL=0
prog="Dovecot Imap"
exec="/usr/sbin/dovecot"
config="/etc/dovecot/dovecot.conf"
pidfile="/var/run/dovecot/master.pid"
lockfile="/var/lock/subsys/dovecot"
start() {
[ $UID -eq 0 ] || exit 4
[ -x $exec ] || exit 5
[ -f $config ] || exit 6
echo -n $"Starting $prog: "
daemon --pidfile $pidfile $exec $OPTIONS
RETVAL=$?
[ $RETVAL -eq 0 ] && touch $lockfile
echo
}
stop() {
[ $UID -eq 0 ] || exit 4
echo -n $"Stopping $prog: "
killproc -p $pidfile $exec
RETVAL=$?
[ $RETVAL -eq 0 ] && rm -f $lockfile
echo
}
reload() {
[ $UID -eq 0 ] || exit 4
echo -n $"Reloading $prog: "
killproc -p $pidfile $exec -HUP
RETVAL=$?
echo
}
#
# See how we were called.
#
case "$1" in
start)
start
;;
stop)
stop
;;
reload)
reload
;;
force-reload|restart)
stop
sleep 1
start
RETVAL=$?
;;
condrestart|try-restart)
if [ -f $lockfile ]; then
stop
sleep 3
start
fi
;;
status)
status -p $pidfile $exec
RETVAL=$?
;;
*)
echo $"Usage: $0 {condrestart|try-restart|start|stop|restart|reload|force-reload|status}"
RETVAL=2
[ "$1" = 'usage' ] && RETVAL=0
esac
exit $RETVAL

5
SOURCES/dovecot.pam Normal file
View File

@ -0,0 +1,5 @@
#%PAM-1.0
auth required pam_nologin.so
auth include password-auth
account include password-auth
session include password-auth

3
SOURCES/dovecot.sysconfig Normal file
View File

@ -0,0 +1,3 @@
# Here you can specify your dovecot command line options.
#
#OPTIONS=""

2
SOURCES/dovecot.tmpfilesd Normal file
View File

@ -0,0 +1,2 @@
d /var/run/dovecot 0755 root dovecot -

3
SOURCES/prestartscript Normal file
View File

@ -0,0 +1,3 @@
#!/bin/sh
/bin/systemctl -q is-enabled NetworkManager.service >/dev/null 2>&1 && /usr/bin/nm-online -q --timeout 30 ||:

2464
SPECS/dovecot.spec Normal file
View File

File diff suppressed because it is too large Load Diff