packages/dovecot
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!38 upgrade to 2.3.15 to fix CVE

Browse Source 
From: @jackie_wu123
Reviewed-by: 
Signed-off-by:
This commit is contained in:
openeuler-ci-bot 2021-07-09 07:57:03 +00:00 committed by Gitee
commit 892f2ccbf6
28 changed files with 1045 additions and 3859 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
0001-Fix-bugs-in-smtp-server.patch
View File

@ -1,40 +0,0 @@
From a215a7d1a1c5eab40f6896fc07931a81d5504f18 Mon Sep 17 00:00:00 2001
From: maminjie <maminjie1@huawei.com>
Date: Sat, 27 Mar 2021 11:18:23 +0800
Subject: [PATCH] Fix bugs in smtp server
reference to: https://github.com/dovecot/core/pull/120
---
src/lib-smtp/smtp-server-cmd-data.c | 2 +-
src/lib-smtp/smtp-server-cmd-helo.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/lib-smtp/smtp-server-cmd-data.c b/src/lib-smtp/smtp-server-cmd-data.c
index 2650643..a7db425 100644
--- a/src/lib-smtp/smtp-server-cmd-data.c
+++ b/src/lib-smtp/smtp-server-cmd-data.c
@@ -654,7 +654,7 @@ void smtp_server_cmd_bdat(struct smtp_server_cmd_ctx *cmd,
}
}
- if (ret > 0 || size > 0) {
+ if (ret > 0 || (size > 0 && conn->smtp_parser)) {
/* read/skip data even in case of error, as long as size is
known */
input = smtp_command_parse_data_with_size(conn->smtp_parser,
diff --git a/src/lib-smtp/smtp-server-cmd-helo.c b/src/lib-smtp/smtp-server-cmd-helo.c
index 330ceaa..40ba328 100644
--- a/src/lib-smtp/smtp-server-cmd-helo.c
+++ b/src/lib-smtp/smtp-server-cmd-helo.c
@@ -155,7 +155,7 @@ smtp_server_cmd_ehlo_reply_create(struct smtp_server_cmd_ctx *cmd)
unsigned int extra_caps_count, i, j;
struct smtp_server_reply *reply;
- i_assert(cmd->cmd->reg->func == smtp_server_cmd_ehlo);
+ i_assert(cmd->cmd->reg->func == smtp_server_cmd_ehlo || cmd->cmd->reg->func == smtp_server_cmd_helo);
reply = smtp_server_reply_create_ehlo(cmd->cmd);
if (helo_data->helo.old_smtp)
--
2.23.0

27
0002-Fix-assert-crash-if-parsing-invalid-BODYSTRUCTURE.patch
View File

@ -1,27 +0,0 @@
From c4c499cb5b9fc35e8b850a9faf6b700feb3b299f Mon Sep 17 00:00:00 2001
From: maminjie <maminjie1@huawei.com>
Date: Sat, 27 Mar 2021 11:55:31 +0800
Subject: [PATCH] Fix assert-crash if parsing invalid BODYSTRUCTURE with empty
Content-Language list
reference to: https://github.com/dovecot/core/commit/dd51ae09a8a688c8466e31d5b6108756d5154153
---
src/lib-imap/imap-bodystructure.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/lib-imap/imap-bodystructure.c b/src/lib-imap/imap-bodystructure.c
index a2d778f..b52af28 100644
--- a/src/lib-imap/imap-bodystructure.c
+++ b/src/lib-imap/imap-bodystructure.c
@@ -245,6 +245,8 @@ imap_bodystructure_strlist_parse(const struct imap_arg *arg,
} else {
if (!imap_arg_get_list_full(arg, &list_args, &list_count))
return -1;
+ if (list_count == 0)
+ return -1;
list = p_new(pool, const char *, list_count+1);
for (i = 0; i < list_count; i++) {
--
2.23.0

26
0003-Handle-empty-lists-in-IMAP-BODYSTRUCTURE-parsing-as-invalid.patch
View File

@ -1,26 +0,0 @@
From 269640a83ac140b48aaa191eec13ead5dd60519a Mon Sep 17 00:00:00 2001
From: maminjie <maminjie1@huawei.com>
Date: Thu, 3 Jun 2021 11:24:44 +0800
Subject: [PATCH] Handle empty lists in IMAP BODYSTRUCTURE parsing as invalid
reference: https://github.com/dovecot/core/commit/586cca576970cc377a40f995512dbc02981900a3
---
src/lib-imap/imap-bodystructure.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/lib-imap/imap-bodystructure.c b/src/lib-imap/imap-bodystructure.c
index b52af28..07bd5a4 100644
--- a/src/lib-imap/imap-bodystructure.c
+++ b/src/lib-imap/imap-bodystructure.c
@@ -276,6 +276,8 @@ imap_bodystructure_params_parse(const struct imap_arg *arg,
return -1;
if ((list_count % 2) != 0)
return -1;
+ if (list_count == 0)
+ return -1;
params_count = list_count/2;
params = p_new(pool, struct message_part_param, params_count+1);
--
2.23.0

30
0004-Fix-writing-BODYSTRUCTURE-for-truncated-multipart-digest-part.patch
View File

@ -1,30 +0,0 @@
From 7039d1c3bc054142eb4034b88df150fda1eb75e4 Mon Sep 17 00:00:00 2001
From: maminjie <maminjie1@huawei.com>
Date: Thu, 3 Jun 2021 16:48:55 +0800
Subject: [PATCH] Fix writing BODYSTRUCTURE for truncated multipart/digest part
reference:
https://github.com/dovecot/core/commit/84cde48e5859b1d20f2fd98b57b7410b4d3727fa
https://github.com/dovecot/core/commit/0f66865e0e3dae3e902abd8bb559d7706dbff437
---
src/lib-imap/imap-bodystructure.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/lib-imap/imap-bodystructure.c b/src/lib-imap/imap-bodystructure.c
index 07bd5a4..81ce529 100644
--- a/src/lib-imap/imap-bodystructure.c
+++ b/src/lib-imap/imap-bodystructure.c
@@ -164,6 +164,10 @@ static void part_write_body(const struct message_part *part,
str_append_c(str, ' ');
imap_append_string(str, data->content_subtype);
}
+ bool part_is_text = (part->flags & MESSAGE_PART_FLAG_TEXT) != 0;
+ if (text != part_is_text) {
+ return;
+ }
}
/* ("content type param key" "value" ...) */
--
2.23.0

11
CVE-2015-3420.patch
View File

@ -1,11 +0,0 @@
diff -r 27ee6a472555 src/lib/strnum.h
--- a/src/lib/strnum.h Tue Dec 08 15:47:28 2015 +0200
+++ b/src/lib/strnum.h Wed Dec 09 10:54:49 2015 +0200
@@ -169,6 +169,7 @@
int str_parse_uoff(const char *str, uoff_t *num_r,
const char **endp_r) ATTR_WARN_UNUSED_RESULT ATTR_NULL(3);
+#define str_to_time str_to_time_no_collision
int str_to_time(const char *str, time_t *num_r)
ATTR_WARN_UNUSED_RESULT;

27
CVE-2016-8652.patch
View File

@ -1,27 +0,0 @@
From 1f2c35da2b96905bec6e45f88af0f33ee63789e6 Mon Sep 17 00:00:00 2001
From: Aki Tuomi <aki.tuomi@dovecot.fi>
Date: Wed, 23 Nov 2016 13:16:19 +0200
Subject: [PATCH] auth: Fix auth-policy crash when username is NULL
If SASL request is invalid, or incomplete, and username
is left NULL, handle it gracefully by adding just
NUL byte in auth policy digest for username.
---
src/auth/auth-policy.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff -Nur dovecot-2.3.3_old/src/auth/auth-policy.c dovecot-2.3.3/src/auth/auth-policy.c
--- dovecot-2.3.3_old/src/auth/auth-policy.c 2020-03-16 17:38:38.308283675 +0800
+++ dovecot-2.3.3/src/auth/auth-policy.c 2020-03-16 17:42:41.873103352 +0800
@@ -466,7 +466,10 @@
else
requested_username = "";
/* use +1 to make sure \0 gets included */
- digest->loop(ctx, requested_username, strlen(requested_username)+1);
+ if (context->request->user == NULL)
+ digest->loop(ctx, "\0", 1);
+ else
+ digest->loop(ctx, context->request->user, strlen(context->request->user) + 1);
if (password != NULL)
digest->loop(ctx, password, strlen(password));
ptr = buffer_get_modifiable_data(buffer, NULL);

3283
CVE-2020-12100-1.patch
View File

File diff suppressed because it is too large Load Diff

70
CVE-2020-12100-2.patch
View File

@ -1,70 +0,0 @@
From f691580f7450b41bb3de36d825fc46fa5071cabf Mon Sep 17 00:00:00 2001
Date: Mon, 26 Oct 2020 18:52:57 +0800
Subject: [PATCH] fix CVE-2020-12100
---
.../src/lib-sieve/plugins/notify/ext-notify-common.c | 3 ++-
.../src/lib-sieve/sieve-message.c | 12 ++++++------
2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/dovecot-2.3-pigeonhole-0.5.10/src/lib-sieve/plugins/notify/ext-notify-common.c b/dovecot-2.3-pigeonhole-0.5.10/src/lib-sieve/plugins/notify/ext-notify-common.c
index 700b79d..9d950f3 100644
--- a/dovecot-2.3-pigeonhole-0.5.10/src/lib-sieve/plugins/notify/ext-notify-common.c
+++ b/dovecot-2.3-pigeonhole-0.5.10/src/lib-sieve/plugins/notify/ext-notify-common.c
@@ -156,6 +156,7 @@ cmd_notify_extract_body_text(const struct sieve_runtime_env *renv,
{
const struct sieve_execute_env *eenv = renv->exec_env;
const struct sieve_extension *this_ext = renv->oprtn->ext;
+ const struct message_parser_settings parser_set = { .flags = 0 };
struct ext_notify_message_context *mctx;
struct mail *mail = eenv->msgdata->mail;
struct message_parser_ctx *parser;
@@ -189,7 +190,7 @@ cmd_notify_extract_body_text(const struct sieve_runtime_env *renv,
/* Initialize body decoder */
decoder = message_decoder_init(NULL, 0);
- parser = message_parser_init(mctx->pool, input, 0, 0);
+ parser = message_parser_init(mctx->pool, input, &parser_set);
is_text = TRUE;
save_body = FALSE;
while ((ret = message_parser_parse_next_block(parser, &block)) > 0) {
diff --git a/dovecot-2.3-pigeonhole-0.5.10/src/lib-sieve/sieve-message.c b/dovecot-2.3-pigeonhole-0.5.10/src/lib-sieve/sieve-message.c
index afbf31f..c791758 100644
--- a/dovecot-2.3-pigeonhole-0.5.10/src/lib-sieve/sieve-message.c
+++ b/dovecot-2.3-pigeonhole-0.5.10/src/lib-sieve/sieve-message.c
@@ -1081,10 +1081,10 @@ static int sieve_message_parts_add_missing
struct sieve_message_context *msgctx = renv->msgctx;
pool_t pool = msgctx->context_pool;
struct mail *mail = sieve_message_get_mail(renv->msgctx);
- enum message_parser_flags mparser_flags =
- MESSAGE_PARSER_FLAG_INCLUDE_MULTIPART_BLOCKS;
- enum message_header_parser_flags hparser_flags =
- MESSAGE_HEADER_PARSER_FLAG_SKIP_INITIAL_LWSP;
+ struct message_parser_settings parser_set = {
+ .hdr_flags = MESSAGE_HEADER_PARSER_FLAG_SKIP_INITIAL_LWSP,
+ .flags = MESSAGE_PARSER_FLAG_INCLUDE_MULTIPART_BLOCKS,
+ };
ARRAY(struct sieve_message_header) headers;
struct sieve_message_part *body_part, *header_part, *last_part;
struct message_parser_ctx *parser;
@@ -1121,7 +1121,7 @@ static int sieve_message_parts_add_missing
if (iter_all) {
t_array_init(&headers, 64);
hdr_content = t_str_new(512);
- hparser_flags |= MESSAGE_HEADER_PARSER_FLAG_CLEAN_ONELINE;
+ parser_set.hdr_flags |= MESSAGE_HEADER_PARSER_FLAG_CLEAN_ONELINE;
} else {
i_zero(&headers);
}
@@ -1133,7 +1133,7 @@ static int sieve_message_parts_add_missing
//parser = message_parser_init_from_parts(parts, input,
// hparser_flags, mparser_flags);
parser = message_parser_init(pool_datastack_create(),
- input, hparser_flags, mparser_flags);
+ input, &parser_set);
while ( (ret=message_parser_parse_next_block
(parser, &block)) > 0 ) {
struct sieve_message_part **body_part_idx;
--
2.23.0

31
CVE-2020-12673.patch
View File

@ -1,31 +0,0 @@
From fb246611e62ad8c5a95b0ca180a63f17aa34b0d8 Mon Sep 17 00:00:00 2001
From: Aki Tuomi <aki.tuomi@open-xchange.com>
Date: Mon, 18 May 2020 12:33:39 +0300
Subject: [PATCH] lib-ntlm: Check buffer length on responses
Add missing check for buffer length.
If this is not checked, it is possible to send message which
causes read past buffer bug.
Broken in c7480644202e5451fbed448508ea29a25cffc99c
---
src/lib-ntlm/ntlm-message.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/lib-ntlm/ntlm-message.c b/src/lib-ntlm/ntlm-message.c
index 160b9f918c..a29413b47e 100644
--- a/src/lib-ntlm/ntlm-message.c
+++ b/src/lib-ntlm/ntlm-message.c
@@ -184,6 +184,11 @@ static bool ntlmssp_check_buffer(const struct ntlmssp_buffer *buffer,
if (length == 0 && space == 0)
return TRUE;
+ if (length > data_size) {
+ *error = "buffer length out of bounds";
+ return FALSE;
+ }
+
if (offset >= data_size) {
*error = "buffer offset out of bounds";
return FALSE;

22
CVE-2020-12674.patch
View File

@ -1,22 +0,0 @@
From 69ad3c902ea4bbf9f21ab1857d8923f975dc6145 Mon Sep 17 00:00:00 2001
From: Aki Tuomi <aki.tuomi@open-xchange.com>
Date: Wed, 6 May 2020 13:40:36 +0300
Subject: [PATCH] auth: mech-rpa - Fail on zero len buffer
---
src/auth/mech-rpa.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/auth/mech-rpa.c b/src/auth/mech-rpa.c
index 08298ebdd6..2de8705b4f 100644
--- a/src/auth/mech-rpa.c
+++ b/src/auth/mech-rpa.c
@@ -224,7 +224,7 @@ rpa_read_buffer(pool_t pool, const unsigned char **data,
return 0;
len = *p++;
- if (p + len > end)
+ if (p + len > end || len == 0)
return 0;
*buffer = p_malloc(pool, len);

55
CVE-2020-24386.patch
View File

@ -1,55 +0,0 @@
From 62061e8cf68f506c0ccaaba21fd4174764ca875f Mon Sep 17 00:00:00 2001
From: Timo Sirainen <timo.sirainen@open-xchange.com>
Date: Mon, 17 Aug 2020 18:15:35 +0300
Subject: [PATCH] imap-login: Split off client_invalid_command()
---
src/imap-login/imap-login-client.c | 27 +++++++++++++++++----------
1 file changed, 17 insertions(+), 10 deletions(-)
diff --git a/src/imap-login/imap-login-client.c b/src/imap-login/imap-login-client.c
index e2af176309..ce5049d567 100644
--- a/src/imap-login/imap-login-client.c
+++ b/src/imap-login/imap-login-client.c
@@ -194,6 +194,22 @@ static int client_command_execute(struct imap_client *client, const char *cmd,
return login_cmd->func(client, args);
}
+static bool client_invalid_command(struct imap_client *client)
+{
+ if (*client->cmd_tag == '\0')
+ client->cmd_tag = "*";
+ if (++client->common.bad_counter >= CLIENT_MAX_BAD_COMMANDS) {
+ client_send_reply(&client->common, IMAP_CMD_REPLY_BYE,
+ "Too many invalid IMAP commands.");
+ client_destroy(&client->common,
+ "Disconnected: Too many invalid commands");
+ return FALSE;
+ }
+ client_send_reply(&client->common, IMAP_CMD_REPLY_BAD,
+ "Error in IMAP command received by server.");
+ return TRUE;
+}
+
static bool imap_is_valid_tag(const char *tag)
{
for (; *tag != '\0'; tag++) {
@@ -326,17 +342,8 @@ static bool imap_client_input_next_cmd(struct client *_client)
"not the command name. Add that before the command, "
"like: a login user pass");
} else if (ret < 0) {
- if (*client->cmd_tag == '\0')
- client->cmd_tag = "*";
- if (++client->common.bad_counter >= CLIENT_MAX_BAD_COMMANDS) {
- client_send_reply(&client->common, IMAP_CMD_REPLY_BYE,
- "Too many invalid IMAP commands.");
- client_destroy(&client->common,
- "Disconnected: Too many invalid commands");
+ if (!client_invalid_command(client))
return FALSE;
- }
- client_send_reply(&client->common, IMAP_CMD_REPLY_BAD,
- "Error in IMAP command received by server.");
}
return ret != 0 && !client->common.destroyed;

63
CVE-2020-25275-1.patch
View File

@ -1,63 +0,0 @@
From 266e54b7b8c34c9a58dd60a2e53c5ca7d1deae19 Mon Sep 17 00:00:00 2001
From: Timo Sirainen <timo.sirainen@open-xchange.com>
Date: Fri, 11 Sep 2020 10:57:51 +0300
Subject: [PATCH] lib-imap: Don't generate invalid BODYSTRUCTURE when reaching
MIME part limit
If the last MIME part was message/rfc822 and its child was truncated away,
BODYSTRUCTURE was missing the ENVELOPE and BODY[STRUCTURE] parts. Fixed by
writing empty dummy ones.
---
src/lib-imap/imap-bodystructure.c | 29 +++++++++++++++++++++++++++--
1 file changed, 27 insertions(+), 2 deletions(-)
diff --git a/src/lib-imap/imap-bodystructure.c b/src/lib-imap/imap-bodystructure.c
index 4e379e56a9..e3da1090b4 100644
--- a/src/lib-imap/imap-bodystructure.c
+++ b/src/lib-imap/imap-bodystructure.c
@@ -146,11 +146,25 @@ static void part_write_body(const struct message_part *part,
string_t *str, bool extended)
{
const struct message_part_data *data = part->data;
- bool text;
+ bool text, message_rfc822;
i_assert(part->data != NULL);
- if ((part->flags & MESSAGE_PART_FLAG_MESSAGE_RFC822) != 0) {
+ if ((part->flags & MESSAGE_PART_FLAG_MESSAGE_RFC822) != 0)
+ message_rfc822 = TRUE;
+ else if (data->content_type != NULL &&
+ strcasecmp(data->content_type, "message") == 0 &&
+ strcasecmp(data->content_subtype, "rfc822") == 0) {
+ /* It's message/rfc822, but without
+ MESSAGE_PART_FLAG_MESSAGE_RFC822. That likely means maximum
+ MIME part count was reached while parsing the mail. Write
+ the missing child mail's ENVELOPE and BODY as empty dummy
+ values. */
+ message_rfc822 = TRUE;
+ } else
+ message_rfc822 = FALSE;
+
+ if (message_rfc822) {
str_append(str, "\"message\" \"rfc822\"");
text = FALSE;
} else {
@@ -200,6 +214,17 @@ static void part_write_body(const struct message_part *part,
part_write_bodystructure_siblings(part->children, str, extended);
str_printfa(str, " %u", part->body_size.lines);
+ } else if (message_rfc822) {
+ /* truncated MIME part - write out dummy values */
+ i_assert(part->children == NULL);
+
+ str_append(str, " (NIL NIL NIL NIL NIL NIL NIL NIL NIL NIL) ");
+
+ if (!extended)
+ str_append(str, EMPTY_BODY);
+ else
+ str_append(str, EMPTY_BODYSTRUCTURE);
+ str_printfa(str, " %u", part->body_size.lines);
}
if (!extended)

129
CVE-2020-25275-2.patch
View File

@ -1,129 +0,0 @@
From 3df3d432073390bb403e9b022790497ae2f0dece Mon Sep 17 00:00:00 2001
From: Timo Sirainen <timo.sirainen@open-xchange.com>
Date: Wed, 3 Feb 2021 16:31:26 +0800
Subject: [PATCH] lib-mail: message-parser - Fix assert-crash when enforcing
MIME part limit
The limit could have been exceeded with message/rfc822 parts.
---
src/lib-mail/message-parser.c | 3 +-
src/lib-mail/test-message-parser.c | 82 ++++++++++++++++++++++++++++++
2 files changed, 84 insertions(+), 1 deletion(-)
diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c
index 011dea9..8bc5972 100644
--- a/src/lib-mail/message-parser.c
+++ b/src/lib-mail/message-parser.c
@@ -700,7 +700,8 @@ static int parse_next_header(struct message_parser_ctx *ctx,
ctx->multipart = FALSE;
ctx->parse_next_block = parse_next_body_to_boundary;
} else if ((part->flags & MESSAGE_PART_FLAG_MESSAGE_RFC822) != 0 &&
- !parse_too_many_nested_mime_parts(ctx)) {
+ !parse_too_many_nested_mime_parts(ctx) &&
+ ctx->total_parts_count < ctx->max_total_mime_parts) {
ctx->parse_next_block = parse_next_body_message_rfc822_init;
} else {
part->flags &= ~MESSAGE_PART_FLAG_MESSAGE_RFC822;
diff --git a/src/lib-mail/test-message-parser.c b/src/lib-mail/test-message-parser.c
index 71a738d..5dfe491 100644
--- a/src/lib-mail/test-message-parser.c
+++ b/src/lib-mail/test-message-parser.c
@@ -1131,6 +1131,87 @@ static const char input_msg[] =
test_end();
}
+static void test_message_parser_mime_part_limit_rfc822(void)
+{
+static const char input_msg[] =
+"Content-Type: multipart/mixed; boundary=\"1\"\n"
+"\n"
+"--1\n"
+"Content-Type: multipart/mixed; boundary=\"2\"\n"
+"\n"
+"--2\n"
+"Content-Type: message/rfc822\n"
+"\n"
+"Content-Type: text/plain\n"
+"\n"
+"1\n"
+"--2\n"
+"Content-Type: message/rfc822\n"
+"\n"
+"Content-Type: text/plain\n"
+"\n"
+"22\n"
+"--1\n"
+"Content-Type: message/rfc822\n"
+"\n"
+"Content-Type: text/plain\n"
+"\n"
+"333\n";
+ const struct message_parser_settings parser_set = {
+ .max_total_mime_parts = 3,
+ };
+ struct message_parser_ctx *parser;
+ struct istream *input;
+ struct message_part *parts, *part;
+ struct message_block block;
+ pool_t pool;
+ int ret;
+
+ test_begin("message parser mime part limit rfc822");
+ pool = pool_alloconly_create("message parser", 10240);
+ input = test_istream_create(input_msg);
+
+ parser = message_parser_init(pool, input, &parser_set);
+ while ((ret = message_parser_parse_next_block(parser, &block)) > 0) ;
+ test_assert(ret < 0);
+ message_parser_deinit(&parser, &parts);
+
+ part = parts;
+ test_assert(part->children_count == 2);
+ test_assert(part->flags == (MESSAGE_PART_FLAG_MULTIPART | MESSAGE_PART_FLAG_IS_MIME));
+ test_assert(part->header_size.lines == 2);
+ test_assert(part->header_size.physical_size == 45);
+ test_assert(part->header_size.virtual_size == 45+2);
+ test_assert(part->body_size.lines == 21);
+ test_assert(part->body_size.physical_size == 238);
+ test_assert(part->body_size.virtual_size == 238+21);
+
+ part = parts->children;
+ test_assert(part->children_count == 1);
+ test_assert(part->flags == (MESSAGE_PART_FLAG_MULTIPART | MESSAGE_PART_FLAG_IS_MIME));
+ test_assert(part->header_size.lines == 2);
+ test_assert(part->header_size.physical_size == 45);
+ test_assert(part->header_size.virtual_size == 45+2);
+ test_assert(part->body_size.lines == 18);
+ test_assert(part->body_size.physical_size == 189);
+ test_assert(part->body_size.virtual_size == 189+18);
+
+ part = parts->children->children;
+ test_assert(part->children_count == 0);
+ test_assert(part->flags == MESSAGE_PART_FLAG_IS_MIME);
+ test_assert(part->header_size.lines == 2);
+ test_assert(part->header_size.physical_size == 30);
+ test_assert(part->header_size.virtual_size == 30+2);
+ test_assert(part->body_size.lines == 15);
+ test_assert(part->body_size.physical_size == 155);
+ test_assert(part->body_size.virtual_size == 155+15);
+
+ test_parsed_parts(input, parts);
+ i_stream_unref(&input);
+ pool_unref(&pool);
+ test_end();
+}
+
int main(void)
{
static void (*const test_functions[])(void) = {
@@ -1151,6 +1232,7 @@ int main(void)
test_message_parser_mime_part_nested_limit,
test_message_parser_mime_part_nested_limit_rfc822,
test_message_parser_mime_part_limit,
+ test_message_parser_mime_part_limit_rfc822,
NULL
};
return test_run(test_functions);
--
2.23.0

12
dovecot-2.1.10-waitonline.patch
View File

@ -1,11 +1,11 @@
diff -up dovecot-2.3.0.1/dovecot.service.in.waitonline dovecot-2.3.0.1/dovecot.service.in
--- dovecot-2.3.0.1/dovecot.service.in.waitonline 2018-03-01 10:35:39.888371078 +0100
+++ dovecot-2.3.0.1/dovecot.service.in 2018-03-01 10:36:29.738784661 +0100
@@ -12,6 +12,7 @@ After=local-fs.target network-online.tar
diff -up dovecot-2.3.15/dovecot.service.in.waitonline dovecot-2.3.15/dovecot.service.in
--- dovecot-2.3.15/dovecot.service.in.waitonline 2021-06-21 20:19:19.560494654 +0200
+++ dovecot-2.3.15/dovecot.service.in 2021-06-21 20:21:17.443066248 +0200
@@ -15,6 +15,7 @@ After=local-fs.target network-online.tar
[Service]
Type=simple
Type=@systemdservicetype@
+ExecStartPre=/usr/libexec/dovecot/prestartscript
ExecStart=@sbindir@/dovecot -F
PIDFile=@rundir@/master.pid
ExecReload=@bindir@/doveadm reload
ExecStop=@bindir@/doveadm stop

37
dovecot-2.2.20-initbysystemd.patch
View File

@ -1,6 +1,6 @@
diff -up dovecot-2.3.0.1/dovecot-init.service.initbysystemd dovecot-2.3.0.1/dovecot-init.service
--- dovecot-2.3.0.1/dovecot-init.service.initbysystemd 2018-03-01 10:38:22.059716008 +0100
+++ dovecot-2.3.0.1/dovecot-init.service 2018-03-01 10:38:22.059716008 +0100
diff -up dovecot-2.3.15/dovecot-init.service.initbysystemd dovecot-2.3.15/dovecot-init.service
--- dovecot-2.3.15/dovecot-init.service.initbysystemd 2021-06-21 20:21:49.250680889 +0200
+++ dovecot-2.3.15/dovecot-init.service 2021-06-21 20:21:49.250680889 +0200
@@ -0,0 +1,13 @@
+[Unit]
+Description=One-time Dovecot init service
@ -15,32 +15,37 @@ diff -up dovecot-2.3.0.1/dovecot-init.service.initbysystemd dovecot-2.3.0.1/dove
+ SSLDIR=/etc/pki/dovecot/ OPENSSLCONFIG=/etc/pki/dovecot/dovecot-openssl.cnf /usr/libexec/dovecot/mkcert.sh /dev/null 2>&1;\
+fi'
+
diff -up dovecot-2.3.0.1/dovecot.service.in.initbysystemd dovecot-2.3.0.1/dovecot.service.in
--- dovecot-2.3.0.1/dovecot.service.in.initbysystemd 2018-03-01 10:38:22.060716016 +0100
+++ dovecot-2.3.0.1/dovecot.service.in 2018-03-01 10:40:45.524901319 +0100
@@ -8,7 +8,8 @@
diff -up dovecot-2.3.15/dovecot.service.in.initbysystemd dovecot-2.3.15/dovecot.service.in
--- dovecot-2.3.15/dovecot.service.in.initbysystemd 2021-06-21 20:21:49.250680889 +0200
+++ dovecot-2.3.15/dovecot.service.in 2021-06-21 20:22:46.935981920 +0200
@@ -11,7 +11,8 @@
Description=Dovecot IMAP/POP3 email server
Documentation=man:dovecot(1)
Documentation=http://wiki2.dovecot.org/
Documentation=https://doc.dovecot.org/
-After=local-fs.target network-online.target
+After=local-fs.target network-online.target dovecot-init.service
+Requires=dovecot-init.service
[Service]
Type=simple
diff -up dovecot-2.3.0.1/Makefile.am.initbysystemd dovecot-2.3.0.1/Makefile.am
--- dovecot-2.3.0.1/Makefile.am.initbysystemd 2018-02-28 15:28:57.000000000 +0100
+++ dovecot-2.3.0.1/Makefile.am 2018-03-01 10:38:22.060716016 +0100
@@ -63,9 +63,10 @@ if HAVE_SYSTEMD
Type=@systemdservicetype@
diff -up dovecot-2.3.15/Makefile.am.initbysystemd dovecot-2.3.15/Makefile.am
--- dovecot-2.3.15/Makefile.am.initbysystemd 2021-06-21 20:21:49.250680889 +0200
+++ dovecot-2.3.15/Makefile.am 2021-06-21 20:24:26.676765849 +0200
@@ -21,6 +21,7 @@ EXTRA_DIST = \
run-test-valgrind.supp \
dovecot.service.in \
dovecot.socket \
+ dovecot-init.service \
$(conf_DATA)
noinst_DATA = dovecot-config
@@ -69,7 +70,8 @@ dovecot-config: dovecot-config.in Makefi
if WANT_SYSTEMD
systemdsystemunit_DATA = \
dovecot.socket \
- dovecot.service
+ dovecot.service \
+ dovecot-init.service
else
-EXTRA_DIST += dovecot.socket dovecot.service.in
+EXTRA_DIST += dovecot.socket dovecot.service.in dovecot-init.service
endif
install-exec-hook:

BIN
dovecot-2.3-pigeonhole-0.5.10.tar.gz
View File

Binary file not shown.

BIN
dovecot-2.3-pigeonhole-0.5.15.tar.gz Normal file
View File

Binary file not shown.

BIN
dovecot-2.3.10.1.tar.gz
View File

Binary file not shown.

10
dovecot-2.3.11-bigkey.patch Normal file
View File

@ -0,0 +1,10 @@
diff -up dovecot-2.3.15/doc/dovecot-openssl.cnf.bigkey dovecot-2.3.15/doc/dovecot-openssl.cnf
--- dovecot-2.3.15/doc/dovecot-openssl.cnf.bigkey 2021-06-21 20:24:51.913456628 +0200
+++ dovecot-2.3.15/doc/dovecot-openssl.cnf 2021-06-21 20:25:36.352912123 +0200
@@ -1,5 +1,5 @@
[ req ]
-default_bits = 2048
+default_bits = 3072
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type

24
dovecot-2.3.15-fixvalcond.patch Normal file
View File

@ -0,0 +1,24 @@
diff -up dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.15/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.15/src/lib-sieve/storage/dict/sieve-dict-script.c
--- dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.15/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond 2021-06-21 23:07:55.269814896 +0200
+++ dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.15/src/lib-sieve/storage/dict/sieve-dict-script.c 2021-06-21 23:07:55.298814544 +0200
@@ -109,7 +109,7 @@ static int sieve_dict_script_get_stream
{
struct sieve_dict_script *dscript =
(struct sieve_dict_script *)script;
- const char *path, *name = script->name, *data, *error;
+ const char *path, *name = script->name, *data, *error = NULL;
int ret;
dscript->data_pool =
diff -up dovecot-2.3.15/src/lib-storage/index/index-attribute.c.fixvalcond dovecot-2.3.15/src/lib-storage/index/index-attribute.c
--- dovecot-2.3.15/src/lib-storage/index/index-attribute.c.fixvalcond 2021-06-14 15:40:37.000000000 +0200
+++ dovecot-2.3.15/src/lib-storage/index/index-attribute.c 2021-06-21 21:52:22.963171229 +0200
@@ -249,7 +249,7 @@ int index_storage_attribute_get(struct m
struct mail_attribute_value *value_r)
{
struct dict *dict;
- const char *mailbox_prefix, *error;
+ const char *mailbox_prefix, *error = NULL;
int ret;
i_zero(value_r);

20
dovecot-2.3.15-valbasherr.patch Normal file
View File

@ -0,0 +1,20 @@
diff -up dovecot-2.3.15/run-test-valgrind.supp.valbasherr dovecot-2.3.15/run-test-valgrind.supp
--- dovecot-2.3.15/run-test-valgrind.supp.valbasherr 2021-06-21 22:52:53.272707239 +0200
+++ dovecot-2.3.15/run-test-valgrind.supp 2021-06-21 22:54:19.786668430 +0200
@@ -1,4 +1,16 @@
{
+ <bashagin>
+ Memcheck:Leak
+ match-leak-kinds: definite
+ fun:malloc
+ fun:make_if_command
+ fun:yyparse
+ fun:parse_command
+ fun:read_command
+ fun:reader_loop
+ fun:main
+}
+{
<bash>
Memcheck:Leak
fun:malloc

BIN
dovecot-2.3.15.tar.gz Normal file
View File

Binary file not shown.

813
dovecot-2.3.6-opensslhmac.patch Normal file
View File

@ -0,0 +1,813 @@
diff -up dovecot-2.3.14/src/auth/auth-token.c.opensslhmac dovecot-2.3.14/src/auth/auth-token.c
--- dovecot-2.3.14/src/auth/auth-token.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/auth/auth-token.c 2021-03-22 20:44:13.022912242 +0100
@@ -161,17 +161,17 @@ void auth_token_deinit(void)
const char *auth_token_get(const char *service, const char *session_pid,
const char *username, const char *session_id)
{
- struct hmac_context ctx;
+ struct openssl_hmac_context ctx;
unsigned char result[SHA1_RESULTLEN];
- hmac_init(&ctx, (const unsigned char*)username, strlen(username),
+ openssl_hmac_init(&ctx, (const unsigned char*)username, strlen(username),
&hash_method_sha1);
- hmac_update(&ctx, session_pid, strlen(session_pid));
+ openssl_hmac_update(&ctx, session_pid, strlen(session_pid));
if (session_id != NULL && *session_id != '\0')
- hmac_update(&ctx, session_id, strlen(session_id));
- hmac_update(&ctx, service, strlen(service));
- hmac_update(&ctx, auth_token_secret, sizeof(auth_token_secret));
- hmac_final(&ctx, result);
+ openssl_hmac_update(&ctx, session_id, strlen(session_id));
+ openssl_hmac_update(&ctx, service, strlen(service));
+ openssl_hmac_update(&ctx, auth_token_secret, sizeof(auth_token_secret));
+ openssl_hmac_final(&ctx, result);
return binary_to_hex(result, sizeof(result));
}
diff -up dovecot-2.3.14/src/auth/mech-cram-md5.c.opensslhmac dovecot-2.3.14/src/auth/mech-cram-md5.c
--- dovecot-2.3.14/src/auth/mech-cram-md5.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/auth/mech-cram-md5.c 2021-03-22 20:44:13.022912242 +0100
@@ -51,7 +51,7 @@ static bool verify_credentials(struct cr
{
unsigned char digest[MD5_RESULTLEN];
- struct hmac_context ctx;
+ struct orig_hmac_context ctx;
const char *response_hex;
if (size != CRAM_MD5_CONTEXTLEN) {
@@ -60,10 +60,10 @@ static bool verify_credentials(struct cr
return FALSE;
}
- hmac_init(&ctx, NULL, 0, &hash_method_md5);
+ orig_hmac_init(&ctx, NULL, 0, &hash_method_md5);
hmac_md5_set_cram_context(&ctx, credentials);
- hmac_update(&ctx, request->challenge, strlen(request->challenge));
- hmac_final(&ctx, digest);
+ orig_hmac_update(&ctx, request->challenge, strlen(request->challenge));
+ orig_hmac_final(&ctx, digest);
response_hex = binary_to_hex(digest, sizeof(digest));
diff -up dovecot-2.3.14/src/auth/mech-scram.c.opensslhmac dovecot-2.3.14/src/auth/mech-scram.c
--- dovecot-2.3.14/src/auth/mech-scram.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/auth/mech-scram.c 2021-03-22 20:44:13.022912242 +0100
@@ -78,7 +78,7 @@ static const char *get_scram_server_firs
static const char *get_scram_server_final(struct scram_auth_request *request)
{
const struct hash_method *hmethod = request->hash_method;
- struct hmac_context ctx;
+ struct openssl_hmac_context ctx;
const char *auth_message;
unsigned char server_signature[hmethod->digest_size];
string_t *str;
@@ -87,9 +87,9 @@ static const char *get_scram_server_fina
request->server_first_message, ",",
request->client_final_message_without_proof, NULL);
- hmac_init(&ctx, request->server_key, hmethod->digest_size, hmethod);
- hmac_update(&ctx, auth_message, strlen(auth_message));
- hmac_final(&ctx, server_signature);
+ openssl_hmac_init(&ctx, request->server_key, hmethod->digest_size, hmethod);
+ openssl_hmac_update(&ctx, auth_message, strlen(auth_message));
+ openssl_hmac_final(&ctx, server_signature);
str = t_str_new(MAX_BASE64_ENCODED_SIZE(sizeof(server_signature)));
str_append(str, "v=");
@@ -228,7 +228,7 @@ static bool parse_scram_client_first(str
static bool verify_credentials(struct scram_auth_request *request)
{
const struct hash_method *hmethod = request->hash_method;
- struct hmac_context ctx;
+ struct openssl_hmac_context ctx;
const char *auth_message;
unsigned char client_key[hmethod->digest_size];
unsigned char client_signature[hmethod->digest_size];
@@ -239,9 +239,9 @@ static bool verify_credentials(struct sc
request->server_first_message, ",",
request->client_final_message_without_proof, NULL);
- hmac_init(&ctx, request->stored_key, hmethod->digest_size, hmethod);
- hmac_update(&ctx, auth_message, strlen(auth_message));
- hmac_final(&ctx, client_signature);
+ openssl_hmac_init(&ctx, request->stored_key, hmethod->digest_size, hmethod);
+ openssl_hmac_update(&ctx, auth_message, strlen(auth_message));
+ openssl_hmac_final(&ctx, client_signature);
const unsigned char *proof_data = request->proof->data;
for (i = 0; i < sizeof(client_signature); i++)
diff -up dovecot-2.3.14/src/auth/password-scheme.c.opensslhmac dovecot-2.3.14/src/auth/password-scheme.c
--- dovecot-2.3.14/src/auth/password-scheme.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/auth/password-scheme.c 2021-03-22 20:44:13.022912242 +0100
@@ -639,11 +639,11 @@ static void
cram_md5_generate(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED,
const unsigned char **raw_password_r, size_t *size_r)
{
- struct hmac_context ctx;
+ struct orig_hmac_context ctx;
unsigned char *context_digest;
context_digest = t_malloc_no0(CRAM_MD5_CONTEXTLEN);
- hmac_init(&ctx, (const unsigned char *)plaintext,
+ orig_hmac_init(&ctx, (const unsigned char *)plaintext,
strlen(plaintext), &hash_method_md5);
hmac_md5_get_cram_context(&ctx, context_digest);
diff -up dovecot-2.3.14/src/auth/password-scheme-scram.c.opensslhmac dovecot-2.3.14/src/auth/password-scheme-scram.c
--- dovecot-2.3.14/src/auth/password-scheme-scram.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/auth/password-scheme-scram.c 2021-03-22 20:44:13.023912229 +0100
@@ -30,23 +30,23 @@ Hi(const struct hash_method *hmethod, co
const unsigned char *salt, size_t salt_size, unsigned int i,
unsigned char *result)
{
- struct hmac_context ctx;
+ struct openssl_hmac_context ctx;
unsigned char U[hmethod->digest_size];
unsigned int j, k;
/* Calculate U1 */
- hmac_init(&ctx, str, str_size, hmethod);
- hmac_update(&ctx, salt, salt_size);
- hmac_update(&ctx, "\0\0\0\1", 4);
- hmac_final(&ctx, U);
+ openssl_hmac_init(&ctx, str, str_size, hmethod);
+ openssl_hmac_update(&ctx, salt, salt_size);
+ openssl_hmac_update(&ctx, "\0\0\0\1", 4);
+ openssl_hmac_final(&ctx, U);
memcpy(result, U, hmethod->digest_size);
/* Calculate U2 to Ui and Hi */
for (j = 2; j <= i; j++) {
- hmac_init(&ctx, str, str_size, hmethod);
- hmac_update(&ctx, U, sizeof(U));
- hmac_final(&ctx, U);
+ openssl_hmac_init(&ctx, str, str_size, hmethod);
+ openssl_hmac_update(&ctx, U, sizeof(U));
+ openssl_hmac_final(&ctx, U);
for (k = 0; k < hmethod->digest_size; k++)
result[k] ^= U[k];
}
@@ -102,7 +102,7 @@ int scram_verify(const struct hash_metho
const char *plaintext, const unsigned char *raw_password,
size_t size, const char **error_r)
{
- struct hmac_context ctx;
+ struct openssl_hmac_context ctx;
const char *salt_base64;
unsigned int iter_count;
const unsigned char *salt;
@@ -126,9 +126,9 @@ int scram_verify(const struct hash_metho
salt, salt_len, iter_count, salted_password);
/* Calculate ClientKey */
- hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod);
- hmac_update(&ctx, "Client Key", 10);
- hmac_final(&ctx, client_key);
+ openssl_hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod);
+ openssl_hmac_update(&ctx, "Client Key", 10);
+ openssl_hmac_final(&ctx, client_key);
/* Calculate StoredKey */
hash_method_get_digest(hmethod, client_key, sizeof(client_key),
@@ -147,7 +147,7 @@ void scram_generate(const struct hash_me
const unsigned char **raw_password_r, size_t *size_r)
{
string_t *str;
- struct hmac_context ctx;
+ struct openssl_hmac_context ctx;
unsigned char salt[16];
unsigned char salted_password[hmethod->digest_size];
unsigned char client_key[hmethod->digest_size];
@@ -165,9 +165,9 @@ void scram_generate(const struct hash_me
sizeof(salt), SCRAM_DEFAULT_ITERATE_COUNT, salted_password);
/* Calculate ClientKey */
- hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod);
- hmac_update(&ctx, "Client Key", 10);
- hmac_final(&ctx, client_key);
+ openssl_hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod);
+ openssl_hmac_update(&ctx, "Client Key", 10);
+ openssl_hmac_final(&ctx, client_key);
/* Calculate StoredKey */
hash_method_get_digest(hmethod, client_key, sizeof(client_key),
@@ -176,9 +176,9 @@ void scram_generate(const struct hash_me
base64_encode(stored_key, sizeof(stored_key), str);
/* Calculate ServerKey */
- hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod);
- hmac_update(&ctx, "Server Key", 10);
- hmac_final(&ctx, server_key);
+ openssl_hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod);
+ openssl_hmac_update(&ctx, "Server Key", 10);
+ openssl_hmac_final(&ctx, server_key);
str_append_c(str, ',');
base64_encode(server_key, sizeof(server_key), str);
diff -up dovecot-2.3.14/src/lib/hmac.c.opensslhmac dovecot-2.3.14/src/lib/hmac.c
--- dovecot-2.3.14/src/lib/hmac.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/lib/hmac.c 2021-03-22 20:44:13.023912229 +0100
@@ -7,6 +7,10 @@
* This software is released under the MIT license.
*/
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
#include "lib.h"
#include "hmac.h"
#include "safe-memset.h"
@@ -14,10 +18,65 @@
#include "hex-binary.h"
-void hmac_init(struct hmac_context *_ctx, const unsigned char *key,
+#ifndef HAVE_HMAC_CTX_NEW
+# define HMAC_Init_ex(ctx, key, key_len, md, impl) \
+ HMAC_Init_ex(&(ctx), key, key_len, md, impl)
+# define HMAC_Update(ctx, data, len) HMAC_Update(&(ctx), data, len)
+# define HMAC_Final(ctx, md, len) HMAC_Final(&(ctx), md, len)
+# define HMAC_CTX_free(ctx) HMAC_cleanup(&(ctx))
+#else
+# define HMAC_CTX_free(ctx) \
+ STMT_START { HMAC_CTX_free(ctx); (ctx) = NULL; } STMT_END
+#endif
+
+
+void openssl_hmac_init(struct openssl_hmac_context *_ctx, const unsigned char *key,
size_t key_len, const struct hash_method *meth)
{
- struct hmac_context_priv *ctx = &_ctx->u.priv;
+ struct openssl_hmac_context_priv *ctx = &_ctx->u.priv;
+
+ const EVP_MD *md;
+ const char *ebuf = NULL;
+ const char **error_r = &ebuf;
+
+ md = EVP_get_digestbyname(meth->name);
+ if(md == NULL) {
+ if (error_r != NULL) {
+ *error_r = t_strdup_printf("Invalid digest %s",
+ meth->name);
+ }
+ //return FALSE;
+ }
+
+// int ec;
+
+ i_assert(md != NULL);
+#ifdef HAVE_HMAC_CTX_NEW
+ ctx->ctx = HMAC_CTX_new();
+/* if (ctx->ctx == NULL)
+ dcrypt_openssl_error(error_r);*/
+#endif
+ /*ec = */HMAC_Init_ex(ctx->ctx, key, key_len, md, NULL);
+}
+
+void orig_hmac_init(struct orig_hmac_context *_ctx, const unsigned char *key,
+ size_t key_len, const struct hash_method *meth)
+{
+ static int no_fips = -1;
+ if (no_fips == -1) {
+ int fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY);
+ if (fd != -1)
+ {
+ char buf[4];
+ if (read(fd, buf, 4) > 0)
+ {
+ no_fips = buf[0] == '0';
+ }
+ close(fd);
+ }
+ }
+ i_assert(no_fips);
+ struct orig_hmac_context_priv *ctx = &_ctx->u.priv;
unsigned int i;
unsigned char k_ipad[meth->block_size];
unsigned char k_opad[meth->block_size];
@@ -53,9 +112,27 @@ void hmac_init(struct hmac_context *_ctx
safe_memset(k_opad, 0, meth->block_size);
}
-void hmac_final(struct hmac_context *_ctx, unsigned char *digest)
+void openssl_hmac_final(struct openssl_hmac_context *_ctx, unsigned char *digest)
+{
+ int ec;
+ unsigned char buf[HMAC_MAX_MD_CBLOCK];
+ unsigned int outl;
+// const char *ebuf = NULL;
+// const char **error_r = &ebuf;
+
+ struct openssl_hmac_context_priv *ctx = &_ctx->u.priv;
+ ec = HMAC_Final(ctx->ctx, buf, &outl);
+ HMAC_CTX_free(ctx->ctx);
+ if (ec == 1)
+ memcpy(digest, buf, outl);
+// else
+// dcrypt_openssl_error(error_r);
+
+}
+
+void orig_hmac_final(struct orig_hmac_context *_ctx, unsigned char *digest)
{
- struct hmac_context_priv *ctx = &_ctx->u.priv;
+ struct orig_hmac_context_priv *ctx = &_ctx->u.priv;
ctx->hash->result(ctx->ctx, digest);
@@ -63,53 +140,50 @@ void hmac_final(struct hmac_context *_ct
ctx->hash->result(ctx->ctxo, digest);
}
-buffer_t *t_hmac_data(const struct hash_method *meth,
+buffer_t *openssl_t_hmac_data(const struct hash_method *meth,
const unsigned char *key, size_t key_len,
const void *data, size_t data_len)
{
- struct hmac_context ctx;
+ struct openssl_hmac_context ctx;
i_assert(meth != NULL);
i_assert(key != NULL && key_len > 0);
i_assert(data != NULL || data_len == 0);
buffer_t *res = t_buffer_create(meth->digest_size);
- hmac_init(&ctx, key, key_len, meth);
+ openssl_hmac_init(&ctx, key, key_len, meth);
if (data_len > 0)
- hmac_update(&ctx, data, data_len);
+ openssl_hmac_update(&ctx, data, data_len);
unsigned char *buf = buffer_get_space_unsafe(res, 0, meth->digest_size);
- hmac_final(&ctx, buf);
+ openssl_hmac_final(&ctx, buf);
return res;
}
-buffer_t *t_hmac_buffer(const struct hash_method *meth,
+buffer_t *openssl_t_hmac_buffer(const struct hash_method *meth,
const unsigned char *key, size_t key_len,
const buffer_t *data)
{
- return t_hmac_data(meth, key, key_len, data->data, data->used);
+ return openssl_t_hmac_data(meth, key, key_len, data->data, data->used);
}
-buffer_t *t_hmac_str(const struct hash_method *meth,
+buffer_t *openssl_t_hmac_str(const struct hash_method *meth,
const unsigned char *key, size_t key_len,
const char *data)
{
- return t_hmac_data(meth, key, key_len, data, strlen(data));
+ return openssl_t_hmac_data(meth, key, key_len, data, strlen(data));
}
-void hmac_hkdf(const struct hash_method *method,
+void openssl_hmac_hkdf(const struct hash_method *method,
const unsigned char *salt, size_t salt_len,
const unsigned char *ikm, size_t ikm_len,
const unsigned char *info, size_t info_len,
buffer_t *okm_r, size_t okm_len)
{
+ const EVP_MD *md;
+ EVP_PKEY_CTX *pctx;
+ int r = 1;
+
i_assert(method != NULL);
i_assert(okm_len < 255*method->digest_size);
- struct hmac_context key_mac;
- struct hmac_context info_mac;
- size_t remain = okm_len;
- unsigned char prk[method->digest_size];
- unsigned char okm[method->digest_size];
- /* N = ceil(L/HashLen) */
- unsigned int rounds = (okm_len + method->digest_size - 1)/method->digest_size;
/* salt and info can be NULL */
i_assert(salt != NULL || salt_len == 0);
@@ -118,35 +192,30 @@ void hmac_hkdf(const struct hash_method
i_assert(ikm != NULL && ikm_len > 0);
i_assert(okm_r != NULL && okm_len > 0);
- /* but they still need valid pointer, reduces
- complains from static analysers */
- if (salt == NULL)
- salt = &uchar_nul;
- if (info == NULL)
- info = &uchar_nul;
-
- /* extract */
- hmac_init(&key_mac, salt, salt_len, method);
- hmac_update(&key_mac, ikm, ikm_len);
- hmac_final(&key_mac, prk);
-
- /* expand */
- for (unsigned int i = 0; remain > 0 && i < rounds; i++) {
- unsigned char round = (i+1);
- size_t amt = remain;
- if (amt > method->digest_size)
- amt = method->digest_size;
- hmac_init(&info_mac, prk, method->digest_size, method);
- if (i > 0)
- hmac_update(&info_mac, okm, method->digest_size);
- hmac_update(&info_mac, info, info_len);
- hmac_update(&info_mac, &round, 1);
- memset(okm, 0, method->digest_size);
- hmac_final(&info_mac, okm);
- buffer_append(okm_r, okm, amt);
- remain -= amt;
+
+ md = EVP_get_digestbyname(method->name);
+ pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
+ unsigned char *okm_buf = buffer_get_space_unsafe(okm_r, 0, okm_len);
+
+ if ((r=EVP_PKEY_derive_init(pctx)) <= 0)
+ goto out;
+ if ((r=EVP_PKEY_CTX_set_hkdf_md(pctx, md)) <= 0)
+ goto out;
+ if ((r=EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt, salt_len)) <= 0)
+ goto out;
+ if ((r=EVP_PKEY_CTX_set1_hkdf_key(pctx, ikm, ikm_len)) <= 0)
+ goto out;
+ if ((r=EVP_PKEY_CTX_add1_hkdf_info(pctx, info, info_len)) <= 0)
+ goto out;
+ if ((r=EVP_PKEY_derive(pctx, okm_buf, &okm_len)) <= 0)
+ goto out;
+
+ out:
+ EVP_PKEY_CTX_free(pctx);
+ if (r <= 0) {
+ unsigned long ec = ERR_get_error();
+ unsigned char *error = t_strdup_printf("%s", ERR_error_string(ec, NULL));
+ i_error("%s", error);
}
- safe_memset(prk, 0, sizeof(prk));
- safe_memset(okm, 0, sizeof(okm));
}
diff -up dovecot-2.3.14/src/lib/hmac-cram-md5.c.opensslhmac dovecot-2.3.14/src/lib/hmac-cram-md5.c
--- dovecot-2.3.14/src/lib/hmac-cram-md5.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/lib/hmac-cram-md5.c 2021-03-22 20:44:13.023912229 +0100
@@ -9,10 +9,10 @@
#include "md5.h"
#include "hmac-cram-md5.h"
-void hmac_md5_get_cram_context(struct hmac_context *_hmac_ctx,
+void hmac_md5_get_cram_context(struct orig_hmac_context *_hmac_ctx,
unsigned char context_digest[CRAM_MD5_CONTEXTLEN])
{
- struct hmac_context_priv *hmac_ctx = &_hmac_ctx->u.priv;
+ struct orig_hmac_context_priv *hmac_ctx = &_hmac_ctx->u.priv;
unsigned char *cdp;
struct md5_context *ctx = (void*)hmac_ctx->ctx;
@@ -35,10 +35,10 @@ void hmac_md5_get_cram_context(struct hm
CDPUT(cdp, ctx->d);
}
-void hmac_md5_set_cram_context(struct hmac_context *_hmac_ctx,
+void hmac_md5_set_cram_context(struct orig_hmac_context *_hmac_ctx,
const unsigned char context_digest[CRAM_MD5_CONTEXTLEN])
{
- struct hmac_context_priv *hmac_ctx = &_hmac_ctx->u.priv;
+ struct orig_hmac_context_priv *hmac_ctx = &_hmac_ctx->u.priv;
const unsigned char *cdp;
struct md5_context *ctx = (void*)hmac_ctx->ctx;
diff -up dovecot-2.3.14/src/lib/hmac-cram-md5.h.opensslhmac dovecot-2.3.14/src/lib/hmac-cram-md5.h
--- dovecot-2.3.14/src/lib/hmac-cram-md5.h.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/lib/hmac-cram-md5.h 2021-03-22 20:44:13.023912229 +0100
@@ -5,9 +5,9 @@
#define CRAM_MD5_CONTEXTLEN 32
-void hmac_md5_get_cram_context(struct hmac_context *ctx,
+void hmac_md5_get_cram_context(struct orig_hmac_context *ctx,
unsigned char context_digest[CRAM_MD5_CONTEXTLEN]);
-void hmac_md5_set_cram_context(struct hmac_context *ctx,
+void hmac_md5_set_cram_context(struct orig_hmac_context *ctx,
const unsigned char context_digest[CRAM_MD5_CONTEXTLEN]);
diff -up dovecot-2.3.14/src/lib/hmac.h.opensslhmac dovecot-2.3.14/src/lib/hmac.h
--- dovecot-2.3.14/src/lib/hmac.h.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/lib/hmac.h 2021-03-22 20:44:13.023912229 +0100
@@ -4,60 +4,97 @@
#include "hash-method.h"
#include "sha1.h"
#include "sha2.h"
+#include <openssl/objects.h>
+#include <openssl/hmac.h>
+#include <openssl/kdf.h>
+#include <openssl/err.h>
#define HMAC_MAX_CONTEXT_SIZE sizeof(struct sha512_ctx)
-struct hmac_context_priv {
+struct openssl_hmac_context_priv {
+#ifdef HAVE_HMAC_CTX_NEW
+ HMAC_CTX *ctx;
+#else
+ HMAC_CTX ctx;
+#endif
+ const struct hash_method *hash;
+};
+
+struct orig_hmac_context_priv {
char ctx[HMAC_MAX_CONTEXT_SIZE];
char ctxo[HMAC_MAX_CONTEXT_SIZE];
const struct hash_method *hash;
};
-struct hmac_context {
+struct openssl_hmac_context {
+ union {
+ struct openssl_hmac_context_priv priv;
+ uint64_t padding_requirement;
+ } u;
+};
+
+struct orig_hmac_context {
union {
- struct hmac_context_priv priv;
+ struct orig_hmac_context_priv priv;
uint64_t padding_requirement;
} u;
};
-void hmac_init(struct hmac_context *ctx, const unsigned char *key,
+void openssl_hmac_init(struct openssl_hmac_context *ctx, const unsigned char *key,
+ size_t key_len, const struct hash_method *meth);
+void openssl_hmac_final(struct openssl_hmac_context *ctx, unsigned char *digest);
+
+static inline void
+openssl_hmac_update(struct openssl_hmac_context *_ctx, const void *data, size_t size)
+{
+ struct openssl_hmac_context_priv *ctx = &_ctx->u.priv;
+ HMAC_Update(ctx->ctx, data, size);
+/* if (ec != 1)
+ {
+ const char *ebuf = NULL;
+ const char **error_r = &ebuf;
+ dcrypt_openssl_error(error_r);
+ }*/
+}
+
+void orig_hmac_init(struct orig_hmac_context *ctx, const unsigned char *key,
size_t key_len, const struct hash_method *meth);
-void hmac_final(struct hmac_context *ctx, unsigned char *digest);
+void orig_hmac_final(struct orig_hmac_context *ctx, unsigned char *digest);
static inline void
-hmac_update(struct hmac_context *_ctx, const void *data, size_t size)
+orig_hmac_update(struct orig_hmac_context *_ctx, const void *data, size_t size)
{
- struct hmac_context_priv *ctx = &_ctx->u.priv;
+ struct orig_hmac_context_priv *ctx = &_ctx->u.priv;
ctx->hash->loop(ctx->ctx, data, size);
}
-buffer_t *t_hmac_data(const struct hash_method *meth,
+buffer_t *openssl_t_hmac_data(const struct hash_method *meth,
const unsigned char *key, size_t key_len,
const void *data, size_t data_len);
-buffer_t *t_hmac_buffer(const struct hash_method *meth,
+buffer_t *openssl_t_hmac_buffer(const struct hash_method *meth,
const unsigned char *key, size_t key_len,
const buffer_t *data);
-buffer_t *t_hmac_str(const struct hash_method *meth,
+buffer_t *openssl_t_hmac_str(const struct hash_method *meth,
const unsigned char *key, size_t key_len,
const char *data);
-void hmac_hkdf(const struct hash_method *method,
+void openssl_hmac_hkdf(const struct hash_method *method,
const unsigned char *salt, size_t salt_len,
const unsigned char *ikm, size_t ikm_len,
const unsigned char *info, size_t info_len,
buffer_t *okm_r, size_t okm_len);
static inline buffer_t *
-t_hmac_hkdf(const struct hash_method *method,
+openssl_t_hmac_hkdf(const struct hash_method *method,
const unsigned char *salt, size_t salt_len,
const unsigned char *ikm, size_t ikm_len,
const unsigned char *info, size_t info_len,
size_t okm_len)
{
buffer_t *okm_buffer = t_buffer_create(okm_len);
- hmac_hkdf(method, salt, salt_len, ikm, ikm_len, info, info_len,
+ openssl_hmac_hkdf(method, salt, salt_len, ikm, ikm_len, info, info_len,
okm_buffer, okm_len);
return okm_buffer;
}
diff -up dovecot-2.3.14/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac dovecot-2.3.14/src/lib-imap-urlauth/imap-urlauth.c
--- dovecot-2.3.14/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/lib-imap-urlauth/imap-urlauth.c 2021-03-22 20:44:13.023912229 +0100
@@ -85,15 +85,15 @@ imap_urlauth_internal_generate(const cha
const unsigned char mailbox_key[IMAP_URLAUTH_KEY_LEN],
size_t *token_len_r)
{
- struct hmac_context hmac;
+ struct openssl_hmac_context hmac;
unsigned char *token;
token = t_new(unsigned char, SHA1_RESULTLEN + 1);
token[0] = IMAP_URLAUTH_MECH_INTERNAL_VERSION;
- hmac_init(&hmac, mailbox_key, IMAP_URLAUTH_KEY_LEN, &hash_method_sha1);
- hmac_update(&hmac, rumpurl, strlen(rumpurl));
- hmac_final(&hmac, token+1);
+ openssl_hmac_init(&hmac, mailbox_key, IMAP_URLAUTH_KEY_LEN, &hash_method_sha1);
+ openssl_hmac_update(&hmac, rumpurl, strlen(rumpurl));
+ openssl_hmac_final(&hmac, token+1);
*token_len_r = SHA1_RESULTLEN + 1;
return token;
diff -up dovecot-2.3.14/src/lib/Makefile.am.opensslhmac dovecot-2.3.14/src/lib/Makefile.am
--- dovecot-2.3.14/src/lib/Makefile.am.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/lib/Makefile.am 2021-03-22 20:44:13.023912229 +0100
@@ -352,6 +352,9 @@ headers = \
wildcard-match.h \
write-full.h
+liblib_la_LIBADD = $(SSL_LIBS)
+liblib_la_CFLAGS = $(SSL_CFLAGS)
+
test_programs = test-lib
noinst_PROGRAMS = $(test_programs)
diff -up dovecot-2.3.14/src/lib-oauth2/oauth2-jwt.c.opensslhmac dovecot-2.3.14/src/lib-oauth2/oauth2-jwt.c
--- dovecot-2.3.14/src/lib-oauth2/oauth2-jwt.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/lib-oauth2/oauth2-jwt.c 2021-03-22 20:44:13.024912217 +0100
@@ -106,14 +106,14 @@ oauth2_validate_hmac(const struct oauth2
if (oauth2_lookup_hmac_key(set, azp, alg, key_id, &key, error_r) < 0)
return -1;
- struct hmac_context ctx;
- hmac_init(&ctx, key->data, key->used, method);
- hmac_update(&ctx, blobs[0], strlen(blobs[0]));
- hmac_update(&ctx, ".", 1);
- hmac_update(&ctx, blobs[1], strlen(blobs[1]));
+ struct openssl_hmac_context ctx;
+ openssl_hmac_init(&ctx, key->data, key->used, method);
+ openssl_hmac_update(&ctx, blobs[0], strlen(blobs[0]));
+ openssl_hmac_update(&ctx, ".", 1);
+ openssl_hmac_update(&ctx, blobs[1], strlen(blobs[1]));
unsigned char digest[method->digest_size];
- hmac_final(&ctx, digest);
+ openssl_hmac_final(&ctx, digest);
buffer_t *their_digest =
t_base64url_decode_str(BASE64_DECODE_FLAG_NO_PADDING, blobs[2]);
diff -up dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c
--- dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c 2021-03-22 20:46:09.524440794 +0100
@@ -236,7 +236,7 @@ static void save_key_to(const char *algo
static void sign_jwt_token_hs256(buffer_t *tokenbuf, buffer_t *key)
{
i_assert(key != NULL);
- buffer_t *sig = t_hmac_buffer(&hash_method_sha256, key->data, key->used,
+ buffer_t *sig = openssl_t_hmac_buffer(&hash_method_sha256, key->data, key->used,
tokenbuf);
buffer_append(tokenbuf, ".", 1);
base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX,
@@ -246,7 +246,7 @@ static void sign_jwt_token_hs256(buffer_
static void sign_jwt_token_hs384(buffer_t *tokenbuf, buffer_t *key)
{
i_assert(key != NULL);
- buffer_t *sig = t_hmac_buffer(&hash_method_sha384, key->data, key->used,
+ buffer_t *sig = openssl_t_hmac_buffer(&hash_method_sha384, key->data, key->used,
tokenbuf);
buffer_append(tokenbuf, ".", 1);
base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX,
@@ -256,7 +256,7 @@ static void sign_jwt_token_hs384(buffer_
static void sign_jwt_token_hs512(buffer_t *tokenbuf, buffer_t *key)
{
i_assert(key != NULL);
- buffer_t *sig = t_hmac_buffer(&hash_method_sha512, key->data, key->used,
+ buffer_t *sig = openssl_t_hmac_buffer(&hash_method_sha512, key->data, key->used,
tokenbuf);
buffer_append(tokenbuf, ".", 1);
base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX,
diff -up dovecot-2.3.14/src/lib/pkcs5.c.opensslhmac dovecot-2.3.14/src/lib/pkcs5.c
--- dovecot-2.3.14/src/lib/pkcs5.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/lib/pkcs5.c 2021-03-22 20:44:13.024912217 +0100
@@ -52,7 +52,7 @@ int pkcs5_pbkdf2(const struct hash_metho
size_t l = (length + hash->digest_size - 1)/hash->digest_size; /* same as ceil(length/hash->digest_size) */
unsigned char dk[l * hash->digest_size];
unsigned char *block;
- struct hmac_context hctx;
+ struct openssl_hmac_context hctx;
unsigned int c,i,t;
unsigned char U_c[hash->digest_size];
@@ -60,17 +60,17 @@ int pkcs5_pbkdf2(const struct hash_metho
block = &(dk[t*hash->digest_size]);
/* U_1 = PRF(Password, Salt|| INT_BE32(Block_Number)) */
c = htonl(t+1);
- hmac_init(&hctx, password, password_len, hash);
- hmac_update(&hctx, salt, salt_len);
- hmac_update(&hctx, &c, sizeof(c));
- hmac_final(&hctx, U_c);
+ openssl_hmac_init(&hctx, password, password_len, hash);
+ openssl_hmac_update(&hctx, salt, salt_len);
+ openssl_hmac_update(&hctx, &c, sizeof(c));
+ openssl_hmac_final(&hctx, U_c);
/* block = U_1 ^ .. ^ U_iter */
memcpy(block, U_c, hash->digest_size);
/* U_c = PRF(Password, U_c-1) */
for(c = 1; c < iter; c++) {
- hmac_init(&hctx, password, password_len, hash);
- hmac_update(&hctx, U_c, hash->digest_size);
- hmac_final(&hctx, U_c);
+ openssl_hmac_init(&hctx, password, password_len, hash);
+ openssl_hmac_update(&hctx, U_c, hash->digest_size);
+ openssl_hmac_final(&hctx, U_c);
for(i = 0; i < hash->digest_size; i++)
block[i] ^= U_c[i];
}
diff -up dovecot-2.3.14/src/lib/test-hmac.c.opensslhmac dovecot-2.3.14/src/lib/test-hmac.c
--- dovecot-2.3.14/src/lib/test-hmac.c.opensslhmac 2021-03-04 09:38:06.000000000 +0100
+++ dovecot-2.3.14/src/lib/test-hmac.c 2021-03-22 20:44:13.024912217 +0100
@@ -206,11 +206,11 @@ static void test_hmac_rfc(void)
test_begin("hmac sha256 rfc4231 vectors");
for(size_t i = 0; i < N_ELEMENTS(test_vectors); i++) {
const struct test_vector *vec = &(test_vectors[i]);
- struct hmac_context ctx;
- hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf));
- hmac_update(&ctx, vec->data, vec->data_len);
+ struct openssl_hmac_context ctx;
+ openssl_hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf));
+ openssl_hmac_update(&ctx, vec->data, vec->data_len);
unsigned char res[SHA256_RESULTLEN];
- hmac_final(&ctx, res);
+ openssl_hmac_final(&ctx, res);
test_assert_idx(memcmp(res, vec->res, vec->res_len) == 0, i);
}
test_end();
@@ -221,11 +221,11 @@ static void test_hmac384_rfc(void)
test_begin("hmac sha384 rfc4231 vectors");
for (size_t i = 0; i < N_ELEMENTS(test_vectors_hmac384); i++) {
const struct test_vector *vec = &(test_vectors_hmac384[i]);
- struct hmac_context ctx;
- hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf));
- hmac_update(&ctx, vec->data, vec->data_len);
+ struct openssl_hmac_context ctx;
+ openssl_hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf));
+ openssl_hmac_update(&ctx, vec->data, vec->data_len);
unsigned char res[SHA384_RESULTLEN];
- hmac_final(&ctx, res);
+ openssl_hmac_final(&ctx, res);
test_assert_idx(memcmp(res, vec->res, vec->res_len) == 0, i);
}
test_end();
@@ -236,11 +236,11 @@ static void test_hmac512_rfc(void)
test_begin("hmac sha512 rfc4231 vectors");
for (size_t i = 0; i < N_ELEMENTS(test_vectors_hmac512); i++) {
const struct test_vector *vec = &(test_vectors_hmac512[i]);
- struct hmac_context ctx;
- hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf));
- hmac_update(&ctx, vec->data, vec->data_len);
+ struct openssl_hmac_context ctx;
+ openssl_hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf));
+ openssl_hmac_update(&ctx, vec->data, vec->data_len);
unsigned char res[SHA512_RESULTLEN];
- hmac_final(&ctx, res);
+ openssl_hmac_final(&ctx, res);
test_assert_idx(memcmp(res, vec->res, vec->res_len) == 0, i);
}
test_end();
@@ -253,7 +253,7 @@ static void test_hmac_buffer(void)
buffer_t *tmp;
- tmp = t_hmac_data(hash_method_lookup(vec->prf), vec->key, vec->key_len,
+ tmp = openssl_t_hmac_data(hash_method_lookup(vec->prf), vec->key, vec->key_len,
vec->data, vec->data_len);
test_assert(tmp->used == vec->res_len &&
@@ -270,7 +270,7 @@ static void test_hkdf_rfc(void)
buffer_set_used_size(res, 0);
const struct test_vector_5869 *vec = &(test_vectors_5869[i]);
const struct hash_method *m = hash_method_lookup(vec->prf);
- hmac_hkdf(m, vec->salt, vec->salt_len, vec->ikm, vec->ikm_len,
+ openssl_hmac_hkdf(m, vec->salt, vec->salt_len, vec->ikm, vec->ikm_len,
vec->info, vec->info_len, res, vec->okm_len);
test_assert_idx(memcmp(res->data, vec->okm, vec->okm_len) == 0, i);
}
@@ -283,7 +283,7 @@ static void test_hkdf_buffer(void)
test_begin("hkdf temporary buffer");
const struct test_vector_5869 *vec = &(test_vectors_5869[0]);
const struct hash_method *m = hash_method_lookup(vec->prf);
- buffer_t *tmp = t_hmac_hkdf(m, vec->salt, vec->salt_len, vec->ikm,
+ buffer_t *tmp = openssl_t_hmac_hkdf(m, vec->salt, vec->salt_len, vec->ikm,
vec->ikm_len, vec->info, vec->info_len,
vec->okm_len);
test_assert(tmp->used == vec->okm_len &&

19
dovecot.conf.5 Normal file
View File

@ -0,0 +1,19 @@
.TH DOVECOT.CONF 5 2010/06/27 "dovecot" "File Formats and Conventions"
.SH NAME
\fBdovecot.conf\fP \- The configuration file for dovecot imap and pop3 server
.SH FULL PATH
.B /etc/dovecot.conf
.SH DESCRIPTION
The dovecot.conf file is a configuration file for the
.BR dovecot (1)
imap and pop3 server. The dovecot.conf configuration file contains description to all available options. Some of these options are described also in offline wiki documentation placed in /usr/share/doc/dovecot*/wiki/.
For backup purposes unmodified version of dovecot.conf can be found in /usr/share/doc/dovecot-<version>/example-config/dovecot.conf.default
.SH "SEE ALSO"
.BR doveadm (1),
.BR dovecot (1),
.I /usr/share/doc/dovecot*/wiki/
.I /usr/share/doc/dovecot*/dovecot.conf.default

108
dovecot.init Executable file
View File

@ -0,0 +1,108 @@
#!/bin/bash
#
# /etc/rc.d/init.d/dovecot
#
# Starts the dovecot daemon
#
# chkconfig: - 65 35
# description: Dovecot Imap Server
# processname: dovecot
# config: /etc/dovecot.conf
# config: /etc/sysconfig/dovecot
# pidfile: /var/run/dovecot/master.pid
### BEGIN INIT INFO
# Provides: dovecot
# Required-Start: $local_fs $network
# Required-Stop: $local_fs $network
# Should-Start: $remote_fs
# Should-Stop: $remote_fs
# Default-Start:
# Default-Stop: 0 1 2 3 4 5 6
# Short-Description: start and stop Dovecot Imap server
# Description: Dovecot is an IMAP server for Linux/UNIX-like systems,
# written with security primarily in mind. It also contains
# a small POP3 server.
### END INIT INFO
# Source function library.
. /etc/init.d/functions
if [ -f /etc/sysconfig/dovecot -a $UID -eq 0 ]; then
. /etc/sysconfig/dovecot
fi
RETVAL=0
prog="Dovecot Imap"
exec="/usr/sbin/dovecot"
config="/etc/dovecot/dovecot.conf"
pidfile="/var/run/dovecot/master.pid"
lockfile="/var/lock/subsys/dovecot"
start() {
[ $UID -eq 0 ] || exit 4
[ -x $exec ] || exit 5
[ -f $config ] || exit 6
echo -n $"Starting $prog: "
daemon --pidfile $pidfile $exec $OPTIONS
RETVAL=$?
[ $RETVAL -eq 0 ] && touch $lockfile
echo
}
stop() {
[ $UID -eq 0 ] || exit 4
echo -n $"Stopping $prog: "
killproc -p $pidfile $exec
RETVAL=$?
[ $RETVAL -eq 0 ] && rm -f $lockfile
echo
}
reload() {
[ $UID -eq 0 ] || exit 4
echo -n $"Reloading $prog: "
killproc -p $pidfile $exec -HUP
RETVAL=$?
echo
}
#
# See how we were called.
#
case "$1" in
start)
start
;;
stop)
stop
;;
reload)
reload
;;
force-reload|restart)
stop
sleep 1
start
RETVAL=$?
;;
condrestart|try-restart)
if [ -f $lockfile ]; then
stop
sleep 3
start
fi
;;
status)
status -p $pidfile $exec
RETVAL=$?
;;
*)
echo $"Usage: $0 {condrestart|try-restart|start|stop|restart|reload|force-reload|status}"
RETVAL=2
[ "$1" = 'usage' ] && RETVAL=0
esac
exit $RETVAL

41
dovecot.spec
View File

@ -5,23 +5,23 @@
%global _hardened_build 1
Name: dovecot
Version: 2.3.10.1
Release: 7
Version: 2.3.15
Release: 1
Summary: Dovecot Secure imap server
License: MIT and LGPLv2.1
URL: http://www.dovecot.org/
Epoch: 1
Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz
Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}.tar.gz
Source1: dovecot.init
Source2: dovecot.pam
%global pigeonholever 0.5.10
%global pigeonholever 0.5.15
Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz
Source9: dovecot.sysconfig
Source10: dovecot.tmpfilesd
Source11: https://raw.githubusercontent.com/QMailToaster/dovecot/master/dovecot.prestartscript
Source11: prestartscript
Source12: dovecot.conf.5
Patch6000: CVE-2015-3420.patch
Patch6001: CVE-2016-8652.patch
Patch6002: dovecot-2.0-defaultconfig.patch
Patch6003: dovecot-1.0.beta2-mkcert-permissions.patch
Patch6004: dovecot-1.0.rc7-mkcert-paths.patch
@ -31,22 +31,17 @@ Patch6005: dovecot-2.1.10-waitonline.patch
Patch6006: dovecot-2.2.20-initbysystemd.patch
Patch6007: dovecot-2.2.22-systemd_w_protectsystem.patch
Patch6008: CVE-2020-12673.patch
Patch6009: CVE-2020-12674.patch
Patch6010: CVE-2020-12100-1.patch
Patch6011: CVE-2020-12100-2.patch
Patch6012: CVE-2020-25275-1.patch
Patch6013: CVE-2020-25275-2.patch
Patch6014: CVE-2020-24386.patch
Patch6015: 0001-Fix-bugs-in-smtp-server.patch
Patch6016: 0002-Fix-assert-crash-if-parsing-invalid-BODYSTRUCTURE.patch
Patch6017: 0003-Handle-empty-lists-in-IMAP-BODYSTRUCTURE-parsing-as-invalid.patch
Patch6018: 0004-Fix-writing-BODYSTRUCTURE-for-truncated-multipart-digest-part.patch
Patch6009: dovecot-2.3.11-bigkey.patch
Patch6010: dovecot-2.3.6-opensslhmac.patch
Patch6011: dovecot-2.3.15-fixvalcond.patch
Patch6012: dovecot-2.3.15-valbasherr.patch
BuildRequires: gcc-c++ openssl-devel pam-devel zlib-devel bzip2-devel libcap-devel
BuildRequires: libtool autoconf automake pkgconfig sqlite-devel libpq-devel
BuildRequires: mariadb-connector-c-devel libxcrypt-devel openldap-devel krb5-devel
BuildRequires: quota-devel xz-devel gettext-devel clucene-core-devel libcurl-devel expat-devel
BuildRequires: lz4-devel libzstd-devel libicu-devel libstemmer-devel multilib-rpm-config
BuildRequires: systemd-devel
Requires: openssl >= 0.9.7f-4 systemd
Requires(pre): shadow-utils
@ -77,7 +72,7 @@ Man pages and other related help documents for %{name}.
%prep
%autosetup -n %{name}-%{version}%{?prever} -a 8 -p1
%autosetup -n %{name}-%{version} -a 8 -p1
sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in
@ -121,6 +116,7 @@ install -m 644 AUTHORS ChangeLog COPYING COPYING.LGPL INSTALL NEWS README $RPM_B
cd -
install -p -D -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/dovecot
install -p -D -m 644 %{SOURCE12} $RPM_BUILD_ROOT%{_mandir}/man5/dovecot.conf.5
install -p -D -m 755 %{SOURCE11} $RPM_BUILD_ROOT%{_libexecdir}/dovecot/prestartscript
install -d $RPM_BUILD_ROOT%{ssldir}/certs
@ -226,6 +222,7 @@ make check
%config(noreplace) %{_sysconfdir}/dovecot/conf.d/{auth-deny.conf.ext,auth-dict.conf.ext,auth-ldap.conf.ext}
%config(noreplace) %{_sysconfdir}/dovecot/conf.d/{auth-master.conf.ext,auth-passwdfile.conf.ext,auth-sql.conf.ext}
%config(noreplace) %{_sysconfdir}/dovecot/conf.d/{auth-static.conf.ext,auth-system.conf.ext,auth-vpopmail.conf.ext}
%config(noreplace) %{_sysconfdir}/dovecot/conf.d/10-metrics.conf
%config(noreplace) %{_sysconfdir}/pam.d/dovecot
%config(noreplace) %{ssldir}/dovecot-openssl.cnf
@ -242,7 +239,7 @@ make check
%exclude %{_libdir}/dovecot/doveadm/*sieve*
%{_libdir}/dovecot/*.so.*
%{_libdir}/dovecot/*_plugin.so
%exclude %{_libdir}/dovecot/*_sieve_plugin.so
%{_libdir}/dovecot/*_sieve_plugin.so
%{_libdir}/dovecot/auth/{lib20_auth_var_expand_crypt.so,libauthdb_imap.so,libauthdb_ldap.so}
%{_libdir}/dovecot/auth/{libmech_gssapi.so,libdriver_sqlite.so}
%{_libdir}/dovecot/dict/{libdriver_sqlite.so,libdict_ldap.so}
@ -288,11 +285,15 @@ make check
%files help
%{_mandir}/man1/*
%{_mandir}/man5/dovecot.conf.5*
%{_mandir}/man7/doveadm-search-query.7*
%{_mandir}/man7/pigeonhole.7*
%changelog
* Thu Jul 08 2021 wutao <wutao61@huawei.com> - 2.3.15-1
- upgrade to 2.3.15
* Thu Jun 03 2021 maminjie <maminjie1@huawei.com> - 2.3.10.1-7
- backport some patches about imap-bodystructure

2
dovecot.tmpfilesd
View File

@ -1,2 +1,2 @@
d /var/run/dovecot 0755 root dovecot -
d /run/dovecot 0755 root dovecot -

4
dovecot.prestartscript → prestartscript
View File

@ -1,3 +1,3 @@
#!/bin/sh
/bin/systemctl -q is-enabled NetworkManager.service >/dev/null 2>&1 \
&& /usr/bin/nm-online -q --timeout 30 ||:
/bin/systemctl -q is-enabled NetworkManager.service >/dev/null 2>&1 && /usr/bin/nm-online -q --timeout 30 ||: