diff --git a/dovecot-2.0-defaultconfig.patch b/dovecot-2.0-defaultconfig.patch index c7e145e..c9d0eb4 100644 --- a/dovecot-2.0-defaultconfig.patch +++ b/dovecot-2.0-defaultconfig.patch @@ -1,9 +1,9 @@ -diff -up dovecot-2.4.2-build/dovecot-2.4.2/doc/dovecot.conf.in.default-settings dovecot-2.4.2-build/dovecot-2.4.2/doc/dovecot.conf.in ---- dovecot-2.4.2-build/dovecot-2.4.2/doc/dovecot.conf.in.default-settings 2025-10-29 07:58:41.000000000 +0100 -+++ dovecot-2.4.2-build/dovecot-2.4.2/doc/dovecot.conf.in 2025-11-30 09:24:17.130246956 +0100 +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/doc/dovecot.conf.in.default-settings dovecot-2.4.1-build/dovecot-2.4.1-4/doc/dovecot.conf.in +--- dovecot-2.4.1-build/dovecot-2.4.1-4/doc/dovecot.conf.in.default-settings 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/doc/dovecot.conf.in 2025-10-15 12:05:14.570388273 +0200 @@ -16,24 +16,19 @@ dovecot_storage_version = @DOVECOT_CONFI # The configuration below is a minimal configuration file using system user authentication. - # See https://@DOVECOT_ASSET_URL@/latest/core/config/quick.html + # See https://@DOVECOT_ASSET_URL@/configuration_manual/quick_configuration/ -!include_try conf.d/*.conf - 
@@ -48,9 +48,9 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/doc/dovecot.conf.in.default-settings } + +!include_try conf.d/*.conf -diff -up dovecot-2.4.2-build/dovecot-2.4.2/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve.conf.default-settings dovecot-2.4.2-build/dovecot-2.4.2/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve.conf ---- dovecot-2.4.2-build/dovecot-2.4.2/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve.conf.default-settings 2025-10-29 08:00:30.000000000 +0100 -+++ dovecot-2.4.2-build/dovecot-2.4.2/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve.conf 2025-11-30 09:18:17.667869864 +0100 +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve.conf.default-settings dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve.conf +--- dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve.conf.default-settings 2025-03-28 12:33:46.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve.conf 2025-10-15 12:00:16.233557725 +0200 @@ -21,7 +21,6 @@ # file or directory. Refer to Pigeonhole wiki or INSTALL file for more # information. 
@@ -76,9 +76,9 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/dovecot-pigeonhole/doc/example-config # the source line numbers. #sieve_trace_addresses = no -} -diff -up dovecot-2.4.2-build/dovecot-2.4.2/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve-extprograms.conf.default-settings dovecot-2.4.2-build/dovecot-2.4.2/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve-extprograms.conf ---- dovecot-2.4.2-build/dovecot-2.4.2/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve-extprograms.conf.default-settings 2025-10-29 08:00:30.000000000 +0100 -+++ dovecot-2.4.2-build/dovecot-2.4.2/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve-extprograms.conf 2025-11-30 09:18:17.668131795 +0100 +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve-extprograms.conf.default-settings dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve-extprograms.conf +--- dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve-extprograms.conf.default-settings 2025-03-28 12:33:46.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/dovecot-pigeonhole/doc/example-config/conf.d/90-sieve-extprograms.conf 2025-10-15 12:00:16.234048364 +0200 @@ -6,7 +6,6 @@ # sieve_extensions or sieve_global_extensions settings. Restricting these # extensions to a global context using sieve_global_extensions is recommended. diff --git a/dovecot-2.4.1-cve-2025-30189.patch b/dovecot-2.4.1-cve-2025-30189.patch new file mode 100644 index 0000000..5b9deae --- /dev/null +++ b/dovecot-2.4.1-cve-2025-30189.patch 
@@ -0,0 +1,463 @@ +From a70ce7d3e2f983979e971414c5892c4e30197231 Mon Sep 17 00:00:00 2001 +From: Aki Tuomi +Date: Fri, 25 Jul 2025 08:16:52 +0300 +Subject: [PATCH 1/7] auth: Use AUTH_CACHE_KEY_USER instead of per-database + constants + +Fixes cache key issue where users would end up overwriting +each other in cache due to cache key being essentially static +string because we no longer support %u. + +Forgotten in 2e298e7ee98b6df61cf85117f000290d60a473b8 +--- + src/auth/auth-settings.h | 2 ++ + src/auth/passdb-bsdauth.c | 4 +--- + src/auth/passdb-oauth2.c | 2 +- + src/auth/passdb-pam.c | 3 ++- + src/auth/passdb-passwd.c | 3 +-- + src/auth/userdb-passwd.c | 3 +-- + 6 files changed, 8 insertions(+), 9 deletions(-) + +diff --git a/src/auth/auth-settings.h b/src/auth/auth-settings.h +index 1d420eceaaf..90aba17ec38 100644 +--- a/src/auth/auth-settings.h ++++ b/src/auth/auth-settings.h +@@ -1,6 +1,8 @@ + #ifndef AUTH_SETTINGS_H + #define AUTH_SETTINGS_H + ++#define AUTH_CACHE_KEY_USER "%{user}" ++ + struct master_service; + struct master_service_settings_output; + +diff --git a/src/auth/passdb-bsdauth.c b/src/auth/passdb-bsdauth.c +index 68292679b7f..1b86da4053c 100644 +--- a/src/auth/passdb-bsdauth.c ++++ b/src/auth/passdb-bsdauth.c +@@ -14,8 +14,6 @@ + #include + #include + +-#define BSDAUTH_CACHE_KEY "%u" +- + struct passdb_bsdauth_settings { + pool_t pool; + }; +@@ -104,7 +102,7 @@ bsdauth_preinit(pool_t pool, struct event *event, + &post_set, error_r) < 0) + return -1; + module->default_cache_key = auth_cache_parse_key_and_fields( +- pool, BSDAUTH_CACHE_KEY, &post_set->fields, "bsdauth"); ++ pool, AUTH_CACHE_KEY_USER, &post_set->fields, "bsdauth"); + + settings_free(post_set); + *module_r = module; +diff --git a/src/auth/passdb-oauth2.c b/src/auth/passdb-oauth2.c +index 96d902d323d..91fed060183 100644 +--- a/src/auth/passdb-oauth2.c ++++ b/src/auth/passdb-oauth2.c +@@ -53,7 +53,7 @@ oauth2_preinit(pool_t pool, struct event *event, struct passdb_module **module_r + if 
(db_oauth2_init(event, TRUE, &module->db, error_r) < 0) + return -1; + module->module.default_pass_scheme = "PLAIN"; +- module->module.default_cache_key = "%u"; ++ module->module.default_cache_key = AUTH_CACHE_KEY_USER; + *module_r = &module->module; + return 0; + } +diff --git a/src/auth/passdb-pam.c b/src/auth/passdb-pam.c +index 2acbceb80a3..fdf0f573ef4 100644 +--- a/src/auth/passdb-pam.c ++++ b/src/auth/passdb-pam.c +@@ -415,7 +415,8 @@ static int pam_preinit(pool_t pool, struct event *event, + module = p_new(pool, struct pam_passdb_module, 1); + module->module.default_cache_key = + auth_cache_parse_key_and_fields(pool, +- t_strdup_printf("%%u/%s", set->service_name), ++ t_strdup_printf("%"AUTH_CACHE_KEY_USER"\t%s", ++ set->service_name), + &post_set->fields, "pam"); + module->requests_left = set->max_requests; + module->pam_setcred = set->setcred; +diff --git a/src/auth/passdb-passwd.c b/src/auth/passdb-passwd.c +index 13003151f9c..22e2eae7fa3 100644 +--- a/src/auth/passdb-passwd.c ++++ b/src/auth/passdb-passwd.c +@@ -10,7 +10,6 @@ + #include "safe-memset.h" + #include "ipwd.h" + +-#define PASSWD_CACHE_KEY "%u" + #define PASSWD_PASS_SCHEME "CRYPT" + + #undef DEF +@@ -142,7 +141,7 @@ static int passwd_preinit(pool_t pool, struct event *event, + &post_set, error_r) < 0) + return -1; + module->default_cache_key = auth_cache_parse_key_and_fields(pool, +- PASSWD_CACHE_KEY, ++ AUTH_CACHE_KEY_USER, + &post_set->fields, + "passwd"); + settings_free(post_set); +diff --git a/src/auth/userdb-passwd.c b/src/auth/userdb-passwd.c +index 5241129a0cc..14cf90a6d65 100644 +--- a/src/auth/userdb-passwd.c ++++ b/src/auth/userdb-passwd.c +@@ -9,7 +9,6 @@ + #include "ipwd.h" + #include "time-util.h" + +-#define USER_CACHE_KEY "%u" + #define PASSWD_SLOW_WARN_MSECS (10*1000) + #define PASSWD_SLOW_MASTER_WARN_MSECS 50 + #define PASSDB_SLOW_MASTER_WARN_COUNT_INTERVAL 100 +@@ -225,7 +224,7 @@ static int passwd_preinit(pool_t pool, struct event *event ATTR_UNUSED, + struct 
passwd_userdb_module *module = + p_new(pool, struct passwd_userdb_module, 1); + +- module->module.default_cache_key = USER_CACHE_KEY; ++ module->module.default_cache_key = AUTH_CACHE_KEY_USER; + *module_r = &module->module; + return 0; + } + +From c45ce2c073c9439a9d6366016cb4d41059d737f0 Mon Sep 17 00:00:00 2001 +From: Aki Tuomi +Date: Wed, 30 Jul 2025 09:42:20 +0300 +Subject: [PATCH 2/7] auth: auth-cache - Refactor + auth_cache_parse_key_and_fields() + +Call auth_cache_parse_key_exclude() at the function end, +simplifies next commit. +--- + src/auth/auth-cache.c | 24 +++++++++++------------- + 1 file changed, 11 insertions(+), 13 deletions(-) + +diff --git a/src/auth/auth-cache.c b/src/auth/auth-cache.c +index 360ad8b3f62..3ccd45ff4b9 100644 +--- a/src/auth/auth-cache.c ++++ b/src/auth/auth-cache.c +@@ -129,20 +129,18 @@ char *auth_cache_parse_key_and_fields(pool_t pool, const char *query, + const ARRAY_TYPE(const_string) *fields, + const char *exclude_driver) + { +- if (array_is_empty(fields)) +- return auth_cache_parse_key_exclude(pool, query, exclude_driver); +- +- string_t *full_query = t_str_new(128); +- str_append(full_query, query); +- +- unsigned int i, count; +- const char *const *str = array_get(fields, &count); +- for (i = 0; i < count; i += 2) { +- str_append_c(full_query, '\t'); +- str_append(full_query, str[i + 1]); ++ if (!array_is_empty(fields)) { ++ unsigned int i, count; ++ const char *const *str = array_get(fields, &count); ++ string_t *full_query = t_str_new(128); ++ str_append(full_query, query); ++ for (i = 0; i < count; i += 2) { ++ str_append_c(full_query, '\t'); ++ str_append(full_query, str[i + 1]); ++ } ++ query = str_c(full_query); + } +- return auth_cache_parse_key_exclude(pool, str_c(full_query), +- exclude_driver); ++ return auth_cache_parse_key_exclude(pool, query, exclude_driver); + } + + static void + +From 759ee1af848480987d012de2f7135160156724b6 Mon Sep 17 00:00:00 2001 +From: Aki Tuomi +Date: Fri, 25 Jul 2025 11:48:43 +0300 
+Subject: [PATCH 3/7] auth: auth-cache - Deduplicate auth_cache_parse_key() to + use auth_cache_parse_key_and_fields() + +Simplifies following commit +--- + src/auth/auth-cache.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/auth/auth-cache.c b/src/auth/auth-cache.c +index 3ccd45ff4b9..ad8cbe50784 100644 +--- a/src/auth/auth-cache.c ++++ b/src/auth/auth-cache.c +@@ -122,14 +122,14 @@ static char *auth_cache_parse_key_exclude(pool_t pool, const char *query, + + char *auth_cache_parse_key(pool_t pool, const char *query) + { +- return auth_cache_parse_key_exclude(pool, query, NULL); ++ return auth_cache_parse_key_and_fields(pool, query, NULL, NULL); + } + + char *auth_cache_parse_key_and_fields(pool_t pool, const char *query, + const ARRAY_TYPE(const_string) *fields, + const char *exclude_driver) + { +- if (!array_is_empty(fields)) { ++ if (fields != NULL && !array_is_empty(fields)) { + unsigned int i, count; + const char *const *str = array_get(fields, &count); + string_t *full_query = t_str_new(128); + +From d12bb78b5a235f31c9d5a655bd223c28d44bcadb Mon Sep 17 00:00:00 2001 +From: Aki Tuomi +Date: Fri, 25 Jul 2025 11:51:16 +0300 +Subject: [PATCH 4/7] auth: auth-cache - Change auth_cache_parse_key_exclude() + to return error + +Simplifies following commit +--- + src/auth/auth-cache.c | 25 ++++++++++++++++++------- + 1 file changed, 18 insertions(+), 7 deletions(-) + +diff --git a/src/auth/auth-cache.c b/src/auth/auth-cache.c +index ad8cbe50784..407e5d4aa0e 100644 +--- a/src/auth/auth-cache.c ++++ b/src/auth/auth-cache.c +@@ -64,8 +64,10 @@ static void auth_cache_key_add_tab_idx(string_t *str, unsigned int i) + str_append_c(str, '}'); + } + +-static char *auth_cache_parse_key_exclude(pool_t pool, const char *query, +- const char *exclude_driver) ++static int auth_cache_parse_key_exclude(pool_t pool, const char *query, ++ const char *exclude_driver, ++ char **cache_key_r, ++ const char **error_r) + { + string_t *str; + bool 
key_seen[AUTH_REQUEST_VAR_TAB_COUNT]; +@@ -76,9 +78,9 @@ static char *auth_cache_parse_key_exclude(pool_t pool, const char *query, + + struct var_expand_program *prog; + if (var_expand_program_create(query, &prog, &error) < 0) { +- e_debug(auth_event, "auth-cache: var_expand_program_create('%s') failed: %s", +- query, error); +- return p_strdup(pool, ""); ++ *error_r = t_strdup_printf("var_expand_program_create(%s) failed: %s", ++ query, error); ++ return -1; + } + + const char *const *vars = var_expand_program_variables(prog); +@@ -117,7 +119,8 @@ static char *auth_cache_parse_key_exclude(pool_t pool, const char *query, + + var_expand_program_free(&prog); + +- return p_strdup(pool, str_c(str)); ++ *cache_key_r = p_strdup(pool, str_c(str)); ++ return 0; + } + + char *auth_cache_parse_key(pool_t pool, const char *query) +@@ -140,7 +143,15 @@ char *auth_cache_parse_key_and_fields(pool_t pool, const char *query, + } + query = str_c(full_query); + } +- return auth_cache_parse_key_exclude(pool, query, exclude_driver); ++ ++ char *cache_key; ++ const char *error; ++ if (auth_cache_parse_key_exclude(pool, query, exclude_driver, ++ &cache_key, &error) < 0) { ++ e_debug(auth_event, "auth-cache: %s", error); ++ cache_key = p_strdup(pool, ""); ++ } ++ return cache_key; + } + + static void + +From 20d15baa071747f91176eb3115235aa8c78a3d11 Mon Sep 17 00:00:00 2001 +From: Aki Tuomi +Date: Fri, 25 Jul 2025 11:52:36 +0300 +Subject: [PATCH 5/7] auth: auth-cache - Treat cache key parsing errors as + fatals + +Avoids accidentically turning off caching +--- + src/auth/auth-cache.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/src/auth/auth-cache.c b/src/auth/auth-cache.c +index 407e5d4aa0e..be569349182 100644 +--- a/src/auth/auth-cache.c ++++ b/src/auth/auth-cache.c +@@ -147,10 +147,8 @@ char *auth_cache_parse_key_and_fields(pool_t pool, const char *query, + char *cache_key; + const char *error; + if (auth_cache_parse_key_exclude(pool, query, 
exclude_driver, +- &cache_key, &error) < 0) { +- e_debug(auth_event, "auth-cache: %s", error); +- cache_key = p_strdup(pool, ""); +- } ++ &cache_key, &error) < 0) ++ i_fatal("auth-cache: %s", error); + return cache_key; + } + + +From 0172f8e8c55aff42c688633b2891cf157641366b Mon Sep 17 00:00:00 2001 +From: Aki Tuomi +Date: Fri, 25 Jul 2025 11:41:03 +0300 +Subject: [PATCH 6/7] auth: auth-cache - Require cache key to contain at least + one variable + +--- + src/auth/auth-cache.c | 7 +++++++ + src/auth/test-auth-cache.c | 37 ++++++++++++++++++++++++++++++++++++- + 2 files changed, 43 insertions(+), 1 deletion(-) + +diff --git a/src/auth/auth-cache.c b/src/auth/auth-cache.c +index be569349182..32959f5d0f4 100644 +--- a/src/auth/auth-cache.c ++++ b/src/auth/auth-cache.c +@@ -86,6 +86,13 @@ static int auth_cache_parse_key_exclude(pool_t pool, const char *query, + const char *const *vars = var_expand_program_variables(prog); + str = t_str_new(32); + ++ if (*vars == NULL && *query != '\0') { ++ var_expand_program_free(&prog); ++ *error_r = t_strdup_printf("%s: Cache key must contain at least one variable", ++ query); ++ return -1; ++ } ++ + for (; *vars != NULL; vars++) { + /* ignore any providers */ + if (strchr(*vars, ':') != NULL && +diff --git a/src/auth/test-auth-cache.c b/src/auth/test-auth-cache.c +index 46836defc6d..b36d83ec022 100644 +--- a/src/auth/test-auth-cache.c ++++ b/src/auth/test-auth-cache.c +@@ -97,7 +97,35 @@ static void test_auth_cache_parse_key(void) + tests[i].in); + test_assert_strcmp_idx(cache_key, tests[i].out, i); + } ++ ++ test_end(); ++} ++ ++static enum fatal_test_state test_cache_key_missing_variable(unsigned int i) ++{ ++ if (i == 0) ++ test_begin("auth cache missing variable"); ++ ++ /* ensure that we do not accept static string */ ++ static const struct { ++ const char *in, *out; ++ } tests_bad[] = { ++ { "%u", "auth-cache: %u: Cache key must contain at least one variable" }, ++ { "foobar", "auth-cache: foobar: Cache key must contain at 
least one variable" }, ++ { "%{test", "auth-cache: var_expand_program_create(%{test) " \ ++ "failed: syntax error, unexpected end of file, " \ ++ "expecting CCBRACE or PIPE" }, ++ }; ++ ++ if (i < N_ELEMENTS(tests_bad)) { ++ test_expect_fatal_string(tests_bad[i].out); ++ (void)auth_cache_parse_key(pool_datastack_create(), ++ tests_bad[i].in); ++ return FATAL_TEST_FAILURE; ++ } ++ + test_end(); ++ return FATAL_TEST_FINISHED; + } + + int main(void) +@@ -108,7 +136,14 @@ int main(void) + test_auth_cache_parse_key, + NULL + }; +- int ret = test_run(test_functions); ++ ++ static test_fatal_func_t *const fatal_functions[] = { ++ test_cache_key_missing_variable, ++ NULL, ++ }; ++ ++ int ret = test_run_with_fatals(test_functions, fatal_functions); ++ + event_unref(&auth_event); + return ret; + } + +From 34caed79b76a7b82a2a9c94cf35371bec6c2b826 Mon Sep 17 00:00:00 2001 +From: Aki Tuomi +Date: Fri, 25 Jul 2025 12:00:57 +0300 +Subject: [PATCH 7/7] auth: auth-cache - Drop auth_cache_parse_key() + +It's only used by tests and can now just call +auth_cache_parse_key_and_fields(). 
+--- + src/auth/auth-cache.c | 5 ----- + src/auth/auth-cache.h | 6 ++---- + src/auth/test-auth-cache.c | 8 ++++---- + 3 files changed, 6 insertions(+), 13 deletions(-) + +diff --git a/src/auth/auth-cache.c b/src/auth/auth-cache.c +index 32959f5d0f4..82cc0d526eb 100644 +--- a/src/auth/auth-cache.c ++++ b/src/auth/auth-cache.c +@@ -130,11 +130,6 @@ static int auth_cache_parse_key_exclude(pool_t pool, const char *query, + return 0; + } + +-char *auth_cache_parse_key(pool_t pool, const char *query) +-{ +- return auth_cache_parse_key_and_fields(pool, query, NULL, NULL); +-} +- + char *auth_cache_parse_key_and_fields(pool_t pool, const char *query, + const ARRAY_TYPE(const_string) *fields, + const char *exclude_driver) +diff --git a/src/auth/auth-cache.h b/src/auth/auth-cache.h +index 9bdb9185170..d63621b1a4c 100644 +--- a/src/auth/auth-cache.h ++++ b/src/auth/auth-cache.h +@@ -16,10 +16,8 @@ struct auth_cache_node { + struct auth_cache; + struct auth_request; + +-/* Parses all %x variables from query and compresses them into tab-separated +- list, so it can be used as a cache key. */ +-char *auth_cache_parse_key(pool_t pool, const char *query); +-/* Same as auth_cache_parse_key(), but add also variables from "fields", ++/* Parses all %variables from query and compresses them into tab-separated ++ list, so it can be used as a cache key. 
Adds also variables from "fields", + except variables prefixed with ":" */ + char *auth_cache_parse_key_and_fields(pool_t pool, const char *query, + const ARRAY_TYPE(const_string) *fields, +diff --git a/src/auth/test-auth-cache.c b/src/auth/test-auth-cache.c +index b36d83ec022..f58c21f7afb 100644 +--- a/src/auth/test-auth-cache.c ++++ b/src/auth/test-auth-cache.c +@@ -93,8 +93,8 @@ static void test_auth_cache_parse_key(void) + test_begin("auth cache parse key"); + + for (i = 0; i < N_ELEMENTS(tests); i++) { +- cache_key = auth_cache_parse_key(pool_datastack_create(), +- tests[i].in); ++ cache_key = auth_cache_parse_key_and_fields(pool_datastack_create(), ++ tests[i].in, NULL, NULL); + test_assert_strcmp_idx(cache_key, tests[i].out, i); + } + +@@ -119,8 +119,8 @@ static enum fatal_test_state test_cache_key_missing_variable(unsigned int i) + + if (i < N_ELEMENTS(tests_bad)) { + test_expect_fatal_string(tests_bad[i].out); +- (void)auth_cache_parse_key(pool_datastack_create(), +- tests_bad[i].in); ++ (void)auth_cache_parse_key_and_fields(pool_datastack_create(), ++ tests_bad[i].in, NULL, NULL); + return FATAL_TEST_FAILURE; + } + diff --git a/dovecot-2.4.1-gssapi.patch b/dovecot-2.4.1-gssapi.patch new file mode 100644 index 0000000..9765eb9 --- /dev/null +++ b/dovecot-2.4.1-gssapi.patch @@ -0,0 +1,12 @@ +diff -up dovecot-2.4.1-4/src/auth/mech-gssapi.c.gssapi dovecot-2.4.1-4/src/auth/mech-gssapi.c +--- dovecot-2.4.1-4/src/auth/mech-gssapi.c.gssapi 2025-06-24 00:07:54.720275640 +0200 ++++ dovecot-2.4.1-4/src/auth/mech-gssapi.c 2025-06-24 00:10:04.541651871 +0200 +@@ -672,7 +672,7 @@ mech_gssapi_auth_initial(struct auth_req + + if (data_size == 0) { + /* The client should go first */ +- auth_request_handler_reply_continue(request, NULL, 0); ++ auth_request_handler_reply_continue(request, uchar_empty_ptr, 0); + } else { + mech_gssapi_auth_continue(request, data, data_size); + } 
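Review bot: In patch 6/7 the new guard in auth_cache_parse_key_exclude(), `if (*vars == NULL && *query != '\0')`, runs before the loop that skips provider-prefixed variables, so a query whose only variables are ones that loop ignores would apparently still produce a key with no per-request variable in it, which is what this series sets out to reject. The loop body is only partly visible in the hunk, so this needs confirming against the full function; if it holds, testing the built key after the loop, e.g. `if (str_len(str) == 0 && *query != '\0')`, would cover both cases. Separately, in patch 1/7 the passdb-pam.c format string `"%"AUTH_CACHE_KEY_USER"\t%s"` only works because the macro begins with `%`. A comment such as `/* "%" + "%{user}" gives printf "%%{user}", i.e. a literal %{user} */` would stop a later edit of the macro from silently changing the key.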
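Review bot: The new dovecot-2.4.1-gssapi.patch has no header saying why `NULL` becomes `uchar_empty_ptr` in the `data_size == 0` branch of mech_gssapi_auth_initial(), or which upstream change it tracks, so a later rebase cannot tell whether it is still needed. A short preamble in the patch file, or a comment above the call such as `/* reply buffer must be non-NULL even for an empty continuation */`, would record the intent. That wording is inferred from the change itself and should be checked against auth_request_handler_reply_continue(). The function body starts and ends outside the hunk.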
diff --git a/dovecot-2.4.1-nolibotp.patch b/dovecot-2.4.1-nolibotp.patch
index aea6ada..6c8dad5 100644
--- a/dovecot-2.4.1-nolibotp.patch
+++ b/dovecot-2.4.1-nolibotp.patch
@@ -1,80 +1,134 @@ -diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/auth/test-auth.c.nolibotp dovecot-2.4.2-build/dovecot-2.4.2/src/auth/test-auth.c ---- dovecot-2.4.2-build/dovecot-2.4.2/src/auth/test-auth.c.nolibotp 2025-10-29 07:58:41.000000000 +0100 -+++ dovecot-2.4.2-build/dovecot-2.4.2/src/auth/test-auth.c 2025-11-30 13:38:50.100927373 +0100 -@@ -16,7 +16,7 @@ - static const char *const settings[] = { - "base_dir", ".", - "auth_mechanisms", -- "ANONYMOUS APOP CRAM-MD5 DIGEST-MD5 EXTERNAL LOGIN PLAIN OTP " -+ "ANONYMOUS APOP CRAM-MD5 DIGEST-MD5 EXTERNAL LOGIN PLAIN " - "OAUTHBEARER SCRAM-SHA-1 SCRAM-SHA-256 XOAUTH2", - "auth_username_chars", "", - "auth_username_format", "", -diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/auth/test-mech.c.nolibotp dovecot-2.4.2-build/dovecot-2.4.2/src/auth/test-mech.c ---- dovecot-2.4.2-build/dovecot-2.4.2/src/auth/test-mech.c.nolibotp 2025-10-29 07:58:41.000000000 +0100 -+++ dovecot-2.4.2-build/dovecot-2.4.2/src/auth/test-mech.c 2025-11-30 13:38:50.101130654 +0100 -@@ -46,10 +46,7 @@ request_handler_reply_mock_callback(stru +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/main.c.nolibotp dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/main.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/main.c.nolibotp 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/main.c 2025-06-05 22:36:50.148155427 +0200 +@@ -20,8 +20,6 @@ + #include "password-scheme.h" + #include "passdb-cache.h" + #include "mech.h" +-#include "otp.h" +-#include "mech-otp-common.h" + #include "auth.h" + #include "auth-penalty.h" + #include "auth-token.h" +@@ -272,7 +270,6 @@ static void main_deinit(void) + + auth_policy_deinit(); + mech_register_deinit(&mech_reg); +- mech_otp_deinit(); + db_oauth2_deinit(); + mech_deinit(global_auth_settings); + settings_free(global_auth_settings); +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech.c.nolibotp dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech.c +--- 
dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech.c.nolibotp 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech.c 2025-06-05 22:36:50.148435422 +0200 +@@ -71,7 +71,6 @@ extern const struct mech_module mech_apo + extern const struct mech_module mech_cram_md5; + extern const struct mech_module mech_digest_md5; + extern const struct mech_module mech_external; +-extern const struct mech_module mech_otp; + extern const struct mech_module mech_scram_sha1; + extern const struct mech_module mech_scram_sha1_plus; + extern const struct mech_module mech_scram_sha256; +@@ -217,7 +216,6 @@ void mech_init(const struct auth_setting + mech_register_module(&mech_gssapi_spnego); + #endif + } +- mech_register_module(&mech_otp); + mech_register_module(&mech_scram_sha1); + mech_register_module(&mech_scram_sha1_plus); + mech_register_module(&mech_scram_sha256); +@@ -247,7 +245,6 @@ void mech_deinit(const struct auth_setti + mech_unregister_module(&mech_gssapi_spnego); + #endif + } +- mech_unregister_module(&mech_otp); + mech_unregister_module(&mech_scram_sha1); + mech_unregister_module(&mech_scram_sha1_plus); + mech_unregister_module(&mech_scram_sha256); +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-auth.c.nolibotp dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-auth.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-auth.c.nolibotp 2025-06-05 23:11:23.428522162 +0200 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-auth.c 2025-06-05 23:11:23.443511259 +0200 +@@ -72,7 +72,6 @@ void test_auth_init(void) + void test_auth_deinit(void) + { + auth_penalty_deinit(&auth_penalty); +- mech_otp_deinit(); + db_oauth2_deinit(); + auths_deinit(); + auth_token_deinit(); +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-mech.c.nolibotp dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-mech.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-mech.c.nolibotp 2025-03-28 12:32:27.000000000 +0100 ++++ 
dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/test-mech.c 2025-06-05 22:36:50.148639214 +0200 +@@ -24,7 +24,6 @@ extern const struct mech_module mech_dig + extern const struct mech_module mech_external; + extern const struct mech_module mech_login; + extern const struct mech_module mech_oauthbearer; +-extern const struct mech_module mech_otp; + extern const struct mech_module mech_plain; + extern const struct mech_module mech_scram_sha1; + extern const struct mech_module mech_scram_sha256; +@@ -60,10 +59,7 @@ request_handler_reply_mock_callback(stru if (request->passdb_result == PASSDB_RESULT_OK) request->failed = FALSE; -- else if (strcmp(request->fields.mech_name, SASL_MECH_NAME_OTP) == 0) { +- else if (request->mech == &mech_otp) { - if (null_strcmp(request->fields.user, "otp_phase_2") == 0) - request->failed = FALSE; -- } else if (strcmp(request->fields.mech_name, -+ else if (strcmp(request->fields.mech_name, - SASL_MECH_NAME_OAUTHBEARER) == 0) { +- } else if (request->mech == &mech_oauthbearer) { ++ else if (request->mech == &mech_oauthbearer) { } }; -@@ -190,10 +187,6 @@ static void test_mechs(void) - {"PLAIN", UCHAR_LEN("\0testuser\0testpass"), "testuser", TRUE, FALSE, FALSE}, - {"PLAIN", UCHAR_LEN("normaluser\0masteruser\0masterpass"), "masteruser", TRUE, FALSE, FALSE}, - {"PLAIN", UCHAR_LEN("normaluser\0normaluser\0masterpass"), "normaluser", TRUE, FALSE, FALSE}, -- {"OTP", UCHAR_LEN("hex:5Bf0 75d9 959d 036f"), "otp_phase_2", TRUE, TRUE, FALSE}, -- {"OTP", UCHAR_LEN("word:BOND FOGY DRAB NE RISE MART"), "otp_phase_2", TRUE, TRUE, FALSE}, -- {"OTP", UCHAR_LEN("init-hex:f6bd 6b33 89b8 7203:md5 499 ke6118:23d1 b253 5ae0 2b7e"), "otp_phase_2", TRUE, TRUE, FALSE}, -- {"OTP", UCHAR_LEN("init-word:END KERN BALM NICK EROS WAVY:md5 499 ke1235:BABY FAIN OILY NIL TIDY DADE"), "otp_phase_2", TRUE, TRUE, FALSE}, - {"OAUTHBEARER", UCHAR_LEN("n,a=testuser,p=cHJvb2Y=,f=nonstandart\x01host=server\x01port=143\x01""auth=Bearer 
vF9dft4qmTc2Nvb3RlckBhbHRhdmlzdGEuY29tCg==\x01\x01"), "testuser", FALSE, TRUE, FALSE}, - {"SCRAM-SHA-1", UCHAR_LEN("n,,n=testuser,r=rOprNGfwEbeRWgbNEkqO"), "testuser", TRUE, FALSE, FALSE}, - {"SCRAM-SHA-256", UCHAR_LEN("n,,n=testuser,r=rOprNGfwEbeRWgbNEkqO"), "testuser", TRUE, FALSE, FALSE}, -@@ -208,8 +201,6 @@ static void test_mechs(void) - {"EXTERNAL", UCHAR_LEN(""), "testuser", FALSE, TRUE, FALSE}, - {"EXTERNAL", UCHAR_LEN(""), NULL, FALSE, FALSE, FALSE}, - {"LOGIN", UCHAR_LEN(""), NULL, FALSE, FALSE, FALSE}, -- {"OTP", UCHAR_LEN(""), NULL, FALSE, FALSE, FALSE}, -- {"OTP", UCHAR_LEN(""), "testuser", FALSE, FALSE, FALSE}, - {"PLAIN", UCHAR_LEN(""), NULL, FALSE, FALSE, FALSE}, - {"OAUTHBEARER", UCHAR_LEN(""), NULL, FALSE, FALSE, FALSE}, - {"XOAUTH2", UCHAR_LEN(""), NULL, FALSE, FALSE, FALSE}, -@@ -221,7 +212,6 @@ static void test_mechs(void) - {"APOP", UCHAR_LEN("1.1.1\0testuser\0tooshort"), NULL, FALSE, FALSE, FALSE}, - {"APOP", UCHAR_LEN("1.1.1\0testuser\0responseoflen16-"), NULL, FALSE, FALSE, FALSE}, - {"APOP", UCHAR_LEN("1.1.1"), NULL, FALSE, FALSE, FALSE}, -- {"OTP", UCHAR_LEN("somebody\0testuser"), "testuser", FALSE, TRUE, FALSE}, - {"CRAM-MD5", UCHAR_LEN("testuser\0response"), "testuser", FALSE, FALSE, FALSE}, - {"PLAIN", UCHAR_LEN("testuser\0"), "testuser", FALSE, FALSE, FALSE}, -@@ -264,9 +254,7 @@ static void test_mechs(void) - {"PLAIN", UCHAR_LEN("\0fa\0il\0ing\0withthis"), NULL, FALSE, FALSE, FALSE}, - {"PLAIN", UCHAR_LEN("failingwiththis"), NULL, FALSE, FALSE, FALSE}, - {"PLAIN", UCHAR_LEN("failing\0withthis"), NULL, FALSE, FALSE, FALSE}, -- {"OTP", UCHAR_LEN("someb\0ody\0testuser"), NULL, FALSE, FALSE, FALSE}, +@@ -181,10 +177,6 @@ static void test_mechs(void) + {&mech_plain, UCHAR_LEN("\0testuser\0testpass"), "testuser", NULL, TRUE, FALSE, FALSE}, + {&mech_plain, UCHAR_LEN("normaluser\0masteruser\0masterpass"), "masteruser", NULL, TRUE, FALSE, FALSE}, + {&mech_plain, UCHAR_LEN("normaluser\0normaluser\0masterpass"), "normaluser", NULL, TRUE, FALSE, 
FALSE}, +- {&mech_otp, UCHAR_LEN("hex:5Bf0 75d9 959d 036f"), "otp_phase_2", NULL, TRUE, TRUE, FALSE}, +- {&mech_otp, UCHAR_LEN("word:BOND FOGY DRAB NE RISE MART"), "otp_phase_2", NULL, TRUE, TRUE, FALSE}, +- {&mech_otp, UCHAR_LEN("init-hex:f6bd 6b33 89b8 7203:md5 499 ke6118:23d1 b253 5ae0 2b7e"), "otp_phase_2", NULL, TRUE, TRUE, FALSE}, +- {&mech_otp, UCHAR_LEN("init-word:END KERN BALM NICK EROS WAVY:md5 499 ke1235:BABY FAIN OILY NIL TIDY DADE"), "otp_phase_2", NULL , TRUE, TRUE, FALSE}, + {&mech_oauthbearer, UCHAR_LEN("n,a=testuser,p=cHJvb2Y=,f=nonstandart\x01host=server\x01port=143\x01""auth=Bearer vF9dft4qmTc2Nvb3RlckBhbHRhdmlzdGEuY29tCg==\x01\x01"), "testuser", NULL, FALSE, TRUE, FALSE}, + {&mech_scram_sha1, UCHAR_LEN("n,,n=testuser,r=rOprNGfwEbeRWgbNEkqO"), "testuser", NULL, TRUE, FALSE, FALSE}, + {&mech_scram_sha256, UCHAR_LEN("n,,n=testuser,r=rOprNGfwEbeRWgbNEkqO"), "testuser", NULL, TRUE, FALSE, FALSE}, +@@ -199,8 +191,6 @@ static void test_mechs(void) + {&mech_external, UCHAR_LEN(""), "testuser", NULL, FALSE, TRUE, FALSE}, + {&mech_external, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_login, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE}, +- {&mech_otp, UCHAR_LEN(""), NULL, "invalid input", FALSE, FALSE, FALSE}, +- {&mech_otp, UCHAR_LEN(""), "testuser", "invalid input", FALSE, FALSE, FALSE}, + {&mech_plain, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_oauthbearer, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_xoauth2, UCHAR_LEN(""), NULL, NULL, FALSE, FALSE, FALSE}, +@@ -212,7 +202,6 @@ static void test_mechs(void) + {&mech_apop, UCHAR_LEN("1.1.1\0testuser\0tooshort"), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_apop, UCHAR_LEN("1.1.1\0testuser\0responseoflen16-"), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_apop, UCHAR_LEN("1.1.1"), NULL, NULL, FALSE, FALSE, FALSE}, +- {&mech_otp, UCHAR_LEN("somebody\0testuser"), "testuser", "unsupported response type", FALSE, TRUE, FALSE}, + {&mech_cram_md5, 
UCHAR_LEN("testuser\0response"), "testuser", NULL, FALSE, FALSE, FALSE}, + {&mech_plain, UCHAR_LEN("testuser\0"), "testuser", NULL, FALSE, FALSE, FALSE}, + +@@ -254,9 +243,7 @@ static void test_mechs(void) + {&mech_plain, UCHAR_LEN("\0fa\0il\0ing\0withthis"), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_plain, UCHAR_LEN("failingwiththis"), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_plain, UCHAR_LEN("failing\0withthis"), NULL, NULL, FALSE, FALSE, FALSE}, +- {&mech_otp, UCHAR_LEN("someb\0ody\0testuser"), NULL, "invalid input", FALSE, FALSE, FALSE}, /* phase 2 */ -- {"OTP", UCHAR_LEN("someb\0ody\0testuser"), "testuser", FALSE, TRUE, FALSE}, - {"SCRAM-SHA-1", UCHAR_LEN("c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,p=v0X8v3Bz2T0CJGbJQyF0X+HI4Ts="), NULL, FALSE, FALSE, FALSE}, - {"SCRAM-SHA-1", UCHAR_LEN("iws0X8v3Bz2T0CJGbJQyF0X+HI4Ts=,,,,"), NULL, FALSE, FALSE, FALSE}, - {"SCRAM-SHA-1", UCHAR_LEN("n,a=masteruser,,"), NULL, FALSE, FALSE, FALSE}, -diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.c.nolibotp dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.c ---- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.c.nolibotp 2025-11-30 13:38:50.093609901 +0100 -+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.c 2025-11-30 13:38:50.101359374 +0100 +- {&mech_otp, UCHAR_LEN("someb\0ody\0testuser"), "testuser", "unsupported response type", FALSE, TRUE, FALSE}, + {&mech_scram_sha1, UCHAR_LEN("c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,p=v0X8v3Bz2T0CJGbJQyF0X+HI4Ts="), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_scram_sha1, UCHAR_LEN("iws0X8v3Bz2T0CJGbJQyF0X+HI4Ts=,,,,"), NULL, NULL, FALSE, FALSE, FALSE}, + {&mech_scram_sha1, UCHAR_LEN("n,a=masteruser,,"), NULL, NULL, FALSE, FALSE, FALSE}, +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c.nolibotp dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c +--- 
dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c.nolibotp 2025-06-05 22:36:50.142606171 +0200 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c 2025-06-05 22:36:50.148822418 +0200 @@ -13,7 +13,6 @@ #include "randgen.h" #include "sha1.h" #include "sha2.h" -#include "otp.h" #include "str.h" - #include "auth-digest.h" #include "password-scheme.h" -@@ -704,33 +703,6 @@ plain_md5_generate(const char *plaintext + #include "password-scheme-private.h" +@@ -701,33 +700,6 @@ plain_md5_generate(const char *plaintext *size_r = MD5_RESULTLEN; } @@ -108,7 +162,7 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.c.nolibo static const struct password_scheme builtin_schemes[] = { { .name = "MD5", -@@ -894,13 +866,6 @@ static const struct password_scheme buil +@@ -891,13 +863,6 @@ static const struct password_scheme buil .password_generate = plain_md5_generate, }, { @@ -122,9 +176,9 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.c.nolibo .name = "PBKDF2", .default_encoding = PW_ENCODING_NONE, .raw_password_len = 0, -diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.h.nolibotp dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.h ---- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.h.nolibotp 2025-10-29 07:58:41.000000000 +0100 -+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.h 2025-11-30 13:38:50.101549260 +0100 +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.h.nolibotp dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.h +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.h.nolibotp 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.h 2025-06-05 22:36:50.148942954 +0200 @@ -98,9 +98,6 @@ void password_set_encryption_rounds(unsi /* INTERNAL: */ const char *password_generate_salt(size_t len); 
@@ -133,11 +187,11 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.h.nolibo - unsigned int algo, const char **result_r) - ATTR_NULL(2); - int scram_verify(const struct hash_method *hmethod, const char *scheme_name, - const char *plaintext, const unsigned char *raw_password, -diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/test-password-scheme.c.nolibotp dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/test-password-scheme.c ---- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/test-password-scheme.c.nolibotp 2025-10-29 07:58:41.000000000 +0100 -+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/test-password-scheme.c 2025-11-30 13:38:50.101711124 +0100 + int scram_scheme_parse(const struct hash_method *hmethod, const char *name, + const unsigned char *credentials, size_t size, +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/test-password-scheme.c.nolibotp dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/test-password-scheme.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/test-password-scheme.c.nolibotp 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/test-password-scheme.c 2025-06-05 22:36:50.149077275 +0200 @@ -107,7 +107,6 @@ static void test_password_schemes(void) test_password_scheme("SHA512", "{SHA512}7iaw3Ur350mqGo7jwQrpkj9hiYB3Lkc/iBml1JQODbJ6wYX4oOHV+E+IvIh/1nsUNzLDBMxfqa2Ob1f1ACio/w==", "test"); test_password_scheme("SSHA", "{SSHA}H/zrDv8FXUu1JmwvVYijfrYEF34jVZcO", "test"); 
@@ -146,140 +200,3 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/test-password-scheme.c.n test_password_scheme("PBKDF2", "{PBKDF2}$1$bUnT4Pl7yFtYX0KU$5000$50a83cafdc517b9f46519415e53c6a858908680a", "test"); test_password_scheme("CRAM-MD5", "{CRAM-MD5}e02d374fde0dc75a17a557039a3a5338c7743304777dccd376f332bee68d2cf6", "test"); test_password_scheme("DIGEST-MD5", "{DIGEST-MD5}77c1a8c437c9b08ba2f460fe5d58db5d", "test"); -diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client.c.nolibotp dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client.c ---- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client.c.nolibotp 2025-11-30 13:39:54.210043386 +0100 -+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client.c 2025-11-30 13:39:54.217205256 +0100 -@@ -175,7 +175,6 @@ void dsasl_clients_init(void) - dsasl_client_mech_register(&dsasl_client_mech_digest_md5); - dsasl_client_mech_register(&dsasl_client_mech_cram_md5); - dsasl_client_mech_register(&dsasl_client_mech_oauthbearer); -- dsasl_client_mech_register(&dsasl_client_mech_otp); - dsasl_client_mech_register(&dsasl_client_mech_xoauth2); - dsasl_client_mech_register(&dsasl_client_mech_scram_sha_1); - dsasl_client_mech_register(&dsasl_client_mech_scram_sha_1_plus); -diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client-private.h.nolibotp dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client-private.h ---- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client-private.h.nolibotp 2025-11-30 13:40:22.269119732 +0100 -+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client-private.h 2025-11-30 13:40:22.275363043 +0100 -@@ -50,7 +50,6 @@ extern const struct dsasl_client_mech ds - extern const struct dsasl_client_mech dsasl_client_mech_external; - extern const struct dsasl_client_mech dsasl_client_mech_login; - extern const struct dsasl_client_mech dsasl_client_mech_oauthbearer; --extern const struct dsasl_client_mech dsasl_client_mech_otp; - extern const 
struct dsasl_client_mech dsasl_client_mech_xoauth2; - extern const struct dsasl_client_mech dsasl_client_mech_scram_sha_1; - extern const struct dsasl_client_mech dsasl_client_mech_scram_sha_1_plus; -diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/fuzz-sasl-authentication.c.nolibotp dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/fuzz-sasl-authentication.c ---- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/fuzz-sasl-authentication.c.nolibotp 2025-11-30 13:40:56.823727053 +0100 -+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/fuzz-sasl-authentication.c 2025-11-30 13:40:56.837864792 +0100 -@@ -635,7 +635,6 @@ static void fuzz_sasl_run(struct istream - sasl_server_mech_register_cram_md5(server_inst); - sasl_server_mech_register_digest_md5(server_inst); - sasl_server_mech_register_login(server_inst); -- sasl_server_mech_register_otp(server_inst); - sasl_server_mech_register_plain(server_inst); - sasl_server_mech_register_scram_sha1(server_inst); - sasl_server_mech_register_scram_sha1_plus(server_inst); -diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/sasl-server.h.nolibotp dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/sasl-server.h ---- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/sasl-server.h.nolibotp 2025-11-30 13:41:24.035316421 +0100 -+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/sasl-server.h 2025-11-30 13:41:24.050796571 +0100 -@@ -193,8 +193,6 @@ void sasl_server_mech_register_scram_sha - void sasl_server_mech_register_scram_sha256_plus( - struct sasl_server_instance *sinst); - --void sasl_server_mech_register_otp(struct sasl_server_instance *sinst); -- - /* Winbind */ - - struct sasl_server_winbind_settings { -diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/test-sasl-authentication.c.nolibotp dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/test-sasl-authentication.c ---- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/test-sasl-authentication.c.nolibotp 2025-11-30 13:42:08.741524883 +0100 -+++ 
dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/test-sasl-authentication.c 2025-11-30 13:42:08.757334395 +0100 -@@ -507,7 +507,6 @@ test_sasl_run(const struct test_sasl *te - sasl_server_mech_register_digest_md5(server_inst); - sasl_server_mech_register_external(server_inst); - sasl_server_mech_register_login(server_inst); -- sasl_server_mech_register_otp(server_inst); - sasl_server_mech_register_plain(server_inst); - sasl_server_mech_register_scram_sha1(server_inst); - sasl_server_mech_register_scram_sha1_plus(server_inst); -@@ -722,16 +721,6 @@ static const struct test_sasl success_te - .password = "tokentokentoken", - }, - }, -- /* OTP */ -- { -- .mech = "OTP", -- .authid_type = SASL_SERVER_AUTHID_TYPE_USERNAME, -- .server = { -- .authid = "user", -- .password = "pass", -- }, -- .repeat = 1050, -- }, - /* EXTERNAL */ - { - .mech = "EXTERNAL", -@@ -1457,31 +1446,6 @@ static const struct test_sasl bad_creds_ - }, - .failure = TRUE, - }, -- /* OTP */ -- { -- .mech = "OTP", -- .authid_type = SASL_SERVER_AUTHID_TYPE_USERNAME, -- .server = { -- .authid = "user", -- .password = "pass", -- }, -- .client = { -- .authid = "userb", -- }, -- .failure = TRUE, -- }, -- { -- .mech = "OTP", -- .authid_type = SASL_SERVER_AUTHID_TYPE_USERNAME, -- .server = { -- .authid = "user", -- .password = "pass", -- }, -- .client = { -- .password = "florp", -- }, -- .failure = TRUE, -- }, - /* EXTERNAL */ - { - .mech = "EXTERNAL", -diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/auth/auth-sasl.c.nolibotp2 dovecot-2.4.2-build/dovecot-2.4.2/src/auth/auth-sasl.c ---- dovecot-2.4.2-build/dovecot-2.4.2/src/auth/auth-sasl.c.nolibotp2 2025-11-30 13:56:23.124460140 +0100 -+++ dovecot-2.4.2-build/dovecot-2.4.2/src/auth/auth-sasl.c 2025-11-30 13:56:39.521935947 +0100 -@@ -472,7 +472,6 @@ MECH_SIMPLE_REGISTER__TEMPLATE(cram_md5) - MECH_SIMPLE_REGISTER__TEMPLATE(digest_md5) - MECH_SIMPLE_REGISTER__TEMPLATE(external) - MECH_SIMPLE_REGISTER__TEMPLATE(login) --MECH_SIMPLE_REGISTER__TEMPLATE(otp) - 
MECH_SIMPLE_REGISTER__TEMPLATE(plain) - MECH_SIMPLE_REGISTER__TEMPLATE(scram_sha1) - MECH_SIMPLE_REGISTER__TEMPLATE(scram_sha1_plus) -@@ -539,12 +538,6 @@ static const struct auth_sasl_mech_modul - .mech_register = mech_login_register, - }; - --static const struct auth_sasl_mech_module mech_otp = { -- .mech_name = SASL_MECH_NAME_OTP, -- -- .mech_register = mech_otp_register, --}; -- - static const struct auth_sasl_mech_module mech_plain = { - .mech_name = SASL_MECH_NAME_PLAIN, - -@@ -612,7 +605,6 @@ static void auth_sasl_mechs_init(const s - if (set->use_winbind) - auth_sasl_mech_register_module(&mech_winbind_ntlm); - auth_sasl_mech_oauth2_register(); -- auth_sasl_mech_register_module(&mech_otp); - auth_sasl_mech_register_module(&mech_plain); - auth_sasl_mech_register_module(&mech_scram_sha1); - auth_sasl_mech_register_module(&mech_scram_sha1_plus); diff --git a/dovecot-2.4.1-opensslhmac3.patch b/dovecot-2.4.1-opensslhmac3.patch index 1947856..d5e8a92 100644 --- a/dovecot-2.4.1-opensslhmac3.patch +++ b/dovecot-2.4.1-opensslhmac3.patch @@ -1,6 +1,6 @@ -diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/auth/auth-token.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/auth/auth-token.c ---- dovecot-2.4.2-build/dovecot-2.4.2/src/auth/auth-token.c.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 -+++ dovecot-2.4.2-build/dovecot-2.4.2/src/auth/auth-token.c 2025-11-30 09:57:55.178213106 +0100 +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/auth-token.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/auth-token.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/auth-token.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/auth-token.c 2025-07-30 11:45:19.801515296 +0200 @@ -162,17 +162,17 @@ void auth_token_deinit(void) const char *auth_token_get(const char *service, const char *session_pid, const char *username, const char *session_id) 
@@ -26,10 +26,10 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/auth/auth-token.c.opensslhmac3 do return binary_to_hex(result, sizeof(result)); } -diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/auth/Makefile.am.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/auth/Makefile.am ---- dovecot-2.4.2-build/dovecot-2.4.2/src/auth/Makefile.am.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 -+++ dovecot-2.4.2-build/dovecot-2.4.2/src/auth/Makefile.am 2025-11-30 09:57:55.178490134 +0100 -@@ -71,6 +71,7 @@ auth_LDFLAGS = -export-dynamic +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/Makefile.am.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/Makefile.am +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/Makefile.am.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/Makefile.am 2025-07-30 11:45:19.803705887 +0200 +@@ -66,6 +66,7 @@ auth_LDFLAGS = -export-dynamic auth_libs = \ ../lib-auth/libauth-crypt.la \ $(AUTH_LUA_LIBS) \ 
@@ -37,9 +37,35 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/auth/Makefile.am.opensslhmac3 dov $(LIBDOVECOT_SQL) auth_CPPFLAGS = $(AM_CPPFLAGS) $(BINARY_CFLAGS) -diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/imap/Makefile.am.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/imap/Makefile.am ---- dovecot-2.4.2-build/dovecot-2.4.2/src/imap/Makefile.am.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 -+++ dovecot-2.4.2-build/dovecot-2.4.2/src/imap/Makefile.am 2025-11-30 09:57:55.179136544 +0100 +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech-cram-md5.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech-cram-md5.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech-cram-md5.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/auth/mech-cram-md5.c 2025-07-30 11:45:19.801656370 +0200 +@@ -50,7 +50,7 @@ static bool verify_credentials(struct cr + const unsigned char *credentials, size_t size) + { + unsigned char digest[MD5_RESULTLEN]; +- struct hmac_context ctx; ++ struct orig_hmac_context ctx; + const char *response_hex; + + if (size != CRAM_MD5_CONTEXTLEN) { +@@ -59,10 +59,10 @@ static bool verify_credentials(struct cr + return FALSE; + } + +- hmac_init(&ctx, NULL, 0, &hash_method_md5); ++ orig_hmac_init(&ctx, NULL, 0, &hash_method_md5); + hmac_md5_set_cram_context(&ctx, credentials); +- hmac_update(&ctx, request->challenge, strlen(request->challenge)); +- hmac_final(&ctx, digest); ++ orig_hmac_update(&ctx, request->challenge, strlen(request->challenge)); ++ orig_hmac_final(&ctx, digest); + + response_hex = binary_to_hex(digest, sizeof(digest)); + +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap/Makefile.am.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap/Makefile.am +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap/Makefile.am.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap/Makefile.am 2025-07-30 11:45:19.803805844 +0200 
@@ -21,11 +21,13 @@ AM_CPPFLAGS = \ $(BINARY_CFLAGS) @@ -54,10 +80,10 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/imap/Makefile.am.opensslhmac3 dov $(LIBDOVECOT_STORAGE) \ $(LIBDOVECOT) imap_DEPENDENCIES = \ -diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/imap-urlauth/Makefile.am.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/imap-urlauth/Makefile.am ---- dovecot-2.4.2-build/dovecot-2.4.2/src/imap-urlauth/Makefile.am.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 -+++ dovecot-2.4.2-build/dovecot-2.4.2/src/imap-urlauth/Makefile.am 2025-11-30 09:57:55.179268682 +0100 -@@ -23,6 +23,7 @@ imap_urlauth_CPPFLAGS = \ +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap-urlauth/Makefile.am.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap-urlauth/Makefile.am +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap-urlauth/Makefile.am.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/imap-urlauth/Makefile.am 2025-07-30 11:45:19.803904279 +0200 +@@ -22,6 +22,7 @@ imap_urlauth_CPPFLAGS = \ imap_urlauth_LDFLAGS = -export-dynamic imap_urlauth_LDADD = $(LIBDOVECOT) \ @@ -65,7 +91,7 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/imap-urlauth/Makefile.am.opensslh $(BINARY_LDFLAGS) imap_urlauth_DEPENDENCIES = $(LIBDOVECOT_DEPS) -@@ -53,7 +54,7 @@ imap_urlauth_worker_LDFLAGS = -export-dy +@@ -52,7 +53,7 @@ imap_urlauth_worker_LDFLAGS = -export-dy urlauth_libs = \ $(top_builddir)/src/lib-imap-urlauth/libimap-urlauth.la 
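Review bot: The `src/auth/mech-cram-md5.c` section added by the `@@ -37,9 +37,35 @@` hunk switches `verify_credentials` to `orig_hmac_init`/`orig_hmac_update`/`orig_hmac_final` without recording why this caller stays on the built-in HMAC, when the patch name suggests the other callers move to an OpenSSL-backed one. The reason appears to be that `hmac_md5_set_cram_context` casts `hmac_ctx->ctx` to a `struct md5_context` (visible in the `hmac-cram-md5.c` section) and so needs the original context layout. A comment above the `orig_hmac_init` line would keep a later cleanup from "fixing" it, for example `/* CRAM-MD5 restores a stored MD5 state into the context, so it needs the built-in HMAC rather than the OpenSSL one */`. The same comment could note that this path presumably computes HMAC-MD5 outside OpenSSL, so a system crypto policy that disables MD5 may not cover it, and sites needing that guarantee should leave CRAM-MD5 out of the enabled mechanisms. The function continues past the hunk, so the comparison of `response_hex` and any clearing of `digest` and `ctx` cannot be checked from here.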
@@ -74,10 +100,10 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/imap-urlauth/Makefile.am.opensslh imap_urlauth_worker_DEPENDENCIES = $(urlauth_libs) $(LIBDOVECOT_STORAGE_DEPS) $(LIBDOVECOT_DEPS) imap_urlauth_worker_SOURCES = \ -diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-client.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-client.c ---- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-client.c.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 -+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-client.c 2025-11-30 09:57:55.179413002 +0100 -@@ -222,7 +222,7 @@ static string_t *auth_scram_get_client_f +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-client.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-client.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-client.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-client.c 2025-07-30 11:45:19.801788468 +0200 +@@ -248,7 +248,7 @@ static string_t *auth_scram_get_client_f unsigned char client_signature[hmethod->digest_size]; unsigned char client_proof[hmethod->digest_size]; unsigned char server_key[hmethod->digest_size]; @@ -86,7 +112,7 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-client.c.open const void *cbind_input; size_t cbind_input_size; string_t *auth_message, *str; -@@ -281,9 +281,9 @@ static string_t *auth_scram_get_client_f +@@ -307,9 +307,9 @@ static string_t *auth_scram_get_client_f client->iter, salted_password); /* ClientKey := HMAC(SaltedPassword, "Client Key") */ 
@@ -99,7 +125,7 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-client.c.open /* StoredKey := H(ClientKey) */ hash_method_get_digest(hmethod, client_key, sizeof(client_key), -@@ -301,9 +301,9 @@ static string_t *auth_scram_get_client_f +@@ -327,9 +327,9 @@ static string_t *auth_scram_get_client_f str_append_str(auth_message, str); /* ClientSignature := HMAC(StoredKey, AuthMessage) */ @@ -112,7 +138,7 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-client.c.open /* ClientProof := ClientKey XOR ClientSignature */ for (k = 0; k < hmethod->digest_size; k++) -@@ -314,16 +314,16 @@ static string_t *auth_scram_get_client_f +@@ -340,16 +340,16 @@ static string_t *auth_scram_get_client_f safe_memset(client_signature, 0, sizeof(client_signature)); /* ServerKey := HMAC(SaltedPassword, "Server Key") */ @@ -135,9 +161,9 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-client.c.open safe_memset(salted_password, 0, sizeof(salted_password)); -diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram.c ---- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram.c.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 -+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram.c 2025-11-30 09:57:55.179729815 +0100 +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram.c 2025-07-30 11:45:19.801918022 +0200 @@ -31,7 +31,7 @@ void auth_scram_hi(const struct hash_met const unsigned char *salt, size_t salt_size, unsigned int i, unsigned char *result) 
@@ -207,10 +233,10 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram.c.opensslhmac safe_memset(salted_password, 0, sizeof(salted_password)); safe_memset(client_key, 0, sizeof(client_key)); -diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-server.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-server.c ---- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-server.c.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 -+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-server.c 2025-11-30 09:57:55.179862473 +0100 -@@ -288,7 +288,7 @@ auth_scram_server_verify_credentials(str +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-server.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-server.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-server.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/auth-scram-server.c 2025-07-30 11:45:19.802027357 +0200 +@@ -342,7 +342,7 @@ auth_scram_server_verify_credentials(str { const struct hash_method *hmethod = server->set.hash_method; struct auth_scram_key_data *kdata = &server->key_data; @@ -219,7 +245,7 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-server.c.open const char *auth_message; unsigned char client_key[hmethod->digest_size]; unsigned char client_signature[hmethod->digest_size]; -@@ -309,9 +309,9 @@ auth_scram_server_verify_credentials(str +@@ -363,9 +363,9 @@ auth_scram_server_verify_credentials(str server->server_first_message, ",", server->client_final_message_without_proof, NULL); 
@@ -232,7 +258,7 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-server.c.open /* ClientProof := ClientKey XOR ClientSignature */ const unsigned char *proof_data = server->proof->data; -@@ -440,7 +440,7 @@ auth_scram_get_server_final(struct auth_ +@@ -494,7 +494,7 @@ auth_scram_get_server_final(struct auth_ { const struct hash_method *hmethod = server->set.hash_method; struct auth_scram_key_data *kdata = &server->key_data; @@ -241,7 +267,7 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-server.c.open const char *auth_message; unsigned char server_signature[hmethod->digest_size]; string_t *str; -@@ -456,9 +456,9 @@ auth_scram_get_server_final(struct auth_ +@@ -510,9 +510,9 @@ auth_scram_get_server_final(struct auth_ server->server_first_message, ",", server->client_final_message_without_proof, NULL); @@ -254,10 +280,10 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/auth-scram-server.c.open /* RFC 5802, Section 7: -diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.c ---- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.c.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 -+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.c 2025-11-30 09:57:55.180035106 +0100 -@@ -633,11 +633,11 @@ static void +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme.c 2025-07-30 11:45:19.802166177 +0200 +@@ -631,11 +631,11 @@ static void cram_md5_generate(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED, const unsigned char **raw_password_r, size_t *size_r) { 
@@ -271,10 +297,10 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme.c.openss strlen(plaintext), &hash_method_md5); hmac_md5_get_cram_context(&ctx, context_digest); -diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme-scram.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme-scram.c ---- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme-scram.c.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 -+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme-scram.c 2025-11-30 09:57:55.180182392 +0100 -@@ -23,7 +23,7 @@ int scram_verify(const struct hash_metho +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme-scram.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme-scram.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme-scram.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-auth/password-scheme-scram.c 2025-07-30 11:45:19.802285591 +0200 +@@ -69,7 +69,7 @@ int scram_verify(const struct hash_metho const char *plaintext, const unsigned char *raw_password, size_t size, const char **error_r) { @@ -283,7 +309,7 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme-scram.c. const char *salt_base64; unsigned int iter_count; const unsigned char *salt; -@@ -49,9 +49,9 @@ int scram_verify(const struct hash_metho +@@ -94,9 +94,9 @@ int scram_verify(const struct hash_metho salt, salt_len, iter_count, salted_password); /* Calculate ClientKey */ 
@@ -296,9 +322,9 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-auth/password-scheme-scram.c. /* Calculate StoredKey */ hash_method_get_digest(hmethod, client_key, sizeof(client_key), -diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac.c ---- dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac.c.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 -+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac.c 2025-11-30 09:57:55.180318937 +0100 +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.c 2025-07-30 11:46:43.346310291 +0200 @@ -7,6 +7,10 @@ * This software is released under the MIT license. */ @@ -572,9 +598,9 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac.c.opensslhmac3 dovecot-2 - safe_memset(prk, 0, sizeof(prk)); - safe_memset(okm, 0, sizeof(okm)); } -diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac-cram-md5.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac-cram-md5.c ---- dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac-cram-md5.c.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 -+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac-cram-md5.c 2025-11-30 09:57:55.180461985 +0100 +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.c 2025-07-30 11:45:19.802547733 +0200 @@ -9,10 +9,10 @@ #include "md5.h" #include "hmac-cram-md5.h" 
@@ -601,9 +627,9 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac-cram-md5.c.opensslhmac3 const unsigned char *cdp; struct md5_context *ctx = (void*)hmac_ctx->ctx; -diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac-cram-md5.h.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac-cram-md5.h ---- dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac-cram-md5.h.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 -+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac-cram-md5.h 2025-11-30 09:57:55.180563796 +0100 +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.h.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.h +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.h.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac-cram-md5.h 2025-07-30 11:45:19.802643613 +0200 @@ -5,9 +5,9 @@ #define CRAM_MD5_CONTEXTLEN 32 @@ -616,9 +642,9 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac-cram-md5.h.opensslhmac3 const unsigned char context_digest[CRAM_MD5_CONTEXTLEN]); -diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac.h.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac.h ---- dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac.h.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 -+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac.h 2025-11-30 09:57:55.180723505 +0100 +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.h.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.h +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.h.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/hmac.h 2025-07-30 11:45:19.802751766 +0200 @@ -4,60 +4,108 @@ #include "hash-method.h" #include "sha1.h" 
@@ -628,7 +654,7 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac.h.opensslhmac3 dovecot-2 +#include +#include - #define HMAC_MAX_CONTEXT_SIZE HASH_METHOD_MAX_CONTEXT_SIZE + #define HMAC_MAX_CONTEXT_SIZE sizeof(struct sha512_ctx) -struct hmac_context_priv { + @@ -741,9 +767,9 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/hmac.h.opensslhmac3 dovecot-2 okm_buffer, okm_len); return okm_buffer; } -diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-imap-urlauth/imap-urlauth.c ---- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 -+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-imap-urlauth/imap-urlauth.c 2025-11-30 09:57:55.180863807 +0100 +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-imap-urlauth/imap-urlauth.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-imap-urlauth/imap-urlauth.c 2025-07-30 11:45:19.802862354 +0200 @@ -87,15 +87,15 @@ imap_urlauth_internal_generate( const unsigned char mailbox_key[IMAP_URLAUTH_KEY_LEN], size_t *token_len_r) 
@@ -764,10 +790,10 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-imap-urlauth/imap-urlauth.c.o *token_len_r = SHA1_RESULTLEN + 1; return token; -diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/Makefile.am.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib/Makefile.am ---- dovecot-2.4.2-build/dovecot-2.4.2/src/lib/Makefile.am.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 -+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib/Makefile.am 2025-11-30 09:57:55.180990124 +0100 -@@ -414,6 +414,9 @@ headers = \ +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/Makefile.am.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/Makefile.am +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/Makefile.am.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/Makefile.am 2025-07-30 11:45:19.802976508 +0200 +@@ -359,6 +359,9 @@ headers = \ wildcard-match.h \ write-full.h @@ -777,9 +803,9 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/Makefile.am.opensslhmac3 dove test_programs = test-lib noinst_PROGRAMS = $(test_programs) -diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-oauth2/oauth2-jwt.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-oauth2/oauth2-jwt.c ---- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-oauth2/oauth2-jwt.c.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 -+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-oauth2/oauth2-jwt.c 2025-11-30 09:57:55.181135306 +0100 +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/oauth2-jwt.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/oauth2-jwt.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/oauth2-jwt.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/oauth2-jwt.c 2025-07-30 11:45:19.803097425 +0200 @@ -210,14 +210,14 @@ oauth2_validate_hmac(const struct oauth2 if (oauth2_lookup_hmac_key(set, azp, alg, key_id, &key, error_r) < 0) return -1; 
@@ -801,9 +827,9 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-oauth2/oauth2-jwt.c.opensslhm buffer_t *their_digest = t_base64url_decode_str(BASE64_DECODE_FLAG_NO_PADDING, blobs[2]); -diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-oauth2/test-oauth2-jwt.c ---- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 -+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-oauth2/test-oauth2-jwt.c 2025-11-30 09:57:55.181290025 +0100 +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/test-oauth2-jwt.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-oauth2/test-oauth2-jwt.c 2025-07-30 11:45:19.803224443 +0200 @@ -250,7 +250,7 @@ static void save_key_azp_to(const char * static void sign_jwt_token_hs256(buffer_t *tokenbuf, buffer_t *key) { @@ -831,9 +857,9 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-oauth2/test-oauth2-jwt.c.open tokenbuf); buffer_append(tokenbuf, ".", 1); base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX, -diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/pkcs5.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib/pkcs5.c ---- dovecot-2.4.2-build/dovecot-2.4.2/src/lib/pkcs5.c.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 -+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib/pkcs5.c 2025-11-30 09:57:55.181492013 +0100 +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/pkcs5.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/pkcs5.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/pkcs5.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/pkcs5.c 2025-07-30 11:45:19.803357132 +0200 
@@ -52,7 +52,7 @@ int pkcs5_pbkdf2(const struct hash_metho size_t l = (length + hash->digest_size - 1)/hash->digest_size; /* same as ceil(length/hash->digest_size) */ unsigned char dk[l * hash->digest_size]; 
@@ -868,35 +894,9 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/pkcs5.c.opensslhmac3 dovecot- for(i = 0; i < hash->digest_size; i++) block[i] ^= U_c[i]; } -diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/sasl-server-mech-cram-md5.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/sasl-server-mech-cram-md5.c ---- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/sasl-server-mech-cram-md5.c.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 -+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/sasl-server-mech-cram-md5.c 2025-11-30 10:00:28.967795725 +0100 -@@ -53,7 +53,7 @@ verify_credentials(struct sasl_server_me - container_of(auth_request, struct cram_auth_request, - auth_request); - unsigned char digest[MD5_RESULTLEN]; -- struct hmac_context ctx; -+ struct orig_hmac_context ctx; - const char *response_hex; - - if (size != CRAM_MD5_CONTEXTLEN) { -@@ -62,10 +62,10 @@ verify_credentials(struct sasl_server_me - return; - } - -- hmac_init(&ctx, NULL, 0, &hash_method_md5); -+ orig_hmac_init(&ctx, NULL, 0, &hash_method_md5); - hmac_md5_set_cram_context(&ctx, credentials); -- hmac_update(&ctx, request->challenge, strlen(request->challenge)); -- hmac_final(&ctx, digest); -+ orig_hmac_update(&ctx, request->challenge, strlen(request->challenge)); -+ orig_hmac_final(&ctx, digest); - - response_hex = binary_to_hex(digest, sizeof(digest)); - -diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/test-hmac.c.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib/test-hmac.c ---- dovecot-2.4.2-build/dovecot-2.4.2/src/lib/test-hmac.c.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 -+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib/test-hmac.c 2025-11-30 09:57:55.181656401 +0100 +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/test-hmac.c.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/test-hmac.c +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/test-hmac.c.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ 
dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib/test-hmac.c 2025-07-30 11:45:19.803460807 +0200 @@ -206,11 +206,11 @@ static void test_hmac_rfc(void) test_begin("hmac sha256 rfc4231 vectors"); for(size_t i = 0; i < N_ELEMENTS(test_vectors); i++) { @@ -972,10 +972,10 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib/test-hmac.c.opensslhmac3 dove vec->ikm_len, vec->info, vec->info_len, vec->okm_len); test_assert(tmp->used == vec->okm_len && -diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-var-expand-crypt/Makefile.am.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-var-expand-crypt/Makefile.am ---- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-var-expand-crypt/Makefile.am.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 -+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-var-expand-crypt/Makefile.am 2025-11-30 09:58:11.669117030 +0100 -@@ -34,13 +34,13 @@ test_libs = \ +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-var-expand-crypt/Makefile.am.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-var-expand-crypt/Makefile.am +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-var-expand-crypt/Makefile.am.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/lib-var-expand-crypt/Makefile.am 2025-07-30 11:45:19.803606280 +0200 +@@ -30,13 +30,13 @@ test_libs = \ $(DLLIB) test_var_expand_crypt_SOURCES = test-var-expand-crypt.c 
@@ -986,14 +986,14 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-var-expand-crypt/Makefile.am. test_var_expand_crypt_LDFLAGS = -export-dynamic -Wl,$(LD_WHOLE_ARCHIVE),../lib/.libs/liblib.a,../lib-json/.libs/libjson.a,../lib-ssl-iostream/.libs/libssl_iostream.a,$(LD_NO_WHOLE_ARCHIVE) endif --test_var_expand_crypt_CFLAGS = $(AM_CFLAGS) \ -+test_var_expand_crypt_CFLAGS = $(AM_CFLAGS) $(SSL_CFLAGS) \ +-test_var_expand_crypt_CFLAGS = $(AM_CPPFLAGS) \ ++test_var_expand_crypt_CFLAGS = $(AM_CPPFLAGS) $(SSL_CFLAGS) \ -DDCRYPT_BUILD_DIR=\"$(top_builddir)/src/lib-dcrypt\" check-local: -diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/submission/Makefile.am.opensslhmac3 dovecot-2.4.2-build/dovecot-2.4.2/src/submission/Makefile.am ---- dovecot-2.4.2-build/dovecot-2.4.2/src/submission/Makefile.am.opensslhmac3 2025-10-29 07:58:41.000000000 +0100 -+++ dovecot-2.4.2-build/dovecot-2.4.2/src/submission/Makefile.am 2025-11-30 09:57:55.182137562 +0100 +diff -up dovecot-2.4.1-build/dovecot-2.4.1-4/src/submission/Makefile.am.opensslhmac3 dovecot-2.4.1-build/dovecot-2.4.1-4/src/submission/Makefile.am +--- dovecot-2.4.1-build/dovecot-2.4.1-4/src/submission/Makefile.am.opensslhmac3 2025-03-28 12:32:27.000000000 +0100 ++++ dovecot-2.4.1-build/dovecot-2.4.1-4/src/submission/Makefile.am 2025-07-30 11:45:19.804003916 +0200 @@ -29,6 +29,7 @@ submission_LDADD = \ $(urlauth_libs) \ $(LIBDOVECOT_STORAGE) \ 
@@ -1002,24 +1002,3 @@ diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/submission/Makefile.am.opensslhma $(MODULE_LIBS) submission_DEPENDENCIES = \ $(urlauth_libs) \ -diff -up dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client-mech-cram-md5.c.fixbuild2 dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client-mech-cram-md5.c ---- dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client-mech-cram-md5.c.fixbuild2 2025-11-30 13:11:06.583413762 +0100 -+++ dovecot-2.4.2-build/dovecot-2.4.2/src/lib-sasl/dsasl-client-mech-cram-md5.c 2025-11-30 13:22:04.883307427 +0100 -@@ -81,13 +81,13 @@ mech_cram_md5_output(struct dsasl_client - return DSASL_CLIENT_RESULT_OK; - } - -- struct hmac_context ctx; -+ struct openssl_hmac_context ctx; - unsigned char digest[MD5_RESULTLEN]; - -- hmac_init(&ctx, (const unsigned char *)client->password, -+ openssl_hmac_init(&ctx, (const unsigned char *)client->password, - strlen(client->password), &hash_method_md5); -- hmac_update(&ctx, cclient->challenge, strlen(cclient->challenge)); -- hmac_final(&ctx, digest); -+ openssl_hmac_update(&ctx, cclient->challenge, strlen(cclient->challenge)); -+ openssl_hmac_final(&ctx, digest); - - str = str_new(client->pool, 256); - str_append(str, client->set.authid); diff --git a/dovecot-2.4.2-fixbuild.patch b/dovecot-2.4.2-fixbuild.patch deleted file mode 100644 index ad5530b..0000000 --- a/dovecot-2.4.2-fixbuild.patch +++ /dev/null 
@@ -1,135 +0,0 @@ -diff -up dovecot-2.4.2/src/lib/istream.c.fixbuild dovecot-2.4.2/src/lib/istream.c ---- dovecot-2.4.2/src/lib/istream.c.fixbuild 2025-10-29 07:58:41.000000000 +0100 -+++ dovecot-2.4.2/src/lib/istream.c 2025-11-30 11:40:37.739536137 +0100 -@@ -85,7 +85,7 @@ void i_stream_add_destroy_callback(struc - } - - void i_stream_remove_destroy_callback(struct istream *stream, -- void (*callback)()) -+ istream_callback_t *callback) - { - io_stream_remove_destroy_callback(&stream->real_stream->iostream, - callback); -diff -up dovecot-2.4.2/src/lib/istream.h.fixbuild dovecot-2.4.2/src/lib/istream.h ---- dovecot-2.4.2/src/lib/istream.h.fixbuild 2025-10-29 07:58:41.000000000 +0100 -+++ dovecot-2.4.2/src/lib/istream.h 2025-11-30 11:40:37.739798710 +0100 -@@ -100,7 +100,7 @@ void i_stream_add_destroy_callback(struc - (istream_callback_t *)callback, context) - /* Remove the destroy callback. */ - void i_stream_remove_destroy_callback(struct istream *stream, -- void (*callback)()); -+ istream_callback_t *callback); - - /* Return file descriptor for stream, or -1 if none is available. 
*/ - int i_stream_get_fd(struct istream *stream); -diff -up dovecot-2.4.2/src/lib/ostream.c.fixbuild dovecot-2.4.2/src/lib/ostream.c ---- dovecot-2.4.2/src/lib/ostream.c.fixbuild 2025-11-30 11:42:21.434063550 +0100 -+++ dovecot-2.4.2/src/lib/ostream.c 2025-11-30 11:42:55.814100259 +0100 -@@ -127,7 +127,7 @@ void o_stream_add_destroy_callback(struc - } - - void o_stream_remove_destroy_callback(struct ostream *stream, -- void (*callback)()) -+ ostream_callback_t *callback) - { - io_stream_remove_destroy_callback(&stream->real_stream->iostream, - callback); -diff -up dovecot-2.4.2/src/lib/ostream.h.fixbuild dovecot-2.4.2/src/lib/ostream.h ---- dovecot-2.4.2/src/lib/ostream.h.fixbuild 2025-11-30 11:42:29.639009602 +0100 -+++ dovecot-2.4.2/src/lib/ostream.h 2025-11-30 11:43:20.101652841 +0100 -@@ -127,7 +127,7 @@ void o_stream_add_destroy_callback(struc - (ostream_callback_t *)callback, context) - /* Remove the destroy callback. */ - void o_stream_remove_destroy_callback(struct ostream *stream, -- void (*callback)()); -+ ostream_callback_t *callback); - - /* Mark the stream and all of its parent streams closed. Nothing will be - sent after this call. 
When using ostreams that require writing a trailer, -diff -up dovecot-2.4.2/src/lib-json/json-istream.c.fixbuild dovecot-2.4.2/src/lib-json/json-istream.c ---- dovecot-2.4.2/src/lib-json/json-istream.c.fixbuild 2025-10-29 07:58:41.000000000 +0100 -+++ dovecot-2.4.2/src/lib-json/json-istream.c 2025-11-30 12:52:15.970430672 +0100 -@@ -706,7 +706,7 @@ static void json_istream_drop_value_stre - if (stream->seekable_stream != NULL) { - i_stream_remove_destroy_callback( - stream->seekable_stream, -- json_istream_drop_seekable_stream); -+ (istream_callback_t *)json_istream_drop_seekable_stream); - i_stream_unref(&stream->seekable_stream); - } - } -@@ -720,12 +720,12 @@ static void json_istream_consumed_value_ - if (stream->seekable_stream != NULL) { - i_stream_remove_destroy_callback( - stream->seekable_stream, -- json_istream_drop_seekable_stream); -+ (istream_callback_t *)json_istream_drop_seekable_stream); - } - if (stream->value_stream != NULL) { - i_stream_remove_destroy_callback( - stream->value_stream, -- json_istream_drop_value_stream); -+ (istream_callback_t *)json_istream_drop_value_stream); - } - stream->value_stream = NULL; - stream->seekable_stream = NULL; - i_stream_remove_destroy_callback(conn->incoming_payload, -- http_client_payload_destroyed); -+ (istream_callback_t *)http_client_payload_destroyed); - conn->incoming_payload = NULL; - } - -diff -up dovecot-2.4.2/src/lib-http/http-server-connection.c.fixbuild dovecot-2.4.2/src/lib-http/http-server-connection.c ---- dovecot-2.4.2/src/lib-http/http-server-connection.c.fixbuild 2025-11-30 13:02:24.337384848 +0100 -+++ dovecot-2.4.2/src/lib-http/http-server-connection.c 2025-11-30 13:03:14.477064608 +0100 -@@ -1066,7 +1066,7 @@ http_server_connection_disconnect(struct - if (conn->incoming_payload != NULL) { - /* The stream is still accessed by lib-http caller. 
*/ - i_stream_remove_destroy_callback(conn->incoming_payload, -- http_server_payload_destroyed); -+ (istream_callback_t *)http_server_payload_destroyed); - conn->incoming_payload = NULL; - } - if (conn->payload_handler != NULL) -diff -up dovecot-2.4.2/src/lib-http/http-client-connection.c.fixbuild dovecot-2.4.2/src/lib-http/http-client-connection.c ---- dovecot-2.4.2/src/lib-http/http-client-connection.c.fixbuild 2025-11-30 12:57:42.670247695 +0100 -+++ dovecot-2.4.2/src/lib-http/http-client-connection.c 2025-11-30 13:00:54.862436490 +0100 -@@ -832,7 +832,7 @@ void http_client_connection_request_dest - is closed and we don't care about it anymore, so act as though it is - destroyed. */ - i_stream_remove_destroy_callback(payload, -- http_client_payload_destroyed); -+ (istream_callback_t *)http_client_payload_destroyed); - http_client_payload_destroyed(req); - } - -@@ -888,7 +888,7 @@ http_client_connection_return_response(s - if (response->payload != NULL) { - i_stream_remove_destroy_callback( - conn->incoming_payload, -- http_client_payload_destroyed); -+ (istream_callback_t *)http_client_payload_destroyed); - i_stream_unref(&conn->incoming_payload); - connection_input_resume(&conn->conn); - } -@@ -1731,7 +1731,7 @@ http_client_connection_disconnect(struct - if (conn->incoming_payload != NULL) { - /* The stream is still accessed by lib-http caller. 
*/ - i_stream_remove_destroy_callback(conn->incoming_payload, -- http_client_payload_destroyed); -+ (istream_callback_t *)http_client_payload_destroyed); - conn->incoming_payload = NULL; - } - -diff -up dovecot-2.4.2/src/lib-storage/index/index-mail.c.fixbuild2 dovecot-2.4.2/src/lib-storage/index/index-mail.c ---- dovecot-2.4.2/src/lib-storage/index/index-mail.c.fixbuild2 2025-11-30 13:48:46.658539149 +0100 -+++ dovecot-2.4.2/src/lib-storage/index/index-mail.c 2025-11-30 13:49:47.178158024 +0100 -@@ -1840,7 +1840,7 @@ static void index_mail_close_streams_ful - allowed to have references until the mail is closed - (but we can't really check that) */ - i_stream_remove_destroy_callback(data->stream, -- index_mail_stream_destroy_callback); -+ (istream_callback_t *)index_mail_stream_destroy_callback); - } - i_stream_unref(&data->stream); - /* there must be no references to the mail when the diff --git a/dovecot.spec b/dovecot.spec index 11efa4b..9937b17 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -4,9 +4,9 @@ Summary: Secure imap and pop3 server Name: dovecot Epoch: 1 -Version: 2.4.2 -%global prever %{nil} -Release: 1%{?dist} +Version: 2.4.1 +%global prever -4 +Release: 8%{?dist} #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 License: MIT AND LGPL-2.1-only @@ -47,7 +47,10 @@ Patch18: dovecot-2.3.15-valbasherr.patch # Fedora/RHEL specific, drop OTP which uses SHA1 so we dont use SHA1 for crypto purposes Patch23: dovecot-2.4.1-nolibotp.patch -Patch24: dovecot-2.4.2-fixbuild.patch +Patch24: dovecot-2.4.1-gssapi.patch +#from upstream, for <= 2.4.1, rhbz#2402122 +#https://github.com/dovecot/core/compare/a70ce7d3e2f983979e971414c5892c4e30197231%5E...34caed79b76a7b82a2a9c94cf35371bec6c2b826.patch +Patch25: dovecot-2.4.1-cve-2025-30189.patch BuildRequires: gcc, gcc-c++, openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel BuildRequires: libtool, autoconf, automake, pkgconfig 
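Review bot: In the first dovecot.spec hunk, `Version` goes from 2.4.2 to 2.4.1 and `Release` from 1 to 8 while the context line `Epoch: 1` stays the same, so the resulting 1:2.4.1-8 sorts below 1:2.4.2-1 in RPM version comparison. If 2.4.2-1 was ever published in the repositories this branch feeds, installed systems would not take this build as an update, and so would not receive the CVE-2025-30189 patch it carries. In that case the epoch would have to be raised, e.g. `Epoch: 2`. If this is a comparison between branches and 2.4.2 never shipped here, nothing needs to change.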
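Review bot: `Patch24: dovecot-2.4.1-gssapi.patch` is added with no comment on its origin, while Patch23 above it and Patch25 below it both say where they come from and why. Judging by its name the patch concerns GSSAPI authentication, so a line above it such as `#<origin: upstream commit or downstream-only, plus the bug reference>` would let a later rebase decide whether it can be dropped. The Patch25 comment, which gives the upstream commit range and the bug number, is the form to follow.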
@@ -153,7 +156,8 @@ mv dovecot-pigeonhole-%{pigeonholever} dovecot-pigeonhole %patch -P 17 -p2 -b .fixvalcond %patch -P 18 -p1 -b .valbasherr %patch -P 23 -p2 -b .nolibotp -%patch -P 24 -p1 -b .fixbuild +%patch -P 24 -p1 -b .gssapi +%patch -P 25 -p1 -b .cve-2025-30189 cp run-test-valgrind.supp dovecot-pigeonhole/ # valgrind would fail with shell wrapper echo "testsuite" >dovecot-pigeonhole/run-test-valgrind.exclude @@ -164,8 +168,6 @@ echo >src/auth/mech-otp-common.c echo >src/auth/mech-otp-common.h echo >src/auth/mech-otp.c echo >src/lib-auth/password-scheme-otp.c -echo >src/lib-sasl/sasl-server-mech-otp.c -echo >src/lib-sasl/dsasl-client-mech-otp.c pushd src/lib-otp for f in *.c *.h do @@ -358,8 +360,7 @@ fi # some aarch64 tests timeout, skip for now make check cd dovecot-pigeonhole -# FIXME: make check will fail as it requires doveconf to be already installed at /usr/bin/doveconf -make check ||: +make check %endif %files @@ -403,7 +404,6 @@ make check ||: %{_libdir}/dovecot/auth/libauthdb_lua.so %endif %{_libdir}/dovecot/auth/libmech_gssapi.so -%{_libdir}/dovecot/auth/libmech_gss_spnego.so %{_libdir}/dovecot/auth/libdriver_sqlite.so %{_libdir}/dovecot/dict/libdriver_sqlite.so %{_libdir}/dovecot/dict/libdict_ldap.so @@ -479,9 +479,6 @@ make check ||: %{_libdir}/%{name}/dict/libdriver_pgsql.so %changelog -* Sun Nov 30 2025 Michal Hlavinka - 1:2.4.2-1 -- updated to 2.4.2 (#2411846) - * Wed Nov 05 2025 Michal Hlavinka - 1:2.4.1-8 - update patch for CVE-2025-30189 diff --git a/sources b/sources index 54fc50d..490e720 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@
-SHA512 (dovecot-2.4.2.tar.gz) = 0524695341abe711d3a811c56156889d6fef7a09becc684c6f1dc1e5add605969ca8794eb7d44bfbc49f70515f22e8640b5828443addecfe4798fb8b174670ae
-SHA512 (dovecot-pigeonhole-2.4.2.tar.gz) = 82c46c7ac2792aa5c211c8b66309f9f21c05ecd2fa8ab3abf98fb4e05831fd37aaa3edffcfbe1b3defbb9ac8ef9df1c33ece83cf7524e8b226c4deab8c250134
+SHA512 (dovecot-2.4.1-4.tar.gz) = 4915e9282898a4bce4dc3c9781f9aa849e8a2d5bb89dffc2222b417560eaa0135d66342ef342098a86dd5e9b4e76d41145381b7264144411cf45a6f88ca36698
+SHA512 (dovecot-pigeonhole-2.4.1-4.tar.gz) = 47b9cc62b13d710123389c47d13c104e70b815d683dc6b957e86b57b2f175101d07f462d0fdb0488d6dcdcfbbc137c926825ba9a0d798551576aa7f3c9082100