dovecot updated to 2.3.14, pigeonhole to 0.5.14

use OpenSSL's implementation of HMAC
Remove autocreate, expire, snarf and mail-filter plugins.
Remove cydir storage driver.
Remove XZ/LZMA write support. Read support will be removed in future release.

dovecot-2.2.20-initbysystemd.patch

@@ -21,7 +21,7 @@ diff -up dovecot-2.3.0.1/dovecot.service.in.initbysystemd dovecot-2.3.0.1/doveco
 @@ -8,7 +8,8 @@
  Description=Dovecot IMAP/POP3 email server
  Documentation=man:dovecot(1)
- Documentation=http://wiki2.dovecot.org/
+ Documentation=https://doc.dovecot.org/
 -After=local-fs.target network-online.target
 +After=local-fs.target network-online.target dovecot-init.service
 +Requires=dovecot-init.service

dovecot-2.3.11-bigkey.patch

@@ -0,0 +1,10 @@
+diff -up dovecot-2.2.36/doc/dovecot-openssl.cnf.bigkey dovecot-2.2.36/doc/dovecot-openssl.cnf
+--- dovecot-2.2.36/doc/dovecot-openssl.cnf.bigkey	2017-06-23 13:18:28.000000000 +0200
++++ dovecot-2.2.36/doc/dovecot-openssl.cnf	2018-10-16 17:15:35.836205498 +0200
+@@ -1,5 +1,5 @@
+ [ req ]
+-default_bits = 1024
++default_bits = 3072
+ encrypt_key = yes
+ distinguished_name = req_dn
+ x509_extensions = cert_type

dovecot-2.3.6-opensslhmac.patch

@@ -0,0 +1,813 @@
+diff -up dovecot-2.3.14/src/auth/auth-token.c.opensslhmac dovecot-2.3.14/src/auth/auth-token.c
+--- dovecot-2.3.14/src/auth/auth-token.c.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/auth/auth-token.c	2021-03-22 20:44:13.022912242 +0100
+@@ -161,17 +161,17 @@ void auth_token_deinit(void)
+ const char *auth_token_get(const char *service, const char *session_pid,
+ 			   const char *username, const char *session_id)
+ {
+-	struct hmac_context ctx;
++	struct openssl_hmac_context ctx;
+ 	unsigned char result[SHA1_RESULTLEN];
+ 
+-	hmac_init(&ctx, (const unsigned char*)username, strlen(username),
++	openssl_hmac_init(&ctx, (const unsigned char*)username, strlen(username),
+ 		  &hash_method_sha1);
+-	hmac_update(&ctx, session_pid, strlen(session_pid));
++	openssl_hmac_update(&ctx, session_pid, strlen(session_pid));
+ 	if (session_id != NULL && *session_id != '\0')
+-		hmac_update(&ctx, session_id, strlen(session_id));
+-	hmac_update(&ctx, service, strlen(service));
+-	hmac_update(&ctx, auth_token_secret, sizeof(auth_token_secret));
+-	hmac_final(&ctx, result);
++		openssl_hmac_update(&ctx, session_id, strlen(session_id));
++	openssl_hmac_update(&ctx, service, strlen(service));
++	openssl_hmac_update(&ctx, auth_token_secret, sizeof(auth_token_secret));
++	openssl_hmac_final(&ctx, result);
+ 
+ 	return binary_to_hex(result, sizeof(result));
+ }
+diff -up dovecot-2.3.14/src/auth/mech-cram-md5.c.opensslhmac dovecot-2.3.14/src/auth/mech-cram-md5.c
+--- dovecot-2.3.14/src/auth/mech-cram-md5.c.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/auth/mech-cram-md5.c	2021-03-22 20:44:13.022912242 +0100
+@@ -51,7 +51,7 @@ static bool verify_credentials(struct cr
+ {
+ 	
+ 	unsigned char digest[MD5_RESULTLEN];
+-        struct hmac_context ctx;
++        struct orig_hmac_context ctx;
+ 	const char *response_hex;
+ 
+ 	if (size != CRAM_MD5_CONTEXTLEN) {
+@@ -60,10 +60,10 @@ static bool verify_credentials(struct cr
+ 		return FALSE;
+ 	}
+ 
+-	hmac_init(&ctx, NULL, 0, &hash_method_md5);
++	orig_hmac_init(&ctx, NULL, 0, &hash_method_md5);
+ 	hmac_md5_set_cram_context(&ctx, credentials);
+-	hmac_update(&ctx, request->challenge, strlen(request->challenge));
+-	hmac_final(&ctx, digest);
++	orig_hmac_update(&ctx, request->challenge, strlen(request->challenge));
++	orig_hmac_final(&ctx, digest);
+ 
+ 	response_hex = binary_to_hex(digest, sizeof(digest));
+ 
+diff -up dovecot-2.3.14/src/auth/mech-scram.c.opensslhmac dovecot-2.3.14/src/auth/mech-scram.c
+--- dovecot-2.3.14/src/auth/mech-scram.c.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/auth/mech-scram.c	2021-03-22 20:44:13.022912242 +0100
+@@ -78,7 +78,7 @@ static const char *get_scram_server_firs
+ static const char *get_scram_server_final(struct scram_auth_request *request)
+ {
+ 	const struct hash_method *hmethod = request->hash_method;
+-	struct hmac_context ctx;
++	struct openssl_hmac_context ctx;
+ 	const char *auth_message;
+ 	unsigned char server_signature[hmethod->digest_size];
+ 	string_t *str;
+@@ -87,9 +87,9 @@ static const char *get_scram_server_fina
+ 			request->server_first_message, ",",
+ 			request->client_final_message_without_proof, NULL);
+ 
+-	hmac_init(&ctx, request->server_key, hmethod->digest_size, hmethod);
+-	hmac_update(&ctx, auth_message, strlen(auth_message));
+-	hmac_final(&ctx, server_signature);
++	openssl_hmac_init(&ctx, request->server_key, hmethod->digest_size, hmethod);
++	openssl_hmac_update(&ctx, auth_message, strlen(auth_message));
++	openssl_hmac_final(&ctx, server_signature);
+ 
+ 	str = t_str_new(MAX_BASE64_ENCODED_SIZE(sizeof(server_signature)));
+ 	str_append(str, "v=");
+@@ -228,7 +228,7 @@ static bool parse_scram_client_first(str
+ static bool verify_credentials(struct scram_auth_request *request)
+ {
+ 	const struct hash_method *hmethod = request->hash_method;
+-	struct hmac_context ctx;
++	struct openssl_hmac_context ctx;
+ 	const char *auth_message;
+ 	unsigned char client_key[hmethod->digest_size];
+ 	unsigned char client_signature[hmethod->digest_size];
+@@ -239,9 +239,9 @@ static bool verify_credentials(struct sc
+ 			request->server_first_message, ",",
+ 			request->client_final_message_without_proof, NULL);
+ 
+-	hmac_init(&ctx, request->stored_key, hmethod->digest_size, hmethod);
+-	hmac_update(&ctx, auth_message, strlen(auth_message));
+-	hmac_final(&ctx, client_signature);
++	openssl_hmac_init(&ctx, request->stored_key, hmethod->digest_size, hmethod);
++	openssl_hmac_update(&ctx, auth_message, strlen(auth_message));
++	openssl_hmac_final(&ctx, client_signature);
+ 
+ 	const unsigned char *proof_data = request->proof->data;
+ 	for (i = 0; i < sizeof(client_signature); i++)
+diff -up dovecot-2.3.14/src/auth/password-scheme.c.opensslhmac dovecot-2.3.14/src/auth/password-scheme.c
+--- dovecot-2.3.14/src/auth/password-scheme.c.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/auth/password-scheme.c	2021-03-22 20:44:13.022912242 +0100
+@@ -639,11 +639,11 @@ static void
+ cram_md5_generate(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED,
+ 		  const unsigned char **raw_password_r, size_t *size_r)
+ {
+-	struct hmac_context ctx;
++	struct orig_hmac_context ctx;
+ 	unsigned char *context_digest;
+ 
+ 	context_digest = t_malloc_no0(CRAM_MD5_CONTEXTLEN);
+-	hmac_init(&ctx, (const unsigned char *)plaintext,
++	orig_hmac_init(&ctx, (const unsigned char *)plaintext,
+ 		  strlen(plaintext), &hash_method_md5);
+ 	hmac_md5_get_cram_context(&ctx, context_digest);
+ 
+diff -up dovecot-2.3.14/src/auth/password-scheme-scram.c.opensslhmac dovecot-2.3.14/src/auth/password-scheme-scram.c
+--- dovecot-2.3.14/src/auth/password-scheme-scram.c.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/auth/password-scheme-scram.c	2021-03-22 20:44:13.023912229 +0100
+@@ -30,23 +30,23 @@ Hi(const struct hash_method *hmethod, co
+    const unsigned char *salt, size_t salt_size, unsigned int i,
+    unsigned char *result)
+ {
+-	struct hmac_context ctx;
++	struct openssl_hmac_context ctx;
+ 	unsigned char U[hmethod->digest_size];
+ 	unsigned int j, k;
+ 
+ 	/* Calculate U1 */
+-	hmac_init(&ctx, str, str_size, hmethod);
+-	hmac_update(&ctx, salt, salt_size);
+-	hmac_update(&ctx, "\0\0\0\1", 4);
+-	hmac_final(&ctx, U);
++	openssl_hmac_init(&ctx, str, str_size, hmethod);
++	openssl_hmac_update(&ctx, salt, salt_size);
++	openssl_hmac_update(&ctx, "\0\0\0\1", 4);
++	openssl_hmac_final(&ctx, U);
+ 
+ 	memcpy(result, U, hmethod->digest_size);
+ 
+ 	/* Calculate U2 to Ui and Hi */
+ 	for (j = 2; j <= i; j++) {
+-		hmac_init(&ctx, str, str_size, hmethod);
+-		hmac_update(&ctx, U, sizeof(U));
+-		hmac_final(&ctx, U);
++		openssl_hmac_init(&ctx, str, str_size, hmethod);
++		openssl_hmac_update(&ctx, U, sizeof(U));
++		openssl_hmac_final(&ctx, U);
+ 		for (k = 0; k < hmethod->digest_size; k++)
+ 			result[k] ^= U[k];
+ 	}
+@@ -102,7 +102,7 @@ int scram_verify(const struct hash_metho
+ 		 const char *plaintext, const unsigned char *raw_password,
+ 		 size_t size, const char **error_r)
+ {
+-	struct hmac_context ctx;
++	struct openssl_hmac_context ctx;
+ 	const char *salt_base64;
+ 	unsigned int iter_count;
+ 	const unsigned char *salt;
+@@ -126,9 +126,9 @@ int scram_verify(const struct hash_metho
+ 	   salt, salt_len, iter_count, salted_password);
+ 
+ 	/* Calculate ClientKey */
+-	hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod);
+-	hmac_update(&ctx, "Client Key", 10);
+-	hmac_final(&ctx, client_key);
++	openssl_hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod);
++	openssl_hmac_update(&ctx, "Client Key", 10);
++	openssl_hmac_final(&ctx, client_key);
+ 
+ 	/* Calculate StoredKey */
+ 	hash_method_get_digest(hmethod, client_key, sizeof(client_key),
+@@ -147,7 +147,7 @@ void scram_generate(const struct hash_me
+ 		    const unsigned char **raw_password_r, size_t *size_r)
+ {
+ 	string_t *str;
+-	struct hmac_context ctx;
++	struct openssl_hmac_context ctx;
+ 	unsigned char salt[16];
+ 	unsigned char salted_password[hmethod->digest_size];
+ 	unsigned char client_key[hmethod->digest_size];
+@@ -165,9 +165,9 @@ void scram_generate(const struct hash_me
+ 	   sizeof(salt), SCRAM_DEFAULT_ITERATE_COUNT, salted_password);
+ 
+ 	/* Calculate ClientKey */
+-	hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod);
+-	hmac_update(&ctx, "Client Key", 10);
+-	hmac_final(&ctx, client_key);
++	openssl_hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod);
++	openssl_hmac_update(&ctx, "Client Key", 10);
++	openssl_hmac_final(&ctx, client_key);
+ 
+ 	/* Calculate StoredKey */
+ 	hash_method_get_digest(hmethod, client_key, sizeof(client_key),
+@@ -176,9 +176,9 @@ void scram_generate(const struct hash_me
+ 	base64_encode(stored_key, sizeof(stored_key), str);
+ 
+ 	/* Calculate ServerKey */
+-	hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod);
+-	hmac_update(&ctx, "Server Key", 10);
+-	hmac_final(&ctx, server_key);
++	openssl_hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod);
++	openssl_hmac_update(&ctx, "Server Key", 10);
++	openssl_hmac_final(&ctx, server_key);
+ 	str_append_c(str, ',');
+ 	base64_encode(server_key, sizeof(server_key), str);
+ 
+diff -up dovecot-2.3.14/src/lib/hmac.c.opensslhmac dovecot-2.3.14/src/lib/hmac.c
+--- dovecot-2.3.14/src/lib/hmac.c.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/lib/hmac.c	2021-03-22 20:44:13.023912229 +0100
+@@ -7,6 +7,10 @@
+  * This software is released under the MIT license.
+  */
+ 
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <fcntl.h>
++#include <unistd.h>
+ #include "lib.h"
+ #include "hmac.h"
+ #include "safe-memset.h"
+@@ -14,10 +18,65 @@
+ 
+ #include "hex-binary.h"
+ 
+-void hmac_init(struct hmac_context *_ctx, const unsigned char *key,
++#ifndef HAVE_HMAC_CTX_NEW
++#  define HMAC_Init_ex(ctx, key, key_len, md, impl) \
++	HMAC_Init_ex(&(ctx), key, key_len, md, impl)
++#  define HMAC_Update(ctx, data, len) HMAC_Update(&(ctx), data, len)
++#  define HMAC_Final(ctx, md, len) HMAC_Final(&(ctx), md, len)
++#  define HMAC_CTX_free(ctx) HMAC_cleanup(&(ctx))
++#else
++#  define HMAC_CTX_free(ctx) \
++	STMT_START { HMAC_CTX_free(ctx); (ctx) = NULL; } STMT_END
++#endif
++
++
++void openssl_hmac_init(struct openssl_hmac_context *_ctx, const unsigned char *key,
+ 		size_t key_len, const struct hash_method *meth)
+ {
+-	struct hmac_context_priv *ctx = &_ctx->u.priv;
++ 	struct openssl_hmac_context_priv *ctx = &_ctx->u.priv;
++
++	const EVP_MD *md;
++	const char *ebuf = NULL;
++	const char **error_r = &ebuf;
++
++	md = EVP_get_digestbyname(meth->name);
++	if(md == NULL) {
++		if (error_r != NULL) {
++			*error_r = t_strdup_printf("Invalid digest %s",
++						   meth->name);
++		}
++		//return FALSE;
++	}
++
++// 	int ec;
++
++	i_assert(md != NULL);
++#ifdef HAVE_HMAC_CTX_NEW
++	ctx->ctx = HMAC_CTX_new();
++/*	if (ctx->ctx == NULL)
++		dcrypt_openssl_error(error_r);*/
++#endif
++	/*ec = */HMAC_Init_ex(ctx->ctx, key, key_len, md, NULL);
++}
++
++void orig_hmac_init(struct orig_hmac_context *_ctx, const unsigned char *key,
++		size_t key_len, const struct hash_method *meth)
++{
++    static int no_fips = -1;
++    if (no_fips == -1) {
++        int fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY);
++        if (fd != -1)
++        {
++            char buf[4];
++            if (read(fd, buf, 4) > 0)
++            {
++                no_fips = buf[0] == '0';   
++            }
++            close(fd);   
++        }
++    }
++    i_assert(no_fips);
++	struct orig_hmac_context_priv *ctx = &_ctx->u.priv;
+ 	unsigned int i;
+ 	unsigned char k_ipad[meth->block_size];
+ 	unsigned char k_opad[meth->block_size];
+@@ -53,9 +112,27 @@ void hmac_init(struct hmac_context *_ctx
+ 	safe_memset(k_opad, 0, meth->block_size);
+ }
+ 
+-void hmac_final(struct hmac_context *_ctx, unsigned char *digest)
++void openssl_hmac_final(struct openssl_hmac_context *_ctx, unsigned char *digest)
++{
++	int ec;
++	unsigned char buf[HMAC_MAX_MD_CBLOCK];
++	unsigned int outl;
++//     const char *ebuf = NULL;
++//     const char **error_r = &ebuf;
++
++    struct openssl_hmac_context_priv *ctx = &_ctx->u.priv;
++	ec = HMAC_Final(ctx->ctx, buf, &outl);
++	HMAC_CTX_free(ctx->ctx);
++	if (ec == 1)
++		memcpy(digest, buf, outl);
++//	else
++//		dcrypt_openssl_error(error_r);
++
++}
++
++void orig_hmac_final(struct orig_hmac_context *_ctx, unsigned char *digest)
+ {
+-	struct hmac_context_priv *ctx = &_ctx->u.priv;
++	struct orig_hmac_context_priv *ctx = &_ctx->u.priv;
+ 
+ 	ctx->hash->result(ctx->ctx, digest);
+ 
+@@ -63,53 +140,50 @@ void hmac_final(struct hmac_context *_ct
+ 	ctx->hash->result(ctx->ctxo, digest);
+ }
+ 
+-buffer_t *t_hmac_data(const struct hash_method *meth,
++buffer_t *openssl_t_hmac_data(const struct hash_method *meth,
+ 		      const unsigned char *key, size_t key_len,
+ 		      const void *data, size_t data_len)
+ {
+-	struct hmac_context ctx;
++	struct openssl_hmac_context ctx;
+ 	i_assert(meth != NULL);
+ 	i_assert(key != NULL && key_len > 0);
+ 	i_assert(data != NULL || data_len == 0);
+ 
+ 	buffer_t *res = t_buffer_create(meth->digest_size);
+-	hmac_init(&ctx, key, key_len, meth);
++	openssl_hmac_init(&ctx, key, key_len, meth);
+ 	if (data_len > 0)
+-		hmac_update(&ctx, data, data_len);
++		openssl_hmac_update(&ctx, data, data_len);
+ 	unsigned char *buf = buffer_get_space_unsafe(res, 0, meth->digest_size);
+-	hmac_final(&ctx, buf);
++	openssl_hmac_final(&ctx, buf);
+ 	return res;
+ }
+ 
+-buffer_t *t_hmac_buffer(const struct hash_method *meth,
++buffer_t *openssl_t_hmac_buffer(const struct hash_method *meth,
+ 			const unsigned char *key, size_t key_len,
+ 			const buffer_t *data)
+ {
+-	return t_hmac_data(meth, key, key_len, data->data, data->used);
++	return openssl_t_hmac_data(meth, key, key_len, data->data, data->used);
+ }
+ 
+-buffer_t *t_hmac_str(const struct hash_method *meth,
++buffer_t *openssl_t_hmac_str(const struct hash_method *meth,
+ 		     const unsigned char *key, size_t key_len,
+ 		     const char *data)
+ {
+-	return t_hmac_data(meth, key, key_len, data, strlen(data));
++	return openssl_t_hmac_data(meth, key, key_len, data, strlen(data));
+ }
+ 
+-void hmac_hkdf(const struct hash_method *method,
++void openssl_hmac_hkdf(const struct hash_method *method,
+ 	       const unsigned char *salt, size_t salt_len,
+ 	       const unsigned char *ikm, size_t ikm_len,
+ 	       const unsigned char *info, size_t info_len,
+ 	       buffer_t *okm_r, size_t okm_len)
+ {
++	const EVP_MD *md;
++	EVP_PKEY_CTX *pctx;
++	int r = 1;
++
+ 	i_assert(method != NULL);
+ 	i_assert(okm_len < 255*method->digest_size);
+-	struct hmac_context key_mac;
+-	struct hmac_context info_mac;
+-	size_t remain = okm_len;
+-	unsigned char prk[method->digest_size];
+-	unsigned char okm[method->digest_size];
+-	/* N = ceil(L/HashLen) */
+-	unsigned int rounds = (okm_len + method->digest_size - 1)/method->digest_size;
+ 
+ 	/* salt and info can be NULL */
+ 	i_assert(salt != NULL || salt_len == 0);
+@@ -118,35 +192,30 @@ void hmac_hkdf(const struct hash_method
+ 	i_assert(ikm != NULL && ikm_len > 0);
+ 	i_assert(okm_r != NULL && okm_len > 0);
+ 
+-	/* but they still need valid pointer, reduces
+-	   complains from static analysers */
+-	if (salt == NULL)
+-		salt = &uchar_nul;
+-	if (info == NULL)
+-		info = &uchar_nul;
+-
+-	/* extract */
+-	hmac_init(&key_mac, salt, salt_len, method);
+-	hmac_update(&key_mac, ikm, ikm_len);
+-	hmac_final(&key_mac, prk);
+-
+-	/* expand */
+-	for (unsigned int i = 0; remain > 0 && i < rounds; i++) {
+-		unsigned char round = (i+1);
+-		size_t amt = remain;
+-		if (amt > method->digest_size)
+-			amt = method->digest_size;
+-		hmac_init(&info_mac, prk, method->digest_size, method);
+-		if (i > 0)
+-			hmac_update(&info_mac, okm, method->digest_size);
+-		hmac_update(&info_mac, info, info_len);
+-		hmac_update(&info_mac, &round, 1);
+-		memset(okm, 0, method->digest_size);
+-		hmac_final(&info_mac, okm);
+-		buffer_append(okm_r, okm, amt);
+-		remain -= amt;
++
++	md = EVP_get_digestbyname(method->name);
++	pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
++	unsigned char *okm_buf = buffer_get_space_unsafe(okm_r, 0, okm_len);
++
++	if ((r=EVP_PKEY_derive_init(pctx)) <= 0)
++		goto out;
++	if ((r=EVP_PKEY_CTX_set_hkdf_md(pctx, md)) <= 0)
++		goto out;
++	if ((r=EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt, salt_len)) <= 0)
++		goto out;
++	if ((r=EVP_PKEY_CTX_set1_hkdf_key(pctx, ikm, ikm_len)) <= 0)
++		goto out;
++	if ((r=EVP_PKEY_CTX_add1_hkdf_info(pctx, info, info_len)) <= 0)
++		goto out;
++	if ((r=EVP_PKEY_derive(pctx, okm_buf, &okm_len)) <= 0)
++		goto out;
++
++     out:
++	EVP_PKEY_CTX_free(pctx);
++	if (r <= 0) {
++		unsigned long ec = ERR_get_error();
++		unsigned char *error = t_strdup_printf("%s", ERR_error_string(ec, NULL));
++		i_error("%s", error);
+ 	}
+ 
+-	safe_memset(prk, 0, sizeof(prk));
+-	safe_memset(okm, 0, sizeof(okm));
+ }
+diff -up dovecot-2.3.14/src/lib/hmac-cram-md5.c.opensslhmac dovecot-2.3.14/src/lib/hmac-cram-md5.c
+--- dovecot-2.3.14/src/lib/hmac-cram-md5.c.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/lib/hmac-cram-md5.c	2021-03-22 20:44:13.023912229 +0100
+@@ -9,10 +9,10 @@
+ #include "md5.h"
+ #include "hmac-cram-md5.h"
+ 
+-void hmac_md5_get_cram_context(struct hmac_context *_hmac_ctx,
++void hmac_md5_get_cram_context(struct orig_hmac_context *_hmac_ctx,
+ 			unsigned char context_digest[CRAM_MD5_CONTEXTLEN])
+ {
+-	struct hmac_context_priv *hmac_ctx = &_hmac_ctx->u.priv;
++	struct orig_hmac_context_priv *hmac_ctx = &_hmac_ctx->u.priv;
+ 	unsigned char *cdp;
+ 
+ 	struct md5_context *ctx = (void*)hmac_ctx->ctx;
+@@ -35,10 +35,10 @@ void hmac_md5_get_cram_context(struct hm
+ 	CDPUT(cdp, ctx->d);
+ }
+ 
+-void hmac_md5_set_cram_context(struct hmac_context *_hmac_ctx,
++void hmac_md5_set_cram_context(struct orig_hmac_context *_hmac_ctx,
+ 			const unsigned char context_digest[CRAM_MD5_CONTEXTLEN])
+ {
+-	struct hmac_context_priv *hmac_ctx = &_hmac_ctx->u.priv;
++	struct orig_hmac_context_priv *hmac_ctx = &_hmac_ctx->u.priv;
+ 	const unsigned char *cdp;
+ 
+ 	struct md5_context *ctx = (void*)hmac_ctx->ctx;
+diff -up dovecot-2.3.14/src/lib/hmac-cram-md5.h.opensslhmac dovecot-2.3.14/src/lib/hmac-cram-md5.h
+--- dovecot-2.3.14/src/lib/hmac-cram-md5.h.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/lib/hmac-cram-md5.h	2021-03-22 20:44:13.023912229 +0100
+@@ -5,9 +5,9 @@
+ 
+ #define CRAM_MD5_CONTEXTLEN 32
+ 
+-void hmac_md5_get_cram_context(struct hmac_context *ctx,
++void hmac_md5_get_cram_context(struct orig_hmac_context *ctx,
+ 		unsigned char context_digest[CRAM_MD5_CONTEXTLEN]);
+-void hmac_md5_set_cram_context(struct hmac_context *ctx,
++void hmac_md5_set_cram_context(struct orig_hmac_context *ctx,
+ 		const unsigned char context_digest[CRAM_MD5_CONTEXTLEN]);
+ 
+ 
+diff -up dovecot-2.3.14/src/lib/hmac.h.opensslhmac dovecot-2.3.14/src/lib/hmac.h
+--- dovecot-2.3.14/src/lib/hmac.h.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/lib/hmac.h	2021-03-22 20:44:13.023912229 +0100
+@@ -4,60 +4,97 @@
+ #include "hash-method.h"
+ #include "sha1.h"
+ #include "sha2.h"
++#include <openssl/objects.h>
++#include <openssl/hmac.h>
++#include <openssl/kdf.h>
++#include <openssl/err.h>
+ 
+ #define HMAC_MAX_CONTEXT_SIZE sizeof(struct sha512_ctx)
+ 
+-struct hmac_context_priv {
++struct openssl_hmac_context_priv {
++#ifdef HAVE_HMAC_CTX_NEW
++	HMAC_CTX *ctx;
++#else
++	HMAC_CTX ctx;
++#endif
++	const struct hash_method *hash;
++};
++
++struct orig_hmac_context_priv {
+ 	char ctx[HMAC_MAX_CONTEXT_SIZE];
+ 	char ctxo[HMAC_MAX_CONTEXT_SIZE];
+ 	const struct hash_method *hash;
+ };
+ 
+-struct hmac_context {
++struct openssl_hmac_context {
++	union {
++		struct openssl_hmac_context_priv priv;
++		uint64_t padding_requirement;
++	} u;
++};
++
++struct orig_hmac_context {
+ 	union {
+-		struct hmac_context_priv priv;
++		struct orig_hmac_context_priv priv;
+ 		uint64_t padding_requirement;
+ 	} u;
+ };
+ 
+-void hmac_init(struct hmac_context *ctx, const unsigned char *key,
++void openssl_hmac_init(struct openssl_hmac_context *ctx, const unsigned char *key,
++		size_t key_len, const struct hash_method *meth);
++void openssl_hmac_final(struct openssl_hmac_context *ctx, unsigned char *digest);
++
++static inline void
++openssl_hmac_update(struct openssl_hmac_context *_ctx, const void *data, size_t size)
++{
++	struct openssl_hmac_context_priv *ctx = &_ctx->u.priv;
++	HMAC_Update(ctx->ctx, data, size);
++/*	if (ec != 1)
++    {
++        const char *ebuf = NULL;
++        const char **error_r = &ebuf;
++		dcrypt_openssl_error(error_r);
++    }*/
++}
++
++void orig_hmac_init(struct orig_hmac_context *ctx, const unsigned char *key,
+ 		size_t key_len, const struct hash_method *meth);
+-void hmac_final(struct hmac_context *ctx, unsigned char *digest);
++void orig_hmac_final(struct orig_hmac_context *ctx, unsigned char *digest);
+ 
+ 
+ static inline void
+-hmac_update(struct hmac_context *_ctx, const void *data, size_t size)
++orig_hmac_update(struct orig_hmac_context *_ctx, const void *data, size_t size)
+ {
+-	struct hmac_context_priv *ctx = &_ctx->u.priv;
++	struct orig_hmac_context_priv *ctx = &_ctx->u.priv;
+ 
+ 	ctx->hash->loop(ctx->ctx, data, size);
+ }
+ 
+-buffer_t *t_hmac_data(const struct hash_method *meth,
++buffer_t *openssl_t_hmac_data(const struct hash_method *meth,
+ 		      const unsigned char *key, size_t key_len,
+ 		      const void *data, size_t data_len);
+-buffer_t *t_hmac_buffer(const struct hash_method *meth,
++buffer_t *openssl_t_hmac_buffer(const struct hash_method *meth,
+ 			const unsigned char *key, size_t key_len,
+ 			const buffer_t *data);
+-buffer_t *t_hmac_str(const struct hash_method *meth,
++buffer_t *openssl_t_hmac_str(const struct hash_method *meth,
+ 		     const unsigned char *key, size_t key_len,
+ 		     const char *data);
+ 
+-void hmac_hkdf(const struct hash_method *method,
++void openssl_hmac_hkdf(const struct hash_method *method,
+ 	       const unsigned char *salt, size_t salt_len,
+ 	       const unsigned char *ikm, size_t ikm_len,
+ 	       const unsigned char *info, size_t info_len,
+ 	       buffer_t *okm_r, size_t okm_len);
+ 
+ static inline buffer_t *
+-t_hmac_hkdf(const struct hash_method *method,
++openssl_t_hmac_hkdf(const struct hash_method *method,
+ 	    const unsigned char *salt, size_t salt_len,
+ 	    const unsigned char *ikm, size_t ikm_len,
+ 	    const unsigned char *info, size_t info_len,
+ 	    size_t okm_len)
+ {
+ 	buffer_t *okm_buffer = t_buffer_create(okm_len);
+-	hmac_hkdf(method, salt, salt_len, ikm, ikm_len, info, info_len,
++	openssl_hmac_hkdf(method, salt, salt_len, ikm, ikm_len, info, info_len,
+ 		  okm_buffer, okm_len);
+ 	return okm_buffer;
+ }
+diff -up dovecot-2.3.14/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac dovecot-2.3.14/src/lib-imap-urlauth/imap-urlauth.c
+--- dovecot-2.3.14/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/lib-imap-urlauth/imap-urlauth.c	2021-03-22 20:44:13.023912229 +0100
+@@ -85,15 +85,15 @@ imap_urlauth_internal_generate(const cha
+ 			       const unsigned char mailbox_key[IMAP_URLAUTH_KEY_LEN],
+ 			       size_t *token_len_r)
+ {
+-	struct hmac_context hmac;
++	struct openssl_hmac_context hmac;
+ 	unsigned char *token;
+ 
+ 	token = t_new(unsigned char, SHA1_RESULTLEN + 1);
+ 	token[0] = IMAP_URLAUTH_MECH_INTERNAL_VERSION;
+ 
+-	hmac_init(&hmac, mailbox_key, IMAP_URLAUTH_KEY_LEN, &hash_method_sha1);
+-	hmac_update(&hmac, rumpurl, strlen(rumpurl));
+-	hmac_final(&hmac, token+1);
++	openssl_hmac_init(&hmac, mailbox_key, IMAP_URLAUTH_KEY_LEN, &hash_method_sha1);
++	openssl_hmac_update(&hmac, rumpurl, strlen(rumpurl));
++	openssl_hmac_final(&hmac, token+1);
+ 
+ 	*token_len_r = SHA1_RESULTLEN + 1;
+ 	return token;
+diff -up dovecot-2.3.14/src/lib/Makefile.am.opensslhmac dovecot-2.3.14/src/lib/Makefile.am
+--- dovecot-2.3.14/src/lib/Makefile.am.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/lib/Makefile.am	2021-03-22 20:44:13.023912229 +0100
+@@ -352,6 +352,9 @@ headers = \
+ 	wildcard-match.h \
+ 	write-full.h
+ 
++liblib_la_LIBADD = $(SSL_LIBS)
++liblib_la_CFLAGS = $(SSL_CFLAGS)
++
+ test_programs = test-lib
+ noinst_PROGRAMS = $(test_programs)
+ 
+diff -up dovecot-2.3.14/src/lib-oauth2/oauth2-jwt.c.opensslhmac dovecot-2.3.14/src/lib-oauth2/oauth2-jwt.c
+--- dovecot-2.3.14/src/lib-oauth2/oauth2-jwt.c.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/lib-oauth2/oauth2-jwt.c	2021-03-22 20:44:13.024912217 +0100
+@@ -106,14 +106,14 @@ oauth2_validate_hmac(const struct oauth2
+ 	if (oauth2_lookup_hmac_key(set, azp, alg, key_id, &key, error_r) < 0)
+ 		return -1;
+ 
+-	struct hmac_context ctx;
+-	hmac_init(&ctx, key->data, key->used, method);
+-	hmac_update(&ctx, blobs[0], strlen(blobs[0]));
+-	hmac_update(&ctx, ".", 1);
+-	hmac_update(&ctx, blobs[1], strlen(blobs[1]));
++	struct openssl_hmac_context ctx;
++	openssl_hmac_init(&ctx, key->data, key->used, method);
++	openssl_hmac_update(&ctx, blobs[0], strlen(blobs[0]));
++	openssl_hmac_update(&ctx, ".", 1);
++	openssl_hmac_update(&ctx, blobs[1], strlen(blobs[1]));
+ 	unsigned char digest[method->digest_size];
+ 
+-	hmac_final(&ctx, digest);
++	openssl_hmac_final(&ctx, digest);
+ 
+ 	buffer_t *their_digest =
+ 		t_base64url_decode_str(BASE64_DECODE_FLAG_NO_PADDING, blobs[2]);
+diff -up dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c
+--- dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c	2021-03-22 20:46:09.524440794 +0100
+@@ -236,7 +236,7 @@ static void save_key_to(const char *algo
+ static void sign_jwt_token_hs256(buffer_t *tokenbuf, buffer_t *key)
+ {
+ 	i_assert(key != NULL);
+-	buffer_t *sig = t_hmac_buffer(&hash_method_sha256, key->data, key->used,
++	buffer_t *sig = openssl_t_hmac_buffer(&hash_method_sha256, key->data, key->used,
+ 				      tokenbuf);
+ 	buffer_append(tokenbuf, ".", 1);
+ 	base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX,
+@@ -246,7 +246,7 @@ static void sign_jwt_token_hs256(buffer_
+ static void sign_jwt_token_hs384(buffer_t *tokenbuf, buffer_t *key)
+ {
+ 	i_assert(key != NULL);
+-	buffer_t *sig = t_hmac_buffer(&hash_method_sha384, key->data, key->used,
++	buffer_t *sig = openssl_t_hmac_buffer(&hash_method_sha384, key->data, key->used,
+ 				      tokenbuf);
+ 	buffer_append(tokenbuf, ".", 1);
+ 	base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX,
+@@ -256,7 +256,7 @@ static void sign_jwt_token_hs384(buffer_
+ static void sign_jwt_token_hs512(buffer_t *tokenbuf, buffer_t *key)
+ {
+ 	i_assert(key != NULL);
+-	buffer_t *sig = t_hmac_buffer(&hash_method_sha512, key->data, key->used,
++	buffer_t *sig = openssl_t_hmac_buffer(&hash_method_sha512, key->data, key->used,
+ 				      tokenbuf);
+ 	buffer_append(tokenbuf, ".", 1);
+ 	base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX,
+diff -up dovecot-2.3.14/src/lib/pkcs5.c.opensslhmac dovecot-2.3.14/src/lib/pkcs5.c
+--- dovecot-2.3.14/src/lib/pkcs5.c.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/lib/pkcs5.c	2021-03-22 20:44:13.024912217 +0100
+@@ -52,7 +52,7 @@ int pkcs5_pbkdf2(const struct hash_metho
+ 	size_t l = (length + hash->digest_size - 1)/hash->digest_size; /* same as ceil(length/hash->digest_size) */
+ 	unsigned char dk[l * hash->digest_size];
+ 	unsigned char *block;
+-	struct hmac_context hctx;
++	struct openssl_hmac_context hctx;
+ 	unsigned int c,i,t;
+ 	unsigned char U_c[hash->digest_size];
+ 
+@@ -60,17 +60,17 @@ int pkcs5_pbkdf2(const struct hash_metho
+ 		block = &(dk[t*hash->digest_size]);
+ 		/* U_1 = PRF(Password, Salt|| INT_BE32(Block_Number)) */
+ 		c = htonl(t+1);
+-		hmac_init(&hctx, password, password_len, hash);
+-		hmac_update(&hctx, salt, salt_len);
+-		hmac_update(&hctx, &c, sizeof(c));
+-		hmac_final(&hctx, U_c);
++		openssl_hmac_init(&hctx, password, password_len, hash);
++		openssl_hmac_update(&hctx, salt, salt_len);
++		openssl_hmac_update(&hctx, &c, sizeof(c));
++		openssl_hmac_final(&hctx, U_c);
+ 		/* block = U_1 ^ .. ^ U_iter */
+ 		memcpy(block, U_c, hash->digest_size);
+ 		/* U_c = PRF(Password, U_c-1) */
+ 		for(c = 1; c < iter; c++) {
+-			hmac_init(&hctx, password, password_len, hash);
+-			hmac_update(&hctx, U_c, hash->digest_size);
+-			hmac_final(&hctx, U_c);
++			openssl_hmac_init(&hctx, password, password_len, hash);
++			openssl_hmac_update(&hctx, U_c, hash->digest_size);
++			openssl_hmac_final(&hctx, U_c);
+ 			for(i = 0; i < hash->digest_size; i++)
+ 				block[i] ^= U_c[i];
+ 		}
+diff -up dovecot-2.3.14/src/lib/test-hmac.c.opensslhmac dovecot-2.3.14/src/lib/test-hmac.c
+--- dovecot-2.3.14/src/lib/test-hmac.c.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/lib/test-hmac.c	2021-03-22 20:44:13.024912217 +0100
+@@ -206,11 +206,11 @@ static void test_hmac_rfc(void)
+ 	test_begin("hmac sha256 rfc4231 vectors");
+ 	for(size_t i = 0; i < N_ELEMENTS(test_vectors); i++) {
+ 		const struct test_vector *vec = &(test_vectors[i]);
+-		struct hmac_context ctx;
+-		hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf));
+-		hmac_update(&ctx, vec->data, vec->data_len);
++		struct openssl_hmac_context ctx;
++		openssl_hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf));
++		openssl_hmac_update(&ctx, vec->data, vec->data_len);
+ 		unsigned char res[SHA256_RESULTLEN];
+-		hmac_final(&ctx, res);
++		openssl_hmac_final(&ctx, res);
+ 		test_assert_idx(memcmp(res, vec->res, vec->res_len) == 0, i);
+ 	}
+ 	test_end();
+@@ -221,11 +221,11 @@ static void test_hmac384_rfc(void)
+ 	test_begin("hmac sha384 rfc4231 vectors");
+ 	for (size_t i = 0; i < N_ELEMENTS(test_vectors_hmac384); i++) {
+ 		const struct test_vector *vec = &(test_vectors_hmac384[i]);
+-		struct hmac_context ctx;
+-		hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf));
+-		hmac_update(&ctx, vec->data, vec->data_len);
++		struct openssl_hmac_context ctx;
++		openssl_hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf));
++		openssl_hmac_update(&ctx, vec->data, vec->data_len);
+ 		unsigned char res[SHA384_RESULTLEN];
+-		hmac_final(&ctx, res);
++		openssl_hmac_final(&ctx, res);
+ 		test_assert_idx(memcmp(res, vec->res, vec->res_len) == 0, i);
+ 	}
+ 	test_end();
+@@ -236,11 +236,11 @@ static void test_hmac512_rfc(void)
+ 	test_begin("hmac sha512 rfc4231 vectors");
+ 	for (size_t i = 0; i < N_ELEMENTS(test_vectors_hmac512); i++) {
+ 		const struct test_vector *vec = &(test_vectors_hmac512[i]);
+-		struct hmac_context ctx;
+-		hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf));
+-		hmac_update(&ctx, vec->data, vec->data_len);
++		struct openssl_hmac_context ctx;
++		openssl_hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf));
++		openssl_hmac_update(&ctx, vec->data, vec->data_len);
+ 		unsigned char res[SHA512_RESULTLEN];
+-		hmac_final(&ctx, res);
++		openssl_hmac_final(&ctx, res);
+ 		test_assert_idx(memcmp(res, vec->res, vec->res_len) == 0, i);
+ 	}
+ 	test_end();
+@@ -253,7 +253,7 @@ static void test_hmac_buffer(void)
+ 
+ 	buffer_t *tmp;
+ 
+-	tmp = t_hmac_data(hash_method_lookup(vec->prf), vec->key, vec->key_len,
++	tmp = openssl_t_hmac_data(hash_method_lookup(vec->prf), vec->key, vec->key_len,
+ 			  vec->data, vec->data_len);
+ 
+ 	test_assert(tmp->used == vec->res_len &&
+@@ -270,7 +270,7 @@ static void test_hkdf_rfc(void)
+ 		buffer_set_used_size(res, 0);
+ 		const struct test_vector_5869 *vec = &(test_vectors_5869[i]);
+ 		const struct hash_method *m = hash_method_lookup(vec->prf);
+-		hmac_hkdf(m, vec->salt, vec->salt_len, vec->ikm, vec->ikm_len,
++		openssl_hmac_hkdf(m, vec->salt, vec->salt_len, vec->ikm, vec->ikm_len,
+ 			  vec->info, vec->info_len, res, vec->okm_len);
+ 		test_assert_idx(memcmp(res->data, vec->okm, vec->okm_len) == 0, i);
+ 	}
+@@ -283,7 +283,7 @@ static void test_hkdf_buffer(void)
+ 	test_begin("hkdf temporary buffer");
+ 	const struct test_vector_5869 *vec = &(test_vectors_5869[0]);
+ 	const struct hash_method *m = hash_method_lookup(vec->prf);
+-	buffer_t *tmp = t_hmac_hkdf(m, vec->salt, vec->salt_len, vec->ikm,
++	buffer_t *tmp = openssl_t_hmac_hkdf(m, vec->salt, vec->salt_len, vec->ikm,
+ 				    vec->ikm_len, vec->info, vec->info_len,
+ 				    vec->okm_len);
+ 	test_assert(tmp->used == vec->okm_len &&

dovecot.spec

@@ -3,9 +3,9 @@
 Summary: Secure imap and pop3 server
 Name: dovecot
 Epoch: 1
-Version: 2.3.9.2
+Version: 2.3.14
 %global prever %{nil}
-Release: 2%{?dist}
+Release: 1%{?dist}
 #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2
 License: MIT and LGPLv2
 
@@ -13,7 +13,7 @@ URL: http://www.dovecot.org/
 Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz
 Source1: dovecot.init
 Source2: dovecot.pam
-%global pigeonholever 0.5.9
+%global pigeonholever 0.5.14
 Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz
 Source9: dovecot.sysconfig
 Source10: dovecot.tmpfilesd
@@ -32,6 +32,12 @@ Patch6: dovecot-2.1.10-waitonline.patch
 Patch8: dovecot-2.2.20-initbysystemd.patch
 Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch
 Patch10: dovecot-2.3.0.1-libxcrypt.patch
+Patch15: dovecot-2.3.11-bigkey.patch
+
+# do not use own implementation of HMAC, use OpenSSL for certification purposes
+# not sent upstream as proper fix would use dovecot's lib-dcrypt but it introduces
+# hard to break circular dependency between lib and lib-dcrypt
+Patch16: dovecot-2.3.6-opensslhmac.patch
 
 Source15: prestartscript
 
@@ -39,21 +45,21 @@ BuildRequires: gcc, gcc-c++, openssl-devel, pam-devel, zlib-devel, bzip2-devel,
 BuildRequires: libtool, autoconf, automake, pkgconfig
 BuildRequires: sqlite-devel
 BuildRequires: libpq-devel
-%if %{?fedora}0 < 280
-BuildRequires: mysql-devel
-BuildRequires: tcp_wrappers-devel
-%else
 BuildRequires: mariadb-connector-c-devel
 BuildRequires: libxcrypt-devel
-%endif
 BuildRequires: openldap-devel
 BuildRequires: krb5-devel
 BuildRequires: quota-devel
 BuildRequires: xz-devel
 BuildRequires: lz4-devel
+BuildRequires: libzstd-devel
+%if %{?rhel}0 == 0
 BuildRequires: libsodium-devel
+%endif
+BuildRequires: libicu-devel
 BuildRequires: libexttextcat-devel
 BuildRequires: libstemmer-devel
+BuildRequires: multilib-rpm-config
 
 # gettext-devel is needed for running autoconf because of the
 # presence of AM_ICONV
@@ -64,31 +70,17 @@ Requires: openssl >= 0.9.7f-4
 
 # Package includes an initscript service file, needs to require initscripts package
 Requires(pre): shadow-utils
-%if %{?fedora}0 > 140 || %{?rhel}0 > 60
 Requires: systemd
 Requires(post): systemd-units
 Requires(preun): systemd-units
 Requires(postun): systemd-units
-%else
-Requires: initscripts
-Requires(post): chkconfig
-Requires(preun): chkconfig initscripts
-Requires(postun): initscripts
-%endif
 
-%if %{?fedora}0 > 150 || %{?rhel}0 >60
-#clucene in fedora <=15 and rhel<=6 is too old
 BuildRequires: clucene-core-devel
-%endif
 
 %global ssldir %{_sysconfdir}/pki/%{name}
 
-%if %{?fedora}00%{?rhel} < 6
-%global _initddir %{_initrddir}
-BuildRequires: curl-devel expat-devel
-%else
 BuildRequires: libcurl-devel expat-devel
-%endif
+BuildRequires: make
 
 %global restart_flag /run/%{name}/%{name}-restart-after-rpm-install
 
@@ -133,24 +125,26 @@ This package provides the development files for dovecot.
 %patch6 -p1 -b .waitonline
 %patch8 -p1 -b .initbysystemd
 %patch9 -p1 -b .systemd_w_protectsystem
-#%patch10 -p1 -b .libxcrypt
+%patch15 -p1 -b .bigkey
+%patch16 -p1 -b .opensslhmac
 
 #pushd dovecot-2*3-pigeonhole-%{pigeonholever}
 #popd
 sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in
 
 %build
+# This package references hidden symbols during an LTO link.  This needs further
+# investigation.  Until then, disable LTO
+%define _lto_cflags %{nil}
 #required for fdpass.c line 125,190: dereferencing type-punned pointer will break strict-aliasing rules
 %global _hardened_build 1
 export CFLAGS="%{__global_cflags} -fno-strict-aliasing -fstack-reuse=none"
 export LDFLAGS="-Wl,-z,now -Wl,-z,relro %{?__global_ldflags}"
-# el6 autoconf too old to regen; use packaged files (#1082384)
-%if %{?fedora}00%{?rhel} > 6
 mkdir -p m4
 autoreconf -I . -fiv #required for aarch64 support
-%endif
 %configure                       \
     INSTALL_DATA="install -c -p -m644" \
+    --with-rundir=%{_rundir}/%{name}   \
     --docdir=%{_docdir}/%{name}  \
     --disable-static             \
     --disable-rpath              \
@@ -164,24 +158,19 @@ autoreconf -I . -fiv #required for aarch64 support
     --with-mysql                 \
     --with-sqlite                \
     --with-zlib                  \
+    --with-zstd                  \
     --with-libcap                \
-%if %{?fedora}0 < 280
-    --with-libwrap               \
-%endif
-%if %{?fedora}0 > 150 || %{?rhel}0 >60
+    --with-icu                   \
     --with-lucene                \
-%endif
     --with-ssl=openssl           \
     --with-ssldir=%{ssldir}      \
     --with-solr                  \
-%if %{?fedora}0 > 140 || %{?rhel}0 > 60
     --with-systemdsystemunitdir=%{_unitdir}  \
-%endif
     --with-docs
 
 sed -i 's|/etc/ssl|/etc/pki/dovecot|' doc/mkcert.sh doc/example-config/conf.d/10-ssl.conf
 
-make %{?_smp_mflags}
+%make_build
 
 #pigeonhole
 pushd dovecot-2*3-pigeonhole-%{pigeonholever}
@@ -196,31 +185,28 @@ pushd dovecot-2*3-pigeonhole-%{pigeonholever}
     --with-dovecot=../                 \
     --without-unfinished-features
 
-make %{?_smp_mflags}
+%make_build
 popd
 
 %install
 rm -rf $RPM_BUILD_ROOT
 
-make install DESTDIR=$RPM_BUILD_ROOT
+%make_install
 
-#move doc dir back to build dir so doc macro in files section can use it
+# move doc dir back to build dir so doc macro in files section can use it
 mv $RPM_BUILD_ROOT/%{_docdir}/%{name} %{_builddir}/%{name}-%{version}%{?prever}/docinstall
 
+# fix multilib issues
+%multilib_fix_c_header --file %{_includedir}/dovecot/config.h
 
 pushd dovecot-2*3-pigeonhole-%{pigeonholever}
-make install DESTDIR=$RPM_BUILD_ROOT
+%make_install
 
 mv $RPM_BUILD_ROOT/%{_docdir}/%{name} $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole
 
 install -m 644 AUTHORS ChangeLog COPYING COPYING.LGPL INSTALL NEWS README $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole
 popd
 
-
-%if %{?fedora}00%{?rhel} < 6
-sed -i 's|password-auth|system-auth|' %{SOURCE2}
-%endif
-
 install -p -D -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/dovecot
 
 #install man pages
@@ -237,12 +223,7 @@ chmod 600 $RPM_BUILD_ROOT%{ssldir}/certs/dovecot.pem
 touch $RPM_BUILD_ROOT%{ssldir}/private/dovecot.pem
 chmod 600 $RPM_BUILD_ROOT%{ssldir}/private/dovecot.pem
 
-%if %{?fedora}0 > 140 || %{?rhel}0 > 60
 install -p -D -m 644 %{SOURCE10} $RPM_BUILD_ROOT%{_tmpfilesdir}/dovecot.conf
-%else
-install -p -D -m 755 %{SOURCE1} $RPM_BUILD_ROOT%{_initddir}/dovecot
-install -p -D -m 600 %{SOURCE9} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/dovecot
-%endif
 
 mkdir -p $RPM_BUILD_ROOT/run/dovecot/{login,empty,token-login}
 
@@ -282,23 +263,14 @@ useradd -r -g dovenull -d /usr/libexec/dovecot -s /sbin/nologin -c "Dovecot's un
 # do not let dovecot run during upgrade rhbz#134325
 if [ "$1" = "2" ]; then
   rm -f %restart_flag
-%if %{?fedora}0 > 140 || %{?rhel}0 > 60
   /bin/systemctl is-active %{name}.service >/dev/null 2>&1 && touch %restart_flag ||:
   /bin/systemctl stop %{name}.service >/dev/null 2>&1
-%else
-  /sbin/service %{name} status >/dev/null 2>&1 && touch %restart_flag ||:
-  /sbin/service %{name} stop >/dev/null 2>&1
-%endif
 fi
 
 %post
 if [ $1 -eq 1 ]
 then
-%if %{?fedora}0 > 140 || %{?rhel}0 > 60
   %systemd_post dovecot.service
-%else
-  /sbin/chkconfig --add %{name}
-%endif
 fi
 
 install -d -m 0755 -g dovecot -d /run/dovecot
@@ -309,27 +281,16 @@ install -d -m 0750 -g dovenull -d /run/dovecot/token-login
 
 %preun
 if [ $1 = 0 ]; then
-%if %{?fedora}0 > 140 || %{?rhel}0 > 60
         /bin/systemctl disable dovecot.service dovecot.socket >/dev/null 2>&1 || :
         /bin/systemctl stop dovecot.service dovecot.socket >/dev/null 2>&1 || :
-%else
-    /sbin/service %{name} stop > /dev/null 2>&1
-    /sbin/chkconfig --del %{name}
-%endif
     rm -rf /run/dovecot
 fi
 
 %postun
-%if %{?fedora}0 > 140 || %{?rhel}0 > 60
 /bin/systemctl daemon-reload >/dev/null 2>&1 || :
-%endif
 
 if [ "$1" -ge "1" -a -e %restart_flag ]; then
-%if %{?fedora}0 > 140 || %{?rhel}0 > 60
     /bin/systemctl start dovecot.service >/dev/null 2>&1 || :
-%else
-    /sbin/service %{name} start >/dev/null 2>&1 || :
-%endif
 rm -f %restart_flag
 fi
 
@@ -337,11 +298,7 @@ fi
 # dovecot should be started again in %%postun, but it's not executed on reinstall
 # if it was already started, restart_flag won't be here, so it's ok to test it again
 if [ -e %restart_flag ]; then
-%if %{?fedora}0 > 140 || %{?rhel}0 > 60
     /bin/systemctl start dovecot.service >/dev/null 2>&1 || :
-%else
-    /sbin/service %{name} start >/dev/null 2>&1 || :
-%endif
 rm -f %restart_flag
 fi
 
@@ -357,17 +314,13 @@ make check
 %{_bindir}/doveadm
 %{_bindir}/doveconf
 %{_bindir}/dsync
+%{_bindir}/dovecot-sysreport
 
 
-%if %{?fedora}0 > 140 || %{?rhel}0 > 60
 %_tmpfilesdir/dovecot.conf
 %{_unitdir}/dovecot.service
 %{_unitdir}/dovecot-init.service
 %{_unitdir}/dovecot.socket
-%else
-%{_initddir}/dovecot
-%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/dovecot
-%endif
 
 %dir %{_sysconfdir}/dovecot
 %dir %{_sysconfdir}/dovecot/conf.d
@@ -378,6 +331,7 @@ make check
 %config(noreplace) %{_sysconfdir}/dovecot/conf.d/10-logging.conf
 %config(noreplace) %{_sysconfdir}/dovecot/conf.d/10-mail.conf
 %config(noreplace) %{_sysconfdir}/dovecot/conf.d/10-master.conf
+%config(noreplace) %{_sysconfdir}/dovecot/conf.d/10-metrics.conf
 %config(noreplace) %{_sysconfdir}/dovecot/conf.d/10-ssl.conf
 %config(noreplace) %{_sysconfdir}/dovecot/conf.d/15-lda.conf
 %config(noreplace) %{_sysconfdir}/dovecot/conf.d/15-mailboxes.conf
@@ -397,8 +351,6 @@ make check
 %config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-sql.conf.ext
 %config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-static.conf.ext
 %config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-system.conf.ext
-%config(noreplace) %{_sysconfdir}/dovecot/conf.d/auth-vpopmail.conf.ext
-
 %config(noreplace) %{_sysconfdir}/pam.d/dovecot
 %config(noreplace) %{ssldir}/dovecot-openssl.cnf
 
@@ -439,7 +391,7 @@ make check
 %{_libexecdir}/%{name}
 %exclude %{_libexecdir}/%{name}/managesieve*
 
-%attr(0755,root,dovecot) %ghost /run/dovecot
+%dir %attr(0755,root,dovecot) %ghost /run/dovecot
 %attr(0750,root,dovenull) %ghost /run/dovecot/login
 %attr(0750,root,dovenull) %ghost /run/dovecot/token-login
 %attr(0755,root,root) %ghost /run/dovecot/empty
@@ -500,6 +452,97 @@ make check
 %{_libdir}/%{name}/dict/libdriver_pgsql.so
 
 %changelog
+* Mon Mar 22 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.14-1
+- dovecot updated to 2.3.14, pigeonhole to 0.5.14
+- use OpenSSL's implementation of HMAC
+- Remove autocreate, expire, snarf and mail-filter plugins.
+- Remove cydir storage driver.
+- Remove XZ/LZMA write support. Read support will be removed in future release.
+
+* Mon Feb 08 2021 Pavel Raiskup <praiskup@redhat.com> - 1:2.3.13-7
+- rebuild for libpq ABI fix rhbz#1908268
+
+* Mon Feb 01 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.13-6
+- use make macros
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.13-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Mon Jan 18 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.13-4
+- fix multilib issues
+
+* Mon Jan 18 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.13-3
+- bump release and rebuild
+
+* Thu Jan 07 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.13-2
+- fix rundir location
+
+* Wed Jan 06 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.13-1
+- fix release number
+
+* Mon Jan 04 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.13-0
+- dovecot updated to 2.3.13, pigeonhole to 0.5.13
+- CVE-2020-24386: Specially crafted command can cause IMAP hibernate to
+  allow logged in user to access other people's emails and filesystem
+  information.
+- Metric filter and global event filter variable syntax changed to a
+  SQL-like format. 
+- auth: Added new aliases for %{variables}. Usage of the old ones is
+  possible, but discouraged.
+- auth: Removed RPA auth mechanism, SKEY auth mechanism, NTLM auth
+  mechanism and related password schemes.
+- auth: Removed passdb-sia, passdb-vpopmail and userdb-vpopmail.
+- auth: Removed postfix postmap socket
+
+* Wed Oct 21 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.11.3-7
+- change run directory from /var/run to /run (#1777922)
+
+* Wed Oct 21 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.11.3-6
+- use bigger default key size (#1882939)
+
+* Wed Sep 02 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.11.3-5
+- fix gssapi issue
+
+* Wed Aug 26 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.11.3-4
+- fix FTBFS on 32bit systems
+
+* Mon Aug 17 2020 Jeff Law <law@redhat.com> - 1:2.3.11.3-2
+- Disable LTO
+
+* Sat Aug 15 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.11.3-1
+- CVE-2020-12100: Parsing mails with a large number of MIME parts could
+  have resulted in excessive CPU usage or a crash due to running out of
+  stack memory.
+- CVE-2020-12673: Dovecot's NTLM implementation does not correctly check
+  message buffer size, which leads to reading past allocation which can
+  lead to crash.
+- CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an
+  address that has the empty quoted string as local-part causes the lmtp
+  service to crash.
+- CVE-2020-12674: Dovecot's RPA mechanism implementation accepts
+  zero-length message, which leads to assert-crash later on.
+
+* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.10.1-3
+- Second attempt - Rebuilt for
+  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.10.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Mon May 18 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.10.1-1
+- dovecot updated to 2.3.10.1
+- fixes CVE-2020-10967, CVE-2020-10958, CVE-2020-10957
+
+* Tue Apr 21 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.10-1
+- dovecot updated to 2.3.10, pigeonhole updated to 0.5.10
+
+* Wed Feb 12 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.9.3-1
+- dovecot updated to 2.3.9.3
+- fixes CVE-2020-7046: Truncated UTF-8 can be used to DoS
+      submission-login and lmtp processes.
+- fixes CVE-2020-7957: Specially crafted mail can crash snippet generation.
+
+
 * Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.9.2-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 

sources

@@ -1,2 +1,2 @@
-SHA512 (dovecot-2.3.9.2.tar.gz) = 36e8270bfa33e2bd6aa89017e65c7d1650c494c79ff297759a4b01c026aebcfdf5b1b542d4357e1f9dc2bb8169ef67064f0699b17ca36d658deb70b4c800b253
-SHA512 (dovecot-2.3-pigeonhole-0.5.9.tar.gz) = 1b8d2ac8d3985dde035fc45df519788a924ba971f3e39717f5196ea56a982d4156226586d0a964473525d086967883ea52f2e624e81f7035cb0952b76f2414d8
+SHA512 (dovecot-2.3.14.tar.gz) = 69df234cb739c7ee7ae3acfb9756bc22481e94c95463d32bfac315c7ec4b1ba0dfbff552b769f2ab7ee554087ca2ebbe331aa008d3af26417016612dc7cad103
+SHA512 (dovecot-2.3-pigeonhole-0.5.14.tar.gz) = c5d5d309769eabe2c0971646d0c14d166b6b524acf59e1069eca803f764544fa2535c09c9a630ca706aa70442b688ee26af831d29e674823bac7ea7c0e1f33cc