import dovecot-2.3.16-8.el9

.dovecot.metadata

@@ -0,0 +1,2 @@
+4673c244c6ea73ee3da0bb61d0206a1fe3d0be0e SOURCES/dovecot-2.3-pigeonhole-0.5.16.tar.gz
+b5c598ae8b9901bfabdf2c93271f57cde0bde73e SOURCES/dovecot-2.3.16.tar.gz

.gitignore

@@ -0,0 +1,2 @@
+SOURCES/dovecot-2.3-pigeonhole-0.5.16.tar.gz
+SOURCES/dovecot-2.3.16.tar.gz

SOURCES/dovecot-1.0.beta2-mkcert-permissions.patch

@@ -0,0 +1,11 @@
+--- dovecot-1.0.beta2/doc/mkcert.sh.configfile	2006-01-16 21:14:54.000000000 +0100
++++ dovecot-1.0.beta2/doc/mkcert.sh	2006-01-26 14:28:38.000000000 +0100
+@@ -29,6 +29,7 @@
+ fi
+ 
+ $OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 365 || exit 2
+-chmod 0600 $KEYFILE
++chown root:root $CERTFILE $KEYFILE
++chmod 0600 $CERTFILE $KEYFILE
+ echo 
+ $OPENSSL x509 -subject -fingerprint -noout -in $CERTFILE || exit 2

SOURCES/dovecot-1.0.rc7-mkcert-paths.patch

@@ -0,0 +1,14 @@
+diff -up dovecot-2.2.27/doc/mkcert.sh.mkcert-paths dovecot-2.2.27/doc/mkcert.sh
+--- dovecot-2.2.27/doc/mkcert.sh.mkcert-paths	2016-12-05 10:26:07.913515286 +0100
++++ dovecot-2.2.27/doc/mkcert.sh	2016-12-05 10:28:25.439634417 +0100
+@@ -5,8 +5,8 @@
+ 
+ umask 077
+ OPENSSL=${OPENSSL-openssl}
+-SSLDIR=${SSLDIR-/etc/ssl}
+-OPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf}
++SSLDIR=${SSLDIR-/etc/pki/dovecot}
++OPENSSLCONFIG=${OPENSSLCONFIG-/etc/pki/dovecot/dovecot-openssl.cnf}
+ 
+ CERTDIR=$SSLDIR/certs
+ KEYDIR=$SSLDIR/private

SOURCES/dovecot-2.0-defaultconfig.patch

@@ -0,0 +1,42 @@
+diff -up dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf.default-settings dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf
+--- dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf.default-settings	2021-08-06 11:25:51.000000000 +0200
++++ dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf	2021-10-27 11:13:45.666956339 +0200
+@@ -175,7 +175,7 @@ namespace inbox {
+ # to make sure that users can't log in as daemons or other system users.
+ # Note that denying root logins is hardcoded to dovecot binary and can't
+ # be done even if first_valid_uid is set to 0.
+-#first_valid_uid = 500
++first_valid_uid = 1000
+ #last_valid_uid = 0
+ 
+ # Valid GID range for users, defaults to non-root/wheel. Users having
+@@ -322,6 +322,7 @@ protocol !indexer-worker {
+ # them simultaneously.
+ #mbox_read_locks = fcntl
+ #mbox_write_locks = dotlock fcntl
++mbox_write_locks = fcntl
+ 
+ # Maximum time to wait for lock (all of them) before aborting.
+ #mbox_lock_timeout = 5 mins
+diff -up dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf.default-settings dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf
+--- dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf.default-settings	2021-08-06 11:25:51.000000000 +0200
++++ dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf	2021-10-27 11:13:02.834533975 +0200
+@@ -3,7 +3,9 @@
+ ##
+ 
+ # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
+-#ssl = yes
++# disable plain pop3 and imap, allowed are only pop3+TLS, pop3s, imap+TLS and imaps
++# plain imap and pop3 are still allowed for local connections
++ssl = required
+ 
+ # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
+ # dropping root privileges, so keep the key file unreadable by anyone but
+@@ -64,6 +66,7 @@ ssl_key = </etc/ssl/private/dovecot.pem
+ #ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
+ # To disable non-EC DH, use:
+ #ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
++ssl_cipher_list = PROFILE=SYSTEM
+ 
+ # Colon separated list of elliptic curves to use. Empty value (the default)
+ # means use the defaults from the SSL library. P-521:P-384:P-256 would be an

SOURCES/dovecot-2.1.10-waitonline.patch

@@ -0,0 +1,11 @@
+diff -up dovecot-2.3.15/dovecot.service.in.waitonline dovecot-2.3.15/dovecot.service.in
+--- dovecot-2.3.15/dovecot.service.in.waitonline	2021-06-21 20:19:19.560494654 +0200
++++ dovecot-2.3.15/dovecot.service.in	2021-06-21 20:21:17.443066248 +0200
+@@ -15,6 +15,7 @@ After=local-fs.target network-online.tar
+ 
+ [Service]
+ Type=@systemdservicetype@
++ExecStartPre=/usr/libexec/dovecot/prestartscript
+ ExecStart=@sbindir@/dovecot -F
+ ExecReload=@bindir@/doveadm reload
+ ExecStop=@bindir@/doveadm stop

SOURCES/dovecot-2.2.20-initbysystemd.patch

@@ -0,0 +1,51 @@
+diff -up dovecot-2.3.15/dovecot-init.service.initbysystemd dovecot-2.3.15/dovecot-init.service
+--- dovecot-2.3.15/dovecot-init.service.initbysystemd	2021-06-21 20:21:49.250680889 +0200
++++ dovecot-2.3.15/dovecot-init.service	2021-06-21 20:21:49.250680889 +0200
+@@ -0,0 +1,13 @@
++[Unit]
++Description=One-time Dovecot init service
++ConditionPathExists=|!/etc/pki/dovecot/certs/dovecot.pem
++
++[Service]
++Type=oneshot
++RemainAfterExit=no
++ExecStart=/bin/sh -c '\
++if [ ! -f /etc/pki/dovecot/certs/dovecot.pem ]; \
++then\
++  SSLDIR=/etc/pki/dovecot/ OPENSSLCONFIG=/etc/pki/dovecot/dovecot-openssl.cnf /usr/libexec/dovecot/mkcert.sh /dev/null 2>&1;\
++fi'
++
+diff -up dovecot-2.3.15/dovecot.service.in.initbysystemd dovecot-2.3.15/dovecot.service.in
+--- dovecot-2.3.15/dovecot.service.in.initbysystemd	2021-06-21 20:21:49.250680889 +0200
++++ dovecot-2.3.15/dovecot.service.in	2021-06-21 20:22:46.935981920 +0200
+@@ -11,7 +11,8 @@
+ Description=Dovecot IMAP/POP3 email server
+ Documentation=man:dovecot(1)
+ Documentation=https://doc.dovecot.org/
+-After=local-fs.target network-online.target
++After=local-fs.target network-online.target dovecot-init.service
++Requires=dovecot-init.service
+ 
+ [Service]
+ Type=@systemdservicetype@
+diff -up dovecot-2.3.15/Makefile.am.initbysystemd dovecot-2.3.15/Makefile.am
+--- dovecot-2.3.15/Makefile.am.initbysystemd	2021-06-21 20:21:49.250680889 +0200
++++ dovecot-2.3.15/Makefile.am	2021-06-21 20:24:26.676765849 +0200
+@@ -21,6 +21,7 @@ EXTRA_DIST = \
+ 	run-test-valgrind.supp \
+ 	dovecot.service.in \
+ 	dovecot.socket \
++	dovecot-init.service \
+ 	$(conf_DATA)
+ 
+ noinst_DATA = dovecot-config
+@@ -69,7 +70,8 @@ dovecot-config: dovecot-config.in Makefi
+ if WANT_SYSTEMD
+ systemdsystemunit_DATA = \
+         dovecot.socket \
+-        dovecot.service
++        dovecot.service \
++        dovecot-init.service
+ endif
+ 
+ install-exec-hook:

SOURCES/dovecot-2.2.22-systemd_w_protectsystem.patch

@@ -0,0 +1,11 @@
+diff -up dovecot-2.3.2/dovecot.service.in.systemd_w_protectsystem dovecot-2.3.2/dovecot.service.in
+--- dovecot-2.3.2/dovecot.service.in.systemd_w_protectsystem	2018-07-09 12:00:13.359193526 +0200
++++ dovecot-2.3.2/dovecot.service.in	2018-07-09 12:00:46.387716884 +0200
+@@ -23,6 +23,7 @@ ExecReload=@bindir@/doveadm reload
+ ExecStop=@bindir@/doveadm stop
+ PrivateTmp=true
+ NonBlocking=yes
++# this will make /usr /boot /etc read only for dovecot
+ ProtectSystem=full
+ ProtectHome=no
+ PrivateDevices=true

SOURCES/dovecot-2.3.11-bigkey.patch

@@ -0,0 +1,10 @@
+diff -up dovecot-2.3.15/doc/dovecot-openssl.cnf.bigkey dovecot-2.3.15/doc/dovecot-openssl.cnf
+--- dovecot-2.3.15/doc/dovecot-openssl.cnf.bigkey	2021-06-21 20:24:51.913456628 +0200
++++ dovecot-2.3.15/doc/dovecot-openssl.cnf	2021-06-21 20:25:36.352912123 +0200
+@@ -1,5 +1,5 @@
+ [ req ]
+-default_bits = 2048
++default_bits = 3072
+ encrypt_key = yes
+ distinguished_name = req_dn
+ x509_extensions = cert_type

SOURCES/dovecot-2.3.14-opensslv3.patch

@@ -0,0 +1,34 @@
+diff -up dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c.opensslv3 dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c
+--- dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c.opensslv3	2021-06-03 18:56:52.573174433 +0200
++++ dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c	2021-06-03 18:56:52.585174274 +0200
+@@ -73,10 +73,30 @@
+   2<tab>key algo oid<tab>1<tab>symmetric algo name<tab>salt<tab>hash algo<tab>rounds<tab>E(RSA = i2d_PrivateKey, EC=Private Point)<tab>key id
+ **/
+ 
++#if OPENSSL_VERSION_MAJOR == 3
++static EC_KEY *EVP_PKEY_get0_EC_KEYv3(EVP_PKEY *key)
++{
++  EC_KEY *eck = EVP_PKEY_get1_EC_KEY(key);
++  EVP_PKEY_set1_EC_KEY(key, eck);
++  EC_KEY_free(eck);
++  return eck;
++}
++
++static EC_KEY *EVP_PKEY_get1_EC_KEYv3(EVP_PKEY *key)
++{
++  EC_KEY *eck = EVP_PKEY_get1_EC_KEY(key);
++  EVP_PKEY_set1_EC_KEY(key, eck);
++  return eck;
++}
++
++#define EVP_PKEY_get0_EC_KEY EVP_PKEY_get0_EC_KEYv3 
++#define EVP_PKEY_get1_EC_KEY EVP_PKEY_get1_EC_KEYv3
++#else
+ #ifndef HAVE_EVP_PKEY_get0
+ #define EVP_PKEY_get0_EC_KEY(x) x->pkey.ec
+ #define EVP_PKEY_get0_RSA(x) x->pkey.rsa
+ #endif
++#endif
+ 
+ #ifndef HAVE_OBJ_LENGTH
+ #define OBJ_length(o) ((o)->length)

SOURCES/dovecot-2.3.15-fixvalcond.patch

@@ -0,0 +1,24 @@
+diff -up dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.15/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.15/src/lib-sieve/storage/dict/sieve-dict-script.c
+--- dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.16/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond	2021-06-21 23:07:55.269814896 +0200
++++ dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.16/src/lib-sieve/storage/dict/sieve-dict-script.c	2021-06-21 23:07:55.298814544 +0200
+@@ -109,7 +109,7 @@ static int sieve_dict_script_get_stream
+ {
+ 	struct sieve_dict_script *dscript =
+ 		(struct sieve_dict_script *)script;
+-	const char *path, *name = script->name, *data, *error;
++	const char *path, *name = script->name, *data, *error = NULL;
+ 	int ret;
+ 
+ 	dscript->data_pool =
+diff -up dovecot-2.3.15/src/lib-storage/index/index-attribute.c.fixvalcond dovecot-2.3.15/src/lib-storage/index/index-attribute.c
+--- dovecot-2.3.15/src/lib-storage/index/index-attribute.c.fixvalcond	2021-06-14 15:40:37.000000000 +0200
++++ dovecot-2.3.15/src/lib-storage/index/index-attribute.c	2021-06-21 21:52:22.963171229 +0200
+@@ -249,7 +249,7 @@ int index_storage_attribute_get(struct m
+ 				struct mail_attribute_value *value_r)
+ {
+ 	struct dict *dict;
+-	const char *mailbox_prefix, *error;
++	const char *mailbox_prefix, *error = NULL;
+ 	int ret;
+ 
+ 	i_zero(value_r);

SOURCES/dovecot-2.3.15-valbasherr.patch

@@ -0,0 +1,20 @@
+diff -up dovecot-2.3.15/run-test-valgrind.supp.valbasherr dovecot-2.3.15/run-test-valgrind.supp
+--- dovecot-2.3.15/run-test-valgrind.supp.valbasherr	2021-06-21 22:52:53.272707239 +0200
++++ dovecot-2.3.15/run-test-valgrind.supp	2021-06-21 22:54:19.786668430 +0200
+@@ -1,4 +1,16 @@
+ {
++   <bashagin>
++   Memcheck:Leak
++   match-leak-kinds: definite
++   fun:malloc
++   fun:make_if_command
++   fun:yyparse
++   fun:parse_command
++   fun:read_command
++   fun:reader_loop
++   fun:main
++}
++{
+    <bash>
+    Memcheck:Leak
+    fun:malloc

SOURCES/dovecot-2.3.16-ftbfsbigend.patch

@@ -0,0 +1,53 @@
+commit ec4595097067a736717ef202fe8542b1b4bc2dd5
+Author: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date:   Tue Aug 10 12:22:08 2021 +0300
+
+    lib-index: Fix storing cache fields' last_used with 64bit big endian CPUs
+
+diff --git a/src/lib-index/mail-cache-fields.c b/src/lib-index/mail-cache-fields.c
+index e929fb559d..429e0d234c 100644
+--- a/src/lib-index/mail-cache-fields.c
++++ b/src/lib-index/mail-cache-fields.c
+@@ -524,6 +524,19 @@ static void copy_to_buf_byte(struct mail_cache *cache, buffer_t *dest,
+ 	}
+ }
+ 
++static void
++copy_to_buf_last_used(struct mail_cache *cache, buffer_t *dest, bool add_new)
++{
++	size_t offset = offsetof(struct mail_cache_field, last_used);
++#if defined(WORDS_BIGENDIAN) && SIZEOF_VOID_P == 8
++	/* 64bit time_t with big endian CPUs: copy the last 32 bits instead of
++	   the first 32 bits (that are always 0). The 32 bits are enough until
++	   year 2106, so we're not in a hurry to use 64 bits on disk. */
++	offset += sizeof(uint32_t);
++#endif
++	copy_to_buf(cache, dest, add_new, offset, sizeof(uint32_t));
++}
++
+ static int mail_cache_header_fields_update_locked(struct mail_cache *cache)
+ {
+ 	buffer_t *buffer;
+@@ -536,9 +549,7 @@ static int mail_cache_header_fields_update_locked(struct mail_cache *cache)
+ 
+ 	buffer = t_buffer_create(256);
+ 
+-	copy_to_buf(cache, buffer, FALSE,
+-		    offsetof(struct mail_cache_field, last_used),
+-		    sizeof(uint32_t));
++	copy_to_buf_last_used(cache, buffer, FALSE);
+ 	ret = mail_cache_write(cache, buffer->data, buffer->used,
+ 			       offset + MAIL_CACHE_FIELD_LAST_USED());
+ 	if (ret == 0) {
+@@ -599,9 +610,7 @@ void mail_cache_header_fields_get(struct mail_cache *cache, buffer_t *dest)
+ 	buffer_append(dest, &hdr, sizeof(hdr));
+ 
+ 	/* we have to keep the field order for the existing fields. */
+-	copy_to_buf(cache, dest, TRUE,
+-		    offsetof(struct mail_cache_field, last_used),
+-		    sizeof(uint32_t));
++	copy_to_buf_last_used(cache, dest, TRUE);
+ 	copy_to_buf(cache, dest, TRUE,
+ 		    offsetof(struct mail_cache_field, field_size),
+ 		    sizeof(uint32_t));
+

SOURCES/dovecot-2.3.19.1-7bad6a24.patch

@@ -0,0 +1,131 @@
+From 7bad6a24160e34bce8f10e73dbbf9e5fbbcd1904 Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Mon, 9 May 2022 15:23:33 +0300
+Subject: [PATCH] auth: Fix handling passdbs with identical driver/args but
+ different mechanisms/username_filter
+
+The passdb was wrongly deduplicated in this situation, causing wrong
+mechanisms or username_filter setting to be used. This would be a rather
+unlikely configuration though.
+
+Fixed by moving mechanisms and username_filter from struct passdb_module
+to struct auth_passdb, which is where they should have been in the first
+place.
+---
+ src/auth/auth-request.c |  6 +++---
+ src/auth/auth.c         | 18 ++++++++++++++++++
+ src/auth/auth.h         |  5 +++++
+ src/auth/passdb.c       | 15 ++-------------
+ src/auth/passdb.h       |  4 ----
+ 5 files changed, 28 insertions(+), 20 deletions(-)
+
+diff --git a/src/auth/auth-request.c b/src/auth/auth-request.c
+index cd08b1fa02..0ca29f3674 100644
+--- a/src/auth/auth-request.c
++++ b/src/auth/auth-request.c
+@@ -534,8 +534,8 @@ auth_request_want_skip_passdb(struct auth_request *request,
+ 			      struct auth_passdb *passdb)
+ {
+ 	/* if mechanism is not supported, skip */
+-	const char *const *mechs = passdb->passdb->mechanisms;
+-	const char *const *username_filter = passdb->passdb->username_filter;
++	const char *const *mechs = passdb->mechanisms;
++	const char *const *username_filter = passdb->username_filter;
+ 	const char *username;
+ 
+ 	username = request->fields.user;
+@@ -548,7 +548,7 @@ auth_request_want_skip_passdb(struct auth_request *request,
+ 		return TRUE;
+ 	}
+ 
+-	if (passdb->passdb->username_filter != NULL &&
++	if (passdb->username_filter != NULL &&
+ 	    !auth_request_username_accepted(username_filter, username)) {
+ 		auth_request_log_debug(request,
+ 				       request->mech != NULL ? AUTH_SUBSYS_MECH
+diff --git a/src/auth/auth.c b/src/auth/auth.c
+index f2f3fda20c..9f6c4ba60c 100644
+--- a/src/auth/auth.c
++++ b/src/auth/auth.c
+@@ -99,6 +99,24 @@ auth_passdb_preinit(struct auth *auth, const struct auth_passdb_settings *set,
+ 	auth_passdb->override_fields_tmpl =
+ 		passdb_template_build(auth->pool, set->override_fields);
+ 
++	if (*set->mechanisms == '\0') {
++		auth_passdb->mechanisms = NULL;
++	} else if (strcasecmp(set->mechanisms, "none") == 0) {
++		auth_passdb->mechanisms = (const char *const[]){ NULL };
++	} else {
++		auth_passdb->mechanisms =
++			(const char *const *)p_strsplit_spaces(auth->pool,
++				set->mechanisms, " ,");
++	}
++
++	if (*set->username_filter == '\0') {
++		auth_passdb->username_filter = NULL;
++	} else {
++		auth_passdb->username_filter =
++			(const char *const *)p_strsplit_spaces(auth->pool,
++				set->username_filter, " ,");
++	}
++
+ 	/* for backwards compatibility: */
+ 	if (set->pass)
+ 		auth_passdb->result_success = AUTH_DB_RULE_CONTINUE;
+diff --git a/src/auth/auth.h b/src/auth/auth.h
+index f700e29d5c..460a179765 100644
+--- a/src/auth/auth.h
++++ b/src/auth/auth.h
+@@ -41,6 +41,11 @@ struct auth_passdb {
+ 	struct passdb_template *default_fields_tmpl;
+ 	struct passdb_template *override_fields_tmpl;
+ 
++	/* Supported authentication mechanisms, NULL is all, {NULL} is none */
++	const char *const *mechanisms;
++	/* Username filter, NULL is no filter */
++	const char *const *username_filter;
++
+ 	enum auth_passdb_skip skip;
+ 	enum auth_db_rule result_success;
+ 	enum auth_db_rule result_failure;
+diff --git a/src/auth/passdb.c b/src/auth/passdb.c
+index eb4ac8ae82..f5eed1af4f 100644
+--- a/src/auth/passdb.c
++++ b/src/auth/passdb.c
+@@ -224,19 +224,8 @@ passdb_preinit(pool_t pool, const struct auth_passdb_settings *set)
+ 	passdb->id = ++auth_passdb_id;
+ 	passdb->iface = *iface;
+ 	passdb->args = p_strdup(pool, set->args);
+-	if (*set->mechanisms == '\0') {
+-		passdb->mechanisms = NULL;
+-	} else if (strcasecmp(set->mechanisms, "none") == 0) {
+-		passdb->mechanisms = (const char *const[]){NULL};
+-	} else {
+-		passdb->mechanisms = (const char* const*)p_strsplit_spaces(pool, set->mechanisms, " ,");
+-	}
+-
+-	if (*set->username_filter == '\0') {
+-		passdb->username_filter = NULL;
+-	} else {
+-		passdb->username_filter = (const char* const*)p_strsplit_spaces(pool, set->username_filter, " ,");
+-	}
++	/* NOTE: if anything else than driver & args are added here,
++	   passdb_find() also needs to be updated. */
+ 	array_push_back(&passdb_modules, &passdb);
+ 	return passdb;
+ }
+diff --git a/src/auth/passdb.h b/src/auth/passdb.h
+index 2e95328e5c..e466a9fdb6 100644
+--- a/src/auth/passdb.h
++++ b/src/auth/passdb.h
+@@ -63,10 +63,6 @@ struct passdb_module {
+ 	/* Default password scheme for this module.
+ 	   If default_cache_key is set, must not be NULL. */
+ 	const char *default_pass_scheme;
+-	/* Supported authentication mechanisms, NULL is all, [NULL] is none*/
+-	const char *const *mechanisms;
+-	/* Username filter, NULL is no filter */
+-	const char *const *username_filter;
+ 
+ 	/* If blocking is set to TRUE, use child processes to access
+ 	   this passdb. */

SOURCES/dovecot-2.3.6-opensslhmac.patch

@@ -0,0 +1,813 @@
+diff -up dovecot-2.3.14/src/auth/auth-token.c.opensslhmac dovecot-2.3.14/src/auth/auth-token.c
+--- dovecot-2.3.14/src/auth/auth-token.c.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/auth/auth-token.c	2021-03-22 20:44:13.022912242 +0100
+@@ -161,17 +161,17 @@ void auth_token_deinit(void)
+ const char *auth_token_get(const char *service, const char *session_pid,
+ 			   const char *username, const char *session_id)
+ {
+-	struct hmac_context ctx;
++	struct openssl_hmac_context ctx;
+ 	unsigned char result[SHA1_RESULTLEN];
+ 
+-	hmac_init(&ctx, (const unsigned char*)username, strlen(username),
++	openssl_hmac_init(&ctx, (const unsigned char*)username, strlen(username),
+ 		  &hash_method_sha1);
+-	hmac_update(&ctx, session_pid, strlen(session_pid));
++	openssl_hmac_update(&ctx, session_pid, strlen(session_pid));
+ 	if (session_id != NULL && *session_id != '\0')
+-		hmac_update(&ctx, session_id, strlen(session_id));
+-	hmac_update(&ctx, service, strlen(service));
+-	hmac_update(&ctx, auth_token_secret, sizeof(auth_token_secret));
+-	hmac_final(&ctx, result);
++		openssl_hmac_update(&ctx, session_id, strlen(session_id));
++	openssl_hmac_update(&ctx, service, strlen(service));
++	openssl_hmac_update(&ctx, auth_token_secret, sizeof(auth_token_secret));
++	openssl_hmac_final(&ctx, result);
+ 
+ 	return binary_to_hex(result, sizeof(result));
+ }
+diff -up dovecot-2.3.14/src/auth/mech-cram-md5.c.opensslhmac dovecot-2.3.14/src/auth/mech-cram-md5.c
+--- dovecot-2.3.14/src/auth/mech-cram-md5.c.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/auth/mech-cram-md5.c	2021-03-22 20:44:13.022912242 +0100
+@@ -51,7 +51,7 @@ static bool verify_credentials(struct cr
+ {
+ 	
+ 	unsigned char digest[MD5_RESULTLEN];
+-        struct hmac_context ctx;
++        struct orig_hmac_context ctx;
+ 	const char *response_hex;
+ 
+ 	if (size != CRAM_MD5_CONTEXTLEN) {
+@@ -60,10 +60,10 @@ static bool verify_credentials(struct cr
+ 		return FALSE;
+ 	}
+ 
+-	hmac_init(&ctx, NULL, 0, &hash_method_md5);
++	orig_hmac_init(&ctx, NULL, 0, &hash_method_md5);
+ 	hmac_md5_set_cram_context(&ctx, credentials);
+-	hmac_update(&ctx, request->challenge, strlen(request->challenge));
+-	hmac_final(&ctx, digest);
++	orig_hmac_update(&ctx, request->challenge, strlen(request->challenge));
++	orig_hmac_final(&ctx, digest);
+ 
+ 	response_hex = binary_to_hex(digest, sizeof(digest));
+ 
+diff -up dovecot-2.3.14/src/auth/mech-scram.c.opensslhmac dovecot-2.3.14/src/auth/mech-scram.c
+--- dovecot-2.3.14/src/auth/mech-scram.c.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/auth/mech-scram.c	2021-03-22 20:44:13.022912242 +0100
+@@ -78,7 +78,7 @@ static const char *get_scram_server_firs
+ static const char *get_scram_server_final(struct scram_auth_request *request)
+ {
+ 	const struct hash_method *hmethod = request->hash_method;
+-	struct hmac_context ctx;
++	struct openssl_hmac_context ctx;
+ 	const char *auth_message;
+ 	unsigned char server_signature[hmethod->digest_size];
+ 	string_t *str;
+@@ -87,9 +87,9 @@ static const char *get_scram_server_fina
+ 			request->server_first_message, ",",
+ 			request->client_final_message_without_proof, NULL);
+ 
+-	hmac_init(&ctx, request->server_key, hmethod->digest_size, hmethod);
+-	hmac_update(&ctx, auth_message, strlen(auth_message));
+-	hmac_final(&ctx, server_signature);
++	openssl_hmac_init(&ctx, request->server_key, hmethod->digest_size, hmethod);
++	openssl_hmac_update(&ctx, auth_message, strlen(auth_message));
++	openssl_hmac_final(&ctx, server_signature);
+ 
+ 	str = t_str_new(MAX_BASE64_ENCODED_SIZE(sizeof(server_signature)));
+ 	str_append(str, "v=");
+@@ -228,7 +228,7 @@ static bool parse_scram_client_first(str
+ static bool verify_credentials(struct scram_auth_request *request)
+ {
+ 	const struct hash_method *hmethod = request->hash_method;
+-	struct hmac_context ctx;
++	struct openssl_hmac_context ctx;
+ 	const char *auth_message;
+ 	unsigned char client_key[hmethod->digest_size];
+ 	unsigned char client_signature[hmethod->digest_size];
+@@ -239,9 +239,9 @@ static bool verify_credentials(struct sc
+ 			request->server_first_message, ",",
+ 			request->client_final_message_without_proof, NULL);
+ 
+-	hmac_init(&ctx, request->stored_key, hmethod->digest_size, hmethod);
+-	hmac_update(&ctx, auth_message, strlen(auth_message));
+-	hmac_final(&ctx, client_signature);
++	openssl_hmac_init(&ctx, request->stored_key, hmethod->digest_size, hmethod);
++	openssl_hmac_update(&ctx, auth_message, strlen(auth_message));
++	openssl_hmac_final(&ctx, client_signature);
+ 
+ 	const unsigned char *proof_data = request->proof->data;
+ 	for (i = 0; i < sizeof(client_signature); i++)
+diff -up dovecot-2.3.14/src/auth/password-scheme.c.opensslhmac dovecot-2.3.14/src/auth/password-scheme.c
+--- dovecot-2.3.14/src/auth/password-scheme.c.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/auth/password-scheme.c	2021-03-22 20:44:13.022912242 +0100
+@@ -639,11 +639,11 @@ static void
+ cram_md5_generate(const char *plaintext, const struct password_generate_params *params ATTR_UNUSED,
+ 		  const unsigned char **raw_password_r, size_t *size_r)
+ {
+-	struct hmac_context ctx;
++	struct orig_hmac_context ctx;
+ 	unsigned char *context_digest;
+ 
+ 	context_digest = t_malloc_no0(CRAM_MD5_CONTEXTLEN);
+-	hmac_init(&ctx, (const unsigned char *)plaintext,
++	orig_hmac_init(&ctx, (const unsigned char *)plaintext,
+ 		  strlen(plaintext), &hash_method_md5);
+ 	hmac_md5_get_cram_context(&ctx, context_digest);
+ 
+diff -up dovecot-2.3.14/src/auth/password-scheme-scram.c.opensslhmac dovecot-2.3.14/src/auth/password-scheme-scram.c
+--- dovecot-2.3.14/src/auth/password-scheme-scram.c.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/auth/password-scheme-scram.c	2021-03-22 20:44:13.023912229 +0100
+@@ -30,23 +30,23 @@ Hi(const struct hash_method *hmethod, co
+    const unsigned char *salt, size_t salt_size, unsigned int i,
+    unsigned char *result)
+ {
+-	struct hmac_context ctx;
++	struct openssl_hmac_context ctx;
+ 	unsigned char U[hmethod->digest_size];
+ 	unsigned int j, k;
+ 
+ 	/* Calculate U1 */
+-	hmac_init(&ctx, str, str_size, hmethod);
+-	hmac_update(&ctx, salt, salt_size);
+-	hmac_update(&ctx, "\0\0\0\1", 4);
+-	hmac_final(&ctx, U);
++	openssl_hmac_init(&ctx, str, str_size, hmethod);
++	openssl_hmac_update(&ctx, salt, salt_size);
++	openssl_hmac_update(&ctx, "\0\0\0\1", 4);
++	openssl_hmac_final(&ctx, U);
+ 
+ 	memcpy(result, U, hmethod->digest_size);
+ 
+ 	/* Calculate U2 to Ui and Hi */
+ 	for (j = 2; j <= i; j++) {
+-		hmac_init(&ctx, str, str_size, hmethod);
+-		hmac_update(&ctx, U, sizeof(U));
+-		hmac_final(&ctx, U);
++		openssl_hmac_init(&ctx, str, str_size, hmethod);
++		openssl_hmac_update(&ctx, U, sizeof(U));
++		openssl_hmac_final(&ctx, U);
+ 		for (k = 0; k < hmethod->digest_size; k++)
+ 			result[k] ^= U[k];
+ 	}
+@@ -102,7 +102,7 @@ int scram_verify(const struct hash_metho
+ 		 const char *plaintext, const unsigned char *raw_password,
+ 		 size_t size, const char **error_r)
+ {
+-	struct hmac_context ctx;
++	struct openssl_hmac_context ctx;
+ 	const char *salt_base64;
+ 	unsigned int iter_count;
+ 	const unsigned char *salt;
+@@ -126,9 +126,9 @@ int scram_verify(const struct hash_metho
+ 	   salt, salt_len, iter_count, salted_password);
+ 
+ 	/* Calculate ClientKey */
+-	hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod);
+-	hmac_update(&ctx, "Client Key", 10);
+-	hmac_final(&ctx, client_key);
++	openssl_hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod);
++	openssl_hmac_update(&ctx, "Client Key", 10);
++	openssl_hmac_final(&ctx, client_key);
+ 
+ 	/* Calculate StoredKey */
+ 	hash_method_get_digest(hmethod, client_key, sizeof(client_key),
+@@ -147,7 +147,7 @@ void scram_generate(const struct hash_me
+ 		    const unsigned char **raw_password_r, size_t *size_r)
+ {
+ 	string_t *str;
+-	struct hmac_context ctx;
++	struct openssl_hmac_context ctx;
+ 	unsigned char salt[16];
+ 	unsigned char salted_password[hmethod->digest_size];
+ 	unsigned char client_key[hmethod->digest_size];
+@@ -165,9 +165,9 @@ void scram_generate(const struct hash_me
+ 	   sizeof(salt), SCRAM_DEFAULT_ITERATE_COUNT, salted_password);
+ 
+ 	/* Calculate ClientKey */
+-	hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod);
+-	hmac_update(&ctx, "Client Key", 10);
+-	hmac_final(&ctx, client_key);
++	openssl_hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod);
++	openssl_hmac_update(&ctx, "Client Key", 10);
++	openssl_hmac_final(&ctx, client_key);
+ 
+ 	/* Calculate StoredKey */
+ 	hash_method_get_digest(hmethod, client_key, sizeof(client_key),
+@@ -176,9 +176,9 @@ void scram_generate(const struct hash_me
+ 	base64_encode(stored_key, sizeof(stored_key), str);
+ 
+ 	/* Calculate ServerKey */
+-	hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod);
+-	hmac_update(&ctx, "Server Key", 10);
+-	hmac_final(&ctx, server_key);
++	openssl_hmac_init(&ctx, salted_password, sizeof(salted_password), hmethod);
++	openssl_hmac_update(&ctx, "Server Key", 10);
++	openssl_hmac_final(&ctx, server_key);
+ 	str_append_c(str, ',');
+ 	base64_encode(server_key, sizeof(server_key), str);
+ 
+diff -up dovecot-2.3.14/src/lib/hmac.c.opensslhmac dovecot-2.3.14/src/lib/hmac.c
+--- dovecot-2.3.14/src/lib/hmac.c.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/lib/hmac.c	2021-03-22 20:44:13.023912229 +0100
+@@ -7,6 +7,10 @@
+  * This software is released under the MIT license.
+  */
+ 
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <fcntl.h>
++#include <unistd.h>
+ #include "lib.h"
+ #include "hmac.h"
+ #include "safe-memset.h"
+@@ -14,10 +18,65 @@
+ 
+ #include "hex-binary.h"
+ 
+-void hmac_init(struct hmac_context *_ctx, const unsigned char *key,
++#ifndef HAVE_HMAC_CTX_NEW
++#  define HMAC_Init_ex(ctx, key, key_len, md, impl) \
++	HMAC_Init_ex(&(ctx), key, key_len, md, impl)
++#  define HMAC_Update(ctx, data, len) HMAC_Update(&(ctx), data, len)
++#  define HMAC_Final(ctx, md, len) HMAC_Final(&(ctx), md, len)
++#  define HMAC_CTX_free(ctx) HMAC_cleanup(&(ctx))
++#else
++#  define HMAC_CTX_free(ctx) \
++	STMT_START { HMAC_CTX_free(ctx); (ctx) = NULL; } STMT_END
++#endif
++
++
++void openssl_hmac_init(struct openssl_hmac_context *_ctx, const unsigned char *key,
+ 		size_t key_len, const struct hash_method *meth)
+ {
+-	struct hmac_context_priv *ctx = &_ctx->u.priv;
++ 	struct openssl_hmac_context_priv *ctx = &_ctx->u.priv;
++
++	const EVP_MD *md;
++	const char *ebuf = NULL;
++	const char **error_r = &ebuf;
++
++	md = EVP_get_digestbyname(meth->name);
++	if(md == NULL) {
++		if (error_r != NULL) {
++			*error_r = t_strdup_printf("Invalid digest %s",
++						   meth->name);
++		}
++		//return FALSE;
++	}
++
++// 	int ec;
++
++	i_assert(md != NULL);
++#ifdef HAVE_HMAC_CTX_NEW
++	ctx->ctx = HMAC_CTX_new();
++/*	if (ctx->ctx == NULL)
++		dcrypt_openssl_error(error_r);*/
++#endif
++	/*ec = */HMAC_Init_ex(ctx->ctx, key, key_len, md, NULL);
++}
++
++void orig_hmac_init(struct orig_hmac_context *_ctx, const unsigned char *key,
++		size_t key_len, const struct hash_method *meth)
++{
++    static int no_fips = -1;
++    if (no_fips == -1) {
++        int fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY);
++        if (fd != -1)
++        {
++            char buf[4];
++            if (read(fd, buf, 4) > 0)
++            {
++                no_fips = buf[0] == '0';   
++            }
++            close(fd);   
++        }
++    }
++    i_assert(no_fips);
++	struct orig_hmac_context_priv *ctx = &_ctx->u.priv;
+ 	unsigned int i;
+ 	unsigned char k_ipad[meth->block_size];
+ 	unsigned char k_opad[meth->block_size];
+@@ -53,9 +112,27 @@ void hmac_init(struct hmac_context *_ctx
+ 	safe_memset(k_opad, 0, meth->block_size);
+ }
+ 
+-void hmac_final(struct hmac_context *_ctx, unsigned char *digest)
++void openssl_hmac_final(struct openssl_hmac_context *_ctx, unsigned char *digest)
++{
++	int ec;
++	unsigned char buf[HMAC_MAX_MD_CBLOCK];
++	unsigned int outl;
++//     const char *ebuf = NULL;
++//     const char **error_r = &ebuf;
++
++    struct openssl_hmac_context_priv *ctx = &_ctx->u.priv;
++	ec = HMAC_Final(ctx->ctx, buf, &outl);
++	HMAC_CTX_free(ctx->ctx);
++	if (ec == 1)
++		memcpy(digest, buf, outl);
++//	else
++//		dcrypt_openssl_error(error_r);
++
++}
++
++void orig_hmac_final(struct orig_hmac_context *_ctx, unsigned char *digest)
+ {
+-	struct hmac_context_priv *ctx = &_ctx->u.priv;
++	struct orig_hmac_context_priv *ctx = &_ctx->u.priv;
+ 
+ 	ctx->hash->result(ctx->ctx, digest);
+ 
+@@ -63,53 +140,50 @@ void hmac_final(struct hmac_context *_ct
+ 	ctx->hash->result(ctx->ctxo, digest);
+ }
+ 
+-buffer_t *t_hmac_data(const struct hash_method *meth,
++buffer_t *openssl_t_hmac_data(const struct hash_method *meth,
+ 		      const unsigned char *key, size_t key_len,
+ 		      const void *data, size_t data_len)
+ {
+-	struct hmac_context ctx;
++	struct openssl_hmac_context ctx;
+ 	i_assert(meth != NULL);
+ 	i_assert(key != NULL && key_len > 0);
+ 	i_assert(data != NULL || data_len == 0);
+ 
+ 	buffer_t *res = t_buffer_create(meth->digest_size);
+-	hmac_init(&ctx, key, key_len, meth);
++	openssl_hmac_init(&ctx, key, key_len, meth);
+ 	if (data_len > 0)
+-		hmac_update(&ctx, data, data_len);
++		openssl_hmac_update(&ctx, data, data_len);
+ 	unsigned char *buf = buffer_get_space_unsafe(res, 0, meth->digest_size);
+-	hmac_final(&ctx, buf);
++	openssl_hmac_final(&ctx, buf);
+ 	return res;
+ }
+ 
+-buffer_t *t_hmac_buffer(const struct hash_method *meth,
++buffer_t *openssl_t_hmac_buffer(const struct hash_method *meth,
+ 			const unsigned char *key, size_t key_len,
+ 			const buffer_t *data)
+ {
+-	return t_hmac_data(meth, key, key_len, data->data, data->used);
++	return openssl_t_hmac_data(meth, key, key_len, data->data, data->used);
+ }
+ 
+-buffer_t *t_hmac_str(const struct hash_method *meth,
++buffer_t *openssl_t_hmac_str(const struct hash_method *meth,
+ 		     const unsigned char *key, size_t key_len,
+ 		     const char *data)
+ {
+-	return t_hmac_data(meth, key, key_len, data, strlen(data));
++	return openssl_t_hmac_data(meth, key, key_len, data, strlen(data));
+ }
+ 
+-void hmac_hkdf(const struct hash_method *method,
++void openssl_hmac_hkdf(const struct hash_method *method,
+ 	       const unsigned char *salt, size_t salt_len,
+ 	       const unsigned char *ikm, size_t ikm_len,
+ 	       const unsigned char *info, size_t info_len,
+ 	       buffer_t *okm_r, size_t okm_len)
+ {
++	const EVP_MD *md;
++	EVP_PKEY_CTX *pctx;
++	int r = 1;
++
+ 	i_assert(method != NULL);
+ 	i_assert(okm_len < 255*method->digest_size);
+-	struct hmac_context key_mac;
+-	struct hmac_context info_mac;
+-	size_t remain = okm_len;
+-	unsigned char prk[method->digest_size];
+-	unsigned char okm[method->digest_size];
+-	/* N = ceil(L/HashLen) */
+-	unsigned int rounds = (okm_len + method->digest_size - 1)/method->digest_size;
+ 
+ 	/* salt and info can be NULL */
+ 	i_assert(salt != NULL || salt_len == 0);
+@@ -118,35 +192,30 @@ void hmac_hkdf(const struct hash_method
+ 	i_assert(ikm != NULL && ikm_len > 0);
+ 	i_assert(okm_r != NULL && okm_len > 0);
+ 
+-	/* but they still need valid pointer, reduces
+-	   complains from static analysers */
+-	if (salt == NULL)
+-		salt = &uchar_nul;
+-	if (info == NULL)
+-		info = &uchar_nul;
+-
+-	/* extract */
+-	hmac_init(&key_mac, salt, salt_len, method);
+-	hmac_update(&key_mac, ikm, ikm_len);
+-	hmac_final(&key_mac, prk);
+-
+-	/* expand */
+-	for (unsigned int i = 0; remain > 0 && i < rounds; i++) {
+-		unsigned char round = (i+1);
+-		size_t amt = remain;
+-		if (amt > method->digest_size)
+-			amt = method->digest_size;
+-		hmac_init(&info_mac, prk, method->digest_size, method);
+-		if (i > 0)
+-			hmac_update(&info_mac, okm, method->digest_size);
+-		hmac_update(&info_mac, info, info_len);
+-		hmac_update(&info_mac, &round, 1);
+-		memset(okm, 0, method->digest_size);
+-		hmac_final(&info_mac, okm);
+-		buffer_append(okm_r, okm, amt);
+-		remain -= amt;
++
++	md = EVP_get_digestbyname(method->name);
++	pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
++	unsigned char *okm_buf = buffer_get_space_unsafe(okm_r, 0, okm_len);
++
++	if ((r=EVP_PKEY_derive_init(pctx)) <= 0)
++		goto out;
++	if ((r=EVP_PKEY_CTX_set_hkdf_md(pctx, md)) <= 0)
++		goto out;
++	if ((r=EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt, salt_len)) <= 0)
++		goto out;
++	if ((r=EVP_PKEY_CTX_set1_hkdf_key(pctx, ikm, ikm_len)) <= 0)
++		goto out;
++	if ((r=EVP_PKEY_CTX_add1_hkdf_info(pctx, info, info_len)) <= 0)
++		goto out;
++	if ((r=EVP_PKEY_derive(pctx, okm_buf, &okm_len)) <= 0)
++		goto out;
++
++     out:
++	EVP_PKEY_CTX_free(pctx);
++	if (r <= 0) {
++		unsigned long ec = ERR_get_error();
++		unsigned char *error = t_strdup_printf("%s", ERR_error_string(ec, NULL));
++		i_error("%s", error);
+ 	}
+ 
+-	safe_memset(prk, 0, sizeof(prk));
+-	safe_memset(okm, 0, sizeof(okm));
+ }
+diff -up dovecot-2.3.14/src/lib/hmac-cram-md5.c.opensslhmac dovecot-2.3.14/src/lib/hmac-cram-md5.c
+--- dovecot-2.3.14/src/lib/hmac-cram-md5.c.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/lib/hmac-cram-md5.c	2021-03-22 20:44:13.023912229 +0100
+@@ -9,10 +9,10 @@
+ #include "md5.h"
+ #include "hmac-cram-md5.h"
+ 
+-void hmac_md5_get_cram_context(struct hmac_context *_hmac_ctx,
++void hmac_md5_get_cram_context(struct orig_hmac_context *_hmac_ctx,
+ 			unsigned char context_digest[CRAM_MD5_CONTEXTLEN])
+ {
+-	struct hmac_context_priv *hmac_ctx = &_hmac_ctx->u.priv;
++	struct orig_hmac_context_priv *hmac_ctx = &_hmac_ctx->u.priv;
+ 	unsigned char *cdp;
+ 
+ 	struct md5_context *ctx = (void*)hmac_ctx->ctx;
+@@ -35,10 +35,10 @@ void hmac_md5_get_cram_context(struct hm
+ 	CDPUT(cdp, ctx->d);
+ }
+ 
+-void hmac_md5_set_cram_context(struct hmac_context *_hmac_ctx,
++void hmac_md5_set_cram_context(struct orig_hmac_context *_hmac_ctx,
+ 			const unsigned char context_digest[CRAM_MD5_CONTEXTLEN])
+ {
+-	struct hmac_context_priv *hmac_ctx = &_hmac_ctx->u.priv;
++	struct orig_hmac_context_priv *hmac_ctx = &_hmac_ctx->u.priv;
+ 	const unsigned char *cdp;
+ 
+ 	struct md5_context *ctx = (void*)hmac_ctx->ctx;
+diff -up dovecot-2.3.14/src/lib/hmac-cram-md5.h.opensslhmac dovecot-2.3.14/src/lib/hmac-cram-md5.h
+--- dovecot-2.3.14/src/lib/hmac-cram-md5.h.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/lib/hmac-cram-md5.h	2021-03-22 20:44:13.023912229 +0100
+@@ -5,9 +5,9 @@
+ 
+ #define CRAM_MD5_CONTEXTLEN 32
+ 
+-void hmac_md5_get_cram_context(struct hmac_context *ctx,
++void hmac_md5_get_cram_context(struct orig_hmac_context *ctx,
+ 		unsigned char context_digest[CRAM_MD5_CONTEXTLEN]);
+-void hmac_md5_set_cram_context(struct hmac_context *ctx,
++void hmac_md5_set_cram_context(struct orig_hmac_context *ctx,
+ 		const unsigned char context_digest[CRAM_MD5_CONTEXTLEN]);
+ 
+ 
+diff -up dovecot-2.3.14/src/lib/hmac.h.opensslhmac dovecot-2.3.14/src/lib/hmac.h
+--- dovecot-2.3.14/src/lib/hmac.h.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/lib/hmac.h	2021-03-22 20:44:13.023912229 +0100
+@@ -4,60 +4,97 @@
+ #include "hash-method.h"
+ #include "sha1.h"
+ #include "sha2.h"
++#include <openssl/objects.h>
++#include <openssl/hmac.h>
++#include <openssl/kdf.h>
++#include <openssl/err.h>
+ 
+ #define HMAC_MAX_CONTEXT_SIZE sizeof(struct sha512_ctx)
+ 
+-struct hmac_context_priv {
++struct openssl_hmac_context_priv {
++#ifdef HAVE_HMAC_CTX_NEW
++	HMAC_CTX *ctx;
++#else
++	HMAC_CTX ctx;
++#endif
++	const struct hash_method *hash;
++};
++
++struct orig_hmac_context_priv {
+ 	char ctx[HMAC_MAX_CONTEXT_SIZE];
+ 	char ctxo[HMAC_MAX_CONTEXT_SIZE];
+ 	const struct hash_method *hash;
+ };
+ 
+-struct hmac_context {
++struct openssl_hmac_context {
++	union {
++		struct openssl_hmac_context_priv priv;
++		uint64_t padding_requirement;
++	} u;
++};
++
++struct orig_hmac_context {
+ 	union {
+-		struct hmac_context_priv priv;
++		struct orig_hmac_context_priv priv;
+ 		uint64_t padding_requirement;
+ 	} u;
+ };
+ 
+-void hmac_init(struct hmac_context *ctx, const unsigned char *key,
++void openssl_hmac_init(struct openssl_hmac_context *ctx, const unsigned char *key,
++		size_t key_len, const struct hash_method *meth);
++void openssl_hmac_final(struct openssl_hmac_context *ctx, unsigned char *digest);
++
++static inline void
++openssl_hmac_update(struct openssl_hmac_context *_ctx, const void *data, size_t size)
++{
++	struct openssl_hmac_context_priv *ctx = &_ctx->u.priv;
++	HMAC_Update(ctx->ctx, data, size);
++/*	if (ec != 1)
++    {
++        const char *ebuf = NULL;
++        const char **error_r = &ebuf;
++		dcrypt_openssl_error(error_r);
++    }*/
++}
++
++void orig_hmac_init(struct orig_hmac_context *ctx, const unsigned char *key,
+ 		size_t key_len, const struct hash_method *meth);
+-void hmac_final(struct hmac_context *ctx, unsigned char *digest);
++void orig_hmac_final(struct orig_hmac_context *ctx, unsigned char *digest);
+ 
+ 
+ static inline void
+-hmac_update(struct hmac_context *_ctx, const void *data, size_t size)
++orig_hmac_update(struct orig_hmac_context *_ctx, const void *data, size_t size)
+ {
+-	struct hmac_context_priv *ctx = &_ctx->u.priv;
++	struct orig_hmac_context_priv *ctx = &_ctx->u.priv;
+ 
+ 	ctx->hash->loop(ctx->ctx, data, size);
+ }
+ 
+-buffer_t *t_hmac_data(const struct hash_method *meth,
++buffer_t *openssl_t_hmac_data(const struct hash_method *meth,
+ 		      const unsigned char *key, size_t key_len,
+ 		      const void *data, size_t data_len);
+-buffer_t *t_hmac_buffer(const struct hash_method *meth,
++buffer_t *openssl_t_hmac_buffer(const struct hash_method *meth,
+ 			const unsigned char *key, size_t key_len,
+ 			const buffer_t *data);
+-buffer_t *t_hmac_str(const struct hash_method *meth,
++buffer_t *openssl_t_hmac_str(const struct hash_method *meth,
+ 		     const unsigned char *key, size_t key_len,
+ 		     const char *data);
+ 
+-void hmac_hkdf(const struct hash_method *method,
++void openssl_hmac_hkdf(const struct hash_method *method,
+ 	       const unsigned char *salt, size_t salt_len,
+ 	       const unsigned char *ikm, size_t ikm_len,
+ 	       const unsigned char *info, size_t info_len,
+ 	       buffer_t *okm_r, size_t okm_len);
+ 
+ static inline buffer_t *
+-t_hmac_hkdf(const struct hash_method *method,
++openssl_t_hmac_hkdf(const struct hash_method *method,
+ 	    const unsigned char *salt, size_t salt_len,
+ 	    const unsigned char *ikm, size_t ikm_len,
+ 	    const unsigned char *info, size_t info_len,
+ 	    size_t okm_len)
+ {
+ 	buffer_t *okm_buffer = t_buffer_create(okm_len);
+-	hmac_hkdf(method, salt, salt_len, ikm, ikm_len, info, info_len,
++	openssl_hmac_hkdf(method, salt, salt_len, ikm, ikm_len, info, info_len,
+ 		  okm_buffer, okm_len);
+ 	return okm_buffer;
+ }
+diff -up dovecot-2.3.14/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac dovecot-2.3.14/src/lib-imap-urlauth/imap-urlauth.c
+--- dovecot-2.3.14/src/lib-imap-urlauth/imap-urlauth.c.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/lib-imap-urlauth/imap-urlauth.c	2021-03-22 20:44:13.023912229 +0100
+@@ -85,15 +85,15 @@ imap_urlauth_internal_generate(const cha
+ 			       const unsigned char mailbox_key[IMAP_URLAUTH_KEY_LEN],
+ 			       size_t *token_len_r)
+ {
+-	struct hmac_context hmac;
++	struct openssl_hmac_context hmac;
+ 	unsigned char *token;
+ 
+ 	token = t_new(unsigned char, SHA1_RESULTLEN + 1);
+ 	token[0] = IMAP_URLAUTH_MECH_INTERNAL_VERSION;
+ 
+-	hmac_init(&hmac, mailbox_key, IMAP_URLAUTH_KEY_LEN, &hash_method_sha1);
+-	hmac_update(&hmac, rumpurl, strlen(rumpurl));
+-	hmac_final(&hmac, token+1);
++	openssl_hmac_init(&hmac, mailbox_key, IMAP_URLAUTH_KEY_LEN, &hash_method_sha1);
++	openssl_hmac_update(&hmac, rumpurl, strlen(rumpurl));
++	openssl_hmac_final(&hmac, token+1);
+ 
+ 	*token_len_r = SHA1_RESULTLEN + 1;
+ 	return token;
+diff -up dovecot-2.3.14/src/lib/Makefile.am.opensslhmac dovecot-2.3.14/src/lib/Makefile.am
+--- dovecot-2.3.14/src/lib/Makefile.am.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/lib/Makefile.am	2021-03-22 20:44:13.023912229 +0100
+@@ -352,6 +352,9 @@ headers = \
+ 	wildcard-match.h \
+ 	write-full.h
+ 
++liblib_la_LIBADD = $(SSL_LIBS)
++liblib_la_CFLAGS = $(SSL_CFLAGS)
++
+ test_programs = test-lib
+ noinst_PROGRAMS = $(test_programs)
+ 
+diff -up dovecot-2.3.14/src/lib-oauth2/oauth2-jwt.c.opensslhmac dovecot-2.3.14/src/lib-oauth2/oauth2-jwt.c
+--- dovecot-2.3.14/src/lib-oauth2/oauth2-jwt.c.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/lib-oauth2/oauth2-jwt.c	2021-03-22 20:44:13.024912217 +0100
+@@ -106,14 +106,14 @@ oauth2_validate_hmac(const struct oauth2
+ 	if (oauth2_lookup_hmac_key(set, azp, alg, key_id, &key, error_r) < 0)
+ 		return -1;
+ 
+-	struct hmac_context ctx;
+-	hmac_init(&ctx, key->data, key->used, method);
+-	hmac_update(&ctx, blobs[0], strlen(blobs[0]));
+-	hmac_update(&ctx, ".", 1);
+-	hmac_update(&ctx, blobs[1], strlen(blobs[1]));
++	struct openssl_hmac_context ctx;
++	openssl_hmac_init(&ctx, key->data, key->used, method);
++	openssl_hmac_update(&ctx, blobs[0], strlen(blobs[0]));
++	openssl_hmac_update(&ctx, ".", 1);
++	openssl_hmac_update(&ctx, blobs[1], strlen(blobs[1]));
+ 	unsigned char digest[method->digest_size];
+ 
+-	hmac_final(&ctx, digest);
++	openssl_hmac_final(&ctx, digest);
+ 
+ 	buffer_t *their_digest =
+ 		t_base64url_decode_str(BASE64_DECODE_FLAG_NO_PADDING, blobs[2]);
+diff -up dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c
+--- dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/lib-oauth2/test-oauth2-jwt.c	2021-03-22 20:46:09.524440794 +0100
+@@ -236,7 +236,7 @@ static void save_key_to(const char *algo
+ static void sign_jwt_token_hs256(buffer_t *tokenbuf, buffer_t *key)
+ {
+ 	i_assert(key != NULL);
+-	buffer_t *sig = t_hmac_buffer(&hash_method_sha256, key->data, key->used,
++	buffer_t *sig = openssl_t_hmac_buffer(&hash_method_sha256, key->data, key->used,
+ 				      tokenbuf);
+ 	buffer_append(tokenbuf, ".", 1);
+ 	base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX,
+@@ -246,7 +246,7 @@ static void sign_jwt_token_hs256(buffer_
+ static void sign_jwt_token_hs384(buffer_t *tokenbuf, buffer_t *key)
+ {
+ 	i_assert(key != NULL);
+-	buffer_t *sig = t_hmac_buffer(&hash_method_sha384, key->data, key->used,
++	buffer_t *sig = openssl_t_hmac_buffer(&hash_method_sha384, key->data, key->used,
+ 				      tokenbuf);
+ 	buffer_append(tokenbuf, ".", 1);
+ 	base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX,
+@@ -256,7 +256,7 @@ static void sign_jwt_token_hs384(buffer_
+ static void sign_jwt_token_hs512(buffer_t *tokenbuf, buffer_t *key)
+ {
+ 	i_assert(key != NULL);
+-	buffer_t *sig = t_hmac_buffer(&hash_method_sha512, key->data, key->used,
++	buffer_t *sig = openssl_t_hmac_buffer(&hash_method_sha512, key->data, key->used,
+ 				      tokenbuf);
+ 	buffer_append(tokenbuf, ".", 1);
+ 	base64url_encode(BASE64_ENCODE_FLAG_NO_PADDING, SIZE_MAX,
+diff -up dovecot-2.3.14/src/lib/pkcs5.c.opensslhmac dovecot-2.3.14/src/lib/pkcs5.c
+--- dovecot-2.3.14/src/lib/pkcs5.c.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/lib/pkcs5.c	2021-03-22 20:44:13.024912217 +0100
+@@ -52,7 +52,7 @@ int pkcs5_pbkdf2(const struct hash_metho
+ 	size_t l = (length + hash->digest_size - 1)/hash->digest_size; /* same as ceil(length/hash->digest_size) */
+ 	unsigned char dk[l * hash->digest_size];
+ 	unsigned char *block;
+-	struct hmac_context hctx;
++	struct openssl_hmac_context hctx;
+ 	unsigned int c,i,t;
+ 	unsigned char U_c[hash->digest_size];
+ 
+@@ -60,17 +60,17 @@ int pkcs5_pbkdf2(const struct hash_metho
+ 		block = &(dk[t*hash->digest_size]);
+ 		/* U_1 = PRF(Password, Salt|| INT_BE32(Block_Number)) */
+ 		c = htonl(t+1);
+-		hmac_init(&hctx, password, password_len, hash);
+-		hmac_update(&hctx, salt, salt_len);
+-		hmac_update(&hctx, &c, sizeof(c));
+-		hmac_final(&hctx, U_c);
++		openssl_hmac_init(&hctx, password, password_len, hash);
++		openssl_hmac_update(&hctx, salt, salt_len);
++		openssl_hmac_update(&hctx, &c, sizeof(c));
++		openssl_hmac_final(&hctx, U_c);
+ 		/* block = U_1 ^ .. ^ U_iter */
+ 		memcpy(block, U_c, hash->digest_size);
+ 		/* U_c = PRF(Password, U_c-1) */
+ 		for(c = 1; c < iter; c++) {
+-			hmac_init(&hctx, password, password_len, hash);
+-			hmac_update(&hctx, U_c, hash->digest_size);
+-			hmac_final(&hctx, U_c);
++			openssl_hmac_init(&hctx, password, password_len, hash);
++			openssl_hmac_update(&hctx, U_c, hash->digest_size);
++			openssl_hmac_final(&hctx, U_c);
+ 			for(i = 0; i < hash->digest_size; i++)
+ 				block[i] ^= U_c[i];
+ 		}
+diff -up dovecot-2.3.14/src/lib/test-hmac.c.opensslhmac dovecot-2.3.14/src/lib/test-hmac.c
+--- dovecot-2.3.14/src/lib/test-hmac.c.opensslhmac	2021-03-04 09:38:06.000000000 +0100
++++ dovecot-2.3.14/src/lib/test-hmac.c	2021-03-22 20:44:13.024912217 +0100
+@@ -206,11 +206,11 @@ static void test_hmac_rfc(void)
+ 	test_begin("hmac sha256 rfc4231 vectors");
+ 	for(size_t i = 0; i < N_ELEMENTS(test_vectors); i++) {
+ 		const struct test_vector *vec = &(test_vectors[i]);
+-		struct hmac_context ctx;
+-		hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf));
+-		hmac_update(&ctx, vec->data, vec->data_len);
++		struct openssl_hmac_context ctx;
++		openssl_hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf));
++		openssl_hmac_update(&ctx, vec->data, vec->data_len);
+ 		unsigned char res[SHA256_RESULTLEN];
+-		hmac_final(&ctx, res);
++		openssl_hmac_final(&ctx, res);
+ 		test_assert_idx(memcmp(res, vec->res, vec->res_len) == 0, i);
+ 	}
+ 	test_end();
+@@ -221,11 +221,11 @@ static void test_hmac384_rfc(void)
+ 	test_begin("hmac sha384 rfc4231 vectors");
+ 	for (size_t i = 0; i < N_ELEMENTS(test_vectors_hmac384); i++) {
+ 		const struct test_vector *vec = &(test_vectors_hmac384[i]);
+-		struct hmac_context ctx;
+-		hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf));
+-		hmac_update(&ctx, vec->data, vec->data_len);
++		struct openssl_hmac_context ctx;
++		openssl_hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf));
++		openssl_hmac_update(&ctx, vec->data, vec->data_len);
+ 		unsigned char res[SHA384_RESULTLEN];
+-		hmac_final(&ctx, res);
++		openssl_hmac_final(&ctx, res);
+ 		test_assert_idx(memcmp(res, vec->res, vec->res_len) == 0, i);
+ 	}
+ 	test_end();
+@@ -236,11 +236,11 @@ static void test_hmac512_rfc(void)
+ 	test_begin("hmac sha512 rfc4231 vectors");
+ 	for (size_t i = 0; i < N_ELEMENTS(test_vectors_hmac512); i++) {
+ 		const struct test_vector *vec = &(test_vectors_hmac512[i]);
+-		struct hmac_context ctx;
+-		hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf));
+-		hmac_update(&ctx, vec->data, vec->data_len);
++		struct openssl_hmac_context ctx;
++		openssl_hmac_init(&ctx, vec->key, vec->key_len, hash_method_lookup(vec->prf));
++		openssl_hmac_update(&ctx, vec->data, vec->data_len);
+ 		unsigned char res[SHA512_RESULTLEN];
+-		hmac_final(&ctx, res);
++		openssl_hmac_final(&ctx, res);
+ 		test_assert_idx(memcmp(res, vec->res, vec->res_len) == 0, i);
+ 	}
+ 	test_end();
+@@ -253,7 +253,7 @@ static void test_hmac_buffer(void)
+ 
+ 	buffer_t *tmp;
+ 
+-	tmp = t_hmac_data(hash_method_lookup(vec->prf), vec->key, vec->key_len,
++	tmp = openssl_t_hmac_data(hash_method_lookup(vec->prf), vec->key, vec->key_len,
+ 			  vec->data, vec->data_len);
+ 
+ 	test_assert(tmp->used == vec->res_len &&
+@@ -270,7 +270,7 @@ static void test_hkdf_rfc(void)
+ 		buffer_set_used_size(res, 0);
+ 		const struct test_vector_5869 *vec = &(test_vectors_5869[i]);
+ 		const struct hash_method *m = hash_method_lookup(vec->prf);
+-		hmac_hkdf(m, vec->salt, vec->salt_len, vec->ikm, vec->ikm_len,
++		openssl_hmac_hkdf(m, vec->salt, vec->salt_len, vec->ikm, vec->ikm_len,
+ 			  vec->info, vec->info_len, res, vec->okm_len);
+ 		test_assert_idx(memcmp(res->data, vec->okm, vec->okm_len) == 0, i);
+ 	}
+@@ -283,7 +283,7 @@ static void test_hkdf_buffer(void)
+ 	test_begin("hkdf temporary buffer");
+ 	const struct test_vector_5869 *vec = &(test_vectors_5869[0]);
+ 	const struct hash_method *m = hash_method_lookup(vec->prf);
+-	buffer_t *tmp = t_hmac_hkdf(m, vec->salt, vec->salt_len, vec->ikm,
++	buffer_t *tmp = openssl_t_hmac_hkdf(m, vec->salt, vec->salt_len, vec->ikm,
+ 				    vec->ikm_len, vec->info, vec->info_len,
+ 				    vec->okm_len);
+ 	test_assert(tmp->used == vec->okm_len &&

SOURCES/dovecot.conf.5

@@ -0,0 +1,19 @@
+.TH DOVECOT.CONF 5 2010/06/27 "dovecot" "File Formats and Conventions"
+.SH NAME
+\fBdovecot.conf\fP \- The configuration file for dovecot imap and pop3 server
+
+.SH FULL PATH
+.B /etc/dovecot.conf
+
+.SH DESCRIPTION
+The dovecot.conf file is a configuration file for the
+.BR dovecot (1)
+imap and pop3 server. The dovecot.conf configuration file contains description to all available options. Some of these options are described also in offline wiki documentation placed in /usr/share/doc/dovecot*/wiki/.
+
+For backup purposes unmodified version of dovecot.conf can be found in /usr/share/doc/dovecot-<version>/example-config/dovecot.conf.default
+
+.SH "SEE ALSO"
+.BR doveadm (1),
+.BR dovecot (1),
+.I /usr/share/doc/dovecot*/wiki/
+.I /usr/share/doc/dovecot*/dovecot.conf.default

SOURCES/dovecot.init

@@ -0,0 +1,108 @@
+#!/bin/bash
+#
+#	/etc/rc.d/init.d/dovecot
+#
+# Starts the dovecot daemon
+#
+# chkconfig: - 65 35
+# description: Dovecot Imap Server
+# processname: dovecot
+# config: /etc/dovecot.conf
+# config: /etc/sysconfig/dovecot
+# pidfile: /var/run/dovecot/master.pid
+
+### BEGIN INIT INFO
+# Provides: dovecot
+# Required-Start: $local_fs $network
+# Required-Stop: $local_fs $network
+# Should-Start: $remote_fs
+# Should-Stop: $remote_fs
+# Default-Start: 
+# Default-Stop: 0 1 2 3 4 5 6
+# Short-Description: start and stop Dovecot Imap server
+# Description: Dovecot is an IMAP server for Linux/UNIX-like systems,
+#              written with security primarily in mind.  It also contains
+#              a small POP3 server.
+### END INIT INFO
+
+# Source function library.
+. /etc/init.d/functions
+
+if [ -f /etc/sysconfig/dovecot -a $UID -eq 0 ]; then
+    . /etc/sysconfig/dovecot
+fi
+
+RETVAL=0
+prog="Dovecot Imap"
+exec="/usr/sbin/dovecot"
+config="/etc/dovecot/dovecot.conf"
+pidfile="/var/run/dovecot/master.pid"
+lockfile="/var/lock/subsys/dovecot"
+
+start() {
+	[ $UID -eq 0 ] || exit 4
+	[ -x $exec ] || exit 5
+	[ -f $config ] || exit 6
+
+        echo -n $"Starting $prog: "
+	daemon --pidfile $pidfile $exec $OPTIONS
+	RETVAL=$?
+	[ $RETVAL -eq 0 ] && touch  $lockfile
+	echo
+}
+
+stop() {
+	[ $UID -eq 0 ] || exit 4
+	echo -n $"Stopping $prog: "
+	killproc -p $pidfile $exec
+	RETVAL=$?
+	[ $RETVAL -eq 0 ] && rm -f $lockfile
+	echo
+}
+
+reload() {
+	[ $UID -eq 0 ] || exit 4
+	echo -n $"Reloading $prog: "
+	killproc -p $pidfile $exec -HUP
+	RETVAL=$?
+	echo
+}
+
+#
+#	See how we were called.
+#
+case "$1" in
+  start)
+	start
+	;;
+  stop)
+	stop
+	;;
+  reload)
+	reload
+	;;
+  force-reload|restart)
+	stop
+	sleep 1
+	start
+	RETVAL=$?
+	;;
+  condrestart|try-restart)
+	if [ -f $lockfile ]; then
+	    stop
+	    sleep 3
+	    start
+	fi
+	;;
+  status)
+	status -p $pidfile $exec
+	RETVAL=$?
+	;;
+  *)
+	echo $"Usage: $0 {condrestart|try-restart|start|stop|restart|reload|force-reload|status}"
+	RETVAL=2
+	[ "$1" = 'usage' ] && RETVAL=0
+esac
+
+exit $RETVAL
+

SOURCES/dovecot.pam

@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth       required     pam_nologin.so
+auth       include      password-auth
+account    include      password-auth
+session    include      password-auth

SOURCES/dovecot.sysconfig

@@ -0,0 +1,3 @@
+# Here you can specify your dovecot command line options.
+#
+#OPTIONS=""

SOURCES/dovecot.sysusers

@@ -0,0 +1,9 @@
+#Type Name    ID    GECOS                       Home directory       Shell
+g     dovecot 97
+u     dovecot 97   "Dovecot IMAP server"        /usr/libexec/dovecot /sbin/nologin
+m     dovecot dovecot
+
+g     dovenull -
+u     dovenull -   "Dovecot - unauthorized user" /usr/libexec/dovecot /sbin/nologin
+m     dovenull dovenull
+

SOURCES/dovecot.tmpfilesd

@@ -0,0 +1,2 @@
+d /run/dovecot 0755 root dovecot -
+

SOURCES/prestartscript

@@ -0,0 +1,3 @@
+#!/bin/sh
+/bin/systemctl -q is-enabled NetworkManager.service >/dev/null 2>&1 && /usr/bin/nm-online -q --timeout 30 ||:
+