net-mail/dovecot: test fixes, hardening tweak

* Fix tests with GCC 15 (upstream PR#229, bug #939857). The test had
  a bogus assertion which was exposed by GCC 15.

* Fix tests with LTO (upstream PR#230). I was convinced that I'd backported
  these fixes already but apparently not. This one fixes a real problem
  where dovecot would be miscompiled because of strict aliasing violations
  in the md4+md5 code. Thanks to parona for the help with (re-)testing it
  and confirming the fixes.

* Pass --disable-hardening because it just copies the defaults even on
  vanilla profiles these days. For hardened, it actually makes things
  less safe because it does -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 which
  overrides the default of -D_FORTIFY_SOURCE=3 there.

Closes: https://bugs.gentoo.org/939857
Signed-off-by: Sam James <sam@gentoo.org>

3 files changed, 425 insertions, 0 deletions

diff --git a/net-mail/dovecot/dovecot-2.3.21.1-r1.ebuild b/net-mail/dovecot/dovecot-2.3.21.1-r1.ebuild
new file mode 100644
index 000000000000..2378c7ca8d93
--- /dev/null
+++ b/net-mail/dovecot/dovecot-2.3.21.1-r1.ebuild
@@ -0,0 +1,309 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+LUA_COMPAT=( lua5-1 lua5-3 )
+# do not add a ssl USE flag.  ssl is mandatory
+SSL_DEPS_SKIP=1
+inherit autotools flag-o-matic lua-single ssl-cert systemd toolchain-funcs
+
+MY_P="${P/_/.}"
+#MY_S="${PN}-ce-${PV}"
+major_minor="$(ver_cut 1-2)"
+sieve_version="0.5.21.1"
+if [[ ${PV} == *_rc* ]]; then
+	rc_dir="rc/"
+else
+	rc_dir=""
+fi
+
+DESCRIPTION="An IMAP and POP3 server written with security primarily in mind"
+HOMEPAGE="https://www.dovecot.org/"
+SRC_URI="https://dovecot.org/releases/${major_minor}/${rc_dir}${MY_P}.tar.gz
+	sieve? (
+	https://pigeonhole.dovecot.org/releases/${major_minor}/${rc_dir}${PN}-${major_minor}-pigeonhole-${sieve_version}.tar.gz
+	)
+	managesieve? (
+	https://pigeonhole.dovecot.org/releases/${major_minor}/${rc_dir}${PN}-${major_minor}-pigeonhole-${sieve_version}.tar.gz
+	) "
+S="${WORKDIR}/${MY_P}"
+LICENSE="LGPL-2.1 MIT"
+SLOT="0/${PV}"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+
+IUSE_DOVECOT_AUTH="kerberos ldap lua mysql pam postgres sqlite"
+IUSE_DOVECOT_COMPRESS="lz4 zstd"
+IUSE_DOVECOT_OTHER="argon2 caps doc lucene managesieve rpc
+	selinux sieve solr static-libs stemmer suid systemd tcpd textcat unwind"
+
+IUSE="${IUSE_DOVECOT_AUTH} ${IUSE_DOVECOT_COMPRESS} ${IUSE_DOVECOT_OTHER}"
+
+REQUIRED_USE="lua? ( ${LUA_REQUIRED_USE} )"
+
+DEPEND="
+	app-arch/bzip2
+	app-arch/xz-utils
+	dev-libs/icu:=
+	dev-libs/openssl:0=
+	sys-libs/zlib:=
+	virtual/libiconv
+	argon2? ( dev-libs/libsodium:= )
+	caps? ( sys-libs/libcap )
+	kerberos? ( virtual/krb5 )
+	ldap? ( net-nds/openldap:= )
+	lua? ( ${LUA_DEPS} )
+	lucene? ( >=dev-cpp/clucene-2.3 )
+	lz4? ( app-arch/lz4 )
+	mysql? ( dev-db/mysql-connector-c:0= )
+	pam? ( sys-libs/pam:= )
+	postgres? ( dev-db/postgresql:* )
+	rpc? ( net-libs/libtirpc:= net-libs/rpcsvc-proto )
+	selinux? ( sec-policy/selinux-dovecot )
+	solr? ( net-misc/curl dev-libs/expat )
+	sqlite? ( dev-db/sqlite:* )
+	stemmer? ( dev-libs/snowball-stemmer:= )
+	suid? ( acct-group/mail )
+	systemd? ( sys-apps/systemd:= )
+	tcpd? ( sys-apps/tcp-wrappers )
+	textcat? ( app-text/libexttextcat )
+	unwind? ( sys-libs/libunwind:= )
+	zstd? ( app-arch/zstd:= )
+	virtual/libcrypt:=
+	"
+
+RDEPEND="
+	${DEPEND}
+	acct-group/dovecot
+	acct-group/dovenull
+	acct-user/dovecot
+	acct-user/dovenull
+	net-mail/mailbase[pam?]
+	"
+
+PATCHES=(
+	"${FILESDIR}/${PN}"-autoconf-lua-version-v2.patch
+	"${FILESDIR}/${PN}"-socket-name-too-long.patch
+	"${FILESDIR}/${PN}"-2.3.19.1-slibtool.patch # 782631
+	"${FILESDIR}"/CVE-2022-30550.patch
+	"${FILESDIR}/${PN}"-openssl-3.patch
+	"${FILESDIR}/${PN}"-typo-push.patch
+	"${FILESDIR}/${PN}"-2.3.21.1-lto-tests.patch
+	"${FILESDIR}/${PN}"-2.3.21.1-gcc15-test.patch
+)
+
+pkg_setup() {
+	use lua && lua-single_pkg_setup
+	if use managesieve && ! use sieve; then
+		ewarn "managesieve USE flag selected but sieve USE flag unselected"
+		ewarn "sieve USE flag will be turned on"
+	fi
+}
+
+src_prepare() {
+	default
+	# bug 657108, 782631
+	#elibtoolize
+	eautoreconf
+
+	# Bug #727244
+	append-cflags -fasynchronous-unwind-tables
+}
+
+src_configure() {
+	local conf=""
+
+	if use postgres || use mysql || use sqlite; then
+		conf="${conf} --with-sql"
+	fi
+
+	# --disable-hardening because our toolchain already defaults to
+	# these bits on, and it actually regresses the default _FORTIFY_SOURCE
+	# level for hardened at least from 3 to 2.
+	#
+	# turn valgrind tests off. Bug #340791
+	VALGRIND=no \
+	LUAPC="${ELUA}" \
+	systemdsystemunitdir="$(systemd_get_systemunitdir)" \
+	econf \
+		--with-rundir="${EPREFIX}/run/dovecot" \
+		--with-statedir="${EPREFIX}/var/lib/dovecot" \
+		--with-moduledir="${EPREFIX}/usr/$(get_libdir)/dovecot" \
+		--disable-hardening \
+		--disable-rpath \
+		--with-bzlib \
+		--without-libbsd \
+		--with-lzma \
+		--with-icu \
+		--with-ssl \
+		--with-zlib \
+		$( use_with argon2 sodium ) \
+		$( use_with caps libcap ) \
+		$( use_with kerberos gssapi ) \
+		$( use_with lua ) \
+		$( use_with ldap ) \
+		$( use_with lucene ) \
+		$( use_with lz4 ) \
+		$( use_with mysql ) \
+		$( use_with pam ) \
+		$( use_with postgres pgsql ) \
+		$( use_with sqlite ) \
+		$( use_with solr ) \
+		$( use_with stemmer ) \
+		$( use_with systemd ) \
+		$( use_with tcpd libwrap ) \
+		$( use_with textcat ) \
+		$( use_with unwind libunwind ) \
+		$( use_with zstd ) \
+		$( use_enable static-libs static ) \
+		${conf}
+
+	if use sieve || use managesieve; then
+		# The sieve plugin needs this file to be build to determine the plugin
+		# directory and the list of libraries to link to.
+		emake dovecot-config
+		cd "../dovecot-${major_minor}-pigeonhole-${sieve_version}" || die "cd failed"
+		econf \
+			$( use_enable static-libs static ) \
+			--localstatedir="${EPREFIX}/var" \
+			--enable-shared \
+			--with-dovecot="${S}" \
+			$( use_with ldap ) \
+			$( use_with managesieve )
+	fi
+}
+
+src_compile() {
+	default
+	if use sieve || use managesieve; then
+		cd "../dovecot-${major_minor}-pigeonhole-${sieve_version}" || die "cd failed"
+		emake CC="$(tc-getCC)" CFLAGS="${CFLAGS}"
+	fi
+}
+
+src_test() {
+	# bug #340791 and bug #807178
+	local -x NOVALGRIND=true
+
+	default
+	if use sieve || use managesieve; then
+		cd "../dovecot-${major_minor}-pigeonhole-${sieve_version}" || die "cd failed"
+		default
+	fi
+}
+
+src_install() {
+	default
+
+	if use suid; then
+		einfo "Changing perms to allow deliver to be suided"
+		fowners root:mail "/usr/libexec/dovecot/dovecot-lda"
+		fperms 4750 "/usr/libexec/dovecot/dovecot-lda"
+	fi
+
+	newinitd "${FILESDIR}"/dovecot.init-r6 dovecot
+
+	rm -rf "${ED}"/usr/share/doc/dovecot
+
+	dodoc AUTHORS NEWS README TODO
+	dodoc doc/*.{txt,cnf,xml,sh}
+	docinto example-config
+	dodoc doc/example-config/*.{conf,ext}
+	docinto example-config/conf.d
+	dodoc doc/example-config/conf.d/*.{conf,ext}
+	docinto wiki
+	dodoc doc/wiki/*
+	doman doc/man/*.{1,7}
+
+	# Create the dovecot.conf file from the dovecot-example.conf file that
+	# the dovecot folks nicely left for us....
+	local conf="${ED}/etc/dovecot/dovecot.conf"
+	local confd="${ED}/etc/dovecot/conf.d"
+
+	insinto /etc/dovecot
+	doins doc/example-config/*.{conf,ext}
+	insinto /etc/dovecot/conf.d
+	doins doc/example-config/conf.d/*.{conf,ext}
+	fperms 0600 /etc/dovecot/dovecot-{ldap,sql}.conf.ext
+	rm -f "${confd}/../README"
+
+	# .maildir is the Gentoo default
+	local mail_location="maildir:~/.maildir"
+	sed -i -e \
+		"s|#mail_location =|mail_location = ${mail_location}|" \
+		"${confd}/10-mail.conf" \
+		|| die "failed to update mail location settings in 10-mail.conf"
+
+	# We're using pam files (imap and pop3) provided by mailbase
+	if use pam; then
+		sed -i -e '/driver = pam/,/^[ \t]*}/ s|#args = dovecot|args = "\*"|' \
+			"${confd}/auth-system.conf.ext" \
+			|| die "failed to update PAM settings in auth-system.conf.ext"
+		# mailbase does not provide a sieve pam file
+		use managesieve && dosym imap /etc/pam.d/sieve
+		sed -i -e \
+			's/#!include auth-system.conf.ext/!include auth-system.conf.ext/' \
+			"${confd}/10-auth.conf" \
+			|| die "failed to update PAM settings in 10-auth.conf"
+	fi
+
+	# Update ssl cert locations
+	sed -i -e 's:^#ssl = yes:ssl = yes:' "${confd}/10-ssl.conf" \
+		|| die "ssl conf failed"
+	sed -i -e 's:^ssl_cert =.*:ssl_cert = </etc/ssl/dovecot/server.pem:' \
+		-e 's:^ssl_key =.*:ssl_key = </etc/ssl/dovecot/server.key:' \
+		"${confd}/10-ssl.conf" || die "failed to update SSL settings in 10-ssl.conf"
+
+	# Install SQL configuration
+	if use mysql || use postgres; then
+		sed -i -e \
+			's/#!include auth-sql.conf.ext/!include auth-sql.conf.ext/' \
+			"${confd}/10-auth.conf" || die "failed to update SQL settings in \
+			10-auth.conf"
+	fi
+
+	# Install LDAP configuration
+	if use ldap; then
+		sed -i -e \
+			's/#!include auth-ldap.conf.ext/!include auth-ldap.conf.ext/' \
+			"${confd}/10-auth.conf" \
+			|| die "failed to update ldap settings in 10-auth.conf"
+	fi
+
+	if use sieve || use managesieve; then
+		cd "../dovecot-${major_minor}-pigeonhole-${sieve_version}" || die "cd failed"
+		emake DESTDIR="${ED}" install
+		sed -i -e \
+			's/^[[:space:]]*#mail_plugins = $mail_plugins/mail_plugins = sieve/' "${confd}/15-lda.conf" \
+			|| die "failed to update sieve settings in 15-lda.conf"
+		rm -rf "${ED}"/usr/share/doc/dovecot
+		docinto example-config/conf.d
+		dodoc doc/example-config/conf.d/*.conf
+		insinto /etc/dovecot/conf.d
+		doins doc/example-config/conf.d/90-sieve{,-extprograms}.conf
+		use managesieve && doins doc/example-config/conf.d/20-managesieve.conf
+		docinto sieve/rfc
+		dodoc doc/rfc/*.txt
+		docinto sieve/devel
+		dodoc doc/devel/DESIGN
+		docinto plugins
+		dodoc doc/plugins/*.txt
+		docinto extensions
+		dodoc doc/extensions/*.txt
+		docinto locations
+		dodoc doc/locations/*.txt
+		doman doc/man/*.{1,7}
+	fi
+
+	use static-libs || find "${ED}"/usr/lib* -name '*.la' -delete
+}
+
+pkg_postinst() {
+	# Let's not make a new certificate if we already have one
+	if ! [[ -e "${ROOT}"/etc/ssl/dovecot/server.pem && \
+		-e "${ROOT}"/etc/ssl/dovecot/server.key ]];	then
+		einfo "Creating SSL	certificate"
+		SSL_ORGANIZATION="${SSL_ORGANIZATION:-Dovecot IMAP Server}"
+		install_cert /etc/ssl/dovecot/server
+	fi
+}
diff --git a/net-mail/dovecot/files/dovecot-2.3.21.1-gcc15-test.patch b/net-mail/dovecot/files/dovecot-2.3.21.1-gcc15-test.patch
new file mode 100644
index 000000000000..774fe67f9659
--- /dev/null
+++ b/net-mail/dovecot/files/dovecot-2.3.21.1-gcc15-test.patch
@@ -0,0 +1,30 @@
+https://github.com/dovecot/core/pull/229
+
+From aaeabfec1abd0d4f2b68819a1afee51defd62e3c Mon Sep 17 00:00:00 2001
+From: Sam James <sam@gentoo.org>
+Date: Sat, 28 Dec 2024 13:17:24 +0000
+Subject: [PATCH] lib: test-data-stack - Drop bogus assertion
+
+This assertion goes back to 992a1726a41b42fa47204565ff17f7c635fcb421 when
+test-data-stack.c was added.
+
+It starts to fail with (upcoming) GCC 15 which has improvements for
+optimising out redundant pointer-vs-pointer comparisons, specifically
+r15-580-gf3e5f4c58591f5 for gcc bug PR13962.
+
+Anyway, this is a problem for this assertion because t_malloc_no0
+is marked with `__attribute__((malloc))` which guarantees that the
+returned pointer doesn't alias, hence a == b must be false.
+
+Bug: https://bugs.gentoo.org/939857
+--- a/src/lib/test-data-stack.c
++++ b/src/lib/test-data-stack.c
+@@ -188,7 +188,6 @@ static void test_ds_buffers(void)
+ 		void *b = t_buffer_get(1000);
+ 		void *a = t_malloc_no0(1);
+ 		void *b2 = t_buffer_get(1001);
+-		test_assert(a == b); /* expected, not guaranteed */
+ 		test_assert(b2 != b);
+ 	} T_END;
+ 	test_end();
+
diff --git a/net-mail/dovecot/files/dovecot-2.3.21.1-lto-tests.patch b/net-mail/dovecot/files/dovecot-2.3.21.1-lto-tests.patch
new file mode 100644
index 000000000000..9173674ef1a1
--- /dev/null
+++ b/net-mail/dovecot/files/dovecot-2.3.21.1-lto-tests.patch
@@ -0,0 +1,86 @@
+https://github.com/dovecot/core/pull/230
+
+From 33cda8cbbc445d27ce38234b17442a9abe66167f Mon Sep 17 00:00:00 2001
+From: Martin Liska <mliska@suse.cz>
+Date: Fri, 24 Mar 2023 13:33:13 +0100
+Subject: [PATCH 1/2] lib: md4 - Fix violation of strict aliasing.
+
+Fix miscompilation when LTO is enabled.
+
+(cherry picked from commit f0c1cf42ea78d22e2674b03fe65f0ee6545c5b99)
+--- a/src/lib/md4.c
++++ b/src/lib/md4.c
+@@ -34,23 +34,6 @@
+ 	(a) = ((a) << (s)) | ((a) >> (32 - (s)))
+ 
+ 
+-/*
+- * SET reads 4 input bytes in little-endian byte order and stores them
+- * in a properly aligned word in host byte order.
+- *
+- * The check for little-endian architectures which tolerate unaligned
+- * memory accesses is just an optimization.  Nothing will break if it
+- * doesn't work.
+- */
+-#if defined(__i386__) || defined(__x86_64__) || defined(__vax__)
+-/* uint_fast32_t might be 64 bit, and thus may read 4 more bytes
+- * beyond the end of the buffer. So only read precisely 32 bits
+- */
+-#define SET(n)				\
+-	(*(const uint32_t *)&ptr[(n) * 4])
+-#define GET(n) \
+-	SET(n)
+-#else
+ #define SET(n) \
+ 	(ctx->block[(n)] = \
+ 	(uint_fast32_t)ptr[(n) * 4] | \
+@@ -59,7 +42,6 @@
+ 	((uint_fast32_t)ptr[(n) * 4 + 3] << 24))
+ #define GET(n) \
+ 	(ctx->block[(n)])
+-#endif
+ 
+ /*
+  * This processes one or more 64-byte data blocks, but does NOT update
+
+From 6cdd0b1428ab393ec5996ed10a98e7a7043c501f Mon Sep 17 00:00:00 2001
+From: Sam James <sam@gentoo.org>
+Date: Mon, 27 Mar 2023 02:25:12 +0100
+Subject: [PATCH 2/2] lib: md5: Fix strict aliasing violation
+
+Followup to f0c1cf42ea78d22e2674b03fe65f0ee6545c5b99. It's exactly the
+same code as in md4, so let's rip it out here too.
+
+(cherry picked from commit 6de2e4ac0b9abd4ab09b68f1f7e5f032705080b1)
+--- a/src/lib/md5.c
++++ b/src/lib/md5.c
+@@ -38,20 +38,6 @@
+ 	(a) = (((a) << (s)) | (((a) & 0xffffffff) >> (32 - (s)))); \
+ 	(a) += (b);
+ 
+-/*
+- * SET reads 4 input bytes in little-endian byte order and stores them
+- * in a properly aligned word in host byte order.
+- *
+- * The check for little-endian architectures which tolerate unaligned
+- * memory accesses is just an optimization.  Nothing will break if it
+- * doesn't work.
+- */
+-#if defined(__i386__) || defined(__x86_64__) || defined(__vax__)
+-#define SET(n) \
+-	(*(const uint32_t *)&ptr[(n) * 4])
+-#define GET(n) \
+-	SET(n)
+-#else
+ #define SET(n) \
+ 	(ctx->block[(n)] = \
+ 	(uint_fast32_t)ptr[(n) * 4] | \
+@@ -60,7 +46,6 @@
+ 	((uint_fast32_t)ptr[(n) * 4 + 3] << 24))
+ #define GET(n) \
+ 	(ctx->block[(n)])
+-#endif
+ 
+ /*
+  * This processes one or more 64-byte data blocks, but does NOT update
+