imap/httpd: remove DIGEST-MD5

DIGEST-MD5 is declared Historic by RFC 6331 and is removed from Cyrus SASL by cyrusimap/cyrus-sasl@2ce03b6 imap/rfc-support.rst: remove some references to DIGEST-MD5.
dilyanpalauzov · Oct 7, 2023 · bc7d0a0 · bc7d0a0
1 parent 264b7d9
commit bc7d0a0
Show file tree

Hide file tree

Showing 9 changed files with 26 additions and 73 deletions.
diff --git a/changes/next/httpd_remove_digestmd5 b/changes/next/httpd_remove_digestmd5
@@ -0,0 +1,11 @@
+Description:
+
+Remove DIGEST-MD5 from httpd and imtest.
+
+Config changes:
+
+In imapd.conf remove sasl_mech_list: DIGEST-MD5
+
+Upgrade instructions:
+
+None
diff --git a/cunit/backend.testc b/cunit/backend.testc
@@ -24,7 +24,6 @@
 struct server_config {
     int sasl_plain;
     int sasl_login;
-    int sasl_digestmd5;
     int starttls;
     int deflate;
     int caps_one_per_line;
@@ -71,7 +70,6 @@ static struct server_state *server_state;
 static const struct server_config default_server_config = {
     .sasl_plain = 1,
     .sasl_login = 0,
-    .sasl_digestmd5 = 0,
     .starttls = 0,
     .deflate = 0,
     .caps_one_per_line = 1
@@ -582,38 +580,6 @@ static void not_test_sasl_login(void)
 }
 #endif
 
-/*
- * Test authenticating with the DIGEST-MD5 mechanism.
- */
-static void test_sasl_digestmd5(void)
-{
-    struct backend *be;
-    const char *auth_status = NULL;
-    char *mechs;
-    int r;
-
-    default_conditions();
-    server_state->config.sasl_plain = 0;
-    server_state->config.sasl_digestmd5 = 1;
-
-    be = backend_connect(NULL, HOST, &test_prot,
-                         USERID, callbacks, &auth_status, /*fd*/-1);
-    CU_ASSERT_PTR_NOT_NULL_FATAL(be);
-    CU_ASSERT_EQUAL(server_state->is_connected, 1);
-    CU_ASSERT_EQUAL(server_state->is_authenticated, 1);
-    CU_ASSERT_EQUAL(server_state->is_tls, 0);
-
-    mechs = backend_get_cap_params(be, CAPA_AUTH);
-    CU_ASSERT_STRING_EQUAL(mechs, "DIGEST-MD5");
-    free(mechs);
-
-    r = backend_ping(be, NULL);
-    CU_ASSERT_EQUAL(r, 0);
-
-    backend_disconnect(be);
-    free(be);
-}
-
 /* Common routine to test the semantics of capabilities */
 static void caps_common(void)
 {
@@ -1036,7 +1002,6 @@ static void server_emit_caps(struct server_state *state)
     if (!state->config.starttls || state->is_tls) {
         int got_login = 0;
         int got_plain = 0;
-        int got_digestmd5 = 0;
 
         /* First see what mechanisms SASL has; no point reporting
          * mechanisms which aren't actually available. */
@@ -1057,10 +1022,6 @@ static void server_emit_caps(struct server_state *state)
                 words[n++] = "PLAIN";
                 got_plain = 1;
             }
-            if (!strcasecmp(p, "DIGEST-MD5") && state->config.sasl_digestmd5) {
-                words[n++] = "DIGEST-MD5";
-                got_digestmd5 = 1;
-            }
         }
         words[n++] = NULL;
         free(b);
@@ -1071,9 +1032,6 @@ static void server_emit_caps(struct server_state *state)
         if (state->config.sasl_plain && !got_plain)
             fprintf(stderr, "Server failed to find requested "
                             "SASL mechanism \"PLAIN\"\n");
-        if (state->config.sasl_digestmd5 && !got_digestmd5)
-            fprintf(stderr, "Server failed to find requested "
-                            "SASL mechanism \"DIGEST-MD5\"\n");
     }
 
     /*
@@ -1462,8 +1420,7 @@ static AUXPROP_RTYPE server_auxprop_lookup(void *glob_context __attribute__((unu
     if (!prop)
         return AUXPROP_RET;
     for ( ; prop->name ; prop++) {
-        if (!strcmp(prop->name, "*userPassword") ||
-            !strcmp(prop->name, "*cmusaslsecretDIGEST-MD5")) {
+        if (!strcmp(prop->name, "*userPassword")) {
             if (prop->values)
                 sparams->utils->prop_erase(sparams->propctx, prop->name);
             sparams->utils->prop_set(sparams->propctx, prop->name,
@@ -1476,7 +1433,7 @@ static AUXPROP_RTYPE server_auxprop_lookup(void *glob_context __attribute__((unu
 
 /*
  * Helps create a fake "auxiliary property plugin" for the SASL library,
- * which is how we hook into the DIGEST-MD5 mechanism when it wants to
+ * which is how we hook into the DIGEST-MD5? mechanism when it wants to
  * get a plaintext password to check against the hash received from the
  * client.
  */

diff --git a/docsrc/assets/man-imtest.rst b/docsrc/assets/man-imtest.rst
@@ -56,7 +56,7 @@ Options
 
     .. Note::
         This is only used with SASL mechanisms that allow proxying
-        (e.g. PLAIN, DIGEST-MD5).
+        (e.g. PLAIN).
 
 .. option:: -k num, --minssf=num
 
@@ -73,7 +73,7 @@ Options
 .. option:: -r realm, --realm=realm
 
     Specify the *realm* to use. Certain authentication mechanisms
-    (e.g. DIGEST-MD5) may require one to specify the realm.
+    may require one to specify the realm.
 
 .. option:: -f file, --input-filename=file
 
@@ -82,8 +82,7 @@ Options
 .. option:: -n num, --reauth-attempts=num
 
     Number of authentication attempts; default = 1.  The client will
-    attempt to do SSL/TLS session reuse and/or fast reauth
-    (e.g. DIGEST-MD5), if possible.
+    attempt to do SSL/TLS session reuse and/or fast reauth if possible.
 
 .. option:: -s, --require-tls
 

diff --git a/docsrc/imap/download/installation/manage-dav.rst b/docsrc/imap/download/installation/manage-dav.rst
@@ -85,8 +85,8 @@ authentication does not depend on a Cyrus SASL plugin.
 
 The advertisement of the other HTTP authentication schemes is controlled by the
 :ref:`SASL mech_list option <cyrussasl:options>` option. For Cyrus httpd
-the DIGEST-MD5, GSS-SPNEGO, NTLM, SCRAM-SHA-1, and SCRAM-SHA-256 values enable
-support for the Digest, Negotiate (Kerberos only), NTLM, SCRAM-SHA-1, and
+the GSS-SPNEGO, NTLM, SCRAM-SHA-1, and SCRAM-SHA-256 values enable
+support for the Negotiate (Kerberos only), NTLM, SCRAM-SHA-1, and
 SCRAM-SHA-256 authentication schemes respectively, provided that the plugins
 are installed on the server.
 

diff --git a/docsrc/imap/rfc-support.rst b/docsrc/imap/rfc-support.rst
@@ -162,7 +162,11 @@ The following is an inventory of RFCs supported by Cyrus IMAP.
 :rfc:`2617`
 
     HTTP Authentication: Basic and Digest Access Authentication,
-    updated by :rfc:`7615`, :rfc:`7616`, :rfc:`7617`.
+    updated by :rfc:`7616`, :rfc:`7617`, :rfc:`9110`.
+
+    .. NOTE::
+
+        RFC 6331 declares DIGEST-MD5 as Historic.
 
 :rfc:`2817`
 
@@ -180,10 +184,6 @@ The following is an inventory of RFCs supported by Cyrus IMAP.
 
     Internet Message Format
 
-:rfc:`2831`
-
-    Using Digest Authentication as a SASL Mechanism
-
 :rfc:`2920`
 
     SMTP Service Extension for Command Pipelining
@@ -749,7 +749,7 @@ The following is an inventory of RFCs supported by Cyrus IMAP.
 :rfc:`7615`
 
     HTTP Authentication-Info and Proxy-Authentication-Info Response
-    Header Fields
+    Header Fields, obsoleted by :rfc:`9110`.
 
 :rfc:`7616`
 

diff --git a/imap/httpd.c b/imap/httpd.c
@@ -451,8 +451,6 @@ struct auth_scheme_t auth_schemes[] = {
     { AUTH_SCRAM_SHA1, "SCRAM-SHA-1", "SCRAM-SHA-1",
       AUTH_NEED_PERSIST | AUTH_SERVER_FIRST | AUTH_BASE64 |
       AUTH_REALM_PARAM | AUTH_DATA_PARAM },
-    { AUTH_DIGEST, "Digest", HTTP_DIGEST_MECH,
-      AUTH_NEED_REQUEST | AUTH_SERVER_FIRST },
     { AUTH_NTLM, "NTLM", "NTLM",
       AUTH_NEED_PERSIST | AUTH_BASE64 },
     { AUTH_BEARER, "Bearer", NULL,

diff --git a/imap/httpd.h b/imap/httpd.h
@@ -93,10 +93,8 @@
 
 /* SASL usage based on availability */
 #if defined(SASL_NEED_HTTP) && defined(SASL_HTTP_REQUEST)
-  #define HTTP_DIGEST_MECH "DIGEST-MD5"
   #define SASL_USAGE_FLAGS (SASL_NEED_HTTP | SASL_SUCCESS_DATA)
 #else
-  #define HTTP_DIGEST_MECH NULL  /* not supported by our SASL version */
   #define SASL_USAGE_FLAGS SASL_SUCCESS_DATA
 #endif /* SASL_NEED_HTTP */
 
@@ -185,7 +183,6 @@ struct auth_scheme_t {
 /* Auth scheme identifiers */
 enum {
     AUTH_BASIC        = (1<<0),
-    AUTH_DIGEST       = (1<<1),
     AUTH_SPNEGO       = (1<<2),
     AUTH_NTLM         = (1<<3),
     AUTH_BEARER       = (1<<4),

diff --git a/imtest/imtest.c b/imtest/imtest.c
@@ -2359,10 +2359,6 @@ static void http_parse_mechlist(struct buf *ret, const char *str,
         *capabilities |= CAPA_LOGIN;
         return;
     }
-    else if (len == 6 && !strncmp(scheme, "Digest", len)) {
-        scheme = "DIGEST-MD5";
-        len = strlen(scheme);
-    }
     else if (len == 9 && !strncmp(scheme, "Negotiate", len)) {
         scheme = "GSS-SPNEGO";
         len = strlen(scheme);
@@ -2459,10 +2455,6 @@ static int auth_http_sasl(const char *servername, const char *mechlist)
         return saslresult;
     }
 
-    if (!strcmp(mechusing, "DIGEST-MD5")) {
-        mechusing = "Digest";
-        do_base64 = 0;
-    }
     else if (!strcmp(mechusing, "GSS-SPNEGO")) {
         mechusing = "Negotiate";
     }
@@ -2668,8 +2660,7 @@ static int http_do_auth(struct sasl_cmd_t *sasl_cmd __attribute__((unused)),
                 result = auth_http_basic(servername);
             }
         } else {
-            if (!strcasecmp(mech, "digest")) mech = "DIGEST-MD5";
-            else if (!strcasecmp(mech, "negotiate")) mech = "GSS-SPNEGO";
+            if (!strcasecmp(mech, "negotiate")) mech = "GSS-SPNEGO";
 
             if (!mechlist || !stristr(mechlist, mech)) {
                 printf("[Server did not advertise HTTP %s]\n", ucase(mech));

diff --git a/perl/imap/IMAP/Shell.pm b/perl/imap/IMAP/Shell.pm
@@ -1766,7 +1766,7 @@ Connect to the *server* specified on the port specified.
 
 =item C<--auth> I<mechanism>
 
-Use the mechanism specified to authenticate. One of PLAIN, LOGIN, DIGEST-MD5, etc.
+Use the mechanism specified to authenticate. One of PLAIN, LOGIN, etc.
 
 =item C<--help>