From bc7d0a0069ae125ddb593931c8198eb23b77631d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=94=D0=B8=D0=BB=D1=8F=D0=BD=20=D0=9F=D0=B0=D0=BB=D0=B0?= =?UTF-8?q?=D1=83=D0=B7=D0=BE=D0=B2?= Date: Sat, 7 Oct 2023 16:34:55 +0000 Subject: [PATCH] imap/httpd: remove DIGEST-MD5 DIGEST-MD5 is declared Historic by RFC 6331 and is removed from Cyrus SASL by https://github.com/cyrusimap/cyrus-sasl/commit/2ce03b618ad60338e8f9094f5b7ba7ee0aef40bf imap/rfc-support.rst: remove some references to DIGEST-MD5. --- changes/next/httpd_remove_digestmd5 | 11 +++++ cunit/backend.testc | 47 +------------------ docsrc/assets/man-imtest.rst | 7 ++- .../imap/download/installation/manage-dav.rst | 4 +- docsrc/imap/rfc-support.rst | 12 ++--- imap/httpd.c | 2 - imap/httpd.h | 3 -- imtest/imtest.c | 11 +---- perl/imap/IMAP/Shell.pm | 2 +- 9 files changed, 26 insertions(+), 73 deletions(-) create mode 100644 changes/next/httpd_remove_digestmd5 diff --git a/changes/next/httpd_remove_digestmd5 b/changes/next/httpd_remove_digestmd5 new file mode 100644 index 00000000000..859f6d1c218 --- /dev/null +++ b/changes/next/httpd_remove_digestmd5 @@ -0,0 +1,11 @@ +Description: + +Remove DIGEST-MD5 from httpd and imtest. + +Config changes: + +In imapd.conf remove sasl_mech_list: DIGEST-MD5 + +Upgrade instructions: + +None diff --git a/cunit/backend.testc b/cunit/backend.testc index 2326e866a20..3d962eb356e 100644 --- a/cunit/backend.testc +++ b/cunit/backend.testc @@ -24,7 +24,6 @@ struct server_config { int sasl_plain; int sasl_login; - int sasl_digestmd5; int starttls; int deflate; int caps_one_per_line; @@ -71,7 +70,6 @@ static struct server_state *server_state; static const struct server_config default_server_config = { .sasl_plain = 1, .sasl_login = 0, - .sasl_digestmd5 = 0, .starttls = 0, .deflate = 0, .caps_one_per_line = 1 
@@ -582,38 +580,6 @@ static void not_test_sasl_login(void) } #endif -/* - * Test authenticating with the DIGEST-MD5 mechanism. - */ -static void test_sasl_digestmd5(void) -{ - struct backend *be; - const char *auth_status = NULL; - char *mechs; - int r; - - default_conditions(); - server_state->config.sasl_plain = 0; - server_state->config.sasl_digestmd5 = 1; - - be = backend_connect(NULL, HOST, &test_prot, - USERID, callbacks, &auth_status, /*fd*/-1); - CU_ASSERT_PTR_NOT_NULL_FATAL(be); - CU_ASSERT_EQUAL(server_state->is_connected, 1); - CU_ASSERT_EQUAL(server_state->is_authenticated, 1); - CU_ASSERT_EQUAL(server_state->is_tls, 0); - - mechs = backend_get_cap_params(be, CAPA_AUTH); - CU_ASSERT_STRING_EQUAL(mechs, "DIGEST-MD5"); - free(mechs); - - r = backend_ping(be, NULL); - CU_ASSERT_EQUAL(r, 0); - - backend_disconnect(be); - free(be); -} - /* Common routine to test the semantics of capabilities */ static void caps_common(void) { @@ -1036,7 +1002,6 @@ static void server_emit_caps(struct server_state *state) if (!state->config.starttls || state->is_tls) { int got_login = 0; int got_plain = 0; - int got_digestmd5 = 0; /* First see what mechanisms SASL has; no point reporting * mechanisms which aren't actually available. */ @@ -1057,10 +1022,6 @@ static void server_emit_caps(struct server_state *state) words[n++] = "PLAIN"; got_plain = 1; } - if (!strcasecmp(p, "DIGEST-MD5") && state->config.sasl_digestmd5) { - words[n++] = "DIGEST-MD5"; - got_digestmd5 = 1; - } } words[n++] = NULL; free(b); @@ -1071,9 +1032,6 @@ static void server_emit_caps(struct server_state *state) if (state->config.sasl_plain && !got_plain) fprintf(stderr, "Server failed to find requested " "SASL mechanism \"PLAIN\"\n"); - if (state->config.sasl_digestmd5 && !got_digestmd5) - fprintf(stderr, "Server failed to find requested " - "SASL mechanism \"DIGEST-MD5\"\n"); } /* 
@@ -1462,8 +1420,7 @@ static AUXPROP_RTYPE server_auxprop_lookup(void *glob_context __attribute__((unu if (!prop) return AUXPROP_RET; for ( ; prop->name ; prop++) { - if (!strcmp(prop->name, "*userPassword") || - !strcmp(prop->name, "*cmusaslsecretDIGEST-MD5")) { + if (!strcmp(prop->name, "*userPassword")) { if (prop->values) sparams->utils->prop_erase(sparams->propctx, prop->name); sparams->utils->prop_set(sparams->propctx, prop->name, @@ -1476,7 +1433,7 @@ static AUXPROP_RTYPE server_auxprop_lookup(void *glob_context __attribute__((unu /* * Helps create a fake "auxiliary property plugin" for the SASL library, - * which is how we hook into the DIGEST-MD5 mechanism when it wants to + * which is how we hook into the DIGEST-MD5? mechanism when it wants to * get a plaintext password to check against the hash received from the * client. */ diff --git a/docsrc/assets/man-imtest.rst b/docsrc/assets/man-imtest.rst index 2d4b5303abc..51504c8f8be 100644 --- a/docsrc/assets/man-imtest.rst +++ b/docsrc/assets/man-imtest.rst @@ -56,7 +56,7 @@ Options .. Note:: This is only used with SASL mechanisms that allow proxying - (e.g. PLAIN, DIGEST-MD5). + (e.g. PLAIN). .. option:: -k num, --minssf=num @@ -73,7 +73,7 @@ Options .. option:: -r realm, --realm=realm Specify the *realm* to use. Certain authentication mechanisms - (e.g. DIGEST-MD5) may require one to specify the realm. + may require one to specify the realm. .. option:: -f file, --input-filename=file @@ -82,8 +82,7 @@ Options .. option:: -n num, --reauth-attempts=num Number of authentication attempts; default = 1. The client will - attempt to do SSL/TLS session reuse and/or fast reauth - (e.g. DIGEST-MD5), if possible. + attempt to do SSL/TLS session reuse and/or fast reauth if possible. .. option:: -s, --require-tls diff --git a/docsrc/imap/download/installation/manage-dav.rst b/docsrc/imap/download/installation/manage-dav.rst index e7836634819..1a508692315 100644 --- a/docsrc/imap/download/installation/manage-dav.rst 
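Review bot: The comment in the `@@ -1476,7 +1433,7 @@` hunk now reads `which is how we hook into the DIGEST-MD5? mechanism`, which only appends a question mark to a name this commit removes everywhere else, so it no longer documents anything. The lookup it introduces (the `@@ -1462` hunk above) now answers only for `*userPassword`, so the comment should state what the fake auxprop plugin still does, e.g. `* which is how we hand a plaintext "*userPassword" property to whatever` / `* SASL mechanism verifies the client's password through auxprop.`, and the following sentence about checking against a hash received from the client was DIGEST-MD5-specific and should be dropped. Which mechanism still consumes the property in this test server cannot be seen from the hunk. The function the comment describes starts after the hunk.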
+++ b/docsrc/imap/download/installation/manage-dav.rst @@ -85,8 +85,8 @@ authentication does not depend on a Cyrus SASL plugin. The advertisement of the other HTTP authentication schemes is controlled by the :ref:`SASL mech_list option ` option. For Cyrus httpd -the DIGEST-MD5, GSS-SPNEGO, NTLM, SCRAM-SHA-1, and SCRAM-SHA-256 values enable -support for the Digest, Negotiate (Kerberos only), NTLM, SCRAM-SHA-1, and +the GSS-SPNEGO, NTLM, SCRAM-SHA-1, and SCRAM-SHA-256 values enable +support for the Negotiate (Kerberos only), NTLM, SCRAM-SHA-1, and SCRAM-SHA-256 authentication schemes respectively, provided that the plugins are installed on the server. diff --git a/docsrc/imap/rfc-support.rst b/docsrc/imap/rfc-support.rst index 4b300ab86d0..7d0fe140eea 100644 --- a/docsrc/imap/rfc-support.rst +++ b/docsrc/imap/rfc-support.rst @@ -162,7 +162,11 @@ The following is an inventory of RFCs supported by Cyrus IMAP. :rfc:`2617` HTTP Authentication: Basic and Digest Access Authentication, - updated by :rfc:`7615`, :rfc:`7616`, :rfc:`7617`. + updated by :rfc:`7616`, :rfc:`7617`, :rfc:`9110`. + + .. NOTE:: + + RFC 6331 declares DIGEST-MD5 as Historic. :rfc:`2817` @@ -180,10 +184,6 @@ The following is an inventory of RFCs supported by Cyrus IMAP. Internet Message Format -:rfc:`2831` - - Using Digest Authentication as a SASL Mechanism - :rfc:`2920` SMTP Service Extension for Command Pipelining @@ -749,7 +749,7 @@ The following is an inventory of RFCs supported by Cyrus IMAP. :rfc:`7615` HTTP Authentication-Info and Proxy-Authentication-Info Response - Header Fields + Header Fields, obsoleted by :rfc:`9110`. :rfc:`7616` diff --git a/imap/httpd.c b/imap/httpd.c index 801c06c96ca..5f9032562a5 100644 --- a/imap/httpd.c +++ b/imap/httpd.c 
@@ -451,8 +451,6 @@ struct auth_scheme_t auth_schemes[] = { { AUTH_SCRAM_SHA1, "SCRAM-SHA-1", "SCRAM-SHA-1", AUTH_NEED_PERSIST | AUTH_SERVER_FIRST | AUTH_BASE64 | AUTH_REALM_PARAM | AUTH_DATA_PARAM }, - { AUTH_DIGEST, "Digest", HTTP_DIGEST_MECH, - AUTH_NEED_REQUEST | AUTH_SERVER_FIRST }, { AUTH_NTLM, "NTLM", "NTLM", AUTH_NEED_PERSIST | AUTH_BASE64 }, { AUTH_BEARER, "Bearer", NULL, diff --git a/imap/httpd.h b/imap/httpd.h index ce83feae6e8..993ae8184b2 100644 --- a/imap/httpd.h +++ b/imap/httpd.h @@ -93,10 +93,8 @@ /* SASL usage based on availability */ #if defined(SASL_NEED_HTTP) && defined(SASL_HTTP_REQUEST) - #define HTTP_DIGEST_MECH "DIGEST-MD5" #define SASL_USAGE_FLAGS (SASL_NEED_HTTP | SASL_SUCCESS_DATA) #else - #define HTTP_DIGEST_MECH NULL /* not supported by our SASL version */ #define SASL_USAGE_FLAGS SASL_SUCCESS_DATA #endif /* SASL_NEED_HTTP */ @@ -185,7 +183,6 @@ struct auth_scheme_t { /* Auth scheme identifiers */ enum { AUTH_BASIC = (1<<0), - AUTH_DIGEST = (1<<1), AUTH_SPNEGO = (1<<2), AUTH_NTLM = (1<<3), AUTH_BEARER = (1<<4), diff --git a/imtest/imtest.c b/imtest/imtest.c index c3bfe3125bd..b517f3288df 100644 --- a/imtest/imtest.c +++ b/imtest/imtest.c @@ -2359,10 +2359,6 @@ static void http_parse_mechlist(struct buf *ret, const char *str, *capabilities |= CAPA_LOGIN; return; } - else if (len == 6 && !strncmp(scheme, "Digest", len)) { - scheme = "DIGEST-MD5"; - len = strlen(scheme); - } else if (len == 9 && !strncmp(scheme, "Negotiate", len)) { scheme = "GSS-SPNEGO"; len = strlen(scheme); @@ -2459,10 +2455,6 @@ static int auth_http_sasl(const char *servername, const char *mechlist) return saslresult; } - if (!strcmp(mechusing, "DIGEST-MD5")) { - mechusing = "Digest"; - do_base64 = 0; - } else if (!strcmp(mechusing, "GSS-SPNEGO")) { mechusing = "Negotiate"; } 
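Review bot: Removing the `AUTH_DIGEST` row from `auth_schemes[]` leaves `AUTH_NEED_REQUEST` with no visible user in this table: the SCRAM and NTLM rows around it set only persist, server-first and base64 flags, and the Bearer row's flags are outside the hunk. If nothing else sets it, the flag in httpd.h and whatever code in httpd.c consults it (the request method/URI plumbing that Digest needed) are now dead and should either go in the same change or get a comment saying why they are kept. The table continues past the end of the hunk.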
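Review bot: Dropping `AUTH_DIGEST = (1<<1)` in the `@@ -185,7 +183,6 @@` hunk of httpd.h leaves bit 1 unassigned between `AUTH_BASIC` and `AUTH_SPNEGO` with nothing explaining the gap. Because these identifiers are bit flags, a later addition could silently take the vacated value and collide with anything that still carries the old meaning; a placeholder line such as `/* (1<<1) was AUTH_DIGEST (removed); do not reuse */` makes the intent explicit. Whether the value is ever logged or persisted cannot be seen from here. The first httpd.h hunk is fine as is: both arms of the `#if defined(SASL_NEED_HTTP)` block now differ only in `SASL_USAGE_FLAGS`.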
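Review bot: In the `@@ -2459,10 +2455,6 @@` hunk of `auth_http_sasl` the deletion leaves `else if (!strcmp(mechusing, "GSS-SPNEGO")) {` attached to the closing brace of the block that returns `saslresult`; if that block is the error-check `if` (its header is outside the hunk) the GSS-SPNEGO rename silently becomes that check's else branch, and if it is any other statement the file no longer compiles. Either way the line should become a plain `if (!strcmp(mechusing, "GSS-SPNEGO")) {`. The removed `do_base64 = 0;` also looks like the only place that cleared `do_base64`; if so, its initialisation earlier in the function is now the sole assignment and can be simplified, which I cannot confirm from the hunk.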
@@ -2668,8 +2660,7 @@ static int http_do_auth(struct sasl_cmd_t *sasl_cmd __attribute__((unused)), result = auth_http_basic(servername); } } else { - if (!strcasecmp(mech, "digest")) mech = "DIGEST-MD5"; - else if (!strcasecmp(mech, "negotiate")) mech = "GSS-SPNEGO"; + if (!strcasecmp(mech, "negotiate")) mech = "GSS-SPNEGO"; if (!mechlist || !stristr(mechlist, mech)) { printf("[Server did not advertise HTTP %s]\n", ucase(mech)); diff --git a/perl/imap/IMAP/Shell.pm b/perl/imap/IMAP/Shell.pm index 2aa6ea09d64..f65ca8983ef 100644 --- a/perl/imap/IMAP/Shell.pm +++ b/perl/imap/IMAP/Shell.pm @@ -1766,7 +1766,7 @@ Connect to the *server* specified on the port specified. =item C<--auth> I -Use the mechanism specified to authenticate. One of PLAIN, LOGIN, DIGEST-MD5, etc. +Use the mechanism specified to authenticate. One of PLAIN, LOGIN, etc. =item C<--help>