Skip to content

Commit

Permalink
imap/httpd: remove DIGEST-MD5
Browse files Browse the repository at this point in the history
DIGEST-MD5 is declared Historic by RFC 6331 and is removed from Cyrus SASL by
cyrusimap/cyrus-sasl@2ce03b6

imap/rfc-support.rst: remove some references to DIGEST-MD5.
  • Loading branch information
dilyanpalauzov committed Oct 7, 2023
1 parent 264b7d9 commit bc7d0a0
Show file tree
Hide file tree
Showing 9 changed files with 26 additions and 73 deletions.
11 changes: 11 additions & 0 deletions changes/next/httpd_remove_digestmd5
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
Description:

Remove DIGEST-MD5 from httpd and imtest.

Config changes:

In imapd.conf remove sasl_mech_list: DIGEST-MD5

Upgrade instructions:

None
47 changes: 2 additions & 45 deletions cunit/backend.testc
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,6 @@
struct server_config {
int sasl_plain;
int sasl_login;
int sasl_digestmd5;
int starttls;
int deflate;
int caps_one_per_line;
Expand Down Expand Up @@ -71,7 +70,6 @@ static struct server_state *server_state;
static const struct server_config default_server_config = {
.sasl_plain = 1,
.sasl_login = 0,
.sasl_digestmd5 = 0,
.starttls = 0,
.deflate = 0,
.caps_one_per_line = 1
Expand Down Expand Up @@ -582,38 +580,6 @@ static void not_test_sasl_login(void)
}
#endif

/*
* Test authenticating with the DIGEST-MD5 mechanism.
*/
static void test_sasl_digestmd5(void)
{
struct backend *be;
const char *auth_status = NULL;
char *mechs;
int r;

default_conditions();
server_state->config.sasl_plain = 0;
server_state->config.sasl_digestmd5 = 1;

be = backend_connect(NULL, HOST, &test_prot,
USERID, callbacks, &auth_status, /*fd*/-1);
CU_ASSERT_PTR_NOT_NULL_FATAL(be);
CU_ASSERT_EQUAL(server_state->is_connected, 1);
CU_ASSERT_EQUAL(server_state->is_authenticated, 1);
CU_ASSERT_EQUAL(server_state->is_tls, 0);

mechs = backend_get_cap_params(be, CAPA_AUTH);
CU_ASSERT_STRING_EQUAL(mechs, "DIGEST-MD5");
free(mechs);

r = backend_ping(be, NULL);
CU_ASSERT_EQUAL(r, 0);

backend_disconnect(be);
free(be);
}

/* Common routine to test the semantics of capabilities */
static void caps_common(void)
{
Expand Down Expand Up @@ -1036,7 +1002,6 @@ static void server_emit_caps(struct server_state *state)
if (!state->config.starttls || state->is_tls) {
int got_login = 0;
int got_plain = 0;
int got_digestmd5 = 0;

/* First see what mechanisms SASL has; no point reporting
* mechanisms which aren't actually available. */
Expand All @@ -1057,10 +1022,6 @@ static void server_emit_caps(struct server_state *state)
words[n++] = "PLAIN";
got_plain = 1;
}
if (!strcasecmp(p, "DIGEST-MD5") && state->config.sasl_digestmd5) {
words[n++] = "DIGEST-MD5";
got_digestmd5 = 1;
}
}
words[n++] = NULL;
free(b);
Expand All @@ -1071,9 +1032,6 @@ static void server_emit_caps(struct server_state *state)
if (state->config.sasl_plain && !got_plain)
fprintf(stderr, "Server failed to find requested "
"SASL mechanism \"PLAIN\"\n");
if (state->config.sasl_digestmd5 && !got_digestmd5)
fprintf(stderr, "Server failed to find requested "
"SASL mechanism \"DIGEST-MD5\"\n");
}

/*
Expand Down Expand Up @@ -1462,8 +1420,7 @@ static AUXPROP_RTYPE server_auxprop_lookup(void *glob_context __attribute__((unu
if (!prop)
return AUXPROP_RET;
for ( ; prop->name ; prop++) {
if (!strcmp(prop->name, "*userPassword") ||
!strcmp(prop->name, "*cmusaslsecretDIGEST-MD5")) {
if (!strcmp(prop->name, "*userPassword")) {
if (prop->values)
sparams->utils->prop_erase(sparams->propctx, prop->name);
sparams->utils->prop_set(sparams->propctx, prop->name,
Expand All @@ -1476,7 +1433,7 @@ static AUXPROP_RTYPE server_auxprop_lookup(void *glob_context __attribute__((unu

/*
* Helps create a fake "auxiliary property plugin" for the SASL library,
* which is how we hook into the DIGEST-MD5 mechanism when it wants to
* which is how we hook into the DIGEST-MD5? mechanism when it wants to
* get a plaintext password to check against the hash received from the
* client.
*/
Expand Down
7 changes: 3 additions & 4 deletions docsrc/assets/man-imtest.rst
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,7 @@ Options

.. Note::
This is only used with SASL mechanisms that allow proxying
(e.g. PLAIN, DIGEST-MD5).
(e.g. PLAIN).

.. option:: -k num, --minssf=num

Expand All @@ -73,7 +73,7 @@ Options
.. option:: -r realm, --realm=realm

Specify the *realm* to use. Certain authentication mechanisms
(e.g. DIGEST-MD5) may require one to specify the realm.
may require one to specify the realm.

.. option:: -f file, --input-filename=file

Expand All @@ -82,8 +82,7 @@ Options
.. option:: -n num, --reauth-attempts=num

Number of authentication attempts; default = 1. The client will
attempt to do SSL/TLS session reuse and/or fast reauth
(e.g. DIGEST-MD5), if possible.
attempt to do SSL/TLS session reuse and/or fast reauth if possible.

.. option:: -s, --require-tls

Expand Down
4 changes: 2 additions & 2 deletions docsrc/imap/download/installation/manage-dav.rst
Original file line number Diff line number Diff line change
Expand Up @@ -85,8 +85,8 @@ authentication does not depend on a Cyrus SASL plugin.

The advertisement of the other HTTP authentication schemes is controlled by the
:ref:`SASL mech_list option <cyrussasl:options>` option. For Cyrus httpd
the DIGEST-MD5, GSS-SPNEGO, NTLM, SCRAM-SHA-1, and SCRAM-SHA-256 values enable
support for the Digest, Negotiate (Kerberos only), NTLM, SCRAM-SHA-1, and
the GSS-SPNEGO, NTLM, SCRAM-SHA-1, and SCRAM-SHA-256 values enable
support for the Negotiate (Kerberos only), NTLM, SCRAM-SHA-1, and
SCRAM-SHA-256 authentication schemes respectively, provided that the plugins
are installed on the server.

Expand Down
12 changes: 6 additions & 6 deletions docsrc/imap/rfc-support.rst
Original file line number Diff line number Diff line change
Expand Up @@ -162,7 +162,11 @@ The following is an inventory of RFCs supported by Cyrus IMAP.
:rfc:`2617`

HTTP Authentication: Basic and Digest Access Authentication,
updated by :rfc:`7615`, :rfc:`7616`, :rfc:`7617`.
updated by :rfc:`7616`, :rfc:`7617`, :rfc:`9110`.

.. NOTE::

RFC 6331 declares DIGEST-MD5 as Historic.

:rfc:`2817`

Expand All @@ -180,10 +184,6 @@ The following is an inventory of RFCs supported by Cyrus IMAP.

Internet Message Format

:rfc:`2831`

Using Digest Authentication as a SASL Mechanism

:rfc:`2920`

SMTP Service Extension for Command Pipelining
Expand Down Expand Up @@ -749,7 +749,7 @@ The following is an inventory of RFCs supported by Cyrus IMAP.
:rfc:`7615`

HTTP Authentication-Info and Proxy-Authentication-Info Response
Header Fields
Header Fields, obsoleted by :rfc:`9110`.

:rfc:`7616`

Expand Down
2 changes: 0 additions & 2 deletions imap/httpd.c
Original file line number Diff line number Diff line change
Expand Up @@ -451,8 +451,6 @@ struct auth_scheme_t auth_schemes[] = {
{ AUTH_SCRAM_SHA1, "SCRAM-SHA-1", "SCRAM-SHA-1",
AUTH_NEED_PERSIST | AUTH_SERVER_FIRST | AUTH_BASE64 |
AUTH_REALM_PARAM | AUTH_DATA_PARAM },
{ AUTH_DIGEST, "Digest", HTTP_DIGEST_MECH,
AUTH_NEED_REQUEST | AUTH_SERVER_FIRST },
{ AUTH_NTLM, "NTLM", "NTLM",
AUTH_NEED_PERSIST | AUTH_BASE64 },
{ AUTH_BEARER, "Bearer", NULL,
Expand Down
3 changes: 0 additions & 3 deletions imap/httpd.h
Original file line number Diff line number Diff line change
Expand Up @@ -93,10 +93,8 @@

/* SASL usage based on availability */
#if defined(SASL_NEED_HTTP) && defined(SASL_HTTP_REQUEST)
#define HTTP_DIGEST_MECH "DIGEST-MD5"
#define SASL_USAGE_FLAGS (SASL_NEED_HTTP | SASL_SUCCESS_DATA)
#else
#define HTTP_DIGEST_MECH NULL /* not supported by our SASL version */
#define SASL_USAGE_FLAGS SASL_SUCCESS_DATA
#endif /* SASL_NEED_HTTP */

Expand Down Expand Up @@ -185,7 +183,6 @@ struct auth_scheme_t {
/* Auth scheme identifiers */
enum {
AUTH_BASIC = (1<<0),
AUTH_DIGEST = (1<<1),
AUTH_SPNEGO = (1<<2),
AUTH_NTLM = (1<<3),
AUTH_BEARER = (1<<4),
Expand Down
11 changes: 1 addition & 10 deletions imtest/imtest.c
Original file line number Diff line number Diff line change
Expand Up @@ -2359,10 +2359,6 @@ static void http_parse_mechlist(struct buf *ret, const char *str,
*capabilities |= CAPA_LOGIN;
return;
}
else if (len == 6 && !strncmp(scheme, "Digest", len)) {
scheme = "DIGEST-MD5";
len = strlen(scheme);
}
else if (len == 9 && !strncmp(scheme, "Negotiate", len)) {
scheme = "GSS-SPNEGO";
len = strlen(scheme);
Expand Down Expand Up @@ -2459,10 +2455,6 @@ static int auth_http_sasl(const char *servername, const char *mechlist)
return saslresult;
}

if (!strcmp(mechusing, "DIGEST-MD5")) {
mechusing = "Digest";
do_base64 = 0;
}
else if (!strcmp(mechusing, "GSS-SPNEGO")) {
mechusing = "Negotiate";
}
Expand Down Expand Up @@ -2668,8 +2660,7 @@ static int http_do_auth(struct sasl_cmd_t *sasl_cmd __attribute__((unused)),
result = auth_http_basic(servername);
}
} else {
if (!strcasecmp(mech, "digest")) mech = "DIGEST-MD5";
else if (!strcasecmp(mech, "negotiate")) mech = "GSS-SPNEGO";
if (!strcasecmp(mech, "negotiate")) mech = "GSS-SPNEGO";

if (!mechlist || !stristr(mechlist, mech)) {
printf("[Server did not advertise HTTP %s]\n", ucase(mech));
Expand Down
2 changes: 1 addition & 1 deletion perl/imap/IMAP/Shell.pm
Original file line number Diff line number Diff line change
Expand Up @@ -1766,7 +1766,7 @@ Connect to the *server* specified on the port specified.
=item C<--auth> I<mechanism>
Use the mechanism specified to authenticate. One of PLAIN, LOGIN, DIGEST-MD5, etc.
Use the mechanism specified to authenticate. One of PLAIN, LOGIN, etc.
=item C<--help>
Expand Down

0 comments on commit bc7d0a0

Please sign in to comment.