Fixes #787 - Delete historic CRAM-MD5 mechanism
Delete historic CRAM-MD5 mechanisms from cyrus-sasl

Signed-off-by: Quanah Gibson-Mount <[email protected]>
quanah committed Aug 16, 2023
1 parent 38dc8b8 commit 5436909
Showing 40 changed files with 37 additions and 1,105 deletions.
15 changes: 0 additions & 15 deletions config/sasl.spec
@@ -28,15 +28,6 @@ applications which use SASL.
This plugin implements the SASL ANONYMOUS mechanism,
used for anonymous authentication.

%package plug-crammd5
%summary: SASL CRAM-MD5 mechanism plugin

%description plug-crammd5
This plugin implements the SASL CRAM-MD5 mechanism.
CRAM-MD5 is the mandatory-to-implement authentication mechanism for a
number of protocols; it uses MD5 with a challenge/response system to
authenticate the user.

%package plug-plain
%summary: SASL PLAIN mechanism plugin

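Review bot: dropping the `plug-crammd5` subpackage without an `Obsoletes:` for it in one of the remaining packages means an upgrade leaves the already-installed `plug-crammd5` package (and its `libcrammd5.so` under `/usr/lib/sasl`) in place; add an `Obsoletes: plug-crammd5` line to the main package, or document the manual removal in the release notes.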
@@ -84,18 +75,12 @@ fi
/usr/include/sasl.h
/usr/include/saslplug.h
/usr/include/saslutil.h
/usr/include/hmac-md5.h

%files plug-anonymous
%doc doc/draft-newman-sasl-anon-00.txt
/usr/lib/sasl/libanonymous.so.1.0.2
/usr/lib/sasl/libanonymous.so

%files plug-crammd5
%doc doc/rfc1321.txt doc/rfc2095.txt doc/rfc2104.txt
/usr/lib/sasl/libcrammd5.so.1.0.1
/usr/lib/sasl/libcrammd5.so

%files plug-plain
/usr/lib/sasl/libplain.so.1.0.1
/usr/lib/sasl/libplain.so
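Review bot: `/usr/include/hmac-md5.h` is removed from the installed file list, which makes this a public-header removal rather than a plugin-only change; if a `%changelog` entry or version bump accompanies this spec change it should say so, since downstream builds that include `<sasl/hmac-md5.h>` will stop compiling.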
26 changes: 0 additions & 26 deletions configure.ac
@@ -77,11 +77,6 @@ AC_ARG_ENABLE(sample,
[],
enable_sample=yes)

AC_ARG_ENABLE(obsolete_cram_attr,
[AS_HELP_STRING([--enable-obsolete_cram_attr],[enable support for cmusaslsecretCRAM-MD5 auxprop property [[yes]]])],
enable_obsolete_cram_attr=$enableval,
enable_obsolete_cram_attr=yes)

AC_PROG_CC
AX_PROG_CC_FOR_BUILD
AC_PROG_CPP
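Review bot: build scripts that still pass `--enable-obsolete_cram_attr` will now only get autoconf's "unrecognized option" warning rather than an error, so a stale flag can go unnoticed; a release-notes line listing the removed configure options (this one and `--enable-cram`/`--disable-cram`) would help packagers catch it.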
@@ -308,27 +303,6 @@ if test "$with_openssl" = no; then
AC_MSG_ERROR(OpenSSL not found)
fi

dnl CRAM-MD5
AC_ARG_ENABLE(cram, [ --enable-cram enable CRAM-MD5 authentication [[yes]] ],
cram=$enableval,
cram=yes)

AC_MSG_CHECKING(CRAM-MD5)
if test "$cram" != no -a $ac_cv_lib_crypto_MD5_Init = yes; then
AC_MSG_RESULT(enabled)
SASL_MECHS="$SASL_MECHS libcrammd5.la"
if test "$enable_obsolete_cram_attr" = yes; then
CPPFLAGS="$CPPFLAGS -DOBSOLETE_CRAM_ATTR=1"
fi
if test "$enable_static" = yes; then
SASL_STATIC_OBJS="$SASL_STATIC_OBJS cram.o"
SASL_STATIC_SRCS="$SASL_STATIC_SRCS \$(top_srcdir)/plugins/cram.c"
AC_DEFINE(STATIC_CRAMMD5, [], [Link CRAM-MD5 Statically])
fi
else
AC_MSG_RESULT(disabled)
fi

dnl SCRAM
AC_ARG_ENABLE(scram, [ --enable-scram enable SCRAM authentication [[yes]] ],
scram=$enableval,
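Review bot: this hunk deletes the only visible consumer of `$ac_cv_lib_crypto_MD5_Init`; check whether the test that sets it is still needed elsewhere (for example by the APOP support behind `sasl_checkapop`, which this commit keeps) and drop it if not. The removed block also appended `libcrammd5.la` to `SASL_MECHS` and `cram.o` / `plugins/cram.c` to the static-link lists, so the matching `plugins/Makefile.am` rules and `plugins/cram.c` itself must be removed in the same change or the build will reference a target that no longer exists.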
2 changes: 1 addition & 1 deletion docsrc/index.rst
@@ -18,7 +18,7 @@ Features
--------
Cyrus SASL provides a number of authentication plugins out of the box.

LMDB, GDBM, or NDBM (sasldb), PAM, MySQL, PostgreSQL, SQLite, LDAP, Active Directory (LDAP), DCE, Kerberos 5, proxied IMAP auth, getpwent, shadow, SIA, Courier Authdaemon, httpform, APOP and SASL mechanisms: ANONYMOUS, CRAM-MD5, EXTERNAL, GSSAPI, LOGIN, OTP, PASSDSS, PLAIN, SCRAM, SRP
LMDB, GDBM, or NDBM (sasldb), PAM, MySQL, PostgreSQL, SQLite, LDAP, Active Directory (LDAP), DCE, Kerberos 5, proxied IMAP auth, getpwent, shadow, SIA, Courier Authdaemon, httpform, APOP and SASL mechanisms: ANONYMOUS, EXTERNAL, GSSAPI, LOGIN, OTP, PASSDSS, PLAIN, SCRAM, SRP

.. _SASL: https://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer

19 changes: 0 additions & 19 deletions docsrc/sasl/authentication_mechanisms.rst
@@ -14,23 +14,6 @@ This mechanism does not require the client to authenticate or provide any inform

Defined in :rfc:`2245`

.. _MECH-CRAM-MD5:

CRAM-MD5
--------

This mechanism avoids sending the users password over the network in plain text by hashing the password with a server provided random value (known as a nonce).
A disadvantage of this mechanism is that the server must maintain a database of **plaintext passwords** for comparison.

CRAM-MD5 does not provide adequate security services for use on the Internet, it does not protect the user's authentication identifier from eavesdroppers and is subject to a number of passive and active attacks.

Defined in :rfc:`2195`

Documented in a `RFC Draft: draft-ietf-sasl-crammd5 <https://tools.ietf.org/html/draft-ietf-sasl-crammd5>`_

.. warning::
The CRAM-MD5 SASL mechanism is obsolete. It has been moved to Historic in `draft-ietf-sasl-crammd5-to-historic <https://tools.ietf.org/html/draft-ietf-sasl-crammd5-to-historic-00>`_

EXTERNAL
--------

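Review bot: the `.. _MECH-CRAM-MD5:` label disappears with this hunk, so any remaining `:ref:`MECH-CRAM-MD5`` in the docs tree becomes a Sphinx "undefined label" warning; grep docsrc for the label before merging. Consider also keeping a one-line note that CRAM-MD5 was removed as a historic mechanism, since the quickstart still advertised it until this commit and readers will search the mechanism page for it.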
@@ -162,8 +145,6 @@ of the mechanisms provided by the Cyrus SASL Library.
+-------------+---------+---------+----------+--------+---------+--------+------+--------+-----------+--------------+----------+-------+------+------+
| ANONYMOUS | 0 | X | | | | | | | X | | | | | |
+-------------+---------+---------+----------+--------+---------+--------+------+--------+-----------+--------------+----------+-------+------+------+
| CRAM-MD5 | 0 | X | | | | X | | | | X | | | | |
+-------------+---------+---------+----------+--------+---------+--------+------+--------+-----------+--------------+----------+-------+------+------+
| EXTERNAL | 0 | X | | X | | X | | | X | | | X | | |
+-------------+---------+---------+----------+--------+---------+--------+------+--------+-----------+--------------+----------+-------+------+------+
| GS2 | 56 | X | X | | | X | | X | X | | X | X | X | |
4 changes: 2 additions & 2 deletions docsrc/sasl/components.rst
@@ -99,7 +99,7 @@ Plugins: SASL Mechanisms
------------------------

The simplest types of plugins to understand are those which provide
SASL mechanisms, such as CRAM-MD5, GSSAPI, PLAIN, SCRAM, SRP, and so on.
SASL mechanisms, such as GSSAPI, PLAIN, SCRAM, SRP, and so on.
These mechanisms take care of both server-side and client-side parts
of the SASL negotiation. If the given mechanism supports a security layer
(that is, makes guarantees about privacy or integrity of data after the
@@ -125,7 +125,7 @@ Password Verification Mechanisms
of the password.
Shared Secret Mechanisms
For these mechanisms,
such as CRAM-MD5, OTP, SCRAM, and SRP,
such as OTP, SCRAM, and SRP,
there is a shared secret between the server and client (e.g. a password).
However, in this case the password itself does not travel on the wire.
Instead, the client passes a server a token that proves that it knows
8 changes: 3 additions & 5 deletions docsrc/sasl/faqs/openldap-sasl-gssapi.rst
@@ -6,10 +6,10 @@ This article assumes that you have read and followed the SASL chapter of the `Op
To verify that you have the Cyrus :ref:`GSSAPI <gssapi>` mechanism properly installed, use the pluginviewer command. For instance::

server:~# pluginviewer | grep -i gssapi
CRAM-MD5 PLAIN GSSAPI OTP ANONYMOUS LOGIN EXTERNAL
PLAIN GSSAPI OTP ANONYMOUS LOGIN EXTERNAL
Plugin "gssapiv2" [loaded], API version: 4
SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
CRAM-MD5 PLAIN GSSAPI OTP ANONYMOUS LOGIN EXTERNAL
PLAIN GSSAPI OTP ANONYMOUS LOGIN EXTERNAL
Plugin "gssapiv2" [loaded], API version: 4
SASL mechanism: GSSAPI, best SSF: 56

@@ -21,7 +21,6 @@ On your client system, search the Root DSE of the server to view advertised mech
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: OTP
supportedSASLMechanisms: CRAM-MD5

If you received a No Such Object error, you may have an `ACL misconfiguration on your server <https://www.openldap.org/doc/admin24/appendix-common-errors.html#ldap_sasl_interactive_bind_s>`_.

@@ -34,7 +33,7 @@ For more control over how the SASL library operates within the OpenLDAP? server,
For instance, if you create /usr/lib/sasl2/slapd.conf (assuming that is the correct location on your system) with the following contents::

keytab: /etc/krb5.keytab-ldap
mech_list: CRAM-MD5 GSSAPI
mech_list: GSSAPI

then the server will search within /etc/krb5.keytab-ldap when initializing the GSSAPI plugin. The server will only offer the mechanisms listed in mech_list. If mech_list is not specified, the server will offer all the mechanisms available, and that it can initialize.

@@ -47,7 +46,6 @@ Once you have verified that the server is advertising GSSAPI support, then try::
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: OTP
supportedSASLMechanisms: CRAM-MD5

If you receive a list of mechanisms, then congratulations, you're done.

4 changes: 2 additions & 2 deletions docsrc/sasl/faqs/plaintextpasswords.rst
@@ -1,12 +1,12 @@
Why does CyrusSasl store plaintext passwords in its databases?
--------------------------------------------------------------

To operate with the CRAM-MD5 and SCRAM mechanisms, Cyrus SASL
To operate with the SCRAM mechanism, Cyrus SASL
stores plaintext versions of the passwords in its secret database (an
AuxpropPlugin).

This is typically regarded as insecure practice, however the alternative
is not much better. For CRAM-MD5 and SCRAM to function, they must
is not much better. For SCRAM to function, it must
have a plaintext equivalent locally in order to confirm the hash that
actually goes across a wire. This, if these equivalents were
compromised, it is trivially easy for an attacker to have access to any
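Review bot: while this paragraph is being edited, fix the pre-existing typo in the unchanged line "actually goes across a wire. This, if these equivalents were": it should read "Thus, if these equivalents were". Separately, "For SCRAM to function, it must have a plaintext equivalent locally" is stronger than the protocol requires, since RFC 5802 lets a server store only the salted StoredKey/ServerKey; phrasing it as "For Cyrus SASL's SCRAM implementation to function, it must ..." keeps the FAQ accurate about what is a property of this implementation rather than of SCRAM itself.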
3 changes: 0 additions & 3 deletions docsrc/sasl/faqs/rfcs.rst
@@ -5,8 +5,6 @@ RFCs and drafts
===============

* :rfc:`1939#page-15` - Post Office Protocol - Version 3 (APOP/sasl_checkapop)
* :rfc:`2195` - The CRAM-MD5 SASL Mechanism (CRAM-MD5)
* :rfc:`2222#section-7.1` - Simple Authentication and Security Layer (SASL) (KERBEROS_V4)
* :rfc:`2444` - The One-Time-Password SASL Mechanism (OTP)
* :rfc:`2808` - The SecurID(r) SASL Mechanism
* :rfc:`4120` - The Kerberos Network Authentication Service (V5)
@@ -24,7 +22,6 @@ RFCs and drafts
* :rfc:`7677` - SCRAM-SHA-256 and SCRAM-SHA-256-PLUS: Simple Authentication and Security Layer (SASL) Mechanisms
* :rfc:`7804` - Salted Challenge Response HTTP Authentication Mechanism
* `draft-burdis-cat-srp-sasl <https://tools.ietf.org/html/draft-burdis-cat-srp-sasl-08>`_ - Secure Remote Password SASL Mechanism (SRP)
* `draft-ietf-sasl-crammd5 <https://tools.ietf.org/html/draft-ietf-sasl-crammd5>`_ - The CRAM-MD5 SASL Mechanism (CRAM-MD5)
* `draft-murchison-sasl-login <https://tools.ietf.org/html/draft-murchison-sasl-login>`_ - The LOGIN SASL Mechanism
* `draft-newman-sasl-c-api <https://tools.ietf.org/html/draft-newman-sasl-c-api>`_ - The SASL C API
* `draft-newman-sasl-passdss <https://tools.ietf.org/html/draft-newman-sasl-passdss>`_ - DSS Secured Password Authentication Mechanism (PASSDSS)
@@ -1,14 +1,12 @@
Why do CRAM-MD5 and SCRAM not work with CyrusSaslauthd?
Why does SCRAM not work with CyrusSaslauthd?
-------------------------------------------------------

Saslauthd is only capable of verifying plaintext passwords (it takes a
plaintext password and a username and responds with "yes" or "no",
essentially). Therefore, since the plaintext password isn't passed from
client to server in SCRAM and CRAM-MD5, Saslauthd can't verify the
password.
client to server in SCRAM, Saslauthd can't verify the password.

Authentication in a CyrusSaslauthd-only environment will not only fail
with these mechanisms, it doesn't really make a lot of sense. You'll
with this mechanism, it doesn't really make a lot of sense. You'll
want to use an AuxpropPlugin instead (for example, sasldb).


5 changes: 2 additions & 3 deletions docsrc/sasl/installation.rst
@@ -75,7 +75,7 @@ installation:


1. What mechanisms do you want to support? Are they plaintext (LOGIN, PLAIN),
shared secret (SCRAM, CRAM-MD5), or Kerberos (GSSAPI)?
shared secret (SCRAM), or Kerberos (GSSAPI)?
Perhaps you will use some combination (generally plaintext with one of
the other two types).
2. Given the answer to the previous question, how will the mechanisms
@@ -142,10 +142,9 @@ resources to load a given plugin, even if that plugin is otherwise unused
(even when it is disabled via the :option:`mech_list` option).

As of this writing, modules that are enabled by default but may not
be applicable to all systems include CRAM-MD5, SCRAM, OTP,
be applicable to all systems include SCRAM, OTP,
GSSAPI, PLAIN, and ANONYMOUS. These can be disabled with::

``--disable-cram``,
``--disable-scram``, ``--disable-otp``,
``--disable-gssapi``,
``--disable-plain``, and ``--disable-anon`` respectively.
2 changes: 1 addition & 1 deletion docsrc/sasl/options.rst
@@ -225,7 +225,7 @@ Examples
ldapdb_uri: ldap://ldap.example.com
ldapdb_id: root
ldapdb_pw: secret
ldapdb_mech: SCRAM
ldapdb_mech: SCRAM-SHA-512
ldapdb_canon_attr: uid

The LDAP server must be configured to map the SASL authcId "root" into a DN
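Review bot: changing the example from `ldapdb_mech: SCRAM` to `ldapdb_mech: SCRAM-SHA-512` is unrelated to deleting CRAM-MD5 and is not mentioned in the commit message; either split it into its own commit or add a sentence explaining it. Since `ldapdb_mech` names the mechanism the auxprop plugin uses to bind to the LDAP server, the surrounding text should also say that whichever SCRAM variant is chosen has to be offered by that server.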
1 change: 0 additions & 1 deletion docsrc/sasl/quickstart.rst
@@ -17,7 +17,6 @@ The following :ref:`authentication_mechanisms` are included in
this distribution:

* ANONYMOUS
* CRAM-MD5
* EXTERNAL
* GSSAPI (MIT Kerberos 5, Heimdal Kerberos 5 or CyberSafe)
* LOGIN
14 changes: 7 additions & 7 deletions docsrc/sasl/sysadmin.rst
@@ -221,9 +221,9 @@ the same way the PLAIN mechanism does.
Shared secrets mechanisms
-------------------------

The Cyrus SASL library also supports some "shared secret"
authentication methods: CRAM-MD5 and SCRAM.
These methods rely on the client and the server sharing a "secret",
The Cyrus SASL library also supports a "shared secret"
authentication method: SCRAM.
This method relies on the client and the server sharing a "secret",
usually a password. The server generates a challenge and the client a
response proving that it knows the shared secret. This is much more
secure than simply sending the secret over the wire proving that the
@@ -234,8 +234,8 @@ server must keep passwords or password equivalents in a database;
if this database is compromised, it is the same as if all the
passwords for the realm are compromised.

Put another way, *you cannot use saslauthd with these methods*.
If you do not wish to advertise these methods for that reason (i.e. you
Put another way, *you cannot use saslauthd with this method*.
If you do not wish to advertise this method for that reason (i.e. you
are only using saslauthd for password verification), then either remove
the non-plaintext plugins (those other than login and plain) from the
plugin directory, or use the :option:`mech_list` option to disable them.
@@ -295,7 +295,7 @@ The OTP mechanism
-----------------

The Cyrus SASL library also supports the One-Time-Password (OTP)
mechanism. This mechanism is similar to CRAM-MD5, SCRAM
mechanism. This mechanism is similar to SCRAM
and SRP in that is uses a shared secret and a challenge/response exchange.
However, OTP is more secure than the other shared secret mechanisms in
that the secret is used to generate a sequence of one-time (single
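Review bot: the unchanged context line "and SRP in that is uses a shared secret and a challenge/response exchange." carries a pre-existing typo; since the sentence above it is being rewritten anyway, change "is uses" to "it uses".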
@@ -403,7 +403,7 @@ Why doesn't OTP doesn't appear as an available mechanism?
be readable by the Cyrus user. By default, the library looks for the
opiekeys in ``/etc/opiekeys``, but it's configurable using the
:option:`opiekeys` option.
Why don't CRAM-MD5 and SCRAM work with my old sasldb?
Why doesn't SCRAM work with my old sasldb?
Because sasldb now stores plaintext passwords only, the old
sasldb is incompatible.
I'm having performance problems on each authentication, there is a noticeable slowdown when sasl initializes, what can I do?
2 changes: 1 addition & 1 deletion include/Makefile.am
@@ -45,7 +45,7 @@
noinst_HEADERS = gai.h exits.h

saslincludedir = $(includedir)/sasl
saslinclude_HEADERS = hmac-md5.h sasl.h saslplug.h saslutil.h prop.h
saslinclude_HEADERS = sasl.h saslplug.h saslutil.h prop.h

EXTRA_DIST = NTMakefile

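Review bot: dropping `hmac-md5.h` from `saslinclude_HEADERS` removes an installed public header, which is an API break for out-of-tree plugins or applications that include `<sasl/hmac-md5.h>`; that deserves a NEWS/ChangeLog entry and arguably a library version bump, neither of which is visible in this diff.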
2 changes: 1 addition & 1 deletion include/NTMakefile
@@ -51,7 +51,7 @@ includedir = $(prefix)\include

saslincludedir = $(includedir)\sasl\

saslinclude_HEADERS = hmac-md5.h sasl.h saslplug.h saslutil.h prop.h
saslinclude_HEADERS = sasl.h saslplug.h saslutil.h prop.h

# The first target get executed by default. We don't want this to be "install"
all:
52 changes: 0 additions & 52 deletions include/hmac-md5.h

This file was deleted.

2 changes: 1 addition & 1 deletion include/sasl.h
@@ -59,7 +59,7 @@
* sasl_server_step Perform one authentication exchange step
* sasl_checkpass Check a plaintext passphrase
* sasl_checkapop Check an APOP challenge/response (uses pseudo "APOP"
* mechanism similar to CRAM-MD5 mechanism; optional)
* mechanism; optional)
* sasl_user_exists Check if user exists
* sasl_setpass Change a password or add a user entry
* sasl_auxprop_request Request auxiliary properties
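Review bot: the comment edit keeps `sasl_checkapop`, whose APOP check still computes an MD5 digest (RFC 1939), so a library MD5 code path survives even though `include/hmac-md5.h` is deleted in this commit; confirm the APOP implementation neither includes that header nor calls the HMAC-MD5 helpers it declared, otherwise `sasl_checkapop` will no longer build.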