From 5436909b1d47142ba0961de31bc984bbd544bd80 Mon Sep 17 00:00:00 2001
From: Quanah Gibson-Mount 
Date: Thu, 3 Aug 2023 16:37:02 +0000
Subject: [PATCH] Fixes #787 - Delete historic CRAM-MD5 mechanism

Delete historic CRAM-MD5 mechanisms from cyrus-sasl

Signed-off-by: Quanah Gibson-Mount 
---
 config/sasl.spec | 15 -
 configure.ac | 26 -
 docsrc/index.rst | 2 +-
 docsrc/sasl/authentication_mechanisms.rst | 19 -
 docsrc/sasl/components.rst | 4 +-
 docsrc/sasl/faqs/openldap-sasl-gssapi.rst | 8 +-
 docsrc/sasl/faqs/plaintextpasswords.rst | 4 +-
 docsrc/sasl/faqs/rfcs.rst | 3 -
 ...{crammd5-digestmd5-scram.rst => scram.rst} | 8 +-
 docsrc/sasl/installation.rst | 5 +-
 docsrc/sasl/options.rst | 2 +-
 docsrc/sasl/quickstart.rst | 1 -
 docsrc/sasl/sysadmin.rst | 14 +-
 include/Makefile.am | 2 +-
 include/NTMakefile | 2 +-
 include/hmac-md5.h | 52 --
 include/sasl.h | 2 +-
 include/saslplug.h | 15 -
 lib/Makefile.am | 2 +-
 lib/common.c | 6 -
 lib/md5.c | 182 -----
 lib/server.c | 1 -
 lib/staticopen.h | 8 -
 m4/openssl.m4 | 5 +-
 mac/include/sasl_crammd5_plugin_decl.h | 5 -
 mac/mac_lib/mac_monolithic_dlopen.c | 6 -
 plugins/Makefile.am | 8 +-
 plugins/NTMakefile | 19 +-
 plugins/cram.c | 692 ------------------
 plugins/makeinit.sh | 2 +-
 saslauthd/LDAP_SASLAUTHD | 2 +-
 saslauthd/saslauthd-main.c | 2 +-
 utils/saslpasswd.c | 4 +-
 win32/cyrus-sasl-all-in-one.sln | 2 -
 win32/cyrus-sasl-common.sln | 2 -
 win32/cyrus-sasl-core.sln | 2 -
 win32/cyrus-sasl-gssapiv2.sln | 2 -
 win32/cyrus-sasl-sasldb.sln | 2 -
 win32/include/config.h | 2 -
 win32/makeinit.ps1 | 2 +-
 40 files changed, 37 insertions(+), 1105 deletions(-)
 rename docsrc/sasl/faqs/{crammd5-digestmd5-scram.rst => scram.rst} (66%)
 delete mode 100755 include/hmac-md5.h
 delete mode 100644 lib/md5.c
 delete mode 100755 mac/include/sasl_crammd5_plugin_decl.h
 delete mode 100644 plugins/cram.c

diff --git a/config/sasl.spec b/config/sasl.spec
index f98952fd..0466baa6 100644
--- a/config/sasl.spec
+++ b/config/sasl.spec
@@ -28,15 +28,6 @@ applications which use SASL. This plugin implements the SASL ANONYMOUS mechanism, used for anonymous authentication. -%package plug-crammd5 -%summary: SASL CRAM-MD5 mechanism plugin - -%description plug-crammd5 -This plugin implements the SASL CRAM-MD5 mechanism. -CRAM-MD5 is the mandatory-to-implement authentication mechanism for a -number of protocols; it uses MD5 with a challenge/response system to -authenticate the user. - %package plug-plain %summary: SASL PLAIN mechanism plugin @@ -84,18 +75,12 @@ fi /usr/include/sasl.h /usr/include/saslplug.h /usr/include/saslutil.h -/usr/include/hmac-md5.h %files plug-anonymous %doc doc/draft-newman-sasl-anon-00.txt /usr/lib/sasl/libanonymous.so.1.0.2 /usr/lib/sasl/libanonymous.so -%files plug-crammd5 -%doc doc/rfc1321.txt doc/rfc2095.txt doc/rfc2104.txt -/usr/lib/sasl/libcrammd5.so.1.0.1 -/usr/lib/sasl/libcrammd5.so - %files plug-plain /usr/lib/sasl/libplain.so.1.0.1 /usr/lib/sasl/libplain.so diff --git a/configure.ac b/configure.ac index 47c40040..91059087 100644 --- a/configure.ac +++ b/configure.ac @@ -77,11 +77,6 @@ AC_ARG_ENABLE(sample, [], enable_sample=yes) -AC_ARG_ENABLE(obsolete_cram_attr, - [AS_HELP_STRING([--enable-obsolete_cram_attr],[enable support for cmusaslsecretCRAM-MD5 auxprop property [[yes]]])], - enable_obsolete_cram_attr=$enableval, - enable_obsolete_cram_attr=yes) - AC_PROG_CC AX_PROG_CC_FOR_BUILD AC_PROG_CPP 
@@ -308,27 +303,6 @@ if test "$with_openssl" = no; then AC_MSG_ERROR(OpenSSL not found) fi -dnl CRAM-MD5 -AC_ARG_ENABLE(cram, [ --enable-cram enable CRAM-MD5 authentication [[yes]] ], - cram=$enableval, - cram=yes) - -AC_MSG_CHECKING(CRAM-MD5) -if test "$cram" != no -a $ac_cv_lib_crypto_MD5_Init = yes; then - AC_MSG_RESULT(enabled) - SASL_MECHS="$SASL_MECHS libcrammd5.la" - if test "$enable_obsolete_cram_attr" = yes; then - CPPFLAGS="$CPPFLAGS -DOBSOLETE_CRAM_ATTR=1" - fi - if test "$enable_static" = yes; then - SASL_STATIC_OBJS="$SASL_STATIC_OBJS cram.o" - SASL_STATIC_SRCS="$SASL_STATIC_SRCS \$(top_srcdir)/plugins/cram.c" - AC_DEFINE(STATIC_CRAMMD5, [], [Link CRAM-MD5 Statically]) - fi -else - AC_MSG_RESULT(disabled) -fi - dnl SCRAM AC_ARG_ENABLE(scram, [ --enable-scram enable SCRAM authentication [[yes]] ], scram=$enableval, diff --git a/docsrc/index.rst b/docsrc/index.rst index 886589a8..2743c593 100644 --- a/docsrc/index.rst +++ b/docsrc/index.rst @@ -18,7 +18,7 @@ Features -------- Cyrus SASL provides a number of authentication plugins out of the box. - LMDB, GDBM, or NDBM (sasldb), PAM, MySQL, PostgreSQL, SQLite, LDAP, Active Directory (LDAP), DCE, Kerberos 5, proxied IMAP auth, getpwent, shadow, SIA, Courier Authdaemon, httpform, APOP and SASL mechanisms: ANONYMOUS, CRAM-MD5, EXTERNAL, GSSAPI, LOGIN, OTP, PASSDSS, PLAIN, SCRAM, SRP + LMDB, GDBM, or NDBM (sasldb), PAM, MySQL, PostgreSQL, SQLite, LDAP, Active Directory (LDAP), DCE, Kerberos 5, proxied IMAP auth, getpwent, shadow, SIA, Courier Authdaemon, httpform, APOP and SASL mechanisms: ANONYMOUS, EXTERNAL, GSSAPI, LOGIN, OTP, PASSDSS, PLAIN, SCRAM, SRP .. _SASL: https://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer diff --git a/docsrc/sasl/authentication_mechanisms.rst b/docsrc/sasl/authentication_mechanisms.rst index 611236c7..37ad8f87 100644 --- a/docsrc/sasl/authentication_mechanisms.rst +++ b/docsrc/sasl/authentication_mechanisms.rst 
@@ -14,23 +14,6 @@ This mechanism does not require the client to authenticate or provide any inform Defined in :rfc:`2245` -.. _MECH-CRAM-MD5: - -CRAM-MD5 --------- - -This mechanism avoids sending the users password over the network in plain text by hashing the password with a server provided random value (known as a nonce). -A disadvantage of this mechanism is that the server must maintain a database of **plaintext passwords** for comparison. - -CRAM-MD5 does not provide adequate security services for use on the Internet, it does not protect the user's authentication identifier from eavesdroppers and is subject to a number of passive and active attacks. - -Defined in :rfc:`2195` - -Documented in a `RFC Draft: draft-ietf-sasl-crammd5 `_ - -.. warning:: - The CRAM-MD5 SASL mechanism is obsolete. It has been moved to Historic in `draft-ietf-sasl-crammd5-to-historic `_ - EXTERNAL -------- @@ -162,8 +145,6 @@ of the mechanisms provided by the Cyrus SASL Library. +-------------+---------+---------+----------+--------+---------+--------+------+--------+-----------+--------------+----------+-------+------+------+ | ANONYMOUS | 0 | X | | | | | | | X | | | | | | +-------------+---------+---------+----------+--------+---------+--------+------+--------+-----------+--------------+----------+-------+------+------+ -| CRAM-MD5 | 0 | X | | | | X | | | | X | | | | | -+-------------+---------+---------+----------+--------+---------+--------+------+--------+-----------+--------------+----------+-------+------+------+ | EXTERNAL | 0 | X | | X | | X | | | X | | | X | | | +-------------+---------+---------+----------+--------+---------+--------+------+--------+-----------+--------------+----------+-------+------+------+ | GS2 | 56 | X | X | | | X | | X | X | | X | X | X | | diff --git a/docsrc/sasl/components.rst b/docsrc/sasl/components.rst index ffe642b9..22098aa0 100644 --- a/docsrc/sasl/components.rst +++ b/docsrc/sasl/components.rst 
@@ -99,7 +99,7 @@ Plugins: SASL Mechanisms ------------------------ The simplest types of plugins to understand are those which provide -SASL mechanisms, such as CRAM-MD5, GSSAPI, PLAIN, SCRAM, SRP, and so on. +SASL mechanisms, such as GSSAPI, PLAIN, SCRAM, SRP, and so on. These mechanisms take care of both server-side and client-side parts of the SASL negotiation. If the given mechanism supports a security layer (that is, makes guarantees about privacy or integrity of data after the @@ -125,7 +125,7 @@ Password Verification Mechanisms of the password. Shared Secret Mechanisms For these mechanisms, - such as CRAM-MD5, OTP, SCRAM, and SRP, + such as OTP, SCRAM, and SRP, there is a shared secret between the server and client (e.g. a password). However, in this case the password itself does not travel on the wire. Instead, the client passes a server a token that proves that it knows diff --git a/docsrc/sasl/faqs/openldap-sasl-gssapi.rst b/docsrc/sasl/faqs/openldap-sasl-gssapi.rst index cd898464..8cd6726a 100644 --- a/docsrc/sasl/faqs/openldap-sasl-gssapi.rst +++ b/docsrc/sasl/faqs/openldap-sasl-gssapi.rst @@ -6,10 +6,10 @@ This article assumes that you have read and followed the SASL chapter of the `Op To verify that you have the Cyrus :ref:`GSSAPI ` mechanism properly installed, use the pluginviewer command. For instance:: server:~# pluginviewer | grep -i gssapi - CRAM-MD5 PLAIN GSSAPI OTP ANONYMOUS LOGIN EXTERNAL + PLAIN GSSAPI OTP ANONYMOUS LOGIN EXTERNAL Plugin "gssapiv2" [loaded], API version: 4 SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no - CRAM-MD5 PLAIN GSSAPI OTP ANONYMOUS LOGIN EXTERNAL + PLAIN GSSAPI OTP ANONYMOUS LOGIN EXTERNAL Plugin "gssapiv2" [loaded], API version: 4 SASL mechanism: GSSAPI, best SSF: 56 
@@ -21,7 +21,6 @@ On your client system, search the Root DSE of the server to view advertised mech dn: supportedSASLMechanisms: GSSAPI supportedSASLMechanisms: OTP - supportedSASLMechanisms: CRAM-MD5 If you received a No Such Object error, you may have an `ACL misconfiguration on your server `_. @@ -34,7 +33,7 @@ For more control over how the SASL library operates within the OpenLDAP? server, For instance, if you create /usr/lib/sasl2/slapd.conf (assuming that is the correct location on your system) with the following contents:: keytab: /etc/krb5.keytab-ldap - mech_list: CRAM-MD5 GSSAPI + mech_list: GSSAPI then the server will search within /etc/krb5.keytab-ldap when initializing the GSSAPI plugin. The server will only offer the mechanisms listed in mech_list. If mech_list is not specified, the server will offer all the mechanisms available, and that it can initialize. @@ -47,7 +46,6 @@ Once you have verified that the server is advertising GSSAPI support, then try:: dn: supportedSASLMechanisms: GSSAPI supportedSASLMechanisms: OTP - supportedSASLMechanisms: CRAM-MD5 If you receive a list of mechanisms, then congratulations, you're done. diff --git a/docsrc/sasl/faqs/plaintextpasswords.rst b/docsrc/sasl/faqs/plaintextpasswords.rst index dcc1a4c4..dcf84ddf 100644 --- a/docsrc/sasl/faqs/plaintextpasswords.rst +++ b/docsrc/sasl/faqs/plaintextpasswords.rst 
@@ -1,12 +1,12 @@ Why does CyrusSasl store plaintext passwords in its databases? -------------------------------------------------------------- -To operate with the CRAM-MD5 and SCRAM mechanisms, Cyrus SASL +To operate with the SCRAM mechanism, Cyrus SASL stores plaintext versions of the passwords in its secret database (an AuxpropPlugin). This is typically regarded as insecure practice, however the alternative -is not much better. For CRAM-MD5 and SCRAM to function, they must +is not much better. For SCRAM to function, it must have a plaintext equivalent locally in order to confirm the hash that actually goes across a wire. This, if these equivalents were compromised, it is trivially easy for an attacker to have access to any diff --git a/docsrc/sasl/faqs/rfcs.rst b/docsrc/sasl/faqs/rfcs.rst index 798dc116..515241be 100644 --- a/docsrc/sasl/faqs/rfcs.rst +++ b/docsrc/sasl/faqs/rfcs.rst @@ -5,8 +5,6 @@ RFCs and drafts =============== * :rfc:`1939#page-15` - Post Office Protocol - Version 3 (APOP/sasl_checkapop) -* :rfc:`2195` - The CRAM-MD5 SASL Mechanism (CRAM-MD5) -* :rfc:`2222#section-7.1` - Simple Authentication and Security Layer (SASL) (KERBEROS_V4) * :rfc:`2444` - The One-Time-Password SASL Mechanism (OTP) * :rfc:`2808` - The SecurID(r) SASL Mechanism * :rfc:`4120` - The Kerberos Network Authentication Service (V5) @@ -24,7 +22,6 @@ RFCs and drafts * :rfc:`7677` - SCRAM-SHA-256 and SCRAM-SHA-256-PLUS: Simple Authentication and Security Layer (SASL) Mechanisms * :rfc:`7804` - Salted Challenge Response HTTP Authentication Mechanism * `draft-burdis-cat-srp-sasl `_ - Secure Remote Password SASL Mechanism (SRP) -* `draft-ietf-sasl-crammd5 `_ - The CRAM-MD5 SASL Mechanism (CRAM-MD5) * `draft-murchison-sasl-login `_ - The LOGIN SASL Mechanism * `draft-newman-sasl-c-api `_ - The SASL C API * `draft-newman-sasl-passdss `_ - DSS Secured Password Authentication Mechanism (PASSDSS) 
diff --git a/docsrc/sasl/faqs/crammd5-digestmd5-scram.rst b/docsrc/sasl/faqs/scram.rst similarity index 66% rename from docsrc/sasl/faqs/crammd5-digestmd5-scram.rst rename to docsrc/sasl/faqs/scram.rst index 238ae9c0..1725f22c 100644 --- a/docsrc/sasl/faqs/crammd5-digestmd5-scram.rst +++ b/docsrc/sasl/faqs/scram.rst @@ -1,14 +1,12 @@ -Why do CRAM-MD5 and SCRAM not work with CyrusSaslauthd? +Why does SCRAM not work with CyrusSaslauthd? ------------------------------------------------------- Saslauthd is only capable of verifying plaintext passwords (it takes a plaintext password and a username and responds with "yes" or "no", essentially). Therefore, since the plaintext password isn't passed from -client to server in SCRAM and CRAM-MD5, Saslauthd can't verify the -password. +client to server in SCRAM, Saslauthd can't verify the password. Authentication in a CyrusSaslauthd-only environment will not only fail -with these mechanisms, it doesn't really make a lot of sense. You'll +with this mechanism, it doesn't really make a lot of sense. You'll want to use an AuxpropPlugin instead (for example, sasldb). - diff --git a/docsrc/sasl/installation.rst b/docsrc/sasl/installation.rst index d467aac3..022e7bab 100644 --- a/docsrc/sasl/installation.rst +++ b/docsrc/sasl/installation.rst @@ -75,7 +75,7 @@ installation: 1. What mechanisms do you want to support? Are they plaintext (LOGIN, PLAIN), -shared secret (SCRAM, CRAM-MD5), or Kerberos (GSSAPI)? +shared secret (SCRAM), or Kerberos (GSSAPI)? Perhaps you will use some combination (generally plaintext with one of the other two types). 2. Given the answer to the previous question, how will the mechanisms 
@@ -142,10 +142,9 @@ resources to load a given plugin, even if that plugin is otherwise unused (even when it is disabled via the :option:`mech_list` option). As of this writing, modules that are enabled by default but may not -be applicable to all systems include CRAM-MD5, SCRAM, OTP, +be applicable to all systems include SCRAM, OTP, GSSAPI, PLAIN, and ANONYMOUS. These can be disabled with:: - ``--disable-cram``, ``--disable-scram``, ``--disable-otp``, ``--disable-gssapi``, ``--disable-plain``, and ``--disable-anon`` respectively. diff --git a/docsrc/sasl/options.rst b/docsrc/sasl/options.rst index 309d4310..4c8c4050 100644 --- a/docsrc/sasl/options.rst +++ b/docsrc/sasl/options.rst @@ -225,7 +225,7 @@ Examples ldapdb_uri: ldap://ldap.example.com ldapdb_id: root ldapdb_pw: secret - ldapdb_mech: SCRAM + ldapdb_mech: SCRAM-SHA-512 ldapdb_canon_attr: uid The LDAP server must be configured to map the SASL authcId "root" into a DN diff --git a/docsrc/sasl/quickstart.rst b/docsrc/sasl/quickstart.rst index 54d5d81e..4bdb761e 100644 --- a/docsrc/sasl/quickstart.rst +++ b/docsrc/sasl/quickstart.rst @@ -17,7 +17,6 @@ The following :ref:`authentication_mechanisms` are included in this distribution: * ANONYMOUS -* CRAM-MD5 * EXTERNAL * GSSAPI (MIT Kerberos 5, Heimdal Kerberos 5 or CyberSafe) * LOGIN diff --git a/docsrc/sasl/sysadmin.rst b/docsrc/sasl/sysadmin.rst index 1bcaaa21..04018192 100644 --- a/docsrc/sasl/sysadmin.rst +++ b/docsrc/sasl/sysadmin.rst 
@@ -221,9 +221,9 @@ the same way the PLAIN mechanism does. Shared secrets mechanisms ------------------------- -The Cyrus SASL library also supports some "shared secret" -authentication methods: CRAM-MD5 and SCRAM. -These methods rely on the client and the server sharing a "secret", +The Cyrus SASL library also supports a "shared secret" +authentication method: SCRAM. +This method relies on the client and the server sharing a "secret", usually a password. The server generates a challenge and the client a response proving that it knows the shared secret. This is much more secure than simply sending the secret over the wire proving that the @@ -234,8 +234,8 @@ server must keep passwords or password equivalents in a database; if this database is compromised, it is the same as if all the passwords for the realm are compromised. -Put another way, *you cannot use saslauthd with these methods*. -If you do not wish to advertise these methods for that reason (i.e. you +Put another way, *you cannot use saslauthd with this method*. +If you do not wish to advertise this method for that reason (i.e. you are only using saslauthd for password verification), then either remove the non-plaintext plugins (those other than login and plain) from the plugin directory, or use the :option:`mech_list` option to disable them. @@ -295,7 +295,7 @@ The OTP mechanism ----------------- The Cyrus SASL library also supports the One-Time-Password (OTP) -mechanism. This mechanism is similar to CRAM-MD5, SCRAM +mechanism. This mechanism is similar to SCRAM and SRP in that is uses a shared secret and a challenge/response exchange. However, OTP is more secure than the other shared secret mechanisms in that the secret is used to generate a sequence of one-time (single 
@@ -403,7 +403,7 @@ Why doesn't OTP doesn't appear as an available mechanism? be readable by the Cyrus user. By default, the library looks for the opiekeys in ``/etc/opiekeys``, but it's configurable using the :option:`opiekeys` option. -Why don't CRAM-MD5 and SCRAM work with my old sasldb? +Why doesn't SCRAM work with my old sasldb? Because sasldb now stores plaintext passwords only, the old sasldb is incompatible. I'm having performance problems on each authentication, there is a noticeable slowdown when sasl initializes, what can I do? diff --git a/include/Makefile.am b/include/Makefile.am index 431dbb5f..c03d058d 100644 --- a/include/Makefile.am +++ b/include/Makefile.am @@ -45,7 +45,7 @@ noinst_HEADERS = gai.h exits.h saslincludedir = $(includedir)/sasl -saslinclude_HEADERS = hmac-md5.h sasl.h saslplug.h saslutil.h prop.h +saslinclude_HEADERS = sasl.h saslplug.h saslutil.h prop.h EXTRA_DIST = NTMakefile diff --git a/include/NTMakefile b/include/NTMakefile index 5be382f3..d9a7bcda 100644 --- a/include/NTMakefile +++ b/include/NTMakefile @@ -51,7 +51,7 @@ includedir = $(prefix)\include saslincludedir = $(includedir)\sasl\ -saslinclude_HEADERS = hmac-md5.h sasl.h saslplug.h saslutil.h prop.h +saslinclude_HEADERS = sasl.h saslplug.h saslutil.h prop.h # The first target get executed by default. We don't want this to be "install" all: diff --git a/include/hmac-md5.h b/include/hmac-md5.h deleted file mode 100755 index a0537010..00000000 --- a/include/hmac-md5.h +++ /dev/null 
@@ -1,52 +0,0 @@
-/* hmac-md5.h -- HMAC_MD5 functions
- */
-
-#ifndef HMAC_MD5_H
-#define HMAC_MD5_H 1
-
-#ifdef HAVE_MD5
-#include 
-
-#define HMAC_MD5_SIZE 16
-
-/* intermediate MD5 context */
-typedef struct HMAC_MD5_CTX_s {
- MD5_CTX ictx, octx;
-} HMAC_MD5_CTX;
-
-/* intermediate HMAC state
- * values stored in network byte order (Big Endian)
- */
-typedef struct HMAC_MD5_STATE_s {
- uint32_t istate[4];
- uint32_t ostate[4];
-} HMAC_MD5_STATE;
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/* precalculate intermediate state from key
- */
-void _sasl_hmac_md5_precalc(HMAC_MD5_STATE *hmac,
- const unsigned char *key, int key_len);
-
-/* initialize context from intermediate state
- */
-void _sasl_hmac_md5_import(HMAC_MD5_CTX *hmac, HMAC_MD5_STATE *state);
-
-int _sasl_hmac_md5_update(HMAC_MD5_CTX *hmac,
- const void *data,
- unsigned long len);
-
-/* finish hmac from intermediate result. Intermediate result is zeroed.
- */
-void _sasl_hmac_md5_final(unsigned char digest[HMAC_MD5_SIZE],
- HMAC_MD5_CTX *hmac);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* HAVE_MD5 */
-#endif /* HMAC_MD5_H */
diff --git a/include/sasl.h b/include/sasl.h
index 853ab7e2..003d3105 100755
--- a/include/sasl.h
+++ b/include/sasl.h
@@ -59,7 +59,7 @@
 * sasl_server_step Perform one authentication exchange step
 * sasl_checkpass Check a plaintext passphrase
 * sasl_checkapop Check an APOP challenge/response (uses pseudo "APOP"
- * mechanism similar to CRAM-MD5 mechanism; optional)
+ * mechanism; optional)
 * sasl_user_exists Check if user exists
 * sasl_setpass Change a password or add a user entry
 * sasl_auxprop_request Request auxiliary properties
diff --git a/include/saslplug.h b/include/saslplug.h
index 113982a5..a3bc4655 100755
--- a/include/saslplug.h
+++ b/include/saslplug.h
@@ -4,9 +4,6 @@
 #ifndef SASLPLUG_H
 #define SASLPLUG_H 1
 
-#ifndef HMAC_MD5_H
-#include "hmac-md5.h"
-#endif
 #ifndef PROP_H
 #include "prop.h"
 #endif
@@ -64,18 +61,6 @@ typedef struct sasl_utils {
 sasl_mutex_unlock_t *mutex_unlock;
 sasl_mutex_free_t *mutex_free;
 
-#ifdef HAVE_MD5
- /* MD5 hash and HMAC functions */
- void (*hmac_md5)(const unsigned char *text, int text_len,
- const unsigned char *key, int key_len,
- unsigned char [16]);
- void (*hmac_md5_update)(HMAC_MD5_CTX *, const void *data, unsigned long len);
- void (*hmac_md5_final)(unsigned char [16], HMAC_MD5_CTX *);
- void (*hmac_md5_precalc)(HMAC_MD5_STATE *,
- const unsigned char *key, int len);
- void (*hmac_md5_import)(HMAC_MD5_CTX *, HMAC_MD5_STATE *);
-#endif
-
 /* mechanism utility functions (same as above): */
 int (*mkchal)(sasl_conn_t *conn, char *buf, unsigned maxlen,
 unsigned hostflag);
diff --git a/lib/Makefile.am b/lib/Makefile.am
index 8f1cc13a..8e614605 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -63,7 +63,7 @@ DLOPEN_C = dlopen.c
 endif
 
 common_headers = saslint.h
-common_sources = auxprop.c canonusr.c checkpw.c client.c common.c config.c external.c md5.c saslutil.c server.c seterror.c $(DLOPEN_C)
+common_sources = auxprop.c canonusr.c checkpw.c client.c common.c config.c external.c saslutil.c server.c seterror.c $(DLOPEN_C)
 
 LTLIBOBJS = @LTLIBOBJS@
 LIB_DOOR= @LIB_DOOR@
diff --git a/lib/common.c b/lib/common.c
index e4a6d751..43b8bb9c 100644
--- a/lib/common.c
+++ b/lib/common.c
@@ -2075,12 +2075,6 @@ _sasl_alloc_utils(sasl_conn_t *conn,
 utils->mutex_unlock = _sasl_mutex_utils.unlock;
 utils->mutex_free = _sasl_mutex_utils.free;
 
-#ifdef HAVE_MD5
- utils->hmac_md5_update = &_sasl_hmac_md5_update;
- utils->hmac_md5_final = &_sasl_hmac_md5_final;
- utils->hmac_md5_precalc = &_sasl_hmac_md5_precalc;
- utils->hmac_md5_import = &_sasl_hmac_md5_import;
-#endif
 utils->mkchal = &sasl_mkchal;
 utils->utf8verify = &sasl_utf8verify;
 utils->rand=&sasl_rand;
diff --git a/lib/md5.c b/lib/md5.c
deleted file mode 100644
index b0b04d32..00000000
--- a/lib/md5.c
+++ /dev/null
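Review bot: Deleting the `#ifdef HAVE_MD5` members from the middle of `struct sasl_utils` changes the offset of `mkchal` and every member after it in a header that include/Makefile.am installs for out-of-tree plugins, so a third-party plugin built against the previous layout (per the m4/openssl.m4 hunk, any build whose libcrypto provided `MD5_Init`) would read the wrong function pointer at runtime rather than fail to compile. Unless the utils API version (`SASL_UTILS_VERSION`, not visible in this diff) is bumped in the same change so that stale plugins are refused, consider keeping the five slots as an explicitly unused placeholder, e.g. `void (*hmac_md5_reserved[5])(void); /* formerly hmac_md5*; CRAM-MD5 removed */`, so the layout of the remaining members is unchanged. The matching assignments dropped from `_sasl_alloc_utils` in lib/common.c are consistent with either option. The struct definition begins and ends outside this hunk.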
@@ -1,182 +0,0 @@
-/* md5.c - HMAC based on MD5 message-digest algorithm
- */
-/*
- * Copyright (c) 1998-1999 Carnegie Mellon University. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. The name "Carnegie Mellon University" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For permission or any other legal
- * details, please contact
- * Carnegie Mellon University
- * Center for Technology Transfer and Enterprise Creation
- * 4615 Forbes Avenue
- * Suite 302
- * Pittsburgh, PA 15213
- * (412) 268-7393, fax: (412) 268-7395
- * innovation@andrew.cmu.edu
- *
- * 4. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by Computing Services
- * at Carnegie Mellon University (http://www.cmu.edu/computing/)."
- *
- * CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO
- * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE
- * FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
- * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
- * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include 
-#include "hmac-md5.h"
-#include 
-
-#ifdef HAVE_MD5
-#ifndef WIN32
-# include 
-#endif
-
-static void _sasl_hmac_md5_init(HMAC_MD5_CTX *hmac,
- const unsigned char *key,
- int key_len)
-{
- unsigned char k_ipad[65]; /* inner padding -
- * key XORd with ipad
- */
- unsigned char k_opad[65]; /* outer padding -
- * key XORd with opad
- */
- unsigned char tk[16];
- int i;
- /* if key is longer than 64 bytes reset it to key=MD5(key) */
- if (key_len > 64) {
-
- MD5_CTX tctx;
-
- MD5_Init(&tctx);
- MD5_Update(&tctx, key, key_len);
- MD5_Final(tk, &tctx);
-
- key = tk;
- key_len = 16;
- }
-
- /*
- * the HMAC_MD5 transform looks like:
- *
- * MD5(K XOR opad, MD5(K XOR ipad, text))
- *
- * where K is an n byte key
- * ipad is the byte 0x36 repeated 64 times
- * opad is the byte 0x5c repeated 64 times
- * and text is the data being protected
- */
-
- /* start out by storing key in pads */
- OPENSSL_cleanse(k_ipad, sizeof(k_ipad));
- OPENSSL_cleanse(k_opad, sizeof(k_opad));
- memcpy(k_ipad, key, key_len);
- memcpy(k_opad, key, key_len);
-
- /* XOR key with ipad and opad values */
- for (i=0; i<64; i++) {
- k_ipad[i] ^= 0x36;
- k_opad[i] ^= 0x5c;
- }
-
- MD5_Init(&hmac->ictx); /* init inner context */
- MD5_Update(&hmac->ictx, k_ipad, 64); /* apply inner pad */
-
- MD5_Init(&hmac->octx); /* init outer context */
- MD5_Update(&hmac->octx, k_opad, 64); /* apply outer pad */
-
- /* scrub the pads and key context (if used) */
- OPENSSL_cleanse(&k_ipad, sizeof(k_ipad));
- OPENSSL_cleanse(&k_opad, sizeof(k_opad));
- OPENSSL_cleanse(&tk, sizeof(tk));
-
- /* and we're done. */
-}
-
-/* The precalc and import routines here rely on the fact that we pad
- * the key out to 64 bytes and use that to initialize the md5
- * contexts, and that updating an md5 context with 64 bytes of data
- * leaves nothing left over; all of the interesting state is contained
- * in the state field, and none of it is left over in the count and
- * buffer fields. So all we have to do is save the state field; we
- * can zero the others when we reload it. Which is why the decision
- * was made to pad the key out to 64 bytes in the first place. */
-void _sasl_hmac_md5_precalc(HMAC_MD5_STATE *state,
- const unsigned char *key,
- int key_len)
-{
- HMAC_MD5_CTX hmac;
-
- _sasl_hmac_md5_init(&hmac, key, key_len);
-
- state->istate[0] = htonl(hmac.ictx.A);
- state->istate[1] = htonl(hmac.ictx.B);
- state->istate[2] = htonl(hmac.ictx.C);
- state->istate[3] = htonl(hmac.ictx.D);
-
- state->ostate[0] = htonl(hmac.octx.A);
- state->ostate[1] = htonl(hmac.octx.B);
- state->ostate[2] = htonl(hmac.octx.C);
- state->ostate[3] = htonl(hmac.octx.D);
-
- OPENSSL_cleanse(&hmac, sizeof(hmac));
-}
-
-
-void _sasl_hmac_md5_import(HMAC_MD5_CTX *hmac,
- HMAC_MD5_STATE *state)
-{
- OPENSSL_cleanse(hmac, sizeof(HMAC_MD5_CTX));
-
- hmac->ictx.A = ntohl(state->istate[0]);
- hmac->ictx.B = ntohl(state->istate[1]);
- hmac->ictx.C = ntohl(state->istate[2]);
- hmac->ictx.D = ntohl(state->istate[3]);
-
- hmac->octx.A = ntohl(state->ostate[0]);
- hmac->octx.B = ntohl(state->ostate[1]);
- hmac->octx.C = ntohl(state->ostate[2]);
- hmac->octx.D = ntohl(state->ostate[3]);
-
- /* Init the counts to account for our having applied
- * 64 bytes of key; this works out to 0x200 (64 << 3; see
- * MD5Update above...) */
- hmac->ictx.Nl = hmac->octx.Nl = 0x200;
-}
-
-/* hmac_md5_update() is just a call to MD5Update on inner context.
- Returns 1 for success, 0 otherwise. */
-int _sasl_hmac_md5_update(HMAC_MD5_CTX *hmac,
- const void *data,
- unsigned long len)
-{
- return MD5_Update(&(hmac)->ictx, data, len);
-}
-
-void _sasl_hmac_md5_final(unsigned char digest[HMAC_MD5_SIZE],
- HMAC_MD5_CTX *hmac)
-{
- MD5_Final(digest, &hmac->ictx); /* Finalize inner md5 */
- MD5_Update(&hmac->octx, digest, HMAC_MD5_SIZE); /* Update outer ctx */
- MD5_Final(digest, &hmac->octx); /* Finalize outer md5 */
-}
-#endif /* HAVE_MD5 */
diff --git a/lib/server.c b/lib/server.c
index bff461f8..c69e58b8 100644
--- a/lib/server.c
+++ b/lib/server.c
@@ -949,7 +949,6 @@ int sasl_server_init(const sasl_callback_t *callbacks,
 * for them in the passwd database for other
 * stronger mechanism
 *
- * for example PLAIN -> CRAM-MD5
 */
 
 static int _sasl_transition(sasl_conn_t * conn,
diff --git a/lib/staticopen.h b/lib/staticopen.h
index 03b82316..341100e5 100644
--- a/lib/staticopen.h
+++ b/lib/staticopen.h
@@ -80,10 +80,6 @@ sasl_canonuser_init_t x##_canonuser_plug_init
 extern SPECIFIC_SERVER_PLUG_INIT_PROTO( anonymous );
 extern SPECIFIC_CLIENT_PLUG_INIT_PROTO( anonymous );
 #endif
-#ifdef STATIC_CRAMMD5
-extern SPECIFIC_SERVER_PLUG_INIT_PROTO( crammd5 );
-extern SPECIFIC_CLIENT_PLUG_INIT_PROTO( crammd5 );
-#endif
 #ifdef STATIC_SCRAM
 extern SPECIFIC_SERVER_PLUG_INIT_PROTO( scram );
 extern SPECIFIC_CLIENT_PLUG_INIT_PROTO( scram );
@@ -123,10 +119,6 @@ _sasl_plug_rec _sasl_static_plugins[] = {
 SPECIFIC_SERVER_PLUG_INIT( anonymous, "ANONYMOUS" ),
 SPECIFIC_CLIENT_PLUG_INIT( anonymous, "ANONYMOUS" ),
 #endif
-#ifdef STATIC_CRAMMD5
- SPECIFIC_SERVER_PLUG_INIT( crammd5, "CRAM-MD5" ),
- SPECIFIC_CLIENT_PLUG_INIT( crammd5, "CRAM-MD5" ),
-#endif
 #ifdef STATIC_GSSAPIV2
 SPECIFIC_SERVER_PLUG_INIT( gssapiv2, "GSSAPI" ),
 SPECIFIC_CLIENT_PLUG_INIT( gssapiv2, "GSSAPI" ),
diff --git a/m4/openssl.m4 b/m4/openssl.m4
index 67b89063..6f99e6e3 100644
--- a/m4/openssl.m4
+++ b/m4/openssl.m4
@@ -28,10 +28,7 @@ AC_ARG_WITH(openssl,
 AC_CHECK_LIB(crypto, EVP_DigestInit,
 [AC_CHECK_LIB(crypto, SHA512,
 AC_DEFINE(HAVE_SHA512,[],
- [Do we have SHA512?]))
- AC_CHECK_LIB(crypto, MD5_Init,
- AC_DEFINE(HAVE_MD5,[],
- [Do we have legacy MD5?]))],
+ [Do we have SHA512?]))],
 with_openssl="no", $LIB_RSAREF)],
 with_openssl="no")
 ])
diff --git a/mac/include/sasl_crammd5_plugin_decl.h b/mac/include/sasl_crammd5_plugin_decl.h
deleted file mode 100755
index 285bad2c..00000000
--- a/mac/include/sasl_crammd5_plugin_decl.h
+++ /dev/null
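Review bot: Dropping the `MD5_Init` probe removes the `HAVE_MD5` define for the whole tree, not only for the deleted CRAM-MD5 plugin, so any `#ifdef HAVE_MD5` region that survives outside this patch would now compile out silently instead of failing the build. `sasl_checkapop` is retained (see the include/sasl.h hunk) and APOP is an MD5-based exchange, so its implementation should be confirmed not to depend on this define; a grep for `HAVE_MD5` after applying the patch would settle it. The diffstat lists a two-line deletion in win32/include/config.h that presumably mirrors this removal on Windows. If the define is meant to stay gone, a short note in the configure summary saying that MD5 is no longer probed would help packagers who key off it.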
@@ -1,5 +0,0 @@
-#ifdef SASL_MONOLITHIC
-#define sasl_server_plug_init cram_sasl_server_plug_init
-#define sasl_client_plug_init cram_sasl_client_plug_init
-#endif
-#include 
diff --git a/mac/mac_lib/mac_monolithic_dlopen.c b/mac/mac_lib/mac_monolithic_dlopen.c
index 99ed065c..68119090 100755
--- a/mac/mac_lib/mac_monolithic_dlopen.c
+++ b/mac/mac_lib/mac_monolithic_dlopen.c
@@ -53,10 +53,6 @@
 #undef sasl_server_plug_init
 #undef sasl_client_plug_init
 
-#include 
-#undef sasl_server_plug_init
-#undef sasl_client_plug_init
-
 #include 
 #undef sasl_server_plug_init
 #undef sasl_client_plug_init
@@ -76,13 +72,11 @@ int _sasl_get_mech_list(const char *entryname,
 if(strcmp(entryname,"sasl_client_plug_init")==0) {
 (*add_plugin)(kerberos4_sasl_client_plug_init,(void*)1);
 (*add_plugin)(anonymous_sasl_client_plug_init,(void*)1);
- (*add_plugin)(cram_sasl_client_plug_init,(void*)1);
 (*add_plugin)(scram_sasl_client_plug_init,(void*)1);
 (*add_plugin)(plain_sasl_client_plug_init,(void*)1);
 } else if(strcmp(entryname,"sasl_server_plug_init")==0) {
 (*add_plugin)(kerberos4_sasl_server_plug_init,(void*)1);
 (*add_plugin)(anonymous_sasl_server_plug_init,(void*)1);
- (*add_plugin)(cram_sasl_server_plug_init,(void*)1);
 (*add_plugin)(scram_sasl_server_plug_init,(void*)1);
 (*add_plugin)(plain_sasl_server_plug_init,(void*)1);
 } else
diff --git a/plugins/Makefile.am b/plugins/Makefile.am
index dc39b7b0..05d4f0c1 100644
--- a/plugins/Makefile.am
+++ b/plugins/Makefile.am
@@ -73,7 +73,7 @@ endif
 
 plugindir = @plugindir@
 plugin_LTLIBRARIES = @SASL_MECHS@
-EXTRA_LTLIBRARIES = libplain.la libanonymous.la libcrammd5.la \
+EXTRA_LTLIBRARIES = libplain.la libanonymous.la \
 libgs2.la libgssapiv2.la liblogin.la libsrp.la libotp.la \
 libscram.la libpassdss.la libsasldb.la libsql.la libldapdb.la libopaque.la
 
@@ -93,10 +93,6 @@ libgssapiv2_la_SOURCES = gssapi.c gssapiv2_init.c
 libgssapiv2_la_DEPENDENCIES = $(COMPAT_OBJS) $(PLUGIN_COMMON_OBJS)
 libgssapiv2_la_LIBADD = $(GSSAPIBASE_LIBS) $(GSSAPI_LIBS) $(LIB_SOCKET) $(COMPAT_OBJS) $(PLUGIN_COMMON_OBJS)
-libcrammd5_la_SOURCES = cram.c crammd5_init.c
-libcrammd5_la_DEPENDENCIES = $(COMPAT_OBJS) $(PLUGIN_COMMON_OBJS)
-libcrammd5_la_LIBADD = $(LIB_SOCKET) $(COMPAT_OBJS) $(PLUGIN_COMMON_OBJS)
-
 libscram_la_SOURCES = scram.c scram_init.c
 libscram_la_DEPENDENCIES = $(COMPAT_OBJS) $(PLUGIN_COMMON_OBJS)
 libscram_la_LIBADD = $(SCRAM_LIBS) $(LIB_SOCKET) $(COMPAT_OBJS) $(PLUGIN_COMMON_OBJS)
@@ -138,7 +134,7 @@ libsql_la_LIBADD = $(COMPAT_OBJS) $(PLUGIN_COMMON_OBJS)
 # Instructions for making the _init files
-init_src=anonymous_init.c crammd5_init.c scram_init.c gs2_init.c gssapiv2_init.c \
+init_src=anonymous_init.c scram_init.c gs2_init.c gssapiv2_init.c \
 login_init.c plain_init.c srp_init.c opaque_init.c otp_init.c \
 passdss_init.c sasldb_init.c sql_init.c ldapdb_init.c
diff --git a/plugins/NTMakefile b/plugins/NTMakefile
index 890062da..b71872ea 100755
--- a/plugins/NTMakefile
+++ b/plugins/NTMakefile
@@ -40,13 +40,12 @@ SQLITE_LIBS = "/libpath:$(SQLITE_LIBPATH3)" libsqlite3.lib
 PLUGINS=saslANONYMOUS.dll \
 saslPLAIN.dll \
- saslCRAMMD5.dll \
 saslLOGIN.dll \
 saslSCRAM.dll \
 $(PLUGINS_EXT) \
 saslSASLDB.dll
-generated_rc=saslANONYMOUS.rc saslPLAIN.rc saslCRAMMD5.rc saslLOGIN.rc saslSCRAM.rc saslGSSAPI.rc saslSRP.rc saslOTP.rc saslSASLDB.rc saslSQLITE.rc saslLDAPDB.rc
+generated_rc=saslANONYMOUS.rc saslPLAIN.rc saslLOGIN.rc saslSCRAM.rc saslGSSAPI.rc saslSRP.rc saslOTP.rc saslSASLDB.rc saslSQLITE.rc saslLDAPDB.rc
 # WS2tcpip.h included in Visual Studio 7 provides getaddrinfo, ...
 # emulation on Windows, so there is no need to build getaddrinfo.c
@@ -63,9 +62,6 @@ saslANONYMOUS_out = saslANONYMOUS.dll saslANONYMOUS.exp saslANONYMOUS.lib
 saslPLAIN_objs = plain.obj plain_init.obj $(common_objs)
 saslPLAIN_out = saslPLAIN.dll saslPLAIN.exp saslPLAIN.lib
-saslCRAMMD5_objs = cram.obj crammd5_init.obj $(common_objs)
-saslCRAMMD5_out = saslCRAMMD5.dll saslCRAMMD5.exp saslCRAMMD5.lib
-
 saslLOGIN_objs = login.obj login_init.obj $(common_objs)
 saslLOGIN_out = saslLOGIN.dll saslLOGIN.exp saslLOGIN.lib
@@ -116,15 +112,13 @@ DB_LIBS="/libpath:$(LMDB_LIBPATH)" lmdb.lib
 libsasldb_objs = allockey.obj db_lmdb.obj
 !ENDIF
-CRAM_FLAGS=/DOBSOLETE_CRAM_ATTR=1
-
 SCRAM_FLAGS=/DHAVE_SHA512=1
 saslSASLDB_objs = sasldb.obj sasldb_init.obj $(libsasldb_objs) $(common_objs)
 saslSASLDB_out = saslSASLDB.dll saslSASLDB.exp saslSASLDB.lib
-all_objs = $(saslANONYMOUS_objs) $(saslPLAIN_objs) $(saslCRAMMD5_objs) $(saslLOGIN_objs) $(saslSCRAM_objs) $(saslGSSAPI_objs) $(saslSRP_objs) $(saslOTP_objs) $(saslSASLDB_objs) $(saslSQL_objs) $(saslLDAPDB_objs)
-all_out = $(saslANONYMOUS_out) $(saslPLAIN_out) $(saslCRAMMD5_out) $(saslLOGIN_out) $(saslSCRAM_out) $(saslGSSAPI_out) $(saslSRP_out) $(saslOTP_out) $(saslSASLDB_out) $(saslSQL_out) $(saslLDAPDB_out)
+all_objs = $(saslANONYMOUS_objs) $(saslPLAIN_objs) $(saslLOGIN_objs) $(saslSCRAM_objs) $(saslGSSAPI_objs) $(saslSRP_objs) $(saslOTP_objs) $(saslSASLDB_objs) $(saslSQL_objs) $(saslLDAPDB_objs)
+all_out = $(saslANONYMOUS_out) $(saslPLAIN_out) $(saslLOGIN_out) $(saslSCRAM_out) $(saslGSSAPI_out) $(saslSRP_out) $(saslOTP_out) $(saslSASLDB_out) $(saslSQL_out) $(saslLDAPDB_out)
 # LIBSASL_EXPORTS is required to export additional DB routines from sasldb
 DB_FLAGS = /I "$(DB_INCLUDE)" /I "..\sasldb" /D "LIBSASL_EXPORTS" /D "KEEP_DB_OPEN"
@@ -133,7 +127,7 @@ DB_FLAGS = /I "$(DB_INCLUDE)" /I "..\sasldb" /D "LIBSASL_EXPORTS" /D "KEEP_DB_OP
 EXTRA_FLAGS = /D TARGET_WIN_SYSTEM=$(TARGET_WIN_SYSTEM) $(EXTRA_FLAGS)
 !ENDIF
-EXTRA_FLAGS=$(EXTRA_FLAGS) $(DB_FLAGS) $(OPENSSL_FLAGS) $(GSS_FLAGS) $(SRP_FLAGS) $(SQL_FLAGS) $(CRAM_FLAGS) $(SCRAM_FLAGS) $(LDAP_FLAGS)
+EXTRA_FLAGS=$(EXTRA_FLAGS) $(DB_FLAGS) $(OPENSSL_FLAGS) $(GSS_FLAGS) $(SRP_FLAGS) $(SQL_FLAGS) $(SCRAM_FLAGS) $(LDAP_FLAGS)
 CPPFLAGS = /I "..\win32\include" /I "." /I "..\include" /I "..\common" $(EXTRA_FLAGS) /D "_WIN32" $(COMMON_CPPFLAGS)
 OPENSSL_LIBS="/libpath:$(OPENSSL_LIBPATH)"
@@ -182,11 +176,6 @@ saslPLAIN.dll: $(saslPLAIN_objs) saslPLAIN.res
 <<
 IF EXIST $@.manifest mt -manifest $@.manifest -outputresource:$@;2
-saslCRAMMD5.dll: $(saslCRAMMD5_objs) saslCRAMMD5.res
- $(LINK32DLL) @<< $(LINK32DLL_FLAGS) /out:"saslCRAMMD5.dll" /implib:"saslCRAMMD5.lib" $(saslCRAMMD5_objs) saslCRAMMD5.res
-<<
- IF EXIST $@.manifest mt -manifest $@.manifest -outputresource:$@;2
-
 saslLOGIN.dll: $(saslLOGIN_objs) saslLOGIN.res
 $(LINK32DLL) @<< $(LINK32DLL_FLAGS) /out:"saslLOGIN.dll" /implib:"saslLOGIN.lib" $(saslLOGIN_objs) saslLOGIN.res
 <<
diff --git a/plugins/cram.c b/plugins/cram.c
deleted file mode 100644
index 6598ea69..00000000
--- a/plugins/cram.c
+++ /dev/null
@@ -1,692 +0,0 @@
-/* CRAM-MD5 SASL plugin
- * Rob Siemborski
- * Tim Martin
- */
-/*
- * Copyright (c) 1998-2016 Carnegie Mellon University. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. The name "Carnegie Mellon University" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For permission or any other legal
- * details, please contact
- * Carnegie Mellon University
- * Center for Technology Transfer and Enterprise Creation
- * 4615 Forbes Avenue
- * Suite 302
- * Pittsburgh, PA 15213
- * (412) 268-7393, fax: (412) 268-7395
- * innovation@andrew.cmu.edu
- *
- * 4. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by Computing Services
- * at Carnegie Mellon University (http://www.cmu.edu/computing/)."
- *
- * CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO
- * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE
- * FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
- * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
- * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include
-
-#include
-#include
-#include
-#ifndef macintosh
-#include
-#endif
-#include
-
-#ifdef HAVE_TIME_H
-#include
-#endif
-
-#include
-#include
-#include
-
-#include
-
-#include "plugin_common.h"
-
-#ifdef macintosh
-#include
-#endif
-
-/***************************** Common Section *****************************/
-
-/* convert a string of 8bit chars to it's representation in hex
- * using lowercase letters
- */
-static char *convert16(unsigned char *in, int inlen, const sasl_utils_t *utils)
-{
- static char hex[]="0123456789abcdef";
- int lup;
- char *out;
-
- out = utils->malloc(inlen*2+1);
- if (out == NULL) return NULL;
-
- for (lup=0; lup < inlen; lup++) {
- out[lup*2] = hex[in[lup] >> 4];
- out[lup*2+1] = hex[in[lup] & 15];
- }
-
- out[lup*2] = 0;
- return out;
-}
-
-
-/***************************** Server Section *****************************/
-
-typedef struct server_context {
- int state;
-
- char *challenge;
-} server_context_t;
-
-static int
-crammd5_server_mech_new(void *glob_context __attribute__((unused)),
- sasl_server_params_t *sparams,
- const char *challenge __attribute__((unused)),
- unsigned challen __attribute__((unused)),
- void **conn_context)
-{
- server_context_t *text;
-
- /* holds state are in */
- text = sparams->utils->malloc(sizeof(server_context_t));
- if (text == NULL) {
- MEMERROR( sparams->utils );
- return SASL_NOMEM;
- }
-
- memset(text, 0, sizeof(server_context_t));
-
- text->state = 1;
-
- *conn_context = text;
-
- return SASL_OK;
-}
-
-/*
- * Returns the current time (or part of it) in string form
- * maximum length=15
- */
-static char *gettime(sasl_server_params_t *sparams)
-{
- char *ret;
- time_t t;
-
- t=time(NULL);
- ret= sparams->utils->malloc(15);
- if (ret==NULL) return NULL;
-
- /* the bottom bits are really the only random ones so if
- we overflow we don't want to loose them */
- snprintf(ret,15,"%lu",t%(0xFFFFFF));
-
- return ret;
-}
-
-static char *randomdigits(sasl_server_params_t *sparams)
-{
- unsigned int num;
- char *ret;
- unsigned char temp[5]; /* random 32-bit number */
-
- sparams->utils->rand(sparams->utils->rpool,(char *) temp,4);
- num=(temp[0] * 256 * 256 * 256) +
- (temp[1] * 256 * 256) +
- (temp[2] * 256) +
- (temp[3] );
-
- ret = sparams->utils->malloc(15); /* there's no way an unsigned can be longer than this right? */
- if (ret == NULL) return NULL;
- sprintf(ret, "%u", num);
-
- return ret;
-}
-
-static int
-crammd5_server_mech_step1(server_context_t *text,
- sasl_server_params_t *sparams,
- const char *clientin __attribute__((unused)),
- unsigned clientinlen,
- const char **serverout,
- unsigned *serveroutlen,
- sasl_out_params_t *oparams __attribute__((unused)))
-{
- char *time, *randdigits;
-
- /* we shouldn't have received anything */
- if (clientinlen != 0) {
- SETERROR(sparams->utils, "CRAM-MD5 does not accept initial data");
- return SASL_BADPROT;
- }
-
- /* get time and a random number for the nonce */
- time = gettime(sparams);
- randdigits = randomdigits(sparams);
- if ((time == NULL) || (randdigits == NULL)) {
- MEMERROR( sparams->utils );
- return SASL_NOMEM;
- }
-
- /* allocate some space for the challenge */
- text->challenge = sparams->utils->malloc(200 + 1);
- if (text->challenge == NULL) {
- MEMERROR(sparams->utils);
- return SASL_NOMEM;
- }
-
- /* create the challenge */
- snprintf(text->challenge, 200, "<%s.%s@%s>", randdigits, time,
- sparams->serverFQDN);
-
- *serverout = text->challenge;
- *serveroutlen = (unsigned) strlen(text->challenge);
-
- /* free stuff */
- sparams->utils->free(time);
- sparams->utils->free(randdigits);
-
- text->state = 2;
-
- return SASL_CONTINUE;
-}
-
-static int
-crammd5_server_mech_step2(server_context_t *text,
- sasl_server_params_t *sparams,
- const char *clientin,
- unsigned clientinlen,
- const char **serverout __attribute__((unused)),
- unsigned *serveroutlen __attribute__((unused)),
- sasl_out_params_t *oparams)
-{
- char *userid = NULL;
- sasl_secret_t *sec = NULL;
- int pos;
- size_t len;
- int result = SASL_FAIL;
- const char *password_request[] = { SASL_AUX_PASSWORD,
-#if defined(OBSOLETE_CRAM_ATTR)
- "*cmusaslsecretCRAM-MD5",
-#endif
- NULL };
- struct propval auxprop_values[3];
- HMAC_MD5_CTX tmphmac;
- HMAC_MD5_STATE md5state;
- int clear_md5state = 0;
- char *digest_str = NULL;
- uint32_t digest[4];
-
- /* extract userid; everything before last space */
- pos = clientinlen-1;
- while ((pos > 0) && (clientin[pos] != ' ')) pos--;
-
- if (pos <= 0) {
- SETERROR( sparams->utils,"need authentication name");
- return SASL_BADPROT;
- }
-
- userid = (char *) sparams->utils->malloc(pos+1);
- if (userid == NULL) {
- MEMERROR( sparams->utils);
- return SASL_NOMEM;
- }
-
- /* copy authstr out */
- memcpy(userid, clientin, pos);
- userid[pos] = '\0';
-
- result = sparams->utils->prop_request(sparams->propctx, password_request);
- if (result != SASL_OK) goto done;
-
- /* this will trigger the getting of the aux properties */
- result = sparams->canon_user(sparams->utils->conn,
- userid, 0, SASL_CU_AUTHID | SASL_CU_AUTHZID,
- oparams);
- if (result != SASL_OK) goto done;
-
- result = sparams->utils->prop_getnames(sparams->propctx,
- password_request,
- auxprop_values);
- if (result < 0 ||
- ((!auxprop_values[0].name || !auxprop_values[0].values)
-#if defined(OBSOLETE_CRAM_ATTR)
- && (!auxprop_values[1].name || !auxprop_values[1].values)
-#endif
- )) {
- /* We didn't find this username */
- sparams->utils->seterror(sparams->utils->conn,0,
- "no secret in database");
- result = sparams->transition ? SASL_TRANS : SASL_NOUSER;
- goto done;
- }
-
- if (auxprop_values[0].name && auxprop_values[0].values) {
- len = strlen(auxprop_values[0].values[0]);
- if (len == 0) {
- sparams->utils->seterror(sparams->utils->conn,0,
- "empty secret");
- result = SASL_FAIL;
- goto done;
- }
-
- sec = sparams->utils->malloc(sizeof(sasl_secret_t) + len);
- if (!sec) goto done;
-
- sec->len = (unsigned) len;
- strncpy((char *)sec->data, auxprop_values[0].values[0], len + 1);
-
- clear_md5state = 1;
- /* Do precalculation on plaintext secret */
- sparams->utils->hmac_md5_precalc(&md5state, /* OUT */
- sec->data,
- sec->len);
-#if defined(OBSOLETE_CRAM_ATTR)
- } else if (auxprop_values[1].name && auxprop_values[1].values) {
- /* We have a precomputed secret */
- memcpy(&md5state, auxprop_values[1].values[0],
- sizeof(HMAC_MD5_STATE));
-#endif
- } else {
- sparams->utils->seterror(sparams->utils->conn, 0,
- "Have neither type of secret");
- return SASL_FAIL;
- }
-
- /* erase the plaintext password */
- sparams->utils->prop_erase(sparams->propctx, password_request[0]);
-
- /* ok this is annoying:
- so we have this half-way hmac transform instead of the plaintext
- that means we have to:
- -import it back into a md5 context
- -do an md5update with the nonce
- -finalize it
- */
- sparams->utils->hmac_md5_import(&tmphmac, (HMAC_MD5_STATE *) &md5state);
- sparams->utils->hmac_md5_update(&tmphmac,
- text->challenge,
- (unsigned) strlen(text->challenge));
- sparams->utils->hmac_md5_final((unsigned char *) &digest, &tmphmac);
-
- /* convert to base 16 with lower case letters */
- digest_str = convert16((unsigned char *) digest, 16, sparams->utils);
-
- /* if same then verified
- * - we know digest_str is null terminated but clientin might not be
- * - verify the length of clientin anyway!
- */
- len = strlen(digest_str);
- if (clientinlen-pos-1 < len ||
- strncmp(digest_str, clientin+pos+1, len) != 0) {
- sparams->utils->seterror(sparams->utils->conn, 0,
- "incorrect digest response");
- result = SASL_BADAUTH;
- goto done;
- }
-
- /* set oparams */
- oparams->doneflag = 1;
- oparams->mech_ssf = 0;
- oparams->maxoutbuf = 0;
- oparams->encode_context = NULL;
- oparams->encode = NULL;
- oparams->decode_context = NULL;
- oparams->decode = NULL;
- oparams->param_version = 0;
-
- result = SASL_OK;
-
- done:
- if (userid) sparams->utils->free(userid);
- if (sec) _plug_free_secret(sparams->utils, &sec);
-
- if (digest_str) sparams->utils->free(digest_str);
- if (clear_md5state) memset(&md5state, 0, sizeof(md5state));
-
- return result;
-}
-
-static int crammd5_server_mech_step(void *conn_context,
- sasl_server_params_t *sparams,
- const char *clientin,
- unsigned clientinlen,
- const char **serverout,
- unsigned *serveroutlen,
- sasl_out_params_t *oparams)
-{
- server_context_t *text = (server_context_t *) conn_context;
-
- *serverout = NULL;
- *serveroutlen = 0;
-
- if (text == NULL) {
- return SASL_BADPROT;
- }
-
- /* this should be well more than is ever needed */
- if (clientinlen > 1024) {
- SETERROR(sparams->utils, "CRAM-MD5 input longer than 1024 bytes");
- return SASL_BADPROT;
- }
-
- switch (text->state) {
-
- case 1:
- return crammd5_server_mech_step1(text, sparams,
- clientin, clientinlen,
- serverout, serveroutlen,
- oparams);
-
- case 2:
- return crammd5_server_mech_step2(text, sparams,
- clientin, clientinlen,
- serverout, serveroutlen,
- oparams);
-
- default: /* should never get here */
- sparams->utils->log(NULL, SASL_LOG_ERR,
- "Invalid CRAM-MD5 server step %d\n", text->state);
- return SASL_FAIL;
- }
-
- return SASL_FAIL; /* should never get here */
-}
-
-static void crammd5_server_mech_dispose(void *conn_context,
- const sasl_utils_t *utils)
-{
- server_context_t *text = (server_context_t *) conn_context;
-
- if (!text) return;
-
- if (text->challenge) _plug_free_string(utils,&(text->challenge));
-
- utils->free(text);
-}
-
-static sasl_server_plug_t crammd5_server_plugins[] =
-{
- {
- "CRAM-MD5", /* mech_name */
- 0, /* max_ssf */
- SASL_SEC_NOPLAINTEXT
- | SASL_SEC_NOANONYMOUS, /* security_flags */
- SASL_FEAT_SERVER_FIRST, /* features */
- NULL, /* glob_context */
- &crammd5_server_mech_new, /* mech_new */
- &crammd5_server_mech_step, /* mech_step */
- &crammd5_server_mech_dispose, /* mech_dispose */
- NULL, /* mech_free */
- NULL, /* setpass */
- NULL, /* user_query */
- NULL, /* idle */
- NULL, /* mech avail */
- NULL /* spare */
- }
-};
-
-int crammd5_server_plug_init(const sasl_utils_t *utils,
- int maxversion,
- int *out_version,
- sasl_server_plug_t **pluglist,
- int *plugcount)
-{
- if (maxversion < SASL_SERVER_PLUG_VERSION) {
- SETERROR( utils, "CRAM version mismatch");
- return SASL_BADVERS;
- }
-
- *out_version = SASL_SERVER_PLUG_VERSION;
- *pluglist = crammd5_server_plugins;
- *plugcount = 1;
-
- return SASL_OK;
-}
-
-/***************************** Client Section *****************************/
-
-typedef struct client_context {
- char *out_buf;
- unsigned out_buf_len;
-} client_context_t;
-
-static int crammd5_client_mech_new(void *glob_context __attribute__((unused)),
- sasl_client_params_t *params,
- void **conn_context)
-{
- client_context_t *text;
-
- /* holds state are in */
- text = params->utils->malloc(sizeof(client_context_t));
- if (text == NULL) {
- MEMERROR(params->utils);
- return SASL_NOMEM;
- }
-
- memset(text, 0, sizeof(client_context_t));
-
- *conn_context = text;
-
- return SASL_OK;
-}
-
-static char *make_hashed(sasl_secret_t *sec, const unsigned char *nonce,
- int noncelen, const sasl_utils_t *utils)
-{
- unsigned char digest[24];
- char *in16;
-
- if (sec == NULL) return NULL;
-
- /* do the hmac md5 hash output 128 bits */
- HMAC(EVP_md5(), sec->data, sec->len, nonce, noncelen, digest, NULL);
-
- /* convert that to hex form */
- in16 = convert16(digest, 16, utils);
- if (in16 == NULL) return NULL;
-
- return in16;
-}
-
-static int crammd5_client_mech_step(void *conn_context,
- sasl_client_params_t *params,
- const char *serverin,
- unsigned serverinlen,
- sasl_interact_t **prompt_need,
- const char **clientout,
- unsigned *clientoutlen,
- sasl_out_params_t *oparams)
-{
- client_context_t *text = (client_context_t *) conn_context;
- const char *authid = NULL;
- sasl_secret_t *password = NULL;
- unsigned int free_password = 0; /* set if we need to free password */
- int auth_result = SASL_OK;
- int pass_result = SASL_OK;
- int result;
- size_t maxsize;
- char *in16 = NULL;
-
- *clientout = NULL;
- *clientoutlen = 0;
-
- /* First check for absurd lengths */
- if (serverinlen > 1024) {
- params->utils->seterror(params->utils->conn, 0,
- "CRAM-MD5 input longer than 1024 bytes");
- return SASL_BADPROT;
- }
-
- /* check if sec layer strong enough */
- if (params->props.min_ssf > params->external_ssf) {
- SETERROR( params->utils, "SSF requested of CRAM-MD5 plugin");
- return SASL_TOOWEAK;
- }
-
- /* try to get the userid */
- if (oparams->authid == NULL) {
- auth_result=_plug_get_authid(params->utils, &authid, prompt_need);
-
- if ((auth_result != SASL_OK) && (auth_result != SASL_INTERACT))
- return auth_result;
- }
-
- /* try to get the password */
- if (password == NULL) {
- pass_result=_plug_get_password(params->utils, &password,
- &free_password, prompt_need);
-
- if ((pass_result != SASL_OK) && (pass_result != SASL_INTERACT))
- return pass_result;
- }
-
- /* free prompts we got */
- if (prompt_need && *prompt_need) {
- params->utils->free(*prompt_need);
- *prompt_need = NULL;
- }
-
- /* if there are prompts not filled in */
- if ((auth_result == SASL_INTERACT) || (pass_result == SASL_INTERACT)) {
- /* make the prompt list */
- result =
- _plug_make_prompts(params->utils, prompt_need,
- NULL, NULL,
- auth_result == SASL_INTERACT ?
- "Please enter your authentication name" : NULL,
- NULL,
- pass_result == SASL_INTERACT ?
- "Please enter your password" : NULL, NULL,
- NULL, NULL, NULL,
- NULL, NULL, NULL);
- if (result != SASL_OK) goto cleanup;
-
- return SASL_INTERACT;
- }
-
- if (!password) {
- PARAMERROR(params->utils);
- return SASL_BADPARAM;
- }
-
- result = params->canon_user(params->utils->conn, authid, 0,
- SASL_CU_AUTHID | SASL_CU_AUTHZID, oparams);
- if (result != SASL_OK) goto cleanup;
-
- /*
- * username SP digest (keyed md5 where key is passwd)
- */
-
- in16 = make_hashed(password, (const unsigned char *) serverin, serverinlen,
- params->utils);
-
- if (in16 == NULL) {
- SETERROR(params->utils, "whoops, make_hashed failed us this time");
- result = SASL_FAIL;
- goto cleanup;
- }
-
- maxsize = 32+1+strlen(oparams->authid)+30;
- result = _plug_buf_alloc(params->utils, &(text->out_buf),
- &(text->out_buf_len), (unsigned) maxsize);
- if (result != SASL_OK) goto cleanup;
-
- snprintf(text->out_buf, maxsize, "%s %s", oparams->authid, in16);
-
- *clientout = text->out_buf;
- *clientoutlen = (unsigned) strlen(*clientout);
-
- /* set oparams */
- oparams->doneflag = 1;
- oparams->mech_ssf = 0;
- oparams->maxoutbuf = 0;
- oparams->encode_context = NULL;
- oparams->encode = NULL;
- oparams->decode_context = NULL;
- oparams->decode = NULL;
- oparams->param_version = 0;
-
- result = SASL_OK;
-
- cleanup:
- /* get rid of private information */
- if (in16) _plug_free_string(params->utils, &in16);
-
- /* get rid of all sensitive info */
- if (free_password) _plug_free_secret(params-> utils, &password);
-
- return result;
-}
-
-static void crammd5_client_mech_dispose(void *conn_context,
- const sasl_utils_t *utils)
-{
- client_context_t *text = (client_context_t *) conn_context;
-
- if (!text) return;
-
- if (text->out_buf) utils->free(text->out_buf);
-
- utils->free(text);
-}
-
-static sasl_client_plug_t crammd5_client_plugins[] =
-{
- {
- "CRAM-MD5", /* mech_name */
- 0, /* max_ssf */
- SASL_SEC_NOPLAINTEXT
- | SASL_SEC_NOANONYMOUS, /* security_flags */
- SASL_FEAT_SERVER_FIRST, /* features */
- NULL, /* required_prompts */
- NULL, /* glob_context */
- &crammd5_client_mech_new, /* mech_new */
- &crammd5_client_mech_step, /* mech_step */
- &crammd5_client_mech_dispose, /* mech_dispose */
- NULL, /* mech_free */
- NULL, /* idle */
- NULL, /* spare */
- NULL /* spare */
- }
-};
-
-int crammd5_client_plug_init(const sasl_utils_t *utils,
- int maxversion,
- int *out_version,
- sasl_client_plug_t **pluglist,
- int *plugcount)
-{
- if (maxversion < SASL_CLIENT_PLUG_VERSION) {
- SETERROR( utils, "CRAM version mismatch");
- return SASL_BADVERS;
- }
-
- *out_version = SASL_CLIENT_PLUG_VERSION;
- *pluglist = crammd5_client_plugins;
- *plugcount = 1;
-
- return SASL_OK;
-}
diff --git a/plugins/makeinit.sh b/plugins/makeinit.sh
index 6852307b..029cb051 100644
--- a/plugins/makeinit.sh
+++ b/plugins/makeinit.sh
@@ -1,6 +1,6 @@
 plugin_init="$1"
 # mechanism plugins
-for mech in anonymous crammd5 scram gssapiv2 login opaque otp passdss plain srp gs2; do
+for mech in anonymous scram gssapiv2 login opaque otp passdss plain srp gs2; do
 if [ ${plugin_init} = "${mech}_init.c" ];then
 echo "
diff --git a/saslauthd/LDAP_SASLAUTHD b/saslauthd/LDAP_SASLAUTHD
index 52b43bd5..e0aa76a1 100644
--- a/saslauthd/LDAP_SASLAUTHD
+++ b/saslauthd/LDAP_SASLAUTHD
@@ -256,7 +256,7 @@ SASL bind should be used with the 'fastbind' auth_method:
 ldap_servers: ldaps://10.1.1.2/
 ldap_use_sasl: yes
-ldap_mech: CRAM-MD5
+ldap_mech: SCRAM-SHA-512
 ldap_auth_method: fastbind
 At this time this is not the best performing solution because openldap (2.1.x)
diff --git a/saslauthd/saslauthd-main.c b/saslauthd/saslauthd-main.c
index ca88c6f2..855d7901 100644
--- a/saslauthd/saslauthd-main.c
+++ b/saslauthd/saslauthd-main.c
@@ -62,7 +62,7 @@
 * code that requires superuser privileges (for example, access to
 * the shadow password file) into a single easily audited module. It
 * can also act as an authentication proxy between plaintext-equivelent
- * authentication schemes (i.e. CRAM-MD5) and more secure authentication
+ * authentication schemes (e.g. SCRAM-SHA-512) and more secure authentication
 * services such as Kerberos, although such usage is STRONGLY discouraged
 * because it exposes the strong credentials via the insecure plaintext
 * mechanisms.
diff --git a/utils/saslpasswd.c b/utils/saslpasswd.c
index ff1702a5..b1168f70 100644
--- a/utils/saslpasswd.c
+++ b/utils/saslpasswd.c
@@ -430,8 +430,7 @@ main(int argc, char *argv[])
 exit_sasl(result, NULL);
 else {
 struct propctx *propctx = NULL;
- const char *delete_request[] = { "cmusaslsecretCRAM-MD5",
- "cmusaslsecretPLAIN",
+ const char *delete_request[] = { "cmusaslsecretPLAIN",
 NULL };
 int ret = SASL_OK;
 /* Either we were setting and succeeded or we were disabling and
@@ -443,7 +442,6 @@ main(int argc, char *argv[])
 if (!propctx) ret = SASL_FAIL;
 if (!ret) ret = prop_request(propctx, delete_request);
 if (!ret) {
- ret = prop_set(propctx, "cmusaslsecretCRAM-MD5", NULL, 0);
 ret = prop_set(propctx, "cmusaslsecretPLAIN", NULL, 0);
 ret = sasl_auxprop_store(conn, propctx, userid);
 }
diff --git a/win32/cyrus-sasl-all-in-one.sln b/win32/cyrus-sasl-all-in-one.sln
index a0425c1b..cb3d8187 100644
--- a/win32/cyrus-sasl-all-in-one.sln
+++ b/win32/cyrus-sasl-all-in-one.sln
@@ -22,9 +22,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution
 ..\include\exits.h = ..\include\exits.h
 ..\include\gai.h = ..\include\gai.h
 generate_conan.cmd = generate_conan.cmd
- ..\include\hmac-md5.h = ..\include\hmac-md5.h
 makeinit.ps1 = makeinit.ps1
- ..\include\md5.h = ..\include\md5.h
 ..\include\prop.h = ..\include\prop.h
 README.md = README.md
 ..\include\sasl.h = ..\include\sasl.h
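Review bot: The replacement example on the added line contradicts the sentence it sits in: the comment presents saslauthd as a proxy for "plaintext-equivalent" schemes, but SCRAM-SHA-512 is a salted challenge/response mechanism in which the server checks a client proof rather than receiving the password, so it is not a scheme saslauthd could verify on a backend's behalf. A mechanism that actually hands the password over is the right illustration, e.g. ` * authentication schemes (e.g. PLAIN or LOGIN) and more secure authentication`. The untouched context line above still reads "plaintext-equivelent"; since this hunk already edits the sentence, correcting that spelling here would be cheap. The enclosing comment block begins above the hunk.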
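Review bot: Dropping `"cmusaslsecretCRAM-MD5"` from `delete_request` means saslpasswd no longer clears that property on existing entries, so auxprop stores written by earlier releases keep their stored CRAM-MD5 value after a password change or a disable; the plugin deleted in this same patch (plugins/cram.c) copied that value directly into its HMAC state with `memcpy(&md5state, auxprop_values[1].values[0], sizeof(HMAC_MD5_STATE))`, so it is password-equivalent material that still deserves scrubbing even though nothing consumes it any more. The second saslpasswd.c hunk has the same gap, as the removed `prop_set(propctx, "cmusaslsecretCRAM-MD5", NULL, 0);` is the call that would have erased it. Keeping both removed lines for at least one release, annotated with `/* legacy property: still cleared so old entries do not retain CRAM-MD5 state */`, would let existing databases drain naturally before the name is forgotten. `main` begins and ends outside these hunks.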
diff --git a/win32/cyrus-sasl-common.sln b/win32/cyrus-sasl-common.sln
index e2d5776b..120bdcfc 100644
--- a/win32/cyrus-sasl-common.sln
+++ b/win32/cyrus-sasl-common.sln
@@ -12,9 +12,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution
 ..\include\exits.h = ..\include\exits.h
 ..\include\gai.h = ..\include\gai.h
 generate_conan.cmd = generate_conan.cmd
- ..\include\hmac-md5.h = ..\include\hmac-md5.h
 makeinit.ps1 = makeinit.ps1
- ..\include\md5.h = ..\include\md5.h
 ..\include\prop.h = ..\include\prop.h
 README.md = README.md
 ..\include\sasl.h = ..\include\sasl.h
diff --git a/win32/cyrus-sasl-core.sln b/win32/cyrus-sasl-core.sln
index d34dde2d..87053dcf 100644
--- a/win32/cyrus-sasl-core.sln
+++ b/win32/cyrus-sasl-core.sln
@@ -22,9 +22,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution
 ..\include\exits.h = ..\include\exits.h
 ..\include\gai.h = ..\include\gai.h
 generate_conan.cmd = generate_conan.cmd
- ..\include\hmac-md5.h = ..\include\hmac-md5.h
 makeinit.ps1 = makeinit.ps1
- ..\include\md5.h = ..\include\md5.h
 ..\include\prop.h = ..\include\prop.h
 README.md = README.md
 ..\include\sasl.h = ..\include\sasl.h
diff --git a/win32/cyrus-sasl-gssapiv2.sln b/win32/cyrus-sasl-gssapiv2.sln
index d1e9df5c..eccabe00 100644
--- a/win32/cyrus-sasl-gssapiv2.sln
+++ b/win32/cyrus-sasl-gssapiv2.sln
@@ -12,9 +12,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution
 ..\include\exits.h = ..\include\exits.h
 ..\include\gai.h = ..\include\gai.h
 generate_conan.cmd = generate_conan.cmd
- ..\include\hmac-md5.h = ..\include\hmac-md5.h
 makeinit.ps1 = makeinit.ps1
- ..\include\md5.h = ..\include\md5.h
 ..\include\prop.h = ..\include\prop.h
 README.md = README.md
 ..\include\sasl.h = ..\include\sasl.h
diff --git a/win32/cyrus-sasl-sasldb.sln b/win32/cyrus-sasl-sasldb.sln
index 3aff5dc5..7f7024df 100644
--- a/win32/cyrus-sasl-sasldb.sln
+++ b/win32/cyrus-sasl-sasldb.sln
@@ -12,9 +12,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution
 ..\include\exits.h = ..\include\exits.h
 ..\include\gai.h = ..\include\gai.h
 generate_conan.cmd = generate_conan.cmd
- ..\include\hmac-md5.h = ..\include\hmac-md5.h
 makeinit.ps1 = makeinit.ps1
- ..\include\md5.h = ..\include\md5.h
 ..\include\prop.h = ..\include\prop.h
 README.md = README.md
 ..\include\sasl.h = ..\include\sasl.h
diff --git a/win32/include/config.h b/win32/include/config.h
index 27766219..94556d36 100755
--- a/win32/include/config.h
+++ b/win32/include/config.h
@@ -95,9 +95,7 @@ typedef int intptr_t;
 #ifndef NO_STATIC_PLUGINS
 /* which mechs can we link statically? */
 #define STATIC_ANONYMOUS 1
-/* #define STATIC_CRAMMD5 1 */
 /* #define STATIC_GSSAPIV2 1 */
-/* #undef STATIC_KERBEROS4 */
 #define STATIC_LOGIN 1
 /* #undef STATIC_MYSQL */
 /* #define STATIC_OTP 1 */
diff --git a/win32/makeinit.ps1 b/win32/makeinit.ps1
index 60c9967f..576041b7 100644
--- a/win32/makeinit.ps1
+++ b/win32/makeinit.ps1
@@ -1,4 +1,4 @@
-$mechanism = @("anonymous", "crammd5", "scram", "gssapiv2", "login", "otp", "passdss", "plain", "srp", "gs2")
+$mechanism = @("anonymous", "scram", "gssapiv2", "login", "otp", "passdss", "plain", "srp", "gs2")
 $pluginsDir = "..\plugins\"
 for ($i = 0; $i -le $mechanism.Count - 1; $i++)