add CRAM-MD5 auth support

RESOLVED FIXED in mozilla1.2alpha


MailNews Core
Networking: IMAP
18 years ago
10 years ago


(Reporter: Scott MacGregor, Assigned: Bienvenu)


Windows NT

Firefox Tracking Flags

(Not tracked)




(1 attachment)



18 years ago
There's a "new" imap exentions for authentication called CRAM MD-5. Full specs
can be found at the following RFC:

The big advantage of using CRAM over our current auth methods for imap, include
the fact that you are no longer sending clear text passwords (okay they were
base 64 encoded before...but that's still not secure!!) across the wire. Using
CRAM-MD5 you aren't sending the server your password at all. Instead, the server
gives the client a challenge which the client then runs through a keyed MD5 hash
computation using the password as the key. This hashed value is then sent to the

I wrote an implementation for imap while at mail connect to help our poor
standards story. I'm going to try to get permission to check this into beta2.

I've been trying to test it all weekend. Unfortunately, the current version of
psm expired this week so I always crash while trying to start up psm (I need psm
to access their MD5 hash implementation).

Hopefully iplanet will have the psm story fixed today and I can test this

Two more comments:
1) CRAM-MD5 can be re-used for pop and smtp.
2) At Mail Connect 11 out of the 12 companies there had servers which supported
CRAM-MD5. Our client has got to be able to do this!

Comment 1

18 years ago
I think it would be better for Mozilla to have its own MD5 implementation than 
try to reuse the one in PSM.  There are no export or patent issues and the code 
is small.

Comment 2

18 years ago
Should we implement DIGEST-MD5 too? Chris N. mentioned that DIGEST-MD5 is much 
better than CRAM-MD5. It works with a whole protocol suites.

Comment 3

18 years ago
I agree with John on the MD5 point. I've already emailed some guys over on
cartman to see if they would give me their source for the open source tree.

Jeff to answer your question about digest-MD5: 1) It's harder to implement and
as such is a harder sell the PDT team. 2) not as many servers supported it.

The big advantage there is that the server doesn't have to store the user's
password in clear text on the server side. And it can be shared with http.

I think the right thing for us is to focus on getting CRAM into the tree for
6.0. Digest MD5 would be great but is more work and not as big a bang for the
buck. Lets look at that for the next release.

Comment 4

18 years ago
I have this working in my tree. I still need to add an MD5 implementation to
xpcom/ds. I've set up the interface and the class but the actual MD5 methods
just call through to cartman instead of implementing it themselves.

I don't really think this feature is useable until I can get cartman out of the

Target Milestone: --- → M16

Comment 5

18 years ago
M16 has been out for a while now, these bugs target milestones need to be 


18 years ago
Target Milestone: M16 → M18


18 years ago
Target Milestone: M18 → ---

Comment 6

17 years ago
PSM 2.0 has landed, so you should be able to turn this code back on.


17 years ago
Severity: normal → enhancement

Comment 7

17 years ago
It would also be useful to be able to use CRAM-MD5 authentication for SMTP AUTH.
 I know it's supported by at least exim.

Comment 8

17 years ago
I've been working on adding CRAM-MD5 support for SMTP.
The code seems simple if I just copy the CRAM-MD5 encoding from
the IMAP code, however it's all commented out and I can't find 
nsIHashAlgorithm.h which presumably contains the MD5 code. There is
lots of hash-related code in security/nss/lib/...
Also there's a comment saying PSM 2.0 has landed ...
Can I help sort this out? I need to have CRAM-MD5 to be able to send mail
through my smtp server...

Comment 9

17 years ago
You can get MD5 hashes from nsISignatureVerifier

Comment 10

17 years ago
That's awesome news. So now I can get an inprocess MD-5 hash if PSM is part of
the build. I'll try to resurrect my MD5 code now. The big problem with it before
was I had to force the cartman process to start up as my MD5 hashing code needed
cartman. That made it take much too long to log into your mail account. 
Target Milestone: --- → mozilla1.0

Comment 11

16 years ago
Shouldn't this be SMTP rathter than IMAP?

Comment 12

16 years ago
This particular bug is for IMAP.  CRAM-MD5 is also useful for SMTP and POP,
though for POP APOP would be more useful than CRAM-MD5.

Comment 13

16 years ago
Moving Netscape owned 0.9.9 and 1.0 bugs that don't have an nsbeta1, nsbeta1+,
topembed, topembed+, Mozilla0.9.9+ or Mozilla1.0+ keyword.  Please send any
questions or feedback about this to  You can search for
"Moving bugs not scheduled for a project" to quickly delete this bugmail.
Target Milestone: mozilla1.0 → mozilla1.2


16 years ago
Blocks: 150212

Comment 14

15 years ago
I suggest grouping bugs: 169375, 150212, 41594 . I need this bug to be fixed
before I can make the switch from OE to Mozilla. My email service uses CRAM-MD5
auth. and I can not use it as an SMTP server until Mozillla supports this for SMTP.

Comment 15

15 years ago
*** Bug 198693 has been marked as a duplicate of this bug. ***

Comment 16

15 years ago
Here's some code that does an md5 hash. I don't know that this won't have the
same problem as mscott was describing (launching psm) but I'm guessing it won't.

#define DIGEST_LENGTH 16
  nsresult rv;
  HASHContextStr *hid;
  unsigned char cbuf[DIGEST_LENGTH], *chash = cbuf;
  PRUint32 clen;

  mVerifier = do_GetService(SIGNATURE_VERIFIER_CONTRACTID, &rv);
  rv = mVerifier->HashBegin(nsISignatureVerifier::MD5, &hid);
  if (NS_FAILED(rv)) return rv;

  rv = mVerifier->HashUpdate(hid, buf, len);
  if (NS_FAILED(rv)) return rv;

  rv = mVerifier->HashEnd(hid, &chash, &clen, DIGEST_LENGTH);
  if (NS_FAILED(rv)) return rv;

  memcpy(mHashBuf, chash, DIGEST_LENGTH);
  return NS_OK;

I'll try to write a little patch that at least compiles but I don't think I have
an cram-md5 server to test against.

Comment 17

15 years ago
I have some rough code to hook this up for imap, but I still need an imap server
to test it against. It turns out that none of the test servers I have access to
at the moment support cram-md5.

Comment 18

15 years ago
taking, patch upcoming for imap.
Assignee: mscott → bienvenu

Comment 19

15 years ago
Created attachment 118916 [details] [diff] [review]
proposed fix

this patch probably needs a little cleanup, but it does make cram-md5 work for
imap. Hooking it up to pop3 and smtp shouldn't be too hard. This does cause the
security dlls to get loaded

Comment 20

15 years ago
fix checked in, r/sr = sspitzer. We do CRAM-MD5, not CRAM-DIGEST.
Last Resolved: 15 years ago
Resolution: --- → FIXED
Product: MailNews → Core
Product: Core → MailNews Core
You need to log in before you can comment on or make changes to this bug.