There's a "new" IMAP extension for authentication called CRAM-MD5. Full specs can be found at the following RFC: http://www.imc.org/Searchable/rfc2195 The big advantage of using CRAM over our current auth methods for IMAP includes the fact that you are no longer sending clear-text passwords (okay, they were base64-encoded before... but that's still not secure!!) across the wire. Using CRAM-MD5 you aren't sending the server your password at all. Instead, the server gives the client a challenge which the client then runs through a keyed MD5 hash computation using the password as the key. This hashed value is then sent to the server. I wrote an implementation for IMAP while at Mail Connect to help our poor standards story. I'm going to try to get permission to check this into beta2. I've been trying to test it all weekend. Unfortunately, the current version of PSM expired this week so I always crash while trying to start up PSM (I need PSM to access their MD5 hash implementation). Hopefully iPlanet will have the PSM story fixed today and I can test this extension. Two more comments: 1) CRAM-MD5 can be re-used for POP and SMTP. 2) At Mail Connect 11 out of the 12 companies there had servers which supported CRAM-MD5. Our client has got to be able to do this!
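The exchange described above, worked through in Python as an added example (this is not code from the bug or from Mozilla): the "keyed MD5" is HMAC-MD5 from RFC 2104, written out by hand from plain MD5 so the construction is visible, with a client side that answers the challenge and a server side that checks it, verified against the RFC 2195 example (user "tim", secret "tanstaaftanstaaf").

```python
import base64
import hashlib
import hmac

BLOCK = 64  # MD5 block size in bytes, as used by RFC 2104


def keyed_md5(key: bytes, text: bytes) -> bytes:
    """HMAC-MD5 per RFC 2104: MD5((K ^ opad) || MD5((K ^ ipad) || text))."""
    if len(key) > BLOCK:
        key = hashlib.md5(key).digest()   # keys longer than a block are hashed first
    key = key.ljust(BLOCK, b"\x00")       # then zero-padded to exactly one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.md5(ipad + text).digest()
    return hashlib.md5(opad + inner).digest()


def cram_md5_response(challenge_b64: str, user: str, secret: str) -> str:
    """Client: decode the server's base64 challenge, key MD5 with the password,
    and reply base64("<user> <hex digest>"). The password itself is never sent."""
    challenge = base64.b64decode(challenge_b64)
    digest = keyed_md5(secret.encode(), challenge).hex()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def cram_md5_verify(challenge_b64: str, response_b64: str, secrets: dict) -> bool:
    """Server: recompute the digest for the claimed user with the stored secret
    (which is why CRAM-MD5 needs the plain secret on the server) and compare
    in constant time. Malformed responses are rejected rather than raising."""
    try:
        user, digest = base64.b64decode(response_b64).decode().split(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return False
    secret = secrets.get(user)
    if secret is None:
        return False
    expected = keyed_md5(secret.encode(), base64.b64decode(challenge_b64)).hex()
    return hmac.compare_digest(expected, digest)


# Test vector from RFC 2195 section 2: the server's "+ <challenge>" line and
# the client's reply, which decodes to "tim b913a602c7eda7a495b4e6e7334d3890".
RFC_CHALLENGE = "PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+"
RFC_RESPONSE = "dGltIGI5MTNhNjAyYzdlZGE3YTQ5NWI0ZTZlNzMzNGQzODkw"

if __name__ == "__main__":
    resp = cram_md5_response(RFC_CHALLENGE, "tim", "tanstaaftanstaaf")
    print("C:", resp, "(matches RFC 2195)" if resp == RFC_RESPONSE else "(MISMATCH)")
```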
I think it would be better for Mozilla to have its own MD5 implementation than try to reuse the one in PSM. There are no export or patent issues and the code is small.
Should we implement DIGEST-MD5 too? Chris N. mentioned that DIGEST-MD5 is much better than CRAM-MD5. It works with a whole suite of protocols.
I agree with John on the MD5 point. I've already emailed some guys over on cartman to see if they would give me their source for the open source tree. Jeff, to answer your question about DIGEST-MD5: 1) It's harder to implement and as such is a harder sell to the PDT team. 2) Not as many servers supported it. The big advantage there is that the server doesn't have to store the user's password in clear text on the server side. And it can be shared with HTTP. I think the right thing for us is to focus on getting CRAM into the tree for 6.0. DIGEST-MD5 would be great but is more work and not as big a bang for the buck. Let's look at that for the next release.
I have this working in my tree. I still need to add an MD5 implementation to xpcom/ds. I've set up the interface and the class, but the actual MD5 methods just call through to cartman instead of implementing it themselves. I don't really think this feature is usable until I can get cartman out of the process.
Target Milestone: --- → M16
M16 has been out for a while now; these bugs' target milestones need to be updated.
PSM 2.0 has landed, so you should be able to turn this code back on.
It would also be useful to be able to use CRAM-MD5 authentication for SMTP AUTH. I know it's supported by at least exim.
I've been working on adding CRAM-MD5 support for SMTP. The code seems simple if I just copy the CRAM-MD5 encoding from the IMAP code, however it's all commented out and I can't find nsIHashAlgorithm.h which presumably contains the MD5 code. There is lots of hash-related code in security/nss/lib/... Also there's a comment saying PSM 2.0 has landed ... Can I help sort this out? I need to have CRAM-MD5 to be able to send mail through my smtp server...
You can get MD5 hashes from nsISignatureVerifier
That's awesome news. So now I can get an in-process MD5 hash if PSM is part of the build. I'll try to resurrect my MD5 code now. The big problem with it before was I had to force the cartman process to start up as my MD5 hashing code needed cartman. That made it take much too long to log into your mail account.
Target Milestone: --- → mozilla1.0
Shouldn't this be SMTP rather than IMAP?
This particular bug is for IMAP. CRAM-MD5 is also useful for SMTP and POP, though for POP APOP would be more useful than CRAM-MD5.
Moving Netscape owned 0.9.9 and 1.0 bugs that don't have an nsbeta1, nsbeta1+, topembed, topembed+, Mozilla0.9.9+ or Mozilla1.0+ keyword. Please send any questions or feedback about this to firstname.lastname@example.org. You can search for "Moving bugs not scheduled for a project" to quickly delete this bugmail.
Target Milestone: mozilla1.0 → mozilla1.2
I suggest grouping bugs 169375, 150212, 41594. I need this bug to be fixed before I can make the switch from OE to Mozilla. My email service uses CRAM-MD5 auth, and I cannot use it as an SMTP server until Mozilla supports this for SMTP.
*** Bug 198693 has been marked as a duplicate of this bug. ***
Here's some code that does an MD5 hash. I don't know that this won't have the same problem as mscott was describing (launching PSM), but I'm guessing it won't.

#define DIGEST_LENGTH 16

nsresult rv;
HASHContextStr *hid;
unsigned char cbuf[DIGEST_LENGTH], *chash = cbuf;
PRUint32 clen;

// Get the signature verifier service; the hash runs in-process through it.
mVerifier = do_GetService(SIGNATURE_VERIFIER_CONTRACTID, &rv);
NS_ENSURE_SUCCESS(rv, rv);

// MD5 over buf[0..len): begin, update, end.
rv = mVerifier->HashBegin(nsISignatureVerifier::MD5, &hid);
if (NS_FAILED(rv)) return rv;
rv = mVerifier->HashUpdate(hid, buf, len);
if (NS_FAILED(rv)) return rv;
rv = mVerifier->HashEnd(hid, &chash, &clen, DIGEST_LENGTH);
if (NS_FAILED(rv)) return rv;

// Keep the 16-byte digest in the member buffer for the caller.
memcpy(mHashBuf, chash, DIGEST_LENGTH);
return NS_OK;

I'll try to write a little patch that at least compiles, but I don't think I have a CRAM-MD5 server to test against.
I have some rough code to hook this up for imap, but I still need an imap server to test it against. It turns out that none of the test servers I have access to at the moment support cram-md5.
taking, patch upcoming for imap.
Assignee: mscott → bienvenu
Created attachment 118916: proposed fix. This patch probably needs a little cleanup, but it does make CRAM-MD5 work for IMAP. Hooking it up to POP3 and SMTP shouldn't be too hard. This does cause the security DLLs to get loaded.
fix checked in, r/sr = sspitzer. We do CRAM-MD5, not CRAM-DIGEST.
Status: NEW → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → FIXED