Closed Bug 983167 Opened 10 years ago Closed 10 years ago

[email/POP3] broken node-crypto.js shim causes auth failure when attempting APOP auth

Categories

(Firefox OS Graveyard :: Gaia::E-Mail, defect)

ARM
Gonk (Firefox OS)
defect
Not set
normal

Tracking

(blocking-b2g:1.3+, b2g-v1.3 fixed, b2g-v1.3T fixed, b2g-v1.4 fixed, b2g-v2.0 fixed)

RESOLVED FIXED
1.4 S4 (28mar)
blocking-b2g 1.3+
Tracking Status
b2g-v1.3 --- fixed
b2g-v1.3T --- fixed
b2g-v1.4 --- fixed
b2g-v2.0 --- fixed

People

(Reporter: hcondei, Assigned: mcav)

Details

(Whiteboard: [SUMO-b2g][p=3])

Attachments

(1 file)

Hello,

We have a user on the forum who has issues with setting up his email account on Alcatel one touch fire on v 1.3 pre-release. After he sets all parameters the application is blocking and he can only see the Account config screen. 
Tried with imap.mydomain.it 143 or pop3.mydomain.it 110 & he is getting an error message like [unresponsive-server]. 
Same parameters on his laptop - it works/connects to the server.
IMAP - already discussed (he had to pay to activate it-have to check this with user) but POP3 seems broken.

Forum thread: https://support.mozilla.org/en-US/questions/989376

We've reproduced the error on master:

I/GeckoDump( 2221): ERR: onerror reporting: TypeError: crypto.createHash(...).update(...) is undefined @ app://email.gaiamobile.org/js/ext/mailapi/composite/configurator.js : 6862
2:26 E/GeckoConsole( 2221): [JavaScript Error: "TypeError: crypto.createHash(...).update(...) is undefined" {file: "app://email.gaiamobile.org/js/ext/mailapi/composite/configurator.js" line: 6862}]

Possible root cause (self-signed server in certificate chain that may make the certificate verification fail): 

https://pastebin.mozilla.org/4574229

Could you please advise?

Thx,
Hermina
The certificates validate for me.  This is a failure of our fake node-crypto implementation breaking APOP.

Our md5 usage in pop3/pop3.js is:
  return crypto.createHash('md5').update(s).digest('hex').toLowerCase();

Unfortunately, although our poor man's node-crypto.js implementation does support md5, its update method does not chain properly; it returns nothing when it should return 'this'.

:mcav, do you concur, and do you have some time for this one?  That fix is pretty straight-forward, but making sure we have APOP test coverage will take slightly more effort.

This likely wants to be a POP3 blocker, although we could also resolve the problem by not using APOP.
Flags: needinfo?(m)
Summary: Email configuration issue → [email/POP3]
blocking-b2g: --- → 1.3?
Summary: [email/POP3] → [email/POP3] broken node-crypto.js shim causes auth failure when attempting APOP auth
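The chaining defect described in the comment above, reproduced as an added example (not the Gaia shim or any project code). `makeShim` and `tryApop` are hypothetical names; the shim stand-in delegates MD5 to Node's `crypto`, and the timestamp and secret are the RFC 1939 example values.

```javascript
const nodeCrypto = require('crypto');

// Hypothetical stand-in for a browser-side createHash() shim. It delegates
// the MD5 work to Node's crypto so that only the chaining behaviour differs.
function makeShim(chainable) {
  return {
    createHash(algorithm) {
      const inner = nodeCrypto.createHash(algorithm);
      return {
        update(data) {
          inner.update(data);
          // The defect: without this return, update() yields undefined
          // and the following .digest() call throws a TypeError.
          if (chainable) return this;
        },
        digest(encoding) {
          return inner.digest(encoding);
        },
      };
    },
  };
}

// APOP digest per RFC 1939: MD5 over the greeting timestamp followed by the
// shared secret, hex encoded. Same call chain as quoted from pop3/pop3.js.
function apopDigest(cryptoLike, timestamp, secret) {
  const s = timestamp + secret;
  return cryptoLike.createHash('md5').update(s).digest('hex').toLowerCase();
}

// Regression check: returns the digest, or the error text if the chain breaks.
function tryApop(cryptoLike) {
  try {
    // RFC 1939 section 7 example greeting timestamp and shared secret.
    return apopDigest(cryptoLike, '<1896.697170952@dbc.mtview.ca.us>', 'tanstaaf');
  } catch (e) {
    return e.constructor.name + ': ' + e.message;
  }
}

console.log('broken shim:', tryApop(makeShim(false)));
console.log('fixed shim: ', tryApop(makeShim(true)));
console.log('node crypto:', tryApop(nodeCrypto));
```

A test that drives the shim through this exact chain against the RFC vector catches the regression without needing a live APOP server.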
Andrew, do you know how widespread this issue might be?  We're trying to determine if this is going to affect many mail servers.  

For now, I'm moving to backlog.  If, however, you believe this may indeed be widespread, please re-nom.
Flags: needinfo?(bugmail)
A big problem for the POP3 effort was that it was never clear what servers we could actually expect the POP3 client to be used against where IMAP was not available.  I've now heard of one real-world POP3 use case and it's on this bug.  So basically I have no idea.

We'll fix it either way and request approval to land on v1.3, not blocking could make sense.
Flags: needinfo?(bugmail)
blocking-b2g: 1.3? → backlog
OS: Mac OS X → Gonk (Firefox OS)
Hardware: x86 → ARM
Assignee: nobody → m
Status: NEW → ASSIGNED
Attachment #8393854 - Flags: review?(bugmail)
Flags: needinfo?(m)
Target Milestone: --- → 1.4 S4 (28mar)
Comment on attachment 8393854 [details] [review]
Link to Github pull-request: https://github.com/mozilla-b2g/gaia-email-libs-and-more/pull/292

thanks! r=asuth.  I see the other Travis failures, and they are obviously going to be unrelated to this patch.  I'll take a look at the logs if they recur after you land and travis-artifacts actually manages to upload the logs.
Attachment #8393854 - Flags: review?(bugmail) → review+
Landed in GELAM: https://github.com/mozilla-b2g/gaia-email-libs-and-more/commit/60a20a86ad4f36c4a523c0d9986b9add013ea20c

Landed in Gaia: https://github.com/mozilla-b2g/gaia/commit/0aeb073db451fdb5ad8d97571aadc7dec6ae8542

The Travis failure in GELAM changed, unrelated, perhaps to be seen another day.
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Comment on attachment 8393854 [details] [review]
Link to Github pull-request: https://github.com/mozilla-b2g/gaia-email-libs-and-more/pull/292

Asking for approval for both 1.3 and 1.4.

Per :asuth's thoughts above, if possible, we'd like to get this into 1.3. It is a very small, low-risk fix that would allow certain POP3 users to create accounts (where without this patch, they would get an error during setup).

[Approval Request Comment]
[Bug caused by] (feature/regressing bug #): POP3 support, added in 1.3.
[User impact] if declined: Users who use POP3 servers that support APOP will be unable to set up an e-mail account.
[Testing completed]: Unit tests / manual verification.
[Risk to taking this patch] (and alternatives if risky): Very low risk.
[String changes made]: None.
Attachment #8393854 - Flags: approval-gaia-v1.4?(fabrice)
Attachment #8393854 - Flags: approval-gaia-v1.3?(fabrice)
Hello Marcus,

Cannot approve for gaia 1.3 as the last date was 1/31/14.

For 1.3, I am nom'ing this request and triage will 1.3+ it.

Once it is 1.3+ we don't need to ask for 1.4 approval.
blocking-b2g: backlog → 1.3?
Comment on attachment 8393854 [details] [review]
Link to Github pull-request: https://github.com/mozilla-b2g/gaia-email-libs-and-more/pull/292

Marcus, for 1.3 you need to wait for the blocking decision. I'm forwarding the 1.4 approval to Release Management as I don't do these approvals.
Attachment #8393854 - Flags: approval-gaia-v1.4?(fabrice)
Attachment #8393854 - Flags: approval-gaia-v1.4?(bbajaj)
Attachment #8393854 - Flags: approval-gaia-v1.3?(fabrice)
Comment on attachment 8393854 [details] [review]
Link to Github pull-request: https://github.com/mozilla-b2g/gaia-email-libs-and-more/pull/292

Looks good to land on 1.4 given the risk. Also adding verifyme so someone in QA could verify this in parallel.
Attachment #8393854 - Flags: approval-gaia-v1.4?(bbajaj) → approval-gaia-v1.4+
As far as I can tell, there is no easy way to verify this.   Is it possible to have the original reporter from the forum test the fix on this?
We already made an active decision to decline blocking on this bug because it was only known to reproduce on a custom email server, not an existing widely used production email server. So this remains as a non-blocker.
blocking-b2g: 1.3? → backlog
(In reply to Jason Smith [:jsmith] from comment #12)
> We already made an active decision to decline blocking on this bug because
> it was only known to reproduce on a custom email server, not an existing
> widely used production email server. So this remains as a non-blocker.

I just did some legwork and according to https://hosting.aruba.it/ChiSiamo.asp?Lang=EN, aruba.it hosts 6 million e-mail accounts.  I also know from previous research on this bug that aruba.it requires users to pay extra for IMAP over POP3.  So there is potentially a large user-base that will be affected.

I've also just verified that Verizon e-mail hosting at least for POP3, which they also only provide for new accounts (old accounts may be serviced by yahoo or AOL which both offer IMAP), also advertises APOP functionality which will trigger the bug.  According to http://en.wikipedia.org/wiki/Verizon_Communications Verizon has 5.9 million customers.

It sounds like we need blocking=1.3+ to be allowed to land this trivial patch on 1.3, so I am re-requesting it based on the fact that a large number of users (let's say 12 million) with shoddy e-mail service may be affected.
blocking-b2g: backlog → 1.3?
(In reply to Andrew Sutherland (:asuth) from comment #13)
> I've also just verified that Verizon e-mail hosting at least for POP3, which
> they also only provide for new accounts (old accounts may be serviced by
> yahoo or AOL which both offer IMAP), also advertises APOP functionality
> which will trigger the bug.  According to
> http://en.wikipedia.org/wiki/Verizon_Communications Verizon has 5.9 million
> customers.

I didn't quite finish editing this paragraph.  Re-phrased:  Verizon FiOS internet provides only POP3 email.  Verizon FiOS internet has 5.9 million customers as of September 2013.  I believe Verizon may also provide DSL services and Verizon Wireless might also do something.
v1.4: cbf00a68ab81f963ff4165d15b430f2a1674cd8a
Can't skip a release. It's been OK'ed for 1.4 so would like to see in 1.3 as well.
blocking-b2g: 1.3? → 1.3+
Comment on attachment 8393854 [details] [review]
Link to Github pull-request: https://github.com/mozilla-b2g/gaia-email-libs-and-more/pull/292

Re-requesting approval-gaia-1.3 now that we have blocking-b2g 1.3+.

[Approval Request Comment]
[Bug caused by] (feature/regressing bug #): POP3 support, added in 1.3.
[User impact] if declined: Users who use POP3 servers that support APOP will be unable to set up an e-mail account.
[Testing completed]: Unit tests / manual verification.
[Risk to taking this patch] (and alternatives if risky): Very low risk.
[String changes made]: None.
Attachment #8393854 - Flags: approval-gaia-v1.3?(fabrice)
Attachment #8393854 - Flags: approval-gaia-v1.3?(fabrice) → approval-gaia-v1.3+
v1.3: db47ab2a0da08459b08aa4bd5414b2608221d145
Whiteboard: [SUMO-b2g] → [SUMO-b2g][p=3]
Hi,

I have verified the fault when the mail client wants to use APOP authentication.

In the Flame reference phone (FirefoxOS 1.3), the debug log says:

 ERR: onerror reporting: crypto.createHash(...).update(...) is undefined @ app://email.gaiamobile.org/js/ext/mailapi/composite/configurator.js : 6856

 [JavaScript Error: "crypto.createHash(...).update(...) is undefined" {file: "app://email.gaiamobile.org/js/ext/mailapi/composite/configurator.js" line: 6856}]
D/SST_QC_B2G(  299): Signal Strength changed; sending info to content process

I/Gecko   (18920): WERR: Unsolicited response from server: -ERR POP timeout from iServer04.xxxxxxxx.com.ar

I think it is important to solve this bug, because in South America most ISPs provide POP service only.

I guess in Africa and Asia the situation is similar, and since this is a low cost device, these markets will be more attractive to launch this platform.

> We already made an active decision to decline blocking on this bug because
> it was only known to reproduce on a custom email server, not an existing
> widely used production email server. So this remains as a non-blocker.

The production mail servers in these regions are POP3. Think about this.

Regards.
This should be fixed on v1.3.  It's possible that the Flame v1.3 build was cut before this fix landed.  Can you provide your build id and revision?  See https://wiki.mozilla.org/Gaia/Email/RequiredBugInfo near the top.

In general I'd suggest updating your build to a more recent version.  See https://developer.mozilla.org/en-US/Firefox_OS/Developer_phone_guide/Flame#Updating_your_Flame%27s_software

Although you will want to install the v123 base image from the above first, you can use the tool at https://github.com/digitarald/flash-b2g to automate and simplify the gaia/gecko flashing.  You may need to use the "font fix" mentioned on the wiki page above too.
Hi,

I updated the Flame reference phone to FirefoxOS 1.4 (thanks so much Andrew Sutherland) for the problem in the POP3 connection.

The script for the update process is shallow_flash.sh.

Now, the Flame connects to the mail server, but PROBE:POP3 says "I/Gecko   ( 5481): WWAR: PROBE:POP3 sad. pop-server-not-great | The server does not support UIDL, which is required. | undefined".

I checked connecting by telnet and the server responds to the UIDL command correctly. I will search another thread for this problem or will open a new thread.

Thank you very much!