From: Timo Sirainen Date: Tue, 11 Nov 2003 09:59:27 +0000 (+0200) Subject: cram-md5 updates. X-Git-Tag: 1.1.alpha1~4227 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6c07b8ddc5e894feead4d422075b079451721241;p=thirdparty%2Fdovecot%2Fcore.git cram-md5 updates. --HG-- branch : HEAD --- diff --git a/doc/auth.txt b/doc/auth.txt index 8035f3635a..4e77d70721 100644 --- a/doc/auth.txt +++ b/doc/auth.txt @@ -8,6 +8,8 @@ Currently supported authentication mechanisms: - DIGEST-MD5: Should be quite secure by itself. It also supports integrity protecting and crypting the rest of the communication, but we don't support those yet. + - CRAM-MD5: Protects the secret in transit from eavesdroppers. Doesn't + provide any integrity guarantees. - ANONYMOUS: No authentication required. User will be logged in as the user specified by auth_anonymous_username setting (default "anonymous"). There's no special restrictions given for anonymous users so you have to make sure @@ -46,6 +48,7 @@ Password schemes supporting plaintext authentication and more: - PLAIN: Although not that good idea, it enables support for all current and future authentication mechanisms. + - HMAC-MD5: HMAC-MD5 context of password, for the CRAM-MD5 mechanism. - DIGEST-MD5: MD5 sum of "user:realm:password", as required by DIGEST-MD5 mechanism. diff --git a/dovecot-example.conf b/dovecot-example.conf index 474a93b3a7..e416392873 100644 --- a/dovecot-example.conf +++ b/dovecot-example.conf @@ -386,7 +386,7 @@ protocol pop3 { auth default { # Space separated list of wanted authentication mechanisms: - # plain digest-md5 anonymous + # plain digest-md5 cram-md5 anonymous mechanisms = plain # Where user database is kept: diff --git a/src/auth/mech-cram-md5.c b/src/auth/mech-cram-md5.c index 8331d27cf2..9ad886e056 100644 --- a/src/auth/mech-cram-md5.c +++ b/src/auth/mech-cram-md5.c 
@@ -32,7 +32,7 @@ struct cram_auth_request {
 static const char *get_cram_challenge(void)
 {
- char buf[17];
+ unsigned char buf[17];
 size_t i;
 hostpid_init();
@@ -42,8 +42,8 @@ static const char *get_cram_challenge(void)
 buf[i] = (buf[i] % 10) + '0';
 buf[sizeof(buf)-1] = '\0';
- return t_strdup_printf("%s.%s@%s", buf, dec2str(ioloop_time),
- my_hostname);
+ return t_strdup_printf("<%s.%s@%s>", (const char *) buf,
+ dec2str(ioloop_time), my_hostname);
 }
 static int verify_credentials(struct cram_auth_request *auth,
diff --git a/src/auth/passdb.c b/src/auth/passdb.c
index 5ffae69b05..01b9c9f268 100644
--- a/src/auth/passdb.c
+++ b/src/auth/passdb.c
@@ -25,7 +25,7 @@ passdb_credentials_to_str(enum passdb_credentials credentials)
 case PASSDB_CREDENTIALS_CRYPT:
 return "CRYPT";
 case PASSDB_CREDENTIALS_CRAM_MD5:
- return "CRAM-MD5";
+ return "HMAC-MD5";
 case PASSDB_CREDENTIALS_DIGEST_MD5:
 return "DIGEST-MD5";
 }
diff --git a/src/auth/password-scheme-cram-md5.c b/src/auth/password-scheme-cram-md5.c
index 7f00bea455..123fb35c71 100644
--- a/src/auth/password-scheme-cram-md5.c
+++ b/src/auth/password-scheme-cram-md5.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2003 Timo Sirainen */
+/* Copyright (C) 2003 Timo Sirainen / Joshua Goodall */
 #include "lib.h"
 #include "md5.h"
diff --git a/src/auth/password-scheme.c b/src/auth/password-scheme.c
index 9d746d5596..dfcfe99b31 100644
--- a/src/auth/password-scheme.c
+++ b/src/auth/password-scheme.c
@@ -30,6 +30,11 @@ int password_verify(const char *plaintext, const char *password,
 if (strcasecmp(scheme, "PLAIN") == 0)
 return strcmp(password, plaintext) == 0;
+ if (strcasecmp(scheme, "HMAC-MD5") == 0) {
+ str = password_generate_cram_md5(plaintext);
+ return strcmp(str, password) == 0;
+ }
+
 if (strcasecmp(scheme, "DIGEST-MD5") == 0) {
 /* user:realm:passwd */
 realm = strchr(user, '@');
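Review bot: In src/auth/mech-cram-md5.c (hunk at -42,8), the context line `buf[i] = (buf[i] % 10) + '0';` in get_cram_challenge() maps every byte of buf to one decimal digit, so the 16-character part of the challenge carries only about 53 bits and leans slightly toward 0-5, because 256 is not a multiple of 10. Assuming buf is filled from a random source (that call lies between the two hunks and is not shown), hex-encoding the bytes would keep all of that randomness in the `<...@...>` challenge sent to the client. The switch to `unsigned char` in the first hunk is what keeps `% 10` from going negative, and a one-line comment such as `/* unsigned: buf[i] % 10 must stay in 0..9 */` would guard against someone reverting it.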
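Review bot: In src/auth/passdb.c, the scheme name returned for PASSDB_CREDENTIALS_CRAM_MD5 in passdb_credentials_to_str() changes from "CRAM-MD5" to "HMAC-MD5" with no alias for the old spelling, and password_generate() in src/auth/password-scheme.c (hunk at -110,7) makes the same replacement. If any password database already holds entries tagged with the old name, they would presumably stop matching after this commit; how an unrecognised scheme is handled is outside the visible hunks. Accepting both spellings where the scheme string is matched would avoid that, e.g. `if (strcasecmp(scheme, "HMAC-MD5") == 0 || strcasecmp(scheme, "CRAM-MD5") == 0)` in password_generate() and password_verify().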
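Review bot: The new HMAC-MD5 branch of password_verify() in src/auth/password-scheme.c ends in `return strcmp(str, password) == 0;`, which stops at the first differing byte, so the time it takes depends on how much of the stored credential matches. Per doc/auth.txt in this commit, the stored value is the HMAC-MD5 context used for CRAM-MD5, so it is worth comparing it in constant time: check the lengths, then OR together the XOR of every byte pair. The PLAIN branch in the context lines uses the same `strcmp` pattern. `str` is declared outside the hunk and the function continues past it.

```c
	if (strcasecmp(scheme, "HMAC-MD5") == 0) {
		size_t i, len;
		unsigned char diff = 0;

		str = password_generate_cram_md5(plaintext);
		len = strlen(str);
		if (strlen(password) != len)
			return 0;
		/* no early exit: every byte is examined regardless of mismatch */
		for (i = 0; i < len; i++)
			diff |= (unsigned char)str[i] ^ (unsigned char)password[i];
		return diff == 0;
	}
	/* … unchanged: DIGEST-MD5 branch … */
```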
@@ -110,7 +115,7 @@ const char *password_generate(const char *plaintext, const char *user,
 if (strcasecmp(scheme, "PLAIN") == 0)
 return plaintext;
- if (strcasecmp(scheme, "CRAM-MD5") == 0)
+ if (strcasecmp(scheme, "HMAC-MD5") == 0)
 return password_generate_cram_md5(plaintext);
 if (strcasecmp(scheme, "DIGEST-MD5") == 0) {