Re: [Exim] SQL-based SMTP AUTH.

Top Page
Delete this message
Reply to this message
Author: Steve Haslam
Date:  
To: exim-users
CC: Eric Renfro
Subject: Re: [Exim] SQL-based SMTP AUTH.
On Thu, Oct 24, 2002 at 10:33:44AM +0100, Philip Hazel wrote:
> On Wed, 23 Oct 2002, Eric Renfro wrote:
> >           challenge = <17696.1035403810@???>
> >           received  = 5cb4301be6c19a10bc555491921cf89e
> >           digest    = 6ba2869e37c4d041dafb41c538de1407

>
> Indeed. The fact that it output that info, however, shows that it ran
> through the CRAM-MD5 code.
>
> Given that you know the correct password, you could compute which digest
> is actually correct. In principle, it could either be the one received
> or the one computed.
>
> You have to take the MD5 digest of the password concatenated with the
> challenge string, with some padding. From the comments in the code:
>
> The CRAM-MD5 algorithm is described in RFC 2195. It computes
>
> MD5((secret XOR opad), MD5((secret XOR ipad), challenge))
>
> where secret is padded out to 64 characters (after being reduced to an MD5
> digest if longer than 64) and ipad and opad are 64-byte strings of 0x36 and
> 0x5c respectively, and comma means concatenation.
>
> I realize that this is a non-trivial exercise!


I was disucussing this with Eric on IRC, and it seems to me that this should
be a quick way of double-checking:

perl -MDigest::HMAC_MD5=hmac_md5_hex -le \
'print hmac_md5_hex($challenge, $secret)'

(with $challenge and $secret substituted for the correct strings of course).

However, Eric got an digest that mismatched on the authentication that
failed, which was puzzling. But maybe someone who actually uses CRAM-MD5
day-to-day (I don't) could explore this?

SRH
--
Steve Haslam      Reading, UK                           araqnid@???
Debian GNU/Linux Maintainer                               araqnid@???
                               maybe the human race deserves to be wiped out