Testsuite: testcase for GSASL SCRAM-SHA-256
authorJeremy Harris <jgh146exb@wizmail.org>
Mon, 30 Dec 2019 22:45:21 +0000 (22:45 +0000)
committerJeremy Harris <jgh146exb@wizmail.org>
Mon, 30 Dec 2019 23:05:36 +0000 (23:05 +0000)
doc/doc-docbook/spec.xfpt
test/confs/3820
test/confs/3825 [new file with mode: 0644]
test/confs/3828 [changed from file to symlink]
test/log/3825 [moved from test/log/3828 with 100% similarity]
test/scripts/3825-gsasl-plaintext/3825 [moved from test/scripts/3828-gsasl-plaintext/3828 with 100% similarity]
test/scripts/3825-gsasl-plaintext/REQUIRES [moved from test/scripts/3828-gsasl-plaintext/REQUIRES with 100% similarity]
test/scripts/3828-gsasl-scram-sha-256/3828 [new file with mode: 0644]
test/scripts/3828-gsasl-scram-sha-256/REQUIRES [new file with mode: 0644]

index 19888e96d052b06df3f11f9a7b4ad02935cc283a..560b720661244754b0e81035bb8594ff79eb6105 100644 (file)
@@ -27435,6 +27435,9 @@ auth_mechanisms = plain login ntlm
 .cindex "authentication" "DIGEST-MD5"
 .cindex "authentication" "CRAM-MD5"
 .cindex "authentication" "SCRAM-SHA-1"
+.cindex "authentication" "SCRAM-SHA-1-PLUS"
+.cindex "authentication" "SCRAM-SHA-256"
+.cindex "authentication" "SCRAM-SHA-256-PLUS"
 The &(gsasl)& authenticator provides integration for the GNU SASL
 library and the mechanisms it provides.  This is new as of the 4.80 release
 and there are a few areas where the library does not let Exim smoothly
@@ -27442,8 +27445,13 @@ scale to handle future authentication mechanisms, so no guarantee can be
 made that any particular new authentication mechanism will be supported
 without code changes in Exim.
 
-
 .new
+The library is expected to add support in an upcoming
+realease for the SCRAM-SHA-256 method.
+The macro _HAVE_AUTH_GSASL_SCRAM_SHA_256 will be defined
+when this happens.
+
+
 .option client_authz gsasl string&!! unset
 This option can be used to supply an &'authorization id'&
 which is different to the &'authentication_id'& provided
@@ -27481,6 +27489,7 @@ server to see different identifiers and authentication will fail.
 This is
 only usable by mechanisms which support "channel binding"; at time of
 writing, that's the SCRAM family.
+When using this feature the "-PLUS" variants of the method names need to be used.
 .wen
 
 This defaults off to ensure smooth upgrade across Exim releases, in case
@@ -40571,9 +40580,8 @@ defines the location of a text file of valid
 top level domains the opendmarc library uses
 during domain parsing. Maintained by Mozilla,
 the most current version can be downloaded
-from a link at &url(https://publicsuffix.org/list/, currently pointing
-at https://publicsuffix.org/list/public_suffix_list.dat)
-See also util/renew-opendmarc-tlds.sh script.
+from a link at &url(https://publicsuffix.org/list/public_suffix_list.dat).
+See also the util/renew-opendmarc-tlds.sh script.
 .new
 The default for the option is unset.
 If not set, DMARC processing is disabled.
index 023ed751d1c0c1c60512b874e55b519db92a0934..b60e467a3536192b304b23104f381d09e267ab0f 100644 (file)
@@ -27,16 +27,16 @@ client_r:
 begin transports
 
 smtp:
-  driver =     smtp
-  hosts =      127.0.0.1
+  driver =             smtp
+  hosts =              127.0.0.1
   allow_localhost
-  port =       PORT_D
+  port =               PORT_D
 .ifdef TRUSTED
-  hosts_require_tls = *
+  hosts_require_tls =  *
   tls_verify_certificates = DIR/aux-fixed/cert1
   tls_verify_cert_hostnames = :
 .endif
-  hosts_require_auth = *
+  hosts_require_auth = *
 
 # ----- Authentication -----
 
@@ -44,14 +44,14 @@ begin authenticators
 
 .ifndef TRUSTED
 sasl1:
-  driver = gsasl
-  public_name = ANONYMOUS
+  driver =             gsasl
+  public_name =                ANONYMOUS
   server_set_id =      $auth1
   server_condition =   true
 
 sasl2:
-  driver = gsasl
-  public_name = PLAIN
+  driver =             gsasl
+  public_name =                PLAIN
   server_set_id =      $auth1
   server_condition =   ${if eq {$auth3}{pencil}}
 
@@ -61,13 +61,13 @@ sasl2:
 .endif
 
 sasl3:
-  driver = gsasl
+  driver =             gsasl
 .ifdef TRUSTED
-  public_name = SCRAM-SHA-1-PLUS
+  public_name =                SCRAM-SHA-1-PLUS
   server_advertise_condition = ${if def:tls_in_cipher}
   server_channelbinding =      true
 .else
-  public_name = SCRAM-SHA-1
+  public_name =                SCRAM-SHA-1
 .endif
 
   # will need to give library salt, stored-key, server-key, itercount
@@ -89,5 +89,29 @@ sasl3:
   client_channelbinding = true
 .endif
 
+.ifdef _HAVE_AUTH_GSASL_SCRAM_SHA_256
+sasl4:
+  driver =             gsasl
+.ifdef TRUSTED
+  public_name =                SCRAM-SHA-256-PLUS
+  server_advertise_condition = ${if def:tls_in_cipher}
+  server_channelbinding =      true
+.else
+  public_name =                SCRAM-SHA-256
+.endif
+
+  server_scram_salt =  QSXCR+Q6sek8bf92
+  server_password =    pencil
+  server_condition =   true
+  server_set_id =      $auth1
+
+  client_condition =   ${if eq {scram_sha_256}{$local_part}}
+  client_username =    ph10
+  client_password =    pencil
+.ifdef TRUSTED
+  client_channelbinding = true
+.endif
+.endif
+
 
 # End
diff --git a/test/confs/3825 b/test/confs/3825
new file mode 100644 (file)
index 0000000..6148356
--- /dev/null
@@ -0,0 +1,66 @@
+# Exim test configuration 3825
+
+SERVER=
+
+.include DIR/aux-var/std_conf_prefix
+
+primary_hostname = myhost.test.ex
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = accept
+queue_only
+
+
+begin routers
+
+client_r:
+  driver =     accept
+  condition =  ${if !eq {SERVER}{server}}
+  transport =  smtp
+
+begin transports
+
+smtp:
+  driver =     smtp
+  hosts =      127.0.0.1
+  allow_localhost
+  port =       PORT_D
+  hosts_require_auth = *
+
+# ----- Authentication -----
+
+begin authenticators
+
+.ifndef OPT
+sasl1:
+  driver =             plaintext
+  public_name =                PLAIN
+  server_prompts =     :
+  server_condition =   ${if and {{eq{$auth2}{ph10}}{eq{$auth3}{mysecret}}}}
+  server_set_id =      $auth2
+
+sasl2:
+  driver =             gsasl
+  public_name =                PLAIN
+  client_condition =   ${if eq {plain}{$local_part}}
+  client_username =    ph10
+  client_password =    mysecret
+
+.else
+sasl3:
+  driver =             gsasl
+  public_name =                PLAIN
+  server_condition =   ${if and {{eq{$auth1}{ph10}}{eq{$auth3}{mysecret}}}}
+  server_set_id =      $auth1
+
+sasl4:
+  driver =             plaintext
+  public_name =                PLAIN
+  client_condition =   ${if eq {plain}{$local_part}}
+  client_send =                ^ph10^mysecret
+
+.endif
+
+
+# End
deleted file mode 100644 (file)
index aa9db9467fb522f5950c8558d06d33b3a012588a..0000000000000000000000000000000000000000
+++ /dev/null
@@ -1,66 +0,0 @@
-# Exim test configuration 3828
-
-SERVER=
-
-.include DIR/aux-var/std_conf_prefix
-
-primary_hostname = myhost.test.ex
-
-# ----- Main settings -----
-
-acl_smtp_rcpt = accept
-queue_only
-
-
-begin routers
-
-client_r:
-  driver =     accept
-  condition =  ${if !eq {SERVER}{server}}
-  transport =  smtp
-
-begin transports
-
-smtp:
-  driver =     smtp
-  hosts =      127.0.0.1
-  allow_localhost
-  port =       PORT_D
-  hosts_require_auth = *
-
-# ----- Authentication -----
-
-begin authenticators
-
-.ifndef OPT
-sasl1:
-  driver =             plaintext
-  public_name =                PLAIN
-  server_prompts =     :
-  server_condition =   ${if and {{eq{$auth2}{ph10}}{eq{$auth3}{mysecret}}}}
-  server_set_id =      $auth2
-
-sasl2:
-  driver =             gsasl
-  public_name =                PLAIN
-  client_condition =   ${if eq {plain}{$local_part}}
-  client_username =    ph10
-  client_password =    mysecret
-
-.else
-sasl3:
-  driver =             gsasl
-  public_name =                PLAIN
-  server_condition =   ${if and {{eq{$auth1}{ph10}}{eq{$auth3}{mysecret}}}}
-  server_set_id =      $auth1
-
-sasl4:
-  driver =             plaintext
-  public_name =                PLAIN
-  client_condition =   ${if eq {plain}{$local_part}}
-  client_send =                ^ph10^mysecret
-
-.endif
-
-
-# End
new file mode 120000 (symlink)
index 0000000000000000000000000000000000000000..d8f3286c4a324ee53143928dfeffb054fdd248a8
--- /dev/null
@@ -0,0 +1 @@
+3820
\ No newline at end of file
similarity index 100%
rename from test/log/3828
rename to test/log/3825
diff --git a/test/scripts/3828-gsasl-scram-sha-256/3828 b/test/scripts/3828-gsasl-scram-sha-256/3828
new file mode 100644 (file)
index 0000000..749dbf5
--- /dev/null
@@ -0,0 +1,8 @@
+# GSASL SCRAM-SHA-256
+#
+exim -DSERVER=server -DTRUSTED -bd -oX PORT_D
+****
+exim -odi -DTRUSTED scram_sha_256@test.ex
+****
+killdaemon
+no_msglog_check
diff --git a/test/scripts/3828-gsasl-scram-sha-256/REQUIRES b/test/scripts/3828-gsasl-scram-sha-256/REQUIRES
new file mode 100644 (file)
index 0000000..89fd508
--- /dev/null
@@ -0,0 +1,2 @@
+authenticator gsasl
+feature _HAVE_AUTH_GSASL_SCRAM_SHA_256