Testsuite: testcase for GSASL SCRAM-SHA-256

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 19888e96d052b06df3f11f9a7b4ad02935cc283a..560b720661244754b0e81035bb8594ff79eb6105 100644 (file)
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -27435,6 +27435,9 @@ auth_mechanisms = plain login ntlm
 .cindex "authentication" "DIGEST-MD5"
 .cindex "authentication" "CRAM-MD5"
 .cindex "authentication" "SCRAM-SHA-1"
 .cindex "authentication" "DIGEST-MD5"
 .cindex "authentication" "CRAM-MD5"
 .cindex "authentication" "SCRAM-SHA-1"

+.cindex "authentication" "SCRAM-SHA-1-PLUS"
+.cindex "authentication" "SCRAM-SHA-256"
+.cindex "authentication" "SCRAM-SHA-256-PLUS"

 The &(gsasl)& authenticator provides integration for the GNU SASL
 library and the mechanisms it provides.  This is new as of the 4.80 release
 and there are a few areas where the library does not let Exim smoothly
 The &(gsasl)& authenticator provides integration for the GNU SASL
 library and the mechanisms it provides.  This is new as of the 4.80 release
 and there are a few areas where the library does not let Exim smoothly


@@ -27442,8 +27445,13 @@ scale to handle future authentication mechanisms, so no guarantee can be
 made that any particular new authentication mechanism will be supported
 without code changes in Exim.
 
 made that any particular new authentication mechanism will be supported
 without code changes in Exim.
 

-

 .new
 .new

+The library is expected to add support in an upcoming
+realease for the SCRAM-SHA-256 method.
+The macro _HAVE_AUTH_GSASL_SCRAM_SHA_256 will be defined
+when this happens.
+
+

 .option client_authz gsasl string&!! unset
 This option can be used to supply an &'authorization id'&
 which is different to the &'authentication_id'& provided
 .option client_authz gsasl string&!! unset
 This option can be used to supply an &'authorization id'&
 which is different to the &'authentication_id'& provided


@@ -27481,6 +27489,7 @@ server to see different identifiers and authentication will fail.
 This is
 only usable by mechanisms which support "channel binding"; at time of
 writing, that's the SCRAM family.
 This is
 only usable by mechanisms which support "channel binding"; at time of
 writing, that's the SCRAM family.

+When using this feature the "-PLUS" variants of the method names need to be used.

 .wen
 
 This defaults off to ensure smooth upgrade across Exim releases, in case
 .wen
 
 This defaults off to ensure smooth upgrade across Exim releases, in case


@@ -40571,9 +40580,8 @@ defines the location of a text file of valid
 top level domains the opendmarc library uses
 during domain parsing. Maintained by Mozilla,
 the most current version can be downloaded
 top level domains the opendmarc library uses
 during domain parsing. Maintained by Mozilla,
 the most current version can be downloaded

-from a link at &url(https://publicsuffix.org/list/, currently pointing
-at https://publicsuffix.org/list/public_suffix_list.dat)
-See also util/renew-opendmarc-tlds.sh script.
+from a link at &url(https://publicsuffix.org/list/public_suffix_list.dat).
+See also the util/renew-opendmarc-tlds.sh script.

 .new
 The default for the option is unset.
 If not set, DMARC processing is disabled.
 .new
 The default for the option is unset.
 If not set, DMARC processing is disabled.

diff --git a/test/confs/3820 b/test/confs/3820
index 023ed751d1c0c1c60512b874e55b519db92a0934..b60e467a3536192b304b23104f381d09e267ab0f 100644 (file)
--- a/test/confs/3820
+++ b/test/confs/3820
@@ -27,16 +27,16 @@ client_r:
 begin transports
 
 smtp:
 begin transports
 
 smtp:

-  driver =     smtp
-  hosts =      127.0.0.1
+  driver =             smtp
+  hosts =              127.0.0.1

   allow_localhost
   allow_localhost

-  port =       PORT_D
+  port =               PORT_D

 .ifdef TRUSTED
 .ifdef TRUSTED

-  hosts_require_tls = *
+  hosts_require_tls =  *

   tls_verify_certificates = DIR/aux-fixed/cert1
   tls_verify_cert_hostnames = :
 .endif
   tls_verify_certificates = DIR/aux-fixed/cert1
   tls_verify_cert_hostnames = :
 .endif

-  hosts_require_auth = *
+  hosts_require_auth = *

 
 # ----- Authentication -----
 
 
 # ----- Authentication -----
 


@@ -44,14 +44,14 @@ begin authenticators
 
 .ifndef TRUSTED
 sasl1:
 
 .ifndef TRUSTED
 sasl1:

-  driver = gsasl
-  public_name = ANONYMOUS
+  driver =             gsasl
+  public_name =                ANONYMOUS

   server_set_id =      $auth1
   server_condition =   true
 
 sasl2:
   server_set_id =      $auth1
   server_condition =   true
 
 sasl2:

-  driver = gsasl
-  public_name = PLAIN
+  driver =             gsasl
+  public_name =                PLAIN

   server_set_id =      $auth1
   server_condition =   ${if eq {$auth3}{pencil}}
 
   server_set_id =      $auth1
   server_condition =   ${if eq {$auth3}{pencil}}
 


@@ -61,13 +61,13 @@ sasl2:
 .endif
 
 sasl3:
 .endif
 
 sasl3:

-  driver = gsasl
+  driver =             gsasl

 .ifdef TRUSTED
 .ifdef TRUSTED

-  public_name = SCRAM-SHA-1-PLUS
+  public_name =                SCRAM-SHA-1-PLUS

   server_advertise_condition = ${if def:tls_in_cipher}
   server_channelbinding =      true
 .else
   server_advertise_condition = ${if def:tls_in_cipher}
   server_channelbinding =      true
 .else

-  public_name = SCRAM-SHA-1
+  public_name =                SCRAM-SHA-1

 .endif
 
   # will need to give library salt, stored-key, server-key, itercount
 .endif
 
   # will need to give library salt, stored-key, server-key, itercount


@@ -89,5 +89,29 @@ sasl3:
   client_channelbinding = true
 .endif
 
   client_channelbinding = true
 .endif
 

+.ifdef _HAVE_AUTH_GSASL_SCRAM_SHA_256
+sasl4:
+  driver =             gsasl
+.ifdef TRUSTED
+  public_name =                SCRAM-SHA-256-PLUS
+  server_advertise_condition = ${if def:tls_in_cipher}
+  server_channelbinding =      true
+.else
+  public_name =                SCRAM-SHA-256
+.endif
+
+  server_scram_salt =  QSXCR+Q6sek8bf92
+  server_password =    pencil
+  server_condition =   true
+  server_set_id =      $auth1
+
+  client_condition =   ${if eq {scram_sha_256}{$local_part}}
+  client_username =    ph10
+  client_password =    pencil
+.ifdef TRUSTED
+  client_channelbinding = true
+.endif
+.endif
+

 
 # End
 
 # End

diff --git a/test/confs/3825 b/test/confs/3825
new file mode 100644 (file)
index 0000000..6148356
--- /dev/null
+++ b/test/confs/3825
@@ -0,0 +1,66 @@
+# Exim test configuration 3825
+
+SERVER=
+
+.include DIR/aux-var/std_conf_prefix
+
+primary_hostname = myhost.test.ex
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = accept
+queue_only
+
+
+begin routers
+
+client_r:
+  driver =     accept
+  condition =  ${if !eq {SERVER}{server}}
+  transport =  smtp
+
+begin transports
+
+smtp:
+  driver =     smtp
+  hosts =      127.0.0.1
+  allow_localhost
+  port =       PORT_D
+  hosts_require_auth = *
+
+# ----- Authentication -----
+
+begin authenticators
+
+.ifndef OPT
+sasl1:
+  driver =             plaintext
+  public_name =                PLAIN
+  server_prompts =     :
+  server_condition =   ${if and {{eq{$auth2}{ph10}}{eq{$auth3}{mysecret}}}}
+  server_set_id =      $auth2
+
+sasl2:
+  driver =             gsasl
+  public_name =                PLAIN
+  client_condition =   ${if eq {plain}{$local_part}}
+  client_username =    ph10
+  client_password =    mysecret
+
+.else
+sasl3:
+  driver =             gsasl
+  public_name =                PLAIN
+  server_condition =   ${if and {{eq{$auth1}{ph10}}{eq{$auth3}{mysecret}}}}
+  server_set_id =      $auth1
+
+sasl4:
+  driver =             plaintext
+  public_name =                PLAIN
+  client_condition =   ${if eq {plain}{$local_part}}
+  client_send =                ^ph10^mysecret
+
+.endif
+
+
+# End

diff --git a/test/confs/3828 b/test/confs/3828
deleted file mode 100644 (file)
index aa9db9467fb522f5950c8558d06d33b3a012588a..0000000000000000000000000000000000000000
--- a/test/confs/3828
+++ /dev/null
@@ -1,66 +0,0 @@
-# Exim test configuration 3828
-
-SERVER=
-
-.include DIR/aux-var/std_conf_prefix
-
-primary_hostname = myhost.test.ex
-
-# ----- Main settings -----
-
-acl_smtp_rcpt = accept
-queue_only
-
-
-begin routers
-
-client_r:
-  driver =     accept
-  condition =  ${if !eq {SERVER}{server}}
-  transport =  smtp
-
-begin transports
-
-smtp:
-  driver =     smtp
-  hosts =      127.0.0.1
-  allow_localhost
-  port =       PORT_D
-  hosts_require_auth = *
-
-# ----- Authentication -----
-
-begin authenticators
-
-.ifndef OPT
-sasl1:
-  driver =             plaintext
-  public_name =                PLAIN
-  server_prompts =     :
-  server_condition =   ${if and {{eq{$auth2}{ph10}}{eq{$auth3}{mysecret}}}}
-  server_set_id =      $auth2
-
-sasl2:
-  driver =             gsasl
-  public_name =                PLAIN
-  client_condition =   ${if eq {plain}{$local_part}}
-  client_username =    ph10
-  client_password =    mysecret
-
-.else
-sasl3:
-  driver =             gsasl
-  public_name =                PLAIN
-  server_condition =   ${if and {{eq{$auth1}{ph10}}{eq{$auth3}{mysecret}}}}
-  server_set_id =      $auth1
-
-sasl4:
-  driver =             plaintext
-  public_name =                PLAIN
-  client_condition =   ${if eq {plain}{$local_part}}
-  client_send =                ^ph10^mysecret
-
-.endif
-
-
-# End

diff --git a/test/confs/3828 b/test/confs/3828
new file mode 120000 (symlink)
index 0000000000000000000000000000000000000000..d8f3286c4a324ee53143928dfeffb054fdd248a8
--- /dev/null
+++ b/test/confs/3828
@@ -0,0 +1 @@
+3820
\ No newline at end of file

diff --git a/test/log/3825 b/test/log/3825
new file mode 100644 (file)
index 0000000..038a795
--- /dev/null
+++ b/test/log/3825
@@ -0,0 +1,12 @@
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaX-0005vi-00 => plain@test.ex R=client_r T=smtp H=127.0.0.1 [127.0.0.1] A=sasl2 C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => plain@test.ex R=client_r T=smtp H=127.0.0.1 [127.0.0.1] A=sasl4 C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpa A=sasl1:ph10 S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpa A=sasl3:ph10 S=sss id=E10HmaZ-0005vi-00@myhost.test.ex

diff --git a/test/log/3828 b/test/log/3828
deleted file mode 100644 (file)
index 038a795..0000000
--- a/test/log/3828
+++ /dev/null
@@ -1,12 +0,0 @@
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaX-0005vi-00 => plain@test.ex R=client_r T=smtp H=127.0.0.1 [127.0.0.1] A=sasl2 C="250 OK id=10HmaY-0005vi-00"
-1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => plain@test.ex R=client_r T=smtp H=127.0.0.1 [127.0.0.1] A=sasl4 C="250 OK id=10HmbA-0005vi-00"
-1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
-
-******** SERVER ********
-1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpa A=sasl1:ph10 S=sss id=E10HmaX-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpa A=sasl3:ph10 S=sss id=E10HmaZ-0005vi-00@myhost.test.ex

diff --git a/test/scripts/3825-gsasl-plaintext/3825 b/test/scripts/3825-gsasl-plaintext/3825
new file mode 100644 (file)
index 0000000..a30888f
--- /dev/null
+++ b/test/scripts/3825-gsasl-plaintext/3825
@@ -0,0 +1,16 @@
+# GSASL PLAIN authentication: gsasl driver vs. plaintext driver
+#
+# gsasl client against plaintext server
+exim -DSERVER=server -bd -oX PORT_D
+****
+exim -odi plain@test.ex
+****
+killdaemon
+#
+# plaintext client against gsasl server
+exim -DSERVER=server -DOPT=y -bd -oX PORT_D
+****
+exim -odi -DOPT=y plain@test.ex
+****
+killdaemon
+no_msglog_check

diff --git a/test/scripts/3825-gsasl-plaintext/REQUIRES b/test/scripts/3825-gsasl-plaintext/REQUIRES
new file mode 100644 (file)
index 0000000..905a622
--- /dev/null
+++ b/test/scripts/3825-gsasl-plaintext/REQUIRES
@@ -0,0 +1,2 @@
+authenticator gsasl
+authenticator plaintext

diff --git a/test/scripts/3828-gsasl-plaintext/3828 b/test/scripts/3828-gsasl-plaintext/3828
deleted file mode 100644 (file)
index a30888f..0000000
--- a/test/scripts/3828-gsasl-plaintext/3828
+++ /dev/null
@@ -1,16 +0,0 @@
-# GSASL PLAIN authentication: gsasl driver vs. plaintext driver
-#
-# gsasl client against plaintext server
-exim -DSERVER=server -bd -oX PORT_D
-****
-exim -odi plain@test.ex
-****
-killdaemon
-#
-# plaintext client against gsasl server
-exim -DSERVER=server -DOPT=y -bd -oX PORT_D
-****
-exim -odi -DOPT=y plain@test.ex
-****
-killdaemon
-no_msglog_check

diff --git a/test/scripts/3828-gsasl-plaintext/REQUIRES b/test/scripts/3828-gsasl-plaintext/REQUIRES
deleted file mode 100644 (file)
index 905a622..0000000
--- a/test/scripts/3828-gsasl-plaintext/REQUIRES
+++ /dev/null
@@ -1,2 +0,0 @@
-authenticator gsasl
-authenticator plaintext

diff --git a/test/scripts/3828-gsasl-scram-sha-256/3828 b/test/scripts/3828-gsasl-scram-sha-256/3828
new file mode 100644 (file)
index 0000000..749dbf5
--- /dev/null
+++ b/test/scripts/3828-gsasl-scram-sha-256/3828
@@ -0,0 +1,8 @@
+# GSASL SCRAM-SHA-256
+#
+exim -DSERVER=server -DTRUSTED -bd -oX PORT_D
+****
+exim -odi -DTRUSTED scram_sha_256@test.ex
+****
+killdaemon
+no_msglog_check

diff --git a/test/scripts/3828-gsasl-scram-sha-256/REQUIRES b/test/scripts/3828-gsasl-scram-sha-256/REQUIRES
new file mode 100644 (file)
index 0000000..89fd508
--- /dev/null
+++ b/test/scripts/3828-gsasl-scram-sha-256/REQUIRES
@@ -0,0 +1,2 @@
+authenticator gsasl
+feature _HAVE_AUTH_GSASL_SCRAM_SHA_256