From 49d478067ba22d087c65b35a8bb9b782be1ee173 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Wed, 15 Jan 2020 14:22:42 +0000 Subject: [PATCH] gsasl authenticator: support crypted secrets, server side --- doc/doc-docbook/spec.xfpt | 53 ++++- doc/doc-txt/NewStuff | 5 +- src/src/auths/gsasl_exim.c | 227 +++++++++++++++------ src/src/auths/gsasl_exim.h | 3 + src/src/smtp_in.c | 4 +- test/confs/3820 | 17 +- test/log/3821 | 4 +- test/log/3829 | 2 +- test/scripts/3828-gsasl-scram-sha-256/3828 | 4 +- test/stderr/3400 | 14 +- test/stdout/3820 | 2 +- 11 files changed, 242 insertions(+), 93 deletions(-) diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 1d6fa536b..c57f1a23f 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -27553,6 +27553,19 @@ This option is exapanded before use, and should result in the account name to be used. .wen +.new +.option client_spassword gsasl string&!! unset +If a SCRAM mechanism is being used and this option is set +it is used in preference to $%client_password%&. +The value after expansion should be +a 40 (for SHA-1) or 64 (for SHA-256) character string +with the PBKDF2-prepared password, hex-encoded. +Note that this value will depend on the salt and iteration-count +supplied by the server. +.wen + + + .option server_channelbinding gsasl boolean false Do not set this true and rely on the properties without consulting a cryptographic engineer. @@ -27629,7 +27642,8 @@ Some mechanisms will use this data. .option server_scram_iter gsasl string&!! 4096 This option provides data for the SCRAM family of mechanisms. .new -The &$auth1$&, &$auth2$& and &$auth3$& variables are available for expansion. +The &$auth1$&, &$auth2$& and &$auth3$& variables are available +when this option is expanded. The result of expansion should be a decimal number, and represents both a lower-bound on the security, and @@ -27637,19 +27651,50 @@ a compute cost factor imposed on the client (if it does not cache results, or the server changes either the iteration count or the salt). A minimum value of 4096 is required by the standards -for all current CRAM mechanism variants. +for all current SCRAM mechanism variants. .wen - .option server_scram_salt gsasl string&!! unset This option provides data for the SCRAM family of mechanisms. .new -The &$auth1$&, &$auth2$& and &$auth3$& variables are available for expansion. +The &$auth1$&, &$auth2$& and &$auth3$& variables are available +when this option is expanded. +The value should be a base64-encoded string, +of random data typically 4-to-16 bytes long. If unset or empty after expansion the library will provides a value for the protocol conversation. .wen +.new +.option server_key gsasl string&!! unset +.option server_skey gsasl string&!! unset +These options can be used for the SCRAM family of mechanisms +to provide stored information related to a password, +the storage of which is preferable to plaintext. + +&%server_key%& is the value defined in the SCRAM standards as ServerKey; +&%server_skey%& is StoredKey. + +They are only available for version 1.9.0 (or later) of the gsasl library. +When this is so, the macros +_OPT_AUTHENTICATOR_GSASL_SERVER_KEY +and _HAVE_AUTH_GSASL_SCRAM_S_KEY +will be defined. + +The &$authN$& variables are available when these options are expanded. + +If set, the results of expansion should for each +should be a 28 (for SHA-1) or 44 (for SHA-256) character string +of base64-coded data, and will be used in preference to the +&%server_password%& option. +If unset or not of the right length, &%server_password%& will be used. + +The libgsasl library release includes a utility &'gsasl'& which can be used +to generate these values. +.wen + + .option server_service gsasl string &`smtp`& This is the SASL service that the server claims to implement. Some mechanisms will use this data. diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index 8a00bfc67..f5421a7f2 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -21,7 +21,10 @@ Version 4.94 driver for PLAIN; only against itself for SCRAM-SHA-1 and SCRAM-SHA-1-PLUS methods. - 5. Variable $local_part_verified, set by the router check_local_part condition + 5. Server-side support in the gsasl authenticator for encrypted passwords, as an + alternate for the existing plaintext. + + 6. Variable $local_part_verified, set by the router check_local_part condition with untainted data. diff --git a/src/src/auths/gsasl_exim.c b/src/src/auths/gsasl_exim.c index 80ae354f9..1c4af92fc 100644 --- a/src/src/auths/gsasl_exim.c +++ b/src/src/auths/gsasl_exim.c @@ -42,6 +42,10 @@ static void dummy(int x) { dummy2(x-1); } #if GSASL_VERSION_MINOR >= 9 # define EXIM_GSASL_HAVE_SCRAM_SHA_256 + +# if GSASL_VERSION_PATCH >= 1 +# define EXIM_GSASL_SCRAM_S_KEY +# endif #endif @@ -51,34 +55,42 @@ we only ever handle one mechanism at a time, I didn't see the point in keeping that. In case someone sees a point, I've left the condition_check() API alone. */ optionlist auth_gsasl_options[] = { - { "client_authz", opt_stringptr, + { "client_authz", opt_stringptr, (void *)(offsetof(auth_gsasl_options_block, client_authz)) }, - { "client_channelbinding", opt_bool, + { "client_channelbinding", opt_bool, (void *)(offsetof(auth_gsasl_options_block, client_channelbinding)) }, - { "client_password", opt_stringptr, + { "client_password", opt_stringptr, (void *)(offsetof(auth_gsasl_options_block, client_password)) }, - { "client_username", opt_stringptr, + { "client_spassword", opt_stringptr, + (void *)(offsetof(auth_gsasl_options_block, client_spassword)) }, + { "client_username", opt_stringptr, (void *)(offsetof(auth_gsasl_options_block, client_username)) }, - { "server_channelbinding", opt_bool, + { "server_channelbinding", opt_bool, (void *)(offsetof(auth_gsasl_options_block, server_channelbinding)) }, - { "server_hostname", opt_stringptr, + { "server_hostname", opt_stringptr, (void *)(offsetof(auth_gsasl_options_block, server_hostname)) }, - { "server_mech", opt_stringptr, +#ifdef EXIM_GSASL_SCRAM_S_KEY + { "server_key", opt_stringptr, + (void *)(offsetof(auth_gsasl_options_block, server_key)) }, +#endif + { "server_mech", opt_stringptr, (void *)(offsetof(auth_gsasl_options_block, server_mech)) }, - { "server_password", opt_stringptr, + { "server_password", opt_stringptr, (void *)(offsetof(auth_gsasl_options_block, server_password)) }, - { "server_realm", opt_stringptr, + { "server_realm", opt_stringptr, (void *)(offsetof(auth_gsasl_options_block, server_realm)) }, - { "server_scram_iter", opt_stringptr, + { "server_scram_iter", opt_stringptr, (void *)(offsetof(auth_gsasl_options_block, server_scram_iter)) }, - { "server_scram_salt", opt_stringptr, + { "server_scram_salt", opt_stringptr, (void *)(offsetof(auth_gsasl_options_block, server_scram_salt)) }, - { "server_service", opt_stringptr, +#ifdef EXIM_GSASL_SCRAM_S_KEY + { "server_skey", opt_stringptr, + (void *)(offsetof(auth_gsasl_options_block, server_s_key)) }, +#endif + { "server_service", opt_stringptr, (void *)(offsetof(auth_gsasl_options_block, server_service)) } }; -/* GSASL_SCRAM_SALTED_PASSWORD documented only for client, so not implementing -hooks to avoid cleartext passwords in the Exim server. */ int auth_gsasl_options_count = sizeof(auth_gsasl_options)/sizeof(optionlist); @@ -93,6 +105,7 @@ auth_gsasl_options_block auth_gsasl_option_defaults = { #ifdef MACRO_PREDEF +# include "../macro_predef.h" /* Dummy values */ void auth_gsasl_init(auth_instance *ablock) {} @@ -107,6 +120,9 @@ auth_gsasl_macros(void) # ifdef EXIM_GSASL_HAVE_SCRAM_SHA_256 builtin_macro_create(US"_HAVE_AUTH_GSASL_SCRAM_SHA_256"); # endif +# ifdef EXIM_GSASL_SCRAM_S_KEY + builtin_macro_create(US"_HAVE_AUTH_GSASL_SCRAM_S_KEY"); +# endif } #else /*!MACRO_PREDEF*/ @@ -288,6 +304,56 @@ return rc; } +/************************************************* +* Debug service function * +*************************************************/ +static const uschar * +gsasl_prop_code_to_name(Gsasl_property prop) +{ +switch (prop) + { + case GSASL_AUTHID: return US"AUTHID"; + case GSASL_AUTHZID: return US"AUTHZID"; + case GSASL_PASSWORD: return US"PASSWORD"; + case GSASL_ANONYMOUS_TOKEN: return US"ANONYMOUS_TOKEN"; + case GSASL_SERVICE: return US"SERVICE"; + case GSASL_HOSTNAME: return US"HOSTNAME"; + case GSASL_GSSAPI_DISPLAY_NAME: return US"GSSAPI_DISPLAY_NAME"; + case GSASL_PASSCODE: return US"PASSCODE"; + case GSASL_SUGGESTED_PIN: return US"SUGGESTED_PIN"; + case GSASL_PIN: return US"PIN"; + case GSASL_REALM: return US"REALM"; + case GSASL_DIGEST_MD5_HASHED_PASSWORD: return US"DIGEST_MD5_HASHED_PASSWORD"; + case GSASL_QOPS: return US"QOPS"; + case GSASL_QOP: return US"QOP"; + case GSASL_SCRAM_ITER: return US"SCRAM_ITER"; + case GSASL_SCRAM_SALT: return US"SCRAM_SALT"; + case GSASL_SCRAM_SALTED_PASSWORD: return US"SCRAM_SALTED_PASSWORD"; +#ifdef EXIM_GSASL_SCRAM_S_KEY + case GSASL_SCRAM_STOREDKEY: return US"SCRAM_STOREDKEY"; + case GSASL_SCRAM_SERVERKEY: return US"SCRAM_SERVERKEY"; +#endif + case GSASL_CB_TLS_UNIQUE: return US"CB_TLS_UNIQUE"; + case GSASL_SAML20_IDP_IDENTIFIER: return US"SAML20_IDP_IDENTIFIER"; + case GSASL_SAML20_REDIRECT_URL: return US"SAML20_REDIRECT_URL"; + case GSASL_OPENID20_REDIRECT_URL: return US"OPENID20_REDIRECT_URL"; + case GSASL_OPENID20_OUTCOME_DATA: return US"OPENID20_OUTCOME_DATA"; + case GSASL_SAML20_AUTHENTICATE_IN_BROWSER: return US"SAML20_AUTHENTICATE_IN_BROWSER"; + case GSASL_OPENID20_AUTHENTICATE_IN_BROWSER: return US"OPENID20_AUTHENTICATE_IN_BROWSER"; +#ifdef EXIM_GSASL_SCRAM_S_KEY + case GSASL_SCRAM_CLIENTKEY: return US"SCRAM_CLIENTKEY"; +#endif + case GSASL_VALIDATE_SIMPLE: return US"VALIDATE_SIMPLE"; + case GSASL_VALIDATE_EXTERNAL: return US"VALIDATE_EXTERNAL"; + case GSASL_VALIDATE_ANONYMOUS: return US"VALIDATE_ANONYMOUS"; + case GSASL_VALIDATE_GSSAPI: return US"VALIDATE_GSSAPI"; + case GSASL_VALIDATE_SECURID: return US"VALIDATE_SECURID"; + case GSASL_VALIDATE_SAML20: return US"VALIDATE_SAML20"; + case GSASL_VALIDATE_OPENID20: return US"VALIDATE_OPENID20"; + } +return CUS string_sprintf("(unknown prop: %d)", (int)prop); +} + /************************************************* * Server entry point * *************************************************/ @@ -440,6 +506,7 @@ do { goto STOP_INTERACTION; } + /*XXX having our caller send the final smtp "235" is unfortunate; wastes a roundtrip */ if ((rc == GSASL_NEEDS_MORE) || (to_send && *to_send)) exim_error = auth_get_no64_data(USS &received, US to_send); @@ -457,6 +524,21 @@ do { STOP_INTERACTION: auth_result = rc; +HDEBUG(D_auth) + { + const uschar * s; + if ((s = CUS gsasl_property_fast(sctx, GSASL_SCRAM_ITER))) + debug_printf(" - itercnt: '%s'\n", s); + if ((s = CUS gsasl_property_fast(sctx, GSASL_SCRAM_SALT))) + debug_printf(" - salt: '%s'\n", s); +#ifdef EXIM_GSASL_SCRAM_S_KEY + if ((s = CUS gsasl_property_fast(sctx, GSASL_SCRAM_SERVERKEY))) + debug_printf(" - ServerKey: '%s'\n", s); + if ((s = CUS gsasl_property_fast(sctx, GSASL_SCRAM_STOREDKEY))) + debug_printf(" - StoredKey: '%s'\n", s); +#endif + } + gsasl_finish(sctx); /* Can return: OK DEFER FAIL CANCELLED BAD64 UNEXPECTED */ @@ -530,19 +612,36 @@ set_exim_authvar_from_prop(sctx, GSASL_REALM); } +static int +prop_from_option(Gsasl_session * sctx, Gsasl_property prop, + const uschar * option) +{ +HDEBUG(D_auth) debug_printf(" %s\n", gsasl_prop_code_to_name(prop)); +if (option) + { + set_exim_authvars_from_a_az_r_props(sctx); + option = expand_cstring(option); + HDEBUG(D_auth) debug_printf(" '%s'\n", option); + if (*option) + gsasl_property_set(sctx, prop, CCS option); + return GSASL_OK; + } +HDEBUG(D_auth) debug_printf(" option not set\n"); +return GSASL_NO_CALLBACK; +} + static int server_callback(Gsasl *ctx, Gsasl_session *sctx, Gsasl_property prop, auth_instance *ablock) { char *tmps; -uschar *propval; +uschar *s, *propval; int cbrc = GSASL_NO_CALLBACK; auth_gsasl_options_block *ob = (auth_gsasl_options_block *)(ablock->options_block); -HDEBUG(D_auth) - debug_printf("GNU SASL callback %d for %s/%s as server\n", - prop, ablock->name, ablock->public_name); +HDEBUG(D_auth) debug_printf("GNU SASL callback %s for %s/%s as server\n", + gsasl_prop_code_to_name(prop), ablock->name, ablock->public_name); for (int i = 0; i < AUTH_VARS; i++) auth_vars[i] = NULL; expand_nmax = 0; @@ -550,7 +649,6 @@ expand_nmax = 0; switch (prop) { case GSASL_VALIDATE_SIMPLE: - HDEBUG(D_auth) debug_printf(" VALIDATE_SIMPLE\n"); /* GSASL_AUTHID, GSASL_AUTHZID, and GSASL_PASSWORD */ set_exim_authvar_from_prop(sctx, GSASL_AUTHID); set_exim_authvar_from_prop(sctx, GSASL_AUTHZID); @@ -561,7 +659,6 @@ switch (prop) break; case GSASL_VALIDATE_EXTERNAL: - HDEBUG(D_auth) debug_printf(" VALIDATE_EXTERNAL\n"); if (!ablock->server_condition) { HDEBUG(D_auth) debug_printf("No server_condition supplied, to validate EXTERNAL\n"); @@ -576,7 +673,6 @@ switch (prop) break; case GSASL_VALIDATE_ANONYMOUS: - HDEBUG(D_auth) debug_printf(" VALIDATE_ANONYMOUS\n"); if (!ablock->server_condition) { HDEBUG(D_auth) debug_printf("No server_condition supplied, to validate ANONYMOUS\n"); @@ -591,7 +687,6 @@ switch (prop) break; case GSASL_VALIDATE_GSSAPI: - HDEBUG(D_auth) debug_printf(" VALIDATE_GSSAPI\n"); /* GSASL_AUTHZID and GSASL_GSSAPI_DISPLAY_NAME The display-name is authenticated as part of GSS, the authzid is claimed by the SASL integration after authentication; protected against tampering @@ -613,37 +708,25 @@ switch (prop) break; case GSASL_SCRAM_ITER: - HDEBUG(D_auth) debug_printf(" SCRAM_ITER\n"); - if (ob->server_scram_iter) - { - set_exim_authvars_from_a_az_r_props(sctx); - tmps = CS expand_string(ob->server_scram_iter); - HDEBUG(D_auth) debug_printf(" '%s'\n", tmps); - gsasl_property_set(sctx, GSASL_SCRAM_ITER, tmps); - cbrc = GSASL_OK; - } - else - HDEBUG(D_auth) debug_printf(" option not set\n"); + cbrc = prop_from_option(sctx, prop, ob->server_scram_iter); break; case GSASL_SCRAM_SALT: - HDEBUG(D_auth) debug_printf(" SCRAM_SALT\n"); - if (ob->server_scram_salt) - { - set_exim_authvars_from_a_az_r_props(sctx); - tmps = CS expand_string(ob->server_scram_salt); - HDEBUG(D_auth) debug_printf(" '%s'\n", tmps); - if (*tmps) - gsasl_property_set(sctx, GSASL_SCRAM_SALT, tmps); - cbrc = GSASL_OK; - } - else - HDEBUG(D_auth) debug_printf(" option not set\n"); + cbrc = prop_from_option(sctx, prop, ob->server_scram_salt); break; +#ifdef EXIM_GSASL_SCRAM_S_KEY + case GSASL_SCRAM_STOREDKEY: + cbrc = prop_from_option(sctx, prop, ob->server_s_key); + break; + + case GSASL_SCRAM_SERVERKEY: + cbrc = prop_from_option(sctx, prop, ob->server_key); + break; +#endif + case GSASL_PASSWORD: - HDEBUG(D_auth) debug_printf(" PASSWORD\n"); - /* SCRAM-SHA-1: GSASL_AUTHID, GSASL_AUTHZID and GSASL_REALM + /* SCRAM-*: GSASL_AUTHID, GSASL_AUTHZID and GSASL_REALM DIGEST-MD5: GSASL_AUTHID, GSASL_AUTHZID and GSASL_REALM CRAM-MD5: GSASL_AUTHID PLAIN: GSASL_AUTHID and GSASL_AUTHZID @@ -651,12 +734,12 @@ switch (prop) */ set_exim_authvars_from_a_az_r_props(sctx); - if (!ob->server_password) + if (!(s = ob->server_password)) { HDEBUG(D_auth) debug_printf("option not set\n"); break; } - if (!(tmps = CS expand_string(ob->server_password))) + if (!(tmps = CS expand_string(s))) { sasl_error_should_defer = !f.expand_string_forcedfail; HDEBUG(D_auth) debug_printf("server_password expansion failed, so " @@ -691,19 +774,25 @@ return cbrc; #define PROP_OPTIONAL BIT(0) static BOOL -client_prop(Gsasl_session * sctx, Gsasl_property propnum, uschar * val, - const uschar * why, unsigned flags, uschar * buffer, int buffsize) +set_client_prop(Gsasl_session * sctx, Gsasl_property prop, uschar * val, + unsigned flags, uschar * buffer, int buffsize) { uschar * s; int rc; -if (flags & PROP_OPTIONAL && !val) return TRUE; +if (!val) return !!(flags & PROP_OPTIONAL); if (!(s = expand_string(val)) || !(flags & PROP_OPTIONAL) && !*s) { string_format(buffer, buffsize, "%s", expand_string_message); return FALSE; } -if (*s) gsasl_property_set(sctx, propnum, CS s); +if (*s) + { + HDEBUG(D_auth) debug_printf("%s: set %s = '%s'\n", __FUNCTION__, + gsasl_prop_code_to_name(prop), s); + gsasl_property_set(sctx, prop, CS s); + } + return TRUE; } @@ -770,11 +859,14 @@ gsasl_session_hook_set(sctx, &cb_state); /* Set properties */ -if ( !client_prop(sctx, GSASL_PASSWORD, ob->client_password, US"password", +if ( !set_client_prop(sctx, GSASL_SCRAM_SALTED_PASSWORD, ob->client_spassword, 0, buffer, buffsize) - || !client_prop(sctx, GSASL_AUTHID, ob->client_username, US"username", + && + !set_client_prop(sctx, GSASL_PASSWORD, ob->client_password, 0, buffer, buffsize) - || !client_prop(sctx, GSASL_AUTHZID, ob->client_authz, US"authz", + || !set_client_prop(sctx, GSASL_AUTHID, ob->client_username, + 0, buffer, buffsize) + || !set_client_prop(sctx, GSASL_AUTHZID, ob->client_authz, PROP_OPTIONAL, buffer, buffsize) ) return ERROR; @@ -848,6 +940,12 @@ for(s = NULL; ;) } done: +HDEBUG(D_auth) + { + const uschar * s = CUS gsasl_property_fast(sctx, GSASL_SCRAM_SALTED_PASSWORD); + if (s) debug_printf(" - SaltedPassword: '%s'\n", s); + } + gsasl_finish(sctx); return yield; } @@ -855,22 +953,19 @@ return yield; static int client_callback(Gsasl *ctx, Gsasl_session *sctx, Gsasl_property prop, auth_instance *ablock) { -HDEBUG(D_auth) debug_printf("GNU SASL callback %d for %s/%s as client\n", - prop, ablock->name, ablock->public_name); +HDEBUG(D_auth) debug_printf("GNU SASL callback %s for %s/%s as client\n", + gsasl_prop_code_to_name(prop), ablock->name, ablock->public_name); switch (prop) { - case GSASL_AUTHZID: - HDEBUG(D_auth) debug_printf(" inquired for AUTHZID; not providing one\n"); - break; - case GSASL_SCRAM_SALTED_PASSWORD: - HDEBUG(D_auth) - debug_printf(" inquired for SCRAM_SALTED_PASSWORD; not providing one\n"); - break; case GSASL_CB_TLS_UNIQUE: HDEBUG(D_auth) - debug_printf(" inquired for CB_TLS_UNIQUE, filling in\n"); + debug_printf(" filling in\n"); gsasl_property_set(sctx, GSASL_CB_TLS_UNIQUE, CCS tls_out.channelbinding); break; + default: + HDEBUG(D_auth) + debug_printf(" not providing one\n"); + break; } return GSASL_NO_CALLBACK; } diff --git a/src/src/auths/gsasl_exim.h b/src/src/auths/gsasl_exim.h index cceec77a8..3cd64bdc0 100644 --- a/src/src/auths/gsasl_exim.h +++ b/src/src/auths/gsasl_exim.h @@ -18,12 +18,15 @@ typedef struct { uschar *server_realm; uschar *server_mech; uschar *server_password; + uschar *server_key; + uschar *server_s_key; uschar *server_scram_iter; uschar *server_scram_salt; uschar *client_username; uschar *client_password; uschar *client_authz; + uschar *client_spassword; BOOL server_channelbinding; BOOL client_channelbinding; diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c index 0ae89a48c..6062e8118 100644 --- a/src/src/smtp_in.c +++ b/src/src/smtp_in.c @@ -4408,8 +4408,8 @@ while (done <= 0) if (au->server) { DEBUG(D_auth+D_expand) debug_printf_indent( - "Evaluating advertise_condition for %s athenticator\n", - au->public_name); + "Evaluating advertise_condition for %s %s athenticator\n", + au->name, au->public_name); if ( !au->advertise_condition || expand_check_condition(au->advertise_condition, au->name, US"authenticator") diff --git a/test/confs/3820 b/test/confs/3820 index c80d4d414..7322c4b7e 100644 --- a/test/confs/3820 +++ b/test/confs/3820 @@ -23,6 +23,7 @@ client_r: driver = accept condition = ${if !eq {SERVER}{server}} transport = smtp + errors_to = begin transports @@ -35,6 +36,8 @@ smtp: hosts_require_tls = * tls_verify_certificates = DIR/aux-fixed/cert1 tls_verify_cert_hostnames = : +.else + hosts_avoid_tls = * .endif hosts_require_auth = * @@ -70,14 +73,11 @@ sasl3: public_name = SCRAM-SHA-1 .endif - # will need to give library salt, stored-key, server-key, itercount - # - # sigh - # gsasl takes props: GSASL_SCRAM_ITER, GSASL_SCRAM_SALT. It _might_ take - # a GSASL_SCRAM_SALTED_PASSWORD - but that is only documented for client mode. - - # unclear if the salt is given in binary or base64 to the library server_scram_salt = ${if eq {$auth1}{ph10} {QSXCR+Q6sek8bf92}} +.ifdef _HAVE_AUTH_GSASL_SCRAM_S_KEY + server_key = D+CSWLOshSulAsxiupA+qs2/fTE= + server_skey = 6dlGYMOdZcOPutkcNY8U2g7vK9Y= +.endif server_password = ${if eq {$auth1}{ph10} {pencil}{unset_password}} server_condition = true server_set_id = $auth1 @@ -85,6 +85,9 @@ sasl3: client_condition = ${if eq {scram_sha_1}{$local_part}} client_username = ph10 client_password = pencil +.ifdef _HAVE_AUTH_GSASL_SCRAM_S_KEY + client_spassword = 1d96ee3a529b5a5f9e47c01f229a2cb8a6e15f7d +.endif .ifdef TRUSTED client_channelbinding = true .endif diff --git a/test/log/3821 b/test/log/3821 index bcb5741cf..6c79bedfd 100644 --- a/test/log/3821 +++ b/test/log/3821 @@ -7,5 +7,5 @@ ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D -1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpa A=sasl2:ph10 S=sss id=E10HmaX-0005vi-00@myhost.test.ex -1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpa A=sasl3:ph10 S=sss id=E10HmaZ-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpa A=sasl2:ph10 S=sss id=E10HmaX-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpa A=sasl3:ph10 S=sss id=E10HmaZ-0005vi-00@myhost.test.ex diff --git a/test/log/3829 b/test/log/3829 index 3b630ba8e..69c2781d8 100644 --- a/test/log/3829 +++ b/test/log/3829 @@ -4,4 +4,4 @@ ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D -1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpsa X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no A=sasl3:ph10 S=sss id=E10HmaX-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpsa X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no A=sasl3:ph10 S=sss id=E10HmaX-0005vi-00@myhost.test.ex diff --git a/test/scripts/3828-gsasl-scram-sha-256/3828 b/test/scripts/3828-gsasl-scram-sha-256/3828 index 749dbf58d..74348f972 100644 --- a/test/scripts/3828-gsasl-scram-sha-256/3828 +++ b/test/scripts/3828-gsasl-scram-sha-256/3828 @@ -1,8 +1,8 @@ # GSASL SCRAM-SHA-256 # -exim -DSERVER=server -DTRUSTED -bd -oX PORT_D +exim -DSERVER=server -bd -oX PORT_D **** -exim -odi -DTRUSTED scram_sha_256@test.ex +exim -odi scram_sha_256@test.ex **** killdaemon no_msglog_check diff --git a/test/stderr/3400 b/test/stderr/3400 index da04b7f37..9088befdf 100644 --- a/test/stderr/3400 +++ b/test/stderr/3400 @@ -438,13 +438,13 @@ host in "10.0.0.1"? no (end of list) host in "10.0.0.4"? no (end of list) host in "10.0.0.3 : 10.0.0.4"? no (end of list) host in auth_advertise_hosts? yes (matched "10.0.0.5") -Evaluating advertise_condition for mylogin athenticator -Evaluating advertise_condition for PLAIN athenticator -Evaluating advertise_condition for EXPLAIN athenticator -Evaluating advertise_condition for EXPANDED athenticator -Evaluating advertise_condition for EXPANDFAIL athenticator -Evaluating advertise_condition for DEFER athenticator -Evaluating advertise_condition for LOGIN athenticator +Evaluating advertise_condition for mylogin mylogin athenticator +Evaluating advertise_condition for plain PLAIN athenticator +Evaluating advertise_condition for extended_plain EXPLAIN athenticator +Evaluating advertise_condition for expanded_prompt_plain EXPANDED athenticator +Evaluating advertise_condition for expanded_prompt_plain_fail EXPANDFAIL athenticator +Evaluating advertise_condition for defer DEFER athenticator +Evaluating advertise_condition for login LOGIN athenticator host in chunking_advertise_hosts? no (end of list) SMTP>> 250-myhost.test.ex Hello CALLER at testing.testing [10.0.0.5] 250-SIZE 52428800 diff --git a/test/stdout/3820 b/test/stdout/3820 index 25723136a..be1a2c53b 100644 --- a/test/stdout/3820 +++ b/test/stdout/3820 @@ -11,7 +11,7 @@ Connecting to 127.0.0.1 port 1225 ... connected ??? 250- <<< 250-PIPELINING ??? 250- -<<< 250-AUTH ANONYMOUS PLAIN SCRAM-SHA-1 +<<< 250-AUTH ANONYMOUS PLAIN SCRAM-SHA-1 SCRAM-SHA-256 ??? 250 <<< 250 HELP >>> AUTH PLAIN AHBoMTAAc2VjcmV0 -- 2.30.2