From fdc7c95ecb7281cc0b60ffb0b518380f3ff252a4 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Mon, 30 Dec 2019 22:45:21 +0000 Subject: [PATCH 1/1] Testsuite: testcase for GSASL SCRAM-SHA-256 --- doc/doc-docbook/spec.xfpt | 16 +++-- test/confs/3820 | 48 +++++++++---- test/confs/3825 | 66 ++++++++++++++++++ test/confs/3828 | 67 +------------------ test/log/{3828 => 3825} | 0 .../3828 => 3825-gsasl-plaintext/3825} | 0 .../REQUIRES | 0 test/scripts/3828-gsasl-scram-sha-256/3828 | 8 +++ .../scripts/3828-gsasl-scram-sha-256/REQUIRES | 2 + 9 files changed, 125 insertions(+), 82 deletions(-) create mode 100644 test/confs/3825 mode change 100644 => 120000 test/confs/3828 rename test/log/{3828 => 3825} (100%) rename test/scripts/{3828-gsasl-plaintext/3828 => 3825-gsasl-plaintext/3825} (100%) rename test/scripts/{3828-gsasl-plaintext => 3825-gsasl-plaintext}/REQUIRES (100%) create mode 100644 test/scripts/3828-gsasl-scram-sha-256/3828 create mode 100644 test/scripts/3828-gsasl-scram-sha-256/REQUIRES diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 19888e96d..560b72066 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -27435,6 +27435,9 @@ auth_mechanisms = plain login ntlm .cindex "authentication" "DIGEST-MD5" .cindex "authentication" "CRAM-MD5" .cindex "authentication" "SCRAM-SHA-1" +.cindex "authentication" "SCRAM-SHA-1-PLUS" +.cindex "authentication" "SCRAM-SHA-256" +.cindex "authentication" "SCRAM-SHA-256-PLUS" The &(gsasl)& authenticator provides integration for the GNU SASL library and the mechanisms it provides. This is new as of the 4.80 release and there are a few areas where the library does not let Exim smoothly 
@@ -27442,8 +27445,13 @@ scale to handle future authentication mechanisms, so no guarantee can be made that any particular new authentication mechanism will be supported without code changes in Exim. - .new +The library is expected to add support in an upcoming +realease for the SCRAM-SHA-256 method. +The macro _HAVE_AUTH_GSASL_SCRAM_SHA_256 will be defined +when this happens. + + .option client_authz gsasl string&!! unset This option can be used to supply an &'authorization id'& which is different to the &'authentication_id'& provided @@ -27481,6 +27489,7 @@ server to see different identifiers and authentication will fail. This is only usable by mechanisms which support "channel binding"; at time of writing, that's the SCRAM family. +When using this feature the "-PLUS" variants of the method names need to be used. .wen This defaults off to ensure smooth upgrade across Exim releases, in case @@ -40571,9 +40580,8 @@ defines the location of a text file of valid top level domains the opendmarc library uses during domain parsing. Maintained by Mozilla, the most current version can be downloaded -from a link at &url(https://publicsuffix.org/list/, currently pointing -at https://publicsuffix.org/list/public_suffix_list.dat) -See also util/renew-opendmarc-tlds.sh script. +from a link at &url(https://publicsuffix.org/list/public_suffix_list.dat). +See also the util/renew-opendmarc-tlds.sh script. .new The default for the option is unset. If not set, DMARC processing is disabled. diff --git a/test/confs/3820 b/test/confs/3820 index 023ed751d..b60e467a3 100644 --- a/test/confs/3820 +++ b/test/confs/3820 
@@ -27,16 +27,16 @@ client_r: begin transports smtp: - driver = smtp - hosts = 127.0.0.1 + driver = smtp + hosts = 127.0.0.1 allow_localhost - port = PORT_D + port = PORT_D .ifdef TRUSTED - hosts_require_tls = * + hosts_require_tls = * tls_verify_certificates = DIR/aux-fixed/cert1 tls_verify_cert_hostnames = : .endif - hosts_require_auth = * + hosts_require_auth = * # ----- Authentication ----- @@ -44,14 +44,14 @@ begin authenticators .ifndef TRUSTED sasl1: - driver = gsasl - public_name = ANONYMOUS + driver = gsasl + public_name = ANONYMOUS server_set_id = $auth1 server_condition = true sasl2: - driver = gsasl - public_name = PLAIN + driver = gsasl + public_name = PLAIN server_set_id = $auth1 server_condition = ${if eq {$auth3}{pencil}} @@ -61,13 +61,13 @@ sasl2: .endif sasl3: - driver = gsasl + driver = gsasl .ifdef TRUSTED - public_name = SCRAM-SHA-1-PLUS + public_name = SCRAM-SHA-1-PLUS server_advertise_condition = ${if def:tls_in_cipher} server_channelbinding = true .else - public_name = SCRAM-SHA-1 + public_name = SCRAM-SHA-1 .endif # will need to give library salt, stored-key, server-key, itercount @@ -89,5 +89,29 @@ sasl3: client_channelbinding = true .endif +.ifdef _HAVE_AUTH_GSASL_SCRAM_SHA_256 +sasl4: + driver = gsasl +.ifdef TRUSTED + public_name = SCRAM-SHA-256-PLUS + server_advertise_condition = ${if def:tls_in_cipher} + server_channelbinding = true +.else + public_name = SCRAM-SHA-256 +.endif + + server_scram_salt = QSXCR+Q6sek8bf92 + server_password = pencil + server_condition = true + server_set_id = $auth1 + + client_condition = ${if eq {scram_sha_256}{$local_part}} + client_username = ph10 + client_password = pencil +.ifdef TRUSTED + client_channelbinding = true +.endif +.endif + # End diff --git a/test/confs/3825 b/test/confs/3825 new file mode 100644 index 000000000..61483569f --- /dev/null +++ b/test/confs/3825 
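Review bot: The `.else` arm of the new sasl4 block (`public_name = SCRAM-SHA-256`, no channel binding) is not reachable from the suite as committed: the only script whose address matches `client_condition = ${if eq {scram_sha_256}{$local_part}}`, test/scripts/3828-gsasl-scram-sha-256/3828, starts both the daemon and the client with -DTRUSTED. Under TRUSTED the server advertises SCRAM-SHA-256-PLUS only when `tls_in_cipher` is defined and both ends set channel binding, so a regression in the plain SCRAM-SHA-256 path would go unnoticed. A second daemon/client pair without -DTRUSTED in that script, as the existing 3820 script presumably does for SCRAM-SHA-1, would cover the `.else` branch. The sasl3 block that sasl4 duplicates begins before this hunk.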
@@ -0,0 +1,66 @@
+# Exim test configuration 3825
+
+SERVER=
+
+.include DIR/aux-var/std_conf_prefix
+
+primary_hostname = myhost.test.ex
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = accept
+queue_only
+
+
+begin routers
+
+client_r:
+ driver = accept
+ condition = ${if !eq {SERVER}{server}}
+ transport = smtp
+
+begin transports
+
+smtp:
+ driver = smtp
+ hosts = 127.0.0.1
+ allow_localhost
+ port = PORT_D
+ hosts_require_auth = *
+
+# ----- Authentication -----
+
+begin authenticators
+
+.ifndef OPT
+sasl1:
+ driver = plaintext
+ public_name = PLAIN
+ server_prompts = :
+ server_condition = ${if and {{eq{$auth2}{ph10}}{eq{$auth3}{mysecret}}}}
+ server_set_id = $auth2
+
+sasl2:
+ driver = gsasl
+ public_name = PLAIN
+ client_condition = ${if eq {plain}{$local_part}}
+ client_username = ph10
+ client_password = mysecret
+
+.else
+sasl3:
+ driver = gsasl
+ public_name = PLAIN
+ server_condition = ${if and {{eq{$auth1}{ph10}}{eq{$auth3}{mysecret}}}}
+ server_set_id = $auth1
+
+sasl4:
+ driver = plaintext
+ public_name = PLAIN
+ client_condition = ${if eq {plain}{$local_part}}
+ client_send = ^ph10^mysecret
+
+.endif
+
+
+# End
diff --git a/test/confs/3828 b/test/confs/3828
deleted file mode 100644
index aa9db9467..000000000
--- a/test/confs/3828
+++ /dev/null
@@ -1,66 +0,0 @@
-# Exim test configuration 3828
-
-SERVER=
-
-.include DIR/aux-var/std_conf_prefix
-
-primary_hostname = myhost.test.ex
-
-# ----- Main settings -----
-
-acl_smtp_rcpt = accept
-queue_only
-
-
-begin routers
-
-client_r:
- driver = accept
- condition = ${if !eq {SERVER}{server}}
- transport = smtp
-
-begin transports
-
-smtp:
- driver = smtp
- hosts = 127.0.0.1
- allow_localhost
- port = PORT_D
- hosts_require_auth = *
-
-# ----- Authentication -----
-
-begin authenticators
-
-.ifndef OPT
-sasl1:
- driver = plaintext
- public_name = PLAIN
- server_prompts = :
- server_condition = ${if and {{eq{$auth2}{ph10}}{eq{$auth3}{mysecret}}}}
- server_set_id = $auth2
-
-sasl2:
- driver = gsasl
- public_name = PLAIN
- client_condition = ${if eq {plain}{$local_part}}
- client_username = ph10
- client_password = mysecret
-
-.else
-sasl3:
- driver = gsasl
- public_name = PLAIN
- server_condition = ${if and {{eq{$auth1}{ph10}}{eq{$auth3}{mysecret}}}}
- server_set_id = $auth1
-
-sasl4:
- driver = plaintext
- public_name = PLAIN
- client_condition = ${if eq {plain}{$local_part}}
- client_send = ^ph10^mysecret
-
-.endif
-
-
-# End
diff --git a/test/confs/3828 b/test/confs/3828
new file mode 120000
index 000000000..d8f3286c4
--- /dev/null
+++ b/test/confs/3828
@@ -0,0 +1 @@
+3820
\ No newline at end of file
diff --git a/test/log/3828 b/test/log/3825
similarity index 100%
rename from test/log/3828
rename to test/log/3825
diff --git a/test/scripts/3828-gsasl-plaintext/3828 b/test/scripts/3825-gsasl-plaintext/3825
similarity index 100%
rename from test/scripts/3828-gsasl-plaintext/3828
rename to test/scripts/3825-gsasl-plaintext/3825
diff --git a/test/scripts/3828-gsasl-plaintext/REQUIRES b/test/scripts/3825-gsasl-plaintext/REQUIRES
similarity index 100%
rename from test/scripts/3828-gsasl-plaintext/REQUIRES
rename to test/scripts/3825-gsasl-plaintext/REQUIRES
diff --git a/test/scripts/3828-gsasl-scram-sha-256/3828 b/test/scripts/3828-gsasl-scram-sha-256/3828
new file mode 100644
index 000000000..749dbf58d
--- /dev/null
+++ b/test/scripts/3828-gsasl-scram-sha-256/3828
@@ -0,0 +1,8 @@
+# GSASL SCRAM-SHA-256
+#
+exim -DSERVER=server -DTRUSTED -bd -oX PORT_D
+****
+exim -odi -DTRUSTED scram_sha_256@test.ex
+****
+killdaemon
+no_msglog_check
diff --git a/test/scripts/3828-gsasl-scram-sha-256/REQUIRES b/test/scripts/3828-gsasl-scram-sha-256/REQUIRES
new file mode 100644
index 000000000..89fd50833
--- /dev/null
+++ b/test/scripts/3828-gsasl-scram-sha-256/REQUIRES
@@ -0,0 +1,2 @@
+authenticator gsasl
+feature _HAVE_AUTH_GSASL_SCRAM_SHA_256
-- 
2.30.2
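Review bot: The new REQUIRES file declares only `authenticator gsasl` and `feature _HAVE_AUTH_GSASL_SCRAM_SHA_256`, yet both exim invocations in the script pass -DTRUSTED, which in test/confs/3820 (now reached through the 3828 symlink) sets `hosts_require_tls = *` on the transport and advertises the mechanism only when `tls_in_cipher` is defined; on a build without TLS the test would fail rather than be skipped. If the harness has a requirement keyword for TLS support and the existing 3820 REQUIRES carries one, the same line belongs here. A comment in the script such as `# Only the channel-binding (-PLUS) variant under TLS is exercised` would also make the intended coverage explicit to the next person reading the test.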