From: Jeremy Harris
Date: Mon, 30 Dec 2019 22:45:21 +0000 (+0000)
Subject: Testsuite: testcase for GSASL SCRAM-SHA-256
X-Git-Url: https://git.exim.org/users/jgh/exim.git/commitdiff_plain/fdc7c95ecb7281cc0b60ffb0b518380f3ff252a4
Testsuite: testcase for GSASL SCRAM-SHA-256
---
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 19888e96d..560b72066 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -27435,6 +27435,9 @@ auth_mechanisms = plain login ntlm
 .cindex "authentication" "DIGEST-MD5"
 .cindex "authentication" "CRAM-MD5"
 .cindex "authentication" "SCRAM-SHA-1"
+.cindex "authentication" "SCRAM-SHA-1-PLUS"
+.cindex "authentication" "SCRAM-SHA-256"
+.cindex "authentication" "SCRAM-SHA-256-PLUS"
 The &(gsasl)& authenticator provides integration for the GNU SASL library and the mechanisms it provides. This is new as of the 4.80 release and there are a few areas where the library does not let Exim smoothly
@@ -27442,8 +27445,13 @@ scale to handle future authentication mechanisms, so no guarantee can be made that any particular new authentication mechanism will be supported without code changes in Exim.
-
 .new
+The library is expected to add support in an upcoming
+realease for the SCRAM-SHA-256 method.
+The macro _HAVE_AUTH_GSASL_SCRAM_SHA_256 will be defined
+when this happens.
+
+
 .option client_authz gsasl string&!! unset This option can be used to supply an &'authorization id'& which is different to the &'authentication_id'& provided
@@ -27481,6 +27489,7 @@ server to see different identifiers and authentication will fail. This is only usable by mechanisms which support "channel binding"; at time of writing, that's the SCRAM family.
+When using this feature the "-PLUS" variants of the method names need to be used.
 .wen
 This defaults off to ensure smooth upgrade across Exim releases, in case
@@ -40571,9 +40580,8 @@ defines the location of a text file of valid top level domains the opendmarc library uses during domain parsing. Maintained by Mozilla, the most current version can be downloaded
-from a link at &url(https://publicsuffix.org/list/, currently pointing
-at https://publicsuffix.org/list/public_suffix_list.dat)
-See also util/renew-opendmarc-tlds.sh script.
+from a link at &url(https://publicsuffix.org/list/public_suffix_list.dat).
+See also the util/renew-opendmarc-tlds.sh script.
 .new
 The default for the option is unset. If not set, DMARC processing is disabled.
diff --git a/test/confs/3820 b/test/confs/3820
index 023ed751d..b60e467a3 100644
--- a/test/confs/3820
+++ b/test/confs/3820
@@ -27,16 +27,16 @@ client_r:
 begin transports
 smtp:
- driver = smtp
- hosts = 127.0.0.1
+ driver = smtp
+ hosts = 127.0.0.1
 allow_localhost
- port = PORT_D
+ port = PORT_D
 .ifdef TRUSTED
- hosts_require_tls = *
+ hosts_require_tls = *
 tls_verify_certificates = DIR/aux-fixed/cert1
 tls_verify_cert_hostnames = :
 .endif
- hosts_require_auth = *
+ hosts_require_auth = *
 # ----- Authentication -----
@@ -44,14 +44,14 @@ begin authenticators
 .ifndef TRUSTED
 sasl1:
- driver = gsasl
- public_name = ANONYMOUS
+ driver = gsasl
+ public_name = ANONYMOUS
 server_set_id = $auth1
 server_condition = true
 sasl2:
- driver = gsasl
- public_name = PLAIN
+ driver = gsasl
+ public_name = PLAIN
 server_set_id = $auth1
 server_condition = ${if eq {$auth3}{pencil}}
@@ -61,13 +61,13 @@ sasl2:
 .endif
 sasl3:
- driver = gsasl
+ driver = gsasl
 .ifdef TRUSTED
- public_name = SCRAM-SHA-1-PLUS
+ public_name = SCRAM-SHA-1-PLUS
 server_advertise_condition = ${if def:tls_in_cipher}
 server_channelbinding = true
 .else
- public_name = SCRAM-SHA-1
+ public_name = SCRAM-SHA-1
 .endif
 # will need to give library salt, stored-key, server-key, itercount
@@ -89,5 +89,29 @@ sasl3:
 client_channelbinding = true
 .endif
+.ifdef _HAVE_AUTH_GSASL_SCRAM_SHA_256
+sasl4:
+ driver = gsasl
+.ifdef TRUSTED
+ public_name = SCRAM-SHA-256-PLUS
+ server_advertise_condition = ${if def:tls_in_cipher}
+ server_channelbinding = true
+.else
+ public_name = SCRAM-SHA-256
+.endif
+
+ server_scram_salt = QSXCR+Q6sek8bf92
+ server_password = pencil
+ server_condition = true
+ server_set_id = $auth1
+
+ client_condition = ${if eq {scram_sha_256}{$local_part}}
+ client_username = ph10
+ client_password = pencil
+.ifdef TRUSTED
+ client_channelbinding = true
+.endif
+.endif
+
 # End
diff --git a/test/confs/3825 b/test/confs/3825
new file mode 100644
index 000000000..61483569f
--- /dev/null
+++ b/test/confs/3825
@@ -0,0 +1,66 @@
+# Exim test configuration 3825
+
+SERVER=
+
+.include DIR/aux-var/std_conf_prefix
+
+primary_hostname = myhost.test.ex
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = accept
+queue_only
+
+
+begin routers
+
+client_r:
+ driver = accept
+ condition = ${if !eq {SERVER}{server}}
+ transport = smtp
+
+begin transports
+
+smtp:
+ driver = smtp
+ hosts = 127.0.0.1
+ allow_localhost
+ port = PORT_D
+ hosts_require_auth = *
+
+# ----- Authentication -----
+
+begin authenticators
+
+.ifndef OPT
+sasl1:
+ driver = plaintext
+ public_name = PLAIN
+ server_prompts = :
+ server_condition = ${if and {{eq{$auth2}{ph10}}{eq{$auth3}{mysecret}}}}
+ server_set_id = $auth2
+
+sasl2:
+ driver = gsasl
+ public_name = PLAIN
+ client_condition = ${if eq {plain}{$local_part}}
+ client_username = ph10
+ client_password = mysecret
+
+.else
+sasl3:
+ driver = gsasl
+ public_name = PLAIN
+ server_condition = ${if and {{eq{$auth1}{ph10}}{eq{$auth3}{mysecret}}}}
+ server_set_id = $auth1
+
+sasl4:
+ driver = plaintext
+ public_name = PLAIN
+ client_condition = ${if eq {plain}{$local_part}}
+ client_send = ^ph10^mysecret
+
+.endif
+
+
+# End
diff --git a/test/confs/3828 b/test/confs/3828
deleted file mode 100644
index aa9db9467..000000000
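Review bot: In the new sasl4 block, `server_condition = true` means the only server-side gate is the library's SCRAM proof verification against `server_password`; the authenticated id itself is never checked, which is fine for a fixture but easy to copy out of context. A comment above the block would make that explicit: `# test fixture: acceptance relies solely on the library's SCRAM proof check against server_password; server_condition does not restrict the id`. The block is also guarded by `.ifdef _HAVE_AUTH_GSASL_SCRAM_SHA_256`, so on a library without that feature no authenticator matches `scram_sha_256@test.ex` and only the new REQUIRES `feature` line keeps the test from running; a one-line comment on the `.ifdef` naming that dependency would help the next reader. The sasl3 comment two hunks earlier lists salt, keys and itercount as things the library needs, and sasl4 still sets only the salt, so it is worth saying whether the library default iteration count is intended here.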
--- a/test/confs/3828
+++ /dev/null
@@ -1,66 +0,0 @@
-# Exim test configuration 3828
-
-SERVER=
-
-.include DIR/aux-var/std_conf_prefix
-
-primary_hostname = myhost.test.ex
-
-# ----- Main settings -----
-
-acl_smtp_rcpt = accept
-queue_only
-
-
-begin routers
-
-client_r:
- driver = accept
- condition = ${if !eq {SERVER}{server}}
- transport = smtp
-
-begin transports
-
-smtp:
- driver = smtp
- hosts = 127.0.0.1
- allow_localhost
- port = PORT_D
- hosts_require_auth = *
-
-# ----- Authentication -----
-
-begin authenticators
-
-.ifndef OPT
-sasl1:
- driver = plaintext
- public_name = PLAIN
- server_prompts = :
- server_condition = ${if and {{eq{$auth2}{ph10}}{eq{$auth3}{mysecret}}}}
- server_set_id = $auth2
-
-sasl2:
- driver = gsasl
- public_name = PLAIN
- client_condition = ${if eq {plain}{$local_part}}
- client_username = ph10
- client_password = mysecret
-
-.else
-sasl3:
- driver = gsasl
- public_name = PLAIN
- server_condition = ${if and {{eq{$auth1}{ph10}}{eq{$auth3}{mysecret}}}}
- server_set_id = $auth1
-
-sasl4:
- driver = plaintext
- public_name = PLAIN
- client_condition = ${if eq {plain}{$local_part}}
- client_send = ^ph10^mysecret
-
-.endif
-
-
-# End
diff --git a/test/confs/3828 b/test/confs/3828
new file mode 120000
index 000000000..d8f3286c4
--- /dev/null
+++ b/test/confs/3828
@@ -0,0 +1 @@
+3820
\ No newline at end of file
diff --git a/test/log/3825 b/test/log/3825
new file mode 100644
index 000000000..038a795d7
--- /dev/null
+++ b/test/log/3825
@@ -0,0 +1,12 @@
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaX-0005vi-00 => plain@test.ex R=client_r T=smtp H=127.0.0.1 [127.0.0.1] A=sasl2 C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => plain@test.ex R=client_r T=smtp H=127.0.0.1 [127.0.0.1] A=sasl4 C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpa A=sasl1:ph10 S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpa A=sasl3:ph10 S=sss id=E10HmaZ-0005vi-00@myhost.test.ex
diff --git a/test/log/3828 b/test/log/3828
deleted file mode 100644
index 038a795d7..000000000
--- a/test/log/3828
+++ /dev/null
@@ -1,12 +0,0 @@
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaX-0005vi-00 => plain@test.ex R=client_r T=smtp H=127.0.0.1 [127.0.0.1] A=sasl2 C="250 OK id=10HmaY-0005vi-00"
-1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => plain@test.ex R=client_r T=smtp H=127.0.0.1 [127.0.0.1] A=sasl4 C="250 OK id=10HmbA-0005vi-00"
-1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
-
-******** SERVER ********
-1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpa A=sasl1:ph10 S=sss id=E10HmaX-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpa A=sasl3:ph10 S=sss id=E10HmaZ-0005vi-00@myhost.test.ex
diff --git a/test/scripts/3825-gsasl-plaintext/3825 b/test/scripts/3825-gsasl-plaintext/3825
new file mode 100644
index 000000000..a30888f3d
--- /dev/null
+++ b/test/scripts/3825-gsasl-plaintext/3825
@@ -0,0 +1,16 @@
+# GSASL PLAIN authentication: gsasl driver vs. plaintext driver
+#
+# gsasl client against plaintext server
+exim -DSERVER=server -bd -oX PORT_D
+****
+exim -odi plain@test.ex
+****
+killdaemon
+#
+# plaintext client against gsasl server
+exim -DSERVER=server -DOPT=y -bd -oX PORT_D
+****
+exim -odi -DOPT=y plain@test.ex
+****
+killdaemon
+no_msglog_check
diff --git a/test/scripts/3825-gsasl-plaintext/REQUIRES b/test/scripts/3825-gsasl-plaintext/REQUIRES
new file mode 100644
index 000000000..905a62278
--- /dev/null
+++ b/test/scripts/3825-gsasl-plaintext/REQUIRES
@@ -0,0 +1,2 @@
+authenticator gsasl
+authenticator plaintext
diff --git a/test/scripts/3828-gsasl-plaintext/3828 b/test/scripts/3828-gsasl-plaintext/3828
deleted file mode 100644
index a30888f3d..000000000
--- a/test/scripts/3828-gsasl-plaintext/3828
+++ /dev/null
@@ -1,16 +0,0 @@
-# GSASL PLAIN authentication: gsasl driver vs. plaintext driver
-#
-# gsasl client against plaintext server
-exim -DSERVER=server -bd -oX PORT_D
-****
-exim -odi plain@test.ex
-****
-killdaemon
-#
-# plaintext client against gsasl server
-exim -DSERVER=server -DOPT=y -bd -oX PORT_D
-****
-exim -odi -DOPT=y plain@test.ex
-****
-killdaemon
-no_msglog_check
diff --git a/test/scripts/3828-gsasl-plaintext/REQUIRES b/test/scripts/3828-gsasl-plaintext/REQUIRES
deleted file mode 100644
index 905a62278..000000000
--- a/test/scripts/3828-gsasl-plaintext/REQUIRES
+++ /dev/null
@@ -1,2 +0,0 @@
-authenticator gsasl
-authenticator plaintext
diff --git a/test/scripts/3828-gsasl-scram-sha-256/3828 b/test/scripts/3828-gsasl-scram-sha-256/3828
new file mode 100644
index 000000000..749dbf58d
--- /dev/null
+++ b/test/scripts/3828-gsasl-scram-sha-256/3828
@@ -0,0 +1,8 @@
+# GSASL SCRAM-SHA-256
+#
+exim -DSERVER=server -DTRUSTED -bd -oX PORT_D
+****
+exim -odi -DTRUSTED scram_sha_256@test.ex
+****
+killdaemon
+no_msglog_check
diff --git a/test/scripts/3828-gsasl-scram-sha-256/REQUIRES b/test/scripts/3828-gsasl-scram-sha-256/REQUIRES
new file mode 100644
index 000000000..89fd50833
--- /dev/null
+++ b/test/scripts/3828-gsasl-scram-sha-256/REQUIRES
@@ -0,0 +1,2 @@
+authenticator gsasl
+feature _HAVE_AUTH_GSASL_SCRAM_SHA_256
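Review bot: The new test/scripts/3828-gsasl-scram-sha-256/REQUIRES declares only the gsasl authenticator and the `_HAVE_AUTH_GSASL_SCRAM_SHA_256` feature, yet the script runs both the server and the client with `-DTRUSTED`, which in the shared test/confs/3820 configuration (now reached through the new 3828 symlink) switches on `hosts_require_tls`, certificate verification and channel binding; on a build without TLS support this test would presumably fail rather than be skipped, unless the harness derives that requirement from somewhere not visible here, so whatever support line the harness uses for TLS looks to belong in REQUIRES. Separately, the commit deletes test/log/3828 (the expected log of the old PLAIN test, now moved to 3825) but adds no expected log for the new SCRAM-SHA-256 test; if the harness needs one, the first run will report it as missing. A comment at the top of the script would make the TLS dependency explicit, e.g. `# TRUSTED: server and client run over TLS with channel binding, so the SCRAM-SHA-256-PLUS variant is exercised`.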