[exim-cvs] Testsuite: testcase for GSASL SCRAM-SHA-256

Author: Exim Git Commits Mailing List
Date:
To: exim-cvs
Subject: [exim-cvs] Testsuite: testcase for GSASL SCRAM-SHA-256
Gitweb: https://git.exim.org/exim.git/commitdiff/fdc7c95ecb7281cc0b60ffb0b518380f3ff252a4
Commit:     fdc7c95ecb7281cc0b60ffb0b518380f3ff252a4
Parent:     25bd12fdff615275da6b811570b0f65d57ddc441
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Mon Dec 30 22:45:21 2019 +0000
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Mon Dec 30 23:05:36 2019 +0000


    Testsuite: testcase for GSASL SCRAM-SHA-256
---
 doc/doc-docbook/spec.xfpt                          | 16 ++++--
 test/confs/3820                                    | 48 ++++++++++++----
 test/confs/{3828 => 3825}                          |  2 +-
 test/confs/3828                                    | 67 +---------------------
 test/log/{3828 => 3825}                            |  0
 .../3828 => 3825-gsasl-plaintext/3825}             |  0
 .../REQUIRES                                       |  0
 test/scripts/3828-gsasl-scram-sha-256/3828         |  8 +++
 test/scripts/3828-gsasl-scram-sha-256/REQUIRES     |  2 +
 9 files changed, 60 insertions(+), 83 deletions(-)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 19888e9..560b720 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -27435,6 +27435,9 @@ auth_mechanisms = plain login ntlm
.cindex "authentication" "DIGEST-MD5"
.cindex "authentication" "CRAM-MD5"
.cindex "authentication" "SCRAM-SHA-1"
+.cindex "authentication" "SCRAM-SHA-1-PLUS"
+.cindex "authentication" "SCRAM-SHA-256"
+.cindex "authentication" "SCRAM-SHA-256-PLUS"
The &(gsasl)& authenticator provides integration for the GNU SASL
library and the mechanisms it provides. This is new as of the 4.80 release
and there are a few areas where the library does not let Exim smoothly
@@ -27442,8 +27445,13 @@ scale to handle future authentication mechanisms, so no guarantee can be
made that any particular new authentication mechanism will be supported
without code changes in Exim.

-
.new
+The library is expected to add support in an upcoming
+realease for the SCRAM-SHA-256 method.
+The macro _HAVE_AUTH_GSASL_SCRAM_SHA_256 will be defined
+when this happens.
+
+
.option client_authz gsasl string&!! unset
This option can be used to supply an &'authorization id'&
which is different to the &'authentication_id'& provided
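Review bot: typo in the second added line, "realease" should be "release". The paragraph also ties the feature to an unspecified "upcoming" library release; since _HAVE_AUTH_GSASL_SCRAM_SHA_256 is the thing a configuration can actually test, consider leading with the macro and mentioning that it is meant for use in .ifdef, as test/confs/3820 does in this commit.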
@@ -27481,6 +27489,7 @@ server to see different identifiers and authentication will fail.
This is
only usable by mechanisms which support "channel binding"; at time of
writing, that's the SCRAM family.
+When using this feature the "-PLUS" variants of the method names need to be used.
.wen

This defaults off to ensure smooth upgrade across Exim releases, in case
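Review bot: the added sentence after "that's the SCRAM family." does not say which option carries the method name. Naming public_name would make it actionable, for example "public_name = SCRAM-SHA-256-PLUS" together with "server_channelbinding = true", which is the pairing test/confs/3820 uses in this commit.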
@@ -40571,9 +40580,8 @@ defines the location of a text file of valid
top level domains the opendmarc library uses
during domain parsing. Maintained by Mozilla,
the most current version can be downloaded
-from a link at &url(https://publicsuffix.org/list/, currently pointing
-at https://publicsuffix.org/list/public_suffix_list.dat)
-See also util/renew-opendmarc-tlds.sh script.
+from a link at &url(https://publicsuffix.org/list/public_suffix_list.dat).
+See also the util/renew-opendmarc-tlds.sh script.
.new
The default for the option is unset.
If not set, DMARC processing is disabled.
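Review bot: this DMARC/opendmarc wording fix in spec.xfpt is unrelated to the commit subject "Testsuite: testcase for GSASL SCRAM-SHA-256". It would be easier to find later, and to revert independently, as its own commit with its own message.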
diff --git a/test/confs/3820 b/test/confs/3820
index 023ed75..b60e467 100644
--- a/test/confs/3820
+++ b/test/confs/3820
@@ -27,16 +27,16 @@ client_r:
begin transports

 smtp:
-  driver =    smtp
-  hosts =    127.0.0.1
+  driver =        smtp
+  hosts =        127.0.0.1
   allow_localhost
-  port =    PORT_D
+  port =        PORT_D
 .ifdef TRUSTED
-  hosts_require_tls = *
+  hosts_require_tls =    *
   tls_verify_certificates = DIR/aux-fixed/cert1
   tls_verify_cert_hostnames = :
 .endif
-  hosts_require_auth = *
+  hosts_require_auth =    *


# ----- Authentication -----

@@ -44,14 +44,14 @@ begin authenticators

 .ifndef TRUSTED
 sasl1:
-  driver = gsasl
-  public_name = ANONYMOUS
+  driver =        gsasl
+  public_name =        ANONYMOUS
   server_set_id =    $auth1
   server_condition =    true


 sasl2:
-  driver = gsasl
-  public_name = PLAIN
+  driver =        gsasl
+  public_name =        PLAIN
   server_set_id =    $auth1
   server_condition =    ${if eq {$auth3}{pencil}}


@@ -61,13 +61,13 @@ sasl2:
.endif

 sasl3:
-  driver = gsasl
+  driver =        gsasl
 .ifdef TRUSTED
-  public_name = SCRAM-SHA-1-PLUS
+  public_name =        SCRAM-SHA-1-PLUS
   server_advertise_condition =    ${if def:tls_in_cipher}
   server_channelbinding =    true
 .else
-  public_name = SCRAM-SHA-1
+  public_name =        SCRAM-SHA-1
 .endif


# will need to give library salt, stored-key, server-key, itercount
@@ -89,5 +89,29 @@ sasl3:
client_channelbinding = true
.endif

+.ifdef _HAVE_AUTH_GSASL_SCRAM_SHA_256
+sasl4:
+  driver =        gsasl
+.ifdef TRUSTED
+  public_name =        SCRAM-SHA-256-PLUS
+  server_advertise_condition =    ${if def:tls_in_cipher}
+  server_channelbinding =    true
+.else
+  public_name =        SCRAM-SHA-256
+.endif
+
+  server_scram_salt =    QSXCR+Q6sek8bf92
+  server_password =    pencil
+  server_condition =    true
+  server_set_id =    $auth1
+
+  client_condition =    ${if eq {scram_sha_256}{$local_part}}
+  client_username =    ph10
+  client_password =    pencil
+.ifdef TRUSTED
+  client_channelbinding = true
+.endif
+.endif
+


# End
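Review bot: sasl4 sets "server_condition = true" with no comment, while sasl2 in the same file compares $auth3 against the password explicitly. If verification here is done against server_password and server_scram_salt, a one-line comment saying so would stop a reader from copying the unconditional "true" into an authenticator where nothing else checks the credential. The context comment above the hunk also lists "salt, stored-key, server-key, itercount", but the new block supplies only the salt and a clear-text password, so it is worth noting that the stored-key path is not covered by this test.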
diff --git a/test/confs/3828 b/test/confs/3825
similarity index 97%
copy from test/confs/3828
copy to test/confs/3825
index aa9db94..6148356 100644
--- a/test/confs/3828
+++ b/test/confs/3825
@@ -1,4 +1,4 @@
-# Exim test configuration 3828
+# Exim test configuration 3825

SERVER=

diff --git a/test/confs/3828 b/test/confs/3828
deleted file mode 100644
index aa9db94..0000000
--- a/test/confs/3828
+++ /dev/null
@@ -1,66 +0,0 @@
-# Exim test configuration 3828
-
-SERVER=
-
-.include DIR/aux-var/std_conf_prefix
-
-primary_hostname = myhost.test.ex
-
-# ----- Main settings -----
-
-acl_smtp_rcpt = accept
-queue_only
-
-
-begin routers
-
-client_r:
-  driver =    accept
-  condition =    ${if !eq {SERVER}{server}}
-  transport =    smtp
-
-begin transports
-
-smtp:
-  driver =    smtp
-  hosts =    127.0.0.1
-  allow_localhost
-  port =    PORT_D
-  hosts_require_auth = *
-
-# ----- Authentication -----
-
-begin authenticators
-
-.ifndef OPT
-sasl1:
-  driver =        plaintext
-  public_name =        PLAIN
-  server_prompts =    :
-  server_condition =    ${if and {{eq{$auth2}{ph10}}{eq{$auth3}{mysecret}}}}
-  server_set_id =    $auth2
-
-sasl2:
-  driver =        gsasl
-  public_name =        PLAIN
-  client_condition =    ${if eq {plain}{$local_part}}
-  client_username =    ph10
-  client_password =    mysecret
-
-.else
-sasl3:
-  driver =        gsasl
-  public_name =        PLAIN
-  server_condition =    ${if and {{eq{$auth1}{ph10}}{eq{$auth3}{mysecret}}}}
-  server_set_id =    $auth1
-
-sasl4:
-  driver =        plaintext
-  public_name =        PLAIN
-  client_condition =    ${if eq {plain}{$local_part}}
-  client_send =        ^ph10^mysecret
-
-.endif
-
-
-# End
diff --git a/test/confs/3828 b/test/confs/3828
new file mode 120000
index 0000000..d8f3286
--- /dev/null
+++ b/test/confs/3828
@@ -0,0 +1 @@
+3820
\ No newline at end of file
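Review bot: nothing tells a reader of test/confs/3820 that it is now shared, since this hunk turns test/confs/3828 into a symlink (mode 120000) pointing at 3820. A comment at the top of 3820 naming both tests would help, so later edits to sasl1 through sasl3 are checked against the 3828 script as well.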
diff --git a/test/log/3828 b/test/log/3825
similarity index 100%
rename from test/log/3828
rename to test/log/3825
diff --git a/test/scripts/3828-gsasl-plaintext/3828 b/test/scripts/3825-gsasl-plaintext/3825
similarity index 100%
rename from test/scripts/3828-gsasl-plaintext/3828
rename to test/scripts/3825-gsasl-plaintext/3825
diff --git a/test/scripts/3828-gsasl-plaintext/REQUIRES b/test/scripts/3825-gsasl-plaintext/REQUIRES
similarity index 100%
rename from test/scripts/3828-gsasl-plaintext/REQUIRES
rename to test/scripts/3825-gsasl-plaintext/REQUIRES
diff --git a/test/scripts/3828-gsasl-scram-sha-256/3828 b/test/scripts/3828-gsasl-scram-sha-256/3828
new file mode 100644
index 0000000..749dbf5
--- /dev/null
+++ b/test/scripts/3828-gsasl-scram-sha-256/3828
@@ -0,0 +1,8 @@
+# GSASL SCRAM-SHA-256
+#
+exim -DSERVER=server -DTRUSTED -bd -oX PORT_D
+****
+exim -odi -DTRUSTED scram_sha_256@???
+****
+killdaemon
+no_msglog_check
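Review bot: both exim invocations pass -DTRUSTED, so only the "public_name = SCRAM-SHA-256-PLUS" branch of sasl4 runs; the plain SCRAM-SHA-256 name in the .else branch is never exercised, although the script header and directory name say SCRAM-SHA-256. Either add a second server/client pair without -DTRUSTED or state in the header comment that this covers the -PLUS (channel binding) variant only.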
diff --git a/test/scripts/3828-gsasl-scram-sha-256/REQUIRES b/test/scripts/3828-gsasl-scram-sha-256/REQUIRES
new file mode 100644
index 0000000..89fd508
--- /dev/null
+++ b/test/scripts/3828-gsasl-scram-sha-256/REQUIRES
@@ -0,0 +1,2 @@
+authenticator gsasl
+feature _HAVE_AUTH_GSASL_SCRAM_SHA_256
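Review bot: REQUIRES lists the gsasl authenticator and the feature macro but no TLS requirement, although the script runs with -DTRUSTED, which turns on hosts_require_tls and tls_verify_certificates in confs/3820 and makes sasl4 advertise only when $tls_in_cipher is defined. On a build without TLS the test would presumably be selected and then fail rather than be skipped; add the TLS requirement here.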