[exim-cvs] gsasl authenticator: support crypted secrets, ser…

Top Page
Delete this message
Reply to this message
Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] gsasl authenticator: support crypted secrets, server side
Gitweb: https://git.exim.org/exim.git/commitdiff/49d478067ba22d087c65b35a8bb9b782be1ee173
Commit:     49d478067ba22d087c65b35a8bb9b782be1ee173
Parent:     870ce70e11912e8858ef4c071f2778b93a4b2ac9
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Wed Jan 15 14:22:42 2020 +0000
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Wed Jan 15 14:57:00 2020 +0000


    gsasl authenticator: support crypted secrets, server side
---
 doc/doc-docbook/spec.xfpt                  |  53 ++++++-
 doc/doc-txt/NewStuff                       |   5 +-
 src/src/auths/gsasl_exim.c                 | 227 ++++++++++++++++++++---------
 src/src/auths/gsasl_exim.h                 |   3 +
 src/src/smtp_in.c                          |   4 +-
 test/confs/3820                            |  17 ++-
 test/log/3821                              |   4 +-
 test/log/3829                              |   2 +-
 test/scripts/3828-gsasl-scram-sha-256/3828 |   4 +-
 test/stderr/3400                           |  14 +-
 test/stdout/3820                           |   2 +-
 11 files changed, 242 insertions(+), 93 deletions(-)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 1d6fa53..c57f1a2 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -27553,6 +27553,19 @@ This option is exapanded before use, and should result in
the account name to be used.
.wen

+.new
+.option client_spassword gsasl string&!! unset
+If a SCRAM mechanism is being used and this option is set
+it is used in preference to $%client_password%&.
+The value after expansion should be
+a 40 (for SHA-1) or 64 (for SHA-256) character string
+with the PBKDF2-prepared password, hex-encoded.
+Note that this value will depend on the salt and iteration-count
+supplied by the server.
+.wen
+
+
+
.option server_channelbinding gsasl boolean false
Do not set this true and rely on the properties
without consulting a cryptographic engineer.
@@ -27629,7 +27642,8 @@ Some mechanisms will use this data.
.option server_scram_iter gsasl string&!! 4096
This option provides data for the SCRAM family of mechanisms.
.new
-The &$auth1$&, &$auth2$& and &$auth3$& variables are available for expansion.
+The &$auth1$&, &$auth2$& and &$auth3$& variables are available
+when this option is expanded.

The result of expansion should be a decimal number,
and represents both a lower-bound on the security, and
@@ -27637,19 +27651,50 @@ a compute cost factor imposed on the client
(if it does not cache results, or the server changes
either the iteration count or the salt).
A minimum value of 4096 is required by the standards
-for all current CRAM mechanism variants.
+for all current SCRAM mechanism variants.
.wen

-
.option server_scram_salt gsasl string&!! unset
This option provides data for the SCRAM family of mechanisms.
.new
-The &$auth1$&, &$auth2$& and &$auth3$& variables are available for expansion.
+The &$auth1$&, &$auth2$& and &$auth3$& variables are available
+when this option is expanded.
+The value should be a base64-encoded string,
+of random data typically 4-to-16 bytes long.
If unset or empty after expansion the library will provides a value for the
protocol conversation.
.wen


+.new
+.option server_key gsasl string&!! unset
+.option server_skey gsasl string&!! unset
+These options can be used for the SCRAM family of mechanisms
+to provide stored information related to a password,
+the storage of which is preferable to plaintext.
+
+&%server_key%& is the value defined in the SCRAM standards as ServerKey;
+&%server_skey%& is StoredKey.
+
+They are only available for version 1.9.0 (or later) of the gsasl library.
+When this is so, the macros
+_OPT_AUTHENTICATOR_GSASL_SERVER_KEY
+and _HAVE_AUTH_GSASL_SCRAM_S_KEY
+will be defined.
+
+The &$authN$& variables are available when these options are expanded.
+
+If set, the results of expansion should for each
+should be a 28 (for SHA-1) or 44 (for SHA-256) character string
+of base64-coded data, and will be used in preference to the
+&%server_password%& option.
+If unset or not of the right length, &%server_password%& will be used.
+
+The libgsasl library release includes a utility &'gsasl'& which can be used
+to generate these values.
+.wen
+
+
 .option server_service gsasl string &`smtp`&
 This is the SASL service that the server claims to implement.
 Some mechanisms will use this data.
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 8a00bfc..f5421a7 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -21,7 +21,10 @@ Version 4.94
     driver for PLAIN; only against itself for SCRAM-SHA-1 and SCRAM-SHA-1-PLUS
     methods.


- 5. Variable $local_part_verified, set by the router check_local_part condition
+ 5. Server-side support in the gsasl authenticator for encrypted passwords, as an
+    alternate for the existing plaintext.
+
+ 6. Variable $local_part_verified, set by the router check_local_part condition
     with untainted data.



diff --git a/src/src/auths/gsasl_exim.c b/src/src/auths/gsasl_exim.c
index 80ae354..1c4af92 100644
--- a/src/src/auths/gsasl_exim.c
+++ b/src/src/auths/gsasl_exim.c
@@ -42,6 +42,10 @@ static void dummy(int x) { dummy2(x-1); }

#if GSASL_VERSION_MINOR >= 9
# define EXIM_GSASL_HAVE_SCRAM_SHA_256
+
+# if GSASL_VERSION_PATCH >= 1
+# define EXIM_GSASL_SCRAM_S_KEY
+# endif
#endif


@@ -51,34 +55,42 @@ we only ever handle one mechanism at a time, I didn't see the point in keeping
 that.  In case someone sees a point, I've left the condition_check() API
 alone. */
 optionlist auth_gsasl_options[] = {
-  { "client_authz",          opt_stringptr,
+  { "client_authz",        opt_stringptr,
       (void *)(offsetof(auth_gsasl_options_block, client_authz)) },
-  { "client_channelbinding", opt_bool,
+  { "client_channelbinding",    opt_bool,
       (void *)(offsetof(auth_gsasl_options_block, client_channelbinding)) },
-  { "client_password",      opt_stringptr,
+  { "client_password",        opt_stringptr,
       (void *)(offsetof(auth_gsasl_options_block, client_password)) },
-  { "client_username",      opt_stringptr,
+  { "client_spassword",        opt_stringptr,
+      (void *)(offsetof(auth_gsasl_options_block, client_spassword)) },
+  { "client_username",        opt_stringptr,
       (void *)(offsetof(auth_gsasl_options_block, client_username)) },


-  { "server_channelbinding", opt_bool,
+  { "server_channelbinding",    opt_bool,
       (void *)(offsetof(auth_gsasl_options_block, server_channelbinding)) },
-  { "server_hostname",      opt_stringptr,
+  { "server_hostname",        opt_stringptr,
       (void *)(offsetof(auth_gsasl_options_block, server_hostname)) },
-  { "server_mech",          opt_stringptr,
+#ifdef EXIM_GSASL_SCRAM_S_KEY
+  { "server_key",        opt_stringptr,
+      (void *)(offsetof(auth_gsasl_options_block, server_key)) },
+#endif
+  { "server_mech",        opt_stringptr,
       (void *)(offsetof(auth_gsasl_options_block, server_mech)) },
-  { "server_password",      opt_stringptr,
+  { "server_password",        opt_stringptr,
       (void *)(offsetof(auth_gsasl_options_block, server_password)) },
-  { "server_realm",         opt_stringptr,
+  { "server_realm",        opt_stringptr,
       (void *)(offsetof(auth_gsasl_options_block, server_realm)) },
-  { "server_scram_iter",    opt_stringptr,
+  { "server_scram_iter",    opt_stringptr,
       (void *)(offsetof(auth_gsasl_options_block, server_scram_iter)) },
-  { "server_scram_salt",    opt_stringptr,
+  { "server_scram_salt",    opt_stringptr,
       (void *)(offsetof(auth_gsasl_options_block, server_scram_salt)) },
-  { "server_service",       opt_stringptr,
+#ifdef EXIM_GSASL_SCRAM_S_KEY
+  { "server_skey",        opt_stringptr,
+      (void *)(offsetof(auth_gsasl_options_block, server_s_key)) },
+#endif
+  { "server_service",        opt_stringptr,
       (void *)(offsetof(auth_gsasl_options_block, server_service)) }
 };
-/* GSASL_SCRAM_SALTED_PASSWORD documented only for client, so not implementing
-hooks to avoid cleartext passwords in the Exim server. */


int auth_gsasl_options_count =
sizeof(auth_gsasl_options)/sizeof(optionlist);
@@ -93,6 +105,7 @@ auth_gsasl_options_block auth_gsasl_option_defaults = {


#ifdef MACRO_PREDEF
+# include "../macro_predef.h"

/* Dummy values */
void auth_gsasl_init(auth_instance *ablock) {}
@@ -107,6 +120,9 @@ auth_gsasl_macros(void)
# ifdef EXIM_GSASL_HAVE_SCRAM_SHA_256
builtin_macro_create(US"_HAVE_AUTH_GSASL_SCRAM_SHA_256");
# endif
+# ifdef EXIM_GSASL_SCRAM_S_KEY
+ builtin_macro_create(US"_HAVE_AUTH_GSASL_SCRAM_S_KEY");
+# endif
}

#else /*!MACRO_PREDEF*/
@@ -289,6 +305,56 @@ return rc;


 /*************************************************
+*             Debug service function             *
+*************************************************/
+static const uschar * 
+gsasl_prop_code_to_name(Gsasl_property prop)
+{
+switch (prop)
+  {
+  case GSASL_AUTHID: return US"AUTHID";
+  case GSASL_AUTHZID: return US"AUTHZID";
+  case GSASL_PASSWORD: return US"PASSWORD";
+  case GSASL_ANONYMOUS_TOKEN: return US"ANONYMOUS_TOKEN";
+  case GSASL_SERVICE: return US"SERVICE";
+  case GSASL_HOSTNAME: return US"HOSTNAME";
+  case GSASL_GSSAPI_DISPLAY_NAME: return US"GSSAPI_DISPLAY_NAME";
+  case GSASL_PASSCODE: return US"PASSCODE";
+  case GSASL_SUGGESTED_PIN: return US"SUGGESTED_PIN";
+  case GSASL_PIN: return US"PIN";
+  case GSASL_REALM: return US"REALM";
+  case GSASL_DIGEST_MD5_HASHED_PASSWORD: return US"DIGEST_MD5_HASHED_PASSWORD";
+  case GSASL_QOPS: return US"QOPS";
+  case GSASL_QOP: return US"QOP";
+  case GSASL_SCRAM_ITER: return US"SCRAM_ITER";
+  case GSASL_SCRAM_SALT: return US"SCRAM_SALT";
+  case GSASL_SCRAM_SALTED_PASSWORD: return US"SCRAM_SALTED_PASSWORD";
+#ifdef EXIM_GSASL_SCRAM_S_KEY
+  case GSASL_SCRAM_STOREDKEY: return US"SCRAM_STOREDKEY";
+  case GSASL_SCRAM_SERVERKEY: return US"SCRAM_SERVERKEY";
+#endif
+  case GSASL_CB_TLS_UNIQUE: return US"CB_TLS_UNIQUE";
+  case GSASL_SAML20_IDP_IDENTIFIER: return US"SAML20_IDP_IDENTIFIER";
+  case GSASL_SAML20_REDIRECT_URL: return US"SAML20_REDIRECT_URL";
+  case GSASL_OPENID20_REDIRECT_URL: return US"OPENID20_REDIRECT_URL";
+  case GSASL_OPENID20_OUTCOME_DATA: return US"OPENID20_OUTCOME_DATA";
+  case GSASL_SAML20_AUTHENTICATE_IN_BROWSER: return US"SAML20_AUTHENTICATE_IN_BROWSER";
+  case GSASL_OPENID20_AUTHENTICATE_IN_BROWSER: return US"OPENID20_AUTHENTICATE_IN_BROWSER";
+#ifdef EXIM_GSASL_SCRAM_S_KEY
+  case GSASL_SCRAM_CLIENTKEY: return US"SCRAM_CLIENTKEY";
+#endif
+  case GSASL_VALIDATE_SIMPLE: return US"VALIDATE_SIMPLE";
+  case GSASL_VALIDATE_EXTERNAL: return US"VALIDATE_EXTERNAL";
+  case GSASL_VALIDATE_ANONYMOUS: return US"VALIDATE_ANONYMOUS";
+  case GSASL_VALIDATE_GSSAPI: return US"VALIDATE_GSSAPI";
+  case GSASL_VALIDATE_SECURID: return US"VALIDATE_SECURID";
+  case GSASL_VALIDATE_SAML20: return US"VALIDATE_SAML20";
+  case GSASL_VALIDATE_OPENID20: return US"VALIDATE_OPENID20";
+  }
+return CUS string_sprintf("(unknown prop: %d)", (int)prop);
+}
+
+/*************************************************
 *             Server entry point                 *
 *************************************************/


@@ -440,6 +506,7 @@ do {
       goto STOP_INTERACTION;
     }


+  /*XXX having our caller send the final smtp "235" is unfortunate; wastes a roundtrip */
   if ((rc == GSASL_NEEDS_MORE) || (to_send && *to_send))
     exim_error = auth_get_no64_data(USS &received, US to_send);


@@ -457,6 +524,21 @@ do {
STOP_INTERACTION:
auth_result = rc;

+HDEBUG(D_auth)
+  {
+  const uschar * s;
+  if ((s = CUS gsasl_property_fast(sctx, GSASL_SCRAM_ITER)))
+    debug_printf(" - itercnt:   '%s'\n", s);
+  if ((s = CUS gsasl_property_fast(sctx, GSASL_SCRAM_SALT)))
+    debug_printf(" - salt:      '%s'\n", s);
+#ifdef EXIM_GSASL_SCRAM_S_KEY
+  if ((s = CUS gsasl_property_fast(sctx, GSASL_SCRAM_SERVERKEY)))
+    debug_printf(" - ServerKey: '%s'\n", s);
+  if ((s = CUS gsasl_property_fast(sctx, GSASL_SCRAM_STOREDKEY)))
+    debug_printf(" - StoredKey: '%s'\n", s);
+#endif
+  }
+
 gsasl_finish(sctx);


/* Can return: OK DEFER FAIL CANCELLED BAD64 UNEXPECTED */
@@ -531,18 +613,35 @@ set_exim_authvar_from_prop(sctx, GSASL_REALM);


 static int
+prop_from_option(Gsasl_session * sctx, Gsasl_property prop,
+  const uschar * option)
+{
+HDEBUG(D_auth) debug_printf(" %s\n", gsasl_prop_code_to_name(prop));
+if (option)
+  {
+  set_exim_authvars_from_a_az_r_props(sctx);
+  option = expand_cstring(option);
+  HDEBUG(D_auth) debug_printf("  '%s'\n", option);
+  if (*option)
+    gsasl_property_set(sctx, prop, CCS option);
+  return GSASL_OK;
+  }
+HDEBUG(D_auth) debug_printf("  option not set\n");
+return GSASL_NO_CALLBACK;
+}
+
+static int
 server_callback(Gsasl *ctx, Gsasl_session *sctx, Gsasl_property prop,
   auth_instance *ablock)
 {
 char *tmps;
-uschar *propval;
+uschar *s, *propval;
 int cbrc = GSASL_NO_CALLBACK;
 auth_gsasl_options_block *ob =
   (auth_gsasl_options_block *)(ablock->options_block);


-HDEBUG(D_auth)
-  debug_printf("GNU SASL callback %d for %s/%s as server\n",
-      prop, ablock->name, ablock->public_name);
+HDEBUG(D_auth) debug_printf("GNU SASL callback %s for %s/%s as server\n",
+        gsasl_prop_code_to_name(prop), ablock->name, ablock->public_name);


 for (int i = 0; i < AUTH_VARS; i++) auth_vars[i] = NULL;
 expand_nmax = 0;
@@ -550,7 +649,6 @@ expand_nmax = 0;
 switch (prop)
   {
   case GSASL_VALIDATE_SIMPLE:
-    HDEBUG(D_auth) debug_printf(" VALIDATE_SIMPLE\n");
     /* GSASL_AUTHID, GSASL_AUTHZID, and GSASL_PASSWORD */
     set_exim_authvar_from_prop(sctx, GSASL_AUTHID);
     set_exim_authvar_from_prop(sctx, GSASL_AUTHZID);
@@ -561,7 +659,6 @@ switch (prop)
     break;


   case GSASL_VALIDATE_EXTERNAL:
-    HDEBUG(D_auth) debug_printf(" VALIDATE_EXTERNAL\n");
     if (!ablock->server_condition)
       {
       HDEBUG(D_auth) debug_printf("No server_condition supplied, to validate EXTERNAL\n");
@@ -576,7 +673,6 @@ switch (prop)
     break;


   case GSASL_VALIDATE_ANONYMOUS:
-    HDEBUG(D_auth) debug_printf(" VALIDATE_ANONYMOUS\n");
     if (!ablock->server_condition)
       {
       HDEBUG(D_auth) debug_printf("No server_condition supplied, to validate ANONYMOUS\n");
@@ -591,7 +687,6 @@ switch (prop)
     break;


   case GSASL_VALIDATE_GSSAPI:
-    HDEBUG(D_auth) debug_printf(" VALIDATE_GSSAPI\n");
     /* GSASL_AUTHZID and GSASL_GSSAPI_DISPLAY_NAME
     The display-name is authenticated as part of GSS, the authzid is claimed
     by the SASL integration after authentication; protected against tampering
@@ -613,37 +708,25 @@ switch (prop)
     break;


   case GSASL_SCRAM_ITER:
-    HDEBUG(D_auth) debug_printf(" SCRAM_ITER\n");
-    if (ob->server_scram_iter)
-      {
-      set_exim_authvars_from_a_az_r_props(sctx);
-      tmps = CS expand_string(ob->server_scram_iter);
-      HDEBUG(D_auth) debug_printf("  '%s'\n", tmps);
-      gsasl_property_set(sctx, GSASL_SCRAM_ITER, tmps);
-      cbrc = GSASL_OK;
-      }
-    else
-      HDEBUG(D_auth) debug_printf("  option not set\n");
+    cbrc = prop_from_option(sctx, prop, ob->server_scram_iter);
     break;


   case GSASL_SCRAM_SALT:
-    HDEBUG(D_auth) debug_printf(" SCRAM_SALT\n");
-    if (ob->server_scram_salt)
-      {
-      set_exim_authvars_from_a_az_r_props(sctx);
-      tmps = CS expand_string(ob->server_scram_salt);
-      HDEBUG(D_auth) debug_printf("  '%s'\n", tmps);
-      if (*tmps)
-    gsasl_property_set(sctx, GSASL_SCRAM_SALT, tmps);
-      cbrc = GSASL_OK;
-      }
-    else
-      HDEBUG(D_auth) debug_printf("  option not set\n");
+    cbrc = prop_from_option(sctx, prop, ob->server_scram_salt);
     break;


+#ifdef EXIM_GSASL_SCRAM_S_KEY
+  case GSASL_SCRAM_STOREDKEY:
+    cbrc = prop_from_option(sctx, prop, ob->server_s_key);
+    break;
+
+  case GSASL_SCRAM_SERVERKEY:
+    cbrc = prop_from_option(sctx, prop, ob->server_key);
+    break;
+#endif
+
   case GSASL_PASSWORD:
-    HDEBUG(D_auth) debug_printf(" PASSWORD\n");
-    /* SCRAM-SHA-1: GSASL_AUTHID, GSASL_AUTHZID and GSASL_REALM
+    /* SCRAM-*: GSASL_AUTHID, GSASL_AUTHZID and GSASL_REALM
        DIGEST-MD5: GSASL_AUTHID, GSASL_AUTHZID and GSASL_REALM
        CRAM-MD5: GSASL_AUTHID
        PLAIN: GSASL_AUTHID and GSASL_AUTHZID
@@ -651,12 +734,12 @@ switch (prop)
      */
     set_exim_authvars_from_a_az_r_props(sctx);


-    if (!ob->server_password)
+    if (!(s = ob->server_password))
       {
       HDEBUG(D_auth) debug_printf("option not set\n");
       break;
       }
-    if (!(tmps = CS expand_string(ob->server_password)))
+    if (!(tmps = CS expand_string(s)))
       {
       sasl_error_should_defer = !f.expand_string_forcedfail;
       HDEBUG(D_auth) debug_printf("server_password expansion failed, so "
@@ -691,19 +774,25 @@ return cbrc;
 #define PROP_OPTIONAL    BIT(0)


static BOOL
-client_prop(Gsasl_session * sctx, Gsasl_property propnum, uschar * val,
- const uschar * why, unsigned flags, uschar * buffer, int buffsize)
+set_client_prop(Gsasl_session * sctx, Gsasl_property prop, uschar * val,
+ unsigned flags, uschar * buffer, int buffsize)
{
uschar * s;
int rc;

-if (flags & PROP_OPTIONAL && !val) return TRUE;
+if (!val) return !!(flags & PROP_OPTIONAL);
 if (!(s = expand_string(val)) || !(flags & PROP_OPTIONAL) && !*s)
   {
   string_format(buffer, buffsize, "%s", expand_string_message);
   return FALSE;
   }
-if (*s) gsasl_property_set(sctx, propnum, CS s);
+if (*s)
+  {
+  HDEBUG(D_auth) debug_printf("%s: set %s = '%s'\n", __FUNCTION__,
+    gsasl_prop_code_to_name(prop), s);
+  gsasl_property_set(sctx, prop, CS s);
+  }
+
 return TRUE;
 }


@@ -770,11 +859,14 @@ gsasl_session_hook_set(sctx, &cb_state);

/* Set properties */

-if (  !client_prop(sctx, GSASL_PASSWORD, ob->client_password, US"password",
+if (  !set_client_prop(sctx, GSASL_SCRAM_SALTED_PASSWORD, ob->client_spassword,
           0, buffer, buffsize)
-   || !client_prop(sctx, GSASL_AUTHID, ob->client_username, US"username",
+      &&
+      !set_client_prop(sctx, GSASL_PASSWORD, ob->client_password,
           0, buffer, buffsize)
-   || !client_prop(sctx, GSASL_AUTHZID, ob->client_authz, US"authz",
+   || !set_client_prop(sctx, GSASL_AUTHID, ob->client_username,
+          0, buffer, buffsize)
+   || !set_client_prop(sctx, GSASL_AUTHZID, ob->client_authz,
           PROP_OPTIONAL, buffer, buffsize)
    )
   return ERROR;
@@ -848,6 +940,12 @@ for(s = NULL; ;)
   }


 done:
+HDEBUG(D_auth)
+  {
+  const uschar * s = CUS gsasl_property_fast(sctx, GSASL_SCRAM_SALTED_PASSWORD);
+  if (s) debug_printf(" - SaltedPassword: '%s'\n", s);
+  }
+
 gsasl_finish(sctx);
 return yield;
 }
@@ -855,22 +953,19 @@ return yield;
 static int
 client_callback(Gsasl *ctx, Gsasl_session *sctx, Gsasl_property prop, auth_instance *ablock)
 {
-HDEBUG(D_auth) debug_printf("GNU SASL callback %d for %s/%s as client\n",
-        prop, ablock->name, ablock->public_name);
+HDEBUG(D_auth) debug_printf("GNU SASL callback %s for %s/%s as client\n",
+        gsasl_prop_code_to_name(prop), ablock->name, ablock->public_name);
 switch (prop)
   {
-  case GSASL_AUTHZID:
-    HDEBUG(D_auth) debug_printf(" inquired for AUTHZID; not providing one\n");
-    break;
-  case GSASL_SCRAM_SALTED_PASSWORD:
-    HDEBUG(D_auth)
-      debug_printf(" inquired for SCRAM_SALTED_PASSWORD; not providing one\n");
-    break;
   case GSASL_CB_TLS_UNIQUE:
     HDEBUG(D_auth)
-      debug_printf(" inquired for CB_TLS_UNIQUE, filling in\n");
+      debug_printf(" filling in\n");
     gsasl_property_set(sctx, GSASL_CB_TLS_UNIQUE, CCS tls_out.channelbinding);
     break;
+  default:
+    HDEBUG(D_auth)
+      debug_printf(" not providing one\n");
+    break;
   }
 return GSASL_NO_CALLBACK;
 }
diff --git a/src/src/auths/gsasl_exim.h b/src/src/auths/gsasl_exim.h
index cceec77..3cd64bd 100644
--- a/src/src/auths/gsasl_exim.h
+++ b/src/src/auths/gsasl_exim.h
@@ -18,12 +18,15 @@ typedef struct {
   uschar *server_realm;
   uschar *server_mech;
   uschar *server_password;
+  uschar *server_key;
+  uschar *server_s_key;
   uschar *server_scram_iter;
   uschar *server_scram_salt;


uschar *client_username;
uschar *client_password;
uschar *client_authz;
+ uschar *client_spassword;

   BOOL    server_channelbinding;
   BOOL      client_channelbinding;
diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index 0ae89a4..6062e81 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -4408,8 +4408,8 @@ while (done <= 0)
         if (au->server)
           {
           DEBUG(D_auth+D_expand) debug_printf_indent(
-        "Evaluating advertise_condition for %s athenticator\n",
-        au->public_name);
+        "Evaluating advertise_condition for %s %s athenticator\n",
+        au->name, au->public_name);
           if (  !au->advertise_condition
          || expand_check_condition(au->advertise_condition, au->name,
             US"authenticator")
diff --git a/test/confs/3820 b/test/confs/3820
index c80d4d4..7322c4b 100644
--- a/test/confs/3820
+++ b/test/confs/3820
@@ -23,6 +23,7 @@ client_r:
   driver =    accept
   condition =    ${if !eq {SERVER}{server}}
   transport =    smtp
+  errors_to =


begin transports

@@ -35,6 +36,8 @@ smtp:
   hosts_require_tls =    *
   tls_verify_certificates = DIR/aux-fixed/cert1
   tls_verify_cert_hostnames = :
+.else
+  hosts_avoid_tls =    *
 .endif
   hosts_require_auth =    *


@@ -70,14 +73,11 @@ sasl3:
   public_name =        SCRAM-SHA-1
 .endif


-  # will need to give library salt, stored-key, server-key, itercount
-  #
-  # sigh
-  # gsasl takes props: GSASL_SCRAM_ITER, GSASL_SCRAM_SALT.  It _might_ take
-  # a GSASL_SCRAM_SALTED_PASSWORD - but that is only documented for client mode.
-
-  # unclear if the salt is given in binary or base64 to the library
   server_scram_salt =    ${if eq {$auth1}{ph10} {QSXCR+Q6sek8bf92}}
+.ifdef _HAVE_AUTH_GSASL_SCRAM_S_KEY
+  server_key =        D+CSWLOshSulAsxiupA+qs2/fTE=
+  server_skey =        6dlGYMOdZcOPutkcNY8U2g7vK9Y=
+.endif
   server_password =    ${if eq {$auth1}{ph10} {pencil}{unset_password}}
   server_condition =    true
   server_set_id =    $auth1
@@ -85,6 +85,9 @@ sasl3:
   client_condition =    ${if eq {scram_sha_1}{$local_part}}
   client_username =    ph10
   client_password =    pencil
+.ifdef _HAVE_AUTH_GSASL_SCRAM_S_KEY
+  client_spassword =    1d96ee3a529b5a5f9e47c01f229a2cb8a6e15f7d
+.endif
 .ifdef TRUSTED
   client_channelbinding = true
 .endif
diff --git a/test/log/3821 b/test/log/3821
index bcb5741..6c79bed 100644
--- a/test/log/3821
+++ b/test/log/3821
@@ -7,5 +7,5 @@


******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpa A=sasl2:ph10 S=sss id=E10HmaX-0005vi-00@???
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@??? H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpa A=sasl3:ph10 S=sss id=E10HmaZ-0005vi-00@???
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpa A=sasl2:ph10 S=sss id=E10HmaX-0005vi-00@???
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpa A=sasl3:ph10 S=sss id=E10HmaZ-0005vi-00@???
diff --git a/test/log/3829 b/test/log/3829
index 3b630ba..69c2781 100644
--- a/test/log/3829
+++ b/test/log/3829
@@ -4,4 +4,4 @@

******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpsa X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no A=sasl3:ph10 S=sss id=E10HmaX-0005vi-00@???
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpsa X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no A=sasl3:ph10 S=sss id=E10HmaX-0005vi-00@???
diff --git a/test/scripts/3828-gsasl-scram-sha-256/3828 b/test/scripts/3828-gsasl-scram-sha-256/3828
index 749dbf5..74348f9 100644
--- a/test/scripts/3828-gsasl-scram-sha-256/3828
+++ b/test/scripts/3828-gsasl-scram-sha-256/3828
@@ -1,8 +1,8 @@
# GSASL SCRAM-SHA-256
#
-exim -DSERVER=server -DTRUSTED -bd -oX PORT_D
+exim -DSERVER=server -bd -oX PORT_D
****
-exim -odi -DTRUSTED scram_sha_256@???
+exim -odi scram_sha_256@???
****
killdaemon
no_msglog_check
diff --git a/test/stderr/3400 b/test/stderr/3400
index da04b7f..9088bef 100644
--- a/test/stderr/3400
+++ b/test/stderr/3400
@@ -438,13 +438,13 @@ host in "10.0.0.1"? no (end of list)
host in "10.0.0.4"? no (end of list)
host in "10.0.0.3 : 10.0.0.4"? no (end of list)
host in auth_advertise_hosts? yes (matched "10.0.0.5")
-Evaluating advertise_condition for mylogin athenticator
-Evaluating advertise_condition for PLAIN athenticator
-Evaluating advertise_condition for EXPLAIN athenticator
-Evaluating advertise_condition for EXPANDED athenticator
-Evaluating advertise_condition for EXPANDFAIL athenticator
-Evaluating advertise_condition for DEFER athenticator
-Evaluating advertise_condition for LOGIN athenticator
+Evaluating advertise_condition for mylogin mylogin athenticator
+Evaluating advertise_condition for plain PLAIN athenticator
+Evaluating advertise_condition for extended_plain EXPLAIN athenticator
+Evaluating advertise_condition for expanded_prompt_plain EXPANDED athenticator
+Evaluating advertise_condition for expanded_prompt_plain_fail EXPANDFAIL athenticator
+Evaluating advertise_condition for defer DEFER athenticator
+Evaluating advertise_condition for login LOGIN athenticator
host in chunking_advertise_hosts? no (end of list)
SMTP>> 250-myhost.test.ex Hello CALLER at testing.testing [10.0.0.5]

250-SIZE 52428800
diff --git a/test/stdout/3820 b/test/stdout/3820
index 2572313..be1a2c5 100644
--- a/test/stdout/3820
+++ b/test/stdout/3820
@@ -11,7 +11,7 @@ Connecting to 127.0.0.1 port 1225 ... connected
??? 250-
<<< 250-PIPELINING
??? 250-
-<<< 250-AUTH ANONYMOUS PLAIN SCRAM-SHA-1
+<<< 250-AUTH ANONYMOUS PLAIN SCRAM-SHA-1 SCRAM-SHA-256
??? 250
<<< 250 HELP
>>> AUTH PLAIN AHBoMTAAc2VjcmV0