author: Jeremy Harris <jgh146exb@wizmail.org> 2020-01-15 14:22:42 +0000
committer: Jeremy Harris <jgh146exb@wizmail.org> 2020-01-15 14:57:00 +0000
commit: 49d478067ba22d087c65b35a8bb9b782be1ee173
tree: 50a5e3d606cf84bd5dc692661cfedc36ab2e79bf /doc
parent: 870ce70e11912e8858ef4c071f2778b93a4b2ac9
gsasl authenticator: support crypted secrets, server side
Diffstat (limited to 'doc'):
-rw-r--r-- doc/doc-docbook/spec.xfpt | 53
-rw-r--r-- doc/doc-txt/NewStuff      |  5
2 files changed, 53 insertions, 5 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 1d6fa536b..c57f1a23f 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -27553,6 +27553,19 @@ This option is exapanded before use, and should result in
the account name to be used.
.wen
+.new
+.option client_spassword gsasl string&!! unset
+If a SCRAM mechanism is being used and this option is set
+it is used in preference to $%client_password%&.
+The value after expansion should be
+a 40 (for SHA-1) or 64 (for SHA-256) character string
+with the PBKDF2-prepared password, hex-encoded.
+Note that this value will depend on the salt and iteration-count
+supplied by the server.
+.wen
+
+
+
.option server_channelbinding gsasl boolean false
Do not set this true and rely on the properties
without consulting a cryptographic engineer.
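Review bot: `$%client_password%&` in the new client_spassword paragraph looks like a markup slip; everywhere else in this file an option cross-reference is written `&%option%&` (compare `&%server_password%&` later in this same patch), so it should read `&%client_password%&` or the reference will not render. The three blank `+` lines after `.wen` also leave more whitespace than the neighbouring options use; one is enough. It would help the reader to say what "PBKDF2-prepared password" is in SCRAM terms, namely the SaltedPassword of RFC 5802, which is why the hex value is only valid for the one salt and iteration count the server hands out, and why a server that rotates either silently invalidates a cached client_spassword.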
@@ -27629,7 +27642,8 @@ Some mechanisms will use this data.
.option server_scram_iter gsasl string&!! 4096
This option provides data for the SCRAM family of mechanisms.
.new
-The &$auth1$&, &$auth2$& and &$auth3$& variables are available for expansion.
+The &$auth1$&, &$auth2$& and &$auth3$& variables are available
+when this option is expanded.
The result of expansion should be a decimal number,
and represents both a lower-bound on the security, and
@@ -27637,19 +27651,50 @@ a compute cost factor imposed on the client
(if it does not cache results, or the server changes
either the iteration count or the salt).
A minimum value of 4096 is required by the standards
-for all current CRAM mechanism variants.
+for all current SCRAM mechanism variants.
.wen
-
.option server_scram_salt gsasl string&!! unset
This option provides data for the SCRAM family of mechanisms.
.new
-The &$auth1$&, &$auth2$& and &$auth3$& variables are available for expansion.
+The &$auth1$&, &$auth2$& and &$auth3$& variables are available
+when this option is expanded.
+The value should be a base64-encoded string,
+of random data typically 4-to-16 bytes long.
If unset or empty after expansion the library will provides a value for the
protocol conversation.
.wen
+.new
+.option server_key gsasl string&!! unset
+.option server_skey gsasl string&!! unset
+These options can be used for the SCRAM family of mechanisms
+to provide stored information related to a password,
+the storage of which is preferable to plaintext.
+
+&%server_key%& is the value defined in the SCRAM standards as ServerKey;
+&%server_skey%& is StoredKey.
+
+They are only available for version 1.9.0 (or later) of the gsasl library.
+When this is so, the macros
+_OPT_AUTHENTICATOR_GSASL_SERVER_KEY
+and _HAVE_AUTH_GSASL_SCRAM_S_KEY
+will be defined.
+
+The &$authN$& variables are available when these options are expanded.
+
+If set, the results of expansion should for each
+should be a 28 (for SHA-1) or 44 (for SHA-256) character string
+of base64-coded data, and will be used in preference to the
+&%server_password%& option.
+If unset or not of the right length, &%server_password%& will be used.
+
+The libgsasl library release includes a utility &'gsasl'& which can be used
+to generate these values.
+.wen
+
+
.option server_service gsasl string &`smtp`&
This is the SASL service that the server claims to implement.
Some mechanisms will use this data.
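Review bot: "If set, the results of expansion should for each should be" repeats "should"; suggest "If set, the result of expanding each should be". More substantively, "the storage of which is preferable to plaintext" undersells what a leaked value still allows: per RFC 5802 section 9, StoredKey and ServerKey are not password hashes in the usual sense, since a party holding StoredKey who also observes one successful exchange can recover ClientKey from ClientProof and impersonate the user, and ServerKey alone is enough to compute a valid ServerSignature and impersonate the server. The text should say the values avoid storing the password itself but need the same access protection as a password file. The silent fallback "If unset or not of the right length, &%server_password%& will be used" also means a mistyped base64 string quietly downgrades to the plaintext path; worth stating whether that case is logged. The unchanged context line "the library will provides a value" carries a typo ("will provide") that could be fixed while this paragraph is being touched.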
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 8a00bfc67..f5421a7f2 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -21,7 +21,10 @@ Version 4.94
driver for PLAIN; only against itself for SCRAM-SHA-1 and SCRAM-SHA-1-PLUS
methods.
- 5. Variable $local_part_verified, set by the router check_local_part condition
+ 5. Server-side support in the gsasl authenticator for encrypted passwords, as an
+ alternate for the existing plaintext.
+
+ 6. Variable $local_part_verified, set by the router check_local_part condition
with untainted data.
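Review bot: "encrypted passwords" misdescribes the feature; the patch adds storage of the SCRAM StoredKey and ServerKey (the new server_key and server_skey options), which are derived from the password, not an encryption of it, and a reader may expect a reversible scheme. Suggest "hashed (SCRAM key) secrets" or naming the options directly. "alternate for" should be "alternative to". The entry also omits the gsasl 1.9.0 requirement that the spec.xfpt text in this patch states, which is exactly what NewStuff readers check before upgrading.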