Authenticator gsasl: client support. Bug 2349

author: Jeremy Harris <jgh146exb@wizmail.org> 2019-12-27 18:37:19 +0000
committer: Jeremy Harris <jgh146exb@wizmail.org> 2019-12-27 18:37:19 +0000
commit: 14a806d6c13afdfb2f44dce64e50bffa6cb6869c (patch)
tree: c50d129d0e3e2c6eb6d26d2f2e49241fe08b1ec3 /doc
parent: 4533e306fc21e0dc3cce32db0e2bfa146a5dd78c (diff)
3 files changed, 31 insertions, 6 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 42a393558..eea304d64 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -27435,19 +27435,37 @@ auth_mechanisms = plain login ntlm
 .cindex "authentication" "DIGEST-MD5"
 .cindex "authentication" "CRAM-MD5"
 .cindex "authentication" "SCRAM-SHA-1"
-The &(gsasl)& authenticator provides server integration for the GNU SASL
+The &(gsasl)& authenticator provides integration for the GNU SASL
 library and the mechanisms it provides.  This is new as of the 4.80 release
 and there are a few areas where the library does not let Exim smoothly
 scale to handle future authentication mechanisms, so no guarantee can be
 made that any particular new authentication mechanism will be supported
 without code changes in Exim.
 
-Exim's &(gsasl)& authenticator does not have client-side support at this
-time; only the server-side support is implemented.  Patches welcome.
 
+.new
+.option client_authz gsasl string&!! unset
+This option can be used to supply an &'authorization id'&
+which is different to the &'authentication_id'& provided
+by $%client_username%& option.
+If unset or (after expansion) empty it is not used,
+which is the common case.
+
+.option client_channelbinding gsasl boolean false
+See $%server_channelbinding%& below.
+
+.option client_password gsasl string&!! unset
+This option is exapanded before use, and should result in
+the password to be used, in clear.
+
+.option client_username gsasl string&!! unset
+This option is exapanded before use, and should result in
+the account name to be used.
+.wen
 
 .option server_channelbinding gsasl boolean false
-Do not set this true without consulting a cryptographic engineer.
+Do not set this true and rely on the properties
+without consulting a cryptographic engineer.
 
 Some authentication mechanisms are able to use external context at both ends
 of the session to bind the authentication to that context, and fail the
@@ -27469,7 +27487,7 @@ This defaults off to ensure smooth upgrade across Exim releases, in case
 this option causes some clients to start failing.  Some future release
 of Exim might have switched the default to be true.
 
-However, Channel Binding in TLS has proven to be broken in current versions.
+However, Channel Binding in TLS has proven to be vulnerable in current versions.
 Do not plan to rely upon this feature for security, ever, without consulting
 with a subject matter expert (a cryptographic engineer).
 
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index cd380a3f3..6b163b8b2 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -17,6 +17,10 @@ Version 4.94
 
  3. A msg:defer event.
 
+ 4. Client-side support in the gsasl authenticator.  Tested against the plaintext
+    driver for PLAIN; only against itself for SCRAM-SHA-1 and SCRAM-SHA-1-PLUS
+    methods.
+
 
 Version 4.93
 ------------
diff --git a/doc/doc-txt/OptionLists.txt b/doc/doc-txt/OptionLists.txt
index 1618e4279..2978aed35 100644
--- a/doc/doc-txt/OptionLists.txt
+++ b/doc/doc-txt/OptionLists.txt
@@ -127,12 +127,15 @@ check_spool_space                    integer         0             main
 check_string                         string          "From "       appendfile        3.03
                                                      unset         pipe              3.03
 check_srv                            string*         unset         dnslookup         4.31
+client_authz                         string*         unset         gsasl             4.94
 client_condition                     string*         unset         authenticators    4.68
 client_ignore_invalid_base64         boolean         false         plaintext         4.61
 client_name                          string*         +             cram_md5          3.10
+client_password                      string*         unset         gsasl             4.94
 client_secret                        string*         unset         cram_md5          3.10
 client_send                          string*         unset         plaintext         3.10
-client_send                          string*         unset         external (auth)   4.93
+                                                     unset         external (auth)   4.93
+client_username                      string*         unset         gsasl             4.94
 command                              string*         unset         lmtp              3.20
                                                      unset         pipe
                                                      unset         queryprogram      4.00
author	Jeremy Harris <jgh146exb@wizmail.org>	2019-12-27 18:37:19 +0000
committer	Jeremy Harris <jgh146exb@wizmail.org>	2019-12-27 18:37:19 +0000
commit	14a806d6c13afdfb2f44dce64e50bffa6cb6869c (patch)
tree	c50d129d0e3e2c6eb6d26d2f2e49241fe08b1ec3 /doc
parent	4533e306fc21e0dc3cce32db0e2bfa146a5dd78c (diff)