gsasl authenticator: support crypted secrets, server side

6 files changed, 23 insertions, 20 deletions

diff --git a/test/confs/3820 b/test/confs/3820
index c80d4d414..7322c4b7e 100644
--- a/test/confs/3820
+++ b/test/confs/3820
@@ -23,6 +23,7 @@ client_r:
   driver =	accept
   condition =	${if !eq {SERVER}{server}}
   transport =	smtp
+  errors_to =
 
 begin transports
 
@@ -35,6 +36,8 @@ smtp:
   hosts_require_tls =	*
   tls_verify_certificates = DIR/aux-fixed/cert1
   tls_verify_cert_hostnames = :
+.else
+  hosts_avoid_tls =	*
 .endif
   hosts_require_auth =	*
 
@@ -70,14 +73,11 @@ sasl3:
   public_name =		SCRAM-SHA-1
 .endif
 
-  # will need to give library salt, stored-key, server-key, itercount
-  #
-  # sigh
-  # gsasl takes props: GSASL_SCRAM_ITER, GSASL_SCRAM_SALT.  It _might_ take
-  # a GSASL_SCRAM_SALTED_PASSWORD - but that is only documented for client mode.
-
-  # unclear if the salt is given in binary or base64 to the library
   server_scram_salt =	${if eq {$auth1}{ph10} {QSXCR+Q6sek8bf92}}
+.ifdef _HAVE_AUTH_GSASL_SCRAM_S_KEY
+  server_key =		D+CSWLOshSulAsxiupA+qs2/fTE=
+  server_skey =		6dlGYMOdZcOPutkcNY8U2g7vK9Y=
+.endif
   server_password =	${if eq {$auth1}{ph10} {pencil}{unset_password}}
   server_condition =	true
   server_set_id =	$auth1
@@ -85,6 +85,9 @@ sasl3:
   client_condition =	${if eq {scram_sha_1}{$local_part}}
   client_username =	ph10
   client_password =	pencil
+.ifdef _HAVE_AUTH_GSASL_SCRAM_S_KEY
+  client_spassword =	1d96ee3a529b5a5f9e47c01f229a2cb8a6e15f7d
+.endif
 .ifdef TRUSTED
   client_channelbinding = true
 .endif
diff --git a/test/log/3821 b/test/log/3821
index bcb5741cf..6c79bedfd 100644
--- a/test/log/3821
+++ b/test/log/3821
@@ -7,5 +7,5 @@
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpa A=sasl2:ph10 S=sss id=E10HmaX-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpa A=sasl3:ph10 S=sss id=E10HmaZ-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpa A=sasl2:ph10 S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpa A=sasl3:ph10 S=sss id=E10HmaZ-0005vi-00@myhost.test.ex
diff --git a/test/log/3829 b/test/log/3829
index 3b630ba8e..69c2781d8 100644
--- a/test/log/3829
+++ b/test/log/3829
@@ -4,4 +4,4 @@
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpsa X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no A=sasl3:ph10 S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtpsa X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no A=sasl3:ph10 S=sss id=E10HmaX-0005vi-00@myhost.test.ex
diff --git a/test/scripts/3828-gsasl-scram-sha-256/3828 b/test/scripts/3828-gsasl-scram-sha-256/3828
index 749dbf58d..74348f972 100644
--- a/test/scripts/3828-gsasl-scram-sha-256/3828
+++ b/test/scripts/3828-gsasl-scram-sha-256/3828
@@ -1,8 +1,8 @@
 # GSASL SCRAM-SHA-256
 #
-exim -DSERVER=server -DTRUSTED -bd -oX PORT_D
+exim -DSERVER=server -bd -oX PORT_D
 ****
-exim -odi -DTRUSTED scram_sha_256@test.ex
+exim -odi scram_sha_256@test.ex
 ****
 killdaemon
 no_msglog_check
diff --git a/test/stderr/3400 b/test/stderr/3400
index da04b7f37..9088befdf 100644
--- a/test/stderr/3400
+++ b/test/stderr/3400
@@ -438,13 +438,13 @@ host in "10.0.0.1"? no (end of list)
 host in "10.0.0.4"? no (end of list)
 host in "10.0.0.3 : 10.0.0.4"? no (end of list)
 host in auth_advertise_hosts? yes (matched "10.0.0.5")
-Evaluating advertise_condition for mylogin athenticator
-Evaluating advertise_condition for PLAIN athenticator
-Evaluating advertise_condition for EXPLAIN athenticator
-Evaluating advertise_condition for EXPANDED athenticator
-Evaluating advertise_condition for EXPANDFAIL athenticator
-Evaluating advertise_condition for DEFER athenticator
-Evaluating advertise_condition for LOGIN athenticator
+Evaluating advertise_condition for mylogin mylogin athenticator
+Evaluating advertise_condition for plain PLAIN athenticator
+Evaluating advertise_condition for extended_plain EXPLAIN athenticator
+Evaluating advertise_condition for expanded_prompt_plain EXPANDED athenticator
+Evaluating advertise_condition for expanded_prompt_plain_fail EXPANDFAIL athenticator
+Evaluating advertise_condition for defer DEFER athenticator
+Evaluating advertise_condition for login LOGIN athenticator
 host in chunking_advertise_hosts? no (end of list)
 SMTP>> 250-myhost.test.ex Hello CALLER at testing.testing [10.0.0.5]
 250-SIZE 52428800
diff --git a/test/stdout/3820 b/test/stdout/3820
index 25723136a..be1a2c53b 100644
--- a/test/stdout/3820
+++ b/test/stdout/3820
@@ -11,7 +11,7 @@ Connecting to 127.0.0.1 port 1225 ... connected
 ??? 250-
 <<< 250-PIPELINING
 ??? 250-
-<<< 250-AUTH ANONYMOUS PLAIN SCRAM-SHA-1
+<<< 250-AUTH ANONYMOUS PLAIN SCRAM-SHA-1 SCRAM-SHA-256
 ??? 250
 <<< 250 HELP
 >>> AUTH PLAIN AHBoMTAAc2VjcmV0