-rw-r--r--doc/doc-docbook/spec.xfpt16
-rw-r--r--test/confs/382048
-rw-r--r--test/confs/382566
l---------[-rw-r--r--]test/confs/382867
-rw-r--r--test/log/3825 (renamed from test/log/3828)0
-rw-r--r--test/scripts/3825-gsasl-plaintext/3825 (renamed from test/scripts/3828-gsasl-plaintext/3828)0
-rw-r--r--test/scripts/3825-gsasl-plaintext/REQUIRES (renamed from test/scripts/3828-gsasl-plaintext/REQUIRES)0
-rw-r--r--test/scripts/3828-gsasl-scram-sha-256/38288
-rw-r--r--test/scripts/3828-gsasl-scram-sha-256/REQUIRES2
9 files changed, 125 insertions, 82 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 19888e96d..560b72066 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -27435,6 +27435,9 @@ auth_mechanisms = plain login ntlm
.cindex "authentication" "DIGEST-MD5"
.cindex "authentication" "CRAM-MD5"
.cindex "authentication" "SCRAM-SHA-1"
+.cindex "authentication" "SCRAM-SHA-1-PLUS"
+.cindex "authentication" "SCRAM-SHA-256"
+.cindex "authentication" "SCRAM-SHA-256-PLUS"
The &(gsasl)& authenticator provides integration for the GNU SASL
library and the mechanisms it provides. This is new as of the 4.80 release
and there are a few areas where the library does not let Exim smoothly
@@ -27442,8 +27445,13 @@ scale to handle future authentication mechanisms, so no guarantee can be
made that any particular new authentication mechanism will be supported
without code changes in Exim.
-
.new
+The library is expected to add support in an upcoming
+realease for the SCRAM-SHA-256 method.
+The macro _HAVE_AUTH_GSASL_SCRAM_SHA_256 will be defined
+when this happens.
+
+
.option client_authz gsasl string&!! unset
This option can be used to supply an &'authorization id'&
which is different to the &'authentication_id'& provided
@@ -27481,6 +27489,7 @@ server to see different identifiers and authentication will fail.
This is
only usable by mechanisms which support "channel binding"; at time of
writing, that's the SCRAM family.
+When using this feature the "-PLUS" variants of the method names need to be used.
.wen
This defaults off to ensure smooth upgrade across Exim releases, in case
@@ -40571,9 +40580,8 @@ defines the location of a text file of valid
top level domains the opendmarc library uses
during domain parsing. Maintained by Mozilla,
the most current version can be downloaded
-from a link at &url(https://publicsuffix.org/list/, currently pointing
-at https://publicsuffix.org/list/public_suffix_list.dat)
-See also util/renew-opendmarc-tlds.sh script.
+from a link at &url(https://publicsuffix.org/list/public_suffix_list.dat).
+See also the util/renew-opendmarc-tlds.sh script.
.new
The default for the option is unset.
If not set, DMARC processing is disabled.
diff --git a/test/confs/3820 b/test/confs/3820
index 023ed751d..b60e467a3 100644
--- a/test/confs/3820
+++ b/test/confs/3820
@@ -27,16 +27,16 @@ client_r:
begin transports
smtp:
- driver = smtp
- hosts = 127.0.0.1
+ driver = smtp
+ hosts = 127.0.0.1
allow_localhost
- port = PORT_D
+ port = PORT_D
.ifdef TRUSTED
- hosts_require_tls = *
+ hosts_require_tls = *
tls_verify_certificates = DIR/aux-fixed/cert1
tls_verify_cert_hostnames = :
.endif
- hosts_require_auth = *
+ hosts_require_auth = *
# ----- Authentication -----
@@ -44,14 +44,14 @@ begin authenticators
.ifndef TRUSTED
sasl1:
- driver = gsasl
- public_name = ANONYMOUS
+ driver = gsasl
+ public_name = ANONYMOUS
server_set_id = $auth1
server_condition = true
sasl2:
- driver = gsasl
- public_name = PLAIN
+ driver = gsasl
+ public_name = PLAIN
server_set_id = $auth1
server_condition = ${if eq {$auth3}{pencil}}
@@ -61,13 +61,13 @@ sasl2:
.endif
sasl3:
- driver = gsasl
+ driver = gsasl
.ifdef TRUSTED
- public_name = SCRAM-SHA-1-PLUS
+ public_name = SCRAM-SHA-1-PLUS
server_advertise_condition = ${if def:tls_in_cipher}
server_channelbinding = true
.else
- public_name = SCRAM-SHA-1
+ public_name = SCRAM-SHA-1
.endif
# will need to give library salt, stored-key, server-key, itercount
@@ -89,5 +89,29 @@ sasl3:
client_channelbinding = true
.endif
+.ifdef _HAVE_AUTH_GSASL_SCRAM_SHA_256
+sasl4:
+ driver = gsasl
+.ifdef TRUSTED
+ public_name = SCRAM-SHA-256-PLUS
+ server_advertise_condition = ${if def:tls_in_cipher}
+ server_channelbinding = true
+.else
+ public_name = SCRAM-SHA-256
+.endif
+
+ server_scram_salt = QSXCR+Q6sek8bf92
+ server_password = pencil
+ server_condition = true
+ server_set_id = $auth1
+
+ client_condition = ${if eq {scram_sha_256}{$local_part}}
+ client_username = ph10
+ client_password = pencil
+.ifdef TRUSTED
+ client_channelbinding = true
+.endif
+.endif
+
# End
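Review bot: The new `sasl4` authenticator has no comment explaining its credential fixtures, whereas `sasl3` just above at least notes what the library needs (salt, stored-key, server-key, itercount). Here `server_scram_salt` is pinned to a constant and `server_password` holds the cleartext `pencil`; that is reasonable for reproducible test output, but nothing marks it as a fixture rather than a pattern to copy. I would add above `server_scram_salt` a line such as `# fixed salt and cleartext password: test fixtures only, kept constant for reproducible output`. A short comment on `client_condition` saying that the local part `scram_sha_256` is the address used by test script 3828 would also make the client-side selection easier to follow.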
diff --git a/test/confs/3825 b/test/confs/3825
new file mode 100644
index 000000000..61483569f
--- /dev/null
+++ b/test/confs/3825
@@ -0,0 +1,66 @@
+# Exim test configuration 3825
+
+SERVER=
+
+.include DIR/aux-var/std_conf_prefix
+
+primary_hostname = myhost.test.ex
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = accept
+queue_only
+
+
+begin routers
+
+client_r:
+ driver = accept
+ condition = ${if !eq {SERVER}{server}}
+ transport = smtp
+
+begin transports
+
+smtp:
+ driver = smtp
+ hosts = 127.0.0.1
+ allow_localhost
+ port = PORT_D
+ hosts_require_auth = *
+
+# ----- Authentication -----
+
+begin authenticators
+
+.ifndef OPT
+sasl1:
+ driver = plaintext
+ public_name = PLAIN
+ server_prompts = :
+ server_condition = ${if and {{eq{$auth2}{ph10}}{eq{$auth3}{mysecret}}}}
+ server_set_id = $auth2
+
+sasl2:
+ driver = gsasl
+ public_name = PLAIN
+ client_condition = ${if eq {plain}{$local_part}}
+ client_username = ph10
+ client_password = mysecret
+
+.else
+sasl3:
+ driver = gsasl
+ public_name = PLAIN
+ server_condition = ${if and {{eq{$auth1}{ph10}}{eq{$auth3}{mysecret}}}}
+ server_set_id = $auth1
+
+sasl4:
+ driver = plaintext
+ public_name = PLAIN
+ client_condition = ${if eq {plain}{$local_part}}
+ client_send = ^ph10^mysecret
+
+.endif
+
+
+# End
diff --git a/test/confs/3828 b/test/confs/3828
index aa9db9467..d8f3286c4 100644..120000
--- a/test/confs/3828
+++ b/test/confs/3828
@@ -1,66 +1 @@
-# Exim test configuration 3828
-
-SERVER=
-
-.include DIR/aux-var/std_conf_prefix
-
-primary_hostname = myhost.test.ex
-
-# ----- Main settings -----
-
-acl_smtp_rcpt = accept
-queue_only
-
-
-begin routers
-
-client_r:
- driver = accept
- condition = ${if !eq {SERVER}{server}}
- transport = smtp
-
-begin transports
-
-smtp:
- driver = smtp
- hosts = 127.0.0.1
- allow_localhost
- port = PORT_D
- hosts_require_auth = *
-
-# ----- Authentication -----
-
-begin authenticators
-
-.ifndef OPT
-sasl1:
- driver = plaintext
- public_name = PLAIN
- server_prompts = :
- server_condition = ${if and {{eq{$auth2}{ph10}}{eq{$auth3}{mysecret}}}}
- server_set_id = $auth2
-
-sasl2:
- driver = gsasl
- public_name = PLAIN
- client_condition = ${if eq {plain}{$local_part}}
- client_username = ph10
- client_password = mysecret
-
-.else
-sasl3:
- driver = gsasl
- public_name = PLAIN
- server_condition = ${if and {{eq{$auth1}{ph10}}{eq{$auth3}{mysecret}}}}
- server_set_id = $auth1
-
-sasl4:
- driver = plaintext
- public_name = PLAIN
- client_condition = ${if eq {plain}{$local_part}}
- client_send = ^ph10^mysecret
-
-.endif
-
-
-# End
+3820 \ No newline at end of file
diff --git a/test/log/3828 b/test/log/3825
index 038a795d7..038a795d7 100644
--- a/test/log/3828
+++ b/test/log/3825
diff --git a/test/scripts/3828-gsasl-plaintext/3828 b/test/scripts/3825-gsasl-plaintext/3825
index a30888f3d..a30888f3d 100644
--- a/test/scripts/3828-gsasl-plaintext/3828
+++ b/test/scripts/3825-gsasl-plaintext/3825
diff --git a/test/scripts/3828-gsasl-plaintext/REQUIRES b/test/scripts/3825-gsasl-plaintext/REQUIRES
index 905a62278..905a62278 100644
--- a/test/scripts/3828-gsasl-plaintext/REQUIRES
+++ b/test/scripts/3825-gsasl-plaintext/REQUIRES
diff --git a/test/scripts/3828-gsasl-scram-sha-256/3828 b/test/scripts/3828-gsasl-scram-sha-256/3828
new file mode 100644
index 000000000..749dbf58d
--- /dev/null
+++ b/test/scripts/3828-gsasl-scram-sha-256/3828
@@ -0,0 +1,8 @@
+# GSASL SCRAM-SHA-256
+#
+exim -DSERVER=server -DTRUSTED -bd -oX PORT_D
+****
+exim -odi -DTRUSTED scram_sha_256@test.ex
+****
+killdaemon
+no_msglog_check
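Review bot: Both invocations pass `-DTRUSTED`, so this script, which reads test/confs/3820 through the new 3828 symlink, only reaches the `SCRAM-SHA-256-PLUS` branch of `sasl4` with TLS required on the transport. The plain `SCRAM-SHA-256` branch under `.else` does not appear to be exercised by anything in this commit, and the header `# GSASL SCRAM-SHA-256` does not say which variant is covered. Either add a second daemon/client pair without `-DTRUSTED`, or change the header to `# GSASL SCRAM-SHA-256-PLUS (channel binding over TLS)` so the gap is visible. The non-PLUS variant is what gets negotiated when channel binding is unavailable, so a regression there would pass this test unnoticed.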
diff --git a/test/scripts/3828-gsasl-scram-sha-256/REQUIRES b/test/scripts/3828-gsasl-scram-sha-256/REQUIRES
new file mode 100644
index 000000000..89fd50833
--- /dev/null
+++ b/test/scripts/3828-gsasl-scram-sha-256/REQUIRES
@@ -0,0 +1,2 @@
+authenticator gsasl
+feature _HAVE_AUTH_GSASL_SCRAM_SHA_256