2023-01-30 16:27:06 +03:00
package imapserver
import (
2023-02-05 18:29:03 +03:00
"crypto/hmac"
"crypto/md5"
2023-02-05 14:30:14 +03:00
"crypto/sha1"
"crypto/sha256"
2023-01-30 16:27:06 +03:00
"encoding/base64"
"errors"
2023-02-05 18:29:03 +03:00
"fmt"
2023-02-05 14:30:14 +03:00
"hash"
2023-01-30 16:27:06 +03:00
"strings"
"testing"
"github.com/mjl-/mox/scram"
)
func TestAuthenticatePlain ( t * testing . T ) {
tc := start ( t )
tc . transactf ( "no" , "authenticate bogus " )
tc . transactf ( "bad" , "authenticate plain not base64..." )
tc . transactf ( "no" , "authenticate plain %s" , base64 . StdEncoding . EncodeToString ( [ ] byte ( "\u0000baduser\u0000badpass" ) ) )
tc . xcode ( "AUTHENTICATIONFAILED" )
tc . transactf ( "no" , "authenticate plain %s" , base64 . StdEncoding . EncodeToString ( [ ] byte ( "\u0000mjl@mox.example\u0000badpass" ) ) )
tc . xcode ( "AUTHENTICATIONFAILED" )
tc . transactf ( "no" , "authenticate plain %s" , base64 . StdEncoding . EncodeToString ( [ ] byte ( "\u0000mjl\u0000badpass" ) ) ) // Need email, not account.
tc . xcode ( "AUTHENTICATIONFAILED" )
tc . transactf ( "no" , "authenticate plain %s" , base64 . StdEncoding . EncodeToString ( [ ] byte ( "\u0000mjl@mox.example\u0000test" ) ) )
tc . xcode ( "AUTHENTICATIONFAILED" )
tc . transactf ( "no" , "authenticate plain %s" , base64 . StdEncoding . EncodeToString ( [ ] byte ( "\u0000mjl@mox.example\u0000testtesttest" ) ) )
tc . xcode ( "AUTHENTICATIONFAILED" )
tc . transactf ( "bad" , "authenticate plain %s" , base64 . StdEncoding . EncodeToString ( [ ] byte ( "\u0000" ) ) )
tc . xcode ( "" )
tc . transactf ( "no" , "authenticate plain %s" , base64 . StdEncoding . EncodeToString ( [ ] byte ( "other\u0000mjl@mox.example\u0000testtest" ) ) )
tc . xcode ( "AUTHORIZATIONFAILED" )
tc . transactf ( "ok" , "authenticate plain %s" , base64 . StdEncoding . EncodeToString ( [ ] byte ( "\u0000mjl@mox.example\u0000testtest" ) ) )
tc . close ( )
tc = start ( t )
tc . transactf ( "ok" , "authenticate plain %s" , base64 . StdEncoding . EncodeToString ( [ ] byte ( "mjl@mox.example\u0000mjl@mox.example\u0000testtest" ) ) )
tc . close ( )
tc = start ( t )
tc . client . AuthenticatePlain ( "mjl@mox.example" , "testtest" )
tc . close ( )
tc = start ( t )
defer tc . close ( )
tc . cmdf ( "" , "authenticate plain" )
tc . readprefixline ( "+ " )
tc . writelinef ( "*" ) // Aborts.
tc . readstatus ( "bad" )
tc . cmdf ( "" , "authenticate plain" )
2023-07-24 20:54:55 +03:00
tc . readprefixline ( "+ " )
2023-01-30 16:27:06 +03:00
tc . writelinef ( "%s" , base64 . StdEncoding . EncodeToString ( [ ] byte ( "\u0000mjl@mox.example\u0000testtest" ) ) )
tc . readstatus ( "ok" )
}
2023-02-05 14:30:14 +03:00
func TestAuthenticateSCRAMSHA1 ( t * testing . T ) {
testAuthenticateSCRAM ( t , "SCRAM-SHA-1" , sha1 . New )
}
2023-01-30 16:27:06 +03:00
func TestAuthenticateSCRAMSHA256 ( t * testing . T ) {
2023-02-05 14:30:14 +03:00
testAuthenticateSCRAM ( t , "SCRAM-SHA-256" , sha256 . New )
}
func testAuthenticateSCRAM ( t * testing . T , method string , h func ( ) hash . Hash ) {
2023-01-30 16:27:06 +03:00
tc := start ( t )
2023-02-05 14:30:14 +03:00
tc . client . AuthenticateSCRAM ( method , h , "mjl@mox.example" , "testtest" )
2023-01-30 16:27:06 +03:00
tc . close ( )
auth := func ( status string , serverFinalError error , username , password string ) {
t . Helper ( )
2023-02-05 14:30:14 +03:00
sc := scram . NewClient ( h , username , "" )
2023-01-30 16:27:06 +03:00
clientFirst , err := sc . ClientFirst ( )
tc . check ( err , "scram clientFirst" )
tc . client . LastTag = "x001"
2023-02-05 14:30:14 +03:00
tc . writelinef ( "%s authenticate %s %s" , tc . client . LastTag , method , base64 . StdEncoding . EncodeToString ( [ ] byte ( clientFirst ) ) )
2023-01-30 16:27:06 +03:00
xreadContinuation := func ( ) [ ] byte {
line , _ , result , rerr := tc . client . ReadContinuation ( )
tc . check ( rerr , "read continuation" )
if result . Status != "" {
tc . t . Fatalf ( "expected continuation" )
}
buf , err := base64 . StdEncoding . DecodeString ( line )
tc . check ( err , "parsing base64 from remote" )
return buf
}
serverFirst := xreadContinuation ( )
clientFinal , err := sc . ServerFirst ( serverFirst , password )
tc . check ( err , "scram clientFinal" )
tc . writelinef ( "%s" , base64 . StdEncoding . EncodeToString ( [ ] byte ( clientFinal ) ) )
serverFinal := xreadContinuation ( )
err = sc . ServerFinal ( serverFinal )
if serverFinalError == nil {
tc . check ( err , "scram serverFinal" )
} else if err == nil || ! errors . Is ( err , serverFinalError ) {
t . Fatalf ( "server final, got err %#v, expected %#v" , err , serverFinalError )
}
2023-01-31 02:22:26 +03:00
if serverFinalError != nil {
tc . writelinef ( "*" )
} else {
tc . writelinef ( "" )
}
2023-01-30 16:27:06 +03:00
_ , result , err := tc . client . Response ( )
tc . check ( err , "read response" )
if string ( result . Status ) != strings . ToUpper ( status ) {
tc . t . Fatalf ( "got status %q, expected %q" , result . Status , strings . ToUpper ( status ) )
}
}
tc = start ( t )
auth ( "no" , scram . ErrInvalidProof , "mjl@mox.example" , "badpass" )
auth ( "no" , scram . ErrInvalidProof , "mjl@mox.example" , "" )
// todo: server aborts due to invalid username. we should probably make client continue with fake determinisitically generated salt and result in error in the end.
// auth("no", nil, "other@mox.example", "testtest")
tc . transactf ( "no" , "authenticate bogus " )
2023-02-05 14:30:14 +03:00
tc . transactf ( "bad" , "authenticate %s not base64..." , method )
tc . transactf ( "bad" , "authenticate %s %s" , method , base64 . StdEncoding . EncodeToString ( [ ] byte ( "bad data" ) ) )
2023-01-30 16:27:06 +03:00
tc . close ( )
}
2023-02-05 18:29:03 +03:00
func TestAuthenticateCRAMMD5 ( t * testing . T ) {
tc := start ( t )
tc . transactf ( "no" , "authenticate bogus " )
tc . transactf ( "bad" , "authenticate CRAM-MD5 not base64..." )
tc . transactf ( "bad" , "authenticate CRAM-MD5 %s" , base64 . StdEncoding . EncodeToString ( [ ] byte ( "baddata" ) ) )
tc . transactf ( "bad" , "authenticate CRAM-MD5 %s" , base64 . StdEncoding . EncodeToString ( [ ] byte ( "bad data" ) ) )
auth := func ( status string , username , password string ) {
t . Helper ( )
tc . client . LastTag = "x001"
tc . writelinef ( "%s authenticate CRAM-MD5" , tc . client . LastTag )
xreadContinuation := func ( ) [ ] byte {
line , _ , result , rerr := tc . client . ReadContinuation ( )
tc . check ( rerr , "read continuation" )
if result . Status != "" {
tc . t . Fatalf ( "expected continuation" )
}
buf , err := base64 . StdEncoding . DecodeString ( line )
tc . check ( err , "parsing base64 from remote" )
return buf
}
chal := xreadContinuation ( )
h := hmac . New ( md5 . New , [ ] byte ( password ) )
h . Write ( [ ] byte ( chal ) )
resp := fmt . Sprintf ( "%s %x" , username , h . Sum ( nil ) )
tc . writelinef ( "%s" , base64 . StdEncoding . EncodeToString ( [ ] byte ( resp ) ) )
_ , result , err := tc . client . Response ( )
tc . check ( err , "read response" )
if string ( result . Status ) != strings . ToUpper ( status ) {
tc . t . Fatalf ( "got status %q, expected %q" , result . Status , strings . ToUpper ( status ) )
}
}
auth ( "no" , "mjl@mox.example" , "badpass" )
auth ( "no" , "mjl@mox.example" , "" )
auth ( "no" , "other@mox.example" , "testtest" )
auth ( "ok" , "mjl@mox.example" , "testtest" )
tc . close ( )
}