1package imapserver

2

3import (

4 "crypto/hmac"

5 "crypto/md5"

6 "crypto/sha1"

7 "crypto/sha256"

8 "encoding/base64"

9 "errors"

10 "fmt"

11 "hash"

12 "strings"

13 "testing"

14

15 "golang.org/x/text/secure/precis"

16

17 "github.com/mjl-/mox/scram"

18)

19

20func TestAuthenticateLogin(t *testing.T) {

21 // NFD username and PRECIS-cleaned password.

22 tc := start(t)

23 tc.client.Login("mo\u0301x@mox.example", password1)

24 tc.close()

25}

26

27func TestAuthenticatePlain(t *testing.T) {

28 tc := start(t)

29

30 tc.transactf("no", "authenticate bogus ")

31 tc.transactf("bad", "authenticate plain not base64...")

32 tc.transactf("no", "authenticate plain %s", base64.StdEncoding.EncodeToString([]byte("\u0000baduser\u0000badpass")))

33 tc.xcode("AUTHENTICATIONFAILED")

34 tc.transactf("no", "authenticate plain %s", base64.StdEncoding.EncodeToString([]byte("\u0000mjl@mox.example\u0000badpass")))

35 tc.xcode("AUTHENTICATIONFAILED")

36 tc.transactf("no", "authenticate plain %s", base64.StdEncoding.EncodeToString([]byte("\u0000mjl\u0000badpass"))) // Need email, not account.

37 tc.xcode("AUTHENTICATIONFAILED")

38 tc.transactf("no", "authenticate plain %s", base64.StdEncoding.EncodeToString([]byte("\u0000mjl@mox.example\u0000test")))

39 tc.xcode("AUTHENTICATIONFAILED")

40 tc.transactf("no", "authenticate plain %s", base64.StdEncoding.EncodeToString([]byte("\u0000mjl@mox.example\u0000test"+password0)))

41 tc.xcode("AUTHENTICATIONFAILED")

42 tc.transactf("bad", "authenticate plain %s", base64.StdEncoding.EncodeToString([]byte("\u0000")))

43 tc.xcode("")

44 tc.transactf("no", "authenticate plain %s", base64.StdEncoding.EncodeToString([]byte("other\u0000mjl@mox.example\u0000"+password0)))

45 tc.xcode("AUTHORIZATIONFAILED")

46 tc.transactf("ok", "authenticate plain %s", base64.StdEncoding.EncodeToString([]byte("\u0000mjl@mox.example\u0000"+password0)))

47 tc.close()

48

49 tc = start(t)

50 tc.transactf("ok", "authenticate plain %s", base64.StdEncoding.EncodeToString([]byte("mjl@mox.example\u0000mjl@mox.example\u0000"+password0)))

51 tc.close()

52

53 // NFD username and PRECIS-cleaned password.

54 tc = start(t)

55 tc.transactf("ok", "authenticate plain %s", base64.StdEncoding.EncodeToString([]byte("mo\u0301x@mox.example\u0000mo\u0301x@mox.example\u0000"+password1)))

56 tc.close()

57

58 tc = start(t)

59 tc.client.AuthenticatePlain("mjl@mox.example", password0)

60 tc.close()

61

62 tc = start(t)

63 defer tc.close()

64

65 tc.cmdf("", "authenticate plain")

66 tc.readprefixline("+ ")

67 tc.writelinef("*") // Aborts.

68 tc.readstatus("bad")

69

70 tc.cmdf("", "authenticate plain")

71 tc.readprefixline("+ ")

72 tc.writelinef("%s", base64.StdEncoding.EncodeToString([]byte("\u0000mjl@mox.example\u0000"+password0)))

73 tc.readstatus("ok")

74}

75

76func TestAuthenticateSCRAMSHA1(t *testing.T) {

77 testAuthenticateSCRAM(t, false, "SCRAM-SHA-1", sha1.New)

78}

79

80func TestAuthenticateSCRAMSHA256(t *testing.T) {

81 testAuthenticateSCRAM(t, false, "SCRAM-SHA-256", sha256.New)

82}

83

84func TestAuthenticateSCRAMSHA1PLUS(t *testing.T) {

85 testAuthenticateSCRAM(t, true, "SCRAM-SHA-1-PLUS", sha1.New)

86}

87

88func TestAuthenticateSCRAMSHA256PLUS(t *testing.T) {

89 testAuthenticateSCRAM(t, true, "SCRAM-SHA-256-PLUS", sha256.New)

90}

91

92func testAuthenticateSCRAM(t *testing.T, tls bool, method string, h func() hash.Hash) {

93 tc := startArgs(t, true, tls, true, true, "mjl")

94 tc.client.AuthenticateSCRAM(method, h, "mjl@mox.example", password0)

95 tc.close()

96

97 auth := func(status string, serverFinalError error, username, password string) {

98 t.Helper()

99

100 noServerPlus := false

101 sc := scram.NewClient(h, username, "", noServerPlus, tc.client.TLSConnectionState())

102 clientFirst, err := sc.ClientFirst()

103 tc.check(err, "scram clientFirst")

104 tc.client.LastTag = "x001"

105 tc.writelinef("%s authenticate %s %s", tc.client.LastTag, method, base64.StdEncoding.EncodeToString([]byte(clientFirst)))

106

107 xreadContinuation := func() []byte {

108 line, _, result, rerr := tc.client.ReadContinuation()

109 tc.check(rerr, "read continuation")

110 if result.Status != "" {

111 tc.t.Fatalf("expected continuation")

112 }

113 buf, err := base64.StdEncoding.DecodeString(line)

114 tc.check(err, "parsing base64 from remote")

115 return buf

116 }

117

118 serverFirst := xreadContinuation()

119 clientFinal, err := sc.ServerFirst(serverFirst, password)

120 tc.check(err, "scram clientFinal")

121 tc.writelinef("%s", base64.StdEncoding.EncodeToString([]byte(clientFinal)))

122

123 serverFinal := xreadContinuation()

124 err = sc.ServerFinal(serverFinal)

125 if serverFinalError == nil {

126 tc.check(err, "scram serverFinal")

127 } else if err == nil || !errors.Is(err, serverFinalError) {

128 t.Fatalf("server final, got err %#v, expected %#v", err, serverFinalError)

129 }

130 if serverFinalError != nil {

131 tc.writelinef("*")

132 } else {

133 tc.writelinef("")

134 }

135 _, result, err := tc.client.Response()

136 tc.check(err, "read response")

137 if string(result.Status) != strings.ToUpper(status) {

138 tc.t.Fatalf("got status %q, expected %q", result.Status, strings.ToUpper(status))

139 }

140 }

141

142 tc = startArgs(t, true, tls, true, true, "mjl")

143 auth("no", scram.ErrInvalidProof, "mjl@mox.example", "badpass")

144 auth("no", scram.ErrInvalidProof, "mjl@mox.example", "")

145 // todo: server aborts due to invalid username. we should probably make client continue with fake determinisitically generated salt and result in error in the end.

146 // auth("no", nil, "other@mox.example", password0)

147

148 tc.transactf("no", "authenticate bogus ")

149 tc.transactf("bad", "authenticate %s not base64...", method)

150 tc.transactf("bad", "authenticate %s %s", method, base64.StdEncoding.EncodeToString([]byte("bad data")))

151

152 // NFD username, with PRECIS-cleaned password.

153 auth("ok", nil, "mo\u0301x@mox.example", password1)

154

155 tc.close()

156}

157

158func TestAuthenticateCRAMMD5(t *testing.T) {

159 tc := start(t)

160

161 tc.transactf("no", "authenticate bogus ")

162 tc.transactf("bad", "authenticate CRAM-MD5 not base64...")

163 tc.transactf("bad", "authenticate CRAM-MD5 %s", base64.StdEncoding.EncodeToString([]byte("baddata")))

164 tc.transactf("bad", "authenticate CRAM-MD5 %s", base64.StdEncoding.EncodeToString([]byte("bad data")))

165

166 auth := func(status string, username, password string) {

167 t.Helper()

168

169 tc.client.LastTag = "x001"

170 tc.writelinef("%s authenticate CRAM-MD5", tc.client.LastTag)

171

172 xreadContinuation := func() []byte {

173 line, _, result, rerr := tc.client.ReadContinuation()

174 tc.check(rerr, "read continuation")

175 if result.Status != "" {

176 tc.t.Fatalf("expected continuation")

177 }

178 buf, err := base64.StdEncoding.DecodeString(line)

179 tc.check(err, "parsing base64 from remote")

180 return buf

181 }

182

183 chal := xreadContinuation()

184 pw, err := precis.OpaqueString.String(password)

185 if err == nil {

186 password = pw

187 }

188 h := hmac.New(md5.New, []byte(password))

189 h.Write([]byte(chal))

190 resp := fmt.Sprintf("%s %x", username, h.Sum(nil))

191 tc.writelinef("%s", base64.StdEncoding.EncodeToString([]byte(resp)))

192

193 _, result, err := tc.client.Response()

194 tc.check(err, "read response")

195 if string(result.Status) != strings.ToUpper(status) {

196 tc.t.Fatalf("got status %q, expected %q", result.Status, strings.ToUpper(status))

197 }

198 }

199

200 auth("no", "mjl@mox.example", "badpass")

201 auth("no", "mjl@mox.example", "")

202 auth("no", "other@mox.example", password0)

203

204 auth("ok", "mjl@mox.example", password0)

205

206 tc.close()

207

208 // NFD username, with PRECIS-cleaned password.

209 tc = start(t)

210 auth("ok", "mo\u0301x@mox.example", password1)

211 tc.close()

212}

213