Bug#980893: [PATCH] Support SCRAM-SHA-1 etc via libgsasl

2021-01-24 Thread Andreas Metzler
On 2021-01-23 Simon Josefsson wrote:
> Package: exim4
> Tags: patch

> Hi!

> The patch below links exim4-daemon-heavy to libgsasl to enable the
> 'gsasl' authenticator support in exim, see:

> https://exim.org/exim-html-current/doc/html/spec_html/ch-the_gsasl_authenticator.html

> This makes it possible to enable SCRAM-SHA-1 and SCRAM-SHA-256 in Exim
> via libgsasl.

> Any chance this could make it into bullseye?  Thanks :)
[...]

Hello Simon,

I am very reluctant to link exim against another SASL library since it
is already linked against the Cyrus SASL library.

cu Andreas



Bug#980893: [PATCH] Support SCRAM-SHA-1 etc via libgsasl

2021-01-23 Thread Simon Josefsson
Package: exim4
Tags: patch

Hi!

The patch below links exim4-daemon-heavy to libgsasl to enable the
'gsasl' authenticator support in exim, see:

https://exim.org/exim-html-current/doc/html/spec_html/ch-the_gsasl_authenticator.html

This makes it possible to enable SCRAM-SHA-1 and SCRAM-SHA-256 in Exim
via libgsasl.

Any chance this could make it into bullseye?  Thanks :)

I have done some testing using a minimal gsasl driver, and it seems to
work.  Configuration on the server side:

root@sid:/etc/exim4# cat conf.d/auth/50-sid
gsasl:
  driver = gsasl
  public_name = SCRAM-SHA-1
  server_password = foo
  server_set_id = ${quote:$auth1}
  server_condition = yes
root@sid:/etc/exim4# 

Client side works:

jas@latte:~$ LANG=C gsasl x.y.z.q 587 --no-starttls --mechanism SCRAM-SHA-1 -a jas --password foo -d
Trying 'x.y.z.q'...
220 sid ESMTP Exim 4.94 Sat, 23 Jan 2021 22:20:48 +
EHLO [127.0.0.1]
250-sid Hello ...
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-PIPE_CONNECT
250-AUTH SCRAM-SHA-1
250-CHUNKING
250-STARTTLS
250-PRDR
250 HELP
AUTH SCRAM-SHA-1
334 
biwsbj1qYXMscj1oOEh0TmFxci9UclA4eDlrbHlOeFhQTWc=
334 cj1oOEh0TmFxci9UclA4eDlrbHlOeFhQTWdPYkNqUnQ2OFU1Y0pJblR5ZWtyam12aVEscz15QnU1N3JNN3RwenFlNUpiLGk9NDA5Ng==
Yz1iaXdzLHI9aDhIdE5hcXIvVHJQOHg5a2x5TnhYUE1nT2JDalJ0NjhVNWNKSW5UeWVrcmptdmlRLHA9V1hVWGliY05tYTVZMk9UVExqQnlmWUNJT1NVPQ==
334 dj1pNkgzeW9IWWhVTXJxdERYd3VPaURYM0t6T2s9

235 Authentication succeeded
Client authentication finished (server trusted)...
Session finished...
QUIT
221 sid closing connection
jas@latte:~$ 

/Simon
diff --git a/debian/EDITME.exim4-heavy.diff b/debian/EDITME.exim4-heavy.diff
index b95c091d..d9943647 100644
--- a/debian/EDITME.exim4-heavy.diff
+++ b/debian/EDITME.exim4-heavy.diff
@@ -76,7 +76,7 @@
  
  # If you have content scanning you may wish to only include some of the scanner
  # interfaces.  Uncomment any of these lines to remove that code.
-@@ -757,8 +760,8 @@
+@@ -757,9 +760,9 @@
  # configuration to make use of the mechanism(s) selected.
  
  AUTH_CRAM_MD5=yes
@@ -85,8 +85,10 @@
 +AUTH_CYRUS_SASL=yes
 +AUTH_DOVECOT=yes
  # AUTH_EXTERNAL=yes
- # AUTH_GSASL=yes
+-# AUTH_GSASL=yes
++AUTH_GSASL=yes
  # AUTH_GSASL_PC=libgsasl
+ # AUTH_HEIMDAL_GSSAPI=yes
 @@ -766,8 +769,8 @@
  # AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi
  # AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi heimdal-krb5
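Review bot: `+AUTH_GSASL=yes` is switched on while the context line `# AUTH_GSASL_PC=libgsasl` directly below it stays commented, so the library is only found through the hard-coded `-lgsasl` that a later hunk adds to AUTH_LIBS. Consider uncommenting AUTH_GSASL_PC=libgsasl so the compiler and linker flags come from pkg-config, or say in the report why the manual AUTH_LIBS route was chosen.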
@@ -103,7 +105,7 @@
  # Ditto for AUTH_HEIMDAL_GSSAPI(_PC).
  
 -# AUTH_LIBS=-lsasl2
-+AUTH_LIBS=-lsasl2
++AUTH_LIBS=-lsasl2 -lgsasl
  # AUTH_LIBS=-lgsasl
  # AUTH_LIBS=-lgssapi -lheimntlm -lkrb5 -lhx509 -lcom_err -lhcrypto -lasn1 -lwind -lroken -lcrypt
  
diff --git a/debian/changelog b/debian/changelog
index fa073995..681abcbd 100644
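Review bot: the debian/changelog part of the patch is empty, since only the `diff --git` and `index` lines are present and no hunk follows them. Please resend with the changelog entry so its wording and a Closes: #980893 line can be reviewed.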
diff --git a/debian/control b/debian/control
index 31390e45..5ef32e4a 100644
--- a/debian/control
+++ b/debian/control
@@ -17,6 +17,7 @@ Build-Depends:
  docbook-xsl,
  libdb5.3-dev,
  libgnutls28-dev (>= 3.5.7),
+ libgsasl7-dev,
  libident-dev,
  libidn11-dev,
  libidn2-dev,
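Review bot: `libgsasl7-dev` is added to Build-Depends without a version, unlike `libgnutls28-dev (>= 3.5.7)` just above it. If the SCRAM-SHA-256 support mentioned in the report needs a minimum libgsasl release, add that constraint here so a build against an older library does not silently lack the mechanism.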


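The SCRAM-SHA-1 exchange in the gsasl session above can be checked offline. This is an added example, not part of the original message and not exim or libgsasl code: it decodes the four base64 lines and recomputes the RFC 5802 client proof and server signature for a given password. The names `decode`, `attrs` and `check` are this example's own, and SASLprep is skipped on the assumption of an ASCII password.

```python
import base64, hashlib, hmac

# Base64 lines copied from the session above, in order: client-first,
# server-first, client-final, server-final.
PAGE_B64 = [
    "biwsbj1qYXMscj1oOEh0TmFxci9UclA4eDlrbHlOeFhQTWc=",
    "cj1oOEh0TmFxci9UclA4eDlrbHlOeFhQTWdPYkNqUnQ2OFU1Y0pJblR5ZWtyam12aVEscz15QnU1N3JNN3RwenFlNUpiLGk9NDA5Ng==",
    "Yz1iaXdzLHI9aDhIdE5hcXIvVHJQOHg5a2x5TnhYUE1nT2JDalJ0NjhVNWNKSW5UeWVrcmptdmlRLHA9V1hVWGliY05tYTVZMk9UVExqQnlmWUNJT1NVPQ==",
    "dj1pNkgzeW9IWWhVTXJxdERYd3VPaURYM0t6T2s9",
]

def decode(b64_lines):
    """Return the four SCRAM messages as text."""
    return [base64.b64decode(line).decode("utf-8") for line in b64_lines]

def attrs(message):
    """Split 'k=v,k=v' into a dict (values may themselves contain '=')."""
    return dict(part.split("=", 1) for part in message.split(","))

def check(messages, password, hash_name="sha1"):
    """Recompute the RFC 5802 values for one exchange and compare them."""
    c_first, s_first, c_final, s_final = messages
    flag, authzid, bare = c_first.split(",", 2)   # gs2 header, then bare message
    gs2 = f"{flag},{authzid},".encode()
    srv, fin, cli = attrs(s_first), attrs(c_final), attrs(bare)
    without_proof = c_final.rsplit(",p=", 1)[0]
    auth_message = f"{bare},{s_first},{without_proof}".encode()

    def mac(key, data):
        return hmac.new(key, data, hash_name).digest()

    # Hi() is PBKDF2 with a single output block (assumption: ASCII password).
    salted = hashlib.pbkdf2_hmac(hash_name, password.encode(),
                                 base64.b64decode(srv["s"]), int(srv["i"]))
    client_key = mac(salted, b"Client Key")
    stored_key = hashlib.new(hash_name, client_key).digest()
    proof = bytes(a ^ b for a, b in zip(client_key, mac(stored_key, auth_message)))
    server_sig = mac(mac(salted, b"Server Key"), auth_message)
    return {
        "iterations": int(srv["i"]),
        # The server must extend the client nonce, and the client must echo it.
        "nonce_ok": (srv["r"].startswith(cli["r"]) and len(srv["r"]) > len(cli["r"])
                     and fin["r"] == srv["r"]),
        "cbind_ok": base64.b64decode(fin["c"]) == gs2,
        "proof_ok": hmac.compare_digest(proof, base64.b64decode(fin["p"])),
        "server_sig_ok": hmac.compare_digest(
            server_sig, base64.b64decode(attrs(s_final)["v"])),
    }

if __name__ == "__main__":
    print(check(decode(PAGE_B64), "foo"))  # password from the server config above
```

The same four messages are all that is needed to test a password against the exchange, so outside a test setup like this one (run with --no-starttls) the AUTH dialogue belongs inside STARTTLS.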