From: Karl Fleischmann
Date: Tue, 28 Apr 2026 11:41:12 +0000 (+0200)
Subject: lib-auth: scram - Add test to ensure invalid client proof is rejected
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=56f53bed556cefd050dbcbcaa673264354625a1d;p=thirdparty%2Fdovecot%2Fcore.git
lib-auth: scram - Add test to ensure invalid client proof is rejected
---
diff --git a/src/lib-auth/test-auth-scram.c b/src/lib-auth/test-auth-scram.c
index 5f13d5495a..88a0d965ea 100644
--- a/src/lib-auth/test-auth-scram.c
+++ b/src/lib-auth/test-auth-scram.c
@@ -173,6 +173,15 @@ test_auth_client_output(struct backend_context *bctx,
 case 21:
 output = "n,,n=frop,r=0980923401388";
 break;
+ case 22:
+ output = "p";
+ break;
+ case 23:
+ output = "p=";
+ break;
+ case 24:
+ output = "p.a";
+ break;
 default:
 auth_scram_client_output(&bctx->asclient, output_r,
 output_len_r);
@@ -219,6 +228,18 @@ test_auth_client_output(struct backend_context *bctx,
 "q=frop", NULL);
 break;
+ case 25:
+ output = t_strconcat(parts[0], ",", parts[1], ",",
+ "p", NULL);
+ break;
+ case 26:
+ output = t_strconcat(parts[0], ",", parts[1], ",",
+ "p=", NULL);
+ break;
+ case 27:
+ output = t_strconcat(parts[0], ",", parts[1], ",",
+ "p.a", NULL);
+ break;
 default:
 return;
 }
 
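Review bot: Cases 22–24 replace the whole client message with `p`, `p=` or `p.a`, so they probably never reach the proof check that the labels in the third hunk ("invalid client proof") name. Judging by case 21 just above, this switch substitutes the client-first message, where a leading `p` is the GS2 channel-binding flag (RFC 5802) rather than the proof attribute; sent as a client-final message it would instead lack the `c=` and `r=` attributes that precede the proof. Either way the server can answer with a protocol violation without ever parsing a proof, so these tests would still pass if the proof validation regressed. I would relabel the three as channel-binding-flag tests or add a comment such as `/* bare 'p' as the entire message: exercises gs2-cbind-flag parsing, not the proof attribute */`. The start of the switch and the code that decides which message is replaced are outside the hunk, so this needs confirming against the full function.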
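Review bot: Cases 25–27 cover only a syntactically broken `p` attribute (no `=`, empty value, wrong separator); none of them sends a well-formed `p=` whose value is not valid base64 or decodes to the wrong length for the hash. If no earlier case outside this hunk covers that, it is worth adding one next to these, because such input presumably passes the attribute-syntax check and is the first to exercise decoding and comparison of the proof. A short comment above case 25, e.g. `/* client-final with c= and r= intact; only the proof attribute is malformed */`, would also make clear that `parts[0]` and `parts[1]` are kept so the rejection can be attributed to the last attribute. The enclosing switch starts before the hunk.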
@@ -542,6 +563,42 @@ static void test_auth_server_error(void)
 &hash_method_sha1, AUTH_SCRAM_CBIND_SERVER_SUPPORT_REQUIRED,
 AUTH_SCRAM_SERVER_ERROR_PROTOCOL_VIOLATION, 21);
 test_end();
+
+ test_begin("auth server error sha1 - invalid client proof (missing '=' and payload)");
+ test_auth_server_error_one(
+ &hash_method_sha1, AUTH_SCRAM_CBIND_SERVER_SUPPORT_AVAILABLE,
+ AUTH_SCRAM_SERVER_ERROR_PROTOCOL_VIOLATION, 22);
+ test_end();
+
+ test_begin("auth server error sha1 - invalid client proof (missing payload)");
+ test_auth_server_error_one(
+ &hash_method_sha1, AUTH_SCRAM_CBIND_SERVER_SUPPORT_AVAILABLE,
+ AUTH_SCRAM_SERVER_ERROR_PROTOCOL_VIOLATION, 23);
+ test_end();
+
+ test_begin("auth server error sha1 - invalid client proof (missing '=')");
+ test_auth_server_error_one(
+ &hash_method_sha1, AUTH_SCRAM_CBIND_SERVER_SUPPORT_AVAILABLE,
+ AUTH_SCRAM_SERVER_ERROR_PROTOCOL_VIOLATION, 24);
+ test_end();
+
+ test_begin("auth server error sha1 - invalid client proof in final (missing '=' and payload)");
+ test_auth_server_error_one(
+ &hash_method_sha1, AUTH_SCRAM_CBIND_SERVER_SUPPORT_NONE,
+ AUTH_SCRAM_SERVER_ERROR_PROTOCOL_VIOLATION, 25);
+ test_end();
+
+ test_begin("auth server error sha1 - invalid client proof in final (missing payload)");
+ test_auth_server_error_one(
+ &hash_method_sha1, AUTH_SCRAM_CBIND_SERVER_SUPPORT_NONE,
+ AUTH_SCRAM_SERVER_ERROR_PROTOCOL_VIOLATION, 26);
+ test_end();
+
+ test_begin("auth server error sha1 - invalid client proof in final (missing '=')");
+ test_auth_server_error_one(
+ &hash_method_sha1, AUTH_SCRAM_CBIND_SERVER_SUPPORT_NONE,
+ AUTH_SCRAM_SERVER_ERROR_PROTOCOL_VIOLATION, 27);
+ test_end();
 }
 
 int main(void)
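Review bot: Tests 22–24 run with `AUTH_SCRAM_CBIND_SERVER_SUPPORT_AVAILABLE` and tests 25–27 with `AUTH_SCRAM_CBIND_SERVER_SUPPORT_NONE`, and nothing in the hunk says why the channel-binding mode differs between the two groups. Because every test asserts only `AUTH_SCRAM_SERVER_ERROR_PROTOCOL_VIOLATION`, a reader cannot tell whether the expected rejection depends on that mode or on the malformed `p` alone. A one-line comment above each group stating the reason for the chosen mode would settle it, for example `/* cbind NONE: the rejection must come from the proof attribute, not from channel binding */` above test 25 if that is the intent. Running each malformed input under both modes would additionally show that the result does not hinge on the server's channel-binding configuration.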