irctest.server_tests.sasl

RegistrationTestCase

bahamut
bahamut-anope
bahamut-atheme
charybdis
ergo
hybrid
inspircd
inspircd-anope
inspircd-atheme
irc2
ircu2
nefarious
ngircd
ngircd-anope
ngircd-atheme
plexus4
sable
solanum
solanum-anope
solanum-atheme
unrealircd
unrealircd-anope
unrealircd-atheme
testRegistration

d.....d..dddd....d..d..

SaslTestCase

bahamut
bahamut-anope
bahamut-atheme
charybdis
ergo
hybrid
inspircd
inspircd-anope
inspircd-atheme
irc2
ircu2
nefarious
ngircd
ngircd-anope
ngircd-atheme
plexus4
sable
solanum
solanum-anope
solanum-atheme
unrealircd
unrealircd-anope
unrealircd-atheme
testAbort

Tests that the server sends 906 when client aborts authentication.

"The client can abort an authentication by sending an asterisk as the data. The server will send a 906 numeric." -- <https://ircv3.net/specs/extensions/sasl-3.1#the-authenticate-command>

ddd..sd..ddddsss.d..d..
testAuthenticateWithoutCapReq

Tests that AUTHENTICATE without CAP REQ sasl is handled gracefully.

Some servers may allow AUTHENTICATE without first requesting the sasl capability. This test verifies the server handles this case without crashing or misbehaving.

ddd..sd..ddddsss.d..d..
testDifferentAuthzid

Tests authentication with different authzid and authcid.

"The server will [...] verify that the authentication credentials permit the client to act as the (presented or derived) authorization identity (authzid)." -- <https://tools.ietf.org/html/rfc4616#section-2>

This should fail unless the server allows authorization identity impersonation.

ddd..sd..ddddsss.d..d..
testEmptyAuthcid

Tests that authentication fails when authcid (username) is empty.

"If preparation fails or results in an empty string, verification SHALL fail." -- <https://tools.ietf.org/html/rfc4616#section-2>

ddd..sd..ddddsss.d..d..
testEmptyPassword

Tests that authentication fails when password is empty.

"If preparation fails or results in an empty string, verification SHALL fail." -- <https://tools.ietf.org/html/rfc4616#section-2>

ddd..sd..ddddsss.d..d..
testInvalidBase64

Tests that the server rejects invalid base64 in AUTHENTICATE.

ddd..sd..ddddsss.d..d..
testMechanismNotAvailable

"If authentication fails, a 904 or 905 numeric will be sent" -- <http://ircv3.net/specs/extensions/sasl-3.1.html#the-authenticate-command>

ddd..sd..ddddsss.d..d..
testNickUserDuringSasl

NICK and USER within a SASL session should not abort SASL

ddd..sd..ddddsss.d..d..
testNulInPassword[sesa\x00me]

Tests that authentication fails when password contains NUL.

NUL is disallowed in authcid/authzid/passwd (https://tools.ietf.org/html/rfc4616#section-2)

ddd..sd..ddddsss.d..d..
testNulInPassword[sesame\x00]

Tests that authentication fails when password contains NUL.

NUL is disallowed in authcid/authzid/passwd (https://tools.ietf.org/html/rfc4616#section-2)

dddX.sdXXddddsss.dXXdXX
testNulInPassword[sesame\x00extra]

Tests that authentication fails when password contains NUL.

NUL is disallowed in authcid/authzid/passwd (https://tools.ietf.org/html/rfc4616#section-2)

dddX.sd.Xddddsss.d.Xd.X
testPlain

PLAIN authentication with correct username/password.

ddd..sd..ddddsss.d..d..
testPlainFailure

PLAIN authentication with incorrect username/password.

ddd..sd..ddddsss.d..d..
testPlainLarge

Test the client splits large AUTHENTICATE messages whose payload is not a multiple of 400. <http://ircv3.net/specs/extensions/sasl-3.1.html#the-authenticate-command>

ddds.sdXsddddsss.dXsdXs
testPlainLarge800

Test AUTHENTICATE with exactly 800-byte payload (two 400-byte chunks).

"If the last chunk was exactly 400 bytes long, it must also be followed by AUTHENTICATE + to signal end of response" -- <https://ircv3.net/specs/extensions/sasl-3.1#the-authenticate-command>

dddsXsdXsddddssssdXsdXs
testPlainLargeEquals400

Test the client splits large AUTHENTICATE messages whose payload is not a multiple of 400. <http://ircv3.net/specs/extensions/sasl-3.1.html#the-authenticate-command>

ddds.sd.sddddsss.d.sd.s
testPlainNoAuthzid

“message = [authzid] UTF8NUL authcid UTF8NUL passwd

[…]

Upon receipt of the message, the server will verify the presented (in the message) authentication identity (authcid) and password (passwd) with the system authentication database, and it will verify that the authentication credentials permit the client to act as the (presented or derived) authorization identity (authzid). If both steps succeed, the user is authenticated.

[…]

When no authorization identity is provided, the server derives an authorization identity from the prepared representation of the provided authentication identity string. This ensures that the derivation of different representations of the authentication identity produces the same authorization identity.” -- <https://tools.ietf.org/html/rfc4616#section-2>

ddd..sd..ddddsss.d..d..
testPlainNonAscii

ddd..sd..ddddsss.d..d..
testPlainPostRegistration

"Servers SHOULD allow a client, authenticated or otherwise, to reauthenticate by sending a new AUTHENTICATE message at any time." -- https://ircv3.net/specs/extensions/sasl-3.2

ddd..sd..ddddssssd..d..
testPlainPostRegistrationAndReAuthenticate

"Servers SHOULD allow a client, authenticated or otherwise, to reauthenticate by sending a new AUTHENTICATE message at any time." -- https://ircv3.net/specs/extensions/sasl-3.2

dddXssd.XddddsXssd.Xd.X
testPlainReAuthenticate

"Servers SHOULD allow a client, authenticated or otherwise, to reauthenticate by sending a new AUTHENTICATE message at any time." -- https://ircv3.net/specs/extensions/sasl-3.2

ddd.ssd.XddddsXssd..d..
testRegistrationDuringSasl

Tests that the server handles registration during SASL gracefully.

"If the client completes registration (with CAP END, NICK, USER and any other necessary messages) while the SASL authentication is still in progress, the server SHOULD abort it and send a 906 numeric, then register the client without authentication." -- <https://ircv3.net/specs/extensions/sasl-3.1>

ddd..sd..ddddsss.d..d..
testRetryAfterFail

Tests that authentication can be retried after failure.

"If authentication fails, a 904 or 905 numeric will be sent and the client MAY retry from the AUTHENTICATE <mechanism> command." -- <https://ircv3.net/specs/extensions/sasl-3.1#the-authenticate-command>

ddd..sd..ddddsss.d..d..
testRetryAfterInvalidBase64

Tests that authentication can be retried after failure.

"If authentication fails, a 904 or 905 numeric will be sent and the client MAY retry from the AUTHENTICATE <mechanism> command." -- <https://ircv3.net/specs/extensions/sasl-3.1#the-authenticate-command>

ddd..sd..ddddsss.d..d..
testSaslMechsContent[non-strict]

Tests that 908 RPL_SASLMECHS contains a valid mechanism list.

"RPL_SASLMECHS MAY be sent in reply to an AUTHENTICATE command which requests an unsupported mechanism." -- <https://ircv3.net/specs/extensions/sasl-3.1#numerics-used-by-this-extension>

"The numeric contains a comma-separated list of mechanisms supported by the server (or network, services). :server 908 <nick> <mechanisms> :are available SASL mechanisms" -- <https://ircv3.net/specs/extensions/sasl-3.1#numerics-used-by-this-extension>

"sasl-mech = 1*20mech-char mech-char = UPPER-ALPHA / DIGIT / HYPHEN / UNDERSCORE" -- https://datatracker.ietf.org/doc/html/rfc4422#section-3.1

The 20-char limit is not enforced unless in strict mode, as ECDSA-NIST256P-CHALLENGE is common on IRC and blessed by IANA.

ddd..sd..ddddsss.d..d..
testSaslMechsContent[strict]

Tests that 908 RPL_SASLMECHS contains a valid mechanism list.

"RPL_SASLMECHS MAY be sent in reply to an AUTHENTICATE command which requests an unsupported mechanism." -- <https://ircv3.net/specs/extensions/sasl-3.1#numerics-used-by-this-extension>

"The numeric contains a comma-separated list of mechanisms supported by the server (or network, services). :server 908 <nick> <mechanisms> :are available SASL mechanisms" -- <https://ircv3.net/specs/extensions/sasl-3.1#numerics-used-by-this-extension>

"sasl-mech = 1*20mech-char mech-char = UPPER-ALPHA / DIGIT / HYPHEN / UNDERSCORE" -- https://datatracker.ietf.org/doc/html/rfc4422#section-3.1

The 20-char limit is not enforced unless in strict mode, as ECDSA-NIST256P-CHALLENGE is common on IRC and blessed by IANA.

dddd.sdddddddddsddddddd
testSaslTooLong

Tests that the server rejects AUTHENTICATE payloads over 400 bytes.

"The response is encoded in Base64 (RFC 4648), then split to 400-byte chunks" -- <https://ircv3.net/specs/extensions/sasl-3.1#the-authenticate-command>

Servers should reply with 905 (ERR_SASLTOOLONG) if a single AUTHENTICATE parameter exceeds 400 bytes.

ddd..sd..ddddsss.d..d..
testScramSha256Failure

ddds.sdssddddssssdssdss

testScramSha256Success

ddds.sdssddddssssdssdss