static void AssertScramSha256PlusTlsUnique(SaslMechanismScramSha256Plus sasl, string prefix)
        {
            const string expected   = "c=cD10bHMtdW5pcXVlLCxpbWFwOi8vZWx3b29kLmlubm9zb2Z0LmNvbS8=,r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,p=r034Wumf+g5Cw9QvuK2TBTWHLa9hsT0TpUvksIr3P0I=";
            const string challenge1 = "r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096";
            const string challenge2 = "v=ZfK3fb1tbWoyTuaEXvUTM2va2RSQgBVJ8QYsympnk8o=";
            const string entropy    = "rOprNGfwEbeRWgbNEkqO";
            string       token;

            sasl.cnonce = entropy;

            Assert.IsTrue(sasl.SupportsChannelBinding, "{0}: SupportsChannelBinding", prefix);
            Assert.IsTrue(sasl.SupportsInitialResponse, "{0}: SupportsInitialResponse", prefix);

            var challenge = Encoding.UTF8.GetString(Convert.FromBase64String(sasl.Challenge(null)));

            Assert.AreEqual("p=tls-unique,,n=user,r=" + entropy, challenge, "{0}: initial SCRAM-SHA-256-PLUS challenge response does not match the expected string.", prefix);
            Assert.IsFalse(sasl.IsAuthenticated, "{0}: should not be authenticated yet.", prefix);

            token     = Convert.ToBase64String(Encoding.UTF8.GetBytes(challenge1));
            challenge = Encoding.UTF8.GetString(Convert.FromBase64String(sasl.Challenge(token)));

            Assert.AreEqual(expected, challenge, "{0}: second SCRAM-SHA-256-PLUS challenge response does not match the expected string.", prefix);
            Assert.IsFalse(sasl.IsAuthenticated, "{0}: should not be authenticated yet.", prefix);

            token     = Convert.ToBase64String(Encoding.UTF8.GetBytes(challenge2));
            challenge = Encoding.UTF8.GetString(Convert.FromBase64String(sasl.Challenge(token)));
            Assert.AreEqual(string.Empty, challenge, "{0}: third SCRAM-SHA-256-PLUS challenge should be an empty string.", prefix);
            Assert.IsTrue(sasl.IsAuthenticated, "{0}: SCRAM-SHA-256-PLUS should be authenticated now.", prefix);
            Assert.IsTrue(sasl.NegotiatedChannelBinding, "{0}: NegotiatedChannelBinding", prefix);
            Assert.IsFalse(sasl.NegotiatedSecurityLayer, "{0}: NegotiatedSecurityLayer", prefix);

            Assert.AreEqual(string.Empty, sasl.Challenge(string.Empty), "{0}: challenge while authenticated.", prefix);
        }
        static void AssertScramSha256PlusTlsServerEndpoint(SaslMechanismScramSha256Plus sasl, string prefix)
        {
            const string expected   = "c=cD10bHMtc2VydmVyLWVuZC1wb2ludCwsaW1hcDovL2Vsd29vZC5pbm5vc29mdC5jb20v,r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,p=5mTXE52q6omlPLhl1OBywbbmUZoqUb8TZ0rQcSODGrg=";
            const string challenge1 = "r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096";
            const string challenge2 = "v=iTfhTdj45V52spZKUcXtZGOkyhurIJ8/UAxKKJZcmRQ=";
            const string entropy    = "rOprNGfwEbeRWgbNEkqO";
            string       token;

            sasl.cnonce = entropy;

            Assert.IsTrue(sasl.SupportsChannelBinding, "{0}: SupportsChannelBinding", prefix);
            Assert.IsTrue(sasl.SupportsInitialResponse, "{0}: SupportsInitialResponse", prefix);

            var challenge = Encoding.UTF8.GetString(Convert.FromBase64String(sasl.Challenge(null)));

            Assert.AreEqual("p=tls-server-end-point,,n=user,r=" + entropy, challenge, "{0}: initial SCRAM-SHA-256-PLUS challenge response does not match the expected string.", prefix);
            Assert.IsFalse(sasl.IsAuthenticated, "{0}: should not be authenticated yet.", prefix);

            token     = Convert.ToBase64String(Encoding.UTF8.GetBytes(challenge1));
            challenge = Encoding.UTF8.GetString(Convert.FromBase64String(sasl.Challenge(token)));

            Assert.AreEqual(expected, challenge, "{0}: second SCRAM-SHA-256-PLUS challenge response does not match the expected string.", prefix);
            Assert.IsFalse(sasl.IsAuthenticated, "{0}: should not be authenticated yet.", prefix);

            token     = Convert.ToBase64String(Encoding.UTF8.GetBytes(challenge2));
            challenge = Encoding.UTF8.GetString(Convert.FromBase64String(sasl.Challenge(token)));
            Assert.AreEqual(string.Empty, challenge, "{0}: third SCRAM-SHA-256-PLUS challenge should be an empty string.", prefix);
            Assert.IsTrue(sasl.IsAuthenticated, "{0}: SCRAM-SHA-256-PLUS should be authenticated now.", prefix);
            Assert.IsTrue(sasl.NegotiatedChannelBinding, "{0}: NegotiatedChannelBinding", prefix);
            Assert.IsFalse(sasl.NegotiatedSecurityLayer, "{0}: NegotiatedSecurityLayer", prefix);

            Assert.AreEqual(string.Empty, sasl.Challenge(string.Empty), "{0}: challenge while authenticated.", prefix);
        }
        public void TestArgumentExceptions()
        {
            var credentials = new NetworkCredential("username", "password");

            var sasl = new SaslMechanismScramSha256(credentials);

            Assert.DoesNotThrow(() => sasl.Challenge(null));

            Assert.Throws <ArgumentNullException> (() => new SaslMechanismScramSha256(null));
            Assert.Throws <ArgumentNullException> (() => new SaslMechanismScramSha256(null, "password"));
            Assert.Throws <ArgumentNullException> (() => new SaslMechanismScramSha256("username", null));

            sasl = new SaslMechanismScramSha256Plus(credentials);
            Assert.DoesNotThrow(() => sasl.Challenge(null));

            Assert.Throws <ArgumentNullException> (() => new SaslMechanismScramSha256Plus(null));
            Assert.Throws <ArgumentNullException> (() => new SaslMechanismScramSha256Plus(null, "password"));
            Assert.Throws <ArgumentNullException> (() => new SaslMechanismScramSha256Plus("username", null));
        }