[exim.git] / src / src / auths / spa.c

/*************************************************
*     Exim - an Internet mail transport agent    *
*************************************************/

/* Copyright (c) University of Cambridge 1995 - 2018 */
/* Copyright (c) The Exim Maintainers 2020 */
/* See the file NOTICE for conditions of use and distribution. */

/* This file, which provides support for Microsoft's Secure Password
Authentication, was contributed by Marc Prud'hommeaux. Tom Kistner added SPA
server support. I (PH) have only modified it in very trivial ways.

References:
  http://www.innovation.ch/java/ntlm.html
  http://www.kuro5hin.org/story/2002/4/28/1436/66154
  http://download.microsoft.com/download/9/5/e/95ef66af-9026-4bb0-a41d-a4f81802d92c/%5bMS-SMTP%5d.pdf

 * It seems that some systems have existing but different definitions of some
 * of the following types. I received a complaint about "int16" causing
 * compilation problems. So I (PH) have renamed them all, to be on the safe
 * side, by adding 'x' on the end. See auths/auth-spa.h.

 * typedef signed short int16;
 * typedef unsigned short uint16;
 * typedef unsigned uint32;
 * typedef unsigned char  uint8;

07-August-2003:  PH: Patched up the code to avoid assert bombouts for stupid
                     input data. Find appropriate comment by grepping for "PH".
16-October-2006: PH: Added a call to auth_check_serv_cond() at the end
05-June-2010:    PP: handle SASL initial response
*/


#include "../exim.h"
#include "spa.h"

/* #define DEBUG_SPA */

#ifdef DEBUG_SPA
#define DSPA(x,y,z)   debug_printf(x,y,z)
#else
#define DSPA(x,y,z)
#endif

/* Options specific to the spa authentication mechanism. */

optionlist auth_spa_options[] = {
  { "client_domain",             opt_stringptr,
      OPT_OFF(auth_spa_options_block, spa_domain) },
  { "client_password",           opt_stringptr,
      OPT_OFF(auth_spa_options_block, spa_password) },
  { "client_username",           opt_stringptr,
      OPT_OFF(auth_spa_options_block, spa_username) },
  { "server_password",           opt_stringptr,
      OPT_OFF(auth_spa_options_block, spa_serverpassword) }
};

/* Size of the options list. An extern variable has to be used so that its
address can appear in the tables drtables.c. */

int auth_spa_options_count =
  sizeof(auth_spa_options)/sizeof(optionlist);

/* Default private options block for the condition authentication method. */

auth_spa_options_block auth_spa_option_defaults = {
  NULL,              /* spa_password */
  NULL,              /* spa_username */
  NULL,              /* spa_domain */
  NULL               /* spa_serverpassword (for server side use) */
};


#ifdef MACRO_PREDEF

/* Dummy values */
void auth_spa_init(auth_instance *ablock) {}
int auth_spa_server(auth_instance *ablock, uschar *data) {return 0;}
int auth_spa_client(auth_instance *ablock, void * sx, int timeout,
    uschar *buffer, int buffsize) {return 0;}

#else   /*!MACRO_PREDEF*/


/*************************************************
*          Initialization entry point            *
*************************************************/

/* Called for each instance, after its options have been read, to
enable consistency checks to be done, or anything else that needs
to be set up. */

void
auth_spa_init(auth_instance *ablock)
{
auth_spa_options_block *ob =
  (auth_spa_options_block *)(ablock->options_block);

/* The public name defaults to the authenticator name */

if (ablock->public_name == NULL) ablock->public_name = ablock->name;

/* Both username and password must be set for a client */

if ((ob->spa_username == NULL) != (ob->spa_password == NULL))
  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator:\n  "
      "one of client_username and client_password cannot be set without "
      "the other", ablock->name);
ablock->client = ob->spa_username != NULL;

/* For a server we have just one option */

ablock->server = ob->spa_serverpassword != NULL;
}


/*************************************************
*             Server entry point                 *
*************************************************/

/* For interface, see auths/README */

#define CVAL(buf,pos) ((US (buf))[pos])
#define PVAL(buf,pos) ((unsigned)CVAL(buf,pos))
#define SVAL(buf,pos) (PVAL(buf,pos)|PVAL(buf,(pos)+1)<<8)
#define IVAL(buf,pos) (SVAL(buf,pos)|SVAL(buf,(pos)+2)<<16)

int
auth_spa_server(auth_instance *ablock, uschar *data)
{
auth_spa_options_block *ob = (auth_spa_options_block *)(ablock->options_block);
uint8x lmRespData[24];
uint8x ntRespData[24];
SPAAuthRequest request;
SPAAuthChallenge challenge;
SPAAuthResponse  response;
SPAAuthResponse  *responseptr = &response;
uschar msgbuf[2048];
uschar *clearpass, *s;
unsigned off;

/* send a 334, MS Exchange style, and grab the client's request,
unless we already have it via an initial response. */

if (!*data && auth_get_no64_data(&data, US"NTLM supported") != OK)
  return FAIL;

if (spa_base64_to_bits(CS &request, sizeof(request), CCS data) < 0)
  {
  DEBUG(D_auth) debug_printf("auth_spa_server(): bad base64 data in "
    "request: %s\n", data);
  return FAIL;
  }

/* create a challenge and send it back */

spa_build_auth_challenge(&request, &challenge);
spa_bits_to_base64(msgbuf, US &challenge, spa_request_length(&challenge));

if (auth_get_no64_data(&data, msgbuf) != OK)
  return FAIL;

/* dump client response */
if (spa_base64_to_bits(CS &response, sizeof(response), CCS data) < 0)
  {
  DEBUG(D_auth) debug_printf("auth_spa_server(): bad base64 data in "
    "response: %s\n", data);
  return FAIL;
  }

/***************************************************************
PH 07-Aug-2003: The original code here was this:

Ustrcpy(msgbuf, unicodeToString(((char*)responseptr) +
  IVAL(&responseptr->uUser.offset,0),
  SVAL(&responseptr->uUser.len,0)/2) );

However, if the response data is too long, unicodeToString bombs out on
an assertion failure. It uses a 1024 fixed buffer. Bombing out is not a good
idea. It's too messy to try to rework that function to return an error because
it is called from a number of other places in the auth-spa.c module. Instead,
since it is a very small function, I reproduce its code here, with a size check
that causes failure if the size of msgbuf is exceeded. ****/

  {
  int i;
  char * p;
  int len = SVAL(&responseptr->uUser.len,0)/2;

  if (  (off = IVAL(&responseptr->uUser.offset,0)) >= sizeof(SPAAuthResponse)
     || len >= sizeof(responseptr->buffer)/2
     || (p = (CS responseptr) + off) + len*2 >= CS (responseptr+1)
     )
    {
    DEBUG(D_auth)
      debug_printf("auth_spa_server(): bad uUser spec in response\n");
    return FAIL;
    }

  if (len + 1 >= sizeof(msgbuf)) return FAIL;
  for (i = 0; i < len; ++i)
    {
    msgbuf[i] = *p & 0x7f;
    p += 2;
    }
  msgbuf[i] = 0;
  }

/***************************************************************/

/* Put the username in $auth1 and $1. The former is now the preferred variable;
the latter is the original variable. These have to be out of stack memory, and
need to be available once known even if not authenticated, for error messages
(server_set_id, which only makes it to authenticated_id if we return OK) */

auth_vars[0] = expand_nstring[1] = string_copy(msgbuf);
expand_nlength[1] = Ustrlen(msgbuf);
expand_nmax = 1;

debug_print_string(ablock->server_debug_string);    /* customized debug */

/* look up password */

if (!(clearpass = expand_string(ob->spa_serverpassword)))
  if (f.expand_string_forcedfail)
    {
    DEBUG(D_auth) debug_printf("auth_spa_server(): forced failure while "
      "expanding spa_serverpassword\n");
    return FAIL;
    }
  else
    {
    DEBUG(D_auth) debug_printf("auth_spa_server(): error while expanding "
      "spa_serverpassword: %s\n", expand_string_message);
    return DEFER;
    }

/* create local hash copy */

spa_smb_encrypt(clearpass, challenge.challengeData, lmRespData);
spa_smb_nt_encrypt(clearpass, challenge.challengeData, ntRespData);

/* compare NT hash (LM may not be available) */

off = IVAL(&responseptr->ntResponse.offset,0);
if (off >= sizeof(SPAAuthResponse) - 24)
  {
  DEBUG(D_auth)
    debug_printf("auth_spa_server(): bad ntRespData spec in response\n");
  return FAIL;
  }
s = (US responseptr) + off;

if (memcmp(ntRespData, s, 24) == 0)
  return auth_check_serv_cond(ablock);	/* success. we have a winner. */

  /* Expand server_condition as an authorization check (PH) */

return FAIL;
}


/*************************************************
*              Client entry point                *
*************************************************/

/* For interface, see auths/README */

int
auth_spa_client(
  auth_instance *ablock,                 /* authenticator block */
  void * sx,				 /* connection */
  int timeout,                           /* command timeout */
  uschar *buffer,                        /* buffer for reading response */
  int buffsize)                          /* size of buffer */
{
auth_spa_options_block *ob =
       (auth_spa_options_block *)(ablock->options_block);
SPAAuthRequest   request;
SPAAuthChallenge challenge;
SPAAuthResponse  response;
char msgbuf[2048];
char *domain = NULL;
char *username, *password;

/* Code added by PH to expand the options */

*buffer = 0;    /* Default no message when cancelled */

if (!(username = CS expand_string(ob->spa_username)))
  {
  if (f.expand_string_forcedfail) return CANCELLED;
  string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
   "authenticator: %s", ob->spa_username, ablock->name,
   expand_string_message);
  return ERROR;
  }

if (!(password = CS expand_string(ob->spa_password)))
  {
  if (f.expand_string_forcedfail) return CANCELLED;
  string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
   "authenticator: %s", ob->spa_password, ablock->name,
   expand_string_message);
  return ERROR;
  }

if (ob->spa_domain)
  if (!(domain = CS expand_string(ob->spa_domain)))
    {
    if (f.expand_string_forcedfail) return CANCELLED;
    string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
		  "authenticator: %s", ob->spa_domain, ablock->name,
		  expand_string_message);
    return ERROR;
    }

/* Original code */

if (smtp_write_command(sx, SCMD_FLUSH, "AUTH %s\r\n", ablock->public_name) < 0)
  return FAIL_SEND;

/* wait for the 3XX OK message */
if (!smtp_read_response(sx, US buffer, buffsize, '3', timeout))
  return FAIL;

DSPA("\n\n%s authenticator: using domain %s\n\n", ablock->name, domain);

spa_build_auth_request(&request, CS username, domain);
spa_bits_to_base64(US msgbuf, US &request, spa_request_length(&request));

DSPA("\n\n%s authenticator: sending request (%s)\n\n", ablock->name, msgbuf);

/* send the encrypted password */
if (smtp_write_command(sx, SCMD_FLUSH, "%s\r\n", msgbuf) < 0)
  return FAIL_SEND;

/* wait for the auth challenge */
if (!smtp_read_response(sx, US buffer, buffsize, '3', timeout))
  return FAIL;

/* convert the challenge into the challenge struct */
DSPA("\n\n%s authenticator: challenge (%s)\n\n", ablock->name, buffer + 4);
spa_base64_to_bits(CS (&challenge), sizeof(challenge), CCS (buffer + 4));

spa_build_auth_response(&challenge, &response, CS username, CS password);
spa_bits_to_base64(US msgbuf, US &response, spa_request_length(&response));
DSPA("\n\n%s authenticator: challenge response (%s)\n\n", ablock->name, msgbuf);

/* send the challenge response */
if (smtp_write_command(sx, SCMD_FLUSH, "%s\r\n", msgbuf) < 0)
       return FAIL_SEND;

/* If we receive a success response from the server, authentication
has succeeded. There may be more data to send, but is there any point
in provoking an error here? */

if (smtp_read_response(sx, US buffer, buffsize, '2', timeout))
  return OK;

/* Not a success response. If errno != 0 there is some kind of transmission
error. Otherwise, check the response code in the buffer. If it starts with
'3', more data is expected. */

if (errno != 0 || buffer[0] != '3')
  return FAIL;

return FAIL;
}

#endif   /*!MACRO_PREDEF*/
/* End of spa.c */
Commit	Line	Data
0756eb3c PH	1	/*************************************************
	2	* Exim - an Internet mail transport agent *
	3	*************************************************/
	4
f9ba5e22	5	/* Copyright (c) University of Cambridge 1995 - 2018 */
1e1ddfac	6	/* Copyright (c) The Exim Maintainers 2020 */
0756eb3c PH	7	/* See the file NOTICE for conditions of use and distribution. */
	8
	9	/* This file, which provides support for Microsoft's Secure Password
	10	Authentication, was contributed by Marc Prud'hommeaux. Tom Kistner added SPA
	11	server support. I (PH) have only modified it in very trivial ways.
	12
	13	References:
	14	http://www.innovation.ch/java/ntlm.html
	15	http://www.kuro5hin.org/story/2002/4/28/1436/66154
55c75993	16	http://download.microsoft.com/download/9/5/e/95ef66af-9026-4bb0-a41d-a4f81802d92c/%5bMS-SMTP%5d.pdf
0756eb3c PH	17
	18	* It seems that some systems have existing but different definitions of some
	19	* of the following types. I received a complaint about "int16" causing
	20	* compilation problems. So I (PH) have renamed them all, to be on the safe
	21	* side, by adding 'x' on the end. See auths/auth-spa.h.
	22
	23	* typedef signed short int16;
	24	* typedef unsigned short uint16;
	25	* typedef unsigned uint32;
	26	* typedef unsigned char uint8;
	27
16ff981e PH	28	07-August-2003: PH: Patched up the code to avoid assert bombouts for stupid
	29	input data. Find appropriate comment by grepping for "PH".
	30	16-October-2006: PH: Added a call to auth_check_serv_cond() at the end
55c75993	31	05-June-2010: PP: handle SASL initial response
0756eb3c PH	32	*/
	33
	34
	35	#include "../exim.h"
	36	#include "spa.h"
	37
	38	/* #define DEBUG_SPA */
	39
	40	#ifdef DEBUG_SPA
	41	#define DSPA(x,y,z) debug_printf(x,y,z)
	42	#else
	43	#define DSPA(x,y,z)
	44	#endif
	45
	46	/* Options specific to the spa authentication mechanism. */
	47
	48	optionlist auth_spa_options[] = {
	49	{ "client_domain", opt_stringptr,
13a4b4c1	50	OPT_OFF(auth_spa_options_block, spa_domain) },
0756eb3c	51	{ "client_password", opt_stringptr,
13a4b4c1	52	OPT_OFF(auth_spa_options_block, spa_password) },
0756eb3c	53	{ "client_username", opt_stringptr,
13a4b4c1	54	OPT_OFF(auth_spa_options_block, spa_username) },
0756eb3c	55	{ "server_password", opt_stringptr,
13a4b4c1	56	OPT_OFF(auth_spa_options_block, spa_serverpassword) }
0756eb3c PH	57	};
	58
	59	/* Size of the options list. An extern variable has to be used so that its
	60	address can appear in the tables drtables.c. */
	61
	62	int auth_spa_options_count =
	63	sizeof(auth_spa_options)/sizeof(optionlist);
	64
4c04137d	65	/* Default private options block for the condition authentication method. */
0756eb3c PH	66
	67	auth_spa_options_block auth_spa_option_defaults = {
	68	NULL, /* spa_password */
	69	NULL, /* spa_username */
	70	NULL, /* spa_domain */
	71	NULL /* spa_serverpassword (for server side use) */
	72	};
	73
	74
d185889f JH	75	#ifdef MACRO_PREDEF
	76
	77	/* Dummy values */
	78	void auth_spa_init(auth_instance *ablock) {}
	79	int auth_spa_server(auth_instance ablock, uschar data) {return 0;}
251b9eb4 JH	80	int auth_spa_client(auth_instance ablock, void sx, int timeout,
251b9eb4 JH	81	uschar *buffer, int buffsize) {return 0;}
d185889f JH	82
	83	#else /!MACRO_PREDEF/
	84
	85
	86
	87
0756eb3c PH	88	/*************************************************
	89	* Initialization entry point *
	90	*************************************************/
	91
	92	/* Called for each instance, after its options have been read, to
	93	enable consistency checks to be done, or anything else that needs
	94	to be set up. */
	95
	96	void
	97	auth_spa_init(auth_instance *ablock)
	98	{
	99	auth_spa_options_block *ob =
	100	(auth_spa_options_block *)(ablock->options_block);
	101
	102	/* The public name defaults to the authenticator name */
	103
	104	if (ablock->public_name == NULL) ablock->public_name = ablock->name;
	105
	106	/* Both username and password must be set for a client */
	107
	108	if ((ob->spa_username == NULL) != (ob->spa_password == NULL))
	109	log_write(0, LOG_PANIC_DIE\|LOG_CONFIG_FOR, "%s authenticator:\n "
	110	"one of client_username and client_password cannot be set without "
	111	"the other", ablock->name);
	112	ablock->client = ob->spa_username != NULL;
	113
	114	/* For a server we have just one option */
	115
	116	ablock->server = ob->spa_serverpassword != NULL;
	117	}
	118
	119
	120
	121	/*************************************************
	122	* Server entry point *
	123	*************************************************/
	124
	125	/* For interface, see auths/README */
	126
5903c6ff	127	#define CVAL(buf,pos) ((US (buf))[pos])
0756eb3c PH	128	#define PVAL(buf,pos) ((unsigned)CVAL(buf,pos))
	129	#define SVAL(buf,pos) (PVAL(buf,pos)\|PVAL(buf,(pos)+1)<<8)
	130	#define IVAL(buf,pos) (SVAL(buf,pos)\|SVAL(buf,(pos)+2)<<16)
	131
	132	int
	133	auth_spa_server(auth_instance ablock, uschar data)
	134	{
	135	auth_spa_options_block ob = (auth_spa_options_block )(ablock->options_block);
	136	uint8x lmRespData[24];
	137	uint8x ntRespData[24];
	138	SPAAuthRequest request;
	139	SPAAuthChallenge challenge;
	140	SPAAuthResponse response;
	141	SPAAuthResponse *responseptr = &response;
	142	uschar msgbuf[2048];
57aa14b2	143	uschar clearpass, s;
a04174dc	144	unsigned off;
0756eb3c	145
55c75993 PP	146	/* send a 334, MS Exchange style, and grab the client's request,
55c75993 PP	147	unless we already have it via an initial response. */
0756eb3c	148
99dbdcf4	149	if (!*data && auth_get_no64_data(&data, US"NTLM supported") != OK)
0756eb3c	150	return FAIL;
0756eb3c	151
99dbdcf4	152	if (spa_base64_to_bits(CS &request, sizeof(request), CCS data) < 0)
0756eb3c PH	153	{
0756eb3c PH	154	DEBUG(D_auth) debug_printf("auth_spa_server(): bad base64 data in "
99dbdcf4	155	"request: %s\n", data);
0756eb3c PH	156	return FAIL;
	157	}
	158
	159	/* create a challenge and send it back */
	160
99dbdcf4 JH	161	spa_build_auth_challenge(&request, &challenge);
99dbdcf4 JH	162	spa_bits_to_base64(msgbuf, US &challenge, spa_request_length(&challenge));
0756eb3c PH	163
0756eb3c PH	164	if (auth_get_no64_data(&data, msgbuf) != OK)
0756eb3c	165	return FAIL;
0756eb3c PH	166
0756eb3c PH	167	/* dump client response */
99dbdcf4	168	if (spa_base64_to_bits(CS &response, sizeof(response), CCS data) < 0)
0756eb3c PH	169	{
0756eb3c PH	170	DEBUG(D_auth) debug_printf("auth_spa_server(): bad base64 data in "
99dbdcf4	171	"response: %s\n", data);
0756eb3c PH	172	return FAIL;
	173	}
	174
0756eb3c PH	175	/***************************************************************
	176	PH 07-Aug-2003: The original code here was this:
	177
	178	Ustrcpy(msgbuf, unicodeToString(((char*)responseptr) +
	179	IVAL(&responseptr->uUser.offset,0),
	180	SVAL(&responseptr->uUser.len,0)/2) );
	181
	182	However, if the response data is too long, unicodeToString bombs out on
	183	an assertion failure. It uses a 1024 fixed buffer. Bombing out is not a good
	184	idea. It's too messy to try to rework that function to return an error because
	185	it is called from a number of other places in the auth-spa.c module. Instead,
	186	since it is a very small function, I reproduce its code here, with a size check
	187	that causes failure if the size of msgbuf is exceeded. ****/
	188
	189	{
	190	int i;
a04174dc	191	char * p;
0756eb3c PH	192	int len = SVAL(&responseptr->uUser.len,0)/2;
0756eb3c PH	193
a04174dc JH	194	if ( (off = IVAL(&responseptr->uUser.offset,0)) >= sizeof(SPAAuthResponse)
	195	\|\| len >= sizeof(responseptr->buffer)/2
	196	\|\| (p = (CS responseptr) + off) + len*2 >= CS (responseptr+1)
	197	)
57aa14b2 JH	198	{
	199	DEBUG(D_auth)
	200	debug_printf("auth_spa_server(): bad uUser spec in response\n");
	201	return FAIL;
	202	}
	203
0756eb3c PH	204	if (len + 1 >= sizeof(msgbuf)) return FAIL;
	205	for (i = 0; i < len; ++i)
	206	{
	207	msgbuf[i] = *p & 0x7f;
	208	p += 2;
	209	}
	210	msgbuf[i] = 0;
	211	}
	212
	213	/***************************************************************/
	214
f78eb7c6	215	/* Put the username in $auth1 and $1. The former is now the preferred variable;
f68fe5f6 PP	216	the latter is the original variable. These have to be out of stack memory, and
	217	need to be available once known even if not authenticated, for error messages
	218	(server_set_id, which only makes it to authenticated_id if we return OK) */
f78eb7c6	219
f68fe5f6	220	auth_vars[0] = expand_nstring[1] = string_copy(msgbuf);
0756eb3c PH	221	expand_nlength[1] = Ustrlen(msgbuf);
	222	expand_nmax = 1;
	223
f78eb7c6 PH	224	debug_print_string(ablock->server_debug_string); /* customized debug */
f78eb7c6 PH	225
0756eb3c PH	226	/* look up password */
0756eb3c PH	227
99dbdcf4	228	if (!(clearpass = expand_string(ob->spa_serverpassword)))
8768d548	229	if (f.expand_string_forcedfail)
0756eb3c PH	230	{
	231	DEBUG(D_auth) debug_printf("auth_spa_server(): forced failure while "
	232	"expanding spa_serverpassword\n");
f68fe5f6	233	return FAIL;
0756eb3c PH	234	}
	235	else
	236	{
	237	DEBUG(D_auth) debug_printf("auth_spa_server(): error while expanding "
	238	"spa_serverpassword: %s\n", expand_string_message);
f68fe5f6	239	return DEFER;
0756eb3c	240	}
0756eb3c PH	241
	242	/* create local hash copy */
	243
99dbdcf4 JH	244	spa_smb_encrypt(clearpass, challenge.challengeData, lmRespData);
99dbdcf4 JH	245	spa_smb_nt_encrypt(clearpass, challenge.challengeData, ntRespData);
0756eb3c PH	246
	247	/* compare NT hash (LM may not be available) */
	248
a04174dc JH	249	off = IVAL(&responseptr->ntResponse.offset,0);
a04174dc JH	250	if (off >= sizeof(SPAAuthResponse) - 24)
57aa14b2 JH	251	{
	252	DEBUG(D_auth)
	253	debug_printf("auth_spa_server(): bad ntRespData spec in response\n");
	254	return FAIL;
	255	}
a04174dc	256	s = (US responseptr) + off;
57aa14b2 JH	257
57aa14b2 JH	258	if (memcmp(ntRespData, s, 24) == 0)
99dbdcf4	259	return auth_check_serv_cond(ablock); /* success. we have a winner. */
16ff981e PH	260
16ff981e PH	261	/* Expand server_condition as an authorization check (PH) */
0756eb3c	262
f68fe5f6	263	return FAIL;
0756eb3c PH	264	}
	265
	266
	267	/*************************************************
	268	* Client entry point *
	269	*************************************************/
	270
	271	/* For interface, see auths/README */
	272
	273	int
	274	auth_spa_client(
	275	auth_instance ablock, / authenticator block */
251b9eb4	276	void * sx, /* connection */
0756eb3c PH	277	int timeout, /* command timeout */
	278	uschar buffer, / buffer for reading response */
	279	int buffsize) /* size of buffer */
	280	{
4e910c01 JH	281	auth_spa_options_block *ob =
	282	(auth_spa_options_block *)(ablock->options_block);
	283	SPAAuthRequest request;
	284	SPAAuthChallenge challenge;
	285	SPAAuthResponse response;
	286	char msgbuf[2048];
	287	char *domain = NULL;
	288	char username, password;
	289
	290	/* Code added by PH to expand the options */
	291
	292	buffer = 0; / Default no message when cancelled */
	293
	294	if (!(username = CS expand_string(ob->spa_username)))
	295	{
8768d548	296	if (f.expand_string_forcedfail) return CANCELLED;
4e910c01 JH	297	string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
	298	"authenticator: %s", ob->spa_username, ablock->name,
	299	expand_string_message);
	300	return ERROR;
	301	}
	302
	303	if (!(password = CS expand_string(ob->spa_password)))
	304	{
8768d548	305	if (f.expand_string_forcedfail) return CANCELLED;
4e910c01 JH	306	string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
	307	"authenticator: %s", ob->spa_password, ablock->name,
	308	expand_string_message);
	309	return ERROR;
	310	}
	311
	312	if (ob->spa_domain)
4e910c01 JH	313	if (!(domain = CS expand_string(ob->spa_domain)))
4e910c01 JH	314	{
8768d548	315	if (f.expand_string_forcedfail) return CANCELLED;
4e910c01 JH	316	string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
	317	"authenticator: %s", ob->spa_domain, ablock->name,
	318	expand_string_message);
	319	return ERROR;
	320	}
4e910c01 JH	321
	322	/* Original code */
	323
251b9eb4	324	if (smtp_write_command(sx, SCMD_FLUSH, "AUTH %s\r\n", ablock->public_name) < 0)
4e910c01 JH	325	return FAIL_SEND;
	326
	327	/* wait for the 3XX OK message */
251b9eb4	328	if (!smtp_read_response(sx, US buffer, buffsize, '3', timeout))
4e910c01 JH	329	return FAIL;
	330
	331	DSPA("\n\n%s authenticator: using domain %s\n\n", ablock->name, domain);
	332
99dbdcf4 JH	333	spa_build_auth_request(&request, CS username, domain);
99dbdcf4 JH	334	spa_bits_to_base64(US msgbuf, US &request, spa_request_length(&request));
4e910c01 JH	335
	336	DSPA("\n\n%s authenticator: sending request (%s)\n\n", ablock->name, msgbuf);
	337
	338	/* send the encrypted password */
251b9eb4	339	if (smtp_write_command(sx, SCMD_FLUSH, "%s\r\n", msgbuf) < 0)
4e910c01 JH	340	return FAIL_SEND;
	341
	342	/* wait for the auth challenge */
251b9eb4	343	if (!smtp_read_response(sx, US buffer, buffsize, '3', timeout))
4e910c01 JH	344	return FAIL;
	345
	346	/* convert the challenge into the challenge struct */
	347	DSPA("\n\n%s authenticator: challenge (%s)\n\n", ablock->name, buffer + 4);
99dbdcf4	348	spa_base64_to_bits(CS (&challenge), sizeof(challenge), CCS (buffer + 4));
4e910c01	349
99dbdcf4 JH	350	spa_build_auth_response(&challenge, &response, CS username, CS password);
99dbdcf4 JH	351	spa_bits_to_base64(US msgbuf, US &response, spa_request_length(&response));
4e910c01 JH	352	DSPA("\n\n%s authenticator: challenge response (%s)\n\n", ablock->name, msgbuf);
	353
	354	/* send the challenge response */
251b9eb4	355	if (smtp_write_command(sx, SCMD_FLUSH, "%s\r\n", msgbuf) < 0)
4e910c01 JH	356	return FAIL_SEND;
	357
	358	/* If we receive a success response from the server, authentication
	359	has succeeded. There may be more data to send, but is there any point
	360	in provoking an error here? */
	361
251b9eb4	362	if (smtp_read_response(sx, US buffer, buffsize, '2', timeout))
4e910c01 JH	363	return OK;
	364
	365	/* Not a success response. If errno != 0 there is some kind of transmission
	366	error. Otherwise, check the response code in the buffer. If it starts with
	367	'3', more data is expected. */
	368
	369	if (errno != 0 \|\| buffer[0] != '3')
	370	return FAIL;
	371
	372	return FAIL;
0756eb3c PH	373	}
0756eb3c PH	374
d185889f	375	#endif /!MACRO_PREDEF/
0756eb3c	376	/* End of spa.c */