[exim.git] / src / src / auths / spa.c

/*************************************************
*     Exim - an Internet mail transport agent    *
*************************************************/

/* Copyright (c) University of Cambridge 1995 - 2018 */
/* Copyright (c) The Exim Maintainers 2020 */
/* See the file NOTICE for conditions of use and distribution. */

/* This file, which provides support for Microsoft's Secure Password
Authentication, was contributed by Marc Prud'hommeaux. Tom Kistner added SPA
server support. I (PH) have only modified it in very trivial ways.

References:
  http://www.innovation.ch/java/ntlm.html
  http://www.kuro5hin.org/story/2002/4/28/1436/66154
  http://download.microsoft.com/download/9/5/e/95ef66af-9026-4bb0-a41d-a4f81802d92c/%5bMS-SMTP%5d.pdf

 * It seems that some systems have existing but different definitions of some
 * of the following types. I received a complaint about "int16" causing
 * compilation problems. So I (PH) have renamed them all, to be on the safe
 * side, by adding 'x' on the end. See auths/auth-spa.h.

 * typedef signed short int16;
 * typedef unsigned short uint16;
 * typedef unsigned uint32;
 * typedef unsigned char  uint8;

07-August-2003:  PH: Patched up the code to avoid assert bombouts for stupid
                     input data. Find appropriate comment by grepping for "PH".
16-October-2006: PH: Added a call to auth_check_serv_cond() at the end
05-June-2010:    PP: handle SASL initial response
*/


#include "../exim.h"
#include "spa.h"

/* #define DEBUG_SPA */

#ifdef DEBUG_SPA
#define DSPA(x,y,z)   debug_printf(x,y,z)
#else
#define DSPA(x,y,z)
#endif

/* Options specific to the spa authentication mechanism. */

optionlist auth_spa_options[] = {
  { "client_domain",             opt_stringptr,
      OPT_OFF(auth_spa_options_block, spa_domain) },
  { "client_password",           opt_stringptr,
      OPT_OFF(auth_spa_options_block, spa_password) },
  { "client_username",           opt_stringptr,
      OPT_OFF(auth_spa_options_block, spa_username) },
  { "server_password",           opt_stringptr,
      OPT_OFF(auth_spa_options_block, spa_serverpassword) }
};

/* Size of the options list. An extern variable has to be used so that its
address can appear in the tables drtables.c. */

int auth_spa_options_count =
  sizeof(auth_spa_options)/sizeof(optionlist);

/* Default private options block for the condition authentication method. */

auth_spa_options_block auth_spa_option_defaults = {
  NULL,              /* spa_password */
  NULL,              /* spa_username */
  NULL,              /* spa_domain */
  NULL               /* spa_serverpassword (for server side use) */
};


#ifdef MACRO_PREDEF

/* Dummy values */
void auth_spa_init(auth_instance *ablock) {}
int auth_spa_server(auth_instance *ablock, uschar *data) {return 0;}
int auth_spa_client(auth_instance *ablock, void * sx, int timeout,
    uschar *buffer, int buffsize) {return 0;}

#else   /*!MACRO_PREDEF*/


/*************************************************
*          Initialization entry point            *
*************************************************/

/* Called for each instance, after its options have been read, to
enable consistency checks to be done, or anything else that needs
to be set up. */

void
auth_spa_init(auth_instance *ablock)
{
auth_spa_options_block *ob =
  (auth_spa_options_block *)(ablock->options_block);

/* The public name defaults to the authenticator name */

if (ablock->public_name == NULL) ablock->public_name = ablock->name;

/* Both username and password must be set for a client */

if ((ob->spa_username == NULL) != (ob->spa_password == NULL))
  log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator:\n  "
      "one of client_username and client_password cannot be set without "
      "the other", ablock->name);
ablock->client = ob->spa_username != NULL;

/* For a server we have just one option */

ablock->server = ob->spa_serverpassword != NULL;
}


/*************************************************
*             Server entry point                 *
*************************************************/

/* For interface, see auths/README */

#define CVAL(buf,pos) ((US (buf))[pos])
#define PVAL(buf,pos) ((unsigned)CVAL(buf,pos))
#define SVAL(buf,pos) (PVAL(buf,pos)|PVAL(buf,(pos)+1)<<8)
#define IVAL(buf,pos) (SVAL(buf,pos)|SVAL(buf,(pos)+2)<<16)

int
auth_spa_server(auth_instance *ablock, uschar *data)
{
auth_spa_options_block *ob = (auth_spa_options_block *)(ablock->options_block);
uint8x lmRespData[24];
uint8x ntRespData[24];
SPAAuthRequest request;
SPAAuthChallenge challenge;
SPAAuthResponse  response;
SPAAuthResponse  *responseptr = &response;
uschar msgbuf[2048];
uschar *clearpass, *s;
unsigned off;

/* send a 334, MS Exchange style, and grab the client's request,
unless we already have it via an initial response. */

if (!*data && auth_get_no64_data(&data, US"NTLM supported") != OK)
  return FAIL;

if (spa_base64_to_bits(CS &request, sizeof(request), CCS data) < 0)
  {
  DEBUG(D_auth) debug_printf("auth_spa_server(): bad base64 data in "
    "request: %s\n", data);
  return FAIL;
  }

/* create a challenge and send it back */

spa_build_auth_challenge(&request, &challenge);
spa_bits_to_base64(msgbuf, US &challenge, spa_request_length(&challenge));

if (auth_get_no64_data(&data, msgbuf) != OK)
  return FAIL;

/* dump client response */
if (spa_base64_to_bits(CS &response, sizeof(response), CCS data) < 0)
  {
  DEBUG(D_auth) debug_printf("auth_spa_server(): bad base64 data in "
    "response: %s\n", data);
  return FAIL;
  }

/***************************************************************
PH 07-Aug-2003: The original code here was this:

Ustrcpy(msgbuf, unicodeToString(((char*)responseptr) +
  IVAL(&responseptr->uUser.offset,0),
  SVAL(&responseptr->uUser.len,0)/2) );

However, if the response data is too long, unicodeToString bombs out on
an assertion failure. It uses a 1024 fixed buffer. Bombing out is not a good
idea. It's too messy to try to rework that function to return an error because
it is called from a number of other places in the auth-spa.c module. Instead,
since it is a very small function, I reproduce its code here, with a size check
that causes failure if the size of msgbuf is exceeded. ****/

  {
  int i;
  char * p;
  int len = SVAL(&responseptr->uUser.len,0)/2;

  if (  (off = IVAL(&responseptr->uUser.offset,0)) >= sizeof(SPAAuthResponse)
     || len >= sizeof(responseptr->buffer)/2
     || (p = (CS responseptr) + off) + len*2 >= CS (responseptr+1)
     )
    {
    DEBUG(D_auth)
      debug_printf("auth_spa_server(): bad uUser spec in response\n");
    return FAIL;
    }

  if (len + 1 >= sizeof(msgbuf)) return FAIL;
  for (i = 0; i < len; ++i)
    {
    msgbuf[i] = *p & 0x7f;
    p += 2;
    }
  msgbuf[i] = 0;
  }

/***************************************************************/

/* Put the username in $auth1 and $1. The former is now the preferred variable;
the latter is the original variable. These have to be out of stack memory, and
need to be available once known even if not authenticated, for error messages
(server_set_id, which only makes it to authenticated_id if we return OK) */

auth_vars[0] = expand_nstring[1] = string_copy(msgbuf);
expand_nlength[1] = Ustrlen(msgbuf);
expand_nmax = 1;

debug_print_string(ablock->server_debug_string);    /* customized debug */

/* look up password */

if (!(clearpass = expand_string(ob->spa_serverpassword)))
  if (f.expand_string_forcedfail)
    {
    DEBUG(D_auth) debug_printf("auth_spa_server(): forced failure while "
      "expanding spa_serverpassword\n");
    return FAIL;
    }
  else
    {
    DEBUG(D_auth) debug_printf("auth_spa_server(): error while expanding "
      "spa_serverpassword: %s\n", expand_string_message);
    return DEFER;
    }

/* create local hash copy */

spa_smb_encrypt(clearpass, challenge.challengeData, lmRespData);
spa_smb_nt_encrypt(clearpass, challenge.challengeData, ntRespData);

/* compare NT hash (LM may not be available) */

off = IVAL(&responseptr->ntResponse.offset,0);
if (off >= sizeof(SPAAuthResponse) - 24)
  {
  DEBUG(D_auth)
    debug_printf("auth_spa_server(): bad ntRespData spec in response\n");
  return FAIL;
  }
s = (US responseptr) + off;

if (memcmp(ntRespData, s, 24) == 0)
  return auth_check_serv_cond(ablock);	/* success. we have a winner. */

  /* Expand server_condition as an authorization check (PH) */

return FAIL;
}


/*************************************************
*              Client entry point                *
*************************************************/

/* For interface, see auths/README */

int
auth_spa_client(
  auth_instance *ablock,                 /* authenticator block */
  void * sx,				 /* connection */
  int timeout,                           /* command timeout */
  uschar *buffer,                        /* buffer for reading response */
  int buffsize)                          /* size of buffer */
{
auth_spa_options_block *ob =
       (auth_spa_options_block *)(ablock->options_block);
SPAAuthRequest   request;
SPAAuthChallenge challenge;
SPAAuthResponse  response;
char msgbuf[2048];
char *domain = NULL;
char *username, *password;

/* Code added by PH to expand the options */

*buffer = 0;    /* Default no message when cancelled */

if (!(username = CS expand_string(ob->spa_username)))
  {
  if (f.expand_string_forcedfail) return CANCELLED;
  string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
   "authenticator: %s", ob->spa_username, ablock->name,
   expand_string_message);
  return ERROR;
  }

if (!(password = CS expand_string(ob->spa_password)))
  {
  if (f.expand_string_forcedfail) return CANCELLED;
  string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
   "authenticator: %s", ob->spa_password, ablock->name,
   expand_string_message);
  return ERROR;
  }

if (ob->spa_domain)
  if (!(domain = CS expand_string(ob->spa_domain)))
    {
    if (f.expand_string_forcedfail) return CANCELLED;
    string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
		  "authenticator: %s", ob->spa_domain, ablock->name,
		  expand_string_message);
    return ERROR;
    }

/* Original code */

if (smtp_write_command(sx, SCMD_FLUSH, "AUTH %s\r\n", ablock->public_name) < 0)
  return FAIL_SEND;

/* wait for the 3XX OK message */
if (!smtp_read_response(sx, US buffer, buffsize, '3', timeout))
  return FAIL;

DSPA("\n\n%s authenticator: using domain %s\n\n", ablock->name, domain);

spa_build_auth_request(&request, CS username, domain);
spa_bits_to_base64(US msgbuf, US &request, spa_request_length(&request));

DSPA("\n\n%s authenticator: sending request (%s)\n\n", ablock->name, msgbuf);

/* send the encrypted password */
if (smtp_write_command(sx, SCMD_FLUSH, "%s\r\n", msgbuf) < 0)
  return FAIL_SEND;

/* wait for the auth challenge */
if (!smtp_read_response(sx, US buffer, buffsize, '3', timeout))
  return FAIL;

/* convert the challenge into the challenge struct */
DSPA("\n\n%s authenticator: challenge (%s)\n\n", ablock->name, buffer + 4);
spa_base64_to_bits(CS (&challenge), sizeof(challenge), CCS (buffer + 4));

spa_build_auth_response(&challenge, &response, CS username, CS password);
spa_bits_to_base64(US msgbuf, US &response, spa_request_length(&response));
DSPA("\n\n%s authenticator: challenge response (%s)\n\n", ablock->name, msgbuf);

/* send the challenge response */
if (smtp_write_command(sx, SCMD_FLUSH, "%s\r\n", msgbuf) < 0)
       return FAIL_SEND;

/* If we receive a success response from the server, authentication
has succeeded. There may be more data to send, but is there any point
in provoking an error here? */

if (smtp_read_response(sx, US buffer, buffsize, '2', timeout))
  return OK;

/* Not a success response. If errno != 0 there is some kind of transmission
error. Otherwise, check the response code in the buffer. If it starts with
'3', more data is expected. */

if (errno != 0 || buffer[0] != '3')
  return FAIL;

return FAIL;
}

#endif   /*!MACRO_PREDEF*/
/* End of spa.c */
Commit	Line	Data
	1	/*************************************************
	2	* Exim - an Internet mail transport agent *
	3	*************************************************/
	4
	5	/* Copyright (c) University of Cambridge 1995 - 2018 */
	6	/* Copyright (c) The Exim Maintainers 2020 */
	7	/* See the file NOTICE for conditions of use and distribution. */
	8
	9	/* This file, which provides support for Microsoft's Secure Password
	10	Authentication, was contributed by Marc Prud'hommeaux. Tom Kistner added SPA
	11	server support. I (PH) have only modified it in very trivial ways.
	12
	13	References:
	14	http://www.innovation.ch/java/ntlm.html
	15	http://www.kuro5hin.org/story/2002/4/28/1436/66154
	16	http://download.microsoft.com/download/9/5/e/95ef66af-9026-4bb0-a41d-a4f81802d92c/%5bMS-SMTP%5d.pdf
	17
	18	* It seems that some systems have existing but different definitions of some
	19	* of the following types. I received a complaint about "int16" causing
	20	* compilation problems. So I (PH) have renamed them all, to be on the safe
	21	* side, by adding 'x' on the end. See auths/auth-spa.h.
	22
	23	* typedef signed short int16;
	24	* typedef unsigned short uint16;
	25	* typedef unsigned uint32;
	26	* typedef unsigned char uint8;
	27
	28	07-August-2003: PH: Patched up the code to avoid assert bombouts for stupid
	29	input data. Find appropriate comment by grepping for "PH".
	30	16-October-2006: PH: Added a call to auth_check_serv_cond() at the end
	31	05-June-2010: PP: handle SASL initial response
	32	*/
	33
	34
	35	#include "../exim.h"
	36	#include "spa.h"
	37
	38	/* #define DEBUG_SPA */
	39
	40	#ifdef DEBUG_SPA
	41	#define DSPA(x,y,z) debug_printf(x,y,z)
	42	#else
	43	#define DSPA(x,y,z)
	44	#endif
	45
	46	/* Options specific to the spa authentication mechanism. */
	47
	48	optionlist auth_spa_options[] = {
	49	{ "client_domain", opt_stringptr,
	50	OPT_OFF(auth_spa_options_block, spa_domain) },
	51	{ "client_password", opt_stringptr,
	52	OPT_OFF(auth_spa_options_block, spa_password) },
	53	{ "client_username", opt_stringptr,
	54	OPT_OFF(auth_spa_options_block, spa_username) },
	55	{ "server_password", opt_stringptr,
	56	OPT_OFF(auth_spa_options_block, spa_serverpassword) }
	57	};
	58
	59	/* Size of the options list. An extern variable has to be used so that its
	60	address can appear in the tables drtables.c. */
	61
	62	int auth_spa_options_count =
	63	sizeof(auth_spa_options)/sizeof(optionlist);
	64
	65	/* Default private options block for the condition authentication method. */
	66
	67	auth_spa_options_block auth_spa_option_defaults = {
	68	NULL, /* spa_password */
	69	NULL, /* spa_username */
	70	NULL, /* spa_domain */
	71	NULL /* spa_serverpassword (for server side use) */
	72	};
	73
	74
	75	#ifdef MACRO_PREDEF
	76
	77	/* Dummy values */
	78	void auth_spa_init(auth_instance *ablock) {}
	79	int auth_spa_server(auth_instance ablock, uschar data) {return 0;}
	80	int auth_spa_client(auth_instance ablock, void sx, int timeout,
	81	uschar *buffer, int buffsize) {return 0;}
	82
	83	#else /!MACRO_PREDEF/
	84
	85
	86
	87
	88	/*************************************************
	89	* Initialization entry point *
	90	*************************************************/
	91
	92	/* Called for each instance, after its options have been read, to
	93	enable consistency checks to be done, or anything else that needs
	94	to be set up. */
	95
	96	void
	97	auth_spa_init(auth_instance *ablock)
	98	{
	99	auth_spa_options_block *ob =
	100	(auth_spa_options_block *)(ablock->options_block);
	101
	102	/* The public name defaults to the authenticator name */
	103
	104	if (ablock->public_name == NULL) ablock->public_name = ablock->name;
	105
	106	/* Both username and password must be set for a client */
	107
	108	if ((ob->spa_username == NULL) != (ob->spa_password == NULL))
	109	log_write(0, LOG_PANIC_DIE\|LOG_CONFIG_FOR, "%s authenticator:\n "
	110	"one of client_username and client_password cannot be set without "
	111	"the other", ablock->name);
	112	ablock->client = ob->spa_username != NULL;
	113
	114	/* For a server we have just one option */
	115
	116	ablock->server = ob->spa_serverpassword != NULL;
	117	}
	118
	119
	120
	121	/*************************************************
	122	* Server entry point *
	123	*************************************************/
	124
	125	/* For interface, see auths/README */
	126
	127	#define CVAL(buf,pos) ((US (buf))[pos])
	128	#define PVAL(buf,pos) ((unsigned)CVAL(buf,pos))
	129	#define SVAL(buf,pos) (PVAL(buf,pos)\|PVAL(buf,(pos)+1)<<8)
	130	#define IVAL(buf,pos) (SVAL(buf,pos)\|SVAL(buf,(pos)+2)<<16)
	131
	132	int
	133	auth_spa_server(auth_instance ablock, uschar data)
	134	{
	135	auth_spa_options_block ob = (auth_spa_options_block )(ablock->options_block);
	136	uint8x lmRespData[24];
	137	uint8x ntRespData[24];
	138	SPAAuthRequest request;
	139	SPAAuthChallenge challenge;
	140	SPAAuthResponse response;
	141	SPAAuthResponse *responseptr = &response;
	142	uschar msgbuf[2048];
	143	uschar clearpass, s;
	144	unsigned off;
	145
	146	/* send a 334, MS Exchange style, and grab the client's request,
	147	unless we already have it via an initial response. */
	148
	149	if (!*data && auth_get_no64_data(&data, US"NTLM supported") != OK)
	150	return FAIL;
	151
	152	if (spa_base64_to_bits(CS &request, sizeof(request), CCS data) < 0)
	153	{
	154	DEBUG(D_auth) debug_printf("auth_spa_server(): bad base64 data in "
	155	"request: %s\n", data);
	156	return FAIL;
	157	}
	158
	159	/* create a challenge and send it back */
	160
	161	spa_build_auth_challenge(&request, &challenge);
	162	spa_bits_to_base64(msgbuf, US &challenge, spa_request_length(&challenge));
	163
	164	if (auth_get_no64_data(&data, msgbuf) != OK)
	165	return FAIL;
	166
	167	/* dump client response */
	168	if (spa_base64_to_bits(CS &response, sizeof(response), CCS data) < 0)
	169	{
	170	DEBUG(D_auth) debug_printf("auth_spa_server(): bad base64 data in "
	171	"response: %s\n", data);
	172	return FAIL;
	173	}
	174
	175	/***************************************************************
	176	PH 07-Aug-2003: The original code here was this:
	177
	178	Ustrcpy(msgbuf, unicodeToString(((char*)responseptr) +
	179	IVAL(&responseptr->uUser.offset,0),
	180	SVAL(&responseptr->uUser.len,0)/2) );
	181
	182	However, if the response data is too long, unicodeToString bombs out on
	183	an assertion failure. It uses a 1024 fixed buffer. Bombing out is not a good
	184	idea. It's too messy to try to rework that function to return an error because
	185	it is called from a number of other places in the auth-spa.c module. Instead,
	186	since it is a very small function, I reproduce its code here, with a size check
	187	that causes failure if the size of msgbuf is exceeded. ****/
	188
	189	{
	190	int i;
	191	char * p;
	192	int len = SVAL(&responseptr->uUser.len,0)/2;
	193
	194	if ( (off = IVAL(&responseptr->uUser.offset,0)) >= sizeof(SPAAuthResponse)
	195	\|\| len >= sizeof(responseptr->buffer)/2
	196	\|\| (p = (CS responseptr) + off) + len*2 >= CS (responseptr+1)
	197	)
	198	{
	199	DEBUG(D_auth)
	200	debug_printf("auth_spa_server(): bad uUser spec in response\n");
	201	return FAIL;
	202	}
	203
	204	if (len + 1 >= sizeof(msgbuf)) return FAIL;
	205	for (i = 0; i < len; ++i)
	206	{
	207	msgbuf[i] = *p & 0x7f;
	208	p += 2;
	209	}
	210	msgbuf[i] = 0;
	211	}
	212
	213	/***************************************************************/
	214
	215	/* Put the username in $auth1 and $1. The former is now the preferred variable;
	216	the latter is the original variable. These have to be out of stack memory, and
	217	need to be available once known even if not authenticated, for error messages
	218	(server_set_id, which only makes it to authenticated_id if we return OK) */
	219
	220	auth_vars[0] = expand_nstring[1] = string_copy(msgbuf);
	221	expand_nlength[1] = Ustrlen(msgbuf);
	222	expand_nmax = 1;
	223
	224	debug_print_string(ablock->server_debug_string); /* customized debug */
	225
	226	/* look up password */
	227
	228	if (!(clearpass = expand_string(ob->spa_serverpassword)))
	229	if (f.expand_string_forcedfail)
	230	{
	231	DEBUG(D_auth) debug_printf("auth_spa_server(): forced failure while "
	232	"expanding spa_serverpassword\n");
	233	return FAIL;
	234	}
	235	else
	236	{
	237	DEBUG(D_auth) debug_printf("auth_spa_server(): error while expanding "
	238	"spa_serverpassword: %s\n", expand_string_message);
	239	return DEFER;
	240	}
	241
	242	/* create local hash copy */
	243
	244	spa_smb_encrypt(clearpass, challenge.challengeData, lmRespData);
	245	spa_smb_nt_encrypt(clearpass, challenge.challengeData, ntRespData);
	246
	247	/* compare NT hash (LM may not be available) */
	248
	249	off = IVAL(&responseptr->ntResponse.offset,0);
	250	if (off >= sizeof(SPAAuthResponse) - 24)
	251	{
	252	DEBUG(D_auth)
	253	debug_printf("auth_spa_server(): bad ntRespData spec in response\n");
	254	return FAIL;
	255	}
	256	s = (US responseptr) + off;
	257
	258	if (memcmp(ntRespData, s, 24) == 0)
	259	return auth_check_serv_cond(ablock); /* success. we have a winner. */
	260
	261	/* Expand server_condition as an authorization check (PH) */
	262
	263	return FAIL;
	264	}
	265
	266
	267	/*************************************************
	268	* Client entry point *
	269	*************************************************/
	270
	271	/* For interface, see auths/README */
	272
	273	int
	274	auth_spa_client(
	275	auth_instance ablock, / authenticator block */
	276	void * sx, /* connection */
	277	int timeout, /* command timeout */
	278	uschar buffer, / buffer for reading response */
	279	int buffsize) /* size of buffer */
	280	{
	281	auth_spa_options_block *ob =
	282	(auth_spa_options_block *)(ablock->options_block);
	283	SPAAuthRequest request;
	284	SPAAuthChallenge challenge;
	285	SPAAuthResponse response;
	286	char msgbuf[2048];
	287	char *domain = NULL;
	288	char username, password;
	289
	290	/* Code added by PH to expand the options */
	291
	292	buffer = 0; / Default no message when cancelled */
	293
	294	if (!(username = CS expand_string(ob->spa_username)))
	295	{
	296	if (f.expand_string_forcedfail) return CANCELLED;
	297	string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
	298	"authenticator: %s", ob->spa_username, ablock->name,
	299	expand_string_message);
	300	return ERROR;
	301	}
	302
	303	if (!(password = CS expand_string(ob->spa_password)))
	304	{
	305	if (f.expand_string_forcedfail) return CANCELLED;
	306	string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
	307	"authenticator: %s", ob->spa_password, ablock->name,
	308	expand_string_message);
	309	return ERROR;
	310	}
	311
	312	if (ob->spa_domain)
	313	if (!(domain = CS expand_string(ob->spa_domain)))
	314	{
	315	if (f.expand_string_forcedfail) return CANCELLED;
	316	string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
	317	"authenticator: %s", ob->spa_domain, ablock->name,
	318	expand_string_message);
	319	return ERROR;
	320	}
	321
	322	/* Original code */
	323
	324	if (smtp_write_command(sx, SCMD_FLUSH, "AUTH %s\r\n", ablock->public_name) < 0)
	325	return FAIL_SEND;
	326
	327	/* wait for the 3XX OK message */
	328	if (!smtp_read_response(sx, US buffer, buffsize, '3', timeout))
	329	return FAIL;
	330
	331	DSPA("\n\n%s authenticator: using domain %s\n\n", ablock->name, domain);
	332
	333	spa_build_auth_request(&request, CS username, domain);
	334	spa_bits_to_base64(US msgbuf, US &request, spa_request_length(&request));
	335
	336	DSPA("\n\n%s authenticator: sending request (%s)\n\n", ablock->name, msgbuf);
	337
	338	/* send the encrypted password */
	339	if (smtp_write_command(sx, SCMD_FLUSH, "%s\r\n", msgbuf) < 0)
	340	return FAIL_SEND;
	341
	342	/* wait for the auth challenge */
	343	if (!smtp_read_response(sx, US buffer, buffsize, '3', timeout))
	344	return FAIL;
	345
	346	/* convert the challenge into the challenge struct */
	347	DSPA("\n\n%s authenticator: challenge (%s)\n\n", ablock->name, buffer + 4);
	348	spa_base64_to_bits(CS (&challenge), sizeof(challenge), CCS (buffer + 4));
	349
	350	spa_build_auth_response(&challenge, &response, CS username, CS password);
	351	spa_bits_to_base64(US msgbuf, US &response, spa_request_length(&response));
	352	DSPA("\n\n%s authenticator: challenge response (%s)\n\n", ablock->name, msgbuf);
	353
	354	/* send the challenge response */
	355	if (smtp_write_command(sx, SCMD_FLUSH, "%s\r\n", msgbuf) < 0)
	356	return FAIL_SEND;
	357
	358	/* If we receive a success response from the server, authentication
	359	has succeeded. There may be more data to send, but is there any point
	360	in provoking an error here? */
	361
	362	if (smtp_read_response(sx, US buffer, buffsize, '2', timeout))
	363	return OK;
	364
	365	/* Not a success response. If errno != 0 there is some kind of transmission
	366	error. Otherwise, check the response code in the buffer. If it starts with
	367	'3', more data is expected. */
	368
	369	if (errno != 0 \|\| buffer[0] != '3')
	370	return FAIL;
	371
	372	return FAIL;
	373	}
	374
	375	#endif /!MACRO_PREDEF/
	376	/* End of spa.c */