X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/b1206957506a8d30e54c3d76c3ada5f247118666..55c75993b43ac91069a5fbe9cc7a8d48cda84ee0:/src/src/auths/spa.c diff --git a/src/src/auths/spa.c b/src/src/auths/spa.c index dc859674e..5647b0c1f 100644 --- a/src/src/auths/spa.c +++ b/src/src/auths/spa.c @@ -1,10 +1,10 @@ -/* $Cambridge: exim/src/src/auths/spa.c,v 1.2 2004/12/20 14:57:05 ph10 Exp $ */ +/* $Cambridge: exim/src/src/auths/spa.c,v 1.11 2010/06/05 10:16:36 pdp Exp $ */ /************************************************* * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2004 */ +/* Copyright (c) University of Cambridge 1995 - 2009 */ /* See the file NOTICE for conditions of use and distribution. */ /* This file, which provides support for Microsoft's Secure Password @@ -14,6 +14,7 @@ server support. I (PH) have only modified it in very trivial ways. References: http://www.innovation.ch/java/ntlm.html http://www.kuro5hin.org/story/2002/4/28/1436/66154 + http://download.microsoft.com/download/9/5/e/95ef66af-9026-4bb0-a41d-a4f81802d92c/%5bMS-SMTP%5d.pdf * It seems that some systems have existing but different definitions of some * of the following types. I received a complaint about "int16" causing @@ -25,8 +26,10 @@ References: * typedef unsigned uint32; * typedef unsigned char uint8; -07-August-2003: PH: Patched up the code to avoid assert bombouts for stupid - input data. Find appropriate comment by grepping for "PH". +07-August-2003: PH: Patched up the code to avoid assert bombouts for stupid + input data. Find appropriate comment by grepping for "PH". +16-October-2006: PH: Added a call to auth_check_serv_cond() at the end +05-June-2010: PP: handle SASL initial response */ @@ -127,15 +130,17 @@ SPAAuthResponse *responseptr = &response; uschar msgbuf[2048]; uschar *clearpass; -/* send a 334, MS Exchange style, and grab the client's request */ +/* send a 334, MS Exchange style, and grab the client's request, +unless we already have it via an initial response. */ -if (auth_get_no64_data(&data, US"NTLM supported") != OK) +if ((*data == '\0') && + (auth_get_no64_data(&data, US"NTLM supported") != OK)) { /* something borked */ return FAIL; } -if (spa_base64_to_bits((char *)(&request), (const char *)(data)) < 0) +if (spa_base64_to_bits((char *)(&request), sizeof(request), (const char *)(data)) < 0) { DEBUG(D_auth) debug_printf("auth_spa_server(): bad base64 data in " "request: %s\n", data); @@ -155,15 +160,13 @@ if (auth_get_no64_data(&data, msgbuf) != OK) } /* dump client response */ -if (spa_base64_to_bits((char *)(&response), (const char *)(data)) < 0) +if (spa_base64_to_bits((char *)(&response), sizeof(response), (const char *)(data)) < 0) { DEBUG(D_auth) debug_printf("auth_spa_server(): bad base64 data in " "response: %s\n", data); return FAIL; } -/* get username and put it in $1 */ - /*************************************************************** PH 07-Aug-2003: The original code here was this: @@ -194,10 +197,15 @@ that causes failure if the size of msgbuf is exceeded. ****/ /***************************************************************/ -expand_nstring[1] = msgbuf; +/* Put the username in $auth1 and $1. The former is now the preferred variable; +the latter is the original variable. */ + +auth_vars[0] = expand_nstring[1] = msgbuf; expand_nlength[1] = Ustrlen(msgbuf); expand_nmax = 1; +debug_print_string(ablock->server_debug_string); /* customized debug */ + /* look up password */ clearpass = expand_string(ob->spa_serverpassword); @@ -228,7 +236,9 @@ if (memcmp(ntRespData, ((unsigned char*)responseptr)+IVAL(&responseptr->ntResponse.offset,0), 24) == 0) /* success. we have a winner. */ - return OK; + + /* Expand server_condition as an authorization check (PH) */ + return auth_check_serv_cond(ablock); return FAIL; } @@ -260,6 +270,8 @@ auth_spa_client( /* Code added by PH to expand the options */ + *buffer = 0; /* Default no message when cancelled */ + username = CS expand_string(ob->spa_username); if (username == NULL) { @@ -324,7 +336,7 @@ auth_spa_client( /* convert the challenge into the challenge struct */ DSPA("\n\n%s authenticator: challenge (%s)\n\n", ablock->name, buffer + 4); - spa_base64_to_bits ((char *)(&challenge), (const char *)(buffer + 4)); + spa_base64_to_bits ((char *)(&challenge), sizeof(challenge), (const char *)(buffer + 4)); spa_build_auth_response (&challenge, &response, CS username, CS password);