1 /* $Cambridge: exim/src/src/auths/plaintext.c,v 1.4 2006/02/10 14:25:43 ph10 Exp $ */
3 /*************************************************
4 * Exim - an Internet mail transport agent *
5 *************************************************/
7 /* Copyright (c) University of Cambridge 1995 - 2006 */
8 /* See the file NOTICE for conditions of use and distribution. */
11 #include "plaintext.h"
14 /* Options specific to the plaintext authentication mechanism. */
16 optionlist auth_plaintext_options[] = {
17 { "client_send", opt_stringptr,
18 (void *)(offsetof(auth_plaintext_options_block, client_send)) },
19 { "server_condition", opt_stringptr,
20 (void *)(offsetof(auth_plaintext_options_block, server_condition)) },
21 { "server_prompts", opt_stringptr,
22 (void *)(offsetof(auth_plaintext_options_block, server_prompts)) }
25 /* Size of the options list. An extern variable has to be used so that its
26 address can appear in the tables drtables.c. */
28 int auth_plaintext_options_count =
29 sizeof(auth_plaintext_options)/sizeof(optionlist);
31 /* Default private options block for the plaintext authentication method. */
33 auth_plaintext_options_block auth_plaintext_option_defaults = {
34 NULL, /* server_condition */
35 NULL, /* server_prompts */
36 NULL /* client_send */
40 /*************************************************
41 * Initialization entry point *
42 *************************************************/
44 /* Called for each instance, after its options have been read, to
45 enable consistency checks to be done, or anything else that needs
49 auth_plaintext_init(auth_instance *ablock)
51 auth_plaintext_options_block *ob =
52 (auth_plaintext_options_block *)(ablock->options_block);
53 if (ablock->public_name == NULL) ablock->public_name = ablock->name;
54 if (ob->server_condition != NULL) ablock->server = TRUE;
55 if (ob->client_send != NULL) ablock->client = TRUE;
60 /*************************************************
61 * Server entry point *
62 *************************************************/
64 /* For interface, see auths/README */
67 auth_plaintext_server(auth_instance *ablock, uschar *data)
69 auth_plaintext_options_block *ob =
70 (auth_plaintext_options_block *)(ablock->options_block);
71 uschar *prompts = ob->server_prompts;
72 uschar *clear, *cond, *end, *s;
77 /* Expand a non-empty list of prompt strings */
81 prompts = expand_string(prompts);
84 auth_defer_msg = expand_string_message;
89 /* If data was supplied on the AUTH command, decode it, and split it up into
90 multiple items at binary zeros. The strings are put into $auth1, $auth2, etc,
91 up to a maximum. To retain backwards compatibility, they are also put int $1,
92 $2, etc. If the data consists of the string "=" it indicates a single, empty
97 if (Ustrcmp(data, "=") == 0)
99 auth_vars[0] = expand_nstring[++expand_nmax] = US"";
100 expand_nlength[expand_nmax] = 0;
104 if ((len = auth_b64decode(data, &clear)) < 0) return BAD64;
106 while (clear < end && expand_nmax < EXPAND_MAXN)
108 if (expand_nmax < AUTH_VARS) auth_vars[expand_nmax] = clear;
109 expand_nstring[++expand_nmax] = clear;
110 while (*clear != 0) clear++;
111 expand_nlength[expand_nmax] = clear++ - expand_nstring[expand_nmax];
116 /* Now go through the list of prompt strings. Skip over any whose data has
117 already been provided as part of the AUTH command. For the rest, send them
118 out as prompts, and get a data item back. If the data item is "*", abandon the
119 authentication attempt. Otherwise, split it into items as above. */
121 while ((s = string_nextinlist(&prompts, &sep, big_buffer, big_buffer_size))
122 != NULL && expand_nmax < EXPAND_MAXN)
124 if (number++ <= expand_nmax) continue;
125 if ((rc = auth_get_data(&data, s, Ustrlen(s))) != OK) return rc;
126 if ((len = auth_b64decode(data, &clear)) < 0) return BAD64;
129 /* This loop must run at least once, in case the length is zero */
132 if (expand_nmax < AUTH_VARS) auth_vars[expand_nmax] = clear;
133 expand_nstring[++expand_nmax] = clear;
134 while (*clear != 0) clear++;
135 expand_nlength[expand_nmax] = clear++ - expand_nstring[expand_nmax];
137 while (clear < end && expand_nmax < EXPAND_MAXN);
140 /* We now have a number of items of data in $auth1, $auth2, etc (and also, for
141 compatibility, in $1, $2, etc). Match against the decoded data by expanding the
144 cond = expand_string(ob->server_condition);
149 debug_printf("%s authenticator:\n", ablock->name);
150 for (i = 0; i < AUTH_VARS; i++)
152 if (auth_vars[i] != NULL)
153 debug_printf(" $auth%d = %s\n", i + 1, auth_vars[i]);
155 for (i = 1; i <= expand_nmax; i++)
156 debug_printf(" $%d = %.*s\n", i, expand_nlength[i], expand_nstring[i]);
157 debug_print_string(ablock->server_debug_string); /* customized debug */
159 debug_printf("expansion failed: %s\n", expand_string_message);
161 debug_printf("expanded string: %s\n", cond);
164 /* A forced expansion failure causes authentication to fail. Other expansion
165 failures yield DEFER, which will cause a temporary error code to be returned to
166 the AUTH command. The problem is at the server end, so the client should try
171 if (expand_string_forcedfail) return FAIL;
172 auth_defer_msg = expand_string_message;
176 /* Return FAIL for empty string, "0", "no", and "false"; return OK for
177 "1", "yes", and "true"; return DEFER for anything else, with the string
178 available as an error text for the user. */
181 Ustrcmp(cond, "0") == 0 ||
182 strcmpic(cond, US"no") == 0 ||
183 strcmpic(cond, US"false") == 0)
186 if (Ustrcmp(cond, "1") == 0 ||
187 strcmpic(cond, US"yes") == 0 ||
188 strcmpic(cond, US"true") == 0)
191 auth_defer_msg = cond;
192 auth_defer_user_msg = string_sprintf(": %s", cond);
198 /*************************************************
199 * Client entry point *
200 *************************************************/
202 /* For interface, see auths/README */
205 auth_plaintext_client(
206 auth_instance *ablock, /* authenticator block */
207 smtp_inblock *inblock, /* connection inblock */
208 smtp_outblock *outblock, /* connection outblock */
209 int timeout, /* command timeout */
210 uschar *buffer, /* buffer for reading response */
211 int buffsize) /* size of buffer */
213 auth_plaintext_options_block *ob =
214 (auth_plaintext_options_block *)(ablock->options_block);
215 uschar *text = ob->client_send;
220 /* The text is broken up into a number of different data items, which are
221 sent one by one. The first one is sent with the AUTH command; the remainder are
222 sent in response to subsequent prompts. Each is expanded before being sent. */
224 while ((s = string_nextinlist(&text, &sep, big_buffer, big_buffer_size)) != NULL)
227 uschar *ss = expand_string(s);
229 /* Forced expansion failure is not an error; authentication is abandoned. On
230 all but the first string, we have to abandon the authentication attempt by
231 sending a line containing "*". Save the failed expansion string, because it
232 is in big_buffer, and that gets used by the sending function. */
236 uschar *ssave = string_copy(s);
239 if (smtp_write_command(outblock, FALSE, "*\r\n") >= 0)
240 (void) smtp_read_response(inblock, US buffer, buffsize, '2', timeout);
242 if (expand_string_forcedfail) return CANCELLED;
243 string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
244 "authenticator: %s", ssave, ablock->name, expand_string_message);
250 /* The character ^ is used as an escape for a binary zero character, which is
251 needed for the PLAIN mechanism. It must be doubled if really needed. */
253 for (i = 0; i < len; i++)
257 if (ss[i+1] != '^') ss[i] = 0; else
261 memmove(ss + i, ss + i + 1, len - i);
266 /* The first string is attached to the AUTH command; others are sent
272 if (smtp_write_command(outblock, FALSE, "AUTH %s%s%s\r\n",
273 ablock->public_name, (len == 0)? "" : " ",
274 auth_b64encode(ss, len)) < 0)
279 if (smtp_write_command(outblock, FALSE, "%s\r\n",
280 auth_b64encode(ss, len)) < 0)
284 /* If we receive a success response from the server, authentication
285 has succeeded. There may be more data to send, but is there any point
286 in provoking an error here? */
288 if (smtp_read_response(inblock, US buffer, buffsize, '2', timeout)) return OK;
290 /* Not a success response. If errno != 0 there is some kind of transmission
291 error. Otherwise, check the response code in the buffer. If it starts with
292 '3', more data is expected. */
294 if (errno != 0 || buffer[0] != '3') return FAIL;
296 /* If there is no more data to send, we have to cancel the authentication
297 exchange and return ERROR. */
301 if (smtp_write_command(outblock, FALSE, "*\r\n") >= 0)
302 (void)smtp_read_response(inblock, US buffer, buffsize, '2', timeout);
303 string_format(buffer, buffsize, "Too few items in client_send in %s "
304 "authenticator", ablock->name);
309 /* Control should never actually get here. */
314 /* End of plaintext.c */