A forced expansion failure in the SPA authenticator is now treated the

same as in other authenticators (it moves to the next authenticator).

4 files changed, 26 insertions, 14 deletions

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index a06b29b49..6774dad4a 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -1,4 +1,4 @@
-$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.45 2004/12/20 12:29:10 ph10 Exp $
+$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.46 2004/12/20 14:57:05 ph10 Exp $
 
 Change log file for Exim from version 4.21
 -------------------------------------------
@@ -195,6 +195,13 @@ Exim version 4.50
     messages that were in split spool directories. Consequently, it was
     deleting retry records that should have stayed in existence.
 
+48. Steve fixed some bugs in eximstats.
+
+49. The SPA authentication driver was not abandoning authentication and moving
+    on to the next authenticator when an expansion was forced to fail,
+    contradicting the general specification for all authenticators. Instead it
+    was generating a temporary error. It now behaves as specified.
+
 
 Exim version 4.43
 -----------------
diff --git a/src/ACKNOWLEDGMENTS b/src/ACKNOWLEDGMENTS
index fe092c448..a914262c7 100644
--- a/src/ACKNOWLEDGMENTS
+++ b/src/ACKNOWLEDGMENTS
@@ -1,4 +1,4 @@
-$Cambridge: exim/src/ACKNOWLEDGMENTS,v 1.7 2004/11/24 15:43:36 ph10 Exp $
+$Cambridge: exim/src/ACKNOWLEDGMENTS,v 1.8 2004/12/20 14:57:05 ph10 Exp $
 
 EXIM ACKNOWLEDGEMENTS
 
@@ -20,7 +20,7 @@ relatively small patches.
 Philip Hazel
 
 Lists created: 20 November 2002
-Last updated:  24 November 2004
+Last updated:  20 December 2004
 
 
 THE OLD LIST
@@ -158,6 +158,7 @@ Chris Liddiard            Fix for bug in exiqsumm
 Chris Lightfoot           Patch for -restore-times in exim_lock
 Edgar Lovecraft           Patch for ${str2b64:
 Torsten Luettgert         Suggested patch for proper integer overflow detection
+David Madole              Patch for SPA forced expansion failure bug
 Lionel Elie Mamane        Patch for IPv4/IPv6 listen() problem on USAGI Linux
                           Patch for recognizing IPv6 "scoped addresses"
                           Patch for callout caching bug
diff --git a/src/src/auths/README b/src/src/auths/README
index 190505f25..a25aaf0b0 100644
--- a/src/src/auths/README
+++ b/src/src/auths/README
@@ -1,4 +1,4 @@
-$Cambridge: exim/src/src/auths/README,v 1.1 2004/10/07 13:10:00 ph10 Exp $
+$Cambridge: exim/src/src/auths/README,v 1.2 2004/12/20 14:57:05 ph10 Exp $
 
 AUTHS
 
@@ -57,7 +57,8 @@ The yield of a server authentication check must be one of:
   OK          success
   DEFER       couldn't complete the check
   FAIL        authentication failed
-  CANCELLED   authentication forced to fail by "*" response to challenge
+  CANCELLED   authentication forced to fail by "*" response to challenge,
+                or by a forced string expansion failure 
   BAD64       bad base64 data received
   UNEXPECTED  unexpected data received
 
diff --git a/src/src/auths/spa.c b/src/src/auths/spa.c
index 31451344e..dc859674e 100644
--- a/src/src/auths/spa.c
+++ b/src/src/auths/spa.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/auths/spa.c,v 1.1 2004/10/07 13:10:01 ph10 Exp $ */
+/* $Cambridge: exim/src/src/auths/spa.c,v 1.2 2004/12/20 14:57:05 ph10 Exp $ */
 
 /*************************************************
 *     Exim - an Internet mail transport agent    *
@@ -258,19 +258,12 @@ auth_spa_client(
        char *domain = NULL;
        char *username, *password;
 
-    if (smtp_write_command(outblock, FALSE, "AUTH %s\r\n",
-         ablock->public_name) < 0)
-               return FAIL_SEND;
-
-       /* wait for the 3XX OK message */
-       if (!smtp_read_response(inblock, (uschar *)buffer, buffsize, '3', timeout))
-               return FAIL;
-
        /* Code added by PH to expand the options */
 
        username = CS expand_string(ob->spa_username);
        if (username == NULL)
          {
+         if (expand_string_forcedfail) return CANCELLED;
          string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
            "authenticator: %s", ob->spa_username, ablock->name,
            expand_string_message);
@@ -280,6 +273,7 @@ auth_spa_client(
        password = CS expand_string(ob->spa_password);
        if (password == NULL)
          {
+         if (expand_string_forcedfail) return CANCELLED;
          string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
            "authenticator: %s", ob->spa_password, ablock->name,
            expand_string_message);
@@ -291,6 +285,7 @@ auth_spa_client(
          domain = CS expand_string(ob->spa_domain);
          if (domain == NULL)
            {
+           if (expand_string_forcedfail) return CANCELLED;
            string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
              "authenticator: %s", ob->spa_domain, ablock->name,
              expand_string_message);
@@ -300,6 +295,14 @@ auth_spa_client(
 
        /* Original code */
 
+    if (smtp_write_command(outblock, FALSE, "AUTH %s\r\n",
+         ablock->public_name) < 0)
+               return FAIL_SEND;
+
+       /* wait for the 3XX OK message */
+       if (!smtp_read_response(inblock, (uschar *)buffer, buffsize, '3', timeout))
+               return FAIL;
+
        DSPA("\n\n%s authenticator: using domain %s\n\n",
                ablock->name, domain);