We can specify NTLM as an authentication type.

svn path=/trunk/; revision=3160

7 files changed, 37 insertions, 43 deletions

diff --git a/NEWS b/NEWS
index ee711b8b..67645d61 100644
--- a/NEWS
+++ b/NEWS
@@ -3,7 +3,7 @@
 (The `lines' figures total .c, .h, .l, and .y files under version control.)
 
 * Updated Danish translation from Byrial Jensen.
-* Fixed bug in NTLM support
+* Fixed bug in NTLM support.  Separately, "auth ntlm" now works.
 
 fetchmail-5.6.8 (Thu Feb 22 02:57:31 EST 2001), 20110 lines:
 
diff --git a/conf.c b/conf.c
index 4b43b674..b348194f 100644
--- a/conf.c
+++ b/conf.c
@@ -277,6 +277,8 @@ void dump_config(struct runctl *runp, struct query *querylist)
 		stringdump("auth", "password");
 	    else if (ctl->server.authenticate == A_OTP)
 		stringdump("auth", "otp");
+	    else if (ctl->server.authenticate == A_NTLM)
+		stringdump("auth", "ntlm");
 	    else if (ctl->server.authenticate == A_CRAM_MD5)
 		stringdump("auth", "cram-md5");
 	    else if (ctl->server.authenticate == A_GSSAPI)
diff --git a/fetchmail.h b/fetchmail.h
index 3c7d4b9b..a044473e 100644
--- a/fetchmail.h
+++ b/fetchmail.h
@@ -40,12 +40,13 @@
 /* authentication types */
 #define		A_ANY		0	/* use the first method that works */
 #define		A_PASSWORD	1	/* password authentication */
-#define		A_CRAM_MD5	2	/* CRAM-MD5 shrouding (RFC2195) */
-#define		A_OTP		3	/* One-time password (RFC1508) */
-#define		A_KERBEROS_V4	4	/* authenticate w/ Kerberos V4 */
-#define		A_KERBEROS_V5	5	/* authenticate w/ Kerberos V5 */
-#define 	A_GSSAPI	6	/* authenticate with GSSAPI */
-#define		A_SSH		7	/* authentication at session level */
+#define		A_NTLM		2	/* Microsoft NTLM protocol */
+#define		A_CRAM_MD5	3	/* CRAM-MD5 shrouding (RFC2195) */
+#define		A_OTP		4	/* One-time password (RFC1508) */
+#define		A_KERBEROS_V4	5	/* authenticate w/ Kerberos V4 */
+#define		A_KERBEROS_V5	6	/* authenticate w/ Kerberos V5 */
+#define 	A_GSSAPI	7	/* authenticate with GSSAPI */
+#define		A_SSH		8	/* authentication at session level */
 
 /* some protocols (KERBEROS, GSSAPI, SSH) don't require a password */
 #define NO_PASSWORD(ctl)	((ctl)->server.authenticate > A_OTP || !MAILBOX_PROTOCOL(ctl))
diff --git a/fetchmail.man b/fetchmail.man
index 9de9e9c9..1cf83c25 100644
--- a/fetchmail.man
+++ b/fetchmail.man
@@ -503,14 +503,14 @@ This option permits you to specify an authentication type (see USER
 AUTHENTICATION below for details).  The possible values are \fBany\fR,
 \&`\fBpassword\fR', `\fBkerberos_v5\fR' and `\fBkerberos\fR' (or, for
 excruciating exactness, `\fBkerberos_v4\fR'), \fRgssapi\fR,
-\fIcram-md5\fR, \fIotp\fR, and \fBssh\fR.  When \fBany\fR (the
+\fIcram-md5\fR, \fIotp\fR, \fIntlm\fR, and \fBssh\fR.  When \fBany\fR (the
 default) is specified, fetchmail tries first methods that don't
 require a password (GSSAPI, KERBEROS_IV); then it looks for methods
-that mask your password (CRAM-MD5, X-OTP); and only if the server
+that mask your password (CRAM-MD5, X-OTP, NTLM); and only if the server
 doesn't support any of those will it ship your password en clair.
 Other values may be used to force various authentication methods
 (\fBssh\fR suppresses authentication).  Any value other than
-\fIpassword\fR, \fIcram-md5\fR or \fIotp\fR suppresses fetchmail's
+\fIpassword\fR, \fIcram-md5\fR, \fIntlm\fR or \fIotp\fR suppresses fetchmail's
 normal inquiry for a password.  Specify \fBssh\fR when you are using
 an end-to-end secure connection such as an ssh tunnel; specify
 \fRgssapi\fR or \fBkerberos_v4\fR if you are using a protocol variant
diff --git a/imap.c b/imap.c
index 08ca65c5..b287ca75 100644
--- a/imap.c
+++ b/imap.c
@@ -316,7 +316,9 @@ int imap_getauth(int sock, struct query *ctl, char *greeting)
      * in a challenge-response.
      */
 
-    if (strstr(capabilities, "AUTH=CRAM-MD5"))
+    if ((ctl->server.authenticate == A_ANY 
+	 || ctl->server.authenticate==A_CRAM_MD5)
+	&& strstr(capabilities, "AUTH=CRAM-MD5"))
     {
 	if ((ok = do_cram_md5 (sock, "AUTHENTICATE", ctl)))
 	    /* SASL cancellation of authentication */
@@ -325,13 +327,17 @@ int imap_getauth(int sock, struct query *ctl, char *greeting)
     }
 
 #if OPIE_ENABLE
-    if (strstr(capabilities, "AUTH=X-OTP"))
+    if ((ctl->server.authenticate == A_ANY 
+	 || ctl->server.authenticate==A_OTP)
+	&& strstr(capabilities, "AUTH=X-OTP"))
 	return(do_otp(sock, ctl);
 #endif /* OPIE_ENABLE */
 
 #ifdef NTLM_ENABLE
-    if (strstr (capabilities, "AUTH=NTLM"))
-        return(do_imap_ntlm (sock, ctl));
+    if ((ctl->server.authenticate == A_ANY 
+	 || ctl->server.authenticate==A_NTLM)
+	&& strstr (capabilities, "AUTH=NTLM"))
+        return(do_imap_ntlm(sock, ctl));
 #endif /* NTLM_ENABLE */
 
 #ifdef __UNUSED__	/* The Cyrus IMAP4rev1 server chokes on this */
diff --git a/rcfile_l.l b/rcfile_l.l
index 9a2ed222..b2a76027 100644
--- a/rcfile_l.l
+++ b/rcfile_l.l
@@ -84,12 +84,14 @@ port		{ return PORT; }
 interval	{ return INTERVAL; }
 preauth(enticate)?	{ SETSTATE(AUTH); return AUTHENTICATE; }
 auth(enticate)?	{ SETSTATE(AUTH); return AUTHENTICATE; }
-any		{ SETSTATE(0); return ANY; }
-gssapi		{ SETSTATE(0); return GSSAPI; }
-kerberos(_v)?4	{ SETSTATE(0); return KERBEROS4; }
-kerberos(_v)?5	{ SETSTATE(0); return KERBEROS5; }
-kerberos	{ SETSTATE(0); return KERBEROS; }
-ssh		{ SETSTATE(0); return SSH; }
+any		{ SETSTATE(0); yylval.proto = A_ANY; return AUTHTYPE;}
+gssapi		{ SETSTATE(0); yylval.proto = A_GSSAPI; return AUTHTYPE;}
+kerberos(_v)?4	{ SETSTATE(0); yylval.proto = A_KERBEROS_V4; return AUTHTYPE;}
+kerberos(_v)?5	{ SETSTATE(0); yylval.proto = A_KERBEROS_V5; return AUTHTYPE;}
+kerberos	{ SETSTATE(0); yylval.proto = A_KERBEROS_V4; return AUTHTYPE;}
+ssh		{ SETSTATE(0); yylval.proto = A_SSH; return AUTHTYPE;}
+cram(-md5)?	{ SETSTATE(0); yylval.proto = A_CRAM_MD5; return AUTHTYPE;}
+ntlm		{ SETSTATE(0); yylval.proto = A_NTLM; return AUTHTYPE;}
 <AUTH>password { SETSTATE(0); return PASSWORD; }
 timeout		{ return TIMEOUT;}
 envelope	{ return ENVELOPE; }
diff --git a/rcfile_y.y b/rcfile_y.y
index 6398016d..92a4b11c 100644
--- a/rcfile_y.y
+++ b/rcfile_y.y
@@ -58,16 +58,16 @@ extern char * yytext;
   char *sval;
 }
 
-%token DEFAULTS POLL SKIP VIA AKA LOCALDOMAINS PROTOCOL ANY
-%token AUTHENTICATE TIMEOUT KPOP SDPS KERBEROS4 KERBEROS5 KERBEROS GSSAPI
-%token SSH ENVELOPE QVIRTUAL USERNAME PASSWORD FOLDER SMTPHOST MDA BSMTP LMTP
+%token DEFAULTS POLL SKIP VIA AKA LOCALDOMAINS PROTOCOL
+%token AUTHENTICATE TIMEOUT KPOP SDPS
+%token ENVELOPE QVIRTUAL USERNAME PASSWORD FOLDER SMTPHOST MDA BSMTP LMTP
 %token SMTPADDRESS SMTPNAME SPAMRESPONSE PRECONNECT POSTCONNECT LIMIT WARNINGS
 %token NETSEC INTERFACE MONITOR PLUGIN PLUGOUT
 %token IS HERE THERE TO MAP WILDCARD
 %token BATCHLIMIT FETCHLIMIT EXPUNGE PROPERTIES
 %token SET LOGFILE DAEMON SYSLOG IDFILE INVISIBLE POSTMASTER BOUNCEMAIL 
 %token SPAMBOUNCE SHOWDOTS
-%token <proto> PROTO
+%token <proto> PROTO AUTHTYPE
 %token <sval>  STRING
 %token <number> NUMBER
 %token NO KEEP FLUSH FETCHALL REWRITE FORCECR STRIPCR PASS8BITS 
@@ -182,25 +182,8 @@ serv_option	: AKA alias_list
 		}
 		| INTERVAL NUMBER
 			{current.server.interval = $2;}
-		| AUTHENTICATE ANY
-			{current.server.authenticate = A_ANY;}
-		| AUTHENTICATE PASSWORD
-			{current.server.authenticate = A_PASSWORD;}
-		| AUTHENTICATE GSSAPI
-			{current.server.authenticate = A_GSSAPI;}
-		| AUTHENTICATE KERBEROS4
-			{current.server.authenticate = A_KERBEROS_V4;}
-                | AUTHENTICATE KERBEROS5
-		 	{current.server.authenticate = A_KERBEROS_V5;}
-                | AUTHENTICATE KERBEROS         {
-#ifdef KERBEROS_V5
-		    current.server.authenticate = A_KERBEROS_V5;
-#else
-		    current.server.authenticate = A_KERBEROS_V4;
-#endif /* KERBEROS_V5 */
-		}
-                | AUTHENTICATE SSH
-		 	{current.server.authenticate = A_SSH;}
+		| AUTHENTICATE AUTHTYPE
+			{current.server.authenticate = $2;}
 		| TIMEOUT NUMBER
 			{current.server.timeout = $2;}
 		| ENVELOPE NUMBER STRING