SMTP authentication: fix ordering of preferred authentication method

Fixed the order of the preferred SMTP authentication method to:
AUTH CRAM-MD5, AUTH LOGIN then AUTH PLAIN.

AUTH PLAIN should be the last as it slightly more insecure than AUTH LOGIN
as the username and password are sent together - there is no handshaking
between the client and server like there is with AUTH LOGIN.
This commit is contained in:
Steve Holme 2011-08-24 08:55:25 +02:00 committed by Yang Tse
parent fd00b382b2
commit e882416e75
1 changed files with 35 additions and 34 deletions

View File

@ -401,7 +401,7 @@ static CURLcode smtp_authenticate(struct connectdata *conn)
l = 1;
/* Check supported authentication mechanisms by decreasing order of
preference. */
security. */
mech = (const char *) NULL; /* Avoid compiler warnings. */
state1 = SMTP_STOP;
state2 = SMTP_STOP;
@ -413,18 +413,18 @@ static CURLcode smtp_authenticate(struct connectdata *conn)
}
else
#endif
if(smtpc->authmechs & SMTP_AUTH_PLAIN) {
mech = "PLAIN";
state1 = SMTP_AUTHPLAIN;
state2 = SMTP_AUTH;
result = smtp_auth_plain_data(conn, &initresp, &l);
}
else if(smtpc->authmechs & SMTP_AUTH_LOGIN) {
if(smtpc->authmechs & SMTP_AUTH_LOGIN) {
mech = "LOGIN";
state1 = SMTP_AUTHLOGIN;
state2 = SMTP_AUTHPASSWD;
result = smtp_auth_login_user(conn, &initresp, &l);
}
else if(smtpc->authmechs & SMTP_AUTH_PLAIN) {
mech = "PLAIN";
state1 = SMTP_AUTHPLAIN;
state2 = SMTP_AUTH;
result = smtp_auth_plain_data(conn, &initresp, &l);
}
else {
infof(conn->data, "No known auth mechanisms supported!\n");
result = CURLE_LOGIN_DENIED; /* Other mechanisms not supported. */
@ -1083,9 +1083,9 @@ static CURLcode smtp_init(struct connectdata *conn)
* smtp_connect() should do everything that is to be considered a part of
* the connection phase.
*
* The variable 'done' points to will be TRUE if the protocol-layer connect
* phase is done when this function returns, or FALSE is not. When called as
* a part of the easy interface, it will always be TRUE.
* The variable pointed to by 'done' will be TRUE if the protocol-layer
* connect phase is done when this function returns, or FALSE if not. When
* called as a part of the easy interface, it will always be TRUE.
*/
static CURLcode smtp_connect(struct connectdata *conn,
bool *done) /* see description above */
@ -1357,7 +1357,8 @@ static CURLcode smtp_quit(struct connectdata *conn)
* Disconnect from an SMTP server. Cleanup protocol-specific per-connection
* resources. BLOCKING.
*/
static CURLcode smtp_disconnect(struct connectdata *conn, bool dead_connection)
static CURLcode smtp_disconnect(struct connectdata *conn,
bool dead_connection)
{
struct smtp_conn *smtpc = &conn->proto.smtpc;