mirror of https://github.com/moparisthebest/curl
SMTP authentication: fix ordering of preferred authentication method
Fixed the order of the preferred SMTP authentication method to: AUTH CRAM-MD5, AUTH LOGIN then AUTH PLAIN. AUTH PLAIN should be the last as it slightly more insecure than AUTH LOGIN as the username and password are sent together - there is no handshaking between the client and server like there is with AUTH LOGIN.
This commit is contained in:
parent
fd00b382b2
commit
e882416e75
25
lib/smtp.c
25
lib/smtp.c
|
@ -401,7 +401,7 @@ static CURLcode smtp_authenticate(struct connectdata *conn)
|
|||
l = 1;
|
||||
|
||||
/* Check supported authentication mechanisms by decreasing order of
|
||||
preference. */
|
||||
security. */
|
||||
mech = (const char *) NULL; /* Avoid compiler warnings. */
|
||||
state1 = SMTP_STOP;
|
||||
state2 = SMTP_STOP;
|
||||
|
@ -413,18 +413,18 @@ static CURLcode smtp_authenticate(struct connectdata *conn)
|
|||
}
|
||||
else
|
||||
#endif
|
||||
if(smtpc->authmechs & SMTP_AUTH_PLAIN) {
|
||||
mech = "PLAIN";
|
||||
state1 = SMTP_AUTHPLAIN;
|
||||
state2 = SMTP_AUTH;
|
||||
result = smtp_auth_plain_data(conn, &initresp, &l);
|
||||
}
|
||||
else if(smtpc->authmechs & SMTP_AUTH_LOGIN) {
|
||||
if(smtpc->authmechs & SMTP_AUTH_LOGIN) {
|
||||
mech = "LOGIN";
|
||||
state1 = SMTP_AUTHLOGIN;
|
||||
state2 = SMTP_AUTHPASSWD;
|
||||
result = smtp_auth_login_user(conn, &initresp, &l);
|
||||
}
|
||||
else if(smtpc->authmechs & SMTP_AUTH_PLAIN) {
|
||||
mech = "PLAIN";
|
||||
state1 = SMTP_AUTHPLAIN;
|
||||
state2 = SMTP_AUTH;
|
||||
result = smtp_auth_plain_data(conn, &initresp, &l);
|
||||
}
|
||||
else {
|
||||
infof(conn->data, "No known auth mechanisms supported!\n");
|
||||
result = CURLE_LOGIN_DENIED; /* Other mechanisms not supported. */
|
||||
|
@ -1083,9 +1083,9 @@ static CURLcode smtp_init(struct connectdata *conn)
|
|||
* smtp_connect() should do everything that is to be considered a part of
|
||||
* the connection phase.
|
||||
*
|
||||
* The variable 'done' points to will be TRUE if the protocol-layer connect
|
||||
* phase is done when this function returns, or FALSE is not. When called as
|
||||
* a part of the easy interface, it will always be TRUE.
|
||||
* The variable pointed to by 'done' will be TRUE if the protocol-layer
|
||||
* connect phase is done when this function returns, or FALSE if not. When
|
||||
* called as a part of the easy interface, it will always be TRUE.
|
||||
*/
|
||||
static CURLcode smtp_connect(struct connectdata *conn,
|
||||
bool *done) /* see description above */
|
||||
|
@ -1357,7 +1357,8 @@ static CURLcode smtp_quit(struct connectdata *conn)
|
|||
* Disconnect from an SMTP server. Cleanup protocol-specific per-connection
|
||||
* resources. BLOCKING.
|
||||
*/
|
||||
static CURLcode smtp_disconnect(struct connectdata *conn, bool dead_connection)
|
||||
static CURLcode smtp_disconnect(struct connectdata *conn,
|
||||
bool dead_connection)
|
||||
{
|
||||
struct smtp_conn *smtpc = &conn->proto.smtpc;
|
||||
|
||||
|
|
Loading…
Reference in New Issue