SMTP authentication: fix ordering of preferred authentication method

Fixed the order of the preferred SMTP authentication method to: AUTH CRAM-MD5, AUTH LOGIN then AUTH PLAIN. AUTH PLAIN should be the last as it slightly more insecure than AUTH LOGIN as the username and password are sent together - there is no handshaking between the client and server like there is with AUTH LOGIN.
2011-08-24 08:55:25 +02:00 · 2011-08-24 08:55:25 +02:00 · e882416e75
parent fd00b382b2
commit e882416e75
1 changed files with 35 additions and 34 deletions
--- a/lib/smtp.c
+++ b/lib/smtp.c
@ -401,7 +401,7 @@ static CURLcode smtp_authenticate(struct connectdata *conn)
    l = 1;

    /* Check supported authentication mechanisms by decreasing order of
-       preference. */
+       security. */
    mech = (const char *) NULL;         /* Avoid compiler warnings. */
    state1 = SMTP_STOP;
    state2 = SMTP_STOP;
@ -413,18 +413,18 @@ static CURLcode smtp_authenticate(struct connectdata *conn)
    }
    else
 #endif
-    if(smtpc->authmechs & SMTP_AUTH_PLAIN) {
-      mech = "PLAIN";
-      state1 = SMTP_AUTHPLAIN;
-      state2 = SMTP_AUTH;
-      result = smtp_auth_plain_data(conn, &initresp, &l);
-    }
-    else if(smtpc->authmechs & SMTP_AUTH_LOGIN) {
+    if(smtpc->authmechs & SMTP_AUTH_LOGIN) {
      mech = "LOGIN";
      state1 = SMTP_AUTHLOGIN;
      state2 = SMTP_AUTHPASSWD;
      result = smtp_auth_login_user(conn, &initresp, &l);
    }
+    else if(smtpc->authmechs & SMTP_AUTH_PLAIN) {
+      mech = "PLAIN";
+      state1 = SMTP_AUTHPLAIN;
+      state2 = SMTP_AUTH;
+      result = smtp_auth_plain_data(conn, &initresp, &l);
+    }
    else {
      infof(conn->data, "No known auth mechanisms supported!\n");
      result = CURLE_LOGIN_DENIED;      /* Other mechanisms not supported. */
@ -1083,9 +1083,9 @@ static CURLcode smtp_init(struct connectdata *conn)
 * smtp_connect() should do everything that is to be considered a part of
 * the connection phase.
 *
- * The variable 'done' points to will be TRUE if the protocol-layer connect
- * phase is done when this function returns, or FALSE is not. When called as
- * a part of the easy interface, it will always be TRUE.
+ * The variable pointed to by 'done' will be TRUE if the protocol-layer
+ * connect phase is done when this function returns, or FALSE if not. When
+ * called as a part of the easy interface, it will always be TRUE.
 */
 static CURLcode smtp_connect(struct connectdata *conn,
                             bool *done) /* see description above */
@ -1357,7 +1357,8 @@ static CURLcode smtp_quit(struct connectdata *conn)
 * Disconnect from an SMTP server. Cleanup protocol-specific per-connection
 * resources. BLOCKING.
 */
-static CURLcode smtp_disconnect(struct connectdata *conn, bool dead_connection)
+static CURLcode smtp_disconnect(struct connectdata *conn,
+                                bool dead_connection)
 {
  struct smtp_conn *smtpc = &conn->proto.smtpc;