Commit e882416e authored by Steve Holme, committed by Yang Tse

SMTP authentication: fix ordering of preferred authentication method

Fixed the order of the preferred SMTP authentication method to:
AUTH CRAM-MD5, AUTH LOGIN then AUTH PLAIN.

AUTH PLAIN should be the last as it is slightly less secure than AUTH LOGIN,
because the username and password are sent together - there is no handshaking
between the client and server like there is with AUTH LOGIN.
parent fd00b382
+35 −34
@@ -401,7 +401,7 @@ static CURLcode smtp_authenticate(struct connectdata *conn)
    l = 1;

    /* Check supported authentication mechanisms by decreasing order of
       preference. */
       security. */
    mech = (const char *) NULL;         /* Avoid compiler warnings. */
    state1 = SMTP_STOP;
    state2 = SMTP_STOP;
@@ -413,18 +413,18 @@ static CURLcode smtp_authenticate(struct connectdata *conn)
    }
    else
#endif
    if(smtpc->authmechs & SMTP_AUTH_PLAIN) {
      mech = "PLAIN";
      state1 = SMTP_AUTHPLAIN;
      state2 = SMTP_AUTH;
      result = smtp_auth_plain_data(conn, &initresp, &l);
    }
    else if(smtpc->authmechs & SMTP_AUTH_LOGIN) {
    if(smtpc->authmechs & SMTP_AUTH_LOGIN) {
      mech = "LOGIN";
      state1 = SMTP_AUTHLOGIN;
      state2 = SMTP_AUTHPASSWD;
      result = smtp_auth_login_user(conn, &initresp, &l);
    }
    else if(smtpc->authmechs & SMTP_AUTH_PLAIN) {
      mech = "PLAIN";
      state1 = SMTP_AUTHPLAIN;
      state2 = SMTP_AUTH;
      result = smtp_auth_plain_data(conn, &initresp, &l);
    }
    else {
      infof(conn->data, "No known auth mechanisms supported!\n");
      result = CURLE_LOGIN_DENIED;      /* Other mechanisms not supported. */
@@ -1083,9 +1083,9 @@ static CURLcode smtp_init(struct connectdata *conn)
 * smtp_connect() should do everything that is to be considered a part of
 * the connection phase.
 *
 * The variable 'done' points to will be TRUE if the protocol-layer connect
 * phase is done when this function returns, or FALSE is not. When called as
 * a part of the easy interface, it will always be TRUE.
 * The variable pointed to by 'done' will be TRUE if the protocol-layer
 * connect phase is done when this function returns, or FALSE if not. When
 * called as a part of the easy interface, it will always be TRUE.
 */
static CURLcode smtp_connect(struct connectdata *conn,
                             bool *done) /* see description above */
@@ -1357,7 +1357,8 @@ static CURLcode smtp_quit(struct connectdata *conn)
 * Disconnect from an SMTP server. Cleanup protocol-specific per-connection
 * resources. BLOCKING.
 */
static CURLcode smtp_disconnect(struct connectdata *conn, bool dead_connection)
static CURLcode smtp_disconnect(struct connectdata *conn,
                                bool dead_connection)
{
  struct smtp_conn *smtpc = &conn->proto.smtpc;