SMTP authentication: fix ordering of preferred authentication method

Fixed the order of the preferred SMTP authentication method to:
AUTH CRAM-MD5, AUTH LOGIN then AUTH PLAIN.

AUTH PLAIN should be the last as it is slightly more insecure than AUTH LOGIN
as the username and password are sent together - there is no handshaking
between the client and server like there is with AUTH LOGIN.
Steve Holme 2011-08-24 08:55:25 +02:00 committed by Yang Tse
parent fd00b382b2
commit e882416e75


@ -283,7 +283,7 @@ static void state(struct connectdata *conn,
struct smtp_conn *smtpc = &conn->proto.smtpc;
#if defined(DEBUGBUILD) && !defined(CURL_DISABLE_VERBOSE_STRINGS)
/* for debug purposes */
static const char * const names[]={
static const char * const names[] = {
"STOP",
"SERVERGREET",
"EHLO",
@ -401,7 +401,7 @@ static CURLcode smtp_authenticate(struct connectdata *conn)
l = 1;
/* Check supported authentication mechanisms by decreasing order of
preference. */
security. */
mech = (const char *) NULL; /* Avoid compiler warnings. */
state1 = SMTP_STOP;
state2 = SMTP_STOP;
@ -413,18 +413,18 @@ static CURLcode smtp_authenticate(struct connectdata *conn)
}
else
#endif
if(smtpc->authmechs & SMTP_AUTH_PLAIN) {
mech = "PLAIN";
state1 = SMTP_AUTHPLAIN;
state2 = SMTP_AUTH;
result = smtp_auth_plain_data(conn, &initresp, &l);
}
else if(smtpc->authmechs & SMTP_AUTH_LOGIN) {
if(smtpc->authmechs & SMTP_AUTH_LOGIN) {
mech = "LOGIN";
state1 = SMTP_AUTHLOGIN;
state2 = SMTP_AUTHPASSWD;
result = smtp_auth_login_user(conn, &initresp, &l);
}
else if(smtpc->authmechs & SMTP_AUTH_PLAIN) {
mech = "PLAIN";
state1 = SMTP_AUTHPLAIN;
state2 = SMTP_AUTH;
result = smtp_auth_plain_data(conn, &initresp, &l);
}
else {
infof(conn->data, "No known auth mechanisms supported!\n");
result = CURLE_LOGIN_DENIED; /* Other mechanisms not supported. */
@ -927,7 +927,7 @@ static CURLcode smtp_statemach_act(struct connectdata *conn)
{
CURLcode result;
curl_socket_t sock = conn->sock[FIRSTSOCKET];
struct SessionHandle *data=conn->data;
struct SessionHandle *data = conn->data;
int smtpcode;
struct smtp_conn *smtpc = &conn->proto.smtpc;
struct pingpong *pp = &smtpc->pp;
@ -1083,17 +1083,17 @@ static CURLcode smtp_init(struct connectdata *conn)
* smtp_connect() should do everything that is to be considered a part of
* the connection phase.
*
* The variable 'done' points to will be TRUE if the protocol-layer connect
* phase is done when this function returns, or FALSE is not. When called as
* a part of the easy interface, it will always be TRUE.
* The variable pointed to by 'done' will be TRUE if the protocol-layer
* connect phase is done when this function returns, or FALSE if not. When
* called as a part of the easy interface, it will always be TRUE.
*/
static CURLcode smtp_connect(struct connectdata *conn,
bool *done) /* see description above */
{
CURLcode result;
struct smtp_conn *smtpc = &conn->proto.smtpc;
struct SessionHandle *data=conn->data;
struct pingpong *pp=&smtpc->pp;
struct SessionHandle *data = conn->data;
struct pingpong *pp = &smtpc->pp;
const char *path = conn->data->state.path;
int len;
char localhost[1024 + 1];
@ -1200,7 +1200,7 @@ static CURLcode smtp_done(struct connectdata *conn, CURLcode status,
{
struct SessionHandle *data = conn->data;
struct FTP *smtp = data->state.proto.smtp;
CURLcode result=CURLE_OK;
CURLcode result = CURLE_OK;
ssize_t bytes_written;
(void)premature;
@ -1230,7 +1230,7 @@ static CURLcode smtp_done(struct connectdata *conn, CURLcode status,
if(status == CURLE_OK) {
struct smtp_conn *smtpc = &conn->proto.smtpc;
struct pingpong *pp= &smtpc->pp;
struct pingpong *pp = &smtpc->pp;
pp->response = Curl_tvnow(); /* timeout relative now */
state(conn, SMTP_POSTDATA);
@ -1264,7 +1264,7 @@ CURLcode smtp_perform(struct connectdata *conn,
bool *dophase_done)
{
/* this is SMTP and no proxy */
CURLcode result=CURLE_OK;
CURLcode result = CURLE_OK;
DEBUGF(infof(conn->data, "DO phase starts\n"));
@ -1357,9 +1357,10 @@ static CURLcode smtp_quit(struct connectdata *conn)
* Disconnect from an SMTP server. Cleanup protocol-specific per-connection
* resources. BLOCKING.
*/
static CURLcode smtp_disconnect(struct connectdata *conn, bool dead_connection)
static CURLcode smtp_disconnect(struct connectdata *conn,
bool dead_connection)
{
struct smtp_conn *smtpc= &conn->proto.smtpc;
struct smtp_conn *smtpc = &conn->proto.smtpc;
/* We cannot send quit unconditionally. If this connection is stale or
bad in any way, sending quit and waiting around here will make the
@ -1385,7 +1386,7 @@ static CURLcode smtp_dophase_done(struct connectdata *conn,
bool connected)
{
struct FTP *smtp = conn->data->state.proto.smtp;
struct smtp_conn *smtpc= &conn->proto.smtpc;
struct smtp_conn *smtpc = &conn->proto.smtpc;
(void)connected;
if(smtp->transfer != FTPTRANSFER_BODY)
@ -1426,8 +1427,8 @@ static
CURLcode smtp_regular_transfer(struct connectdata *conn,
bool *dophase_done)
{
CURLcode result=CURLE_OK;
bool connected=FALSE;
CURLcode result = CURLE_OK;
bool connected = FALSE;
struct SessionHandle *data = conn->data;
data->req.size = -1; /* make sure this is unknown at this point */
@ -1454,7 +1455,7 @@ CURLcode smtp_regular_transfer(struct connectdata *conn,
return result;
}
static CURLcode smtp_setup_connection(struct connectdata * conn)
static CURLcode smtp_setup_connection(struct connectdata *conn)
{
struct SessionHandle *data = conn->data;
@ -1501,7 +1502,7 @@ CURLcode Curl_smtp_escape_eob(struct connectdata *conn, ssize_t nread)
struct SessionHandle *data = conn->data;
if(data->state.scratch == NULL)
data->state.scratch = malloc(2*BUFSIZE);
data->state.scratch = malloc(2 * BUFSIZE);
if(data->state.scratch == NULL) {
failf (data, "Failed to alloc scratch buffer!");
return CURLE_OUT_OF_MEMORY;
@ -1511,9 +1512,9 @@ CURLcode Curl_smtp_escape_eob(struct connectdata *conn, ssize_t nread)
for(i = 0, si = 0; i < nread; i++, si++) {
ssize_t left = nread - i;
if(left>= (ssize_t)(SMTP_EOB_LEN-smtpc->eob)) {
if(!memcmp(SMTP_EOB+smtpc->eob, &data->req.upload_fromhere[i],
SMTP_EOB_LEN-smtpc->eob)) {
if(left >= (ssize_t)(SMTP_EOB_LEN - smtpc->eob)) {
if(!memcmp(SMTP_EOB + smtpc->eob, &data->req.upload_fromhere[i],
SMTP_EOB_LEN - smtpc->eob)) {
/* It matched, copy the replacement data to the target buffer
instead. Note that the replacement does not contain the
trailing CRLF but we instead continue to match on that one
@ -1521,14 +1522,14 @@ CURLcode Curl_smtp_escape_eob(struct connectdata *conn, ssize_t nread)
*/
memcpy(&data->state.scratch[si], SMTP_EOB_REPL,
SMTP_EOB_REPL_LEN);
si+=SMTP_EOB_REPL_LEN-1; /* minus one since the for() increments
si += SMTP_EOB_REPL_LEN - 1; /* minus one since the for() increments
it */
i+=SMTP_EOB_LEN-smtpc->eob-1-2;
i += SMTP_EOB_LEN - smtpc->eob - 1 - 2;
smtpc->eob = 0; /* start over */
continue;
}
}
else if(!memcmp(SMTP_EOB+smtpc->eob, &data->req.upload_fromhere[i],
else if(!memcmp(SMTP_EOB + smtpc->eob, &data->req.upload_fromhere[i],
left)) {
/* the last piece of the data matches the EOB so we can't send that
until we know the rest of it */
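Review bot: In the smtp_authenticate hunk that moves LOGIN ahead of PLAIN, the reworded comment ("by decreasing order of security") overstates the difference between the last two branches: both LOGIN and PLAIN send the credentials merely base64-encoded, so neither protects them unless the connection is already under TLS. Nothing visible in that hunk checks whether the connection is encrypted before a cleartext mechanism is selected, and the choice rests only on `smtpc->authmechs`, which presumably comes from the server's unauthenticated capability reply; on a plaintext connection that list can be altered in transit so that the stronger branch before the `#endif` (CRAM-MD5 per the commit message) is skipped. The function starts and ends outside the hunk, so such a check may exist elsewhere. I would keep the original word "preference" and add the caveat, e.g. `/* Check supported authentication mechanisms by decreasing order of preference. LOGIN and PLAIN both send base64-encoded credentials and rely on TLS for confidentiality. */`, and document that users who need protection against mechanism downgrade should require TLS for the transfer.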