diff src/imap-login/client-authenticate.c @ 1949:d2755efdd187 HEAD

Don't advertise AUTH=PLAIN unless transport is secure
author Timo Sirainen <tss@iki.fi>
date Sat, 01 May 2004 22:09:34 +0300
parents 07324c0d1d0a
children dc5d0da1abe9
--- a/src/imap-login/client-authenticate.c	Sat May 01 21:44:40 2004 +0300
+++ b/src/imap-login/client-authenticate.c	Sat May 01 22:09:34 2004 +0300
@@ -34,10 +34,17 @@
 	str = t_str_new(128);
 
 	for (i = 0; i < AUTH_MECH_COUNT; i++) {
-		if ((auth_mechs & auth_mech_desc[i].mech) &&
-		    auth_mech_desc[i].name != NULL &&
-		    (secured || !auth_mech_desc[i].plaintext ||
-		     !disable_plaintext_auth)) {
+		if ((auth_mechs & auth_mech_desc[i].mech) == 0)
+			continue; /* not available */
+
+		/* a) transport is secured
+		   b) auth mechanism isn't plaintext
+		   c) we allow insecure authentication
+		        - but don't advertise AUTH=PLAIN, as RFC 2595 requires
+		*/
+		if (secured || !auth_mech_desc[i].plaintext ||
+		    (!disable_plaintext_auth &&
+		     auth_mech_desc[i].mech != AUTH_MECH_PLAIN)) {
 			str_append_c(str, ' ');
 			str_append(str, "AUTH=");
 			str_append(str, auth_mech_desc[i].name);
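Review bot: The rewritten condition drops the `auth_mech_desc[i].name != NULL` test that the old one carried, so an enabled mechanism without a name would now reach `str_append(str, auth_mech_desc[i].name)` with a NULL pointer. The descriptor table is not visible in this hunk, so unless it guarantees a name for every entry, fold the guard into the early skip: `if ((auth_mechs & auth_mech_desc[i].mech) == 0 || auth_mech_desc[i].name == NULL) continue;`. Separately, the new test only changes what the capability string advertises. With `disable_plaintext_auth` off, a client can presumably still authenticate with PLAIN over an unsecured connection, so the block comment should say that hiding `AUTH=PLAIN` is an RFC 2595 advertisement rule and not an enforcement point. The loop body and the enclosing function continue outside the hunk.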