Don't advertise AUTH=PLAIN unless transport is secure

--HG--
branch : HEAD

diff --git a/src/imap-login/client-authenticate.c b/src/imap-login/client-authenticate.c
index f01f7ef48c05904028374174405c571e7e07ad9d..b9033f0dcd95f14325dff033ab9fdfe290593531 100644 (file)
--- a/src/imap-login/client-authenticate.c
+++ b/src/imap-login/client-authenticate.c
@@ -34,10 +34,17 @@ const char *client_authenticate_get_capabilities(int secured)
        str = t_str_new(128);
 
        for (i = 0; i < AUTH_MECH_COUNT; i++) {
-               if ((auth_mechs & auth_mech_desc[i].mech) &&
-                   auth_mech_desc[i].name != NULL &&
-                   (secured || !auth_mech_desc[i].plaintext ||
-                    !disable_plaintext_auth)) {
+               if ((auth_mechs & auth_mech_desc[i].mech) == 0)
+                       continue; /* not available */
+
+               /* a) transport is secured
+                  b) auth mechanism isn't plaintext
+                  c) we allow insecure authentication
+                       - but don't advertise AUTH=PLAIN, as RFC 2595 requires
+               */
+               if (secured || !auth_mech_desc[i].plaintext ||
+                   (!disable_plaintext_auth &&
+                    auth_mech_desc[i].mech != AUTH_MECH_PLAIN)) {
                        str_append_c(str, ' ');
                        str_append(str, "AUTH=");
                        str_append(str, auth_mech_desc[i].name);

diff --git a/src/pop3-login/client-authenticate.c b/src/pop3-login/client-authenticate.c
index 6f5203ea69b5796fd18898f8d3a85301132c77d9..7001a56e27455e71ecf565cd3042e4b3e2c3925b 100644 (file)
--- a/src/pop3-login/client-authenticate.c
+++ b/src/pop3-login/client-authenticate.c
@@ -34,10 +34,18 @@ int cmd_capa(struct pop3_client *client, const char *args __attr_unused__)
 
                str_append(str, "SASL");
                for (i = 0; i < AUTH_MECH_COUNT; i++) {
-                       if ((auth_mechs & auth_mech_desc[i].mech) &&
-                           auth_mech_desc[i].name != NULL &&
-                           (client->secured || !auth_mech_desc[i].plaintext ||
-                            !disable_plaintext_auth)) {
+                       if ((auth_mechs & auth_mech_desc[i].mech) == 0)
+                               continue; /* not available */
+
+                       /* a) transport is secured
+                          b) auth mechanism isn't plaintext
+                          c) we allow insecure authentication
+                              - but don't advertise AUTH=PLAIN,
+                                as RFC 2595 requires
+                       */
+                       if (client->secured || !auth_mech_desc[i].plaintext ||
+                           (!disable_plaintext_auth &&
+                            auth_mech_desc[i].mech != AUTH_MECH_PLAIN)) {
                                str_append_c(str, ' ');
                                str_append(str, auth_mech_desc[i].name);
                        }