Hi Yang,

> Actually smtp_auth_ntlm() in this patch should not have
> the outlen parameter.

The outlen parameter is used in smtp_authenticate() when calculating if the
buffer is within length. This is how all the smtp_auth* functions work.

> It would be more clear if 'msg-typeX' or something were used in those
names.

No problems - I can change the state and function names if you would like me
to. I guess you could say, I am still trying to find the right balance
between meaningful names and not "too long" names for things within Curl.

> Aha!, but what actually happens is that you are introducing
> these to somehow allow disabling the 'initial-response'
> sending in the AUTH command for the NTLM authentication.

Not at all. The 'intial-response' disabling is not present in this patch and
as such the contents returned by smtp_auth_ntlm() will be the
'initial-response' in smtp_authenticate(). To a certain degree, you could
argue that smtp_auth_ntlm_resp() is not needed (at present), however, AUTH
PLAIN and AUTH LOGIN have a corresponding response function for when the
'initial-response' is disabled. In reality they never get called, as the
variable state1 only gets used when initresp is empty or the length of the
response is longer than 504 characters.

For the sake of clarity and consistency, and the odd occasion that the
output from smtp_auth_login_user(), smtp_auth_login_plain_data() and
smtp_auth_login_ntlm() is between 504 and 514 characters long, I have
provided the same - I am happy to remove smtp_auth_ntlm_resp() if you would
like me to, but I would also recommend removing smtp_state_authplain_resp()
and smtp_state_authlogin_resp() as well ;-)

> You also place NTLM authentication as the preferred method
> above any aother one. I wonder if this should be the preferred
> method and if STARTTLS influence should be considered in this
> placement.

This was based on my own testing with Exchange Server but I am happy to move
the placement of AUTH NTLM to below AUTH CRAM-MD5, if you would like me to,
as I don't know which of these mechanism's is more secure. However, NTLM is
more secure than both AUTH LOGIN AND AUTH PLAIN regardless of whether TLS is
on or off.

> In case mentioned problems above didn't exist, given that we
> are in feature freeze period and that it introduces functional
> changes we neither can accept it.

How would you like me to proceed with this, as this is functionality that
was present in my original two patches from July and is subsequently on
Daniel's TODO list for v7.22.0 as items 303 and 304?

Kind Regards

Steve

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2011-08-26