Hi Yang,

> Actually smtp_auth_ntlm() in this patch should not have
> the outlen parameter.

The outlen parameter is used in smtp_authenticate() when calculating if the buffer is within length. This is how all the smtp_auth* functions work.

> It would be more clear if 'msg-typeX' or something were used in those names.

No problems - I can change the state and function names if you would like me to. I guess you could say, I am still trying to find the right balance between meaningful names and not "too long" names for things within Curl.

> Aha!, but what actually happens is that you are introducing
> these to somehow allow disabling the 'initial-response'
> sending in the AUTH command for the NTLM authentication.

Not at all. The 'initial-response' disabling is not present in this patch and as such the contents returned by smtp_auth_ntlm() will be the 'initial-response' in smtp_authenticate().

To a certain degree, you could argue that smtp_auth_ntlm_resp() is not needed (at present), however, AUTH PLAIN and AUTH LOGIN have a corresponding response function for when the 'initial-response' is disabled. In reality they never get called, as the variable state1 only gets used when initresp is empty or the length of the response is longer than 504 characters.

For the sake of clarity and consistency, and the odd occasion that the output from smtp_auth_login_user(), smtp_auth_login_plain_data() and smtp_auth_login_ntlm() is between 504 and 514 characters long, I have provided the same - I am happy to remove smtp_auth_ntlm_resp() if you would like me to, but I would also recommend removing smtp_state_authplain_resp() and smtp_state_authlogin_resp() as well ;-)

> You also place NTLM authentication as the preferred method
> above any other one. I wonder if this should be the preferred
> method and if STARTTLS influence should be considered in this
> placement.

This was based on my own testing with Exchange Server but I am happy to move the placement of AUTH NTLM to below AUTH CRAM-MD5, if you would like me to, as I don't know which of these mechanisms is more secure.
However, NTLM is more secure than both AUTH LOGIN AND AUTH PLAIN regardless of whether TLS is on or off.

> In case mentioned problems above didn't exist, given that we
> are in feature freeze period and that it introduces functional
> changes we neither can accept it.

How would you like me to proceed with this, as this is functionality that was present in my original two patches from July and is subsequently on Daniel's TODO list for v7.22.0 as items 303 and 304?

Kind Regards

Steve
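
The fallback discussed in the message above (send the response inline with AUTH unless it is empty or longer than 504 characters, otherwise wait for the server's challenge), as an added example that is not part of the original message and is not curl's code. The function names, the enum and the sample credentials are hypothetical; only the 504 threshold comes from the message.

```c
/* Added example, not curl source: all names here are hypothetical. */
#include <stdio.h>
#include <string.h>

#define MAX_INITRESP 504 /* threshold quoted in the message above */

enum auth_next { AUTH_EXPECT_FINAL, AUTH_EXPECT_CHALLENGE };

/* Standard padded base64; returns encoded length, 0 if out is too small. */
static size_t b64_encode(const unsigned char *in, size_t len, char *out, size_t outsize)
{
  static const char tbl[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
  size_t i, o = 0;
  if(4 * ((len + 2) / 3) + 1 > outsize) return 0;
  for(i = 0; i < len; i += 3) {
    unsigned long v = (unsigned long)in[i] << 16;
    if(i + 1 < len) v |= (unsigned long)in[i + 1] << 8;
    if(i + 2 < len) v |= in[i + 2];
    out[o++] = tbl[(v >> 18) & 63];
    out[o++] = tbl[(v >> 12) & 63];
    out[o++] = (i + 1 < len) ? tbl[(v >> 6) & 63] : '=';
    out[o++] = (i + 2 < len) ? tbl[v & 63] : '=';
  }
  out[o] = '\0';
  return o;
}

/* Inline the response only when it is non-empty and fits; otherwise send a
   bare AUTH and answer the server's 334 challenge in a separate state. */
static enum auth_next build_auth(const char *mech, const char *initresp, char *line, size_t linesize)
{
  size_t n = initresp ? strlen(initresp) : 0;
  if(n == 0 || n > MAX_INITRESP) {
    snprintf(line, linesize, "AUTH %s\r\n", mech);
    return AUTH_EXPECT_CHALLENGE;
  }
  snprintf(line, linesize, "AUTH %s %s\r\n", mech, initresp);
  return AUTH_EXPECT_FINAL;
}

int main(void)
{
  char resp[64], line[600];
  /* Constructed AUTH PLAIN message: NUL "user" NUL "secret" (12 bytes). */
  b64_encode((const unsigned char *)"\0user\0secret", 12, resp, sizeof(resp));
  build_auth("PLAIN", resp, line, sizeof(line));
  fputs(line, stdout);
  return 0;
}
```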
