From eb84ca3ea8f793ecbedf7865c41a8d1b9f59efb7 Mon Sep 17 00:00:00 2001
From: Steve Holme <steve_holme@hotmail.com>
Date: Thu, 18 Apr 2019 21:54:35 +0100
Subject: sasl: Don't send authcid as authzid for the PLAIN mechanism as per
 RFC 4616

RFC 4616 specifies the authzid is optional in the client authentication
message and that the server will derive the authorisation identity
(authzid) from the authentication identity (authcid) when not specified
by the client.
---
 lib/curl_sasl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'lib')

diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c
index 94b51e541..c609b1ded 100644
--- a/lib/curl_sasl.c
+++ b/lib/curl_sasl.c
@@ -367,7 +367,7 @@ CURLcode Curl_sasl_start(struct SASL *sasl, struct connectdata *conn,
       sasl->authused = SASL_MECH_PLAIN;
 
       if(force_ir || data->set.sasl_ir)
-        result = Curl_auth_create_plain_message(data, conn->user, conn->user,
+        result = Curl_auth_create_plain_message(data, NULL, conn->user,
                                                 conn->passwd, &resp, &len);
     }
     else if(enabledmechs & SASL_MECH_LOGIN) {
@@ -450,7 +450,7 @@ CURLcode Curl_sasl_continue(struct SASL *sasl, struct connectdata *conn,
     *progress = SASL_DONE;
     return result;
   case SASL_PLAIN:
-    result = Curl_auth_create_plain_message(data, conn->user, conn->user,
+    result = Curl_auth_create_plain_message(data, NULL, conn->user,
                                             conn->passwd, &resp, &len);
     break;
   case SASL_LOGIN:
-- 
cgit v1.2.1