-rw-r--r--configure.in5
-rw-r--r--imap.c12
-rw-r--r--options.c4
-rw-r--r--rcfile_y.y7
-rw-r--r--socket.c20
5 files changed, 32 insertions, 16 deletions
diff --git a/configure.in b/configure.in
index 84dae585..8fd6d8e7 100644
--- a/configure.in
+++ b/configure.in
@@ -205,6 +205,11 @@ AC_ARG_ENABLE(netsec,
echo ' for network security support. Either it does not exist, or it was';
echo ' not built with network security support enabled.';
exit 1]) ])
+ unset ac_cv_header_net_security_h; AC_CHECK_HEADER(net/security.h,,
+ [ unset ac_cv_header_net_security_h; CPPFLAGS="$CPPFLAGS -I/usr/inet6/include"; CFLAGS="$CFLAGS -I/usr/inet6/include"; AC_CHECK_HEADER(net/security.h,,
+ [ echo 'configure: cannot find <net/security.h>, which is required for network security';
+ echo ' support.';
+ exit 1]) ])
AC_DEFINE(NET_SECURITY, 1) ])
### use option --with-gssapi=DIR to compile in GSSAPI support
diff --git a/imap.c b/imap.c
index b4f52489..0924a822 100644
--- a/imap.c
+++ b/imap.c
@@ -122,7 +122,7 @@ static int do_otp(int sock, struct query *ctl)
char challenge[OPIE_CHALLENGE_MAX+1];
char response[OPIE_RESPONSE_MAX+1];
- gen_send(sock, "AUTHENTICATE OTP");
+ gen_send(sock, "AUTHENTICATE X-OTP");
if (rval = gen_recv(sock, buffer, sizeof(buffer)))
return rval;
@@ -597,10 +597,11 @@ int imap_getauth(int sock, struct query *ctl, char *greeting)
peek_capable = (imap_version >= IMAP4);
#if OPIE
- if ((ctl->server.protocol == P_IMAP) && strstr(capabilities, "AUTH=OTP")) {
+ if ((ctl->server.protocol == P_IMAP) && strstr(capabilities, "AUTH=X-OTP")) {
if (outlevel == O_VERBOSE)
error(0, 0, "OTP authentication is supported");
- return do_otp(sock, ctl);
+ if (do_otp(sock, ctl) == PS_SUCCESS)
+ return PS_SUCCESS;
};
#endif /* OPIE */
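Review bot: When do_otp() returns anything other than PS_SUCCESS, the new code falls through silently to the later authentication attempts, which can end at the LOGIN call further down imap_getauth that sends ctl->password in the clear. A server or on-path party that advertises AUTH=X-OTP and then fails the exchange therefore downgrades the session without leaving anything in the log. At minimum, report the failure before continuing, e.g. `error(0, 0, "OTP authentication failed, trying other methods");`, and consider returning PS_AUTHFAIL unless the user has explicitly allowed fallback. imap_getauth starts before and continues past this hunk.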
@@ -647,6 +648,11 @@ int imap_getauth(int sock, struct query *ctl, char *greeting)
}
#endif /* KERBEROS_V4 */
+ if ((imap_version >= IMAP4) && (!strstr(capabilities, "AUTH=LOGIN"))) {
+ error(0,-1, "Required LOGIN capability not supported by server");
+ return PS_AUTHFAIL;
+ };
+
/* try to get authorized in the ordinary (AUTH=LOGIN) way */
ok = gen_transact(sock, "LOGIN %s \"%s\"", ctl->remotename, ctl->password);
if (ok)
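Review bot: The added guard treats the `AUTH=LOGIN` capability as if it announced the IMAP LOGIN command, but `AUTH=` entries name AUTHENTICATE (SASL) mechanisms, and the plain `LOGIN` command sent on the following line is a base-protocol command that servers are not required to list there. As written, a conforming IMAP4 server that does not advertise `AUTH=LOGIN` is rejected with PS_AUTHFAIL before any login is attempted. I would drop the guard or put it behind a user option. Separately, `error(0,-1, ...)` passes -1 as the second argument where the OTP branch uses `error(0, 0, ...)`; unless -1 has a defined meaning for error(), which is not visible here, use 0 for consistency.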
diff --git a/options.c b/options.c
index c0adeff2..9849299f 100644
--- a/options.c
+++ b/options.c
@@ -342,9 +342,9 @@ struct query *ctl; /* option record to be initialized */
case 'T':
case LA_NETSEC:
#if NET_SECURITY
- ctl->server.ipsec = (void *)optarg;
+ ctl->server.netsec = (void *)optarg;
#else
- fprintf(stderr, "fetchmail: IPv6 support is disabled\n");
+ fprintf(stderr, "fetchmail: network security support is disabled\n");
errflag++;
#endif /* NET_SECURITY */
break;
diff --git a/rcfile_y.y b/rcfile_y.y
index 95ffa5c6..b704c2ce 100644
--- a/rcfile_y.y
+++ b/rcfile_y.y
@@ -46,7 +46,7 @@ static int prc_errflag;
static struct hostdata *leadentry;
static flag trailer;
#if NET_SECURITY
-static net_security_operation request[NET_SECURITY_OPERATION_MAX];
+static struct net_security_operation request[NET_SECURITY_OPERATION_MAX];
static int requestlen = NET_SECURITY_OPERATION_MAX;
#endif /* NET_SECURITY */
@@ -173,11 +173,10 @@ serv_option : AKA alias_list
| QVIRTUAL STRING {current.server.qvirtual=xstrdup($2);}
| NETSEC STRING {
#ifdef NET_SECURITY
- if (net_security_strtorequest(options, request, &requestlen))
+ if (net_security_strtorequest($2, request, &requestlen))
yyerror("invalid security request");
else
- current.server.netsec =
- xstrdup($2);
+ current.server.netsec = xstrdup($2);
#else
yyerror("network-security support disabled")
#endif /* NET_SECURITY */
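Review bot: The `#else` branch `yyerror("network-security support disabled")` has no terminating semicolon, so unless the line after `#endif` supplies one, this action will not compile when NET_SECURITY is off; it should read `yyerror("network-security support disabled");`. The action also tests `#ifdef NET_SECURITY` while the declarations at the top of the file use `#if NET_SECURITY`, and the two disagree if the macro is ever defined as 0. In addition, `requestlen` is a file-scope static initialised once to NET_SECURITY_OPERATION_MAX. If net_security_strtorequest() treats it as capacity-in/count-out (its contract is not visible here), reset it with `requestlen = NET_SECURITY_OPERATION_MAX;` before each call. The action's closing brace lies outside the hunk.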
diff --git a/socket.c b/socket.c
index 9fd04024..bb68833c 100644
--- a/socket.c
+++ b/socket.c
@@ -37,13 +37,13 @@ int SockOpen(const char *host, const char *service, const char *options)
{
int i;
struct addrinfo *ai, req;
+#if NET_SECURITY
+ struct net_security_operation request[NET_SECURITY_OPERATION_MAX];
+ int requestlen;
+#endif /* NET_SECURITY */
memset(&req, 0, sizeof(struct addrinfo));
req.ai_socktype = SOCK_STREAM;
-#if NET_SECURITY
- net_security_operation request[NET_SECURITY_OPERATION_MAX];
- int requestlen = NET_SECURITY_OPERATION_MAX;
-#endif /* NET_SECURITY */
if (i = getaddrinfo(host, service, &req, &ai)) {
fprintf(stderr, "fetchmail: getaddrinfo(%s.%s): %s(%d)\n", host, service, gai_strerror(i), i);
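Review bot: `requestlen` lost its `= NET_SECURITY_OPERATION_MAX` initialiser when the declarations were moved up, and the next hunk passes `&requestlen` to net_security_strtorequest() without assigning it first. rcfile_y.y initialises its own `requestlen` to the array size before the same call, which suggests the value is read as the capacity of `request[]`. If so, the function sees an indeterminate length here and the bound on writes into the stack array `request` is lost. Keep the initialiser: `int requestlen = NET_SECURITY_OPERATION_MAX;`. SockOpen's body continues beyond this hunk.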
@@ -51,13 +51,19 @@ int SockOpen(const char *host, const char *service, const char *options)
};
#if NET_SECURITY
- if (net_security_strtorequest(options, request, &requestlen))
- i = -1;
+ if (!options)
+ requestlen = 0;
else
- i = inner_connect(ai, request, requestlen, NULL,NULL, "fetchmail", NULL);
+ if (net_security_strtorequest((char *)options, request, &requestlen))
+ goto ret;
+
+ i = inner_connect(ai, request, requestlen, NULL,NULL, "fetchmail", NULL);
+
+ret:
#else /* NET_SECURITY */
i = inner_connect(ai, NULL, 0, NULL, NULL, "fetchmail", NULL);
#endif /* NET_SECURITY */
+
freeaddrinfo(ai);
return i;
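Review bot: The `goto ret` taken when net_security_strtorequest() rejects the option string leaves `i` at 0, so SockOpen returns 0 instead of the -1 that the removed code set. This assumes the getaddrinfo failure branch above returns, which means `i` is 0 whenever execution reaches this point. A caller that treats the return value as a descriptor would then carry on using fd 0, with the requested network-security policy never applied, instead of failing closed. Set the error before jumping: `if (net_security_strtorequest((char *)options, request, &requestlen)) { i = -1; goto ret; }`. The `(char *)options` cast also discards const, so if the library can modify the string, pass it a private copy.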