INN commit: trunk (8 files)
INN Commit
Russ_Allbery at isc.org
Mon Aug 25 19:37:52 UTC 2008
Date: Monday, August 25, 2008 @ 12:37:52
Author: iulius
Revision: 7972
If a user is already authenticated, return 502 if AUTHINFO is sent again,
according to RFC 4643.
Also fix a bad answer in innd: AUTHINFO subcommands could return 480...
Modified:
trunk/innd/innd.h
trunk/innd/nc.c
trunk/innd/rc.c
trunk/nnrpd/commands.c
trunk/nnrpd/nnrpd.c
trunk/nnrpd/nnrpd.h
trunk/nnrpd/perm.c
trunk/nnrpd/sasl.c
------------------+
innd/innd.h | 1 +
innd/nc.c | 10 ++++++++--
innd/rc.c | 1 +
nnrpd/commands.c | 3 +++
nnrpd/nnrpd.c | 6 ++++++
nnrpd/nnrpd.h | 1 +
nnrpd/perm.c | 2 ++
nnrpd/sasl.c | 1 +
8 files changed, 23 insertions(+), 2 deletions(-)
Modified: innd/innd.h
===================================================================
--- innd/innd.h 2008-08-24 22:23:41 UTC (rev 7971)
+++ innd/innd.h 2008-08-25 19:37:52 UTC (rev 7972)
@@ -318,6 +318,7 @@
bool NoResendId;
bool privileged;
bool Nolist;
+ bool CanAuthenticate; /* Can use AUTHINFO? */
unsigned long Duplicate;
unsigned long Unwanted_s;
unsigned long Unwanted_f;
Modified: innd/nc.c
===================================================================
--- innd/nc.c 2008-08-24 22:23:41 UTC (rev 7971)
+++ innd/nc.c 2008-08-25 19:37:52 UTC (rev 7972)
@@ -378,9 +378,14 @@
/* Otherwise, make sure we're only getting "authinfo" commands. */
if (strncasecmp(p, AUTHINFO, strlen(AUTHINFO)) != 0) {
- NCwritereply(cp, NNTP_AUTH_NEEDED);
+ NCwritereply(cp, cp->CanAuthenticate ? NNTP_AUTH_NEEDED : NNTP_ACCESS);
return;
+ } else if (!cp->CanAuthenticate) {
+ /* Already authenticated. */
+ NCwritereply(cp, NNTP_ACCESS);
+ return;
}
+
for (p += strlen(AUTHINFO); ISWHITE(*p); p++)
continue;
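Review bot: Both arms taken when `cp->CanAuthenticate` is false send `NNTP_ACCESS`, so the ternary in the first branch and the new `else if` encode the same decision twice. Testing the flag once ahead of the `strncasecmp` would read more directly: `if (!cp->CanAuthenticate) { NCwritereply(cp, NNTP_ACCESS); return; }`, with the original `NNTP_AUTH_NEEDED` reply left as it was. That also makes the already-authenticated rejection independent of how the AUTHINFO keyword is matched, which here is a prefix comparison. The enclosing function starts and ends outside the hunk.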
@@ -393,7 +398,7 @@
/* Now make sure we're getting only "authinfo pass" commands. */
if (strncasecmp(p, PASS, strlen(PASS)) != 0) {
- NCwritereply(cp, NNTP_AUTH_NEEDED);
+ NCwritereply(cp, NNTP_BAD_SUBCMD);
return;
}
for (p += strlen(PASS); ISWHITE(*p); p++)
@@ -405,6 +410,7 @@
NCwritereply(cp, NNTP_AUTH_BAD);
} else {
cp->State = CSgetcmd;
+ cp->CanAuthenticate = false;
NCwritereply(cp, NNTP_AUTH_OK);
}
}
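Review bot: The failure arm at `NCwritereply(cp, NNTP_AUTH_BAD)` leaves `State` and `CanAuthenticate` untouched, so as far as this hunk shows a peer can keep submitting AUTHINFO PASS on the same channel with no visible count or log entry. If nothing outside the hunk already does so, a syslog line on each rejected password and a cap on attempts per channel would make guessing visible and bounded. The condition guarding this `if` is above the hunk, so how the password is compared cannot be judged from here.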
Modified: innd/rc.c
===================================================================
--- innd/rc.c 2008-08-24 22:23:41 UTC (rev 7971)
+++ innd/rc.c 2008-08-25 19:37:52 UTC (rev 7972)
@@ -604,6 +604,7 @@
new->Skip = rp->Skip;
new->NoResendId = rp->NoResendId;
new->Nolist = rp->Nolist;
+ new->CanAuthenticate = true; /* Can use AUTHINFO. */
new->MaxCnx = rp->MaxCnx;
new->HoldTime = rp->HoldTime;
memcpy(&new->Address, &remote, SA_LEN((struct sockaddr *)&remote));
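Review bot: `new->CanAuthenticate = true` is the only initialisation of the new field shown in this commit, and it sits among the per-peer copies in one channel-setup path. If channels are created or recycled anywhere else, the flag keeps whatever value the structure already held. A stale `false` would make innd answer every AUTHINFO with `NNTP_ACCESS`, which fails closed but locks the peer out. Setting the field where the channel structure itself is initialised, or confirming that this is the only path, would remove the doubt. The enclosing function is not visible in the hunk.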
Modified: nnrpd/commands.c
===================================================================
--- nnrpd/commands.c 2008-08-24 22:23:41 UTC (rev 7971)
+++ nnrpd/commands.c 2008-08-25 19:37:52 UTC (rev 7972)
@@ -187,6 +187,7 @@
Reply("%d Authentication succeeded\r\n", NNTP_OK_AUTHINFO);
PERMneedauth = false;
PERMauthorized = true;
+ PERMcanauthenticate = false;
free(logrec);
return;
case 0:
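Review bot: The three assignments `PERMneedauth = false; PERMauthorized = true; PERMcanauthenticate = false;` are now repeated at five success sites: here, the two later hunks in this file, the second hunk of nnrpd/perm.c, and nnrpd/sasl.c. A future authentication path that copies the older two-line form would leave AUTHINFO open after login, contrary to the RFC 4643 behaviour this commit implements. A single helper that performs all three assignments (name to be chosen by the maintainers), called from each site, would keep the state change in one place.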
@@ -242,6 +243,7 @@
Reply("%d Ok\r\n", NNTP_OK_AUTHINFO);
PERMneedauth = false;
PERMauthorized = true;
+ PERMcanauthenticate = false;
return;
}
@@ -258,6 +260,7 @@
Reply("%d Ok\r\n", NNTP_OK_AUTHINFO);
PERMneedauth = false;
PERMauthorized = true;
+ PERMcanauthenticate = false;
return;
}
Modified: nnrpd/nnrpd.c
===================================================================
--- nnrpd/nnrpd.c 2008-08-24 22:23:41 UTC (rev 7971)
+++ nnrpd/nnrpd.c 2008-08-25 19:37:52 UTC (rev 7972)
@@ -1143,6 +1143,12 @@
continue;
}
+ /* 502 if already successfully authenticated, according to RFC 4643. */
+ if (!PERMcanauthenticate && (strcasecmp(cp->Name, "authinfo") == 0)) {
+ Reply("%d %s\r\n", NNTP_ERR_ACCESS, "Already authenticated");
+ continue;
+ }
+
/* Check usage. */
if ((cp->Minac != CMDany && ac < cp->Minac)
|| (cp->Maxac != CMDany && ac > cp->Maxac)) {
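Review bot: The new 502 branch rejects a repeated AUTHINFO without recording it, so an authenticated session that keeps offering further credentials leaves no trace for operators. A log line before the `Reply`, for example `syslog(L_NOTICE, "%s AUTHINFO after authentication", Client.host);`, would give them something to alert on. The message text is a constructed sample; `L_NOTICE` and `Client.host` appear in nnrpd/sasl.c in this commit, and that they are in scope here is assumed. The comment could also say that comparing `cp->Name` with "authinfo" covers every AUTHINFO subcommand, since the check runs before the usage check. The loop body continues outside the hunk.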
Modified: nnrpd/nnrpd.h
===================================================================
--- nnrpd/nnrpd.h 2008-08-24 22:23:41 UTC (rev 7971)
+++ nnrpd/nnrpd.h 2008-08-25 19:37:52 UTC (rev 7972)
@@ -150,6 +150,7 @@
#endif /* defined(MAINLINE) */
EXTERN bool PERMauthorized;
+EXTERN bool PERMcanauthenticate;
EXTERN bool PERMcanpost;
EXTERN bool PERMcanread;
EXTERN bool PERMneedauth;
Modified: nnrpd/perm.c
===================================================================
--- nnrpd/perm.c 2008-08-24 22:23:41 UTC (rev 7971)
+++ nnrpd/perm.c 2008-08-25 19:37:52 UTC (rev 7972)
@@ -1382,6 +1382,7 @@
access_realms = NULL;
success_auth = NULL;
+ PERMcanauthenticate = true;
PERMcanread = PERMcanpost = false;
PERMreadlist = PERMpostlist = false;
PERMaccessconf = NULL;
@@ -1494,6 +1495,7 @@
}
PERMneedauth = false;
PERMauthorized = true;
+ PERMcanauthenticate = false;
success_auth = auth_realms[i];
}
}
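Review bot: `PERMcanauthenticate = false` is set here next to `success_auth = auth_realms[i]`, which looks like a realm match made while access is being computed, not a reply to an AUTHINFO command. If that reading is right, a client identified this way receives 502 "Already authenticated" on its first AUTHINFO and cannot supply credentials to reach a different access group. Please confirm that this is intended, and if so document it with a comment such as `/* Identified at connect time: AUTHINFO is refused from here on. */`. The enclosing function and loop are outside the hunk.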
Modified: nnrpd/sasl.c
===================================================================
--- nnrpd/sasl.c 2008-08-24 22:23:41 UTC (rev 7971)
+++ nnrpd/sasl.c 2008-08-25 19:37:52 UTC (rev 7972)
@@ -148,6 +148,7 @@
PERMgetpermissions();
PERMneedauth = false;
PERMauthorized = true;
+ PERMcanauthenticate = false;
syslog(L_NOTICE, "%s user %s", Client.host, PERMuser);