INN commit: trunk/nnrpd (sasl.c)

INN Commit Russ_Allbery at isc.org
Wed Dec 31 19:05:45 UTC 2008


    Date: Wednesday, December 31, 2008 @ 11:05:45
  Author: iulius
Revision: 8270

Only AUTHINFO SASL PLAIN and AUTHINFO SASL EXTERNAL are vulnerable.
Other SASL mechanisms can be used without an active TLS layer.

Modified:
  trunk/nnrpd/sasl.c

--------+
 sasl.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

Modified: sasl.c
===================================================================
--- sasl.c	2008-12-31 18:58:09 UTC (rev 8269)
+++ sasl.c	2008-12-31 19:05:45 UTC (rev 8270)
@@ -150,9 +150,11 @@
     }
 
 #ifdef HAVE_SSL
-    /* Check whether STARTTLS must be used before trying to authenticate. */
+    /* Check whether STARTTLS must be used before trying to authenticate
+     * with AUTHINFO SASL PLAIN or AUTHINFO SASL EXTERNAL. */
     if (PERMcanauthenticate && !PERMcanauthenticatewithoutSSL
-        && !nnrpd_starttls_done) {
+        && !nnrpd_starttls_done && ((strcasecmp(mech, "PLAIN") == 0
+                                     || strcasecmp(mech, "EXTERNAL") == 0))) {
         Reply("%d Encryption required\r\n", NNTP_FAIL_PRIVACY_NEEDED);
         return;
     }
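Review bot: The test added to the condition, `strcasecmp(mech, "PLAIN") == 0 || strcasecmp(mech, "EXTERNAL") == 0`, is a deny-list by mechanism name, so any other mechanism that carries the password in a cleartext-equivalent form is now accepted without TLS even when `PERMcanauthenticatewithoutSSL` is false. LOGIN is the likely case if the SASL library on the host offers it; consider adding `|| strcasecmp(mech, "LOGIN") == 0`, or inverting the test into an allow-list of mechanisms known not to expose the secret. The comment could also record that the mechanisms still permitted leave the rest of the session unencrypted unless a SASL security layer is negotiated, which an administrator who disabled authentication without SSL may not expect. The enclosing function starts and ends outside the hunk, so whether `mech` is validated (or can be NULL) before this point is not visible here.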



