INN commit: trunk/nnrpd (misc.c tls.c tls.h)

INN Commit Russ_Allbery at isc.org
Sat Sep 20 15:12:35 UTC 2008


    Date: Saturday, September 20, 2008 @ 08:12:35
  Author: iulius
Revision: 8037

* Do not close the connection when TLS negotiation cannot be initiated.
  Therefore, send 580 and not 400, unless it is done at initial connection
  by nnrpd -S.
* Do not send 580 when negotiation fails (382 has already been sent).

Modified:
  trunk/nnrpd/misc.c
  trunk/nnrpd/tls.c
  trunk/nnrpd/tls.h

--------+
 misc.c |   60 +++++++++++++++++++++++++++++++++---------------------------
 tls.c  |   17 ++++++++++++-----
 tls.h  |    2 +-
 3 files changed, 46 insertions(+), 33 deletions(-)

Modified: misc.c
===================================================================
--- misc.c	2008-09-20 08:19:28 UTC (rev 8036)
+++ misc.c	2008-09-20 15:12:35 UTC (rev 8037)
@@ -511,41 +511,47 @@
 void
 CMDstarttls(int ac UNUSED, char *av[] UNUSED)
 {
-  int result;
+    int result;
 
-  tls_init();
-  if (nnrpd_starttls_done == 1) {
-      Reply("%d Already using an active TLS layer\r\n",
-            NNTP_ERR_ACCESS);
-      return;
-  }
+    if (nnrpd_starttls_done == 1) {
+        Reply("%d Already using an active TLS layer\r\n",
+              NNTP_ERR_ACCESS);
+        return;
+    }
 
-  Reply("%d Begin TLS negotiation now\r\n", NNTP_CONT_STARTTLS);
-  fflush(stdout);
+    result = tls_init();
 
-  /* Must flush our buffers before starting TLS. */
+    if (result == -1) {
+        /* No reply because tls_init() has already sent one. */
+        return;
+    }
+
+    Reply("%d Begin TLS negotiation now\r\n", NNTP_CONT_STARTTLS);
+    fflush(stdout);
+
+    /* Must flush our buffers before starting TLS. */
   
-  result=tls_start_servertls(0,  /* Read.  */
-			     1); /* Write. */
-  if (result==-1) {
-    Reply("%d STARTTLS failed\r\n", NNTP_ERR_STARTTLS);
-    return;
-  }
+    result = tls_start_servertls(0,  /* Read.  */
+                                 1); /* Write. */
+    if (result == -1) {
+        /* No reply because we have already sent NNTP_CONT_STARTTLS. */
+        return;
+    }
 
 #ifdef HAVE_SASL
-  /* Tell SASL about the negotiated layer. */
-  result = sasl_setprop(sasl_conn, SASL_SSF_EXTERNAL,
-			(sasl_ssf_t *) &tls_cipher_usebits);
-  if (result != SASL_OK) {
-    syslog(L_NOTICE, "sasl_setprop() failed: CMDstarttls()");
-  }
+    /* Tell SASL about the negotiated layer. */
+    result = sasl_setprop(sasl_conn, SASL_SSF_EXTERNAL,
+                          (sasl_ssf_t *) &tls_cipher_usebits);
+    if (result != SASL_OK) {
+        syslog(L_NOTICE, "sasl_setprop() failed: CMDstarttls()");
+    }
 
-  result = sasl_setprop(sasl_conn, SASL_AUTH_EXTERNAL, tls_peer_CN);
-  if (result != SASL_OK) {
-    syslog(L_NOTICE, "sasl_setprop() failed: CMDstarttls()");
-  }
+    result = sasl_setprop(sasl_conn, SASL_AUTH_EXTERNAL, tls_peer_CN);
+    if (result != SASL_OK) {
+        syslog(L_NOTICE, "sasl_setprop() failed: CMDstarttls()");
+    }
 #endif /* HAVE_SASL */
 
-  nnrpd_starttls_done = 1;
+    nnrpd_starttls_done = 1;
 }
 #endif /* HAVE_SSL */
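Review bot: The new failure branch after `tls_start_servertls()` (`if (result == -1) { /* No reply ... */ return; }`) hands control back to the plaintext command loop with `nnrpd_starttls_done` still 0, even though the client has already been told with 382 to begin the handshake. Any bytes the client sent as its side of the handshake would then be parsed as NNTP commands, which is exactly the state confusion a STARTTLS implementation should avoid; I would expect the session to be terminated here, e.g. a syslog line followed by `ExitWithStats(1, false);`, mirroring the initialSSL path in tls_init(). If tls_start_servertls() already logs the failure or tears the connection down itself (not visible in this hunk), the comment should say so explicitly rather than only noting that no reply is sent: `/* No reply: 382 was already sent and tls_start_servertls() has logged and closed the session. */`. The remaining lines of the hunk are re-indentation only.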

Modified: tls.c
===================================================================
--- tls.c	2008-09-20 08:19:28 UTC (rev 8036)
+++ tls.c	2008-09-20 15:12:35 UTC (rev 8037)
@@ -413,7 +413,7 @@
 **
 **  The skeleton of this function is taken from OpenSSL apps/s_server.c.
 **
-**  returns -1 on error
+**  Returns -1 on error.
 */
 
 int
@@ -506,14 +506,16 @@
 **  The function called by nnrpd to initialize the TLS support.  Calls
 **  tls_init_server_engine and checks the result.  On any sort of failure,
 **  nnrpd will exit.
+**
+**  Returns -1 on error.
 */
-void
+int
 tls_init(void)
 {
     int ssl_result;
 
     if (tls_initialized)
-        return;
+        return 0;
 
     ssl_result = tls_init_serverengine(5,        /* Depth to verify. */
 				       0,        /* Can client auth? */
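Review bot: The header comment kept as context in this hunk, `On any sort of failure, nnrpd will exit.`, is no longer true: with this change the function only exits when `initialSSL` is set and otherwise replies with NNTP_ERR_STARTTLS and returns -1 (that branch is in the next hunk). I would rewrite it as `On failure, nnrpd exits if TLS was required at connection time (initialSSL); otherwise it sends a 580 reply and returns -1 so the caller can continue the plaintext session.` and complete the new `Returns -1 on error.` line with `Returns 0 on success, including when TLS was already initialized.`. Note that a failed attempt leaves tls_initialized false, so a later STARTTLS re-runs tls_init_serverengine(); that is reasonable but worth a sentence in the header too. tls_init's body runs past the end of this hunk.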
@@ -523,14 +525,19 @@
 				       innconf->tlscertfile,
 				       innconf->tlskeyfile);
     if (ssl_result == -1) {
-        Reply("%d Error initializing TLS\r\n", NNTP_FAIL_TERMINATING);
+        Reply("%d Error initializing TLS\r\n",
+              initialSSL ? NNTP_FAIL_TERMINATING : NNTP_ERR_STARTTLS);
         syslog(L_ERROR, "error initializing TLS: "
                "[CA_file: %s] [CA_path: %s] [cert_file: %s] [key_file: %s]",
                innconf->tlscafile, innconf->tlscapath,
                innconf->tlscertfile, innconf->tlskeyfile);
-        ExitWithStats(1, false);
+        if (initialSSL)
+            ExitWithStats(1, false);
+        return -1;
     }
+
     tls_initialized = true;
+    return 0;
 }
 
 

Modified: tls.h
===================================================================
--- tls.h	2008-09-20 08:19:28 UTC (rev 8036)
+++ tls.h	2008-09-20 15:12:35 UTC (rev 8037)
@@ -37,7 +37,7 @@
 			  char *tls_key_file);
 
 /* Init TLS. */
-void tls_init(void);
+int tls_init(void);
 
 /* Start TLS negotiation. */
 int tls_start_servertls(int readfd, int writefd);
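Review bot: The comment above the changed prototype, `/* Init TLS. */`, says nothing about the return value that this commit introduces, so callers reading only the header will not know they now have to check it. Suggest `/* Init TLS.  Returns 0 on success, -1 on failure (a reply has already been sent). */`, matching the documentation added in tls.c.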


