INN commit: trunk (8 files)

INN Commit Russ_Allbery at isc.org
Sun Sep 21 09:05:56 UTC 2008


    Date: Sunday, September 21, 2008 @ 02:05:55
  Author: iulius
Revision: 8042

* Check whether STARTTLS must be used before trying to authenticate.
  Send 483 if that is the case.
* Use require_ssl: for an encrypted connection either from the beginning
  if the -S flag is passed to nnrpd or after a successful use of STARTTLS.
* Reorganize how nnrpd parses auth blocks with that change to require_ssl:.
* Replace ClientSSL with PERMcanauthenticatewithoutSSL so that the code
  reflects the permissions actually in effect for the connection.
* Documentation update.

Modified:
  trunk/doc/pod/readers.conf.pod
  trunk/nnrpd/commands.c
  trunk/nnrpd/list.c
  trunk/nnrpd/misc.c
  trunk/nnrpd/nnrpd.c
  trunk/nnrpd/nnrpd.h
  trunk/nnrpd/perm.c
  trunk/nnrpd/sasl.c

--------------------------+
 doc/pod/readers.conf.pod |   32 ++++++++++++++++++--------------
 nnrpd/commands.c         |   29 ++++++++++++++++++++++++++---
 nnrpd/list.c             |    2 +-
 nnrpd/misc.c             |    6 +++---
 nnrpd/nnrpd.c            |    6 ++----
 nnrpd/nnrpd.h            |    6 +++---
 nnrpd/perm.c             |   37 ++++++++++++++++++++++++++++++++-----
 nnrpd/sasl.c             |   15 ++++++++++++++-
 8 files changed, 99 insertions(+), 34 deletions(-)

Modified: doc/pod/readers.conf.pod
===================================================================
--- doc/pod/readers.conf.pod	2008-09-20 21:44:07 UTC (rev 8041)
+++ doc/pod/readers.conf.pod	2008-09-21 09:05:55 UTC (rev 8042)
@@ -88,9 +88,10 @@
 address in a netblock; for example, "10.10.10.0/24" will match any IP
 address between 10.10.10.0 and 10.10.10.255 inclusive.
 
-If compiled against the SSL libraries, an auth group with the require_ssl:
+If compiled against the SSL libraries, an auth group with the I<require_ssl>
 parameter set to true only applies if the incoming connection is using
-SSL.
+SSL, either from the beginning if the B<-S> flag was passed to B<nnrpd> or
+after a successful use of STARTTLS.
 
 For any connection from a host that matches that wildmat expression or
 netblock, each <res-program> (multiple res: lines may be present in a
@@ -306,8 +307,10 @@
 =item B<require_ssl:>
 
 If set to true, an incoming connection only matches this auth group if
-it is encrypted using SSL.  This parameter is only valid if INN is
-compiled with SSL support (B<--with-openssl> passed to configure).
+it is encrypted using SSL, either from the beginning if the B<-S> flag
+was passed to B<nnrpd> or after a successful use of STARTTLS.  This
+parameter is only valid if INN is compiled with SSL support
+(B<--with-openssl> passed to configure).
 
 =item B<perl_access:>
 
@@ -526,7 +529,7 @@
 =item *
 
 All auth groups are scanned and the ones that don't match the client
-(due to hosts:, localaddress:, require_ssl:, etc) are eliminated.
+(due to I<hosts>, I<localaddress>, I<require_ssl>, etc.) are eliminated.
 
 =item *
 
@@ -786,9 +789,10 @@
 
 =item *
 
-To restrict connections on the standard nntp port (119) to use SSL for
-some (or all) of the auth groups to match, use the require_ssl:
-parameter.
+To restrict connections on the standard NNTP port (119) to use SSL for
+some (or all) of the auth groups to match, use the I<require_ssl>
+parameter.  Note that a client can use STARTTLS to negotiate an
+encrypted connection.
 
 =item *
 
@@ -798,12 +802,12 @@
 
 =item *
 
-Consider running a C<nnrpd -S> (with C<-D>, or out of "super-server"
-like B<inetd>) on the NNTPS port (563) for clients that support SSL.  See
-nnrpd(8) for more details about how to configure that.  You
-can use the require_ssl: parameter, or C<-c> to specify an alternate
-F<readers.conf> if you want a substantially different configuration for
-this case.
+Consider running B<nnrpd> with the B<-S> flag (either also with B<-D>,
+or out of "super-server" like B<inetd>) on the NNTPS port (563) for
+clients that support SSL.  See nnrpd(8) for more details about how
+to configure that.  You can use the I<require_ssl> parameter or the
+B<-c> flag to specify an alternate F<readers.conf> file if you want
+a substantially different configuration for this case.
 
 =item *
 

Modified: nnrpd/commands.c
===================================================================
--- nnrpd/commands.c	2008-09-20 21:44:07 UTC (rev 8041)
+++ nnrpd/commands.c	2008-09-21 09:05:55 UTC (rev 8042)
@@ -13,6 +13,10 @@
 #include "inn/version.h"
 #include "tls.h"
 
+#ifdef HAVE_SSL
+extern bool nnrpd_starttls_done;
+#endif /* HAVE_SSL */
+
 typedef struct {
     char *name;
     ARTNUM high;
@@ -60,7 +64,7 @@
     }
 
     /* 502 if already successfully authenticated, according to RFC 4643. */
-    if (!PERMcanauthenticate) {
+    if (PERMauthorized && !PERMneedauth && !PERMcanauthenticate) {
         Reply("%d Already authenticated\r\n", NNTP_ERR_ACCESS);
         return -1;
     }
@@ -225,10 +229,20 @@
         /* Each time AUTHINFO USER is used, the new username is cached. */
         if (strcasecmp(av[1], "USER") == 0) {
             /* 502 if already successfully authenticated, according to RFC 4643. */
-            if (!PERMcanauthenticate) {
+            if (PERMauthorized && !PERMneedauth && !PERMcanauthenticate) {
                 Reply("%d Already authenticated\r\n", NNTP_ERR_ACCESS);
                 return;
             }
+
+#ifdef HAVE_SSL
+            /* Check whether STARTTLS must be used before trying to authenticate. */
+            if (PERMcanauthenticate && !PERMcanauthenticatewithoutSSL
+                && !nnrpd_starttls_done) {
+                Reply("%d Encryption required\r\n", NNTP_FAIL_PRIVACY_NEEDED);
+                return;
+            }
+#endif
+
             if (ac > 3) {
                 Reply("%d No whitespace allowed in username\r\n", NNTP_ERR_SYNTAX);
                 return;
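Review bot: The comment on the new check, `/* Check whether STARTTLS must be used before trying to authenticate. */`, does not say why `PERMcanauthenticate` can be true here at all: perm.c in this commit sets it even for realms whose require_ssl is set while the connection is still plaintext, so `PERMcanauthenticatewithoutSSL` is what separates "no realm accepts plaintext" (483) from "some realm does" (proceed). I would extend it to `/* PERMcanauthenticate is also set for realms requiring SSL; if no realm accepts plaintext authentication, tell the client to use STARTTLS first (483). */`. Note that as soon as one plaintext realm exists the password is still sent in the clear and only the non-SSL realms are consulted, which is worth stating in readers.conf.pod.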
@@ -245,11 +259,20 @@
         }
 
         /* 502 if already successfully authenticated, according to RFC 4643. */
-        if (!PERMcanauthenticate) {
+        if (PERMauthorized && !PERMneedauth && !PERMcanauthenticate) {
             Reply("%d Already authenticated\r\n", NNTP_ERR_ACCESS);
             return;
         }
 
+#ifdef HAVE_SSL
+        /* Check whether STARTTLS must be used before trying to authenticate. */
+        if (PERMcanauthenticate && !PERMcanauthenticatewithoutSSL
+            && !nnrpd_starttls_done) {
+             Reply("%d Encryption required\r\n", NNTP_FAIL_PRIVACY_NEEDED);
+             return;
+        }
+#endif
+
         /* AUTHINFO PASS cannot be sent before AUTHINFO USER. */
         if (User[0] == '\0') {
             Reply("%d Authentication commands issued out of sequence\r\n",
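Review bot: The `Reply` and `return` inside the new `#ifdef HAVE_SSL` block are indented 13 columns, one more than the surrounding code and than the identical block added for AUTHINFO USER above; realign them to 12: `            Reply("%d Encryption required\r\n", NNTP_FAIL_PRIVACY_NEEDED);` and `            return;`. This is the second verbatim copy of the same test in this file and a third appears in sasl.c, so a single helper would keep the three from drifting. The enclosing function continues outside the hunk.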

Modified: nnrpd/list.c
===================================================================
--- nnrpd/list.c	2008-09-20 21:44:07 UTC (rev 8041)
+++ nnrpd/list.c	2008-09-21 09:05:55 UTC (rev 8042)
@@ -12,7 +12,7 @@
 #include "inn/messages.h"
 
 #ifdef HAVE_SSL
-extern int nnrpd_starttls_done;
+extern bool nnrpd_starttls_done;
 #endif /* HAVE_SSL */
 
 typedef struct _LISTINFO {

Modified: nnrpd/misc.c
===================================================================
--- nnrpd/misc.c	2008-09-20 21:44:07 UTC (rev 8041)
+++ nnrpd/misc.c	2008-09-21 09:05:55 UTC (rev 8042)
@@ -22,7 +22,7 @@
 extern SSL *tls_conn;
 extern int tls_cipher_usebits;
 extern char *tls_peer_CN;
-extern int nnrpd_starttls_done;
+extern bool nnrpd_starttls_done;
 #endif 
 
 
@@ -517,7 +517,7 @@
     int result;
     bool boolval;
 
-    if (nnrpd_starttls_done == 1) {
+    if (nnrpd_starttls_done) {
         Reply("%d Already using an active TLS layer\r\n", NNTP_ERR_ACCESS);
         return;
     }
@@ -562,7 +562,7 @@
     }
 #endif /* HAVE_SASL */
 
-    nnrpd_starttls_done = 1;
+    nnrpd_starttls_done = true;
 
     /* Close out any existing article, report group stats.
      * RFC 4642 requires the reset of any knowledge about the client. */
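Review bot: Setting `nnrpd_starttls_done = true` here only makes require_ssl realms usable if the readers.conf evaluation is redone afterwards: the resolution loop in PERMgetpermissions (this commit) skips a require_ssl realm, including its res: programs and its default_user, whenever the flag is false, so if that loop ran only at connection time those realms are never resolved during a STARTTLS session. The trailing comment mentions the RFC 4642 reset but the rest of the function is outside the hunk, so confirm that PERMgetpermissions (or its equivalent) runs after this assignment, and say so in the comment: `/* Re-evaluate readers.conf now that nnrpd_starttls_done is set, so that require_ssl auth groups can match. */`.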

Modified: nnrpd/nnrpd.c
===================================================================
--- nnrpd/nnrpd.c	2008-09-20 21:44:07 UTC (rev 8041)
+++ nnrpd/nnrpd.c	2008-09-21 09:05:55 UTC (rev 8042)
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_SSL
 extern SSL *tls_conn;
-int nnrpd_starttls_done = 0;
+bool nnrpd_starttls_done = false;
 #endif 
 
 /*
@@ -974,15 +974,13 @@
     } /* DaemonMode */
 
 #ifdef HAVE_SSL
-    ClientSSL = false;
     if (initialSSL) {
         tls_init();
         if (tls_start_servertls(0, 1) == -1) {
             Reply("%d SSL connection failed\r\n", NNTP_FAIL_TERMINATING);
             ExitWithStats(1, false);
         }
-        nnrpd_starttls_done = 1;
-        ClientSSL = true;
+        nnrpd_starttls_done = true;
     }
 #endif /* HAVE_SSL */
 

Modified: nnrpd/nnrpd.h
===================================================================
--- nnrpd/nnrpd.h	2008-09-20 21:44:07 UTC (rev 8041)
+++ nnrpd/nnrpd.h	2008-09-21 09:05:55 UTC (rev 8042)
@@ -151,6 +151,9 @@
 
 EXTERN bool	PERMauthorized;
 EXTERN bool     PERMcanauthenticate;
+#ifdef HAVE_SSL
+EXTERN bool     PERMcanauthenticatewithoutSSL;
+#endif
 EXTERN bool	PERMcanpost;
 EXTERN bool     PERMcanpostgreeting;
 EXTERN bool	PERMcanread;
@@ -164,9 +167,6 @@
 EXTERN char	**PERMpostlist;
 EXTERN struct client Client;
 EXTERN char	Username[SMBUF];
-#ifdef HAVE_SSL
-EXTERN bool	ClientSSL;
-#endif
 extern char	*ACTIVETIMES;
 extern char	*HISTORY;
 extern char	*ACTIVE;
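Review bot: `nnrpd_starttls_done` is declared `extern bool` separately in commands.c, list.c, misc.c, perm.c and sasl.c; since this hunk already edits the HAVE_SSL block, declare it once here (`extern bool nnrpd_starttls_done;` under `#ifdef HAVE_SSL`) so a future type change cannot leave one copy behind, as the int-to-bool change in this commit had to touch five files. The new `PERMcanauthenticatewithoutSSL` also deserves a one-line comment, e.g. `/* True if at least one matching auth group with auth methods does not require SSL. */`, since the name alone does not convey that it describes the configuration rather than the connection.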

Modified: nnrpd/perm.c
===================================================================
--- nnrpd/perm.c	2008-09-20 21:44:07 UTC (rev 8041)
+++ nnrpd/perm.c	2008-09-21 09:05:55 UTC (rev 8042)
@@ -21,6 +21,10 @@
 # include <sys/select.h>
 #endif
 
+#ifdef HAVE_SSL
+extern bool nnrpd_starttls_done;
+#endif /* HAVE_SSL */
+
 /* data types */
 typedef struct _CONFCHAIN {
     CONFFILE *f;
@@ -1315,9 +1319,6 @@
 		inwhat = 0;
 
 		if (curauth->name
-#ifdef HAVE_SSL
-		    && ((curauth->require_ssl == false) || (ClientSSL == true))
-#endif
 		    && MatchHost(curauth->hosts, Client.host, Client.ip)) {
 		    if (!MatchHost(curauth->localaddress, Client.serverhost, Client.serverip)) {
 			syslog(L_TRACE, "Auth strategy '%s' does not match localhost.  Removing.",
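Review bot: Dropping the ClientSSL filter here means a require_ssl auth group now stays in auth_realms on a plaintext connection, with the SSL decision moved to ResolveUser, AuthenticateUser and the resolution loop in PERMgetpermissions; any other consumer of auth_realms[] that relied on such groups having been removed at parse time (the PERMcanpostgreeting computation in the later hunk looks like one) should be audited, since it will now see them. A trace message in the style of the localhost one on the following lines, `syslog(L_TRACE, "Auth strategy '%s' requires SSL; deferring.", curauth->name);`, would also make the deferred decision visible to operators. The enclosing function starts and ends outside the hunk.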
@@ -1382,6 +1383,9 @@
     success_auth    = NULL;
 
     PERMcanauthenticate = false;
+#ifdef HAVE_SSL
+    PERMcanauthenticatewithoutSSL = false;
+#endif
     PERMcanpostgreeting = false;
     PERMcanread	    = PERMcanpost   = false;
     PERMreadlist    = PERMpostlist  = false;
@@ -1406,10 +1410,16 @@
 	ExitWithStats(1, true);
     }
 
-    /* auth_realms are all expected to match the user. */
+    /* auth_realms are all expected to match the user.
+     * Be careful whether SSL is required, though. */
     for (i = 0; auth_realms[i]; i++) {
-	if (auth_realms[i]->auth_methods != NULL)
+	if (auth_realms[i]->auth_methods != NULL) {
 	    PERMcanauthenticate = true;
+#ifdef HAVE_SSL
+            if (auth_realms[i]->require_ssl == false)
+                PERMcanauthenticatewithoutSSL = true;
+#endif
+        }
         /* We assume that an access or dynamic script will allow
          * the user to post when authenticated, so that a 200 greeting
          * code can be sent. */
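Review bot: The `#ifdef HAVE_SSL` block added inside the loop is indented with spaces while the surrounding lines (`if (auth_realms[i]->auth_methods != NULL) {`, `PERMcanauthenticate = true;`) use tabs; match the file's tab indentation. The comment `Be careful whether SSL is required, though.` should say what is actually done: `/* PERMcanauthenticate is set even for realms that require SSL, so that a plaintext client is told to use STARTTLS (483) instead of being refused; PERMcanauthenticatewithoutSSL records whether any realm accepts plaintext. */`. The PERMcanpostgreeting assignment that the trailing comment introduces is outside the hunk; it will presumably now also be reached for SSL-only realms on plaintext connections, which may change the greeting code, so that is worth checking.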
@@ -1419,6 +1429,11 @@
     }
     uname = 0;
     while (!uname && i--) {
+#ifdef HAVE_SSL
+        /* If SSL is required, check that the connection is encrypted. */
+        if ((auth_realms[i]->require_ssl == true) && !nnrpd_starttls_done)
+            continue;
+#endif
 	if ((uname = ResolveUser(auth_realms[i])) != NULL)
 	    PERMauthorized = true;
 	if (!uname && auth_realms[i]->default_user)
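Review bot: The `continue` on a require_ssl realm is now partly redundant with the identical check added to ResolveUser in this commit; its real job here is to skip the realm's `default_user` fallback on the next lines as well, and the comment should say so: `/* Skip the whole realm, including its default_user, when it requires SSL and the connection is not encrypted; ResolveUser checks this too. */`. Comparing a bool with `== true` is also unidiomatic; `if (auth_realms[i]->require_ssl && !nnrpd_starttls_done)` reads better and matches the style of the new checks in commands.c. The enclosing function continues outside the hunk.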
@@ -1913,6 +1928,12 @@
     if (auth->res_methods == NULL)
         return NULL;
 
+#ifdef HAVE_SSL
+    /* If SSL is required, check that the connection is encrypted. */
+    if ((auth->require_ssl == true) && !nnrpd_starttls_done)
+        return NULL;
+#endif
+
     tmp = concatpath(innconf->pathbin, INN_PATH_AUTHDIR);
     resdir = concatpath(tmp, INN_PATH_AUTHDIR_NOPASS);
     free(tmp);
@@ -1957,6 +1978,12 @@
     if (auth->auth_methods == NULL)
         return NULL;
 
+#ifdef HAVE_SSL
+    /* If SSL is required, check that the connection is encrypted. */
+    if ((auth->require_ssl == true) && !nnrpd_starttls_done)
+        return NULL;
+#endif
+
     tmp = concatpath(innconf->pathbin, INN_PATH_AUTHDIR);
     resdir = concatpath(tmp, INN_PATH_AUTHDIR_PASSWD);
     free(tmp);
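Review bot: Returning NULL here is indistinguishable, to an operator reading the logs, from the auth program having rejected the credentials, so a trace line in the style of the existing `syslog(L_TRACE, "Auth strategy '%s' does not match localhost.  Removing.", ...)` would help: `syslog(L_TRACE, "Auth strategy '%s' requires SSL; skipping.", auth->name);` before the `return NULL;`. The same applies to the identical check added to ResolveUser. The function continues outside the hunk.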

Modified: nnrpd/sasl.c
===================================================================
--- nnrpd/sasl.c	2008-09-20 21:44:07 UTC (rev 8041)
+++ nnrpd/sasl.c	2008-09-21 09:05:55 UTC (rev 8042)
@@ -10,6 +10,10 @@
 #include "inn/messages.h"
 #include "nnrpd.h"
 
+#ifdef HAVE_SSL
+extern bool nnrpd_starttls_done;
+#endif /* HAVE_SSL */
+
 #ifdef HAVE_SASL
 
 #include <sasl/sasl.h>
@@ -85,11 +89,20 @@
     }
 
     /* 502 if already successfully authenticated, according to RFC 4643. */
-    if (!PERMcanauthenticate) {
+    if (PERMauthorized && !PERMneedauth && !PERMcanauthenticate) {
         Reply("%d Already authenticated\r\n", NNTP_ERR_ACCESS);
         return;
     }
 
+#ifdef HAVE_SSL
+    /* Check whether STARTTLS must be used before trying to authenticate. */
+    if (PERMcanauthenticate && !PERMcanauthenticatewithoutSSL
+        && !nnrpd_starttls_done) {
+        Reply("%d Encryption required\r\n", NNTP_FAIL_PRIVACY_NEEDED);
+        return;
+    }
+#endif
+
     if (ac == 4) {
 	/* initial response */
 	clientin = av[3];
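Review bot: The STARTTLS-required test added here is the third copy of the same three-line condition (two are in commands.c), each under its own `#ifdef HAVE_SSL`; one helper in nnrpd.h, e.g. `static inline bool PERMtlsrequired(void) { return PERMcanauthenticate && !PERMcanauthenticatewithoutSSL && !nnrpd_starttls_done; }` (or a macro expanding to `false` when HAVE_SSL is not defined), would let each caller write `if (PERMtlsrequired()) { Reply("%d Encryption required\r\n", NNTP_FAIL_PRIVACY_NEEDED); return; }` and keep the three sites consistent. Placing the check before the `ac == 4` initial-response handling is the right order, since for PLAIN the initial response already carries the credentials. The enclosing function starts and ends outside the hunk.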


