INN commit: trunk (8 files)
INN Commit
Russ_Allbery at isc.org
Sun Sep 21 09:05:56 UTC 2008
Date: Sunday, September 21, 2008 @ 02:05:55
Author: iulius
Revision: 8042
* Check whether STARTTLS must be used before trying to authenticate.
Send 483 if that is the case.
* Use require_ssl: for an encrypted connection either from the beginning
if the -S flag is passed to nnrpd or after a successful use of STARTTLS.
* Reorganize how nnrpd parses auth blocks with that change to require_ssl:.
* Replace ClientSSL with PERMcanauthenticatewithoutSSL so that the real
permissions are taken into account.
* Documentation update.
Modified:
trunk/doc/pod/readers.conf.pod
trunk/nnrpd/commands.c
trunk/nnrpd/list.c
trunk/nnrpd/misc.c
trunk/nnrpd/nnrpd.c
trunk/nnrpd/nnrpd.h
trunk/nnrpd/perm.c
trunk/nnrpd/sasl.c
--------------------------+
doc/pod/readers.conf.pod | 32 ++++++++++++++++++--------------
nnrpd/commands.c | 29 ++++++++++++++++++++++++++---
nnrpd/list.c | 2 +-
nnrpd/misc.c | 6 +++---
nnrpd/nnrpd.c | 6 ++----
nnrpd/nnrpd.h | 6 +++---
nnrpd/perm.c | 37 ++++++++++++++++++++++++++++++++-----
nnrpd/sasl.c | 15 ++++++++++++++-
8 files changed, 99 insertions(+), 34 deletions(-)
Modified: doc/pod/readers.conf.pod
===================================================================
--- doc/pod/readers.conf.pod 2008-09-20 21:44:07 UTC (rev 8041)
+++ doc/pod/readers.conf.pod 2008-09-21 09:05:55 UTC (rev 8042)
@@ -88,9 +88,10 @@
address in a netblock; for example, "10.10.10.0/24" will match any IP
address between 10.10.10.0 and 10.10.10.255 inclusive.
-If compiled against the SSL libraries, an auth group with the require_ssl:
+If compiled against the SSL libraries, an auth group with the I<require_ssl>
parameter set to true only applies if the incoming connection is using
-SSL.
+SSL, either from the beginning if the B<-S> flag was passed to B<nnrpd> or
+after a successful use of STARTTLS.
For any connection from a host that matches that wildmat expression or
netblock, each <res-program> (multiple res: lines may be present in a
@@ -306,8 +307,10 @@
=item B<require_ssl:>
If set to true, an incoming connection only matches this auth group if
-it is encrypted using SSL. This parameter is only valid if INN is
-compiled with SSL support (B<--with-openssl> passed to configure).
+it is encrypted using SSL, either from the beginning if the B<-S> flag
+was passed to B<nnrpd> or after a successful use of STARTTLS. This
+parameter is only valid if INN is compiled with SSL support
+(B<--with-openssl> passed to configure).
=item B<perl_access:>
@@ -526,7 +529,7 @@
=item *
All auth groups are scanned and the ones that don't match the client
-(due to hosts:, localaddress:, require_ssl:, etc) are eliminated.
+(due to I<hosts>, I<localaddress>, I<require_ssl>, etc.) are eliminated.
=item *
@@ -786,9 +789,10 @@
=item *
-To restrict connections on the standard nntp port (119) to use SSL for
-some (or all) of the auth groups to match, use the require_ssl:
-parameter.
+To restrict connections on the standard NNTP port (119) to use SSL for
+some (or all) of the auth groups to match, use the I<require_ssl>
+parameter. Note that a client can use STARTTLS to negotiate an
+encrypted connection.
=item *
@@ -798,12 +802,12 @@
=item *
-Consider running a C<nnrpd -S> (with C<-D>, or out of "super-server"
-like B<inetd>) on the NNTPS port (563) for clients that support SSL. See
-nnrpd(8) for more details about how to configure that. You
-can use the require_ssl: parameter, or C<-c> to specify an alternate
-F<readers.conf> if you want a substantially different configuration for
-this case.
+Consider running B<nnrpd> with the B<-S> flag (either also with B<-D>,
+or out of "super-server" like B<inetd>) on the NNTPS port (563) for
+clients that support SSL. See nnrpd(8) for more details about how
+to configure that. You can use the I<require_ssl> parameter or the
+B<-c> flag to specify an alternate F<readers.conf> file if you want
+a substantially different configuration for this case.
=item *
Modified: nnrpd/commands.c
===================================================================
--- nnrpd/commands.c 2008-09-20 21:44:07 UTC (rev 8041)
+++ nnrpd/commands.c 2008-09-21 09:05:55 UTC (rev 8042)
@@ -13,6 +13,10 @@
#include "inn/version.h"
#include "tls.h"
+#ifdef HAVE_SSL
+extern bool nnrpd_starttls_done;
+#endif /* HAVE_SSL */
+
typedef struct {
char *name;
ARTNUM high;
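Review bot: The `extern bool nnrpd_starttls_done;` added at the top of this file is repeated verbatim by this commit in perm.c and sasl.c, on top of the copies list.c and misc.c already carry, which is presumably how the int/bool mismatch those two files correct here crept in. Since nnrpd.h is touched anyway to add `PERMcanauthenticatewithoutSSL` under `#ifdef HAVE_SSL`, declare the flag there once, `extern bool nnrpd_starttls_done;` inside that same guarded block, and drop the per-file copies. sasl.c visibly includes nnrpd.h and the other files presumably do too, so no new include should be needed.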
@@ -60,7 +64,7 @@
}
/* 502 if already successfully authenticated, according to RFC 4643. */
- if (!PERMcanauthenticate) {
+ if (PERMauthorized && !PERMneedauth && !PERMcanauthenticate) {
Reply("%d Already authenticated\r\n", NNTP_ERR_ACCESS);
return -1;
}
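Review bot: The comment above this hunk still reads "502 if already successfully authenticated", but the condition beneath it now needs three flags to hold, and nothing explains why `!PERMcanauthenticate` is still required once `PERMauthorized && !PERMneedauth` is true (presumably so that a client granted access without credentials may still authenticate for more rights). Spell that out, e.g. `/* 502 only when authenticated and no further authentication is possible; a client authorized by default may still AUTHINFO for more rights. */`, and since the identical expression appears twice more in this file (the AUTHINFO USER and PASS hunks below) and once in sasl.c, a single helper such as `bool PERMalreadyauthenticated(void)` in perm.c would keep the four copies from drifting. One consequence worth confirming: a client that is not authorized and has no auth group with an auth method no longer gets 502 here but falls through to the authentication path; the perm.c hunk shows AuthenticateUser returning NULL when `auth_methods == NULL`, so this should end in a failure reply, but the code producing it is outside the hunk, as is the start of the enclosing function.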
@@ -225,10 +229,20 @@
/* Each time AUTHINFO USER is used, the new username is cached. */
if (strcasecmp(av[1], "USER") == 0) {
/* 502 if already successfully authenticated, according to RFC 4643. */
- if (!PERMcanauthenticate) {
+ if (PERMauthorized && !PERMneedauth && !PERMcanauthenticate) {
Reply("%d Already authenticated\r\n", NNTP_ERR_ACCESS);
return;
}
+
+#ifdef HAVE_SSL
+ /* Check whether STARTTLS must be used before trying to authenticate. */
+ if (PERMcanauthenticate && !PERMcanauthenticatewithoutSSL
+ && !nnrpd_starttls_done) {
+ Reply("%d Encryption required\r\n", NNTP_FAIL_PRIVACY_NEEDED);
+ return;
+ }
+#endif
+
if (ac > 3) {
Reply("%d No whitespace allowed in username\r\n", NNTP_ERR_SYNTAX);
return;
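Review bot: The new 483 gate only fires when every auth group able to authenticate this client sets require_ssl:, because `PERMcanauthenticatewithoutSSL` becomes true as soon as one matching group accepts cleartext (perm.c hunk around line 1410); with mixed groups a user whose account lives only in an SSL-only group still sends the password in the clear and is then refused with a failure code rather than 483, since perm.c skips that group. That is probably unavoidable before the credentials are seen, but it should be written down, e.g. `/* 483 only if no matching auth group accepts cleartext auth; with mixed groups the require_ssl: ones are simply skipped in perm.c. */`. The same three-line gate is copied into the AUTHINFO PASS hunk below and into sasl.c; a helper such as `bool PERMneedsencryption(void)` returning `PERMcanauthenticate && !PERMcanauthenticatewithoutSSL && !nnrpd_starttls_done`, defined in perm.c and declared in nnrpd.h under the same `#ifdef HAVE_SSL`, would also keep the extern for nnrpd_starttls_done in one place. The enclosing function begins before this hunk.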
@@ -245,11 +259,20 @@
}
/* 502 if already successfully authenticated, according to RFC 4643. */
- if (!PERMcanauthenticate) {
+ if (PERMauthorized && !PERMneedauth && !PERMcanauthenticate) {
Reply("%d Already authenticated\r\n", NNTP_ERR_ACCESS);
return;
}
+#ifdef HAVE_SSL
+ /* Check whether STARTTLS must be used before trying to authenticate. */
+ if (PERMcanauthenticate && !PERMcanauthenticatewithoutSSL
+ && !nnrpd_starttls_done) {
+ Reply("%d Encryption required\r\n", NNTP_FAIL_PRIVACY_NEEDED);
+ return;
+ }
+#endif
+
/* AUTHINFO PASS cannot be sent before AUTHINFO USER. */
if (User[0] == '\0') {
Reply("%d Authentication commands issued out of sequence\r\n",
Modified: nnrpd/list.c
===================================================================
--- nnrpd/list.c 2008-09-20 21:44:07 UTC (rev 8041)
+++ nnrpd/list.c 2008-09-21 09:05:55 UTC (rev 8042)
@@ -12,7 +12,7 @@
#include "inn/messages.h"
#ifdef HAVE_SSL
-extern int nnrpd_starttls_done;
+extern bool nnrpd_starttls_done;
#endif /* HAVE_SSL */
typedef struct _LISTINFO {
Modified: nnrpd/misc.c
===================================================================
--- nnrpd/misc.c 2008-09-20 21:44:07 UTC (rev 8041)
+++ nnrpd/misc.c 2008-09-21 09:05:55 UTC (rev 8042)
@@ -22,7 +22,7 @@
extern SSL *tls_conn;
extern int tls_cipher_usebits;
extern char *tls_peer_CN;
-extern int nnrpd_starttls_done;
+extern bool nnrpd_starttls_done;
#endif
@@ -517,7 +517,7 @@
int result;
bool boolval;
- if (nnrpd_starttls_done == 1) {
+ if (nnrpd_starttls_done) {
Reply("%d Already using an active TLS layer\r\n", NNTP_ERR_ACCESS);
return;
}
@@ -562,7 +562,7 @@
}
#endif /* HAVE_SASL */
- nnrpd_starttls_done = 1;
+ nnrpd_starttls_done = true;
/* Close out any existing article, report group stats.
* RFC 4642 requires the reset of any knowledge about the client. */
Modified: nnrpd/nnrpd.c
===================================================================
--- nnrpd/nnrpd.c 2008-09-20 21:44:07 UTC (rev 8041)
+++ nnrpd/nnrpd.c 2008-09-21 09:05:55 UTC (rev 8042)
@@ -33,7 +33,7 @@
#ifdef HAVE_SSL
extern SSL *tls_conn;
-int nnrpd_starttls_done = 0;
+bool nnrpd_starttls_done = false;
#endif
/*
@@ -974,15 +974,13 @@
} /* DaemonMode */
#ifdef HAVE_SSL
- ClientSSL = false;
if (initialSSL) {
tls_init();
if (tls_start_servertls(0, 1) == -1) {
Reply("%d SSL connection failed\r\n", NNTP_FAIL_TERMINATING);
ExitWithStats(1, false);
}
- nnrpd_starttls_done = 1;
- ClientSSL = true;
+ nnrpd_starttls_done = true;
}
#endif /* HAVE_SSL */
Modified: nnrpd/nnrpd.h
===================================================================
--- nnrpd/nnrpd.h 2008-09-20 21:44:07 UTC (rev 8041)
+++ nnrpd/nnrpd.h 2008-09-21 09:05:55 UTC (rev 8042)
@@ -151,6 +151,9 @@
EXTERN bool PERMauthorized;
EXTERN bool PERMcanauthenticate;
+#ifdef HAVE_SSL
+EXTERN bool PERMcanauthenticatewithoutSSL;
+#endif
EXTERN bool PERMcanpost;
EXTERN bool PERMcanpostgreeting;
EXTERN bool PERMcanread;
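Review bot: `PERMcanauthenticatewithoutSSL` is added without a comment, and its meaning is only recoverable by reading perm.c, where it is set when some matching auth group with an auth method has require_ssl: false, and commands.c/sasl.c, where it decides whether AUTHINFO is answered with 483. A one-line note next to the declaration saves the next reader that trip: `/* True if some matching auth group lets the client authenticate without SSL; when false and TLS is not active, AUTHINFO replies 483. */`. It is also the only PERM* flag wrapped in `#ifdef HAVE_SSL`; that matches every visible use being under the same guard, but is worth a word in the same comment.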
@@ -164,9 +167,6 @@
EXTERN char **PERMpostlist;
EXTERN struct client Client;
EXTERN char Username[SMBUF];
-#ifdef HAVE_SSL
-EXTERN bool ClientSSL;
-#endif
extern char *ACTIVETIMES;
extern char *HISTORY;
extern char *ACTIVE;
Modified: nnrpd/perm.c
===================================================================
--- nnrpd/perm.c 2008-09-20 21:44:07 UTC (rev 8041)
+++ nnrpd/perm.c 2008-09-21 09:05:55 UTC (rev 8042)
@@ -21,6 +21,10 @@
# include <sys/select.h>
#endif
+#ifdef HAVE_SSL
+extern bool nnrpd_starttls_done;
+#endif /* HAVE_SSL */
+
/* data types */
typedef struct _CONFCHAIN {
CONFFILE *f;
@@ -1315,9 +1319,6 @@
inwhat = 0;
if (curauth->name
-#ifdef HAVE_SSL
- && ((curauth->require_ssl == false) || (ClientSSL == true))
-#endif
&& MatchHost(curauth->hosts, Client.host, Client.ip)) {
if (!MatchHost(curauth->localaddress, Client.serverhost, Client.serverip)) {
syslog(L_TRACE, "Auth strategy '%s' does not match localhost. Removing.",
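Review bot: Dropping the `require_ssl`/`ClientSSL` test from the host-matching condition means an auth group marked require_ssl: now stays in the candidate list on a cleartext connection, and nothing at this spot records that the check moved to the ResolveUser/AuthenticateUser loop later in the file so that a 483 can be sent instead of the group silently vanishing. Add a comment here, e.g. `/* require_ssl: is deliberately not checked here: SSL-only groups must stay in auth_realms so AUTHINFO can answer 483 instead of silently ignoring them; they are skipped when resolving users. */`. Whatever else the matching code does with a kept group between here and that loop is outside the hunk, as is the start of the enclosing function, so it is worth confirming nothing there grants access from a require_ssl: group on a cleartext connection.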
@@ -1382,6 +1383,9 @@
success_auth = NULL;
PERMcanauthenticate = false;
+#ifdef HAVE_SSL
+ PERMcanauthenticatewithoutSSL = false;
+#endif
PERMcanpostgreeting = false;
PERMcanread = PERMcanpost = false;
PERMreadlist = PERMpostlist = false;
@@ -1406,10 +1410,16 @@
ExitWithStats(1, true);
}
- /* auth_realms are all expected to match the user. */
+ /* auth_realms are all expected to match the user.
+ * Be careful whether SSL is required, though. */
for (i = 0; auth_realms[i]; i++) {
- if (auth_realms[i]->auth_methods != NULL)
+ if (auth_realms[i]->auth_methods != NULL) {
PERMcanauthenticate = true;
+#ifdef HAVE_SSL
+ if (auth_realms[i]->require_ssl == false)
+ PERMcanauthenticatewithoutSSL = true;
+#endif
+ }
/* We assume that an access or dynamic script will allow
* the user to post when authenticated, so that a 200 greeting
* code can be sent. */
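Review bot: The new comment "Be careful whether SSL is required, though." says care is needed but not what is being computed; something like `/* Record whether at least one of them accepts cleartext authentication; if none does, AUTHINFO is answered with 483 until STARTTLS. */` tells the reader what `PERMcanauthenticatewithoutSSL` means. As a point of style, `auth_realms[i]->require_ssl == false` compares a bool against a constant; `if (!auth_realms[i]->require_ssl)` is the idiomatic form, and the same applies to the `== true` tests in the three perm.c hunks that follow.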
@@ -1419,6 +1429,11 @@
}
uname = 0;
while (!uname && i--) {
+#ifdef HAVE_SSL
+ /* If SSL is required, check that the connection is encrypted. */
+ if ((auth_realms[i]->require_ssl == true) && !nnrpd_starttls_done)
+ continue;
+#endif
if ((uname = ResolveUser(auth_realms[i])) != NULL)
PERMauthorized = true;
if (!uname && auth_realms[i]->default_user)
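Review bot: When a require_ssl: group is skipped on a cleartext connection the loop just `continue`s, and the matching early `return NULL` added to ResolveUser and AuthenticateUser in the two hunks below is equally silent, whereas the host-matching code above logs every eliminated group at L_TRACE ("does not match localhost. Removing."). An operator debugging a user who keeps being refused after a cleartext AUTHINFO has no trace of why; log it the same way before the `continue`: `syslog(L_TRACE, "Auth strategy '%s' requires SSL on an unencrypted connection. Skipping.", auth_realms[i]->name);`. The `continue` also bypasses the `default_user` assignment below it, which looks intended (a default user from an SSL-only group must not apply in the clear) but deserves a word in the comment.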
@@ -1913,6 +1928,12 @@
if (auth->res_methods == NULL)
return NULL;
+#ifdef HAVE_SSL
+ /* If SSL is required, check that the connection is encrypted. */
+ if ((auth->require_ssl == true) && !nnrpd_starttls_done)
+ return NULL;
+#endif
+
tmp = concatpath(innconf->pathbin, INN_PATH_AUTHDIR);
resdir = concatpath(tmp, INN_PATH_AUTHDIR_NOPASS);
free(tmp);
@@ -1957,6 +1978,12 @@
if (auth->auth_methods == NULL)
return NULL;
+#ifdef HAVE_SSL
+ /* If SSL is required, check that the connection is encrypted. */
+ if ((auth->require_ssl == true) && !nnrpd_starttls_done)
+ return NULL;
+#endif
+
tmp = concatpath(innconf->pathbin, INN_PATH_AUTHDIR);
resdir = concatpath(tmp, INN_PATH_AUTHDIR_PASSWD);
free(tmp);
Modified: nnrpd/sasl.c
===================================================================
--- nnrpd/sasl.c 2008-09-20 21:44:07 UTC (rev 8041)
+++ nnrpd/sasl.c 2008-09-21 09:05:55 UTC (rev 8042)
@@ -10,6 +10,10 @@
#include "inn/messages.h"
#include "nnrpd.h"
+#ifdef HAVE_SSL
+extern bool nnrpd_starttls_done;
+#endif /* HAVE_SSL */
+
#ifdef HAVE_SASL
#include <sasl/sasl.h>
@@ -85,11 +89,20 @@
}
/* 502 if already successfully authenticated, according to RFC 4643. */
- if (!PERMcanauthenticate) {
+ if (PERMauthorized && !PERMneedauth && !PERMcanauthenticate) {
Reply("%d Already authenticated\r\n", NNTP_ERR_ACCESS);
return;
}
+#ifdef HAVE_SSL
+ /* Check whether STARTTLS must be used before trying to authenticate. */
+ if (PERMcanauthenticate && !PERMcanauthenticatewithoutSSL
+ && !nnrpd_starttls_done) {
+ Reply("%d Encryption required\r\n", NNTP_FAIL_PRIVACY_NEEDED);
+ return;
+ }
+#endif
+
if (ac == 4) {
/* initial response */
clientin = av[3];