INN commit: trunk (5 files)
INN Commit
Russ_Allbery at isc.org
Sun Sep 21 18:44:24 UTC 2008
Date: Sunday, September 21, 2008 @ 11:44:24
Author: iulius
Revision: 8045
* Restart the SASL server after authentication failure.
* Add PLAIN and LOGIN mechanisms.
* Reset the state of the NNTP protocol after a security layer
has been negotiated.
Modified:
trunk/nnrpd/Makefile
trunk/nnrpd/nnrpd.c
trunk/nnrpd/nnrpd.h
trunk/nnrpd/sasl.c
trunk/scripts/innreport_inn.pm
--------------------------+
nnrpd/Makefile | 6 ++--
nnrpd/nnrpd.c | 15 ----------
nnrpd/nnrpd.h | 1
nnrpd/sasl.c | 65 ++++++++++++++++++++++++++++++++++++++++++++-
scripts/innreport_inn.pm | 2 -
5 files changed, 71 insertions(+), 18 deletions(-)
Modified: nnrpd/Makefile
===================================================================
--- nnrpd/Makefile 2008-09-21 17:39:56 UTC (rev 8044)
+++ nnrpd/Makefile 2008-09-21 18:44:24 UTC (rev 8045)
@@ -148,7 +148,8 @@
../include/portable/time.h ../include/inn/qio.h ../include/inn/libinn.h \
../include/nntp.h ../include/inn/nntp.h ../include/inn/paths.h \
../include/inn/storage.h ../include/inn/vector.h ../include/inn/timer.h \
- tls.h
+ tls.h ../include/inn/ov.h ../include/inn/storage.h \
+ ../include/inn/history.h
newnews.o: newnews.c ../include/config.h ../include/inn/defines.h \
../include/inn/system.h ../include/inn/options.h ../include/clibrary.h \
../include/config.h ../include/inn/innconf.h ../include/inn/defines.h \
@@ -221,7 +222,8 @@
../include/portable/getaddrinfo.h ../include/portable/getnameinfo.h \
../include/portable/time.h ../include/inn/qio.h ../include/inn/libinn.h \
../include/nntp.h ../include/inn/nntp.h ../include/inn/paths.h \
- ../include/inn/storage.h ../include/inn/vector.h ../include/inn/timer.h
+ ../include/inn/storage.h ../include/inn/vector.h ../include/inn/timer.h \
+ ../include/inn/ov.h ../include/inn/storage.h ../include/inn/history.h
tls.o: tls.c ../include/config.h ../include/inn/defines.h \
../include/inn/system.h ../include/inn/options.h ../include/clibrary.h \
../include/config.h nnrpd.h ../include/portable/socket.h \
Modified: nnrpd/nnrpd.c
===================================================================
--- nnrpd/nnrpd.c 2008-09-21 17:39:56 UTC (rev 8044)
+++ nnrpd/nnrpd.c 2008-09-21 18:44:24 UTC (rev 8045)
@@ -1063,20 +1063,7 @@
}
#ifdef HAVE_SASL
- if (sasl_server_new("nntp", NULL, NULL, NULL, NULL,
- NULL, SASL_SUCCESS_DATA, &sasl_conn) != SASL_OK) {
- syslog(L_FATAL, "sasl_server_new() failed");
- exit(1);
- } else {
- /* XXX Fill in SASL_IPLOCALPORT and SASL_IPREMOTEPORT. */
- sasl_security_properties_t secprops;
-
- memset(&secprops, 0, sizeof(secprops));
- secprops.security_flags = SASL_SEC_NOPLAINTEXT;
- secprops.max_ssf = 256;
- secprops.maxbufsize = NNTP_MAXLEN_COMMAND;
- sasl_setprop(sasl_conn, SASL_SEC_PROPS, &secprops);
- }
+ SASLnewserver();
#endif /* HAVE_SASL */
if (PERMaccessconf) {
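Review bot: SASL_SEC_NOPLAINTEXT is dropped without mention: the removed lines set `secprops.security_flags = SASL_SEC_NOPLAINTEXT`, while the SASLnewserver() that replaces them (sasl.c hunk @@ -60,7 +64,37 @@) memsets secprops and sets only max_ssf and maxbufsize. Combined with the PLAIN and LOGIN mechanisms this commit adds, that offers plaintext password mechanisms on connections with no encryption layer, and the commit description does not say this is intended. A conservative form keeps the flag until TLS is up, `if (!nnrpd_starttls_done) secprops.security_flags = SASL_SEC_NOPLAINTEXT;` inside SASLnewserver, under the same `#ifdef HAVE_SSL` that sasl.c already uses for that extern, with the unconditional assignment in the `#else` branch. Whichever policy is chosen, the behaviour change deserves a line in the commit description.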
Modified: nnrpd/nnrpd.h
===================================================================
--- nnrpd/nnrpd.h 2008-09-21 17:39:56 UTC (rev 8044)
+++ nnrpd/nnrpd.h 2008-09-21 18:44:24 UTC (rev 8045)
@@ -298,4 +298,5 @@
extern sasl_callback_t sasl_callbacks[];
void SASLauth(int ac, char *av[]);
+void SASLnewserver(void);
#endif /* HAVE_SASL */
Modified: nnrpd/sasl.c
===================================================================
--- nnrpd/sasl.c 2008-09-21 17:39:56 UTC (rev 8044)
+++ nnrpd/sasl.c 2008-09-21 18:44:24 UTC (rev 8045)
@@ -10,6 +10,9 @@
#include "inn/messages.h"
#include "nnrpd.h"
+/* Outside the ifdef so that make depend works even ifndef HAVE_SSL. */
+#include "inn/ov.h"
+
#ifdef HAVE_SSL
extern bool nnrpd_starttls_done;
#endif /* HAVE_SSL */
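Review bot: The new comment names HAVE_SSL, but the only consumer of inn/ov.h on this page is the OVctl() call in SASLauth, and the nnrpd.h hunk shows SASLauth and SASLnewserver declared under HAVE_SASL, so the guard the comment presumably means is HAVE_SASL. Suggest `/* Outside the ifdef so that make depend works even ifndef HAVE_SASL. */`, or name both guards if ov.h is genuinely needed for the HAVE_SSL block too.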
@@ -18,7 +21,8 @@
#include <sasl/sasl.h>
sasl_conn_t *sasl_conn = NULL;
-int sasl_ssf = 0, sasl_maxout = NNTP_MAXLEN_COMMAND;
+int sasl_ssf = 0;
+int sasl_maxout = NNTP_MAXLEN_COMMAND;
sasl_callback_t sasl_callbacks[] = {
/* XXX Do we want a proxy callback? */
@@ -60,7 +64,37 @@
}
+/*
+** Create a new SASL server authentication object.
+*/
void
+SASLnewserver(void)
+{
+ if (sasl_conn != NULL) {
+ sasl_dispose(&sasl_conn);
+ sasl_conn = NULL;
+ sasl_ssf = 0;
+ sasl_maxout = NNTP_MAXLEN_COMMAND;
+ }
+
+ if (sasl_server_new("nntp", NULL, NULL, NULL, NULL,
+ NULL, SASL_SUCCESS_DATA, &sasl_conn) != SASL_OK) {
+ syslog(L_FATAL, "sasl_server_new() failed");
+ Reply("%d SASL server unavailable. Try later!\r\n", NNTP_FAIL_TERMINATING);
+ ExitWithStats(1, true);
+ } else {
+ /* XXX Fill in SASL_IPLOCALPORT and SASL_IPREMOTEPORT. */
+ sasl_security_properties_t secprops;
+
+ memset(&secprops, 0, sizeof(secprops));
+ secprops.max_ssf = 256;
+ secprops.maxbufsize = NNTP_MAXLEN_COMMAND;
+ sasl_setprop(sasl_conn, SASL_SEC_PROPS, &secprops);
+ }
+}
+
+
+void
SASLauth(int ac, char *av[])
{
const char *mech;
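Review bot: The moved `sasl_setprop(sasl_conn, SASL_SEC_PROPS, &secprops)` call still ignores its return value, so if the properties are not applied the new server object runs with library defaults for max_ssf and maxbufsize while the caller proceeds as if it were configured; the pre-existing code had the same gap, and since the call now also runs on every cancel and failure path it is worth treating a non-SASL_OK return exactly like the sasl_server_new() failure above it (syslog L_FATAL, 400 reply, ExitWithStats). The header comment also undersells the function: it disposes an existing sasl_conn and zeroes sasl_ssf/sasl_maxout before creating the new object, and on failure it terminates the connection rather than returning, which the AUTHINFO SASL failure paths rely on. Suggest `/* Create a new SASL server object, disposing any existing one and resetting sasl_ssf and sasl_maxout first. On failure, reply 400 and terminate the connection. */`. SASLauth, whose signature ends this hunk, continues outside it.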
@@ -161,24 +195,32 @@
/* FALLTHROUGH */
case RTlong:
warn("%s response too long in AUTHINFO SASL", Client.host);
+ Reply("%d Too long response\r\n", NNTP_FAIL_TERMINATING);
ExitWithStats(1, false);
break;
case RTtimeout:
warn("%s timeout in AUTHINFO SASL", Client.host);
+ /* No answer. */
ExitWithStats(1, false);
break;
case RTeof:
warn("%s EOF in AUTHINFO SASL", Client.host);
+ Reply("%d EOF\r\n", NNTP_FAIL_TERMINATING);
ExitWithStats(1, false);
break;
default:
warn("%s internal %d in AUTHINFO SASL", Client.host, r);
+ Reply("%d Internal error\r\n", NNTP_FAIL_TERMINATING);
ExitWithStats(1, false);
break;
}
/* Check if client cancelled. */
if (strcmp(clientin, "*") == 0) {
+ /* Restart the SASL server in order to be able to reauthenticate.
+ * Call that function before the reply because in case of failure,
+ * 400 is sent. */
+ SASLnewserver();
Reply("%d Client cancelled authentication\r\n", NNTP_FAIL_AUTHINFO_BAD);
return;
}
@@ -240,6 +282,23 @@
sasl_ssf = *ssfp;
sasl_maxout =
(*maxoutp == 0 || *maxoutp > NNTP_MAXLEN_COMMAND) ? NNTP_MAXLEN_COMMAND : *maxoutp;
+
+ if (sasl_ssf != 0) {
+ /* Close out any existing article, report group stats.
+ * RFC 4643 requires the reset of any knowledge about the client. */
+ if (GRPcur) {
+ bool boolval;
+ ARTclose();
+ GRPreport();
+ OVctl(OVCACHEFREE, &boolval);
+ free(GRPcur);
+ GRPcur = NULL;
+ if (ARTcount)
+ syslog(L_NOTICE, "%s exit for AUTHINFO SASL articles %ld groups %ld",
+ Client.host, ARTcount, GRPcount);
+ GRPcount = 0;
+ }
+ }
} else {
/* Failure. */
int resp_code;
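Review bot: `bool boolval;` is passed to `OVctl(OVCACHEFREE, &boolval)` uninitialised and never read afterwards; if OVctl treats the argument as an input flag that is a read of an indeterminate value, and if it is an output it is simply discarded, so either `bool boolval = false;` or a comment stating the value is ignored is needed — confirm against OVctl. In the same block GRPcount is zeroed after the `exit for AUTHINFO SASL` log line but ARTcount is not, so unless ARTcount is reset elsewhere (GRPreport, perhaps) the articles reported here are counted again in the final exit line, which the innreport_inn.pm regex changed in this commit now also parses. SASLauth's body begins and ends outside this hunk.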
@@ -266,6 +325,10 @@
break;
}
+ /* Restart the SASL server in order to be able to reauthenticate.
+ * Call that function before the reply because in case of failure,
+ * 400 is sent. */
+ SASLnewserver();
Reply("%d %s\r\n",
resp_code, errstring ? errstring : "Authentication failed");
}
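Review bot: Re-creating the server object after every failed exchange lets a client retry AUTHINFO SASL indefinitely on one connection, and nothing in this hunk or in the cancel path at @@ -161,24 +195,32 @@ counts failures. If nnrpd already limits failed AUTHINFO attempts elsewhere, confirm this path feeds that counter; if not, a bounded count that ends the session with NNTP_FAIL_TERMINATING after a few failures would match the other terminating replies this commit adds. The comment block duplicated from the cancel path could also be shortened to `/* Restart the SASL server so the client can retry; on failure it replies 400 and exits. */`. The enclosing function continues outside the hunk.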
Modified: scripts/innreport_inn.pm
===================================================================
--- scripts/innreport_inn.pm 2008-09-21 17:39:56 UTC (rev 8044)
+++ scripts/innreport_inn.pm 2008-09-21 18:44:24 UTC (rev 8045)
@@ -1623,7 +1623,7 @@
return 1;
}
# exit (also called when using STARTTLS)
- if ($left =~ /(\S+) (?:exit|exit for STARTTLS) articles (\d+) groups (\d+)$/o) {
+ if ($left =~ /(\S+) (?:exit|exit for STARTTLS|exit for AUTHINFO SASL) articles (\d+) groups (\d+)$/o) {
my ($cust, $articles, $groups) = ($1, $2, $3);
$cust = lc $cust unless $CASE_SENSITIVE;
my $dom = &host2dom($cust);
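Review bot: The comment above the changed pattern, `# exit (also called when using STARTTLS)`, is now stale because the regex also matches the `exit for AUTHINFO SASL` line that nnrpd/sasl.c emits in this commit; suggest `# exit (also called when using STARTTLS or AUTHINFO SASL)`. The comment line is context within this hunk.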