INN commit: trunk/nnrpd (sasl.c)

INN Commit Russ_Allbery at isc.org
Tue Sep 23 17:51:32 UTC 2008


    Date: Tuesday, September 23, 2008 @ 10:51:31
  Author: iulius
Revision: 8048

* Properly set TLS negociation for the SASL server.
* Do not use the ANONYMOUS mechanism.

Modified:
  trunk/nnrpd/sasl.c

--------+
 sasl.c |   16 ++++++++++++++++
 1 file changed, 16 insertions(+)

Modified: sasl.c
===================================================================
--- sasl.c	2008-09-22 18:50:21 UTC (rev 8047)
+++ sasl.c	2008-09-23 17:51:31 UTC (rev 8048)
@@ -14,6 +14,8 @@
 #include "inn/ov.h"
 
 #ifdef HAVE_SSL
+extern int tls_cipher_usebits;
+extern char *tls_peer_CN;
 extern bool nnrpd_starttls_done;
 #endif /* HAVE_SSL */
 
@@ -87,9 +89,23 @@
         sasl_security_properties_t secprops;
 
         memset(&secprops, 0, sizeof(secprops));
+        secprops.security_flags = SASL_SEC_NOANONYMOUS;
         secprops.max_ssf = 256;
         secprops.maxbufsize = NNTP_MAXLEN_COMMAND;
         sasl_setprop(sasl_conn, SASL_SEC_PROPS, &secprops);
+#ifdef HAVE_SSL
+        /* Tell SASL about the negotiated TLS layer. */
+        if (nnrpd_starttls_done) {
+            if (sasl_setprop(sasl_conn, SASL_SSF_EXTERNAL,
+                             (sasl_ssf_t *) &tls_cipher_usebits) != SASL_OK) {
+                syslog(L_NOTICE, "sasl_setprop() failed:  TLS layer for SASL");
+            }
+            if (sasl_setprop(sasl_conn, SASL_AUTH_EXTERNAL, tls_peer_CN)
+                != SASL_OK) {
+                syslog(L_NOTICE, "sasl_setprop() failed:  TLS layer for SASL");
+            }
+        }
+#endif
     }
 }
 
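Review bot: The two syslog() calls in the new HAVE_SSL block log identical text, so an operator reading the log cannot tell whether the external SSF or the external auth id failed to apply; distinct messages such as `"sasl_setprop(SASL_SSF_EXTERNAL) failed"` and `"sasl_setprop(SASL_AUTH_EXTERNAL) failed"` would make the diagnostic useful. The `(sasl_ssf_t *) &tls_cipher_usebits` cast hands an int to the library through a pointer to sasl_ssf_t; copying into a local first, `sasl_ssf_t ssf = (sasl_ssf_t) tls_cipher_usebits;` and passing `&ssf`, keeps the types honest and makes the conversion visible instead of hiding it in a pointer cast. tls_peer_CN is presumably NULL when the client presented no certificate; if the library accepts NULL for SASL_AUTH_EXTERNAL that is fine, but a one-line comment stating that expectation would save the next reader a trip to the SASL source. The enclosing function starts before this hunk.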


