INN commit: branches/2.5 (include/nntp.h innd/innd.h innd/nc.c)
INN Commit
rra at isc.org
Sun Nov 15 09:21:29 UTC 2009
Date: Sunday, November 15, 2009 @ 01:21:29
Author: iulius
Revision: 8765
Improve authentication in innd and implement RFC 4643
(AUTHINFO USER/PASS):
* If a feeder will not be able to authenticate (because
it already has access to every feeder command), 502 is
returned instead of letting it authenticate [and fail to].
* Do not allow AUTHINFO PASS before having sent AUTHINFO USER.
Modified:
branches/2.5/include/nntp.h
branches/2.5/innd/innd.h
branches/2.5/innd/nc.c
----------------+
include/nntp.h | 9 ---------
innd/innd.h | 1 +
innd/nc.c | 40 ++++++++++++++++++++++++++++++----------
3 files changed, 31 insertions(+), 19 deletions(-)
Modified: include/nntp.h
===================================================================
--- include/nntp.h 2009-11-15 09:21:15 UTC (rev 8764)
+++ include/nntp.h 2009-11-15 09:21:29 UTC (rev 8765)
@@ -42,16 +42,7 @@
#define NNTP_CLASS_ERROR '4'
#define NNTP_CLASS_FATAL '5'
-
/*
-** Authentication commands from the RFC update (not official).
-*/
-#define NNTP_AUTH_NEEDED "480"
-#define NNTP_AUTH_BAD "481"
-#define NNTP_AUTH_NEXT "381"
-#define NNTP_AUTH_OK "281"
-
-/*
** MODE CANCEL extension.
*/
#define NNTP_OK_CANCELLED "289"
Modified: innd/innd.h
===================================================================
--- innd/innd.h 2009-11-15 09:21:15 UTC (rev 8764)
+++ innd/innd.h 2009-11-15 09:21:29 UTC (rev 8765)
@@ -329,6 +329,7 @@
bool Nolist;
bool CanAuthenticate; /* Can use AUTHINFO? */
bool IsAuthenticated; /* No need to use AUTHINFO? */
+ bool HasSentUsername; /* Has used AUTHINFO USER? */
unsigned long Duplicate;
unsigned long Unwanted_s;
unsigned long Unwanted_f;
Modified: innd/nc.c
===================================================================
--- innd/nc.c 2009-11-15 09:21:15 UTC (rev 8764)
+++ innd/nc.c 2009-11-15 09:21:29 UTC (rev 8765)
@@ -430,40 +430,59 @@
** The AUTHINFO command.
*/
static void
-NCauthinfo(CHANNEL *cp, int ac, char *av[])
+NCauthinfo(CHANNEL *cp, int ac UNUSED, char *av[])
{
char *buff = NULL;
cp->Start = cp->Next;
- if (!cp->CanAuthenticate) {
- /* Already authenticated. */
- NCwritereply(cp, NNTP_ACCESS);
+ if (cp->IsAuthenticated) {
+ /* 502 if authentication will fail. */
+ if (cp->CanAuthenticate)
+ xasprintf(&buff, "%d Authentication will fail", NNTP_ERR_ACCESS);
+ else
+ xasprintf(&buff, "%d Already authenticated", NNTP_ERR_ACCESS);
+ NCwritereply(cp, buff);
+ free(buff);
return;
}
/* Ignore AUTHINFO USER commands, since we only care about the
* password. */
- if (ac > 1 && strcasecmp(av[1], "USER") == 0) {
- NCwritereply(cp, NNTP_AUTH_NEXT);
+ if (strcasecmp(av[1], "USER") == 0) {
+ cp->HasSentUsername = true;
+ xasprintf(&buff, "%d Enter password", NNTP_CONT_AUTHINFO);
+ NCwritereply(cp, buff);
+ free(buff);
return;
}
/* Now make sure we're getting only AUTHINFO PASS commands. */
- if (ac < 3 || strcasecmp(av[1], "PASS") != 0) {
- xasprintf(&buff, "%d Syntax error", NNTP_ERR_SYNTAX);
+ if (strcasecmp(av[1], "PASS") != 0) {
+ xasprintf(&buff, "%d Bad AUTHINFO param", NNTP_ERR_SYNTAX);
NCwritereply(cp, buff);
free(buff);
return;
}
+ /* AUTHINFO PASS cannot be sent before AUTHINFO USER. */
+ if (!cp->HasSentUsername) {
+ xasprintf(&buff, "%d Authentication commands issued out of sequence",
+ NNTP_FAIL_AUTHINFO_REJECT);
+ NCwritereply(cp, buff);
+ free(buff);
+ return;
+ }
+
/* Got the password -- is it okay? */
if (!RCauthorized(cp, av[2])) {
- NCwritereply(cp, NNTP_AUTH_BAD);
+ xasprintf(&buff, "%d Authentication failed", NNTP_FAIL_AUTHINFO_BAD);
} else {
+ xasprintf(&buff, "%d Authentication succeeded", NNTP_OK_AUTHINFO);
cp->CanAuthenticate = false;
cp->IsAuthenticated = true;
- NCwritereply(cp, NNTP_AUTH_OK);
}
+ NCwritereply(cp, buff);
+ free(buff);
}
/*
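Review bot: NCauthinfo now reads `av[1]` and `av[2]` with the `ac > 1` and `ac < 3` guards removed and `ac` marked UNUSED, so a bare `AUTHINFO` or an `AUTHINFO PASS` with no argument reaches `strcasecmp(av[1], ...)` or `RCauthorized(cp, av[2])` unless the command dispatcher, which is outside this hunk, already enforces the argument count. If it does not, keep the checks as `if (ac > 1 && strcasecmp(av[1], "USER") == 0)` and `if (ac < 3 || strcasecmp(av[1], "PASS") != 0)`, and drop UNUSED from the signature. Separately, `HasSentUsername` is set on USER and never cleared in this function, so after a failed PASS further PASS attempts are accepted without a new USER; adding `cp->HasSentUsername = false;` right after the `RCauthorized` call would enforce the sequence on every attempt. The comment "Ignore AUTHINFO USER commands" is also out of date now that USER changes channel state.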
@@ -1510,6 +1529,7 @@
cp = CHANcreate(fd, CTnntp, CSgetcmd, NCreader, NCwritedone);
cp->IsAuthenticated = !MustAuthorize;
+ cp->HasSentUsername = false;
NCclearwip(cp);
cp->privileged = IsLocal;