INN commit: branches/2.5 (include/nntp.h innd/innd.h innd/nc.c)

INN Commit rra at isc.org
Sun Nov 15 09:21:29 UTC 2009


    Date: Sunday, November 15, 2009 @ 01:21:29
  Author: iulius
Revision: 8765

Improve authentication in innd and implement RFC 4643
(AUTHINFO USER/PASS):

* If a feeder will not be able to authenticate (because
it already has access to every feeder command), 502 is
returned instead of letting it try to authenticate and fail.

* Do not allow AUTHINFO PASS before having sent AUTHINFO USER.

Modified:
  branches/2.5/include/nntp.h
  branches/2.5/innd/innd.h
  branches/2.5/innd/nc.c

----------------+
 include/nntp.h |    9 ---------
 innd/innd.h    |    1 +
 innd/nc.c      |   40 ++++++++++++++++++++++++++++++----------
 3 files changed, 31 insertions(+), 19 deletions(-)

Modified: include/nntp.h
===================================================================
--- include/nntp.h	2009-11-15 09:21:15 UTC (rev 8764)
+++ include/nntp.h	2009-11-15 09:21:29 UTC (rev 8765)
@@ -42,16 +42,7 @@
 #define NNTP_CLASS_ERROR		'4'
 #define NNTP_CLASS_FATAL		'5'
 
-
 /*
-**  Authentication commands from the RFC update (not official).
-*/
-#define NNTP_AUTH_NEEDED		"480"
-#define NNTP_AUTH_BAD			"481"
-#define NNTP_AUTH_NEXT			"381"
-#define NNTP_AUTH_OK			"281"
-
-/*
 **  MODE CANCEL extension.
 */
 #define NNTP_OK_CANCELLED       "289"

Modified: innd/innd.h
===================================================================
--- innd/innd.h	2009-11-15 09:21:15 UTC (rev 8764)
+++ innd/innd.h	2009-11-15 09:21:29 UTC (rev 8765)
@@ -329,6 +329,7 @@
   bool		       Nolist;
   bool                 CanAuthenticate; /* Can use AUTHINFO? */
   bool                 IsAuthenticated; /* No need to use AUTHINFO? */
+  bool                 HasSentUsername; /* Has used AUTHINFO USER? */
   unsigned long	       Duplicate;
   unsigned long	       Unwanted_s;
   unsigned long	       Unwanted_f;

Modified: innd/nc.c
===================================================================
--- innd/nc.c	2009-11-15 09:21:15 UTC (rev 8764)
+++ innd/nc.c	2009-11-15 09:21:29 UTC (rev 8765)
@@ -430,40 +430,59 @@
 **  The AUTHINFO command.
 */
 static void
-NCauthinfo(CHANNEL *cp, int ac, char *av[])
+NCauthinfo(CHANNEL *cp, int ac UNUSED, char *av[])
 {
     char *buff = NULL;
     cp->Start = cp->Next;
 
-    if (!cp->CanAuthenticate) {
-        /* Already authenticated. */
-        NCwritereply(cp, NNTP_ACCESS);
+    if (cp->IsAuthenticated) {
+        /* 502 if authentication will fail. */
+        if (cp->CanAuthenticate)
+            xasprintf(&buff, "%d Authentication will fail", NNTP_ERR_ACCESS);
+        else
+            xasprintf(&buff, "%d Already authenticated", NNTP_ERR_ACCESS);
+        NCwritereply(cp, buff);
+        free(buff);
         return;
     }
 
     /* Ignore AUTHINFO USER commands, since we only care about the
      * password. */
-    if (ac > 1 && strcasecmp(av[1], "USER") == 0) {
-	NCwritereply(cp, NNTP_AUTH_NEXT);
+    if (strcasecmp(av[1], "USER") == 0) {
+        cp->HasSentUsername = true;
+        xasprintf(&buff, "%d Enter password", NNTP_CONT_AUTHINFO);
+        NCwritereply(cp, buff);
+        free(buff);
 	return;
     }
 
     /* Now make sure we're getting only AUTHINFO PASS commands. */
-    if (ac < 3 || strcasecmp(av[1], "PASS") != 0) {
-        xasprintf(&buff, "%d Syntax error", NNTP_ERR_SYNTAX);
+    if (strcasecmp(av[1], "PASS") != 0) {
+        xasprintf(&buff, "%d Bad AUTHINFO param", NNTP_ERR_SYNTAX);
         NCwritereply(cp, buff);
         free(buff);
 	return;
     }
 
+    /* AUTHINFO PASS cannot be sent before AUTHINFO USER. */
+    if (!cp->HasSentUsername) {
+        xasprintf(&buff, "%d Authentication commands issued out of sequence",
+                  NNTP_FAIL_AUTHINFO_REJECT);
+        NCwritereply(cp, buff);
+        free(buff);
+        return;
+    }
+
     /* Got the password -- is it okay? */
     if (!RCauthorized(cp, av[2])) {
-	NCwritereply(cp, NNTP_AUTH_BAD);
+        xasprintf(&buff, "%d Authentication failed", NNTP_FAIL_AUTHINFO_BAD);
     } else {
+        xasprintf(&buff, "%d Authentication succeeded", NNTP_OK_AUTHINFO);
         cp->CanAuthenticate = false;
         cp->IsAuthenticated = true;
-	NCwritereply(cp, NNTP_AUTH_OK);
     }
+    NCwritereply(cp, buff);
+    free(buff);
 }
 
 /*
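Review bot: In NCauthinfo the `ac > 1` and `ac < 3` guards are removed and `ac` is marked UNUSED, so `av[1]` and `av[2]` are now read without any argument-count check visible in this hunk. If the command dispatcher (outside the hunk) does not reject AUTHINFO lines with fewer than three words, this pre-authentication path would hand a missing argument to `strcasecmp()` or `RCauthorized()`; either keep the local guards (`if (ac > 1 && strcasecmp(av[1], "USER") == 0) {` and `if (ac < 3 || strcasecmp(av[1], "PASS") != 0) {`, dropping UNUSED) or add a comment above the function naming where the count is enforced. Separately, `HasSentUsername` stays true after a failed PASS, so later PASS attempts need no new USER; if each attempt is meant to be a USER/PASS pair, add `cp->HasSentUsername = false;` in the `!RCauthorized` branch. The retained comment "Ignore AUTHINFO USER commands, since we only care about the password" is also stale now that USER records state.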
@@ -1510,6 +1529,7 @@
     cp = CHANcreate(fd, CTnntp, CSgetcmd, NCreader, NCwritedone);
 
     cp->IsAuthenticated = !MustAuthorize;
+    cp->HasSentUsername = false;
 
     NCclearwip(cp);
     cp->privileged = IsLocal;



