INN commit: trunk (doc/pod/news.pod nnrpd/sasl.c)
INN Commit
rra at isc.org
Sun Dec 6 18:27:18 UTC 2015
Date: Sunday, December 6, 2015 @ 10:27:17
Author: iulius
Revision: 9962
SASL: fix the detection of the negotiation of a security layer
nnrpd was wrongly discarding any knowledge from the client when an SASL
data integrity layer without encryption was negotiated.
Note that the patch also makes nnrpd no longer believe the connection
is encrypted in such cases, for use with require_ssl auth blocks in
readers.conf. This fix is not mentioned in NEWS because that behaviour
for require_ssl is not yet released (new in INN 2.6.1).
Modified:
trunk/doc/pod/news.pod
trunk/nnrpd/sasl.c
------------------+
doc/pod/news.pod | 7 +++++++
nnrpd/sasl.c | 9 ++++++---
2 files changed, 13 insertions(+), 3 deletions(-)
Modified: doc/pod/news.pod
===================================================================
--- doc/pod/news.pod 2015-12-04 21:07:32 UTC (rev 9961)
+++ doc/pod/news.pod 2015-12-06 18:27:17 UTC (rev 9962)
@@ -24,6 +24,13 @@
=item *
+When a data integrity layer was negotiated during a successful SASL
+authentication, B<nnrpd> was wrongly reseting any knowledge obtained
+from the client, such as the current newsgroup and article number.
+This behaviour now applies only when an encryption layer is negotiated.
+
+=item *
+
B<nntpsend> now correctly waits until all of the child B<innxmit>
processes exit before it does. It was causing B<nntpsend> to fail
to work properly on systems that use systemd, because when it exits
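Review bot: typo in the new NEWS entry, "reseting" should be "resetting" ("B<nnrpd> was wrongly resetting any knowledge obtained"). It would also help readers of NEWS to say what an "encryption layer" means here, i.e. that an integrity-only layer no longer triggers the reset, so the entry matches the threshold change in nnrpd/sasl.c.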
Modified: nnrpd/sasl.c
===================================================================
--- nnrpd/sasl.c 2015-12-04 21:07:32 UTC (rev 9961)
+++ nnrpd/sasl.c 2015-12-06 18:27:17 UTC (rev 9962)
@@ -300,10 +300,13 @@
sasl_maxout = (*maxoutp == 0 || *maxoutp > NNTP_MAXLEN_COMMAND) ?
NNTP_MAXLEN_COMMAND : *maxoutp;
- if (sasl_ssf > 0) {
+ if (sasl_ssf > 1) {
/* For the forthcoming check of the permissions the client now
- * has, tell the connection is encrypted, so that TLS-only auth
- * blocks in readers.conf are properly taken into account. */
+ * has, tell the connection is encrypted, so that auth blocks
+ * requiring the negotiation of a security layer in readers.conf
+ * are properly taken into account.
+ * When sasl_ssf equals 1, only data integrity is provided, without
+ * any security. */
encryption_layer_on = true;
/* Close out any existing article, report group stats.
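Review bot: the wording "without any security" in the new comment is misleading, since an integrity-only layer (sasl_ssf == 1) still protects the stream against tampering; suggest "only data integrity is provided, without confidentiality (no encryption)". The comment should also state the convention the threshold relies on, namely that Cyrus SASL reports an SSF of 1 for integrity protection only and a value greater than 1 as the encryption strength in bits, so that `if (sasl_ssf > 1)` reads as intentional rather than an off-by-one when compared with the previous `> 0`.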