INN commit: branches/2.6 (doc/pod/news.pod nnrpd/sasl.c)

INN Commit rra at isc.org
Thu Dec 10 20:48:20 UTC 2015


    Date: Thursday, December 10, 2015 @ 12:48:20
  Author: iulius
Revision: 9976

SASL:  fix the detection of the negotiation of a security layer

nnrpd was wrongly discarding any knowledge from the client when an SASL
data integrity layer without encryption was negotiated.

Note that the patch also makes nnrpd no longer believe the connection
is encrypted in such cases, for use with require_ssl auth blocks in
readers.conf.  This fix is not mentioned in NEWS because that behaviour
for require_ssl is not yet released (new in INN 2.6.1).

Modified:
  branches/2.6/doc/pod/news.pod
  branches/2.6/nnrpd/sasl.c

------------------+
 doc/pod/news.pod |    7 +++++++
 nnrpd/sasl.c     |    9 ++++++---
 2 files changed, 13 insertions(+), 3 deletions(-)

Modified: doc/pod/news.pod
===================================================================
--- doc/pod/news.pod	2015-12-10 20:47:08 UTC (rev 9975)
+++ doc/pod/news.pod	2015-12-10 20:48:20 UTC (rev 9976)
@@ -30,6 +30,13 @@
 
 =item *
 
+When a data integrity layer was negotiated during a successful SASL
+authentication, B<nnrpd> was wrongly reseting any knowledge obtained
+from the client, such as the current newsgroup and article number.
+This behaviour now applies only when an encryption layer is negotiated.
+
+=item *
+
 B<nntpsend> now correctly waits until all of the child B<innxmit>
 processes exit before it does.  It was causing B<nntpsend> to fail
 to work properly on systems that use systemd, because when it exits
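Review bot: typo in the added NEWS entry, "reseting" should be "resetting" in the line `+authentication, B<nnrpd> was wrongly reseting any knowledge obtained`. The entry otherwise reads fine and matches the commit message; consider also saying which "knowledge" is discarded in the encryption case (current newsgroup and article number) so readers know what to expect after a successful AUTHINFO SASL that negotiates encryption.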

Modified: nnrpd/sasl.c
===================================================================
--- nnrpd/sasl.c	2015-12-10 20:47:08 UTC (rev 9975)
+++ nnrpd/sasl.c	2015-12-10 20:48:20 UTC (rev 9976)
@@ -300,10 +300,13 @@
         sasl_maxout = (*maxoutp == 0 || *maxoutp > NNTP_MAXLEN_COMMAND) ?
             NNTP_MAXLEN_COMMAND : *maxoutp;
 
-        if (sasl_ssf > 0) {
+        if (sasl_ssf > 1) {
             /* For the forthcoming check of the permissions the client now
-             * has, tell the connection is encrypted, so that TLS-only auth
-             * blocks in readers.conf are properly taken into account. */
+             * has, tell the connection is encrypted, so that auth blocks
+             * requiring the negotiation of a security layer in readers.conf
+             * are properly taken into account.
+             * When sasl_ssf equals 1, only data integrity is provided, without
+             * any security. */
             encryption_layer_on = true;
 
             /* Close out any existing article, report group stats.
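Review bot: the wording of the new comment is misleading: "only data integrity is provided, without any security" describes an integrity-only layer as having no security, when what it lacks is confidentiality; "without any encryption" would state the actual reason the `encryption_layer_on` flag is not set. The literal in `if (sasl_ssf > 1)` also encodes the convention the comment describes (an SSF of 1 means integrity only), so a named constant or an explicit reference to the SASL SSF semantics next to the comparison would keep the threshold from reading as arbitrary. Finally, the first sentence now says the flag serves "auth blocks requiring the negotiation of a security layer", but after this change an integrity-only security layer no longer qualifies; "auth blocks requiring an encrypted connection (require_ssl)" matches the new condition.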
