readers.conf support for detecting SSL
Jeffrey M. Vinocur
jeff at litech.org
Sun Feb 25 07:06:57 UTC 2001
I've added a "require_ssl:" parameter to auth groups in readers.conf, such
that if it is true, a connection only matches a block if the host matches
as usual *and* the connection is over SSL.
I don't think it would be hard to pass this down into the perl hooks, but
I don't know anything about how they work so I didn't try.
Attached is a context diff (nnrpd/nnrpd.h, nnrpd/nnrpd.c, nnrpd/perm.c,
doc/man/readers.conf.5), but the line numbers are a bit funky (my source
is starting to diverge; I should probably start hacking on a fresh copy).
All of the included context is straight from 2.3.1, though, so it should
apply pretty well.
I haven't tested it over a long period, but it does (finally) work as
expected, at least with my configuration. I don't have a tremendously
interesting readers.conf, so I could conceivably have missed something
subtle.
--
Jeffrey M. Vinocur
jeff at litech.org
-- Attached file included as plaintext by Listar --
-- File: nnrpd-ssl
diff -c -r inn-2.3.1/doc/man/readers.conf.5 inn-2.3.1-modified/doc/man/readers.conf.5
*** inn-2.3.1/doc/man/readers.conf.5 Mon Aug 21 02:14:43 2000
--- inn-2.3.1-modified/doc/man/readers.conf.5 Sun Feb 25 01:50:07 2001
***************
*** 219,224 ****
--- 219,227 ----
address in a netblock; for example, \*(L"10.10.10.0/24\*(R" will match any \s-1IP\s0
address between 10.10.10.0 and 10.10.10.255 inclusive.
.PP
+ If compiled against the SSL libraries, an auth group with the ssl_required:
+ parameter set to true only applies if the incoming connection is using SSL.
+ .PP
For any connection from a host that matches that wildmat expression or
netblock, <res-program> (the program given with the res: parameter, if
present) is run to determine the identity of the user just from the
***************
*** 365,370 ****
--- 368,379 ----
If this parameter is present, any connection matching this auth group will
have its privileges determined only by access groups containing a matching
key parameter.
+ .Ip "\fBkey:\fR" 4
+ .IX Item "require_ssl:"
+ If set to true, an incoming connection only matches this auth group if
+ it is encrypted using SSL. This parameter is only valid if
+ .I <--with-openssl at configure>
+ was specified.
.SH "ACCESS GROUP PARAMETERS"
.IX Header "ACCESS GROUP PARAMETERS"
.Ip "\fBusers:\fR" 4
diff -c -r inn-2.3.1/nnrpd/nnrpd.c inn-2.3.1-modified/nnrpd/nnrpd.c
*** inn-2.3.1/nnrpd/nnrpd.c Thu Jan 11 10:39:38 2001
--- inn-2.3.1-modified/nnrpd/nnrpd.c Sat Feb 24 21:39:57 2001
***************
*** 1009,1014 ****
--- 1017,1023 ----
STATstart = TIMEINFOasDOUBLE(Now);
#ifdef HAVE_SSL
+ ClientSSL = FALSE;
if (initialSSL) {
sasl_config_read();
ssl_result=tls_init_serverengine(5, /* depth to verify */
***************
*** 1038,1043 ****
--- 1047,1053 ----
}
nnrpd_starttls_done=1;
+ ClientSSL = TRUE;
}
#endif /* HAVE_SSL */
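Review bot: `ClientSSL = TRUE` is assigned only on the `initialSSL` path, right after the existing `nnrpd_starttls_done=1`; if the STARTTLS command handler (not in this diff) also brings up TLS, it needs the same assignment or a `require_ssl:` group will never match a session upgraded mid-connection. Since `nnrpd_starttls_done` is set at the same point and appears to track the same state, it may be simpler to have the readers.conf check read that existing flag than to introduce a parallel global that can drift from it. It also looks like readers.conf matching happens at nnrpd start-up, before any STARTTLS could occur, so unless access is re-evaluated after the upgrade this parameter is in practice only satisfiable by initial-SSL sessions — that limitation is worth stating in the man page. The enclosing function starts and ends outside this hunk.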
diff -c -r inn-2.3.1/nnrpd/nnrpd.h inn-2.3.1-modified/nnrpd/nnrpd.h
*** inn-2.3.1/nnrpd/nnrpd.h Mon Aug 21 02:14:43 2000
--- inn-2.3.1-modified/nnrpd/nnrpd.h Sat Feb 24 20:55:50 2001
***************
*** 139,144 ****
--- 139,147 ----
EXTERN char ServerHost[SMBUF];
EXTERN char Username[SMBUF];
EXTERN char ClientIp[20];
+ #ifdef HAVE_SSL
+ EXTERN BOOL ClientSSL;
+ #endif
EXTERN char LogName[256] ;
extern char *ACTIVETIMES;
extern char *HISTORY;
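Review bot: The new `ClientSSL` global has no comment saying what it means or who sets it, and it now gates an access decision; document it at the declaration: `/* TRUE once a TLS session is established on this connection (set in nnrpd.c after the handshake); read by the readers.conf require_ssl: check in perm.c. */`. Keeping the declaration under `#ifdef HAVE_SSL` is the right choice: an unguarded reference in a non-SSL build then fails at compile time instead of silently reading a flag nothing ever sets.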
diff -c -r inn-2.3.1/nnrpd/perm.c inn-2.3.1-modified/nnrpd/perm.c
*** inn-2.3.1/nnrpd/perm.c Thu Jan 11 10:39:38 2001
--- inn-2.3.1-modified/nnrpd/perm.c Sun Feb 25 01:40:33 2001
***************
*** 58,63 ****
--- 58,66 ----
typedef struct _AUTHGROUP {
char *name;
char *key;
+ #ifdef HAVE_SSL
+ int require_ssl;
+ #endif
char *hosts;
METHOD **res_methods;
METHOD **auth_methods;
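Review bot: `require_ssl` is added as a bare `int` with no comment, and since it changes whether a group applies to a plaintext connection its meaning should be stated inline: `int require_ssl; /* nonzero: group matches only TLS connections (readers.conf require_ssl:) */`. The struct definition continues outside this hunk.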
***************
*** 157,163 ****
--- 163,174 ----
#define PERMnnrpdauthsender 50
#define PERMvirtualhost 51
#define PERMnewsmaster 52
+ #ifdef HAVE_SSL
+ #define PERMrequire_ssl 53
+ #define PERMMAX 54
+ #else
#define PERMMAX 53
+ #endif
#define TEST_CONFIG(a, b) \
{ \
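Review bot: Defining `PERMMAX` twice under `#ifdef`/`#else` means the two values will drift apart the next time a parameter is added and someone updates only one branch; it is simpler and no less correct to define `#define PERMrequire_ssl 53` and `#define PERMMAX 54` unconditionally, since an unused slot in `ConfigBit` costs nothing, and keep only the token-table entry and parser case conditional on `HAVE_SSL`. The `TEST_CONFIG` macro that follows starts in this hunk but its body is cut off here.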
***************
*** 234,239 ****
--- 245,253 ----
{ PERMnnrpdauthsender, "nnrpdauthsender:" },
{ PERMvirtualhost, "virtualhost:" },
{ PERMnewsmaster, "newsmaster:" },
+ #ifdef HAVE_SSL
+ { PERMrequire_ssl, "require_ssl:" },
+ #endif
{ 0, 0 }
};
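Review bot: The parameter is registered as `"require_ssl:"` here, but the man-page hunk in this same patch documents it as `ssl_required:` in the prose paragraph and labels its `.Ip` entry `key:` (only the `.IX` line says `require_ssl:`); an administrator following the man page would write a parameter the parser never matches, and depending on how unrecognized parameters are handled (not visible in this hunk) the group could then silently match plaintext connections. The man page should read `require_ssl:` in both places. Consider also registering the token unconditionally and reporting an error for it in non-SSL builds, so that `require_ssl:` in readers.conf on such a build is diagnosed explicitly rather than falling into whatever the unknown-parameter path does.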
***************
*** 333,338 ****
--- 347,356 ----
else
ret->hosts = 0;
+ #ifdef HAVE_SSL
+ ret->require_ssl = orig->require_ssl;
+ #endif
+
ret->res_methods = 0;
if (orig->res_methods) {
for (i = 0; orig->res_methods[i]; i++)
***************
*** 402,407 ****
--- 420,432 ----
return(ret);
}
+ void SetDefaultAuth(AUTHGROUP *curauth)
+ {
+ #ifdef HAVE_SSL
+ curauth->require_ssl = FALSE;
+ #endif
+ }
+
void SetDefaultAccess(ACCESSGROUP *curaccess)
{
curaccess->allownewnews = innconf->allownewnews;;
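Review bot: `SetDefaultAuth` has no comment and, in a non-SSL build, compiles to an empty function with an unused parameter; give it a one-line header such as `/* Reset per-auth-group fields with a non-zero default; currently only require_ssl, which the caller's memset already zeroes. */`. It is non-static like the neighboring `SetDefaultAccess`, which matches the file's style, but if nothing outside perm.c calls it, `static` would keep it out of the global namespace.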
***************
*** 554,560 ****
static void authdecl_parse(AUTHGROUP *curauth, CONFFILE *f, CONFTOKEN *tok)
{
! int oldtype;
METHOD *m;
BOOL bit;
char buff[SMBUF], *oldname, *p;
--- 579,585 ----
static void authdecl_parse(AUTHGROUP *curauth, CONFFILE *f, CONFTOKEN *tok)
{
! int oldtype,boolval;
METHOD *m;
BOOL bit;
char buff[SMBUF], *oldname, *p;
***************
*** 573,583 ****
--- 598,621 ----
ReportError(f, buff);
}
+ if (caseEQ(tok->name, "on") || caseEQ(tok->name, "true") || caseEQ(tok->name, "yes"))
+ boolval = TRUE;
+ else if (caseEQ(tok->name, "off") || caseEQ(tok->name, "false") || caseEQ(tok->name, "no"))
+ boolval = FALSE;
+ else
+ boolval = -1;
+
switch (oldtype) {
case PERMkey:
curauth->key = COPY(tok->name);
SET_CONFIG(PERMkey);
break;
+ #ifdef HAVE_SSL
+ case PERMrequire_ssl:
+ if (boolval != -1) curauth->require_ssl = boolval;
+ SET_CONFIG(PERMrequire_ssl);
+ break;
+ #endif
case PERMhost:
curauth->hosts = COPY(tok->name);
CompressList(curauth->hosts);
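Review bot: An unrecognized value for `require_ssl:` is silently dropped — `boolval` is -1, the `if (boolval != -1)` guard skips the assignment, `SET_CONFIG` still marks the parameter as seen, and the group keeps `require_ssl = FALSE`, so a typo like `require_ssl: yse` yields a group that matches plaintext connections with no diagnostic. Report it through `ReportError` as the surrounding code does for other malformed input, and if `ReportError` can return, leave the group requiring TLS so a bad config fails closed. The boolean classification could also move inside the case so it is not computed for every unrelated parameter. `authdecl_parse` continues outside this hunk.
```c
case PERMrequire_ssl:
    if (boolval == -1) {
        snprintf(buff, sizeof(buff), "require_ssl: expects a boolean, got '%s'", tok->name);
        ReportError(f, buff);
        boolval = TRUE;   /* fail closed if ReportError returns */
    }
    curauth->require_ssl = boolval;
    SET_CONFIG(PERMrequire_ssl);
    break;
```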
***************
*** 1017,1022 ****
--- 1055,1061 ----
curauth = NEW(AUTHGROUP, 1);
memset((POINTER) curauth, 0, sizeof(AUTHGROUP));
memset(ConfigBit, '\0', ConfigBitsize);
+ SetDefaultAuth(curauth);
}
curauth->name = str;
***************
*** 1058,1063 ****
--- 1097,1105 ----
/* stuff that belongs in an authgroup */
case PERMhost:
+ #ifdef HAVE_SSL
+ case PERMrequire_ssl:
+ #endif
case PERMauthprog:
case PERMresprog:
case PERMdefuser:
***************
*** 1071,1076 ****
--- 1113,1119 ----
curgroup->auth = NEW(AUTHGROUP, 1);
(void)memset((POINTER)curgroup->auth, 0, sizeof(AUTHGROUP));
memset(ConfigBit, '\0', ConfigBitsize);
+ SetDefaultAuth(curgroup->auth);
}
authdecl_parse(curgroup->auth, cf->f, tok);
***************
*** 1461,1466 ****
--- 1504,1515 ----
int iter;
char *pat,
*p;
+
+ #ifdef HAVE_SSL
+ if ((group->require_ssl == TRUE) && (ClientSSL == FALSE)) {
+ return(0);
+ }
+ #endif
/* If no hosts are specified, by default they match. */
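Review bot: The check tests `group->require_ssl == TRUE`, so any value other than exactly TRUE — including the -1 the parser computes for an unrecognized boolean, should it ever be stored — makes the group match plaintext connections; write it as `if (group->require_ssl && !ClientSSL) return(0);` so any nonzero setting is treated as "required". A short comment on why this precedes the host test would help readers: `/* A group that requires TLS never matches a plaintext session, whatever its hosts: says. */`. The enclosing function begins before this hunk and continues after it; that 0 means "no match" is inferred from the following comment about hosts matching by default.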