diff -c -r inn-2.3.1/doc/man/readers.conf.5 inn-2.3.1-modified/doc/man/readers.conf.5
*** inn-2.3.1/doc/man/readers.conf.5	Mon Aug 21 02:14:43 2000
--- inn-2.3.1-modified/doc/man/readers.conf.5	Sun Feb 25 01:50:07 2001
***************
*** 219,224 ****
--- 219,227 ----
  address in a netblock; for example, \*(L"10.10.10.0/24\*(R" will match any \s-1IP\s0
  address between 10.10.10.0 and 10.10.10.255 inclusive.
  .PP
+ If compiled against the SSL libraries, an auth group with the ssl_required: 
+ parameter set to true only applies if the incoming connection is using SSL.
+ .PP
  For any connection from a host that matches that wildmat expression or
  netblock, <res-program> (the program given with the res: parameter, if
  present) is run to determine the identity of the user just from the
***************
*** 365,370 ****
--- 368,379 ----
  If this parameter is present, any connection matching this auth group will
  have its privileges determined only by access groups containing a matching
  key parameter.
+ .Ip "\fBkey:\fR" 4
+ .IX Item "require_ssl:"
+ If set to true, an incoming connection only matches this auth group if
+ it is encrypted using SSL.  This parameter is only valid if 
+ .I <--with-openssl at configure>
+ was specified.
  .SH "ACCESS GROUP PARAMETERS"
  .IX Header "ACCESS GROUP PARAMETERS"
  .Ip "\fBusers:\fR" 4
diff -c -r inn-2.3.1/nnrpd/nnrpd.c inn-2.3.1-modified/nnrpd/nnrpd.c
*** inn-2.3.1/nnrpd/nnrpd.c	Thu Jan 11 10:39:38 2001
--- inn-2.3.1-modified/nnrpd/nnrpd.c	Sat Feb 24 21:39:57 2001
***************
*** 1009,1014 ****
--- 1017,1023 ----
      STATstart = TIMEINFOasDOUBLE(Now);
  
  #ifdef HAVE_SSL
+     ClientSSL = FALSE;
      if (initialSSL) {
        sasl_config_read();
        ssl_result=tls_init_serverengine(5,        /* depth to verify */
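Review bot: `ClientSSL` is assigned only on the `initialSSL` startup path (`FALSE` here, `TRUE` after `nnrpd_starttls_done=1` in the next hunk), so any other code that completes a TLS handshake and sets `nnrpd_starttls_done` would leave `ClientSSL` at `FALSE`; whether this tree has such a path (for example a STARTTLS command handler) is not visible in this patch. A connection secured that way would still be treated as plaintext by the `require_ssl` check added in perm.c and would never match an SSL-only auth group. Since `nnrpd_starttls_done` already records the same fact, consider testing it directly in perm.c or setting both flags in one helper. A comment next to the declaration in nnrpd.h would also help, e.g. `/* TRUE once the TLS handshake has completed on this connection */`. The enclosing function starts and ends outside this hunk.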
***************
*** 1038,1043 ****
--- 1047,1053 ----
        }
  
        nnrpd_starttls_done=1;
+       ClientSSL = TRUE;
      }
  #endif /* HAVE_SSL */
  
diff -c -r inn-2.3.1/nnrpd/nnrpd.h inn-2.3.1-modified/nnrpd/nnrpd.h
*** inn-2.3.1/nnrpd/nnrpd.h	Mon Aug 21 02:14:43 2000
--- inn-2.3.1-modified/nnrpd/nnrpd.h	Sat Feb 24 20:55:50 2001
***************
*** 139,144 ****
--- 139,147 ----
  EXTERN char     ServerHost[SMBUF];
  EXTERN char	Username[SMBUF];
  EXTERN char     ClientIp[20];
+ #ifdef HAVE_SSL
+ EXTERN BOOL     ClientSSL;
+ #endif
  EXTERN char	LogName[256] ;
  extern char	*ACTIVETIMES;
  extern char	*HISTORY;
diff -c -r inn-2.3.1/nnrpd/perm.c inn-2.3.1-modified/nnrpd/perm.c
*** inn-2.3.1/nnrpd/perm.c	Thu Jan 11 10:39:38 2001
--- inn-2.3.1-modified/nnrpd/perm.c	Sun Feb 25 01:40:33 2001
***************
*** 58,63 ****
--- 58,66 ----
  typedef struct _AUTHGROUP {
      char *name;
      char *key;
+ #ifdef HAVE_SSL
+     int require_ssl;
+ #endif
      char *hosts;
      METHOD **res_methods;
      METHOD **auth_methods;
***************
*** 157,163 ****
--- 163,174 ----
  #define PERMnnrpdauthsender	50
  #define PERMvirtualhost		51
  #define PERMnewsmaster		52
+ #ifdef HAVE_SSL
+ #define PERMrequire_ssl         53
+ #define PERMMAX			54
+ #else
  #define PERMMAX			53
+ #endif
  
  #define TEST_CONFIG(a, b) \
      { \
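Review bot: `PERMrequire_ssl` and its table entry (the following hunk) exist only under `HAVE_SSL`, so a build without SSL treats `require_ssl:` in readers.conf as an unknown keyword. How the parser handles an unknown keyword is not visible in this patch; if it is skipped rather than rejected, an auth group meant to be SSL-only would apply to plaintext connections on such a build. Defining the token unconditionally and rejecting `require_ssl: true` at parse time when SSL support is absent would keep the restriction fail-closed. The same risk applies to an administrator who follows the man page hunks, which name the parameter `ssl_required:` in one place and head the item `key:` in another, while the table accepts only `require_ssl:`.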
***************
*** 234,239 ****
--- 245,253 ----
    { PERMnnrpdauthsender, "nnrpdauthsender:" },
    { PERMvirtualhost, "virtualhost:" },
    { PERMnewsmaster, "newsmaster:" },
+ #ifdef HAVE_SSL
+   { PERMrequire_ssl, "require_ssl:" },
+ #endif
    { 0, 0 }
  };
  
***************
*** 333,338 ****
--- 347,356 ----
      else
  	ret->hosts = 0;
  
+ #ifdef HAVE_SSL
+     ret->require_ssl = orig->require_ssl;
+ #endif
+ 
      ret->res_methods = 0;
      if (orig->res_methods) {
  	for (i = 0; orig->res_methods[i]; i++)
***************
*** 402,407 ****
--- 420,432 ----
      return(ret);
  }
  
+ void SetDefaultAuth(AUTHGROUP *curauth)
+ {
+ #ifdef HAVE_SSL
+         curauth->require_ssl = FALSE;
+ #endif
+ }
+ 
  void SetDefaultAccess(ACCESSGROUP *curaccess)
  {
      curaccess->allownewnews = innconf->allownewnews;;
***************
*** 554,560 ****
  
  static void authdecl_parse(AUTHGROUP *curauth, CONFFILE *f, CONFTOKEN *tok)
  {
!     int oldtype;
      METHOD *m;
      BOOL bit;
      char buff[SMBUF], *oldname, *p;
--- 579,585 ----
  
  static void authdecl_parse(AUTHGROUP *curauth, CONFFILE *f, CONFTOKEN *tok)
  {
!     int oldtype,boolval;
      METHOD *m;
      BOOL bit;
      char buff[SMBUF], *oldname, *p;
***************
*** 573,583 ****
--- 598,621 ----
  	ReportError(f, buff);
      }
  
+     if (caseEQ(tok->name, "on") || caseEQ(tok->name, "true") || caseEQ(tok->name, "yes"))
+ 	boolval = TRUE;
+     else if (caseEQ(tok->name, "off") || caseEQ(tok->name, "false") || caseEQ(tok->name, "no"))
+ 	boolval = FALSE;
+     else
+ 	boolval = -1;
+ 
      switch (oldtype) {
        case PERMkey:
  	curauth->key = COPY(tok->name);
  	SET_CONFIG(PERMkey);
  	break;
+ #ifdef HAVE_SSL
+       case PERMrequire_ssl:
+         if (boolval != -1) curauth->require_ssl = boolval;
+         SET_CONFIG(PERMrequire_ssl);
+         break;
+ #endif
        case PERMhost:
  	curauth->hosts = COPY(tok->name);
  	CompressList(curauth->hosts);
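Review bot: In `case PERMrequire_ssl`, a value outside on/true/yes/off/false/no leaves `boolval` at -1, the assignment is skipped, and `SET_CONFIG(PERMrequire_ssl)` still marks the parameter as configured. A typo such as `require_ssl: ture` therefore leaves the group open to unencrypted connections with no diagnostic. For an access-control switch the parse should fail loudly, for example `if (boolval == -1) { snprintf(buff, sizeof buff, "Expected boolean value for require_ssl"); ReportError(f, buff); }`, reusing the `ReportError(f, buff)` path visible just above the switch. `authdecl_parse` begins and continues outside this hunk, so how `ReportError` terminates parsing should be confirmed there.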
***************
*** 1017,1022 ****
--- 1055,1061 ----
  			curauth = NEW(AUTHGROUP, 1);
  			memset((POINTER) curauth, 0, sizeof(AUTHGROUP));
  			memset(ConfigBit, '\0', ConfigBitsize);
+                         SetDefaultAuth(curauth);
  		    }
  
  		    curauth->name = str;
***************
*** 1058,1063 ****
--- 1097,1105 ----
  
  		/* stuff that belongs in an authgroup */
  	      case PERMhost:
+ #ifdef HAVE_SSL
+               case PERMrequire_ssl:
+ #endif
  	      case PERMauthprog:
  	      case PERMresprog:
  	      case PERMdefuser:
***************
*** 1071,1076 ****
--- 1113,1119 ----
  		    curgroup->auth = NEW(AUTHGROUP, 1);
  		    (void)memset((POINTER)curgroup->auth, 0, sizeof(AUTHGROUP));
  		    memset(ConfigBit, '\0', ConfigBitsize);
+                     SetDefaultAuth(curgroup->auth);
  		}
  
  		authdecl_parse(curgroup->auth, cf->f, tok);
***************
*** 1461,1466 ****
--- 1504,1515 ----
      int	    iter;
      char    *pat, 
  	    *p;
+ 
+ #ifdef HAVE_SSL
+     if ((group->require_ssl == TRUE) && (ClientSSL == FALSE)) {
+         return(0);
+     }
+ #endif
  
      /*	If no hosts are specified, by default they match.   */
  
