Auth plugin NEVER receive callback when using password_file #1215

Open
kuldeepdhaka opened this issue Mar 30, 2019 · 1 comment · May be fixed by #1216
kuldeepdhaka commented Mar 30, 2019

As per https://mosquitto.org/man/mosquitto-conf-5.html
"If password_file, or acl_file are used in the config file alongsize auth_plugin, the plugin checks will run after the build in checks."

```c
int mosquitto_unpwd_check_default(struct mosquitto_db *db, struct mosquitto *context, const char *username, const char *password)
{
	struct mosquitto__unpwd *u, *tmp;
	struct mosquitto__unpwd *unpwd_ref;
#ifdef WITH_TLS
	unsigned char hash[EVP_MAX_MD_SIZE];
	unsigned int hash_len;
	int rc;
#endif
	if(!db) return MOSQ_ERR_INVAL;
	if(db->config->per_listener_settings){
		if(context->bridge) return MOSQ_ERR_SUCCESS;
		if(!context->listener) return MOSQ_ERR_INVAL;
		if(!context->listener->unpwd) return MOSQ_ERR_PLUGIN_DEFER;
		unpwd_ref = context->listener->unpwd;
	}else{
		if(!db->unpwd) return MOSQ_ERR_PLUGIN_DEFER;
		unpwd_ref = db->unpwd;
	}
	if(!username) return MOSQ_ERR_INVAL; /* Check must be made only after checking unpwd_ref. */
	HASH_ITER(hh, unpwd_ref, u, tmp){
		if(!strcmp(u->username, username)){
			if(u->password){
				if(password){
#ifdef WITH_TLS
					rc = pw__digest(password, u->salt, u->salt_len, hash, &hash_len);
					if(rc == MOSQ_ERR_SUCCESS){
						if(hash_len == u->password_len && !mosquitto__memcmp_const(u->password, hash, hash_len)){
							return MOSQ_ERR_SUCCESS;
						}else{
							return MOSQ_ERR_AUTH;
						}
					}else{
						return rc;
					}
#else
					if(!strcmp(u->password, password)){
						return MOSQ_ERR_SUCCESS;
					}
#endif
				}else{
					return MOSQ_ERR_AUTH;
				}
			}else{
				return MOSQ_ERR_SUCCESS;
			}
		}
	}
	return MOSQ_ERR_AUTH;
}
```

In the above code, if no user is found (having a hash table), mosquitto_unpwd_check_default() returns MOSQ_ERR_AUTH (the last line of the function).

Shouldn't it actually return MOSQ_ERR_PLUGIN_DEFER (at the last line), since it is supposed to defer to others as per the docs?

mosquitto_auth_unpwd_check() will never receive the callback if password_file is used in mosquitto.conf.

Note: I'm very new to the code, and based on heuristics this fixes my auth plugin not getting any callback.

diff --git a/src/security_default.c b/src/security_default.c
index 99b7809..8f896b0 100644
--- a/src/security_default.c
+++ b/src/security_default.c
@@ -882,7 +882,7 @@ int mosquitto_unpwd_check_default(struct mosquitto_db *db, struct mosquitto *con
 		}
 	}
 
-	return MOSQ_ERR_AUTH;
+	return MOSQ_ERR_PLUGIN_DEFER;
 }
 
 static int unpwd__cleanup(struct mosquitto__unpwd **root, bool reload)
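
Review bot: With the final `return` changed to MOSQ_ERR_PLUGIN_DEFER, every path that falls out of the HASH_ITER loop now defers, not only the unknown-username case. In the function as pasted above, the non-WITH_TLS branch has no `else` after `if(!strcmp(u->password, password))`, so a known user with a wrong password also reaches this line and would be handed to the plugin instead of being rejected; consider adding an explicit `return MOSQ_ERR_AUTH;` in that branch. The hunk also does not show how the caller treats MOSQ_ERR_PLUGIN_DEFER when no auth plugin is loaded or when every plugin defers as well; that case has to end in a denial, so it is worth confirming or adding alongside this change.
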
kuldeepdhaka added a commit to kuldeepdhaka/mosquitto that referenced this issue Mar 30, 2019
mosquitto_unpwd_check_default() should return MOSQ_ERR_PLUGIN_DEFER instead MOSQ_ERR_AUTH
if no username matched so that auth plugin can handle it.

According to docs:
"If password_file, or acl_file are used in the config file alongsize auth_plugin,
the plugin checks will run after the build in checks."

Fixes eclipse#1215

Signed-off-by: Kuldeep Singh Dhaka <[email protected]>
@kuldeepdhaka kuldeepdhaka linked a pull request Mar 30, 2019 that will close this issue
@kuldeepdhaka kuldeepdhaka changed the title Auth plugin ALWAYS not receiving callback when using password_file Auth plugin NEVER receive callback when using password_file Mar 31, 2019

ralight commented Apr 11, 2019

You're right (as in the PR), but it does need more work to fix properly and won't be in 1.6.
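
A small model of the check chain discussed in this issue, added here as an example and not taken from Mosquitto's source: it shows how the built-in check's last-line return decides whether a plugin is ever consulted, and that a chain ending in "defer" must still deny. All names (`enum chk`, `builtin_check`, `sample_plugin`, `auth_chain`) and the sample users are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this model; not Mosquitto's MOSQ_ERR_* values. */
enum chk { CHK_OK, CHK_DENY, CHK_DEFER };
typedef enum chk (*check_fn)(const char *user, const char *pass);

/* Constructed "password file". Plaintext strcmp keeps the model short; the
 * code posted above compares salted hashes in constant time under WITH_TLS. */
static const struct { const char *name, *pw; } pwfile[] = { { "alice", "alice-pw" } };
static int plugin_calls; /* counts how often the plugin callback is reached */

/* Built-in check (user and pass must be non-NULL). on_unknown is the
 * last-line return: CHK_DENY models the code as posted, CHK_DEFER the
 * proposed change. A known user with a wrong password is always denied. */
static enum chk builtin_check(const char *user, const char *pass, enum chk on_unknown)
{
	size_t i;
	for(i = 0; i < sizeof(pwfile)/sizeof(pwfile[0]); i++){
		if(!strcmp(pwfile[i].name, user)){
			return strcmp(pwfile[i].pw, pass) ? CHK_DENY : CHK_OK;
		}
	}
	return on_unknown;
}

/* Constructed plugin: knows one extra user and defers on everyone else. */
static enum chk sample_plugin(const char *user, const char *pass)
{
	plugin_calls++;
	if(!strcmp(user, "bob")) return strcmp(pass, "bob-pw") ? CHK_DENY : CHK_OK;
	return CHK_DEFER;
}

/* Built-in check first, then each plugin while the answer is still DEFER.
 * Fail closed: if nobody gives a definite answer, the result is DENY. */
static enum chk auth_chain(const char *user, const char *pass, enum chk on_unknown, const check_fn *plugins, size_t n)
{
	size_t i;
	enum chk rc = builtin_check(user, pass, on_unknown);
	for(i = 0; rc == CHK_DEFER && i < n; i++) rc = plugins[i](user, pass);
	return rc == CHK_DEFER ? CHK_DENY : rc;
}

int main(void)
{
	check_fn p[] = { sample_plugin };
	printf("bob, as posted: %d\n", (int)auth_chain("bob", "bob-pw", CHK_DENY, p, 1));
	printf("bob, proposed:  %d\n", (int)auth_chain("bob", "bob-pw", CHK_DEFER, p, 1));
	return 0;
}
```
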
