
Drop a secure connection in mosquitto auth plugin #2150

Open
abhiarora4 opened this issue Mar 25, 2021 · 2 comments

Comments

@abhiarora4

abhiarora4 commented Mar 25, 2021

I have written a plugin for mosquitto auth. I have configured only the SSL connection (using require_certificate true in the conf file) on one port. This is how my conf file looks:

per_listener_settings true

listener 1884
auth_plugin /usr/lib/libmos_auth.so
allow_anonymous false
use_identity_as_username true
require_certificate true
tls_engine pkcs11
tls_keyform engine
cafile /etc/ssl/certs/ca-bundle.pem
keyfile pkcs11:object=device;token=0123AD;type=private
certfile /mnt/User_data/DeviceCert.pem

I was expecting mosquitto_auth_unpwd_check to be called before mosquitto_auth_acl_check, but that's not happening. I get a call to mosquitto_auth_acl_check without any call to mosquitto_auth_unpwd_check.

All I want to achieve is to drop the connection if the client has an X509 certificate with a serial number not specified in my list (stored in a file). I can do access control by disallowing subscription and publish, but I want to drop the connection as well.

My partial auth_plugin function implementation:

#include <openssl/x509.h>
#include <mosquitto.h>
#include <mosquitto_broker.h>
#include <mosquitto_plugin.h>

int mosquitto_auth_unpwd_check(void *user_data, struct mosquitto *client, const char *username, const char *password)
{
    /* username may be NULL when the client sent none; never pass NULL to %s */
    mosquitto_log_printf(MOSQ_LOG_ERR, "Client (%s) Connected with username (%s)",
        mosquitto_client_id(client), username ? username : "(none)");

    /* mosquitto_client_certificate() returns a reference the caller must X509_free() */
    X509 *pcert = mosquitto_client_certificate(client);
    if (pcert == NULL)
        return MOSQ_ERR_AUTH;   /* no client certificate: refuse the connection */
    char *subj = X509_NAME_oneline(X509_get_subject_name(pcert), NULL, 0);
    char *issuer = X509_NAME_oneline(X509_get_issuer_name(pcert), NULL, 0);

    mosquitto_log_printf(MOSQ_LOG_ERR, "Client Subject (%s) by issuer (%s)", subj, issuer);
    OPENSSL_free(subj);       /* X509_NAME_oneline() allocated these */
    OPENSSL_free(issuer);
    X509_free(pcert);
    return MOSQ_ERR_SUCCESS;
}


int mosquitto_auth_acl_check(void *user_data, int access, struct mosquitto *client, const struct mosquitto_acl_msg *msg)
{
    mosquitto_log_printf(MOSQ_LOG_ERR, "Client (ACL Check) (%s) Connected with username (%s)",
        mosquitto_client_id(client), mosquitto_client_username(client));

    X509 *pcert = mosquitto_client_certificate(client);
    if (pcert == NULL)
        return MOSQ_ERR_ACL_DENIED;
    char *subj = X509_NAME_oneline(X509_get_subject_name(pcert), NULL, 0);
    char *issuer = X509_NAME_oneline(X509_get_issuer_name(pcert), NULL, 0);

    mosquitto_log_printf(MOSQ_LOG_ERR, "Client Subject (%s) by issuer (%s)", subj, issuer);
    OPENSSL_free(subj);
    OPENSSL_free(issuer);
    X509_free(pcert);
    return MOSQ_ERR_ACL_DENIED;   /* deny publish/subscribe; the connection itself stays up */
}

Is there any other way to drop the connection? If I don't drop the connection, can a hacker use a compromised certificate to do a DoS attack?

I have posted the same question/issue over here

@ralight
Contributor

ralight commented Mar 25, 2021

If you require client certificates and set use_identity_as_username true, then mosquitto doesn't carry out a second authentication step, so the username/password call isn't made at the plugin. You could instead set use_identity_as_username false and in the username/password check use mosquitto_client_set_username() to force the username to what you wish.
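The approach ralight describes, worked through as an added example (this is not code from the issue or from the mosquitto project): the listener keeps require_certificate true but switches to use_identity_as_username false, so the broker does call mosquitto_auth_unpwd_check(); the plugin reads the serial number of the client certificate, checks it against an allow-list, stores it as the session username and returns MOSQ_ERR_AUTH for anything not on the list, which rejects the CONNECT and closes the connection instead of leaving an unauthorised client connected with everything ACL-denied. The HAVE_MOSQUITTO build flag, the file name serial_auth.c, the build command and the sample list text in the test are assumptions of this example. The broker header mosquitto_broker.h exports the username setter as mosquitto_set_username(); ralight's comment writes it as mosquitto_client_set_username(), so check the name against the header of the broker version you build against. The allow-list parsing is kept free of broker and OpenSSL dependencies so it can be unit-tested on its own; the broker callback compiles only with -DHAVE_MOSQUITTO.

```c
/* Added example for issue #2150, not code from the issue or from mosquitto:
 * refuse the connection unless the client certificate's serial number is on
 * an allow-list. Assumes use_identity_as_username false on the listener.
 * Build (assumed): gcc -DHAVE_MOSQUITTO -fPIC -shared -o libmos_auth.so serial_auth.c -lcrypto */
#include <ctype.h>
#include <string.h>

#define MAX_SERIALS 256
#define SERIAL_LEN  64   /* hex digits + NUL; X.509 serials are at most 20 bytes */
struct allowlist { char serial[MAX_SERIALS][SERIAL_LEN]; size_t count; };

/* Canonical form (no ':' or spaces, upper-case, no leading zeros) so "0a:bc",
 * "ABC" and "00ABC" compare equal. Returns 0 if empty, too long or not hex. */
int normalise_serial(const char *in, char *out, size_t outlen)
{
    size_t n = 0, digits = 0;
    if (outlen < 2) return 0;
    for (; *in; in++) {
        if (*in == ':' || isspace((unsigned char)*in)) continue;
        if (!isxdigit((unsigned char)*in)) return 0;
        digits++;
        if (n == 0 && *in == '0') continue;             /* leading zero */
        if (n + 1 >= outlen) return 0;
        out[n++] = (char)toupper((unsigned char)*in);
    }
    if (digits == 0) return 0;
    if (n == 0) out[n++] = '0';                        /* all-zero serial */
    out[n] = '\0';
    return 1;
}

/* One serial per line, '#' starts a comment. Returns the count, or -1 on any
 * malformed line: fail closed instead of running with a partial list. */
int allowlist_parse(struct allowlist *al, const char *text)
{
    const char *p = text;
    al->count = 0;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[2 * SERIAL_LEN], *hash, *q;
        if (len >= sizeof line) return -1;
        memcpy(line, p, len);
        line[len] = '\0';
        if ((hash = strchr(line, '#')) != NULL) *hash = '\0';
        for (q = line; *q && isspace((unsigned char)*q); q++) ;
        if (*q) {                                      /* not a blank line */
            if (al->count >= MAX_SERIALS) return -1;
            if (!normalise_serial(q, al->serial[al->count], SERIAL_LEN)) return -1;
            al->count++;
        }
        p = nl ? nl + 1 : p + len;
    }
    return (int)al->count;
}

int allowlist_contains(const struct allowlist *al, const char *serial_hex)
{
    char norm[SERIAL_LEN];
    if (!normalise_serial(serial_hex, norm, sizeof norm)) return 0;
    for (size_t i = 0; i < al->count; i++)
        if (strcmp(al->serial[i], norm) == 0) return 1;
    return 0;
}

#ifdef HAVE_MOSQUITTO
#include <mosquitto.h>
#include <mosquitto_broker.h>
#include <mosquitto_plugin.h>
#include <openssl/bn.h>
#include <openssl/x509.h>
/* Fill this in mosquitto_auth_plugin_init(): read the allow-list file into a
 * buffer, call allowlist_parse(&g_allow, buf) and return MOSQ_ERR_UNKNOWN on -1,
 * so a missing or broken file never turns into allow-all. The other lifecycle
 * callbacks and mosquitto_auth_acl_check stay as in the issue's plugin. */
static struct allowlist g_allow;

/* Reached only because use_identity_as_username is false. Returning
 * MOSQ_ERR_AUTH makes the broker reject the CONNECT and close the connection. */
int mosquitto_auth_unpwd_check(void *ud, struct mosquitto *client, const char *username, const char *password)
{
    int rc = MOSQ_ERR_AUTH;
    X509 *cert = mosquitto_client_certificate(client);  /* caller must X509_free() */
    BIGNUM *bn; char *hex;
    (void)ud; (void)username; (void)password;
    if (cert == NULL) return MOSQ_ERR_AUTH;             /* no certificate: refuse */
    bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(cert), NULL);
    hex = bn ? BN_bn2hex(bn) : NULL;
    /* The serial is the identity actually checked, so it becomes the session's
     * username (the setter ralight mentions; the header names it mosquitto_set_username). */
    if (hex && allowlist_contains(&g_allow, hex) && mosquitto_set_username(client, hex) == MOSQ_ERR_SUCCESS)
        rc = MOSQ_ERR_SUCCESS;
    else
        mosquitto_log_printf(MOSQ_LOG_WARNING, "refusing client %s: serial %s not on allow-list",
                             mosquitto_client_id(client), hex ? hex : "(unreadable)");
    OPENSSL_free(hex); BN_free(bn); X509_free(cert);
    return rc;
}
#endif
```

The serial is compared in a canonical form because the same number shows up as "0a:bc:de" in openssl x509 -text output, as "ABCDE" from BN_bn2hex() and with leading zeros in some tooling; a plain strcmp on whatever was pasted into the file would silently lock out legitimate devices. Parsing fails closed on the first malformed line so a typo in the list cannot shrink it unnoticed.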

@marco99asr

Can someone help me?
#2646
