-
Notifications
You must be signed in to change notification settings - Fork 2.6k
Expand file tree
/
Copy pathhandle_auth.c
More file actions
182 lines (158 loc) · 6.33 KB
/
handle_auth.c
File metadata and controls
182 lines (158 loc) · 6.33 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
/*
Copyright (c) 2018-2021 Roger Light <roger@atchoo.org>
All rights reserved. This program and the accompanying materials
are made available under the terms of the Eclipse Public License 2.0
and Eclipse Distribution License v1.0 which accompany this distribution.
The Eclipse Public License is available at
https://www.eclipse.org/legal/epl-2.0/
and the Eclipse Distribution License is available at
http://www.eclipse.org/org/documents/edl-v10.php.
SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
Contributors:
Roger Light - initial implementation and documentation.
*/
#include "config.h"
#include <mosquitto/defs.h>
#include <stdio.h>
#include <string.h>
#include "mosquitto_broker_internal.h"
#include "mosquitto/mqtt_protocol.h"
#include "packet_mosq.h"
#include "property_mosq.h"
#include "send_mosq.h"
#include "util_mosq.h"
#include "will_mosq.h"
int handle__auth(struct mosquitto *context)
{
int rc = 0;
uint8_t reason_code = 0;
mosquitto_property *properties = NULL;
char *auth_method = NULL;
void *auth_data = NULL;
uint16_t auth_data_len = 0;
void *auth_data_out = NULL;
uint16_t auth_data_out_len = 0;
if(!context){
return MOSQ_ERR_INVAL;
}
if(context->protocol != mosq_p_mqtt5){
log__printf(NULL, MOSQ_LOG_INFO, "Protocol error from %s: AUTH packet when session not MQTT v5.0.", context->id);
return MOSQ_ERR_PROTOCOL;
}
if(context->auth_method == NULL){
log__printf(NULL, MOSQ_LOG_INFO, "Protocol error from %s: AUTH packet without existing auth-method.", context->id);
return MOSQ_ERR_PROTOCOL;
}
if(context->in_packet.command != CMD_AUTH){
return MOSQ_ERR_MALFORMED_PACKET;
}
if(context->in_packet.remaining_length > 0){
if(packet__read_byte(&context->in_packet, &reason_code)){
return MOSQ_ERR_MALFORMED_PACKET;
}
if(reason_code != MQTT_RC_CONTINUE_AUTHENTICATION
&& reason_code != MQTT_RC_REAUTHENTICATE){
send__disconnect(context, MQTT_RC_PROTOCOL_ERROR, NULL);
log__printf(NULL, MOSQ_LOG_INFO, "Protocol error from %s: AUTH packet with reason-code = %d.",
context->id, reason_code);
return MOSQ_ERR_PROTOCOL;
}
if((reason_code == MQTT_RC_REAUTHENTICATE && context->state != mosq_cs_active)
|| (reason_code == MQTT_RC_CONTINUE_AUTHENTICATION
&& context->state != mosq_cs_authenticating && context->state != mosq_cs_reauthenticating)){
send__disconnect(context, MQTT_RC_PROTOCOL_ERROR, NULL);
log__printf(NULL, MOSQ_LOG_INFO, "Protocol error from %s: AUTH reauthentication packet before session is active,",
context->id);
log__printf(NULL, MOSQ_LOG_INFO, " or attempted to continue authentication when no authentication in progress.");
return MOSQ_ERR_PROTOCOL;
}
rc = property__read_all(CMD_AUTH, &context->in_packet, &properties);
if(rc){
send__disconnect(context, MQTT_RC_UNSPECIFIED, NULL);
return rc;
}
if(mosquitto_property_read_string(properties, MQTT_PROP_AUTHENTICATION_METHOD, &auth_method, false) == NULL){
mosquitto_property_free_all(&properties);
send__disconnect(context, MQTT_RC_UNSPECIFIED, NULL);
log__printf(NULL, MOSQ_LOG_INFO, "Protocol error from %s: AUTH packet without auth-method property.",
context->id);
return MOSQ_ERR_PROTOCOL;
}
if(!auth_method || strcmp(auth_method, context->auth_method)){
/* No method, or non-matching method */
mosquitto_FREE(auth_method);
mosquitto_property_free_all(&properties);
send__disconnect(context, MQTT_RC_PROTOCOL_ERROR, NULL);
log__printf(NULL, MOSQ_LOG_INFO, "Protocol error from %s: AUTH packet with non-matching auth-method property (%s:%s).",
context->id, context->auth_method, auth_method);
return MOSQ_ERR_PROTOCOL;
}
mosquitto_FREE(auth_method);
mosquitto_property_read_binary(properties, MQTT_PROP_AUTHENTICATION_DATA, &auth_data, &auth_data_len, false);
mosquitto_property_free_all(&properties); /* FIXME - TEMPORARY UNTIL PROPERTIES PROCESSED */
}
log__printf(NULL, MOSQ_LOG_DEBUG, "Received AUTH from %s (rc%d, %s)", context->id, reason_code, context->auth_method);
if(reason_code == MQTT_RC_REAUTHENTICATE){
/* This is a re-authentication attempt */
mosquitto__set_state(context, mosq_cs_reauthenticating);
rc = mosquitto_security_auth_start(context, true, auth_data, auth_data_len, &auth_data_out, &auth_data_out_len);
}else{
if(context->state != mosq_cs_reauthenticating){
mosquitto__set_state(context, mosq_cs_authenticating);
}
rc = mosquitto_security_auth_continue(context, auth_data, auth_data_len, &auth_data_out, &auth_data_out_len);
}
mosquitto_FREE(auth_data);
if(rc == MOSQ_ERR_SUCCESS){
if(context->state == mosq_cs_authenticating){
return connect__on_authorised(context, auth_data_out, auth_data_out_len);
}else{
mosquitto__set_state(context, mosq_cs_active);
rc = send__auth(context, MQTT_RC_SUCCESS, auth_data_out, auth_data_out_len);
SAFE_FREE(auth_data_out);
return rc;
}
}else if(rc == MOSQ_ERR_AUTH_CONTINUE){
rc = send__auth(context, MQTT_RC_CONTINUE_AUTHENTICATION, auth_data_out, auth_data_out_len);
SAFE_FREE(auth_data_out);
return rc;
}else if(rc == MOSQ_ERR_AUTH_DELAYED){
SAFE_FREE(auth_data_out);
if(context->state == mosq_cs_authenticating){
mosquitto__set_state(context, mosq_cs_delayed_ext_auth);
}else{
mosquitto__set_state(context, mosq_cs_delayed_ext_reauth);
}
HASH_ADD_KEYPTR(hh_id_delayed_auth, db.contexts_by_id_delayed_auth, context->id, strlen(context->id), context);
return MOSQ_ERR_SUCCESS;
}else{
SAFE_FREE(auth_data_out);
if(context->state == mosq_cs_authenticating && context->will){
/* Free will without sending if this is our first authentication attempt */
will__clear(context);
}
if(rc == MOSQ_ERR_AUTH){
if(context->state == mosq_cs_authenticating){
send__connack(context, 0, MQTT_RC_NOT_AUTHORIZED, NULL);
mosquitto_FREE(context->id);
}else{
send__disconnect(context, MQTT_RC_NOT_AUTHORIZED, NULL);
}
return MOSQ_ERR_PROTOCOL;
}else if(rc == MOSQ_ERR_NOT_SUPPORTED){
/* Client has requested extended authentication, but we don't support it. */
if(context->state == mosq_cs_authenticating){
send__connack(context, 0, MQTT_RC_BAD_AUTHENTICATION_METHOD, NULL);
mosquitto_FREE(context->id);
}else{
send__disconnect(context, MQTT_RC_BAD_AUTHENTICATION_METHOD, NULL);
}
return MOSQ_ERR_PROTOCOL;
}else{
if(context->state == mosq_cs_authenticating){
mosquitto_FREE(context->id);
}
return rc;
}
}
}