Home Explore Help
Sign In
SoftwareDesign
/
csu3_am335x
8
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
csu3_am335x
/
EVSE
/
GPL
/
mosquitto-2.0.13
/
plugins
/
dynamic-security
/
auth.c

auth.c 4.6 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209 
  1. /*
    2. 

  2. Copyright (c) 2020 Roger Light <roger@atchoo.org>
    3. 

  3. 

  4. All rights reserved. This program and the accompanying materials
    5. 

  5. are made available under the terms of the Eclipse Public License 2.0
    6. 

  6. and Eclipse Distribution License v1.0 which accompany this distribution.
    7. 

  7. 

  8. The Eclipse Public License is available at
    9. 

  9.    https://www.eclipse.org/legal/epl-2.0/
    10. 

  10. and the Eclipse Distribution License is available at
    11. 

  11.   http://www.eclipse.org/org/documents/edl-v10.php.
    12. 

  12. 

  13. SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
    14. 

  14. 

  15. Contributors:
    16. 

  16.    Roger Light - initial implementation and documentation.
    17. 

  17. */
    18. 

  18. 

  19. #include "config.h"
    20. 

  20. 

  21. #include <openssl/bio.h>
    22. 

  22. #include <openssl/buffer.h>
    23. 

  23. #include <openssl/evp.h>
    24. 

  24. #include <openssl/rand.h>
    25. 

  25. 

  26. #include "dynamic_security.h"
    27. 

  27. #include "mosquitto.h"
    28. 

  28. #include "mosquitto_broker.h"
    29. 

  29. 

  30. 

  31. /* ################################################################
    32. 

  32.  * #
    33. 

  33.  * # Base64 encoding/decoding
    34. 

  34.  * #
    35. 

  35.  * ################################################################ */
    36. 

  36. 

  37. int dynsec_auth__base64_encode(unsigned char *in, int in_len, char **encoded)
    38. 

  38. {
    39. 

  39. 	BIO *bmem, *b64;
    40. 

  40. 	BUF_MEM *bptr = NULL;
    41. 

  41. 

  42. 	if(in_len < 0) return 1;
    43. 

  43. 

  44. 	b64 = BIO_new(BIO_f_base64());
    45. 

  45. 	if(b64 == NULL) return 1;
    46. 

  46. 

  47. 	BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL);
    48. 

  48. 	bmem = BIO_new(BIO_s_mem());
    49. 

  49. 	if(bmem == NULL){
    50. 

  50. 		BIO_free_all(b64);
    51. 

  51. 		return 1;
    52. 

  52. 	}
    53. 

  53. 	b64 = BIO_push(b64, bmem);
    54. 

  54. 	BIO_write(b64, in, in_len);
    55. 

  55. 	if(BIO_flush(b64) != 1){
    56. 

  56. 		BIO_free_all(b64);
    57. 

  57. 		return 1;
    58. 

  58. 	}
    59. 

  59. 	BIO_get_mem_ptr(b64, &bptr);
    60. 

  60. 	*encoded = mosquitto_malloc(bptr->length+1);
    61. 

  61. 	if(!(*encoded)){
    62. 

  62. 		BIO_free_all(b64);
    63. 

  63. 		return 1;
    64. 

  64. 	}
    65. 

  65. 	memcpy(*encoded, bptr->data, bptr->length);
    66. 

  66. 	(*encoded)[bptr->length] = '\0';
    67. 

  67. 	BIO_free_all(b64);
    68. 

  68. 

  69. 	return 0;
    70. 

  70. }
    71. 

  71. 

  72. 

  73. int dynsec_auth__base64_decode(char *in, unsigned char **decoded, int *decoded_len)
    74. 

  74. {
    75. 

  75. 	BIO *bmem, *b64;
    76. 

  76. 	size_t slen;
    77. 

  77. 

  78. 	slen = strlen(in);
    79. 

  79. 

  80. 	b64 = BIO_new(BIO_f_base64());
    81. 

  81. 	if(!b64){
    82. 

  82. 		return 1;
    83. 

  83. 	}
    84. 

  84. 	BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL);
    85. 

  85. 

  86. 	bmem = BIO_new(BIO_s_mem());
    87. 

  87. 	if(!bmem){
    88. 

  88. 		BIO_free_all(b64);
    89. 

  89. 		return 1;
    90. 

  90. 	}
    91. 

  91. 	b64 = BIO_push(b64, bmem);
    92. 

  92. 	BIO_write(bmem, in, (int)slen);
    93. 

  93. 

  94. 	if(BIO_flush(bmem) != 1){
    95. 

  95. 		BIO_free_all(b64);
    96. 

  96. 		return 1;
    97. 

  97. 	}
    98. 

  98. 	*decoded = mosquitto_calloc(slen, 1);
    99. 

  99. 	if(!(*decoded)){
    100. 

  100. 		BIO_free_all(b64);
    101. 

  101. 		return 1;
    102. 

  102. 	}
    103. 

  103. 	*decoded_len =  BIO_read(b64, *decoded, (int)slen);
    104. 

  104. 	BIO_free_all(b64);
    105. 

  105. 

  106. 	if(*decoded_len <= 0){
    107. 

  107. 		mosquitto_free(*decoded);
    108. 

  108. 		*decoded = NULL;
    109. 

  109. 		*decoded_len = 0;
    110. 

  110. 		return 1;
    111. 

  111. 	}
    112. 

  112. 

  113. 	return 0;
    114. 

  114. }
    115. 

  115. 

  116. 

  117. /* ################################################################
    118. 

  118.  * #
    119. 

  119.  * # Password functions
    120. 

  120.  * #
    121. 

  121.  * ################################################################ */
    122. 

  122. 

  123. int dynsec_auth__pw_hash(struct dynsec__client *client, const char *password, unsigned char *password_hash, int password_hash_len, bool new_password)
    124. 

  124. {
    125. 

  125. 	const EVP_MD *digest;
    126. 

  126. 	int iterations;
    127. 

  127. 

  128. 	if(new_password){
    129. 

  129. 		if(RAND_bytes(client->pw.salt, sizeof(client->pw.salt)) != 1){
    130. 

  130. 			return MOSQ_ERR_UNKNOWN;
    131. 

  131. 		}
    132. 

  132. 		iterations = PW_DEFAULT_ITERATIONS;
    133. 

  133. 	}else{
    134. 

  134. 		iterations = client->pw.iterations;
    135. 

  135. 	}
    136. 

  136. 	if(iterations < 1){
    137. 

  137. 		return MOSQ_ERR_INVAL;
    138. 

  138. 	}
    139. 

  139. 	client->pw.iterations = iterations;
    140. 

  140. 

  141. 	digest = EVP_get_digestbyname("sha512");
    142. 

  142. 	if(!digest){
    143. 

  143. 		return MOSQ_ERR_UNKNOWN;
    144. 

  144. 	}
    145. 

  145. 

  146. 	return !PKCS5_PBKDF2_HMAC(password, (int)strlen(password),
    147. 

  147. 			client->pw.salt, sizeof(client->pw.salt), iterations,
    148. 

  148. 			digest, password_hash_len, password_hash);
    149. 

  149. }
    150. 

  150. 

  151. 

  152. /* ################################################################
    153. 

  153.  * #
    154. 

  154.  * # Username/password check
    155. 

  155.  * #
    156. 

  156.  * ################################################################ */
    157. 

  157. 

  158. static int memcmp_const(const void *a, const void *b, size_t len)
    159. 

  159. {
    160. 

  160. 	size_t i;
    161. 

  161. 	int rc = 0;
    162. 

  162. 

  163. 	if(!a || !b) return 1;
    164. 

  164. 

  165. 	for(i=0; i<len; i++){
    166. 

  166. 		if( ((char *)a)[i] != ((char *)b)[i] ){
    167. 

  167. 			rc = 1;
    168. 

  168. 		}
    169. 

  169. 	}
    170. 

  170. 	return rc;
    171. 

  171. }
    172. 

  172. 

  173. 

  174. int dynsec_auth__basic_auth_callback(int event, void *event_data, void *userdata)
    175. 

  175. {
    176. 

  176. 	struct mosquitto_evt_basic_auth *ed = event_data;
    177. 

  177. 	struct dynsec__client *client;
    178. 

  178. 	unsigned char password_hash[64]; /* For SHA512 */
    179. 

  179. 	const char *clientid;
    180. 

  180. 

  181. 	UNUSED(event);
    182. 

  182. 	UNUSED(userdata);
    183. 

  183. 

  184. 	if(ed->username == NULL || ed->password == NULL) return MOSQ_ERR_PLUGIN_DEFER;
    185. 

  185. 

  186. 	client = dynsec_clients__find(ed->username);
    187. 

  187. 	if(client){
    188. 

  188. 		if(client->disabled){
    189. 

  189. 			return MOSQ_ERR_AUTH;
    190. 

  190. 		}
    191. 

  191. 		if(client->clientid){
    192. 

  192. 			clientid = mosquitto_client_id(ed->client);
    193. 

  193. 			if(clientid == NULL || strcmp(client->clientid, clientid)){
    194. 

  194. 				return MOSQ_ERR_AUTH;
    195. 

  195. 			}
    196. 

  196. 		}
    197. 

  197. 		if(client->pw.valid && dynsec_auth__pw_hash(client, ed->password, password_hash, sizeof(password_hash), false) == MOSQ_ERR_SUCCESS){
    198. 

  198. 			if(memcmp_const(client->pw.password_hash, password_hash, sizeof(password_hash)) == 0){
    199. 

  199. 				return MOSQ_ERR_SUCCESS;
    200. 

  200. 			}else{
    201. 

  201. 				return MOSQ_ERR_AUTH;
    202. 

  202. 			}
    203. 

  203. 		}else{
    204. 

  204. 			return MOSQ_ERR_PLUGIN_DEFER;
    205. 

  205. 		}
    206. 

  206. 	}else{
    207. 

  207. 		return MOSQ_ERR_PLUGIN_DEFER;
    208. 

  208. 	}
    209. 

  209. }
    210.