Broker now validates usernames provided over TLS are valid UTF-8.
This commit is contained in:
parent
44b94875b5
commit
02d36f9946
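--- a/<path not shown>
+++ b/<path not shown>
@@ -1,5 +1,7 @@
 Security:
-- Broker will reject Will messages that attempt to publish to $CONTROL/.
+- Broker will now reject Will messages that attempt to publish to $CONTROL/.
+- Broker now validates usernames provided in a TLS certificate or TLS-PSK
+identity are valid UTF-8.
 
 Broker:
 - Fix $SYS messages being expired after 60 seconds and hence unchanged values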
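--- a/<path not shown>
+++ b/<path not shown>
@@ -794,11 +794,22 @@ int handle__connect(struct mosquitto *context)
 rc = MOSQ_ERR_AUTH;
 goto handle_connect_error;
 }
+const char *new_username;
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
-context->username = mosquitto__strdup((char *) ASN1_STRING_data(name_asn1));
+new_username = (const char *) ASN1_STRING_data(name_asn1);
 #else
-context->username = mosquitto__strdup((char *) ASN1_STRING_get0_data(name_asn1));
+new_username = (const char *) ASN1_STRING_get0_data(name_asn1);
 #endif
+if(mosquitto_validate_utf8(new_username, (int)strlen(new_username))){
+if(context->protocol == mosq_p_mqtt5){
+send__connack(context, 0, MQTT_RC_BAD_USERNAME_OR_PASSWORD, NULL);
+}else{
+send__connack(context, 0, CONNACK_REFUSED_BAD_USERNAME_PASSWORD, NULL);
+}
+X509_free(client_cert);
+return MOSQ_ERR_AUTH;
+}
+context->username = mosquitto__strdup(new_username);
 if(!context->username){
 if(context->protocol == mosq_p_mqtt5){
 send__connack(context, 0, MQTT_RC_SERVER_UNAVAILABLE, NULL);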
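Review bot: The length handed to mosquitto_validate_utf8 on the new `if(mosquitto_validate_utf8(new_username, (int)strlen(new_username)))` line comes from strlen, but an ASN1_STRING carries its own length and may contain an embedded NUL byte, so a certificate subject of that form is validated and then duplicated only up to the NUL rather than being refused as a whole. Checking the two lengths agree before validating, `if((size_t)ASN1_STRING_length(name_asn1) != strlen(new_username)) { rc = MOSQ_ERR_AUTH; goto handle_connect_error; }` in the style of the failure path a few lines above, keeps the stored username identical to what the certificate actually says. The new rejection branch also returns directly after X509_free(client_cert) instead of taking `goto handle_connect_error` like that earlier path; if the label does further cleanup it is skipped here, which is worth confirming since handle__connect begins and ends outside the hunk. The same strlen-based validation appears in the psk_server_callback and mosquitto_set_username hunks.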
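--- a/<path not shown>
+++ b/<path not shown>
@@ -296,6 +296,10 @@ static unsigned int psk_server_callback(SSL *ssl, const char *identity, unsigned
 }
 
 if(listener->use_identity_as_username){
+if(mosquitto_validate_utf8(identity, (int)strlen(identity))){
+mosquitto__free(psk_key);
+return 0;
+}
 context->username = mosquitto__strdup(identity);
 if(!context->username){
 mosquitto__free(psk_key);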
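Review bot: The new rejection in psk_server_callback frees psk_key and hits `return 0;` without recording why the handshake was refused, so an operator whose clients begin failing TLS-PSK connections after this change has nothing in the log tying the failure to a non-UTF-8 identity; a warning-level log entry naming the listener before the return would make the rejection diagnosable, unless the caller already logs a failed PSK callback, which lies outside the hunk. The free-and-return pair is now duplicated with the strdup-failure path directly below it, which a single cleanup label would avoid. psk_server_callback starts before and ends after the hunk.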
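--- a/<path not shown>
+++ b/<path not shown>
@@ -244,6 +244,9 @@ int mosquitto_set_username(struct mosquitto *client, const char *username)
 if(!client) return MOSQ_ERR_INVAL;
 
 if(username){
+if(mosquitto_validate_utf8(username, (int)strlen(username))){
+return MOSQ_ERR_MALFORMED_UTF8;
+}
 u_dup = mosquitto__strdup(username);
 if(!u_dup) return MOSQ_ERR_NOMEM;
 }else{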
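Review bot: The new `if(mosquitto_validate_utf8(username, (int)strlen(username)))` check casts an unbounded strlen to int; MQTT encodes the user name as a two-byte length-prefixed string, so a value longer than 65535 bytes passes here only to be unencodable later, and a length above INT_MAX would wrap the cast. Bounding before the cast, `if(strlen(username) > 65535) return MOSQ_ERR_INVAL;`, closes both cases. Since this is a public library call, the declaration's return-value documentation in the header should also list MOSQ_ERR_MALFORMED_UTF8 if it enumerates the error codes; that header is not part of the commit as shown. mosquitto_set_username begins and ends outside the hunk.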