From 56d0f74725060a26dedeb89d697a904446e6f72a Mon Sep 17 00:00:00 2001
From: "Roger A. Light"
Date: Fri, 8 Jul 2016 09:36:25 +0100
Subject: [PATCH] Defer support for TLS-PSK.
---
 src/security.c | 19 ++++++++++++++++---
 src/security_default.c | 2 +-
 2 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/src/security.c b/src/security.c
index b8bcdb37..8b2fa122 100644
--- a/src/security.c
+++ b/src/security.c
@@ -256,7 +256,7 @@ int mosquitto_acl_check(struct mosquitto_db *db, struct mosquitto *context, cons
 if(rc != MOSQ_ERR_PLUGIN_DEFER){
 return rc;
 }
- /* Default check has accepted or errored and then returned, or deferred.
+ /* Default check has accepted or deferred at this point.
 * If no plugins exist we should accept at this point so set rc to success.
 */
 rc = MOSQ_ERR_SUCCESS;
@@ -283,7 +283,7 @@ int mosquitto_unpwd_check(struct mosquitto_db *db, const char *username, const c
 if(rc != MOSQ_ERR_PLUGIN_DEFER){
 return rc;
 }
- /* Default check has accepted or errored and then returned, or deferred.
+ /* Default check has accepted or deferred at this point.
 * If no plugins exist we should accept at this point so set rc to success.
 */
 rc = MOSQ_ERR_SUCCESS;
@@ -306,12 +306,25 @@ int mosquitto_psk_key_get(struct mosquitto_db *db, const char *hint, const char
 int rc;
 int i;
+ rc = mosquitto_psk_key_get_default(db, hint, identity, key, max_key_len);
+ if(rc != MOSQ_ERR_PLUGIN_DEFER){
+ return rc;
+ }
+
+ /* Default check has accepted or deferred at this point.
+ * If no plugins exist we should accept at this point so set rc to success.
+ */
 for(i=0; iauth_plugin_count; i++){
 rc = db->auth_plugins[i].psk_key_get(db->auth_plugins[i].user_data, hint, identity, key, max_key_len);
 if(rc != MOSQ_ERR_PLUGIN_DEFER){
 return rc;
 }
 }
- return mosquitto_psk_key_get_default(db, hint, identity, key, max_key_len);
+ /* If all plugins deferred, this is a denial. If rc == MOSQ_ERR_SUCCESS
+ * here, then no plugins were configured. */
+ if(rc == MOSQ_ERR_PLUGIN_DEFER){
+ rc = MOSQ_ERR_AUTH;
+ }
+ return rc;
 }
diff --git a/src/security_default.c b/src/security_default.c
index 5fc437b8..d590d51a 100644
--- a/src/security_default.c
+++ b/src/security_default.c
@@ -752,7 +752,7 @@ int mosquitto_psk_key_get_default(struct mosquitto_db *db, const char *hint, con
 struct mosquitto__unpwd *u, *tmp;
 if(!db || !hint || !identity || !key) return MOSQ_ERR_INVAL;
- if(!db->psk_id) return MOSQ_ERR_AUTH;
+ if(!db->psk_id) return MOSQ_ERR_PLUGIN_DEFER;
 HASH_ITER(hh, db->psk_id, u, tmp){
 if(!strcmp(u->username, identity)){
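Review bot: The two comments added to mosquitto_psk_key_get describe an accept path that this function does not have. The first, carried over from the ACL and username checks, says the default "has accepted or deferred" and that rc is set to success when no plugins exist, but any non-defer result has already returned above and nothing here assigns MOSQ_ERR_SUCCESS. The second says rc may be MOSQ_ERR_SUCCESS after the loop, which cannot happen because every non-defer plugin result returns inside it, so rc is always MOSQ_ERR_PLUGIN_DEFER there and the final check could simply be `return MOSQ_ERR_AUTH;`. Denying when nobody supplies a key is the fail-closed outcome for a PSK lookup, and the current wording invites a later edit that returns success with `key` unfilled. I would replace the comments with `/* Default lookup deferred; ask each plugin in turn. */` before the loop and `/* Nobody supplied a key (with or without plugins): deny. */` before the final check.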
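Review bot: Only the `!db->psk_id` case defers after this change, yet mosquitto_psk_key_get now calls this function before any plugin, so what it returns for an identity missing from a populated psk_id table decides whether plugins are consulted at all. That return sits below the HASH_ITER loop, outside this hunk; if it is MOSQ_ERR_AUTH, a broker with both built-in PSK entries and a PSK plugin would reject plugin-managed identities without asking the plugin, so the intended precedence is worth confirming. Either way the changed line should state its contract, for example `/* No built-in PSK entries: defer so auth plugins can answer; the caller denies if none does. */`.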