feat(mosq): Add support for basic MQTT authentication

david-cermak · david-cermak · commit 4390f047d99b · 2025-11-10T09:04:18.000+01:00
diff --git a/components/mosquitto/CMakeLists.txt b/components/mosquitto/CMakeLists.txt
@@ -90,6 +90,10 @@ if (CONFIG_MOSQ_ENABLE_SYS)
 endif()
 target_compile_options(${COMPONENT_LIB} PRIVATE "-Wno-format")
 
+# Enable linker wrapping for mosquitto_unpwd_check to allow connection callback interception
+# without modifying upstream code
+target_link_options(${COMPONENT_LIB} PRIVATE "-Wl,--wrap=mosquitto_unpwd_check")
+
 # Some mosquitto source unconditionally define `_GNU_SOURCE` which collides with IDF build system
 # producing warning: "_GNU_SOURCE" redefined
 # This workarounds this issue by undefining the macro for the selected files
diff --git a/components/mosquitto/api.md b/components/mosquitto/api.md
@@ -16,6 +16,7 @@
 | ---: | :--- |
 | struct | [**mosq\_broker\_config**](#struct-mosq_broker_config) <br>_Mosquitto configuration structure._ |
 | typedef void(\* | [**mosq\_message\_cb\_t**](#typedef-mosq_message_cb_t)  <br> |
+| typedef int(\* | [**mosq\_connect\_cb\_t**](#typedef-mosq_connect_cb_t)  <br> |
 
 ## Functions
 
@@ -37,6 +38,8 @@ Variables:
 
 -  void(\* handle_message_cb  <br>On message callback. If configured, user function is called whenever mosquitto processes a message.
 
+-  mosq\_connect\_cb\_t handle_connect_cb  <br>On connect callback. If configured, user function is called whenever a client attempts to connect. The callback receives client_id, username, password, and password length. Return 0 to accept the connection, non-zero to reject it.
+
 -  const char \* host  <br>Address on which the broker is listening for connections
 
 -  int port  <br>Port number of the broker to listen to
@@ -49,6 +52,26 @@ Variables:
 typedef void(* mosq_message_cb_t) (char *client, char *topic, char *data, int len, int qos, int retain);
 ```
 
+### typedef `mosq_connect_cb_t`
+
+```c
+typedef int(* mosq_connect_cb_t) (const char *client_id, const char *username, const char *password, int password_len);
+```
+
+Callback function type for connection authentication. Called when a client attempts to connect to the broker.
+
+**Parameters:**
+
+* `client_id` Client identifier string. Will be an empty string if not provided.
+* `username` Username string, or NULL if no username was provided.
+* `password` Password string (binary data), or NULL if no password was provided.
+* `password_len` Length of the password in bytes. Note: If password contains null bytes, this may not reflect the full binary length as mosquitto stores passwords as null-terminated strings.
+
+**Returns:**
+
+* `0` to accept the connection
+* Non-zero to reject the connection (will result in CONNACK_REFUSED_NOT_AUTHORIZED)
+
 
 ## Functions Documentation
 
diff --git a/components/mosquitto/port/broker.c b/components/mosquitto/port/broker.c
@@ -102,6 +102,7 @@ void mosq_broker_stop(void)
 }
 
 extern mosq_message_cb_t g_mosq_message_callback;
+extern mosq_connect_cb_t g_mosq_connect_callback;
 
 int mosq_broker_run(struct mosq_broker_config *broker_config)
 {
@@ -130,6 +131,9 @@ int mosq_broker_run(struct mosq_broker_config *broker_config)
     if (broker_config->handle_message_cb) {
         g_mosq_message_callback = broker_config->handle_message_cb;
     }
+    if (broker_config->handle_connect_cb) {
+        g_mosq_connect_callback = broker_config->handle_connect_cb;
+    }
 
     db.config = &config;
 
diff --git a/components/mosquitto/port/callbacks.c b/components/mosquitto/port/callbacks.c
@@ -3,8 +3,9 @@
  *
  * SPDX-License-Identifier: EPL-2.0
  *
- * SPDX-FileContributor: 2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileContributor: 2024-2025 Espressif Systems (Shanghai) CO LTD
  */
+#include <string.h>
 #include "mosquitto_internal.h"
 #include "mosquitto_broker.h"
 #include "memory_mosq.h"
@@ -16,6 +17,7 @@
 #include "mosq_broker.h"
 
 mosq_message_cb_t g_mosq_message_callback = NULL;
+mosq_connect_cb_t g_mosq_connect_callback = NULL;
 
 int mosquitto_callback_register(
     mosquitto_plugin_id_t *identifier,
@@ -51,3 +53,39 @@ int plugin__handle_message(struct mosquitto *context, struct mosquitto_msg_store
     }
     return MOSQ_ERR_SUCCESS;
 }
+
+int __real_mosquitto_unpwd_check(struct mosquitto *context);
+
+/* Wrapper function to intercept mosquitto_unpwd_check calls via linker wrapping */
+int __wrap_mosquitto_unpwd_check(struct mosquitto *context)
+{
+    int rc;
+    int password_len = 0;
+
+    /* Call user's connect callback if set */
+    if (g_mosq_connect_callback) {
+        /* Extract password length if password is present.
+         * Note: MQTT passwords are binary data, but mosquitto stores them as null-terminated strings.
+         * If password contains null bytes, strlen() will not return the full length.
+         * This matches how mosquitto itself handles passwords in some security functions. */
+        if (context->password) {
+            password_len = (int)strlen(context->password);
+        }
+
+        /* Call user callback */
+        rc = g_mosq_connect_callback(
+                 context->id ? context->id : "",
+                 context->username ? context->username : NULL,
+                 context->password ? context->password : NULL,
+                 password_len
+             );
+
+        /* If callback rejects (returns non-zero), return AUTH error immediately */
+        if (rc != 0) {
+            return MOSQ_ERR_AUTH;
+        }
+    }
+
+    /* Call the original function */
+    return __real_mosquitto_unpwd_check(context);
+}
diff --git a/components/mosquitto/port/include/mosq_broker.h b/components/mosquitto/port/include/mosq_broker.h
@@ -14,6 +14,8 @@ extern "C" {
 struct mosquitto__config;
 
 typedef void (*mosq_message_cb_t)(char *client, char *topic, char *data, int len, int qos, int retain);
+
+typedef int (*mosq_connect_cb_t)(const char *client_id, const char *username, const char *password, int password_len);
 /**
  * @brief Mosquitto configuration structure
  *
@@ -33,6 +35,11 @@ struct mosq_broker_config {
                                      * On message callback. If configured, user function is called
                                      * whenever mosquitto processes a message.
                                      */
+    mosq_connect_cb_t handle_connect_cb; /*!< On connect callback. If configured, user function is called
+                                     * whenever a client attempts to connect. The callback receives
+                                     * client_id, username, password, and password length. Return 0 to
+                                     * accept the connection, non-zero to reject it.
+                                     */
 };
 
 /**

Original file line number	Diff line number	Diff line change
`@@ -102,6 +102,7 @@ void mosq_broker_stop(void)`
`102`	`102`	`}`
`103`	`103`
`104`	`104`	`extern mosq_message_cb_t g_mosq_message_callback;`
	`105`	`+extern mosq_connect_cb_t g_mosq_connect_callback;`
`105`	`106`
`106`	`107`	`int mosq_broker_run(struct mosq_broker_config *broker_config)`
`107`	`108`	`{`
`@@ -130,6 +131,9 @@ int mosq_broker_run(struct mosq_broker_config *broker_config)`
`130`	`131`	`if (broker_config->handle_message_cb) {`
`131`	`132`	`g_mosq_message_callback = broker_config->handle_message_cb;`
`132`	`133`	`}`
	`134`	`+ if (broker_config->handle_connect_cb) {`
	`135`	`+ g_mosq_connect_callback = broker_config->handle_connect_cb;`
	`136`	`+ }`
`133`	`137`
`134`	`138`	`db.config = &config;`
`135`	`139`