box: ensure requested auth method matches user's
After checking that the received authentication method and type are
compatible with auth_request_check(), authenticate() tries to
authenticate it using the user's authentication method with
authenticate_request(). The problem is the user may use a different
authentication method from the one received in the request while
authenticate_request() expects the request to be valid. As a result,
it may crash in this case. Fix this by ensuring that the user's
authentication method matches the one received in the request.

Follow-up commit b5754d3 ("box: make auth subsystem pluggable")
Follow-up #7986

NO_DOC=bug fix
NO_CHANGELOG=unreleased
NO_TEST=will be added to EE, because CE supports just one auth method
locker committed Dec 13, 2022
1 parent 2574ff1 commit 9dcc824
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions src/box/authentication.c
@@ -103,6 +103,7 @@ authenticate(const char *user_name, uint32_t user_name_len,
if (auth_request_check(method, auth_request, auth_request_end) != 0)
return -1;
if (user == NULL || user->def->auth == NULL ||
user->def->auth->method != method ||
!authenticate_request(user->def->auth, salt,
auth_request, auth_request_end)) {
auth_res.is_authenticated = false;
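Review bot: the new `user->def->auth->method != method ||` condition is correctly placed after the `user == NULL` and `user->def->auth == NULL` checks, so short-circuit evaluation guarantees `user->def->auth` is only dereferenced once it is known to be non-NULL, and it sits before `authenticate_request()`, which the message says assumes a request already validated for the user's own method; a one-line comment above the condition stating that ordering requirement would stop a later refactor from reordering the operands. Note also that a method mismatch now falls into the same `auth_res.is_authenticated = false` branch as an unknown user or a bad credential, which is the right choice for not disclosing which part failed to the client, but since NO_TEST defers coverage to EE, it would help to state in the message that a mismatch is intentionally indistinguishable from a failed login so the behaviour is documented somewhere in CE.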
