diff options
| author | June McEnroe <june@causal.agency> | 2020-11-16 18:46:15 -0500 |
|---|---|---|
| committer | June McEnroe <june@causal.agency> | 2020-11-16 18:46:15 -0500 |
| commit | eea44a8ad89a7c3ee2c8647e21c007b5250b4fb9 (patch) | |
| tree | 332de89d092a4b64e01c250443715d6f66b5fde0 | |
| parent | Set client sockets non-blocking (diff) | |
| download | pounce-eea44a8ad89a7c3ee2c8647e21c007b5250b4fb9.tar.gz pounce-eea44a8ad89a7c3ee2c8647e21c007b5250b4fb9.zip | |
Only allow clients to AUTHENTICATE if using a cert
Otherwise the successful authentication message can leak information to unauthenticated clients when both certificate and password authentication are enabled.
| -rw-r--r-- | client.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/client.c b/client.c index 6c12405..ea28d82 100644 --- a/client.c +++ b/client.c @@ -232,9 +232,10 @@ static void handleCap(struct Client *client, struct Message *msg) { static void handleAuthenticate(struct Client *client, struct Message *msg) { if (!msg->params[0]) msg->params[0] = ""; - if (!strcmp(msg->params[0], "EXTERNAL")) { + bool cert = (clientCaps & CapSASL) && tls_peer_cert_provided(client->tls); + if (cert && !strcmp(msg->params[0], "EXTERNAL")) { clientFormat(client, "AUTHENTICATE +\r\n"); - } else if (!strcmp(msg->params[0], "+")) { + } else if (cert && !strcmp(msg->params[0], "+")) { clientFormat( client, ":%s 900 * %s * :You are now logged in as *\r\n", ORIGIN, stateEcho() |