From eea44a8ad89a7c3ee2c8647e21c007b5250b4fb9 Mon Sep 17 00:00:00 2001
From: "C. McEnroe"
Date: Mon, 16 Nov 2020 18:46:15 -0500
Subject: Only allow clients to AUTHENTICATE if using a cert
Otherwise the successful authentication message can leak information to unauthenticated clients when both certificate and password authentication are enabled.
---
 client.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/client.c b/client.c
index 6c12405..ea28d82 100644
--- a/client.c
+++ b/client.c
@@ -232,9 +232,10 @@ static void handleCap(struct Client *client, struct Message *msg) {
 static void handleAuthenticate(struct Client *client, struct Message *msg) {
 if (!msg->params[0]) msg->params[0] = "";
- if (!strcmp(msg->params[0], "EXTERNAL")) {
+ bool cert = (clientCaps & CapSASL) && tls_peer_cert_provided(client->tls);
+ if (cert && !strcmp(msg->params[0], "EXTERNAL")) {
 clientFormat(client, "AUTHENTICATE +\r\n");
- } else if (!strcmp(msg->params[0], "+")) {
+ } else if (cert && !strcmp(msg->params[0], "+")) {
 clientFormat(
 client, ":%s 900 * %s * :You are now logged in as *\r\n",
 ORIGIN, stateEcho()
--
cgit 1.4.1
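Review bot: The new `cert` gate rests on `tls_peer_cert_provided()`, which only reports that the peer sent a certificate; whether that certificate was actually validated against the configured client CA is decided by the TLS configuration set up elsewhere, not on this line, so the intent deserves a comment such as `/* Answer AUTHENTICATE only when SASL is advertised and the TLS layer accepted a client cert; an unauthenticated client must not see the 900 reply, which echoes stateEcho(). */`. It is also worth confirming that the path a cert-less client now takes — the rest of handleAuthenticate lies outside this hunk — sends an explicit failure (904) rather than leaving the client waiting for a reply to its `AUTHENTICATE`. Since `clientCaps` appears to be file-level state rather than a per-client field, the name `cert` understates the condition; `certAuth` would read closer to what is being checked.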