From c8ccf949364c10cc92951461c6e79afc6423e966 Mon Sep 17 00:00:00 2001
From: Shivaram Lingamneni <slingamn@cs.stanford.edu>
Date: Wed, 25 Dec 2019 12:43:02 -0500
Subject: [PATCH] fix #716

---
 irc/handlers.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/irc/handlers.go b/irc/handlers.go
index 000a3365..8816931e 100644
--- a/irc/handlers.go
+++ b/irc/handlers.go
@@ -469,6 +469,17 @@ func authExternalHandler(server *Server, client *Client, mechanism string, value
 		return false
 	}
 
+	// EXTERNAL doesn't carry an authentication ID (this is determined from the
+	// certificate), but does carry an optional authorization ID.
+	if len(value) != 0 {
+		authcid := client.Account()
+		cfAuthzid, err := CasefoldName(string(value))
+		if err != nil || cfAuthzid != authcid {
+			rb.Add(nil, server.name, ERR_SASLFAIL, client.Nick(), client.t("SASL authentication failed: authcid and authzid should be the same"))
+			return false
+		}
+	}
+
 	sendSuccessfulAccountAuth(client, rb, false, true)
 	return false
 }