From 1a6baf223c6b0b17a8d0492b7c22cf39fd1fcccc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Chmielowski?=
Date: Wed, 1 Feb 2023 16:58:25 +0100
Subject: [PATCH] Re-allow anonymous connection for connection without client certificates

This fixes issue #3985. Initial issue was introduced in 5506b838c803c33c6fd5b1af00d62482c4a75c60 adding tls client cert authentication.
---
 src/mod_mqtt_session.erl | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/src/mod_mqtt_session.erl b/src/mod_mqtt_session.erl
index f3dfe2272..cf61efea6 100644
--- a/src/mod_mqtt_session.erl
+++ b/src/mod_mqtt_session.erl
@@ -1214,7 +1214,13 @@ authenticate(#connect{password = Pass, properties = Props} = Pkt, State) ->
 true ->
 {ok, JID, pkix};
 false ->
- {error, 'not-authorized'}
+ {error, 'not-authorized'};
+ no_cert ->
+ case ejabberd_auth:check_password_with_authmodule(
+ LUser, <<>>, LServer, Pass) of
+ {true, AuthModule} -> {ok, JID, AuthModule};
+ false -> {error, 'not-authorized'}
+ end
 end;
 _ ->
 case ejabberd_auth:check_password_with_authmodule(
@@ -1230,7 +1236,7 @@ authenticate(#connect{password = Pass, properties = Props} = Pkt, State) ->
 
 -spec tls_auth(jid:jid(), state()) -> boolean().
 tls_auth(_JID, #state{tls_verify = false}) ->
- false;
+ no_cert;
 tls_auth(JID, State) ->
 case State#state.socket of
 {fast_tls, Sock} ->
@@ -1251,10 +1257,10 @@ tls_auth(JID, State) ->
 false
 end;
 error ->
- false
+ no_cert
 end;
 _ ->
- false
+ no_cert
 end.
 
 get_cert_jid(Cert) ->
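Review bot: In the first hunk, the new `no_cert ->` branch of `authenticate` repeats a call to `ejabberd_auth:check_password_with_authmodule` that the `_ ->` branch directly below it also starts, so the certificate-less fallback and the ordinary password path can drift apart when only one is edited. A small private helper called from both branches would keep a single policy. The remainder of the `_ ->` branch and the enclosing `case` lie outside the hunk, so confirm the two result mappings are identical before merging them. A regression test for issue #3985 that also asserts a presented-but-rejected certificate (`false`) still yields `{error, 'not-authorized'}` would pin the boundary this branch introduces.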
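Review bot: In the second hunk, the `-spec` kept as context above `tls_auth/2` still declares `boolean()`, although the first clause now returns `no_cert`. Dialyzer and readers are therefore given a contract the function no longer keeps. Update it to `-spec tls_auth(jid:jid(), state()) -> boolean() | no_cert.`. The clauses changed in the third hunk return `no_cert` as well, so the same spec covers them.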
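Review bot: In the third hunk, both `error -> no_cert` and the catch-all `_ -> no_cert` turn what used to be a rejection into a fall-back to password authentication, and nothing in `tls_auth/2` documents what the three results mean. The call that produces `error` and the branch that still returns `false` lie outside the hunk. If `error` can stand for anything other than "the peer sent no certificate", those connections now reach the password path, which looks unintended. A comment on the function would make the decision auditable, for example `%% true: cert matches JID; false: cert presented but rejected; no_cert: no client cert available, caller falls back to password auth`.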