Don't advertise auth mechanisms too early

If "starttls_required: true" is specified for c2s connections, authentication mechanisms shouldn't be offered before negotiating the TLS connection.
2014-10-23 10:04:14 +02:00 · 2014-10-23 10:04:14 +02:00 · 2d748115ee
parent 0b22277b11
commit 2d748115ee
1 changed files with 19 additions and 13 deletions
--- a/src/ejabberd_c2s.erl
+++ b/src/ejabberd_c2s.erl
@ -383,6 +383,9 @@ wait_for_stream({xmlstreamstart, _Name, Attrs}, StateData) ->
 			    send_header(StateData, Server, <<"1.0">>, DefaultLang),
 			    case StateData#state.authenticated of
 				false ->
+				    TLS = StateData#state.tls,
+				    TLSEnabled = StateData#state.tls_enabled,
+				    TLSRequired = StateData#state.tls_required,
 				    SASLState =
 					cyrsasl:server_new(
 					  <<"jabber">>, Server, <<"">>, [],
@ -398,12 +401,21 @@ wait_for_stream({xmlstreamstart, _Name, Attrs}, StateData) ->
 						  ejabberd_auth:check_password_with_authmodule(
 						    U, Server, P, D, DG)
 					  end),
-				    Mechs = lists:map(fun (S) ->
-						      #xmlel{name = <<"mechanism">>,
-							     attrs = [],
-							     children = [{xmlcdata, S}]}
-					      end,
-					      cyrsasl:listmech(Server)),
+				    Mechs =
+					case TLSEnabled or not TLSRequired of
+					    true ->
+						Ms = lists:map(fun (S) ->
+								       #xmlel{name = <<"mechanism">>,
+									      attrs = [],
+									      children = [{xmlcdata, S}]}
+							       end,
+							       cyrsasl:listmech(Server)),
+						[#xmlel{name = <<"mechanisms">>,
+							attrs = [{<<"xmlns">>, ?NS_SASL}],
+							children = Ms}];
+					    false ->
+						[]
+					end,
 				    SockMod =
 					(StateData#state.sockmod):get_sockmod(
 					  StateData#state.socket),
@ -421,9 +433,6 @@ wait_for_stream({xmlstreamstart, _Name, Attrs}, StateData) ->
 					    _ ->
 						[]
 					end,
-				    TLS = StateData#state.tls,
-				    TLSEnabled = StateData#state.tls_enabled,
-				    TLSRequired = StateData#state.tls_required,
 				    TLSFeature =
 					case (TLS == true) andalso
 					    (TLSEnabled == false) andalso
@ -448,10 +457,7 @@ wait_for_stream({xmlstreamstart, _Name, Attrs}, StateData) ->
 					    #xmlel{name = <<"stream:features">>,
 						   attrs = [],
 						   children =
-						    TLSFeature ++ CompressFeature ++
-						    [#xmlel{name = <<"mechanisms">>,
-							    attrs = [{<<"xmlns">>, ?NS_SASL}],
-							    children = Mechs}]
+						    TLSFeature ++ CompressFeature ++ Mechs
 						    ++
 						    ejabberd_hooks:run_fold(c2s_stream_features,
 							Server, [], [Server])}),