Don't offer SASL auth before doing TLS if TLS is required (thanks to Etan Reisner)

Originally reported in http://yo.jabber.ru/bugzilla/show_bug.cgi?id=251 Implements: http://tools.ietf.org/html/rfc3920#section-6.2 If Use of TLS (Section 5) needs to be established before a particular authentication mechanism may be used, the receiving entity MUST NOT provide that mechanism in the list of available SASL authentication mechanisms prior to TLS negotiation.
2010-07-29 23:14:03 +02:00 · 2010-07-29 23:14:03 +02:00 · 59a19ca87a
parent e653598cd0
commit 59a19ca87a
1 changed files with 17 additions and 1 deletions
--- a/src/ejabberd_c2s.erl
+++ b/src/ejabberd_c2s.erl
@ -348,11 +348,27 @@ wait_for_stream({xmlstreamstart, #xmlel{ns = NS} = Opening}, StateData) ->
 						    U, Server, P, D, DG)
 					  end,
 					  StateData#state.socket),
-				    Mechs = [exmpp_server_sasl:feature(
+				    MechsPrepared = [exmpp_server_sasl:feature(
 					cyrsasl:listmech(Server))],
 				    SockMod =
 					(StateData#state.sockmod):get_sockmod(
 					  StateData#state.socket),
+				    TLSRequired = StateData#state.tls_required,
+				    Mechs =
+					case TLSRequired of
+					    true ->
+						case (SockMod == gen_tcp) of
+						    true ->
+							[];
+						    false ->
+							MechsPrepared
+						end;
+					    false ->
+						MechsPrepared
+					end,
+				    SockMod =
+					(StateData#state.sockmod):get_sockmod(
+					  StateData#state.socket),
 				    Zlib = StateData#state.zlib,
 				    CompressFeature =
 					case Zlib andalso