From 59a19ca87a496cb6e1c20fb129c72de9d636567d Mon Sep 17 00:00:00 2001
From: Badlop
Date: Thu, 29 Jul 2010 23:14:03 +0200
Subject: [PATCH] Don't offer SASL auth before doing TLS if TLS is required (thanks to Etan Reisner)

Originally reported in http://yo.jabber.ru/bugzilla/show_bug.cgi?id=251

Implements: http://tools.ietf.org/html/rfc3920#section-6.2
If Use of TLS (Section 5) needs to be established before a particular authentication mechanism may be used, the receiving entity MUST NOT provide that mechanism in the list of available SASL authentication mechanisms prior to TLS negotiation.
---
 src/ejabberd_c2s.erl | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/src/ejabberd_c2s.erl b/src/ejabberd_c2s.erl
index 065a58ebb..2ee4e0a22 100644
--- a/src/ejabberd_c2s.erl
+++ b/src/ejabberd_c2s.erl
@@ -348,11 +348,27 @@ wait_for_stream({xmlstreamstart, #xmlel{ns = NS} = Opening}, StateData) ->
                                 U, Server, P, D, DG)
                         end, StateData#state.socket),
-            Mechs = [exmpp_server_sasl:feature(
+            MechsPrepared = [exmpp_server_sasl:feature(
                         cyrsasl:listmech(Server))],
             SockMod = (StateData#state.sockmod):get_sockmod(
                         StateData#state.socket),
+            TLSRequired = StateData#state.tls_required,
+            Mechs =
+                case TLSRequired of
+                    true ->
+                        case (SockMod == gen_tcp) of
+                            true ->
+                                [];
+                            false ->
+                                MechsPrepared
+                        end;
+                    false ->
+                        MechsPrepared
+                end,
+            SockMod =
+                (StateData#state.sockmod):get_sockmod(
+                    StateData#state.socket),
             Zlib = StateData#state.zlib,
             CompressFeature =
                 case Zlib andalso
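Review bot: The second `SockMod = (StateData#state.sockmod):get_sockmod(StateData#state.socket),` added at the end of the new block re-matches a variable that the unchanged context line just above already binds with the identical call; in Erlang this is a pattern match rather than an assignment, so it is dead code at best and a `badmatch` crash if the two calls could ever return different modules — the three added lines should be dropped. The nested `case` reads more clearly as one expression, `Mechs = case TLSRequired andalso SockMod == gen_tcp of true -> []; false -> MechsPrepared end,`, which has the same truth table. The decision keys on the socket module being exactly `gen_tcp`, so any transport reported under another module name while TLS is not yet negotiated would still be offered SASL mechanisms; if the state record tracks whether TLS has actually been established, comparing that flag would express the RFC 3920 section 6.2 requirement more directly (inferred — the record definition is outside the hunk). wait_for_stream begins and ends outside the hunk, and the header counts 27 new-side lines while fewer are visible here, so the trailing context may be cut off.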