25
1
mirror of https://github.com/processone/ejabberd.git synced 2024-11-24 16:23:40 +01:00

Merge pull request #316 from weiss/really-require-tls

Make sure "starttls_required" can't be bypassed
This commit is contained in:
Evgeny Khramtsov 2014-10-12 11:05:49 +04:00
commit 97fa57c360

View File

@ -735,7 +735,7 @@ wait_for_feature_request({xmlstreamelement, El},
(StateData#state.sockmod):get_sockmod(StateData#state.socket), (StateData#state.sockmod):get_sockmod(StateData#state.socket),
case {xml:get_attr_s(<<"xmlns">>, Attrs), Name} of case {xml:get_attr_s(<<"xmlns">>, Attrs), Name} of
{?NS_SASL, <<"auth">>} {?NS_SASL, <<"auth">>}
when not ((SockMod == gen_tcp) and TLSRequired) -> when TLSEnabled or not TLSRequired ->
Mech = xml:get_attr_s(<<"mechanism">>, Attrs), Mech = xml:get_attr_s(<<"mechanism">>, Attrs),
ClientIn = jlib:decode_base64(xml:get_cdata(Els)), ClientIn = jlib:decode_base64(xml:get_cdata(Els)),
case cyrsasl:server_start(StateData#state.sasl_state, case cyrsasl:server_start(StateData#state.sasl_state,
@ -856,7 +856,7 @@ wait_for_feature_request({xmlstreamelement, El},
end end
end; end;
_ -> _ ->
if (SockMod == gen_tcp) and TLSRequired -> if TLSRequired and not TLSEnabled ->
Lang = StateData#state.lang, Lang = StateData#state.lang,
send_element(StateData, send_element(StateData,
?POLICY_VIOLATION_ERR(Lang, ?POLICY_VIOLATION_ERR(Lang,