
github.com/processone/ejabberd.git - Unnamed repository; edit this file 'description' to name the repository.
authorBadlop <badlop@process-one.net>2010-07-30 01:14:03 +0400
committerBadlop <badlop@process-one.net>2010-07-30 01:14:03 +0400
commit59a19ca87a496cb6e1c20fb129c72de9d636567d (patch)
treeb6e0ecc1e2dfd4d803618c2c8805670edfcf54db /src/ejabberd_c2s.erl
parente653598cd087eb010e79a66cd0e71f5a5f3c8cb0 (diff)
Don't offer SASL auth before doing TLS if TLS is required (thanks to Etan Reisner)
Originally reported in http://yo.jabber.ru/bugzilla/show_bug.cgi?id=251
Implements http://tools.ietf.org/html/rfc3920#section-6.2, which states: "If Use of TLS (Section 5) needs to be established before a particular authentication mechanism may be used, the receiving entity MUST NOT provide that mechanism in the list of available SASL authentication mechanisms prior to TLS negotiation."
Diffstat (limited to 'src/ejabberd_c2s.erl')
-rw-r--r--src/ejabberd_c2s.erl18
1 files changed, 17 insertions, 1 deletions
diff --git a/src/ejabberd_c2s.erl b/src/ejabberd_c2s.erl
index 065a58ebb..2ee4e0a22 100644
--- a/src/ejabberd_c2s.erl
+++ b/src/ejabberd_c2s.erl
@@ -348,11 +348,27 @@ wait_for_stream({xmlstreamstart, #xmlel{ns = NS} = Opening}, StateData) ->
U, Server, P, D, DG)
end,
StateData#state.socket),
- Mechs = [exmpp_server_sasl:feature(
+ MechsPrepared = [exmpp_server_sasl:feature(
cyrsasl:listmech(Server))],
SockMod =
(StateData#state.sockmod):get_sockmod(
StateData#state.socket),
+ TLSRequired = StateData#state.tls_required,
+ Mechs =
+ case TLSRequired of
+ true ->
+ case (SockMod == gen_tcp) of
+ true ->
+ [];
+ false ->
+ MechsPrepared
+ end;
+ false ->
+ MechsPrepared
+ end,
+ SockMod =
+ (StateData#state.sockmod):get_sockmod(
+ StateData#state.socket),
Zlib = StateData#state.zlib,
CompressFeature =
case Zlib andalso
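Review bot: The new `Mechs` case withholds the SASL list only when `SockMod == gen_tcp`, so it is a deny-list of one module: any other socket module that is not TLS would still receive `MechsPrepared` while `tls_required` is set. The `Zlib`/`CompressFeature` code directly below suggests compression can be negotiated on the same stream, so if a compressed but unencrypted socket module can reach this state (not visible here, please confirm), the mechanisms would be advertised without TLS. Testing for the TLS module positively is safer, e.g. `Mechs = case TLSRequired andalso SockMod /= tls of true -> []; false -> MechsPrepared end,` (assuming `tls` is what `get_sockmod` returns after STARTTLS). Leaving the mechanisms out of the feature list is advertisement only, so the state that handles an incoming SASL `auth` should also refuse it before TLS when `tls_required` is true; that code is outside this hunk. Separately, the second `SockMod = (StateData#state.sockmod):get_sockmod(...)` added after the case repeats the binding a few lines above and can be dropped; `wait_for_stream` starts and ends outside the hunk.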