From: Holger Weiss Date: Thu, 24 Apr 2014 09:04:10 +0000 (+0200) Subject: Check TLS state before requesting SASL EXTERNAL X-Git-Tag: 14.05~53^2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=d805d198acae4284a0f8512305c9180c2ac9dd08;p=ejabberd Check TLS state before requesting SASL EXTERNAL Make sure a remote server can't circumvent "s2s_use_starttls: required" by offering SASL EXTERNAL authentication over a non-TLS connection. --- diff --git a/src/ejabberd_s2s_out.erl b/src/ejabberd_s2s_out.erl index a0a83631d..e404207cd 100644 --- a/src/ejabberd_s2s_out.erl +++ b/src/ejabberd_s2s_out.erl @@ -578,7 +578,9 @@ wait_for_features({xmlstreamelement, El}, StateData) -> {next_state, stream_established, StateData#state{queue = queue:new()}}; SASLEXT and StateData#state.try_auth and - (StateData#state.new /= false) -> + (StateData#state.new /= false) and + (StateData#state.tls_enabled or + not StateData#state.tls_required) -> send_element(StateData, #xmlel{name = <<"auth">>, attrs =
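Review bot: the condition added to the `SASLEXT` guard in `wait_for_features` (`StateData#state.tls_enabled or not StateData#state.tls_required`) still sends the `<auth>` element for SASL EXTERNAL over a plaintext stream whenever `tls_required` is false. In s2s, EXTERNAL relies on the certificate the peer presents during TLS, so on a non-TLS connection there is no credential behind the mechanism. Consider reducing the condition to `StateData#state.tls_enabled`, or add a comment above the guard explaining why the non-TLS case is kept when TLS is optional. The clause that now handles the rejected case (EXTERNAL offered, TLS required but not enabled) lies outside this hunk; please confirm in the commit message that it upgrades or closes the connection rather than continuing with another authentication path in plaintext.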