message_name_get() adds "." to the tail and it leads to:
strncpy(&dest, ".", 1);
gcc 9.2.0 generates a warning, because string is truncated without
copying trailing '\0'. Replace strncpy() with memcpy() to fix the
warning.
OpenSSL and LibreSSL versions are incompatible. Moreover, LibreSSL
always define OPENSSL_VERSION_NUMBER as 0x20000000L. Instead of checking
for LibreSSL everywhere explicitly, redefine OPENSSL_VERSION_NUMBER.
See similar issues with nginx project: https://trac.nginx.org/nginx/ticket/1605
The facebook suddenly stopped connecting on my dev machine. I still cannot
explain what caused this change in behaviour, but I was finally able to
diagnose and fix the problem.
Chat was not connecting due to an error in tls_start. The windows function
InitializeSecurityContext was returning a SEC_E_INCOMPLETE_MESSAGE status
which was being treated as an error. However, the documentation states
that this is not an error. This status simply indicates that more data
needs to be read. This commit does precisely that -- when
SEC_E_INCOMPLETE_MESSAGE we read more data from the socket and call
InitializeSecurityContext again.
PLAIN mechanism sends password in BASE64 encoding which everyone can
read. As result, debug logs expose password and users often don't remove
it when post the logs in the Internet.
Usually, both a secure mechanism and PLAIN are used in the scenario when
username or password is incorrect. PLAIN fails in this scenario anyway.
Legacy authentication can expose password in plaintext. Since this is
not widely used mechanism, disable it by default. It can be enabled back
with connection option XMPP_CONN_FLAG_LEGACY_AUTH.
There are places where code relies on well-formed stanzas and expects
that ns attribute is always present. Check whether ns NULL or not before
passing it to strcmp().
Fixes#121.
RFC6121 removes the precondition of establishing a session before a client
may exchange XML stanzas on an XMPP network.
This PR allows libstrophe to not request session where it is indicated
as optional by the server, saving a round trip.
https://tools.ietf.org/html/rfc6121#section-1.4
OpenSSL-1.1.0 marks cleanup functions as deprecated and changes
initialization function. It implements implicit de-initialization.
Reported by @zygmund2000.