PLAIN mechanism sends password in BASE64 encoding which everyone can
read. As result, debug logs expose password and users often don't remove
it when post the logs in the Internet.
Usually, both a secure mechanism and PLAIN are used in the scenario when
username or password is incorrect. PLAIN fails in this scenario anyway.
Legacy authentication can expose password in plaintext. Since this is
not widely used mechanism, disable it by default. It can be enabled back
with connection option XMPP_CONN_FLAG_LEGACY_AUTH.
There are places where code relies on well-formed stanzas and expects
that ns attribute is always present. Check whether ns NULL or not before
passing it to strcmp().
Fixes#121.
RFC6121 removes the precondition of establishing a session before a client
may exchange XML stanzas on an XMPP network.
This PR allows libstrophe to not request session where it is indicated
as optional by the server, saving a round trip.
https://tools.ietf.org/html/rfc6121#section-1.4
OpenSSL-1.1.0 marks cleanup functions as deprecated and changes
initialization function. It implements implicit de-initialization.
Reported by @zygmund2000.
@curse666 suggested solution for #46 which reduces memory usage in expat
module. Current patch fixes few issues:
- Inner text is lost for depth 1 stanzas
- Incorrect handling of mixed xml <x>text<y/></x>
- Reduced number of realloc() calls
Free attribute "to" before replacing it in xmpp_stanza_reply().
Free value on insertion error in xmpp_stanza_set_attribute().
Don't copy attributes manually. Use xmpp_stanza_set_attribute() instead.
Default timeout was 1 millisecond and it consumed CPU by running the
loop in xmpp_run(). The CPU usage was unacceptable and thus xmpp_run()
was not used by users. Also user can set the timeout by
xmpp_ctx_set_timeout() now.
Event loop already handles the situation when there is a timed handler
which needs to be run before the timeout is reached. Also system awakes
event loop when data arrives to socket.
The only drawback is when timed handler sends data it will be actually
sent after select(2) returns. But this situation can be handled easily by
adding socket to wfds when xmpp_conn_t contains data in sending queue.
- Certificate verification is enabled for all openssl versions by
default
- xmpp_ctx_set_timeout()
- Move xmpp_ctx_set_timeout() to event loop section in strophe.h