server: No longer accept "sideband" and "aes_ctr128" features. Both features are used unconditionally since commit d44413588dd7 (v0.6.3-27) from three years ago when the client stopped requesting the feature. We don't need to support clients older than that any more, so fail the request if these features are still requested. Clarify the comment about the sha256 feature while at it.
Merge topic branch t/ff-compat into master

A single commit which removes support for the old syntax of the ff command where negative values could be specified with a postfix such as "ff 30-". This syntax has long been deprecated.

* refs/heads/t/ff-compat:
  server: Remove compatibility code of com_ff().
Merge branch 'maint'

This fixes two old bugs related to signal handling which bite only rarely. But if they do, it hurts plenty.

* maint:
  server: Fix race condition in com_stat().
  server: Avoid deadlock in daemon_log().
server: Fix race condition in com_stat(). We need to block not only SIGTERM but also SIGUSR1 in the command handler of the stat server command because otherwise the signal is lost if it arrives within a small race window. If this happens, the next status update will be up to 50 seconds late. The race condition is even explained in the comment nearby... The bug was observed in a situation where the last admissible file of the current mood became inadmissible, causing the server to stop streaming. This is reflected by the status flags transition from P (playing) to N (stopped) via the intermediate state PN (trying to load next file). After either transition the server process sends SIGUSR1 to the command handler. If the second signal arrives just after the PN state was sampled but before the command handler goes to sleep by calling pselect(2), the signal handler runs and sets subcmd_should_die, but this won't be acted upon until after we sleep for up to 50 seconds in pselect(2). As a result, para_audiod, hence para_gui, keep reporting the stale PN state during this period. This bug was present in the code base since day one of the git repo in 2006.
server: Avoid deadlock in daemon_log(). Currently both the generic signal handler in signal.c and the signal handler for the stat command handler in command.c call daemon_log() via PARA_EMERG_LOG(). This is problematic because daemon_log() takes the log mutex and the signal might arrive while daemon_log() is executing. If this race condition is hit, the process deadlocks because daemon_log() tries to acquire a mutex which it already holds. All three types of server processes (main, afs and command handler) are susceptible to this bug, but regardless of which process happens to hit the race window, the server process hangs waiting on the mutex, and no longer accepts connections. Fix this by removing the problematic log call in the generic case and by printing it out of interrupt context in the command handler case. This bug was introduced together with the log mutex five years ago. Fixes: ced0c17d1a3ee0336dc7b35e69faff131dabecac
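The two fixes above share one pattern: the signal handler does nothing but set a sig_atomic_t flag (so it can never re-enter a mutex the interrupted code holds), and the flag is tested with the signal blocked so that pselect(2) unblocks it atomically. The following is an added, constructed illustration of that pattern, not code from paraslash: wait_racy() reproduces the lost-wakeup window described in the com_stat() commit (raise() stands in for the second SIGUSR1 from the server process), wait_safe() shows the blocked-then-pselect sequence, and the only message is printed after pselect() returns, outside the handler. The names should_die, wait_racy and wait_safe are this example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <time.h>

/* Stand-in for the project's subcmd_should_die: the only state the
 * handler touches. No logging, no locking inside the handler. */
static volatile sig_atomic_t should_die;

static void on_sigusr1(int sig)
{
	(void)sig;
	should_die = 1;
}

static void install_handler(void)
{
	struct sigaction sa;

	memset(&sa, 0, sizeof(sa));
	sa.sa_handler = on_sigusr1; /* no SA_RESTART: pselect() must return EINTR */
	sigemptyset(&sa.sa_mask);
	sigaction(SIGUSR1, &sa, NULL);
}

static long elapsed_ms(const struct timespec *a, const struct timespec *b)
{
	return (b->tv_sec - a->tv_sec) * 1000L
		+ (b->tv_nsec - a->tv_nsec) / 1000000L;
}

static struct timespec ms_to_ts(int ms)
{
	struct timespec ts = { ms / 1000, (ms % 1000) * 1000000L };
	return ts;
}

/* Racy version: the flag is tested while SIGUSR1 is deliverable, then we
 * sleep without re-checking. A signal landing in between is noticed only
 * after the full timeout. Returns how long the sleep actually took (ms). */
long wait_racy(int timeout_ms)
{
	struct timespec t0, t1, ts = ms_to_ts(timeout_ms);
	sigset_t set;

	install_handler();
	should_die = 0;
	sigemptyset(&set);
	sigaddset(&set, SIGUSR1);
	sigprocmask(SIG_UNBLOCK, &set, NULL);

	if (should_die)
		return 0;       /* nothing pending when we looked... */
	raise(SIGUSR1);         /* ...the handler runs right here and sets the flag... */
	clock_gettime(CLOCK_MONOTONIC, &t0);
	pselect(0, NULL, NULL, NULL, &ts, NULL); /* ...but we sleep anyway */
	clock_gettime(CLOCK_MONOTONIC, &t1);
	return elapsed_ms(&t0, &t1);
}

/* Fixed version: SIGUSR1 stays blocked from the flag test until pselect()
 * swaps in a mask without it, atomically. A signal raised in the window
 * stays pending and interrupts pselect() at once. Returns the sleep
 * duration in ms, or -1 if the handler ran before pselect() (it must not). */
long wait_safe(int timeout_ms)
{
	struct timespec t0, t1, ts = ms_to_ts(timeout_ms);
	sigset_t block, orig, during;

	install_handler();
	should_die = 0;
	sigemptyset(&block);
	sigaddset(&block, SIGUSR1);
	sigprocmask(SIG_BLOCK, &block, &orig);

	if (should_die) {
		sigprocmask(SIG_SETMASK, &orig, NULL);
		return 0;
	}
	raise(SIGUSR1);         /* blocked: stays pending, handler does not run yet */
	if (should_die) {
		sigprocmask(SIG_SETMASK, &orig, NULL);
		return -1;
	}
	during = orig;
	sigdelset(&during, SIGUSR1);
	clock_gettime(CLOCK_MONOTONIC, &t0);
	if (pselect(0, NULL, NULL, NULL, &ts, &during) < 0 && errno == EINTR)
		fprintf(stderr, "woken by SIGUSR1\n"); /* log here, not in the handler */
	clock_gettime(CLOCK_MONOTONIC, &t1);
	sigprocmask(SIG_SETMASK, &orig, NULL);
	return elapsed_ms(&t0, &t1);
}

int main(void)
{
	printf("racy: slept %ld ms of 200\n", wait_racy(200));
	printf("safe: slept %ld ms of 200\n", wait_safe(200));
	return 0;
}
```

With a 200 ms timeout the racy variant sleeps the whole 200 ms although the flag was already set, while the safe variant returns almost immediately; in the real server the timeout is the 50 seconds the commit message mentions. Note that pselect(2) is only atomic where the kernel implements it natively; a libc that emulates it with sigprocmask()+select() reintroduces the window.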
server: Remove compatibility code of com_ff(). The old syntax "ff 30-" is undocumented and deprecated for four years thanks to commit 9d232e63. According to the comment, the removal of the feature was scheduled for 0.7.0 but as of 0.7.1 the syntax is still accepted. So remove the extra code now.
com_term(): Ignore SIGTERM. Just to shut up valgrind when the server terminates due to the term command.
Merge topic branch t/overflow into master

This series implements a new memory allocation API which checks for overflows. The first part of the series just renames the main allocation functions. Later patches in the series implement allocators which take two size_t arguments (like calloc(3)) and check whether the multiplication overflows by employing the __builtin_mul_overflow() primitive supported by gcc and clang. This requires us to bump the lowest supported gcc and clang version.

* refs/heads/t/overflow:
  build: Compile with -ftrapv.
  string: Introduce arr_zalloc().
  string: Introduce arr_alloc().
  string: Introduce arr_realloc() and check for integer overflow.
  string: Rename para_calloc() -> zalloc().
  string: Rename para_malloc() -> alloc().
  string: Overhaul para_strdup().
Merge branch 'refs/heads/t/ll'

Two little cleanups related to the logging facility and two commits which add the ll command to para_server and para_audiod. The merge resulted in a conflict in afs.c due to the earlier merge of the poll topic branch which replaced all calls to select() by calls to poll(). The implementation of the ll server command introduced a new caller of select(), afs_select(), which needs to be replaced by afs_poll() to resolve the conflict.

* refs/heads/t/ll:
  New server command: ll to change the log level at runtime.
  New audiod command: ll to change the log level at runtime.
  daemon: Kill get_loglevel_by_name().
  server/audiod: Don't parse loglevel argument unnecessarily.
send: Avoid select-specific arguments in {pre,post}_select(). Just pass a pointer to struct sched instead of the fd sets. Since two of the prototypes declared in send.h now refer to this structure, sched.h must be included before send.h. The udp sender implements neither ->pre_select() nor ->post_select(), so we only need to fix the order in which send.h and sched.h are included.
string: Introduce arr_alloc(). Change all callers of alloc() which pass a product of two integers as the allocation size to call the new function instead. This function aborts if the multiplication overflows. With arr_alloc() in place, alloc() reduces to a trivial wrapper which calls new arr_alloc() with the first argument equal to one.
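An added example (not the project's arr_alloc()) of the overflow problem the t/overflow series addresses: with a caller-controlled element count, nmemb * size wraps around and malloc() receives a tiny request, which the subsequent fill loop then overruns. __builtin_mul_overflow() detects the wrap before any allocation happens; the division-based variant is the portable fallback for compilers without the builtin. The function names and the constructed hostile count below are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Naive sizing: the product wraps modulo SIZE_MAX + 1 and is passed to
 * malloc() as a tiny request. Returned so the caller can see the wrap. */
size_t naive_array_bytes(size_t nmemb, size_t size)
{
	return nmemb * size;
}

/* __builtin_mul_overflow() (gcc >= 5, clang >= 3.8) stores the (wrapped)
 * product in *bytes and returns true if it did not fit. */
bool checked_array_bytes(size_t nmemb, size_t size, size_t *bytes)
{
	return !__builtin_mul_overflow(nmemb, size, bytes);
}

/* Portable equivalent: test with a division before multiplying. */
bool checked_array_bytes_portable(size_t nmemb, size_t size, size_t *bytes)
{
	if (nmemb != 0 && size > SIZE_MAX / nmemb)
		return false;
	*bytes = nmemb * size;
	return true;
}

/* Convenience predicates for callers that only need a yes/no answer. */
bool product_fits(size_t nmemb, size_t size)
{
	size_t unused;
	return checked_array_bytes(nmemb, size, &unused);
}

bool product_fits_portable(size_t nmemb, size_t size)
{
	size_t unused;
	return checked_array_bytes_portable(nmemb, size, &unused);
}

/* Allocate nmemb elements of size bytes each, aborting on overflow or
 * allocation failure. A zero-sized request still yields a unique pointer. */
void *checked_array_alloc(size_t nmemb, size_t size)
{
	size_t bytes;
	void *p;

	if (!checked_array_bytes(nmemb, size, &bytes)) {
		fprintf(stderr, "array allocation overflow: %zu * %zu\n",
			nmemb, size);
		abort();
	}
	p = malloc(bytes ? bytes : 1);
	if (!p) {
		perror("malloc");
		abort();
	}
	return p;
}

int main(void)
{
	/* Constructed hostile input: an element count chosen so that
	 * nmemb * 2 wraps to exactly 0, i.e. malloc(0) for "many" elements. */
	size_t nmemb = SIZE_MAX / 2 + 1;
	int *v;

	printf("naive:   %zu * 2 -> %zu bytes\n", nmemb, naive_array_bytes(nmemb, 2));
	printf("checked: fits = %d\n", product_fits(nmemb, 2));
	v = checked_array_alloc(16, sizeof *v);
	free(v);
	return 0;
}
```

Note that -ftrapv (also enabled by this series) only traps *signed* overflow; size_t arithmetic wraps silently because unsigned wraparound is defined behaviour in C, which is why the explicit check is needed.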
string: Rename para_malloc() -> alloc(). Just because it's shorter and matches the naming of the new allocators we are about to introduce. The bulk of this patch was created with sed -i 's/para_malloc/alloc/g' *.c *.h yy/mp.y
New server command: ll to change the log level at runtime. This makes use of the infrastructure introduced in the previous patch. However, the implementation of the ll command for para_server is more involved than its audiod counterpart because in the server case we have to tell two different processes (server and afs) to change their log level while the calling process, the command handler, does not need to set the loglevel because it is about to exit anyway. For the inter-process communication we introduce a new field in the mmd shared memory area so that command handlers can read the current value or set a new value. The log level propagates from there via daemon_set_loglevel() to the server and afs processes during each iteration of the scheduler loop where para_log() will pick it up to set the log level threshold for subsequent log events. The si command handler currently refers to the argument of the --loglevel server option to include the log level in its output. With dynamic log levels this no longer works because it always prints the value from the command line or the config file rather than the run time log level. Since the new ll command also prints the loglevel when it is executed with no arguments, we simply remove this line from the si output and hope that nobody cares. The si command handler was the last user of the ENUM_STRING_VAL macro in command.c. Removing the macro also allows us to make CMD_PTR local to server.c and to remove the lopsub definitions of the server suite from command.c. However, we still include the lopsub definitions of the server *command* suite (server_cmd.lsg.h) of course. We let any authenticated user run the command with no arguments to report the current loglevel but require full privileges to change the loglevel. Thus, the check for sufficient privileges needs to be performed in the command handler.
Remove E_PERM. There is only one user which may as well use the standard error code.
Merge branch 'refs/heads/t/sha256'

A couple of changes which start to eliminate the use of sha1 in favor of sha256. This series is only the first step, though, as we need to keep sha1 for the time being to provide backward compatibility. Cooking for four months.

* refs/heads/t/sha256:
  manual: Avoid sha1.
  upgrade_db: Add copyright and purpose to upgrade_db.c.
  web: Add link to the para_upgrade_db(1) man page.
  afs: Switch to sha256 and change default database path.
  Add para_upgrade_db.
  Use sha256 for the challenge response.
  Introduce hash2 (sha256).
  Assume sideband and aes_ctr128 are always supported/requested.
Merge branch 'refs/heads/t/rm_task_subcmd'

A single commit containing an incompatible change for 0.7.0. Cooking for almost a year.

* refs/heads/t/rm_task_subcmd:
  Remove obsolete server subcommand "task".
command.c: Remove unused includes. None of these are needed. Tested on Linux, FreeBSD and NetBSD.
command.c: Make aux_info_cb() static. It is only used in command.c.
Use sha256 for the challenge response. sha1 is broken and should no longer be used. This commit introduces the new server feature "sha256". It is announced during the handshake with the client. The client code is patched to detect whether the server supports the feature and uses sha256 if it does. This change is backwards compatible. That is, old clients can still connect to a new server (using sha1). Also new clients can connect to an old server (and also use sha1 in this case).
Assume sideband and aes_ctr128 are always supported/requested. Sideband connections and the AES-based stream cipher have become mandatory in paraslash-0.6. The server no longer needs to announce the feature as 0.6.x clients request it, regardless of whether it was announced or not. It still needs to accept the option, though. On the client side, we don't need to request the features any more as the server just ignores the request.