Andre Noll [Sun, 21 Jun 2009 18:55:07 +0000 (20:55 +0200)]
Stronger crypto for client authentication.
This patch changes the way clients are authenticated:
- The size of the challenge has been increased from sizeof(unsigned long)
to 64. Openssl's Rand_bytes() is used to get the random buffer for the
challenge and the rc4 keys.
- The client responds with the sha1 hash of the challenge rather than
sending back the decrypted challenge in plain text.
- The rc4 keys are now 2 x 32 bytes long. They are rsa encrypted and
sent together with the challenge.
- Authentication requests for invalid users are not immediatedly denied
as this would reveal the fact that the user does not exist.
- rsa keys are required to be at least 2048 bits long.
Andre Noll [Sun, 14 Jun 2009 20:50:11 +0000 (22:50 +0200)]
Make rc4 encryption/decryption more explicit.
The old code used a rather fancy way to (de)activate encryption on
a per fd basis: In net.c there was an array of rc4 keys, indexed by fd.
This is rather wastful because the array size is determined by the
highest fd for which encryption is activated.
It's also hard to comprehend and it's easy to get strange results if
one forgets to deactivate the encryption after the fd is closed.
This patch introduces a new structure, rc4_context, which consists of
an fd and the needed rc4 keys. Users explicitly call the new rc4 variants
of the receving/sending functions which take a pointer to a struct
rc4_context instead of a file descriptor but are otherwise identical.
Andre Noll [Wed, 27 May 2009 17:16:54 +0000 (19:16 +0200)]
Truncate overlong tag info and replace newlines by spaces.
The tag info which is computed by the audio format handlers and stored
in the audio file table is read into a fixed-size buffer by the audio
file selector in open_and_update_audio_file(), passed to the server
process and then sent to the client via the stat command. It is not
interpreted at all during this process. In particular, it is not
essential for correctly streaming the audio file.
Vorbis comments and id3v2 tags have no size limit and may contain
arbitrary data which may lead to the following twi problems:
- As noted by Gerrit Renker, if the tag info is too long
to fit into the fixed-size buffer, the current code skips
the audio file and removes it from the list of currently
admissible files. So para_server fails to stream such files.
- If the tag info contains newlines, these are included
verbatim in the status output which may confuse para_audiod.
This patch truncates the tag info string if it does not fit into the
4K buffer and replaces newlines by spaces. This is a bit ugly but
avoids both of the above problems. It's still possible to retrieve
the complete tag info via the "ls -lv" command.
Andre Noll [Sun, 10 May 2009 19:31:13 +0000 (21:31 +0200)]
rbtree: Add const qualifier to some functions.
The 'rb_first()', 'rb_last()', 'rb_next()' and 'rb_prev()' calls take a pointer
to an RB node or RB root. They do not change the pointed objects, so add a
'const' qualifier.
Andre Noll [Sun, 10 May 2009 15:40:42 +0000 (17:40 +0200)]
filter: Force a minimal select timeout if something was converted.
When filter_preselect() runs. other pre_select functions might have
already been called and decided to do nothing, e.g. because their
output buffer was full or the input buffer was empty.
If this call to filter_preselect() changed any of the involved buffers,
we want those other pre_select() functions to be called ASAP. So force
a minimal timeout for the next select call to avoid unnecessary delays.
Andre Noll [Sun, 10 May 2009 13:28:13 +0000 (15:28 +0200)]
mp3dec: Try harder to recover from non-fatal errors.
If there's still data left, try to decode the next header in the
same scheduler run. This avoids unnecessary copies of large parts
of the mp3 input buffer.
Andre Noll [Sun, 10 May 2009 12:11:38 +0000 (14:11 +0200)]
audiod: Properly handle wng open failures.
If opening the writer node group fails, no task is being registered to the
scheduler although a task structure is allocated. This makes audiod think
everything is fine until the output buffer of the receiver or a filter is
filled up which may take several seconds.
Fix this flaw by setting the error field of the wng to -E_TASK_UNREGISTERED.
This causes audiod to close the receiver node and the filter chain and to
clear the affected slot.
Andre Noll [Mon, 4 May 2009 11:34:16 +0000 (13:34 +0200)]
Fix compilation on FreeBSD.
Without these two includes, compilation fails on FreeBSD with
/usr/include/net/if.h:265: error: field `ifru_addr' has incomplete type
/usr/include/net/if.h:266: error: field `ifru_dstaddr' has incomplete type
/usr/include/net/if.h:267: error: field `ifru_broadaddr' has incomplete type
/usr/include/net/if.h:299: error: field `ifra_addr' has incomplete type
/usr/include/net/if.h:300: error: field `ifra_broadaddr' has incomplete type
/usr/include/net/if.h:301: error: field `ifra_mask' has incomplete type
/usr/include/net/if.h:368: error: field `addr' has incomplete type
/usr/include/net/if.h:369: error: field `dstaddr' has incomplete type
Andre Noll [Mon, 4 May 2009 11:12:17 +0000 (13:12 +0200)]
Fix two gcc warnings.
mp3_afh.c:420: warning: comparison of distinct pointer types lacks a cast
alsa_write.c:119: warning: format '%zu' expects type 'size_t', but argument 4 has type 'int'
Andre Noll [Sun, 3 May 2009 16:11:22 +0000 (18:11 +0200)]
Alsa fixes and cleanups.
This patch
- replaces the unused E_SND_PCM_INFO error by E_PHYSICAL_WIDTH,
- checks the return value of snd_pcm_format_physical_width() and returns
-E_PHYSICAL_WIDTH if this causes bytes_per_frame being non-positive,
- introduces an upper bound for the start threshold. Without that
change, playback could be delayed by several seconds on some alsa
configurations (problem pointed out by Johannes Wörner, thanks).
- does not return early on input errors which could cause the last
part of the audio stream being skipped.
- avoids calling snd_pcm_writei() with a frame count of zero which
could happen with the old code in case there's more than zero but
less than a full frame of audio data available.
- cleans up the documentation of struct private_alsa_write_data
Currently, filters must not change their output buffer on the fly
because the writer might already have a reference to the old buffer
and keeps using this buffer.
As dealing with changing output buffers requires much more work,
including changes to the generic filter and writer code, let's defer
this change to post 0.3.4.
Andre Noll [Sun, 26 Apr 2009 17:45:59 +0000 (19:45 +0200)]
Avoid dirty afs tables on shutdown.
The server process must wait for afs because afs catches SIGINT/SIGTERM
and may thus not respond immediately to these SIGNALS.
Before reacting to the signal, afs might want to use the shared memory
area and the mmd mutex. If the server process destroys this mutex
too early and afs tries to lock the shared memory area, the call to
mutex_lock() will fail and terminate the afs process. This leads to
dirty osl tables.
There's no such problem with the other children of the server process
(the command handlers) as these reset their SIGINT/SIGTERM handlers
to the default action, i.e. these processes get killed immediately
by the above kill().
Andre Noll [Sun, 26 Apr 2009 16:08:13 +0000 (18:08 +0200)]
Fix an invalid free() in command handlers.
The chunk table and the info_string are pointers located in the mmd
struct that point to dynamically allocated memory that must be freed
by the parent and the child. However, as the mmd struct is in a shared
memory area, there's no guarantee that after the fork these pointers
are still valid in child context. As these two pointers are not used
in the child anyway, we save them to local variables and free the
memory via that copy in the child.
Andre Noll [Sat, 25 Apr 2009 13:17:58 +0000 (15:17 +0200)]
[net]: Fix buffer overflow in send_cred_buffer().
As pointed out by Johannes Wörner, para_audioc crashes on recent
Ubuntu systems due to stack smashing. This is caused by writing past
the end of the control buffer which stores the message header and
the socket credentials.
This patch fixes the bug by allocating a properly sized buffer.
Andre Noll [Thu, 23 Apr 2009 15:18:03 +0000 (17:18 +0200)]
[udp_send] Refuse to stream files with invalid chunk tables.
If an audio file contains a chunk so large that even the maximal
possible number of slices is not sufficient to put this chunk into
a single FEC group, we must refuse to send this file. It's likely a
corrupt file anyway.
The old code in num_slices() was buggy as it returned the number of
slices needed to send the file as an uint8_t, so the return value
was actually the number of needed slices mod 256. This could trigger
the assert() in setup_next_fec_group() which checks that the group
contains at least one chunk.
This patch changes num_slices() to detect this situation more
reliably. As it is likely caused by a bad audio file rather than by a
networking problem, we do _not_ kick the fec client, but deactivate
it for the current file only. This requires the new "error" member
of struct fec_client which indicates a temporarily disabled fec client.
Andre Noll [Thu, 23 Apr 2009 11:39:04 +0000 (13:39 +0200)]
[mp3_afh]: Ignore junk at the end of an mp3 file.
There are mp3 files containing large areas of zeros at the end of the
file. The old code in mp3_afh.c would include these zeros in the last
chunk of the file.
This leads to unnecessary network traffic as including this area in
a chunk means that useless data is going to be sent to the client.
More importantly, it causes the udp sender to bail out because such
large chunks can not be fec-encoded, even with the maximal number
of slices.
This patch uses frame_start+frame_length instead of the file size as
the end of the last chunk which avoids this particular problem.
Andre Noll [Mon, 6 Apr 2009 16:41:37 +0000 (18:41 +0200)]
Use para_sigaction() in command handlers.
This allows to get rid of an ugly hack for solaris. The patch also adds checks
for whether the signals were reset sucessfully in the command handler and
aborts early on errors.
Andre Noll [Mon, 6 Apr 2009 15:53:46 +0000 (17:53 +0200)]
Introduce para_sigaction().
This wrapper for sigaction() is public and may be used to setup
a handler different from the generic handler that gets installed
for the signal by para_install_sighandler().
Andre Noll [Mon, 6 Apr 2009 15:45:44 +0000 (17:45 +0200)]
signal: Switch from signal() to sigaction.
Use of signal() should be avoided because the behavior of signal() varies
across Unix versions, and has also varied historically across different
versions of Linux.
This patch rewrites para_install_sighandler so that it calls sigaction()
instead of signal(). The implementation is taken from good old APUE.
There are a couple of other users of signal() in the paraslash code. Most
of which are OK because they use signal() only to ignore/reset a signal which
happens to be the only portable use of signal(). All other users of signal()
have to be converted in subsequent patches.
Andre Noll [Sat, 21 Mar 2009 16:46:43 +0000 (17:46 +0100)]
server: Use a temporary SIGCHLD handler to catch afs init failures.
If afs dies immediately on startup (because of dirty tables) para_server
would not notice as the SIGCHLD handler is being intalled after the
call to afs_init().
Andre Noll [Thu, 19 Mar 2009 21:51:17 +0000 (22:51 +0100)]
audiod: Improve display of play time.
Keeping track of the offset, server stream start and the duration
of the audio file length at the time the receiver/writer was started
allows to compute the play time more accurately.
Andre Noll [Sun, 15 Mar 2009 16:35:37 +0000 (17:35 +0100)]
alsa: Split alsa_open().
Only perform what is absolutely necessary in alsa_open(). Call the
real alsa initialization from alsa_post_select(), when we actually
have audio data available to start streaming.
This should get rid of the sound artefacts that happen sometimes
at the beginning of the stream.
Andre Noll [Sun, 15 Mar 2009 14:29:12 +0000 (15:29 +0100)]
audiod: Improve receiver restart logic.
Use the vss status flags and the stream_start time announced by
para_server to decide when to start a new receiver.
This is better than basing this decision only on whether the vss status
equals "playing" as we did before. This allows to reliably detect when it
is safe to start a new receiver while the filter/writer of the current
stream are still active.
The old code would simply wait until filter/writer complete which, due to
buffering, might be much too late.
This was really a brain fart. Instead, introduce a small delay
in alsa_open() that defers audio data writing by 100ms. This seems
to be enough to get rid of the buffer underruns with the udp sender.
Andre Noll [Sun, 8 Mar 2009 20:41:27 +0000 (21:41 +0100)]
Make FEC work with oggvorbis streams.
Unfortunately, this required to rewrite large parts of the fec code
in vss.c. The new code behaves better if the FEC parameters are not
suitable for the current audio file, for example if the audio file header
does not fit into the desired number of slices. It detects this situation
and adjusts the given FEC parameters accordingly.