The 'controller' of an MP game (the host in general, though dedicated
servers would change that) is currently whoever first tells the server
that it is. This can be abused since it relies on trusting the clients.
This changes that logic: the server defines a 'controller secret', and
the first client to sent the correct controller secret is the
controller. This is safe assuming the secret is unknowable enough (the
current solution wouldn't pass strict cryptography tests, but it's
likely good enough).
Reverts 1a3fb29ff3, which introduced the 'trust the clients' mechanic,
as a change over 'the first local IP is controller'.
Necessary step towards dedicated server, if we want to use the regular
gamesetup (Refs #3556)
Differential Revision: https://code.wildfiregames.com/D3075
This was SVN commit r24952.
As suggested by elexis, 1a8de6d2b8 should get some protection against
brute force attacks on password.
This is supposed to prevent attackers from getting connection data by
guessing the password.
Each failed attempt increases the counter.
XmppClient on the server side checks for the users with certain number
of failed attempts, determined in CNetServer, and refuses to check the
password, answering with banned message.
So they cant guess again in given match. Effect of this block will
dissapear after new match is created.
Differential revision: D3467
Comments by: wraitii, Stan
Tested by: Stan, Freagarach
Ref: #5913
This was SVN commit r24794.
Follows 1a8de6d2b8.
Validate the password when a client joins a game, so even a player that
knows the connection data cannot join.
Refs #3556, Refs #5913
Differential Revision: https://code.wildfiregames.com/D3438
This was SVN commit r24775.
Current issue with the lobby, is that we make ips of hosts public for
anyone to read. This patch consists of 3 parts.
1.) Removing ips and ports from lobby javascript
2.) Removing need of script on the server to attach public ips to game
stanza by asking the host using xmppclient as proxy.
3.) Implementing password protected matches, to deny this information to
not trusted players.
Further description:
Do not send ports and stunip to the bots.
Removed from stanza.
Do not send ip to the lobby.
Removed from mapping gamelist from backend to gui (still on the backend
side, because it is done by script on 0ad server).
Get ip and ports on request when trying to connect.
On the host side, ask stun server what is host's public ip and remember
it.
On the client side, send iq through xmppclient to the hosting player and
ask for ip, port and if Stun is used, then if answer is success,
continue
with connecting, else fail.
Add optional password for matches.
Add password required identifier to the stanza.
Allow host to setup password for the match. Hash it on the host side and
store inside Netserver. If no password is given, matches will behave
as it is not required.
On the client side, if password for the match is required, show
additional window before trying to connect and ask for password, then
hash it
and send with iq request for ip, port and stun.
Server will answer with ip, port and stun only if passwords matches,
else will asnwer with error string.
Some security:
Passwords are hashed before sending, so it is not easy to guess what
users typed. (per wraitii)
Hashes are using different salt as lobby hashing and not using usernames
as salt (as that is not doable), so they are different even typing the
same password as for the lobby account.
Client remembers which user was asked for connection data and iq's id of
request. If answer doesn't match these things, it is ignored. (thnx
user1)
Every request for connection data is logged with hostname of the
requester to the mainlog file (no ips).
If user gets iq to send connection data and is not hosting the match,
will respond with error string "not_server".
If server gets iq::result with connection data, request is ignored.
Differential revision: D3184
Reviewed by: @wraitii
Comments by: @Stan, @bb, @Imarok, @vladislavbelov
Tested in lobby
This was SVN commit r24728.
Follows 107d3d461f and other 'pthread->std::thread' diffs.
Windows uses Structured Exception Handling to allow reporting errors
(both C++ and hardware) nicely. This works by wrapping the code in a
__try __catch block.
The pthread wrapper did this automatically, but we now need to do it
explicitly for std::thread.
Tested by: Stan
Differential Revision: https://code.wildfiregames.com/D3261
This was SVN commit r24530.
This threads the netclient session, which avoids timeouts when the
main-thread is not polling (map creation, very long simulation frames).
Unlike the NetServer, which should be as independent as possible from
the main thread, the NetClient is fundamentally tied to the game thread.
Therefore, this only threads the session object.
To ensure good performance and ease-of-use, lock-free queues for
in/out-going messages are used.
This fixes artificial timeouts, while also improving actual ping reports
(since frame-time is no longer a factor).
It effectively reverts D1513/eda236522c and 2e7e1c0b2b, all hacks around
lag-timeouts (and bits of 1a3fb29ff3).
Based on a patch by: Stan
Comments by: Vladislavbelov
Fixes#3700, refs #3373
Differential Revision: https://code.wildfiregames.com/D2848
This was SVN commit r24518.
No particularly noteworthy changes, as most complex API changes were
already supported in SM45 and done.
The addition of JSStructuredCloneData allows to remove our custom class.
Changes:
- InformalValueTypeName is back in the API, so remove our
implementation.
- Stop using JSRuntime entirely in favour of JSContext*
- JSPropertyDescriptor is renamed.
- CompartmentOptions are tweaked slightly (no functional changes)
- JS::Construct - API update.
- JSClass split - API update.
- A js.msg error message was removed, so we had to use a different one.
- Tests fix: fix comparison of union instances
- Disable warning in spidermonkey Vector.h
- Update error reporting to SM52 (minor API updates)
- Ignore warnings about unused return values (would come from OOM, which
isn't recoverable)
Most of the patching was done by Itms.
Tested by: Stan, Freagarach
Fixes#4893
Differential Revision: https://code.wildfiregames.com/D3095
This was SVN commit r24203.
- Check for pending exceptions after function calls and script
executions.
- Call LOGERROR instead of JS_ReportError when there is a conversion
error in FromJSVal, since that can only be called from C++ (where JS
errors don't really make sense). Instead, C++ callers of FromJSVal
should handle the failure and, themselves, either report an error or
simply do something else.
- Wrap JS_ReportError since that makes updating it later easier.
This isn't a systematical fix since ToJSVal also ought return a boolean
for failures, and we probably should trigger errors instead of warnings
on 'implicit' conversions, rather a preparation diff.
Part of the SM52 migration, stage: SM45 compatible (actually SM52
incompatible, too).
Based on a patch by: Itms
Comments by: Vladislavbelov, Stan`
Refs #742, #4893
Differential Revision: https://code.wildfiregames.com/D3093
This was SVN commit r24187.
SM52 essentially replaces JSRuntime with JSContext (though JSContext
itself was replaced with JSCompartment).
To prepare for this migration, rename all Runtime-related things to
Context.
Part of the SM52 migration, stage: SM45 compatible.
Patch by: Itms
Refs #4893
Differential Revision: https://code.wildfiregames.com/D3091
This was SVN commit r24181.
JSAutoRequest is required before calling into most JSAPI methods, for GC
reasons.
Calling it is required and fragile as one must not forget.
Further, SM52 and later make manipulating JSContext* dangerous as that
can cross Compartment(Realm in SM68) barriers (and ScriptInterface now
matches a Compartment).
The solution to both problems is to avoid using JSContext* in 0 A.D.
itself. To achieve this, a Request class is introduced, and must be used
to access a JSContext* from a scriptInterface. Further, Request is
passed to other ScriptInterface functions isntead of JSContext*, making
it obvious that the caller has already called it, reducing errors and
redundant JSAutoRequest calls.
Only JSNative functions now get a naked JSContext* without protection,
but the likelihood of forgetting a request is lower since many
ScriptInterface functions now expect it.
JSContext* is directly passed to JSAPI functions only.
Part of the SM52 migration, stage: SM45 compatible
Based on a patch by: Itms
Tested By: Freagarach
Refs #4893
Differential Revision: https://code.wildfiregames.com/D3088
This was SVN commit r24176.
- Makes it easier to change down the line (and change is coming)
- Allows making g_ScriptRuntime thread-local easily.
- Remove ParentRuntime, which is not used at the moment.
Part of the SM52 migration, stage: SM45 compatible.
Patch by: Itms
Tested By: Freagarach
Refs #4893
Differential Revision: https://code.wildfiregames.com/D3087
This was SVN commit r24171.
Avoid redundant map lookups by caching the iterator.
Remove c-style casts by using type specific printf parameters, and
static_cast elsewhere.
Use references while at it, and typedef -> using.
Differential Revision: https://code.wildfiregames.com/D1567
Comments by: Vladislav
Tested on: clang 8.0.1, gcc 9.1.0
This was SVN commit r22916.
Fixes an occurring leak indicated by the reported clang unused variable
compiler warning, refs #5294, #5550,
by adding the missing glooxwrapper::Jingle::Session::Session destructor
.
Fix two leaks that would have occurred if the according code had been
used:
Delete unused glooxwrapper::Jingle::ICEUDP::ICEUDP instead of adding the
missing destructor.
Delete unused glooxwrapper::Jingle::Content::Content instead of adding
the missing destructor.
Explain why glooxwrapper::Client::registerStanzaExtension doesn't leak
the new StanzaExtensionWrapper.
Explain why glooxwrapper::Jingle::Session::sessionInitiate doesn't leak
the new gloox::Jingle::Content, nor the new gloox::Jingle::ICEUDP.
Explain why glooxwrapper::SessionManager::registerPlugins doesn't leak
the new gloox::Jingle::Content and new gloox::Jingle::ICEUDP.
Explain why glooxwrapper::SessionManager::createSession doesn't leak the
gloox::Jingle::Session.
I will not leak memory in the glooxwrapper.
I will not leak memory in the glooxwrapper.
I will not leak memory in the glooxwrapper.
Use references in the StunClient and glooxwrapper to anticipate any
confusion as to whose obligation it is to delete variables when they are
passed around across several files.
Use static_cast and reinterpret_cast instead of C-style casts in the
StunClient.
Differential Revision: https://code.wildfiregames.com/D2094
Refs D2093 for the reported leaks.
Reviewed By: Josh
Comments By: fcxSanya, Vladislav for D2094, and echotangoecho, leper in
61261d14fc
This was SVN commit r22678.
std::thread crashes when destroyed without being joined or detached.
Joining would wait on the UPnP thread, which can take upwards of 10
seconds, so detach instead.
Reviewed By: elexis
Differential Revision: https://code.wildfiregames.com/D2181
This was SVN commit r22674.
This removes pthread mutexes/threads from:
- vfs
- the resource handler manager
- timer
- the network server.
This allows removing it from our general posix include header.
Differential Revision: https://code.wildfiregames.com/D1920
This was SVN commit r22666.
ThreadUtil shipped a scope lock and a mutex implementation, which can be
removed since we now have these in the standard library.
This lets us clean up this header which get included everywhere (through
profiler includes).
Tested By: Angen and Stan
Differential Revision: https://code.wildfiregames.com/D1915
This was SVN commit r22344.
This prevents a lobby player banned by the host from rejoining after
getting a new IP address and changing the rating part of the nickname,
refs #5320, #3241 / 32da740f14, #3549 / 0fd8aa2a77 / D897.
Differential Revision: https://code.wildfiregames.com/D1655
Reproduced By: Hannibal_Barca
This was SVN commit r21918.
This is due to too many oversteppings of the lobby Terms of Use
following JS mods that implemented an UI for players to join lobby games
with arbitrary nicknames or 'replace' / impersonate other players in
lobby games.
Agreed with: user1, Dunedan
Code proofread by: Vladislav
Minor discussions with: Imarok, Hannibal_Barca, smiley, fpre, bb, nani
refs
https://wildfiregames.com/forum/index.php?/topic/24722-improving-mod-security/
This was SVN commit r21877.
This works in autostartmode because that sets every client to an
observer and still relies on enabled cheats to have players assign
themselves.
This was SVN commit r21854.
The NetClient runs in the main thread, so any part of the loading screen
consuming several seconds makes that client timeout.
This is a workaround because threading the NetClient would have prevent
these timeouts, refs #3700.
Coutnerintuitively, since enet timeout tolerance is proportional to the
latency, the better the connection of the player, the more likely it was
to drop on gamestart.
This problem became very frequent in Alpha 23, at least due to the Aura
bugfix 583b6ec625, AIInterface being particularly slow and that not
having been disabled yet in the loading screen resulting in additional
10 second freezes during the loading screen, even on empty maps, refs
#5200, 8e168f85e6.
Differential Revision: https://code.wildfiregames.com/D1513
Based on patch by: causative
This was SVN commit r21842.
Prevents changes to the gamesettings after the game was started, so as
to use the correct map seed when generating the random map terrain for
rejoiners.
D1558 will prevent the UI bug #5206 and FSM error from doubleclicking on
StartGame.
Differential Revision: https://code.wildfiregames.com/D1562
Tested and accepted by: temple
This was SVN commit r21836.
This allows the host to distinguish clients that are just slower than
everyone else with the loading screen from clients who have most likely
disconnected or crashed already and may be considered to be kicked.
This is especially important for D1513, because that increases the
timeout tolerance to a minute or longer.
Fixes#5193
Differential Revision: https://code.wildfiregames.com/D1546
Reviewed By: causative
This was SVN commit r21832.
Allows lobby players to host games without having to configure their
router.
Differential Revision: https://code.wildfiregames.com/D364Fixes#2305
Patch By: fcxSanya.
StunClient based on code by SuperTuxKart, relicensed with approval of
the according authors hilnius, hiker, Auria, deveee, Flakebi, leper,
konstin and KroArtem.
Added rfc5245 (ejabberd) support, a GUI option, refactoring and segfault
fixes by myself.
Tested By: user1, Sandarac, Sestroretsk1714, Vladislav, Grugnas,
javiergodas
Partially Reviewed By: leper, Philip, echotangoecho
This was SVN commit r19703.
Two clients chosing the same GUID is highly unlikely, yet possible.
A malicious client chosing an existing GUID would have resulted in
unassigning the player with that GUID.
This was SVN commit r19225.
Thus remove the peculiarity to broadcast to clients that are in the
gamesetup, loading screen or ingame, but not rejoining ones.
Fix "unknown player" errors in the GUI by broadcasting player
assignments to rejoining players too. Fixes#4036.
Differential Revision: D17
Reviewed By: Imarok
This was SVN commit r19171.
Remove the "Net" prefix from the non-networked classes.
Use variadic macros and mark the client turnmanager as NONCOPYABLE.
Differential Revision: D16
Reviewed By: leper
This was SVN commit r19165.
Access the server from the client only, not from the GUI (except for
autostarted games).
Thereby lay the foundation for clients to setup the game (refs #3806)
and dedicated hosting (refs #3556).
Doesn't transfer nor remove the SetTurnLength showcase from 0ebe3486b6.
This was SVN commit r18322.
Don't compare for "127.0.0.1" to identify the host, but check for a new
boolean flag that is set by the client, refs #2854.
Remove an unneeded IP address conversion from u32 to string, refs #3241.
This was SVN commit r18140.
Only send the network-warnings to clients that successfully joined the
gamesetup or game.
Thus save a bit performance and
prevents a rare, harmless FSM update error (like in refs #3199) in case
a client received the message while authenticating.
Reported by fatherbushido, refs #3264.
This was SVN commit r18117.
The host can change the number of allowed observers in running games.
Make sure that joining observers won't take the "slot" of disconnected
players, fixes#3671.
Send clients a new disconnect reason "Server full" instead of letting
them timeout.
This was SVN commit r17881.
Remove it from the game-attributes, since it is not used in the
simulation, nor are they supposed to change in running games.
This was SVN commit r17861.
Have it disabled by default to fix#3604.
Prevents players from rejoining as late-observers in case they timed-out
on the client-side but not on the server-side.
This was SVN commit r17851.
This upgrade also introduces exact stack rooting (see to the wiki:
JSRootingGuide) and fixes problems with moving GC. This allows us to
enable generational garbage collection (GGC).
Measurements a few months ago have shown a performance improvement of a
non-visual replay of around 13.5%. This probably varies quite a bit, but
it should be somewhere between 5-20%. Memory usage has also been
improved. Check the forum thread for details.
Thanks to everyone from the team who helped with this directly or
indirectly (review, finding and fixing issues, the required C++11
upgrade, the new autobuilder etc.)! Also thanks to the SpiderMonkey
developers who helped on the #jsapi channel or elsewhere!
Fixes#2462, #2415, #2428, #2684, #1374
Refs #2973, #2669
This was SVN commit r16214.
Everything is char* now, so we don't need to mess around with different
string types.
Done with:
ag -ls 'LOG(MESSAGE|MESSAGERENDER|WARNING|ERROR)' source | xargs perl
-pi -e'1 while
s/(LOG(MESSAGE|MESSAGERENDER|WARNING|ERROR).*)%[hl]s/$1%s/g'
This was SVN commit r16187.
Done with:
ag -ls 'LOG(MESSAGE|MESSAGERENDER|WARNING|ERROR)' source | xargs sed
-i 's/LOG\(MESSAGE\|MESSAGERENDER\|WARNING\|ERROR\)(L/LOG\1(/g'
This was SVN commit r16183.
The runtime is becoming more and more important in the JSAPI. As a
result, we also have more functionality on the runtime level and having
the whole ScriptRuntime class hidden in ScriptInterface.cpp doesn't make
sense anymore. ScriptInterface.cpp also has become quite a large file
and pulling out the runtime part makes it a bit smaller.
Refs #2462
This was SVN commit r15961.
The main problem was that GC was only called from the simulation before
this patch. This means when you were waiting in the multiplayer lobby or
just had the GUI open, it only called GC when getting close to the JS
runtime size limit (I assume). Another problem was the Net Server
runtime which didn't GC either. Here the runtime size limit is 16 MB
though, so it's not too terrible. These issues have both been addressed
and GC has been given a bit more time per incremental slice to make sure
it gets done in time. It's still far from perfect, but there are too
many changes in SpiderMonkey related to GC, so I don't want to spend too
much time on this yet.
Refs #2808
This was SVN commit r15787.
This commit contains all the required changes to our source files and
build scripts (hopefully).
A next commit will remove the old stuff of SpiderMonkey 1.8.5.
Spcial thanks to:
- H4writer who helped a lot mainly with the performance issues we
had/have, but also with other problems or questions.
- Leper for the review.
- Historic_bruno for implementing the build scripts on Mac OS X and
testing on the Mac.
- The people from the #jsapi channel and from
mozilla.dev.tech.js-engine who answered a lot of questions and helped
solving problems.
- All the other people who helped
Refs #1886Fixes#2442Fixes#2416
This was SVN commit r14877.
Replace CreateValue with SetValueString so we don't pass pointers to
internal
ConfigDB structures around. Refs #1810.
Remove some splash screen related functions since we can achieve the
same
with the ConfigDB functions exposed to scripts.
This was SVN commit r14437.
