Re: Updater
 

Sine all my projects where already on Github I had a similar problem to solve. I built a small PHP wrapper script running on my web server delivering the files via HTTP instead of HTTPS:

Feel free to use and adapt if you have a web server with PHP and the PHP-CURL extension.

Re: Updater
 

L 04/01/2014 - 18:11:23: SMC parsing error on line 0
L 04/01/2014 - 18:11:23: [0] URL: http://dev.xadgaming.com/simple-chat...er/updater.txt
L 04/01/2014 - 18:11:23: [1] ERROR: Line contained too many invalid tokens

We have this error on our server.

Re: Updater
 

http://dev.xadgaming.com/simple-chat...er/updater.txt

That doesn't look like a valid updater text file...

Re: Updater
 

It's due to the domain where the updater file for Simple Chat Processor is hosted being expired, you can just ignore that error.

Re: Updater
 

Is there ever going to be an option to have paths be different on the download server than the game server?

For instance, to make it easier to create distributions, I store my source and resource files using the full path (addons/sourcemod/scripting/whatever.sp or sound/prophunt/whatever.mp3) but I don't want to put my updater files... or models/materials/sounds... under the sourcemod directory.

Re: Updater
 

First thanks GoD-Tony for this powerfull and usefull tool.
And well, I have read your finals notes, not sure if you still want give a look about how I added Updater to my plugin, here is a link.

Re: Updater
 

How vulnerable is this to EvilGrade if DNS records are compromised?
http://www.infobyte.com.ar/down/Fran...%20-%20ENG.pdf

Re: Updater
 

Extremely.

Re: Updater
 

should add functionality to check downloaded file signatures (public/private key) before doing the update? Is that possible?

let's say I target the BGF warmod plugin. the dns redirects the update request to my compromised add-on.

If the updater had functionality to download the plugin together with a hash, signed with the warmod author private key and the updater was configured to read the public key the server admin stored on the server, it would reject the compromised add-on, no?

or does the SSL handle this already?

Re: Updater
 

If you can ensure the safety of your DNS-Server you may use SSL/TLS (HTTPS) to protect the content of the connection once established. I managed to get it working with Github using SSL/TLS, just edit scripting/updater/download_curl.sp and add the following after line 41:
This will tell cURL to use SSL protocol version 3 and connect successful. This will only work if you use the cURL extension!

If you still can't use SSL, try these steps (still requires cURL extension, no Socket or SteamTools support!):

1. Create a new directory called ssl in your sourcemod folder
2. Download this semi-official root CA collection and put it in the new ssl folder (don't rename it!)
3. Add this snippet after line 34 in download_curl.sp:
   Code:

   ---

   decl String:sCAPath[PLATFORM_MAX_PATH];
BuildPath(Path_SM, sCAPath, sizeof(sCAPath), "ssl/cacert.pem");

   ---

4. Add this snippet after line 41 in download_curl.sp:
   Code:

   ---

   if(FileExists(sCAPath))
{
        LogMessage("Found custom cacert.pem, using supplied root CA store for SSL connections");
        curl_easy_setopt_string(curl, CURLOPT_CAINFO, sCAPath);
}
curl_easy_setopt_int(curl, CURLOPT_SSLVERSION, 3);

   ---

5. Recompile, update your servers updater.smx and reload it
6. Plugins using updater should now be able to use HTTPS-enabled websites as update source

If you trust me and don't want to compile yourself you can use the attached updater.smx (as it can't be compiled on the forum), I increased the version number to 1.2.1 so it won't get confused with the official one.

Re: Updater
 

You'll need to attach a zip file of sources for that binary.

SteamTools already support HTTPS, cURL should as well without needing that flag unless you're talking to broken servers.

Re: Updater
 

Added source code.

Like I said; Github as an example will not handshake with clients using protocol version lower than SSL v3 (TLS v1) and the default option set in cURL will just cancel the request with an error. These are not "broken" servers but server who ensure they won't leak information to older clients supporting only old and probably vulnerable protocol versions.

Ah, I stand corrected, after a bit of research there really seems to be a problem with Github not graciously downgrading from TLS 1.0/1.1/1.2 to SSLv3 automatically, how odd!

Re: Updater
 

Thank you, I'm just curious about the case where DNS can't be guaranteed :)

with all the router hacks I read about these days

Re: Updater
 

If you consistently use SSL and your Clients strictly validates the certificate against an official CA (VeriSign, COMODO, StartSSL and so on) you are pretty safe against DNS spoofing attacks (I'm simplifying it a bit, in reality it's more complicated but I won't go in to deep) because the target host name has to match the certificates "distinguished name". If someone on your network gained access to the DNS system your server uses to resolve names and redirects traffic from your client to himself (faking the real update website) this validation would fail because only the real owner of the official update site has the corresponding private key and no connection would be established. This only works if the private key really remains secret (which can't be assured for old certificates since the heartbleed disaster) and the client won't skip the peer/host validation.

I hope this wasn't worded too complicated, long story short: SSL also protects against spoofed DNS requests (as long as it's set up properly)

Re: Updater
 

to get VeriSign certs you have to pay

I think it would be way easier if there is an RSA keypair, the plugin author keeps the secret key and generates a signature for the updater plugin to check with the public key. When you install a plugin, you provide the author public key with it so you can validate the downloaded plugin comes from the right source.

a dns hack won't be able to insert evil soucemod addons

Re: Updater
 

That's not a valid excuse if you are serious about what you are doing :wink: A three year wildcard(!) multi-domain certificate from StartSSL costs 60$/2yrs! I use them since 2008 if I remember correctly and it works perfectly in all (modern) browsers and other clients.

Signing the files would need an implementation for SourceMod to check (like an OpenSSL extension) and a few modifications on Updater, while HTTPS would ensure transport security and is easier to implement as long as people use SteamTools or cURL.

Re: Updater
 

Three year two years?

I think that using a type of signature system would work better. Requiring SSL is not compatible with Updater as it is now, since the Socket extension doesn't support it. Signatures would also allow for binaries supplied from other sources to be linked back to a trusted key.

Re: Updater
 

You pay once for your personal verification (so they know you are really you) and then you can request a certificate which will stay valid for two years. If I remember correctly you can expand to three years with one additional validation step (costing a bit more ofc.).

As for the signing of files; it's possible to achieve with OpenSSL:

1. Generate new private key called nefarius.key (this file must be kept secret!)
   • openssl genrsa -out nefarius.key 2048
2. Extract public key nefarius.pub (this file gets distributed to the clients)
   • openssl rsa -in nefarius.key -pubout > nefarius.pub
3. Create a hash of your plugin file
   • openssl dgst -sha256 plugin.smx > plugin.sha
4. Sign the hash with your private(!) key
   • openssl rsautl -sign -inkey nefarius.key -out plugin.sha.rsa -in plugin.sha
5. Transfer nefarius.pub, plugin.smx and plugin.sha.rsa to your client(s)
6. Client verifies signed hash file
   • openssl rsautl -verify -inkey nefarius.pub -in plugin.sha.rsa -pubin > plugin.sha
7. Client generates hash of downloaded plugin.smx
   • openssl dgst -sha256 plugin.smx > plugin.sha.tmp
8. Client compares contents of plugin.sha and plugin.sha.tmp
   • If they don't match, the file has been manipulated. Discard file, log action, call police etc.
   • If they match, accept and install the file

A plugin using this may use the System2 extension to run the openssl command. This requires openssl being present in the system path ofc. or a static build of openssl is shipped with the plugin.

Re: Updater
 

...for all 3 OSes SourceMod supports.

Re: Updater
 

Never mind, I think I misunderstood your comment. Ofc. a build compatible with all operating systems :)

Linux will - in most cases - not be a problem, I just tested it with a static build for Windows:

http://www0.xup.in/exec/ximg.php?fid=95980068

Re: Updater
 

I have my identity verified on StartSSL. It costs $70 and the certificates are valid for two years. Identity validation is good for one year and in that time you can issue unlimited certificates for domains that you own. For another $70 you can verify your control of an organization (a legal business) and then your certs are good for three years. Validation remains valid for only one year. Organization validation won't apply to everyone.

Still, security should not cost money. I think something like PGP would work best for this, as an extension or widely built into SourceMod.

Re: Updater
 

So you really want a signature based solution, eh? You shall get one :)

After a hard night of coding and stopping my brain from escaping as i dove through the OpenSSL documentation it's finally finished; a SourceMod extension for verifying files signed with an RSA private key: SourceSec! (my product names are always creative as hell)

http://www0.xup.in/exec/ximg.php?fid=10400326

It abstracts away the fairly complicated process of computing hashes and validating signatures with OpenSSL's API hell :) Currently there are two natives implemented:

• Code:

  ---

  native SourceSec_Verify(const String:publicKeyFile[], const String:sourceFile[], const String:signatureFile[])

  ---

  • Provides an easy way to validate a files authenticity by checking it against a supplied signature with the authors public key
• Code:

  ---

  native SourceSec_GetSHA256(String:output[], size, const String:file[])

  ---

  • Simple calculation of a typical SHA256 checksum

Here you can see a live test; someone tried to slip a potentially malicious version of a plugin which get's caught in the validation process:

http://www0.xup.in/exec/ximg.php?fid=17234424

Currently it's working flawlessly on windows only, I'll release all the project data in a separate thread in the extensions-sub-forums tomorrow. Usage is meant to be as simple as possible as this demo script shows:

Note: despite the fact I named the signature files extension .sha256 it of course is signed with the private key as anything else would be pointless :wink:

Re: Updater
 

Nice idea. Now to really have some use of this one would need some trusted place where to get the public key instead of just shipping it together with the plugin. And some way to assign those public keys with the .smx.

How about a small change to the plugin header where the compiler could add a signed hash of the .data and .code section if some command line flag is set to the private key. Then people could add their public key to their forum profiles and their forum userid would be added as the "owner" of the plugin in the header too.
When the plugin is loaded, sourcemod would fetch the publickey, display the username so admins can verify where it's from and verify the signature.

That way one could be sure, the binary is from the correct author you trust.
People would have to upload the signed .smx despite the plugin being able to compile through the online compiler "Get Plugin", but it's still the user's choice if they like some security of the plugin's origin.

Re: Updater
 

I'd target a solution which won't need to recompile every plugin or modify the compiler. I haven't yet dove deep enough into the SourceMod API but I think it's possible to intercept loading a plugin from an extension. The idea would be the following:

1. SourceSec extension is loaded and "listenes" for plugins to be loaded
2. Plugins get loaded (either through admin command or server start)
3. Filename of the plugin gets extracted (e.g. mapchooser.smx)
4. A signature file (e.g. mapchooser.sig) is searched within the plugins directory (or plugins/signatures)
5. If present, the public key gets searched in e.g. sourcemod/rsa/authors, named after the author in the plugin info header (e.g. Nefarius.pub)
6. Extension verifies all three components and allows plugin execution if check passed or denies with sending an error message to the logs

This would keep the administrative overhead for the authors at a minimum; they have to distribute the plugin, signature and public key where the public key should only be necessary to install once. Future updates using Updater will only fetch plugin and signature; if either of them get manipulated on it's way to the clients the validation against the public key (which is already present on the target machine and can't be swapped out unless an admin does so by hand) fails and the update won't get installed.

Re: Updater
 

This is a pretty good way to get it going immediately, but ultimately it would be nicer and cleaner to build this functionality directly into SourceMod.

How many server admins are going to bother to download 2 extra files for a plugin? It'd be nicer if the signature were embedded directly into the binary. The public keys could be kept in a repository on this site (it's already served over HTTPS), with the certificate pinned if you're paranoid.

Re: Updater
 

wow, good job.

this "sourcesec" mod you just wrote is what I was looking for, thanks!

Re: Updater
 

I think authors should just start distributing their public sig on their plugin thread, where we can already get the code.

I, for instance, usually want to inspect the code to learn and understand how it works and usually download the source & dependencies and compile myself. (I usually don't set up the updater part).

it's good to have a system available where you can validate the plugin before it is being automatically updated.

Re: Updater
 

Hello, i have a big problem with the updater,
it's my Updater.log

and that is my Error Log
Thank you if you reply :)

Re: Updater
 

Hello. I would like to use an updater in my plugin, but i would also like the plugin could be loaded if there is no Updater on current server. To add Updater support, i use the example code from the 1st post of thos topic. When i try to load my plugin w/o loaded updater i get the message:
I wonder if there is any way to start my compiled .smx with updater support if there is no updater on the server?

Re: Updater
 

You have a forward slash in your plugin name Module/Accueil.smx so Updater threats it like a directory and tries to put it into addons/sourcemod/plugins/Module which doesn't exist so it fails to create the local file. Swap the / with an _ for example and it should work.

Re: Updater
 

There is. Don't forget the
in your header and also add
to your plugin and it should do fine.

Re: Updater
 

Yes, but i wanna the plugin in this directory...

Re: Updater
 

So why doesn't it already exist then? Shouldn't it be created at the initial installation of your plugin? Like in the shipped ZIP or smth.? AFAIK there is no routine in Updater to create "missing" directories.

Re: Updater
 

I will try, thanks :)

Re: Updater
 

Completely unnecessary. Updater.inc already marks all THREE natives as optional. (Updater_AddPlugin(), Updater_RemovePlugin(), and Updater_ForceUpdate())

Also, ReloadPlugin isn't a native. The code that it executes is included right there in the INC. It's worth noting that if ReloadPlugin() isn't ever used in the plugin, it will not be compiled into the plugin at all, as it is prefixed with "stock"

Re: Updater
 

I see, thanks for clearing this up!

Re: Updater
 

SM will load plugins from subdirectories in addons/sourcemod/plugins (except for disabled). Notice where it says:

One can safely assume that the Module directory exists and that Accueil.smx is running from it.

henri9813: Check to make sure plugins/Module is writable.

Re: Updater
 

Except for disabled or optional you mean. I ran into that while checking the SourceMod source code last week. It's also in the 1.6 version, in case you're wondering.

Re: Updater
 

Hello,

does this not work properly with CS:GO on a linux server?

Output of sm_updater_status:
Output of sm_updater_check
The given times never change. It is stuck at 0.0 / 60.0.

Metamod:
Sourcemod:
Sourcemod Extensions:
Sourcemod Plugins:
I installed the socket extension since curl didnt work. The updater works fine with curl on CS:S.

With kind regards,
Karower

Re: Updater
 

Same problem like Karower. Any fix?