[Dr. McKay]

Quote:

Originally Posted by Nefarius You pay once for your personal verification (so they know you are really you) and then you can request a certificate which will stay valid for two years. If I remember correctly you can expand to three years with one additional validation step (costing a bit more ofc.). As for the signing of files; it's possible to achieve with OpenSSL: Generate new private key called nefarius.key (this file must be kept secret!) openssl genrsa -out nefarius.key 2048 Extract public key nefarius.pub (this file gets distributed to the clients) openssl rsa -in nefarius.key -pubout > nefarius.pub Create a hash of your plugin file openssl dgst -sha256 plugin.smx > plugin.sha Sign the hash with your private(!) key openssl rsautl -sign -inkey nefarius.key -out plugin.sha.rsa -in plugin.sha Transfer nefarius.pub, plugin.smx and plugin.sha.rsa to your client(s) Client verifies signed hash file openssl rsautl -verify -inkey nefarius.pub -in plugin.sha.rsa -pubin > plugin.sha Client generates hash of downloaded plugin.smx openssl dgst -sha256 plugin.smx > plugin.sha.tmp Client compares contents of plugin.sha and plugin.sha.tmp If they don't match, the file has been manipulated. Discard file, log action, call police etc. If they match, accept and install the file A plugin using this may use the System2 extension to run the openssl command. This requires openssl being present in the system path ofc. or a static build of openssl is shipped with the plugin.

I have my identity verified on StartSSL. It costs $70 and the certificates are valid for two years. Identity validation is good for one year and in that time you can issue unlimited certificates for domains that you own. For another $70 you can verify your control of an organization (a legal business) and then your certs are good for three years. Validation remains valid for only one year. Organization validation won't apply to everyone.

Still, security should not cost money. I think something like PGP would work best for this, as an extension or widely built into SourceMod.

[Nefarius]

So you really want a signature based solution, eh? You shall get one

After a hard night of coding and stopping my brain from escaping as i dove through the OpenSSL documentation it's finally finished; a SourceMod extension for verifying files signed with an RSA private key: SourceSec! (my product names are always creative as hell)



It abstracts away the fairly complicated process of computing hashes and validating signatures with OpenSSL's API hell Currently there are two natives implemented:

• Code:

  native SourceSec_Verify(const String:publicKeyFile[], const String:sourceFile[], const String:signatureFile[])

  • Provides an easy way to validate a files authenticity by checking it against a supplied signature with the authors public key
• Code:

  native SourceSec_GetSHA256(String:output[], size, const String:file[])

  • Simple calculation of a typical SHA256 checksum

Here you can see a live test; someone tried to slip a potentially malicious version of a plugin which get's caught in the validation process:



Currently it's working flawlessly on windows only, I'll release all the project data in a separate thread in the extensions-sub-forums tomorrow. Usage is meant to be as simple as possible as this demo script shows:

PHP Code:

#pragma semicolon 1
#include <sourcemod>
#include <sourcesec>

public Plugin:myinfo =
{
    name = "SourceSig",
    author = "Nefarius",
    description = "SourceSig Test",
    version = SOURCEMOD_VERSION,
    url = "http://nefarius.at/"
};

public OnPluginStart()
{
    decl String:inFileHash[65];
    decl String:pubKey[PLATFORM_MAX_PATH] = "data/wml/nefarius.pub";
    decl String:inFile[PLATFORM_MAX_PATH] = "plugins/wml.smx";
    decl String:inSig[PLATFORM_MAX_PATH] = "data/wml/wml.smx.sha256";
    
    PrintToServer("PUBLIC KEY PATH: %s", pubKey);
    PrintToServer("ORIGINAL FILE PATH: %s", inFile);
    PrintToServer("SIGNATURE PATH: %s", inSig);

    SourceSec_GetSHA256(inFileHash, sizeof(inFileHash), inFile);
    PrintToServer("SHA256 OF ORIGINAL FILE: %s", inFileHash);
    
    new ret = SourceSec_Verify(pubKey, inFile, inSig);
    
    PrintToServer("VALIDATION RESULT: %d", ret);
} 


Note: despite the fact I named the signature files extension .sha256 it of course is signed with the private key as anything else would be pointless

[Peace-Maker]

Nice idea. Now to really have some use of this one would need some trusted place where to get the public key instead of just shipping it together with the plugin. And some way to assign those public keys with the .smx.

How about a small change to the plugin header where the compiler could add a signed hash of the .data and .code section if some command line flag is set to the private key. Then people could add their public key to their forum profiles and their forum userid would be added as the "owner" of the plugin in the header too.
When the plugin is loaded, sourcemod would fetch the publickey, display the username so admins can verify where it's from and verify the signature.

That way one could be sure, the binary is from the correct author you trust.
People would have to upload the signed .smx despite the plugin being able to compile through the online compiler "Get Plugin", but it's still the user's choice if they like some security of the plugin's origin.

[Nefarius]

I'd target a solution which won't need to recompile every plugin or modify the compiler. I haven't yet dove deep enough into the SourceMod API but I think it's possible to intercept loading a plugin from an extension. The idea would be the following:

1. SourceSec extension is loaded and "listenes" for plugins to be loaded
2. Plugins get loaded (either through admin command or server start)
3. Filename of the plugin gets extracted (e.g. mapchooser.smx)
4. A signature file (e.g. mapchooser.sig) is searched within the plugins directory (or plugins/signatures)
5. If present, the public key gets searched in e.g. sourcemod/rsa/authors, named after the author in the plugin info header (e.g. Nefarius.pub)
6. Extension verifies all three components and allows plugin execution if check passed or denies with sending an error message to the logs

This would keep the administrative overhead for the authors at a minimum; they have to distribute the plugin, signature and public key where the public key should only be necessary to install once. Future updates using Updater will only fetch plugin and signature; if either of them get manipulated on it's way to the clients the validation against the public key (which is already present on the target machine and can't be swapped out unless an admin does so by hand) fails and the update won't get installed.

[Dr. McKay]

Quote:

Originally Posted by Nefarius I'd target a solution which won't need to recompile every plugin or modify the compiler. I haven't yet dove deep enough into the SourceMod API but I think it's possible to intercept loading a plugin from an extension. The idea would be the following: SourceSec extension is loaded and "listenes" for plugins to be loaded Plugins get loaded (either through admin command or server start) Filename of the plugin gets extracted (e.g. mapchooser.smx) A signature file (e.g. mapchooser.sig) is searched within the plugins directory (or plugins/signatures) If present, the public key gets searched in e.g. sourcemod/rsa/authors, named after the author in the plugin info header (e.g. Nefarius.pub) Extension verifies all three components and allows plugin execution if check passed or denies with sending an error message to the logs This would keep the administrative overhead for the authors at a minimum; they have to distribute the plugin, signature and public key where the public key should only be necessary to install once. Future updates using Updater will only fetch plugin and signature; if either of them get manipulated on it's way to the clients the validation against the public key (which is already present on the target machine and can't be swapped out unless an admin does so by hand) fails and the update won't get installed.

This is a pretty good way to get it going immediately, but ultimately it would be nicer and cleaner to build this functionality directly into SourceMod.

How many server admins are going to bother to download 2 extra files for a plugin? It'd be nicer if the signature were embedded directly into the binary. The public keys could be kept in a repository on this site (it's already served over HTTPS), with the certificate pinned if you're paranoid.

[Lordearon]

wow, good job.

this "sourcesec" mod you just wrote is what I was looking for, thanks!

[Lordearon]

Quote:

Originally Posted by Dr. McKay This is a pretty good way to get it going immediately, but ultimately it would be nicer and cleaner to build this functionality directly into SourceMod. How many server admins are going to bother to download 2 extra files for a plugin? It'd be nicer if the signature were embedded directly into the binary. The public keys could be kept in a repository on this site (it's already served over HTTPS), with the certificate pinned if you're paranoid.

I think authors should just start distributing their public sig on their plugin thread, where we can already get the code.

I, for instance, usually want to inspect the code to learn and understand how it works and usually download the source & dependencies and compile myself. (I usually don't set up the updater part).

it's good to have a system available where you can validate the plugin before it is being automatically updated.

[henri9813]

Hello, i have a big problem with the updater,

Quote:

L 04/21/2014 - 01:49:51: Update available for "Module d'accueil" (Module/Accueil.smx). Current: 0.0.0 - Latest: 0.0.1 L 04/21/2014 - 01:49:51: [0] Module d'accueil, nouveauté: L 04/21/2014 - 01:49:51: [1] changement du type de message: L 04/21/2014 - 01:49:51: [2] text->HUD

it's my Updater.log

and that is my Error Log

Quote:

L 04/21/2014 - 01:49:52: SourceMod error session started L 04/21/2014 - 01:49:52: Info (map "cp_orange_x_6") (file "errors_20140421.log") L 04/21/2014 - 01:49:52: [SM] Native "Steam_WriteHTTPResponseBody" reported: Unable to open addons/sourcemod/plugins/Module/Accueil.smx.temp for writing L 04/21/2014 - 01:49:52: [SM] Displaying call stack trace for plugin "updater.smx": L 04/21/2014 - 01:49:52: [SM] [0] Line 27, updater/download_steamtools.sp::OnSteamHTTPComplete()

Thank you if you reply

[GAVVVR]

Hello. I would like to use an updater in my plugin, but i would also like the plugin could be loaded if there is no Updater on current server. To add Updater support, i use the example code from the 1st post of thos topic. When i try to load my plugin w/o loaded updater i get the message:

Quote:

Could not find required plugin "Updater"

I wonder if there is any way to start my compiled .smx with updater support if there is no updater on the server?

[Nefarius]

Quote:

Originally Posted by henri9813 Hello, i have a big problem with the updater, ...

You have a forward slash in your plugin name Module/Accueil.smx so Updater threats it like a directory and tries to put it into addons/sourcemod/plugins/Module which doesn't exist so it fails to create the local file. Swap the / with an _ for example and it should work.