Commit graph

15 commits

Author SHA1 Message Date
Ryan C. Gordon
7542966e33 Verify libTom source archives aren't tampered with. 2017-06-04 01:15:38 -04:00
Ryan C. Gordon
ece37f1390 Initial add of rsa_tools.
This is just a simple RSA public key digital signature thing built on
libtomcrypt. The gist:

Some admin will generate a public/private key with rsa_make_keys, keeping the
private key secret. Using the private key and rsa_sign, the admin will sign
the autoupdater manifests, generating manifest.txt.sig.

The public key ships with the game (adding 270 bytes to the download), the
.sig is downloaded with the manifest by the autoupdater (256 bytes extra
download), then the autoupdater checks the manifest against the signature
with the public key. If the signature isn't valid (the manifest was tampered
with or corrupt), the autoupdater refuses to continue.

If the manifest is to be trusted, it lists sha256 checksums for every file to
download, so there's no need to sign every file; if they can't tamper with the
manifest, they can't tamper with any other file to be updated since the file's
listed sha256 won't match.

If the private key is compromised, we generate new keys and ship new
installers, so new installations will be able to update but existing ones
will need to do a new install to keep getting updates. Don't let the private
key get compromised. The private key doesn't go on a public server. Maybe it
doesn't even live on the admin's laptop hard drive.

If the download server is compromised and serving malware, the autoupdater
will reject it outright if they haven't compromised the private key, generated
a new manifest, and signed it with the private key.

libtomcrypt is sort of a big pile of source code, so instead of putting it
in revision control, we have a script to download it. Most things don't need
it. It lives on GitHub, so we _could_ do a git submodule, but most people
don't need it, so why waste their disk and bandwidth? That said, when compiled
you end up with a few hundred kilobytes of binary code to verify a signature
and no external dependencies, so it seems like a win.
2017-06-03 20:26:07 -04:00
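The signed-manifest flow in the commit message above, as an added example that is not the autoupdater's or libtomcrypt's code. The names rsa_make_keys and rsa_sign follow the tools named in the message; the manifest line format, the autoupdate() decision routine and the fetch callback are assumptions for the illustration. RSA is a stripped-down PKCS#1 v1.5 construction over freshly generated, deliberately small keys so the block runs offline; a real updater uses a vetted library (libtomcrypt here) and 2048-bit or larger keys.

```python
"""Added example of the autoupdater's trust chain: verify the manifest
signature first, then every downloaded file against its listed sha256.
Key sizes and the hand-rolled RSA are for demonstration only."""
import hashlib
import hmac
import secrets

# DER DigestInfo prefix for SHA-256 (RFC 8017 section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _is_probable_prime(n, rounds=32):
    """Trial division then Miller-Rabin. Demo quality, not a library."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def rsa_make_keys(bits=512):
    """Returns ((n, e), (n, d)). 512 bits is a DEMO size; real keys are >= 2048."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _emsa_pkcs1_v1_5(data, k):
    """EM = 00 || 01 || PS (ff..., >= 8 bytes) || 00 || DigestInfo || SHA-256(data)."""
    t = SHA256_DIGESTINFO + hashlib.sha256(data).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too small for SHA-256 with PKCS#1 v1.5")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(priv, data):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(_emsa_pkcs1_v1_5(data, k), "big")
    return pow(m, d, n).to_bytes(k, "big")

def rsa_verify(pub, data, sig):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(sig) != k or int.from_bytes(sig, "big") >= n:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    # Compare the whole encoded message instead of parsing it: lenient EM
    # parsing is what enabled the 2006 Bleichenbacher low-exponent forgeries.
    return hmac.compare_digest(em, _emsa_pkcs1_v1_5(data, k))

def build_manifest(files):
    """Assumed manifest format (not the project's): '<sha256 hex>  <path>' per line."""
    return "".join("%s  %s\n" % (hashlib.sha256(data).hexdigest(), path)
                   for path, data in sorted(files.items())).encode()

def parse_manifest(manifest):
    entries = {}
    for line in manifest.decode().splitlines():
        digest, path = line.split("  ", 1)
        entries[path] = digest
    return entries

def autoupdate(pub, manifest, sig, fetch):
    """Updater decision: reject everything unless the manifest signature checks,
    then reject the update if any fetched file's sha256 differs from the listed
    one. fetch(path) stands in for downloading one file. Returns the accepted
    {path: data} dict, or None when the update must be refused."""
    if not rsa_verify(pub, manifest, sig):
        return None                      # tampered or corrupt manifest
    accepted = {}
    for path, digest in parse_manifest(manifest).items():
        data = fetch(path)
        if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), digest):
            return None                  # file does not match the signed manifest
        accepted[path] = data
    return accepted

def demo():
    """Constructed release: an honest server, a server with a re-generated but
    unsigned manifest, and a server swapping one file under the signed manifest."""
    pub, priv = rsa_make_keys()
    release = {"baseq3/pak9.pk3": b"constructed pak data", "ioquake3.x86": b"constructed binary"}
    manifest = build_manifest(release)
    sig = rsa_sign(priv, manifest)       # this is manifest.txt.sig
    evil = dict(release)
    evil["ioquake3.x86"] = b"malware"
    honest = autoupdate(pub, manifest, sig, release.get)
    forged = autoupdate(pub, build_manifest(evil), sig, evil.get)
    swapped = autoupdate(pub, manifest, sig, evil.get)
    return honest == release, forged is None, swapped is None
```

The two rejection paths are the ones the message describes: a tampered manifest fails the signature before anything is downloaded, and a tampered file fails its sha256 against the trusted manifest. One caveat the scheme as written does not cover is freshness: an old manifest with its old valid signature still verifies, so an attacker controlling the download server can serve a previously released (and possibly vulnerable) build; a version number or timestamp in the manifest plus a monotonic check in the updater closes that gap.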
Ryan C. Gordon
1aa20487a4 autoupdater: Fixed up GCC/clang printf function attribute. 2017-06-03 12:02:29 -04:00
Ryan C. Gordon
b33551dfa2 Fixed comment typo: s/until/under 2017-06-02 11:28:33 -04:00
Ryan C. Gordon
cd4aa2d9a9 Don't fail if the game process went away before we were ready to wait for it. 2017-06-02 01:32:33 -04:00
Ryan C. Gordon
b5c54ec019 Use stdint.h on Visual C if >= Visual Studio 2010. 2017-06-02 01:31:45 -04:00
Ryan C. Gordon
82977da9c8 Working Windows port of the autoupdater! 2017-06-02 00:49:42 -04:00
Ryan C. Gordon
8cf088ae27 Fully initialize ManifestItems (rollback, etc, was uninitialized before!). 2017-06-01 17:17:25 -04:00
Ryan C. Gordon
b6a83a1494 ioquake3 calls this arch "x86" and not "i386". 2017-06-01 13:02:17 -04:00
Ryan C. Gordon
a69020b217 Fixed up some types in sha256.* 2017-05-31 03:39:45 -04:00
Ryan C. Gordon
67b0cccc75 Don't fclose(NULL) if a file doesn't exist. 2017-05-30 20:20:18 -04:00
Ryan C. Gordon
f518f75149 Don't link directly to libcurl.
Lots of Linux distros have different names (libcurl-gnutls.so vs etc), and
version the symbols (curl_global_init@@CURL_LIBSSL_3), so it's more compatible
to just dlsym the basic entry points we need and just demand that libcurl is
installed at all.

Alternately: we'll use our own libcurl build, but we'll probably have to dump
SSL support to make this sane to do.
2017-05-30 20:15:59 -04:00
Ryan C. Gordon
b892bcfdbc Cleanup in failures a little better. 2017-05-30 18:02:48 -04:00
Ryan C. Gordon
69829916b5 Fixed -Wstrict-prototypes warning. 2017-05-30 17:37:53 -04:00
Ryan C. Gordon
4729c683fd Initial shot at writing an ioquake3 autoupdater. 2017-05-25 14:13:18 -04:00