Leak_Technologies/HULL
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Move autoupdater to its own repo (https://github.com/ioquake/autoupdater)

Browse Source
This commit is contained in:
Tim Angus 2025-11-02 17:19:40 +00:00
parent a9a6ccb103
commit 7bd2c17f9d
11 changed files with 0 additions and 1619 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1046
code/autoupdater/autoupdater.c
View File

File diff suppressed because it is too large Load Diff

8
code/autoupdater/rsa_tools/.gitignore vendored
View File

@ -1,8 +0,0 @@
crypt-*.tar.bz2
tfm-*.tar.xz
libtomcrypt-*
tomsfastmath-*
rsa_make_keys
rsa_sign
rsa_verify
*.exe

79
code/autoupdater/rsa_tools/build-libtom-unix.sh
View File

@ -1,79 +0,0 @@
#!/bin/bash
TFMVER=0.13.1
LTCVER=1.17
set -e
OSTYPE=`uname -s`
if [ "$OSTYPE" = "Linux" ]; then
NCPU=`cat /proc/cpuinfo |grep vendor_id |wc -l`
let NCPU=$NCPU+1
elif [ "$OSTYPE" = "Darwin" ]; then
NCPU=`sysctl -n hw.ncpu`
export CFLAGS="$CFLAGS -mmacosx-version-min=10.7 -DMAC_OS_X_VERSION_MIN_REQUIRED=1070"
export LDFLAGS="$LDFLAGS -mmacosx-version-min=10.7"
elif [ "$OSTYPE" = "SunOS" ]; then
NCPU=`/usr/sbin/psrinfo |wc -l |sed -e 's/^ *//g;s/ *$//g'`
else
NCPU=1
fi
if [ -z "$NCPU" ]; then
NCPU=1
elif [ "$NCPU" = "0" ]; then
NCPU=1
fi
if [ ! -f tfm-$TFMVER.tar.xz ]; then
echo "Downloading TomsFastMath $TFMVER sources..."
curl -L -o tfm-$TFMVER.tar.xz https://github.com/libtom/tomsfastmath/releases/download/v$TFMVER/tfm-$TFMVER.tar.xz || exit 1
fi
if [ ! -f ./crypt-$LTCVER.tar.bz2 ]; then
echo "Downloading LibTomCrypt $LTCVER sources..."
curl -L -o crypt-$LTCVER.tar.bz2 https://github.com/libtom/libtomcrypt/releases/download/$LTCVER/crypt-$LTCVER.tar.bz2 || exit 1
fi
if [ ! -d tomsfastmath-$TFMVER ]; then
echo "Checking TomsFastMath archive hash..."
if [ "`shasum -a 256 tfm-$TFMVER.tar.xz |awk '{print $1;}'`" != "47c97a1ada3ccc9fcbd2a8a922d5859a84b4ba53778c84c1d509c1a955ac1738" ]; then
echo "Uhoh, tfm-$TFMVER.tar.xz does not have the sha256sum we expected!"
exit 1
fi
echo "Unpacking TomsFastMath $TFMVER sources..."
tar -xJvvf ./tfm-$TFMVER.tar.xz
fi
if [ ! -d libtomcrypt-$LTCVER ]; then
if [ "`shasum -a 256 crypt-$LTCVER.tar.bz2 |awk '{print $1;}'`" != "e33b47d77a495091c8703175a25c8228aff043140b2554c08a3c3cd71f79d116" ]; then
echo "Uhoh, crypt-$LTCVER.tar.bz2 does not have the sha256sum we expected!"
exit 1
fi
echo "Unpacking LibTomCrypt $LTCVER sources..."
tar -xjvvf ./crypt-$LTCVER.tar.bz2
fi
echo
echo
echo "Will use make -j$NCPU. If this is wrong, check NCPU at top of script."
echo
echo
set -e
set -x
# Some compilers can't handle the ROLC inline asm; just turn it off.
cd tomsfastmath-$TFMVER
make -j$NCPU
cd ..
export CFLAGS="$CFLAGS -DTFM_DESC -DLTC_NO_ROLC -I ../tomsfastmath-$TFMVER/src/headers"
cd libtomcrypt-$LTCVER
make -j$NCPU
cd ..
set +x
echo "All done."
# end of build-libtom-unix.sh ...

33
code/autoupdater/rsa_tools/build-rsa-tools.sh
View File

@ -1,33 +0,0 @@
#!/bin/bash
export TFMDIR="tomsfastmath-0.13.1"
export LTCDIR="libtomcrypt-1.17"
OSTYPE=`uname -s`
if [ -z "$CC" ]; then
if [ "`uname -o`" = "Cygwin" ]; then
export CC=/usr/bin/i686-w64-mingw32-gcc
else
export CC=cc
fi
fi
function build {
if [ "$OSTYPE" = "Darwin" ]; then
$CC -mmacosx-version-min=10.7 -DMAC_OS_X_VERSION_MIN_REQUIRED=1070 -I $TFMDIR/src/headers -I $LTCDIR/src/headers -o "$1" -Wall -O3 "$1.c" rsa_common.c $LTCDIR/libtomcrypt.a $TFMDIR/libtfm.a
else
$CC -I $TFMDIR/src/headers -I $LTCDIR/src/headers -o "$1" -Wall -O3 "$1.c" rsa_common.c $LTCDIR/libtomcrypt.a $TFMDIR/libtfm.a
fi
}
set -e
set -x
./build-libtom-unix.sh
build rsa_make_keys
build rsa_sign
build rsa_verify
set +x
echo "rsa_tools are compiled!"

61
code/autoupdater/rsa_tools/rsa_common.c
View File

@ -1,61 +0,0 @@
#include "rsa_common.h"
void fail(const char *fmt, ...)
{
va_list ap;
va_start(ap, fmt);
vfprintf(stderr, fmt, ap);
va_end(ap);
fputs("\n", stderr);
fflush(stderr);
exit(1);
}
void write_file(const char *fname, const void *buf, const unsigned long len)
{
FILE *io = fopen(fname, "wb");
if (!io) {
fail("Can't open '%s' for writing: %s", fname, strerror(errno));
}
if (fwrite(buf, len, 1, io) != 1) {
fail("Couldn't write '%s': %s", fname, strerror(errno));
}
if (fclose(io) != 0) {
fail("Couldn't flush '%s' to disk: %s", fname, strerror(errno));
}
}
void read_file(const char *fname, void *buf, unsigned long *len)
{
ssize_t br;
FILE *io = fopen(fname, "rb");
if (!io) {
fail("Can't open '%s' for reading: %s", fname, strerror(errno));
}
br = fread(buf, 1, *len, io);
if (ferror(io)) {
fail("Couldn't read '%s': %s", fname, strerror(errno));
} else if (!feof(io)) {
fail("Buffer too small to read '%s'", fname);
}
fclose(io);
*len = (unsigned long) br;
}
void read_rsakey(rsa_key *key, const char *fname)
{
unsigned char buf[4096];
unsigned long len = sizeof (buf);
int rc;
read_file(fname, buf, &len);
if ((rc = rsa_import(buf, len, key)) != CRYPT_OK) {
fail("rsa_import for '%s' failed: %s", fname, error_to_string(rc));
}
}

30
code/autoupdater/rsa_tools/rsa_common.h
View File

@ -1,30 +0,0 @@
#ifndef _INCL_RSA_COMMON_H_
#define _INCL_RSA_COMMON_H_ 1
#include <stdarg.h>
#include <stdio.h>
#include <errno.h>
#define TFM_DESC
#define LTC_NO_ROLC
#include "tomcrypt.h"
#define SALT_LEN 8
#if defined(__GNUC__) || defined(__clang__)
#define NEVER_RETURNS __attribute__((noreturn))
#define PRINTF_FUNC(fmtargnum, dotargnum) __attribute__ (( format( __printf__, fmtargnum, dotargnum )))
#else
#define NEVER_RETURNS
#define PRINTF_FUNC(fmtargnum, dotargnum)
#endif
void fail(const char *fmt, ...) NEVER_RETURNS PRINTF_FUNC(1, 2);
void write_file(const char *fname, const void *buf, const unsigned long len);
void read_file(const char *fname, void *buf, unsigned long *len);
void read_rsakey(rsa_key *key, const char *fname);
#endif
/* end of rsa_common.h ... */

45
code/autoupdater/rsa_tools/rsa_make_keys.c
View File

@ -1,45 +0,0 @@
#include "rsa_common.h"
static void write_rsakey(rsa_key *key, const int type, const char *fname)
{
unsigned char buf[4096];
unsigned long len = sizeof (buf);
int rc;
if ((rc = rsa_export(buf, &len, type, key)) != CRYPT_OK) {
fail("rsa_export for '%s' failed: %s", fname, error_to_string(rc));
}
write_file(fname, buf, len);
}
int main(int argc, char **argv)
{
int rc = 0;
prng_state prng;
int prng_index;
rsa_key key;
ltc_mp = tfm_desc;
prng_index = register_prng(&sprng_desc); /* (fortuna_desc is a good choice if your platform's PRNG sucks.) */
if (prng_index == -1) {
fail("Failed to register a RNG");
}
if ((rc = rng_make_prng(128, prng_index, &prng, NULL)) != CRYPT_OK) {
fail("rng_make_prng failed: %s", error_to_string(rc));
}
if ((rc = rsa_make_key(&prng, prng_index, 256, 65537, &key)) != CRYPT_OK) {
fail("rng_make_key failed: %s", error_to_string(rc));
}
write_rsakey(&key, PK_PRIVATE, "privatekey.bin");
write_rsakey(&key, PK_PUBLIC, "publickey.bin");
rsa_free(&key);
return 0;
}
/* end of rsa_make_keys.c ... */

75
code/autoupdater/rsa_tools/rsa_sign.c
View File

@ -1,75 +0,0 @@
#include "rsa_common.h"
static void sign_file(const char *fname, rsa_key *key, prng_state *prng, const int prng_index, const int hash_index)
{
const size_t sigfnamelen = strlen(fname) + 5;
char *sigfname = (char *) malloc(sigfnamelen);
unsigned char hash[256];
unsigned long hashlen = sizeof (hash);
unsigned char sig[1024];
unsigned long siglen = sizeof (sig);
int rc = 0;
int status = 0;
if (!sigfname) {
fail("out of memory");
}
if ((rc = hash_file(hash_index, fname, hash, &hashlen)) != CRYPT_OK) {
fail("hash_file for '%s' failed: %s", fname, error_to_string(rc));
}
if ((rc = rsa_sign_hash(hash, hashlen, sig, &siglen, prng, prng_index, hash_index, SALT_LEN, key)) != CRYPT_OK) {
fail("rsa_sign_hash for '%s' failed: %s", fname, error_to_string(rc));
}
if ((rc = rsa_verify_hash(sig, siglen, hash, hashlen, hash_index, SALT_LEN, &status, key)) != CRYPT_OK) {
fail("rsa_verify_hash for '%s' failed: %s", fname, error_to_string(rc));
}
if (!status) {
fail("Generated signature isn't valid! Bug in the program!");
}
snprintf(sigfname, sigfnamelen, "%s.sig", fname);
write_file(sigfname, sig, siglen);
free(sigfname);
}
int main(int argc, char **argv)
{
int rc = 0;
prng_state prng;
int prng_index, hash_index;
rsa_key key;
int i;
ltc_mp = tfm_desc;
prng_index = register_prng(&sprng_desc); /* (fortuna_desc is a good choice if your platform's PRNG sucks.) */
if (prng_index == -1) {
fail("Failed to register a RNG");
}
hash_index = register_hash(&sha256_desc);
if (hash_index == -1) {
fail("Failed to register sha256 hasher");
}
if ((rc = rng_make_prng(128, prng_index, &prng, NULL)) != CRYPT_OK) {
fail("rng_make_prng failed: %s", error_to_string(rc));
}
read_rsakey(&key, "privatekey.bin");
for (i = 1; i < argc; i++) {
sign_file(argv[i], &key, &prng, prng_index, hash_index);
}
rsa_free(&key);
return 0;
}
/* end of rsa_sign.c ... */

60
code/autoupdater/rsa_tools/rsa_verify.c
View File

@ -1,60 +0,0 @@
#include "rsa_common.h"
static void verify_file(const char *fname, rsa_key *key, const int hash_index)
{
const size_t sigfnamelen = strlen(fname) + 5;
char *sigfname = (char *) malloc(sigfnamelen);
unsigned char hash[256];
unsigned long hashlen = sizeof (hash);
unsigned char sig[1024];
unsigned long siglen = sizeof (sig);
int status = 0;
int rc = 0;
if (!sigfname) {
fail("out of memory");
}
snprintf(sigfname, sigfnamelen, "%s.sig", fname);
read_file(sigfname, sig, &siglen);
free(sigfname);
if ((rc = hash_file(hash_index, fname, hash, &hashlen)) != CRYPT_OK) {
fail("hash_file for '%s' failed: %s", fname, error_to_string(rc));
}
if ((rc = rsa_verify_hash(sig, siglen, hash, hashlen, hash_index, SALT_LEN, &status, key)) != CRYPT_OK) {
fail("rsa_verify_hash for '%s' failed: %s", fname, error_to_string(rc));
}
if (!status) {
fail("Invalid signature for '%s'! Don't trust this file!", fname);
}
}
int main(int argc, char **argv)
{
int hash_index;
rsa_key key;
int i;
ltc_mp = tfm_desc;
hash_index = register_hash(&sha256_desc);
if (hash_index == -1) {
fail("Failed to register sha256 hasher");
}
read_rsakey(&key, "publickey.bin");
for (i = 1; i < argc; i++) {
verify_file(argv[i], &key, hash_index);
}
rsa_free(&key);
return 0;
}
/* end of rsa_verify.c ... */

17
code/autoupdater/rsa_tools/test-rsa-tools.sh
View File

@ -1,17 +0,0 @@
#!/bin/bash
if [ -f privatekey.bin ]; then
echo "move your existing keys out of the way."
exit 1
fi
( ./rsa_make_keys && echo "key making okay") || echo "key making NOT okay"
echo "The quick brown fox jumped over the lazy dog." >testmsg.txt
( ./rsa_sign testmsg.txt && echo "signing okay" ) || echo "signing NOT okay"
( ./rsa_verify testmsg.txt && echo "basic verifying okay" ) || echo "basic verifying NOT okay"
echo "The quick brown fox jumped over the lazy dog!" >testmsg.txt
( ./rsa_verify testmsg.txt 2>/dev/null && echo "tamper test NOT okay" ) || echo "tamper test okay"
echo "The quick brown fox jumped over the lazy dog." >testmsg.txt
( ./rsa_verify testmsg.txt && echo "reverify okay" ) || echo "reverify NOT okay"
rm -f testmsg.txt testmsg.txt.sig publickey.bin privatekey.bin

165
docs/autoupdater-readme.txt
View File

@ -1,165 +0,0 @@
The updater program's code is public domain. The rest of ioquake3 is not.
The source code to the autoupdater is in the code/autoupdater directory.
There is a small piece of code in ioquake3 itself at startup, too; this is
in code/sys/sys_autoupdater.c ...
(This is all Unix terminology, but similar approaches on Windows apply.)
The updater is a separate program, written in C, with no dependencies on
the game. It (statically) links to libcurl and uses the C runtime, but
otherwise has no external dependencies. It has to be a single binary file
with no shared libraries.
The basic flow looks like this:
- The game launches as usual.
- Right after main() starts, the game creates a pipe, forks off a new process,
and execs the updater in that process. The game won't ever touch the pipe
again. It's just there to block the child app until the game terminates.
- The updater has no UI. It writes a log file.
- The updater downloads a manifest from a known URL over https://, using
libCurl. The base URL is platform-specific (it might be
https://example.com/mac/, or https://example.com/linux-x86/, whatever).
The url might have other features, like a updater version or a specific
product name, etc.
The manifest is at $BASEURL/manifest.txt
- The updater also downloads $BASEURL/manifest.txt.sig, which is a digital
signature for the manifest. It checks the manifest against this signature
and a known public RSA key; if the manifest doesn't match the signature,
the updater refuses to continue.
- The manifest looks like this: three lines per item...
Contents/MacOS/baseq3/uix86_64.dylib
332428
a49bbe77f8eb6c195265ea136f881f7830db58e4d8a883b27f59e1e23e396a20
- That's the file's path, its size in bytes, and an sha256 hash of the data.
- The file will be at this path under the base url on the webserver.
- The manifest only lists files that ever needed updating; it's not necessary
to list every file in the game's installation (unless you want to allow the
entire game to download).
- The updater will check each item in the manifest:
- Does the file not exist in the install? Needs downloading.
- Does the file have a different size? Needs downloading.
- Does the file have a different sha256sum? Needs downloading.
- Otherwise, file is up to date, leave it alone.
- If an item needs downloading, do these same checks against the file in the
download directory (if it's already there and matches, don't download again.)
- Download necessary files with libcurl, put it in a download directory.
- The downloaded file is also checked for size and sha256 vs the manifest, to
make sure there was no corruption or confusion. If a downloaded file doesn't
match what was expected, the updater aborts and will try again next time.
This could fail checksum due to i/o errors and compromised security, but
it might just be that a new version was being published and bad luck
happened, and a retry later could correct everything.
- If the updater itself needs upgrading, we deal with that first. It's
downloaded, then the updater relaunches from the downloaded binary with
a special command line. That relaunched process copies itself to the proper
location, and then relaunches _again_ to restart the normal updating
process with the new updater in its correct position.
- Once the downloads are complete and the updater itself doesn't need
upgrading, we are ready to start the normal upgrade. Since we can't replace
executables on some platforms while they are running, and swapping out a
game's data files at runtime isn't wise in general, the updater will now
block until the game terminates. It does this by reading on the pipe that
the game created when forking the updater; since the game never writes
anything to this pipe, it causes the updater to block until the pipe closes.
Since the game never deliberately closes the pipe either, it remains open
until the OS forcibly closes it as the game process terminates. Being an
unnamed pipe, it just vaporizes at this point, leaving no state that might
accidentally hang us up later, like a global semaphore or whatnot. This
technique also lets us localize the game's code changes to one small block
of C code, with no need to manage these resources elsewhere.
- As a sanity check, the updater will also kill(game_process_id, 0) until it
fails, sleeping for 100 milliseconds between each attempt, in case the
process is still being cleaned up by the OS after closing the pipe.
- Once the updater is confident the game process is gone, it will start
upgrading the appropriate files. It does this in two steps: it moves
the old file to a "rollback" directory so it's out of the way but still
available, then it moves the newly-downloaded file into place. Since these
are all simple renames and not copies, this can move fast. Any missing
parent directories are created, in case the update is adding a new file
in a directory that didn't previously exist.
- If something goes wrong at this point (file i/o error, etc), the updater
will roll back the changes by deleting the updated files, and moving the
files in the "rollback" directory back to their original locations. Then
the updater aborts.
- If nothing went wrong, the rollback files are deleted. And we are officially
up to date! The updater terminates.
The updater is designed to fail at any point. If a download fails, it'll
pick up and try again next time, etc. Completed downloads will remain, so it
will just need to download any missing/incomplete files.
The server side just needs to be able to serve static files over HTTPS from
any standard Apache/nginx/whatever process.
Failure points:
- If the updater fails when still downloading data, it just picks up on next
restart.
- If the updater fails when replacing files, it rolls back any changes it has
made.
- If the updater fails when rolling back, then running the updater again after
fixing the specific problem (disk error, etc?) will redownload and replace
any files that were left in an uncertain state. The only true point of
risk is crashing during a rollback and then having the updater bricked for
some reason, but that's an extremely small surface area, knock on wood.
- If the updater crashes or totally bricks, ioquake3 should just keep being
ioquake3. It will still launch and play, even if the updater is quietly
segfaulting in the background on startup.
- If an update bricks ioquake3 to the point where it can't run the updater,
running the updater directly should let it recover (assuming a future update
fixes the problem).
- If the download server is compromised, they would need the private key
(not stored on the download server) to alter the manifest to serve
compromised files to players. If they try to change a file or the manifest,
the updater will know to abort without updating anything.
- If the private key is compromised, we generate a new one, ship new
installers with an updated public key, and re-sign the manifest with the
new private key. Existing installations will never update again until they
do a fresh install, or at least update their copy of the public key.
How manifest signing works:
Some admin will generate a public/private key with the rsa_make_keys program,
keeping the private key secret. Using the private key and the rsa_sign
program, the admin will sign the manifest, generating manifest.txt.sig.
The public key ships with the game (adding 270 bytes to the download), the
.sig is downloaded with the manifest by the autoupdater (256 bytes extra
download), then the autoupdater checks the manifest against the signature
with the public key. if the signature isn't valid (the manifest was tampered
with or corrupt), the autoupdater refuses to continue.
If the manifest is to be trusted, it lists sha256 checksums for every file to
download, so there's no need to sign every file; if they can't tamper with the
manifest, they can't tamper with any other file to be updated since the file's
listed sha256 won't match.
If the private key is compromised, we generate new keys and ship new
installers, so new installations will be able to update but existing ones
will need to do a new install to keep getting updates. Don't let the private
key get compromised. The private key doesn't go on a public server. Maybe it
doesn't even live on the admin's laptop hard drive.
If the download server is compromised and serving malware, the autoupdater
will reject it outright if they haven't compromised the private key, generated
a new manifest, and signed it with the private key.
Items to consider for future revisions:
- Maybe put a limit on the number manifest downloads, so we only check once
every hour? Every day?
- Channels? Stable (what everyone gets by default), Nightly (once a day),
Experimental (some other work-in-progress branch), Bloody (literally the
latest commit).
- Let mods update, separate from the main game?
Questions? Ask Ryan: icculus@icculus.org
--ryan.