Bump version to 2.8.0

Check hash pattern and launcher signature

---

By creating this pull request, I understand that code that is AI
generated or otherwise automatically generated may be rejected without
further discussion.
I declare that I fully understand all code I pushed into this PR, and
wrote all this code myself and own the rights to this code.

.github/workflows/cmake-linux.yml

@@ -20,7 +20,7 @@ jobs:
         with:
             vcpkgArguments: 'zlib nlohmann-json openssl cpp-httplib[openssl]'
             vcpkgDirectory: '${{ runner.workspace }}/b/vcpkg'
-            vcpkgGitCommitId: '40616a5e954f7be1077ef37db3fbddbd5dcd1ca6'
+            vcpkgGitCommitId: 'b5d1a94fb7f88fd835e360fd23a45a09ceedbf48'
 
       - name: Create Build Environment
         run: cmake -E make_directory ${{github.workspace}}/build-linux

.github/workflows/cmake-windows.yml

@@ -20,7 +20,7 @@ jobs:
         with:
             vcpkgArguments: 'discord-rpc zlib nlohmann-json openssl cpp-httplib[openssl]'
             vcpkgDirectory: '${{ runner.workspace }}/b/vcpkg'
-            vcpkgGitCommitId: '40616a5e954f7be1077ef37db3fbddbd5dcd1ca6'
+            vcpkgGitCommitId: 'b5d1a94fb7f88fd835e360fd23a45a09ceedbf48'
             vcpkgTriplet: 'x64-windows-static'
 
       - name: Create Build Environment

src/Network/Http.cpp

@@ -20,45 +20,6 @@
 #include <mutex>
 #include <nlohmann/json.hpp>
 
-void WriteHttpDebug(const httplib::Client& client, const std::string& method, const std::string& target, const httplib::Result& result) try {
-    const std::filesystem::path folder = ".https_debug";
-    std::filesystem::create_directories(folder);
-    if (!std::filesystem::exists(folder / "WHAT IS THIS FOLDER.txt")) {
-        std::ofstream ignore { folder / "WHAT IS THIS FOLDER.txt" };
-        ignore << "This folder exists to help debug current issues with the backend. Do not share this folder with anyone but BeamMP staff. It contains detailed logs of any failed http requests." << std::endl;
-    }
-    const auto file = folder / (method + ".json");
-    // 1 MB limit
-    if (std::filesystem::exists(file) && std::filesystem::file_size(file) > 1'000'000) {
-        std::filesystem::rename(file, file.generic_string() + ".bak");
-    }
-
-    std::ofstream of { file, std::ios::app };
-    nlohmann::json js {
-        { "utc", std::chrono::system_clock::now().time_since_epoch().count() },
-        { "target", target },
-        { "client_info", {
-                             { "openssl_verify_result", client.get_openssl_verify_result() },
-                             { "host", client.host() },
-                             { "port", client.port() },
-                             { "socket_open", client.is_socket_open() },
-                             { "valid", client.is_valid() },
-                         } },
-    };
-    if (result) {
-        auto value = result.value();
-        js["result"] = {};
-        js["result"]["body"] = value.body;
-        js["result"]["status"] = value.status;
-        js["result"]["headers"] = value.headers;
-        js["result"]["version"] = value.version;
-        js["result"]["location"] = value.location;
-        js["result"]["reason"] = value.reason;
-    }
-    of << js.dump();
-} catch (const std::exception& e) {
-    error(e.what());
-}
 
 static size_t CurlWriteCallback(void* contents, size_t size, size_t nmemb, void* userp) {
     std::string* Result = reinterpret_cast<std::string*>(userp);

src/Network/VehicleData.cpp

@@ -94,7 +94,8 @@ void UDPClientMain(const std::string& IP, int Port) {
     inet_pton(AF_INET, IP.c_str(), &ToServer->sin_addr);
     UDPSock = socket(AF_INET, SOCK_DGRAM, 0);
     if (!magic.empty())
-        UDPSend(magic);
+        for (int i = 0; i < 10; i++)
+            UDPSend(magic);
     GameSend("P" + std::to_string(ClientID));
     TCPSend("H", TCPSock);
     UDPSend("p");

src/Security/BeamNG.cpp

@@ -268,7 +268,7 @@ void LegitimacyCheck() {
     std::ifstream libraryFolders(libraryFoldersPath);
     auto root = tyti::vdf::read(libraryFolders);
     for (auto folderInfo : root.childs) {
-        if (std::filesystem::exists(folderInfo.second->attribs["path"] + "/steamapps/common/BeamNG.drive/integrity.json")){
+        if ((folderInfo.second->childs["apps"]->attribs).contains("284160") && std::filesystem::exists(folderInfo.second->attribs["path"] + "/steamapps/common/BeamNG.drive/integrity.json")){
             GameDir = folderInfo.second->attribs["path"] + "/steamapps/common/BeamNG.drive/";
             break;
         }

src/Startup.cpp

@@ -4,7 +4,6 @@
  SPDX-License-Identifier: AGPL-3.0-or-later
 */
 
-
 #include "zip_file.h"
 #include <charconv>
 #include <cstring>
@@ -14,9 +13,9 @@
 #if defined(_WIN32)
 #elif defined(__linux__)
 #include <unistd.h>
-#elif defined (__APPLE__)
+#elif defined(__APPLE__)
-#include <unistd.h>
 #include <libproc.h>
+#include <unistd.h>
 #endif // __APPLE__
 #include "Http.h"
 #include "Logger.h"
@@ -84,7 +83,7 @@ beammp_fs_string GetEN() {
 }
 
 std::string GetVer() {
-    return "2.7";
+    return "2.8";
 }
 std::string GetPatch() {
     return ".0";
@@ -114,7 +113,7 @@ fs::path GetBP(const beammp_fs_char* P) {
     // should instead be placed in Application Support.
     proc_pidpath(pid, path, sizeof(path));
     fspath = std::string(path);
- #else
+#else
     fspath = beammp_fs_string(P);
 #endif
     fspath = fs::weakly_canonical(fspath.string() + "/..");
@@ -194,11 +193,157 @@ void CheckName() {
     }
 }
 
+#if defined(_WIN32)
+#include <wincrypt.h>
+#include <wintrust.h>
+#include <softpub.h>
+#include <iostream>
+
+#pragma comment(lib, "wintrust.lib")
+#pragma comment(lib, "crypt32.lib")
+
+bool CheckThumbprint(std::filesystem::path filepath)
+{
+    HCERTSTORE hStore = NULL;
+    HCRYPTMSG hMsg = NULL;
+
+    if (!CryptQueryObject(
+        CERT_QUERY_OBJECT_FILE,
+        filepath.wstring().c_str(),
+        CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED,
+        CERT_QUERY_FORMAT_FLAG_BINARY,
+        0,
+        NULL, NULL, NULL,
+        &hStore,
+        &hMsg,
+        NULL))
+    {
+        return false;
+    }
+
+    DWORD dwSignerInfo = 0;
+    if (!CryptMsgGetParam(hMsg, CMSG_SIGNER_INFO_PARAM, 0, NULL, &dwSignerInfo) || dwSignerInfo == 0)
+        return false;
+
+    PCMSG_SIGNER_INFO pSignerInfo = (PCMSG_SIGNER_INFO)LocalAlloc(LPTR, dwSignerInfo);
+    if (!CryptMsgGetParam(hMsg, CMSG_SIGNER_INFO_PARAM, 0, pSignerInfo, &dwSignerInfo))
+    {
+        LocalFree(pSignerInfo);
+        return false;
+    }
+
+    CERT_INFO certInfo = {};
+    certInfo.Issuer = pSignerInfo->Issuer;
+    certInfo.SerialNumber = pSignerInfo->SerialNumber;
+
+    PCCERT_CONTEXT pCertContext = CertFindCertificateInStore(
+        hStore,
+        X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
+        0,
+        CERT_FIND_SUBJECT_CERT,
+        &certInfo,
+        NULL);
+
+    if (!pCertContext)
+    {
+        LocalFree(pSignerInfo);
+        return false;
+    }
+
+    BYTE hash[64];
+    DWORD hashSize = sizeof(hash);
+
+    bool match = false;
+    if (CertGetCertificateContextProperty(pCertContext, CERT_SHA256_HASH_PROP_ID, hash, &hashSize))
+    {
+        std::string pubKeyData(
+            reinterpret_cast<const char*>(pCertContext->pCertInfo->SubjectPublicKeyInfo.PublicKey.pbData),
+            pCertContext->pCertInfo->SubjectPublicKeyInfo.PublicKey.cbData
+        );
+
+        std::string pubKeyHash = Utils::GetSha256HashReallyFast(pubKeyData, L"PubKey");
+        debug("pub key hash: " + pubKeyHash);
+
+        std::string fileThumbprint;
+        for (DWORD i = 0; i < hashSize; i++)
+        {
+            char buf[3];
+            sprintf_s(buf, "%02x", hash[i]);
+            fileThumbprint += buf;
+        }
+
+        debug("File thumbprint: " +fileThumbprint);
+        debug(filepath);
+
+        if (fileThumbprint == "937f055b713de69416926ed4651d65219a0a0e77d7a78c1932c007e14326da33" && pubKeyHash == "2afad4a5773b0ac449f48350ce0d09c372be0d5bcbaa6d01332ce000baffde99"){
+            match = true;
+        }
+    }
+
+    CertFreeCertificateContext(pCertContext);
+    CertCloseStore(hStore, 0);
+    LocalFree(pSignerInfo);
+
+    return match;
+}
+#include <windows.h>
+#include <wintrust.h>
+#include <Softpub.h>
+#include <filesystem>
+#include <string>
+
+#pragma comment(lib, "wintrust")
+
+bool VerifySignature(const std::filesystem::path& filePath)
+{
+    std::wstring path = filePath.wstring();
+
+    WINTRUST_FILE_INFO fileInfo = {};
+    fileInfo.cbStruct = sizeof(WINTRUST_FILE_INFO);
+    fileInfo.pcwszFilePath = path.c_str();
+    fileInfo.hFile = NULL;
+    fileInfo.pgKnownSubject = NULL;
+
+    WINTRUST_DATA winTrustData = {};
+    winTrustData.cbStruct = sizeof(WINTRUST_DATA);
+    winTrustData.dwUIChoice = WTD_UI_NONE;
+    winTrustData.dwUnionChoice = WTD_CHOICE_FILE;
+    winTrustData.pFile = &fileInfo;
+
+    winTrustData.dwStateAction = WTD_STATEACTION_VERIFY;
+
+    GUID policyGUID = WINTRUST_ACTION_GENERIC_VERIFY_V2;
+
+    LONG status = WinVerifyTrust(
+        NULL,
+        &policyGUID,
+        &winTrustData
+    );
+
+    debug(filePath);
+    debug("Signature check code: " + std::to_string(status));
+
+    winTrustData.dwStateAction = WTD_STATEACTION_CLOSE;
+    WinVerifyTrust(NULL, &policyGUID, &winTrustData);
+
+    return (status == CERT_E_UNTRUSTEDROOT);
+}
+#endif
+
 void CheckForUpdates(const std::string& CV) {
     std::string LatestHash = HTTP::Get("https://backend.beammp.com/sha/launcher?branch=" + Branch + "&pk=" + PublicKey);
     std::string LatestVersion = HTTP::Get(
         "https://backend.beammp.com/version/launcher?branch=" + Branch + "&pk=" + PublicKey);
 
+    std::regex sha256_pattern(R"(^[a-fA-F0-9]{64}$)");
+    std::smatch match;
+
+    if (LatestHash.length() != 64 || !std::regex_match(LatestHash, match, sha256_pattern)) {
+        error("Invalid hash from backend, skipping update check.");
+        debug("Launcher hash in question: " + LatestHash);
+        return;
+    }
+
     transform(LatestHash.begin(), LatestHash.end(), LatestHash.begin(), ::tolower);
     beammp_fs_string BP(GetBP() / GetEN()), Back(GetBP() / beammp_wide("BeamMP-Launcher.back"));
 
@@ -211,11 +356,23 @@ void CheckForUpdates(const std::string& CV) {
             error("Auto update is NOT implemented for the Linux version. Please update manually ASAP as updates contain security patches.");
 #else
             info("Downloading Launcher update " + LatestHash);
+            std::wstring DownloadLocation = GetBP() / (beammp_wide("new_") + GetEN());
             if (HTTP::Download(
-                "https://backend.beammp.com/builds/launcher?download=true"
+                    "https://backend.beammp.com/builds/launcher?download=true"
-                "&pk="
+                    "&pk="
-                    + PublicKey + "&branch=" + Branch,
+                        + PublicKey + "&branch=" + Branch,
-                GetBP() / (beammp_wide("new_") + GetEN()), LatestHash)) {
+                    DownloadLocation, LatestHash)) {
+                if (!VerifySignature(DownloadLocation) || !CheckThumbprint(DownloadLocation)) {
+                    std::error_code ec;
+                    fs::remove(DownloadLocation, ec);
+                    if (ec) {
+                        error("Failed to remove broken launcher update");
+                    }
+                    throw std::runtime_error("The authenticity of the updated launcher could not be verified, it was corrupted or tampered with.");
+                }
+
+                info("Update signature is valid");
+
                 std::error_code ec;
                 fs::remove(Back, ec);
                 if (ec == std::errc::permission_denied) {
@@ -227,6 +384,13 @@ void CheckForUpdates(const std::string& CV) {
                 fs::rename(GetBP() / (beammp_wide("new_") + GetEN()), BP);
                 URelaunch();
             } else {
+                if (fs::exists(DownloadLocation)) {
+                    std::error_code error_code;
+                    fs::remove(DownloadLocation, error_code);
+                    if (error_code) {
+                        error("Failed to remove broken launcher update");
+                    }
+                }
                 throw std::runtime_error("Failed to download the launcher update! Please try manually updating it, https://docs.beammp.com/FAQ/Update-launcher/");
             }
 #endif
@@ -238,7 +402,6 @@ void CheckForUpdates(const std::string& CV) {
     TraceBack++;
 }
 
-
 #ifdef _WIN32
 void LinuxPatch() {
     HKEY hKey = nullptr;
@@ -357,6 +520,15 @@ void PreGame(const beammp_fs_string& GamePath) {
                              [](auto const& c) -> bool { return !std::isalnum(c); }),
             LatestHash.end());
 
+        std::regex sha256_pattern(R"(^[a-fA-F0-9]{64}$)");
+        std::smatch match;
+
+        if (LatestHash.length() != 64 || !std::regex_match(LatestHash, match, sha256_pattern)) {
+            error("Invalid hash from backend, skipping mod update check.");
+            debug("Mod hash in question: " + LatestHash);
+            return;
+        }
+
         try {
             if (!fs::exists(GetGamePath() / beammp_wide("mods/multiplayer"))) {
                 fs::create_directories(GetGamePath() / beammp_wide("mods/multiplayer"));