Sfoglia il codice sorgente

Add PluginLoader class

- PluginLoader::verify can be used to check if the plugin has a valid
(SHA512/RSA 4096) signature.
- Uses nn OpenSSL public key that is embedded during the compile.
Aqua-sama 2 mesi fa
parent
commit
95d92e52ed
Firmato da: Aqua-sama <aqua@iserlohn-fortress.net> ID Chiave GPG: 5378B8349C1D5ADA
7 ha cambiato i file con 121 aggiunte e 15 eliminazioni
  1. 17
    10
      linux/makepkg/PKGBUILD
  2. 3
    1
      meson.build
  3. 3
    1
      src/browser.cpp
  4. 4
    2
      src/main.cpp
  5. 4
    1
      src/meson.build
  6. 77
    0
      src/plugin/pluginloader.cpp
  7. 13
    0
      src/plugin/pluginloader.h

+ 17
- 10
linux/makepkg/PKGBUILD Vedi File

@@ -14,10 +14,10 @@ license=('GPL3')
14 14
 
15 15
 depends=('qt5-webengine>=5.11.0' 'boost-libs>=1.66.0')
16 16
 optdepends=('firejail: launch a sandboxed instance')
17
-makedepends=('git' 'meson' 'pkg-config' 'python-kconfiglib' 'asciidoctor')
17
+makedepends=('git' 'meson' 'pkg-config' 'python-kconfiglib' 'asciidoctor' 'openssl')
18 18
 
19 19
 # this is the central repository
20
-source=("git+https://neueland.iserlohn-fortress.net/gitea/aqua/smolbote.git"
20
+source=("git+https://neueland.iserlohn-fortress.net/gitea/aeon/smolbote.git"
21 21
         "git+https://github.com/itay-grudev/SingleApplication.git")
22 22
 
23 23
 sha512sums=('SKIP'
@@ -32,6 +32,17 @@ prepare() {
32 32
     git submodule init
33 33
     git config submodule.3rd-party/SingleApplication/SingleApplication.git.url $srcdir/SingleApplication
34 34
     git submodule update 3rd-party/SingleApplication/SingleApplication.git
35
+
36
+    msg "Creating OpenSSL signing key"
37
+    mkdir $srcdir/signing
38
+    cd $srcdir/signing
39
+    # generate rsa keypair
40
+    openssl genrsa -out privateKey.pem 4096
41
+    msg2 "RSA/4096 key created in $srcdir/signing/privateKey.pem. Keep this key if you want to sign additional plugins."
42
+
43
+    openssl rsa -in privateKey.pem -pubout -out publicKey.pem
44
+    xxd -i publicKey.pem $srcdir/smolbote/src/plugin/publicKey.h
45
+    msg2 "Public key exported, and will be embedded into the resulting application. This will break reproducible builds."
35 46
 }
36 47
 
37 48
 pkgver() {
@@ -76,13 +87,9 @@ package() {
76 87
     cd $srcdir/build
77 88
     DESTDIR="$pkgdir" ninja install
78 89
 
79
-    #msg Creating signing key in $srcdir/build/gpg
80
-    #mkdir $srcdir/build/gpg
81
-    #gpg2 --homedir=$srcdir/build/gpg --batch --generate-key $srcdir/smolbote/tools/gpgkey.preset
82
-
83
-    #msg Signing plugins
84
-    #for so in $pkgdir/usr/local/lib/smolbote/plugins/*.so; do
85
-    #    gpg2 --homedir=$srcdir/build/gpg --batch --yes --local-user=smolbote@localhost --detach-sign --output=$so.sig $so
86
-    #done
90
+    msg Signing plugins
91
+    for so in $pkgdir/usr/local/lib/smolbote/plugins/*.so; do
92
+        openssl dgst -sha256 -sign $srcdir/signing/privateKey.pem -out $so.sig $so
93
+    done
87 94
 }
88 95
 

+ 3
- 1
meson.build Vedi File

@@ -1,5 +1,5 @@
1 1
 project('smolbote', 'cpp',
2
-    version: 'master',
2
+    version: '0.1.0',
3 3
     default_options: ['cpp_std=c++17', 'strip=true', 'warning_level=3'],
4 4
     license: 'GPL3',
5 5
     meson_version: '>=0.49.0'
@@ -26,6 +26,8 @@ dep_boost = dependency('boost', modules: ['program_options'])
26 26
 
27 27
 dep_spdlog = dependency('spdlog', fallback: ['spdlog', 'spdlog_dep'], version: '>=1.3.1')
28 28
 
29
+dep_openssl = dependency('openssl')
30
+
29 31
 optional_deps = []
30 32
 
31 33
 if get_option('Breakpad').enabled()

+ 3
- 1
src/browser.cpp Vedi File

@@ -38,6 +38,7 @@
38 38
 #include "adblock/adblocklist.h"
39 39
 #include "hostlist/hostlist.h"
40 40
 #include <spdlog/spdlog.h>
41
+#include "plugin/pluginloader.h"
41 42
 
42 43
 Browser::Browser(int &argc, char *argv[], bool allowSecondary)
43 44
     : SingleApplication(argc, argv, allowSecondary, SingleApplication::User | SingleApplication::SecondaryNotification | SingleApplication::ExcludeAppVersion)
@@ -150,7 +151,8 @@ QPluginLoader *Browser::addPlugin(const QString &path)
150 151
     if(path.isEmpty())
151 152
         return nullptr;
152 153
 
153
-    auto *loader = new QPluginLoader(path, this);
154
+    auto *loader = new PluginLoader(path, this);
155
+    spdlog::info("Verifying plugin: {}", loader->verify() ? "passed" : "failed");
154 156
     loader->load();
155 157
 
156 158
     auto *info = new PluginInfo(loader);

+ 4
- 2
src/main.cpp Vedi File

@@ -18,6 +18,7 @@
18 18
 #include <QFile>
19 19
 #include <QLibraryInfo>
20 20
 #include <QPluginLoader>
21
+#include "plugin/pluginloader.h"
21 22
 #include <QTranslator>
22 23
 #include <memory>
23 24
 #include <plugininterface.h>
@@ -69,8 +70,9 @@ int main(int argc, char **argv)
69 70
     CommandHash_t pluginCommands;
70 71
 
71 72
     // Load plugins
72
-    for(const QString &path : Util::files(config->value<QString>("plugins.path").value())) {
73
-        auto *loader = new QPluginLoader(path);
73
+    for(const QString &path : Util::files(config->value<QString>("plugins.path").value(), {"*.so", "*.dll"})) {
74
+        auto *loader = new PluginLoader(path);
75
+        spdlog::info("Verifying plugin: {}", loader->verify() ? "passed" : "failed");
74 76
         const bool loaded = loader->load();
75 77
         spdlog::info("{} plugin {}", loaded ? "Loaded" : "Failed to load", qUtf8Printable(path));
76 78
 

+ 4
- 1
src/meson.build Vedi File

@@ -1,6 +1,7 @@
1 1
 # poi
2 2
 poi_moc = mod_qt5.preprocess(
3 3
     moc_headers: ['browser.h',
4
+        'plugin/pluginloader.h',
4 5
         'mainwindow/mainwindow.h', 'mainwindow/menubar.h', 'mainwindow/widgets/dockwidget.h', 'mainwindow/widgets/menusearch.h', 'mainwindow/widgets/navigationbar.h', 'mainwindow/widgets/searchform.h',
5 6
         'session/savesessiondialog.h', 'session/sessiondialog.h', 'session/sessionform.h',
6 7
         'subwindow/subwindow.h', 'subwindow/tabwidget.h',
@@ -13,13 +14,15 @@ poi_moc = mod_qt5.preprocess(
13 14
 
14 15
 poi = executable(get_option('poiName'), install: true,
15 16
     cpp_args: ['-DQAPPLICATION_CLASS=QApplication'],
16
-    dependencies: [dep_qt5, dep_boost, dep_spdlog, dep_SingleApplication, dep_genheaders, optional_deps,
17
+    dependencies: [dep_qt5, dep_boost, dep_spdlog, dep_openssl, dep_SingleApplication, dep_genheaders, optional_deps,
17 18
         dep_about, dep_addressbar, dep_bookmarks, dep_configuration, dep_downloads, dep_urlfilter, dep_webprofile],
18 19
     include_directories: [include],
19 20
     sources: ['main.cpp', 'builtins.cpp', 'crashhandler.cpp', poi_moc,
20 21
     'browser.cpp',
21 22
     'util.cpp', 'util.h',
22 23
 
24
+    'plugin/pluginloader.cpp',
25
+
23 26
     'mainwindow/mainwindow.cpp',
24 27
     'mainwindow/menubar.cpp',
25 28
     'mainwindow/widgets/dockwidget.cpp',

+ 77
- 0
src/plugin/pluginloader.cpp Vedi File

@@ -0,0 +1,77 @@
1
+#include "pluginloader.h"
2
+#include <QFile>
3
+#include <openssl/evp.h>
4
+#include <openssl/pem.h>
5
+#include "publicKey.h"
6
+#include <spdlog/spdlog.h>
7
+
8
+PluginLoader::PluginLoader(const QString &fileName, QObject *parent)
9
+    : QPluginLoader(fileName, parent)
10
+{
11
+}
12
+
13
+bool PluginLoader::verify(const char *hashName) const
14
+{
15
+    const QString sigName = this->fileName() + ".sig";
16
+    if(!QFile::exists(sigName)) {
17
+        spdlog::error("Signature does not exist: {}", qUtf8Printable(sigName));
18
+        return false;
19
+    }
20
+
21
+    auto *bio = BIO_new_mem_buf(publicKey_pem, publicKey_pem_len);
22
+    Q_CHECK_PTR(bio);
23
+
24
+    auto *key = PEM_read_bio_PUBKEY(bio, NULL, NULL, NULL);
25
+    Q_CHECK_PTR(key);
26
+
27
+    auto *ctx = EVP_MD_CTX_new();
28
+    Q_CHECK_PTR(ctx);
29
+
30
+    const auto *md = EVP_get_digestbyname(hashName);
31
+    Q_CHECK_PTR(md);
32
+
33
+    int rc = EVP_DigestVerifyInit(ctx, NULL, md, NULL, key);
34
+    if(rc != 1) {
35
+        spdlog::error("DigestVerifyInit failed: %i", rc);
36
+        return false;
37
+    }
38
+
39
+    // read plugin into DigestVerifyUpdate
40
+    QFile plugin(this->fileName());
41
+    plugin.open(QIODevice::ReadOnly);
42
+    int len = plugin.size();
43
+    int read = 0;
44
+    auto *buf = new unsigned char[1024];
45
+    while(len > 0) {
46
+        read = plugin.read((char*) buf, 1024);
47
+        len -= read;
48
+
49
+        rc = EVP_DigestVerifyUpdate(ctx, buf, read);
50
+        if(rc != 1)
51
+            spdlog::error("DigestVerifyUpdate failed: %i", rc);
52
+    }
53
+    delete buf;
54
+    plugin.close();
55
+
56
+    // read signature into DigestVerifyFinal
57
+    QFile sigFile(sigName);
58
+    sigFile.open(QIODevice::ReadOnly);
59
+    const int sig_len = sigFile.size();
60
+    const auto* sig = [&sigFile, sig_len]() {
61
+        auto* buf = new unsigned char[sig_len];
62
+        sigFile.read((char*) buf, sig_len);
63
+        return buf;
64
+    }();
65
+    sigFile.close();
66
+
67
+    rc = EVP_DigestVerifyFinal(ctx, sig, sig_len);
68
+    delete sig;
69
+
70
+    if(rc == 1)
71
+        return true;
72
+    else {
73
+        spdlog::error("DigestVerifyFinal failed: %i", rc);
74
+        return false;
75
+    }
76
+}
77
+

+ 13
- 0
src/plugin/pluginloader.h Vedi File

@@ -0,0 +1,13 @@
1
+#include <QPluginLoader>
2
+
3
+class PluginLoader : public QPluginLoader
4
+{
5
+    Q_OBJECT
6
+
7
+public:
8
+    PluginLoader(const QString &fileName, QObject *parent = nullptr);
9
+    ~PluginLoader() = default;
10
+
11
+    bool verify(const char *hashName = "SHA256") const;
12
+};
13
+

Loading…
Annulla
Salva