Build integrity + server print neo_version info

* Server now just prints neo_version on startup * Server and client long git hashes are now matched up on startup to check build integrity. If they don't, the client cannot connect unless they have matching git hashes. * Server convar `neo_sv_build_integrity_check` to enable/disable this integrity check feature. Enabled by default. Debug builds integrity check bypass * Debug builds will have their first byte final bit fliped to 1 to indicate it's a debug build * This will indicate to the server that it's a debug build and if the server allows bypass, then it will * Mask out final bit before comparison to allow debug build that matches hash without first byte final bit * fixes NeotokyoRebuild#437 * fixes NeotokyoRebuild#485
nullsystem · Jul 14, 2024 · 303a61a · 303a61a
1 parent 8621b06
commit 303a61a
Show file tree

Hide file tree

Showing 5 changed files with 78 additions and 4 deletions.
diff --git a/mp/src/game/client/cdll_client_int.cpp b/mp/src/game/client/cdll_client_int.cpp
@@ -171,6 +171,7 @@ extern vgui::IInputInternal *g_InputInternal;
 #endif
 
 #ifdef NEO
+#include "neo_version.h"
 #include "neo_mount_original.h"
 #endif
 
@@ -954,6 +955,10 @@ int CHLClient::Init( CreateInterfaceFn appSystemFactory, CreateInterfaceFn physi
 	InitFbx();
 #endif
 
+#if defined(NEO) && defined(DEBUG)
+	InitializeDbgNeoClGitHashEdit();
+#endif
+
 	// it's ok if this is NULL. That just means the sourcevr.dll wasn't found
 	g_pSourceVR = (ISourceVirtualReality *)appSystemFactory(SOURCE_VIRTUAL_REALITY_INTERFACE_VERSION, NULL);
 

diff --git a/mp/src/game/server/gameinterface.cpp b/mp/src/game/server/gameinterface.cpp
@@ -132,6 +132,7 @@ extern ConVar tf_mm_servermode;
 
 #ifdef NEO
 #include "neo_mount_original.h"
+#include "neo_version.h"
 #endif
 
 extern IToolFrameworkServer *g_pToolFrameworkServer;
@@ -643,6 +644,7 @@ bool CServerGameDLL::DLLInit( CreateInterfaceFn appSystemFactory,
 	{
 		return false;
 	}
+	NeoVersionPrint();
 #endif
 
 	// Yes, both the client and game .dlls will try to Connect, the soundemittersystem.dll will handle this gracefully

diff --git a/mp/src/game/shared/neo/neo_gamerules.cpp b/mp/src/game/shared/neo/neo_gamerules.cpp
@@ -1,5 +1,6 @@
 #include "cbase.h"
 #include "neo_gamerules.h"
+#include "neo_version_info.h"
 #include "in_buttons.h"
 #include "ammodef.h"
 
@@ -36,6 +37,23 @@ ConVar neo_sv_player_restore("neo_sv_player_restore", "1", FCVAR_REPLICATED, "If
 ConVar neo_name("neo_name", "", FCVAR_USERINFO | FCVAR_ARCHIVE, "The nickname to set instead of the steam profile name.");
 ConVar cl_onlysteamnick("cl_onlysteamnick", "0", FCVAR_USERINFO | FCVAR_ARCHIVE, "Only show players Steam names, otherwise show player set names.", true, 0.0f, true, 1.0f);
 
+#ifdef GAME_DLL
+#ifdef DEBUG
+// Debug build by default relax integrity check requirement among debug clients
+static constexpr char INTEGRITY_CHECK_DBG[] = "1";
+#else
+static constexpr char INTEGRITY_CHECK_DBG[] = "0";
+#endif
+ConVar neo_sv_build_integrity_check("neo_sv_build_integrity_check", "1", FCVAR_GAMEDLL | FCVAR_REPLICATED,
+									"If enabled, the server checks the build's Git hash between the client and"
+									" the server. If it doesn't match, the server rejects and disconnects the client.",
+									true, 0.0f, true, 1.0f);
+ConVar neo_sv_build_integrity_check_allow_debug("neo_sv_build_integrity_check_allow_debug", INTEGRITY_CHECK_DBG, FCVAR_GAMEDLL | FCVAR_REPLICATED,
+									"If enabled, when the server checks the client hashes, it'll also allow debug"
+									" builds which has a given special bit to bypass the check.",
+									true, 0.0f, true, 1.0f);
+#endif
+
 REGISTER_GAMERULES_CLASS( CNEORules );
 
 BEGIN_NETWORK_TABLE_NOBASE( CNEORules, DT_NEORules )
@@ -1292,6 +1310,28 @@ void CNEORules::RestartGame()
 #ifdef GAME_DLL
 bool CNEORules::ClientConnected(edict_t *pEntity, const char *pszName, const char *pszAddress, char *reject, int maxrejectlen)
 {
+	if (neo_sv_build_integrity_check.GetBool())
+	{
+		const char *clientGitHash = engine->GetClientConVarValue(engine->IndexOfEdict(pEntity), "__neo_cl_git_hash");
+		const bool dbgBuildSkip = (neo_sv_build_integrity_check_allow_debug.GetBool()) ? (clientGitHash[0] & 0b1000'0000) : false;
+		if (dbgBuildSkip)
+		{
+			DevWarning("Client debug build integrity check bypass! Client: %s | Server: %s\n", clientGitHash, GIT_LONGHASH);
+		}
+		// NEO NOTE (nullsystem): Due to debug builds, if we're to match exactly, we'll have to mask out final bit first
+		char cmpClientGitHash[sizeof(GIT_LONGHASH) + 1];
+		V_strcpy_safe(cmpClientGitHash, clientGitHash);
+		cmpClientGitHash[0] &= 0b0111'1111;
+		if (!dbgBuildSkip && V_strcmp(cmpClientGitHash, GIT_LONGHASH))
+		{
+			// Truncate the git hash so it's short hash and doesn't make message too long
+			static constexpr int MAX_GITHASH_SHOW = 7;
+			V_snprintf(reject, maxrejectlen, "Build integrity failed! Client vs server mis-match: Check your neo_version. "
+											 "Client: %.*s | Server: %.*s",
+					   MAX_GITHASH_SHOW, cmpClientGitHash, MAX_GITHASH_SHOW, GIT_LONGHASH);
+			return false;
+		}
+	}
 	return BaseClass::ClientConnected(pEntity, pszName, pszAddress,
 		reject, maxrejectlen);
 #if(0)

diff --git a/mp/src/game/shared/neo/neo_version.cpp b/mp/src/game/shared/neo/neo_version.cpp
@@ -3,12 +3,11 @@
 #include "convar.h"
 #include "dbg.h"
 
-namespace {
-void neoVersionCallback()
+void NeoVersionPrint()
 {
 #if defined(GAME_DLL)
 	static constexpr char HEADER[] = "neo_version (Server's build info):";
-#else defined(CLIENT_DLL)
+#elif defined(CLIENT_DLL)
 	static constexpr char HEADER[] = "neo_version (Client's build info):";
 #endif
 	Msg("%s\n"
@@ -25,10 +24,31 @@ void neoVersionCallback()
 		COMPILER_ID, COMPILER_VERSION);
 }
 
+namespace {
 #ifdef CLIENT_DLL
 constexpr int NEO_VERSION_FLAGS = 0;
 #else
 constexpr int NEO_VERSION_FLAGS = FCVAR_HIDDEN;
 #endif
-ConCommand neo_version("neo_version", neoVersionCallback, "Print out client/server's build's information.", NEO_VERSION_FLAGS);
+ConCommand neo_version("neo_version", NeoVersionPrint, "Print out client/server's build's information.", NEO_VERSION_FLAGS);
+
+#ifdef CLIENT_DLL
+ConVar __neo_cl_git_hash("__neo_cl_git_hash", GIT_LONGHASH,
+						 FCVAR_USERINFO | FCVAR_HIDDEN | FCVAR_DONTRECORD | FCVAR_NOT_CONNECTED
+#ifndef DEBUG
+						 | FCVAR_PRINTABLEONLY
+#endif
+						 );
+#endif
 }
+
+#if defined(CLIENT_DLL) && defined(DEBUG)
+void InitializeDbgNeoClGitHashEdit()
+{
+	static char static_dbgHash[sizeof(GIT_LONGHASH) + 1];
+	V_strcpy_safe(static_dbgHash, GIT_LONGHASH);
+	static_dbgHash[0] = static_dbgHash[0] | 0b1000'0000;
+	__neo_cl_git_hash.SetDefault(static_dbgHash);
+	__neo_cl_git_hash.Revert(); // It just sets to the default
+}
+#endif
diff --git a/mp/src/game/shared/neo/neo_version.h b/mp/src/game/shared/neo/neo_version.h
@@ -0,0 +1,7 @@
+#pragma once
+
+void NeoVersionPrint();
+
+#if defined(CLIENT_DLL) && defined(DEBUG)
+void InitializeDbgNeoClGitHashEdit();
+#endif