author | Jason A. Donenfeld <Jason@zx2c4.com> | 2021-08-02 01:05:02 +0200 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2021-08-02 04:49:13 +0200 |
commit | 21d8e66e04fedf66aef7188f22b32c3b126e8911 (patch) | |
tree | 1f3526c3943e12f076316373d1b2e81898845f36 | |
parent | proj: clean up loose ends (diff) | |
download | wintun-21d8e66e04fedf66aef7188f22b32c3b126e8911.tar.xz wintun-21d8e66e04fedf66aef7188f22b32c3b126e8911.zip |
api: incorporate new win7 code signing technique
https://git.zx2c4.com/downlevel-driver-enabler/about/
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to '')
-rw-r--r-- | api/adapter.c | 65 | ||||
-rw-r--r-- | api/resources.rc | 2 | ||||
-rw-r--r-- | downlevelshim/downlevelshim.vcxproj | 35 | ||||
-rw-r--r-- | downlevelshim/exports.def | 3 | ||||
-rw-r--r-- | downlevelshim/shim.c | 32 | ||||
-rw-r--r-- | wintun.proj | 8 | ||||
-rw-r--r-- | wintun.sln | 19 |
7 files changed, 160 insertions, 4 deletions
diff --git a/api/adapter.c b/api/adapter.c
index d216578..8fa1ff6 100644
--- a/api/adapter.c
+++ b/api/adapter.c
@@ -1126,6 +1126,8 @@ SelectDriver(
 WCHAR CatPath[MAX_PATH] = { 0 };
 WCHAR SysPath[MAX_PATH] = { 0 };
 WCHAR InfPath[MAX_PATH] = { 0 };
+ WCHAR DownlevelShimPath[MAX_PATH] = { 0 };
+
 if (!PathCombineW(CatPath, RandomTempSubDirectory, L"wintun.cat") ||
 !PathCombineW(SysPath, RandomTempSubDirectory, L"wintun.sys") ||
 !PathCombineW(InfPath, RandomTempSubDirectory, L"wintun.inf"))
@@ -1141,6 +1143,53 @@ SelectDriver(
 LastError = LOG_LAST_ERROR(L"Failed to extract driver");
 goto cleanupDelete;
 }
+
+ WCHAR *WintrustKeyOriginalValue = NULL;
+ HKEY WintrustKey = NULL;
+ if (!IsWindows10)
+ {
+ LOG(WINTUN_LOG_INFO, L"Shimming downlevel driver loader");
+ if (!PathCombineW(DownlevelShimPath, RandomTempSubDirectory, L"downlevelshim.dll"))
+ {
+ DownlevelShimPath[0] = L'\0';
+ LastError = ERROR_BUFFER_OVERFLOW;
+ goto cleanupDelete;
+ }
+ if (!ResourceCopyToFile(DownlevelShimPath, L"downlevelshim.dll"))
+ {
+ LastError = LOG_LAST_ERROR(L"Failed to extract downlevel shim");
+ goto cleanupDelete;
+ }
+ LastError = RegOpenKeyExW(
+ HKEY_LOCAL_MACHINE,
+ L"SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}",
+ 0,
+ KEY_QUERY_VALUE | KEY_SET_VALUE,
+ &WintrustKey);
+ if (LastError != ERROR_SUCCESS)
+ {
+ LOG_ERROR(LastError, L"Failed to open Wintrust FinalPolicy key");
+ goto cleanupDelete;
+ }
+ WintrustKeyOriginalValue = RegistryQueryString(WintrustKey, L"$DLL", TRUE);
+ if (!WintrustKeyOriginalValue)
+ {
+ LastError = LOG_LAST_ERROR(L"Failed to read current Wintrust FinalPolicy key");
+ goto cleanupWintrustKey;
+ }
+ LastError = RegSetValueExW(
+ WintrustKey,
+ L"$DLL",
+ 0,
+ REG_SZ,
+ (BYTE *)DownlevelShimPath,
+ (DWORD)((wcslen(DownlevelShimPath) + 1) * sizeof(DownlevelShimPath[0])));
+ if (LastError != ERROR_SUCCESS)
+ {
+ LOG_ERROR(LastError, L"Failed to set Wintrust FinalPolicy key");
+ goto cleanupWintrustChangedKey;
+ }
+ }
 LOG(WINTUN_LOG_INFO, L"Installing driver");
 WCHAR InfStorePath[MAX_PATH];
 if (!SetupCopyOEMInfW(InfPath, NULL, SPOST_NONE, 0, InfStorePath, MAX_PATH, NULL, NULL))
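Review bot: The RegSetValueExW at the end of this hunk rewrites a machine-global value: while HKLM's FinalPolicy `$DLL` points at DownlevelShimPath, every driver-package trust verification on the system (not only wintun's SetupCopyOEMInfW that follows) runs through downlevelshim.dll, and the only undo is the restore at cleanupWintrustChangedKey, so a crash or kill between the set and the restore leaves `$DLL` pointing at a temp file that is later deleted or never cleaned up, breaking driver-signature verification until repaired by hand. Nothing in the hunk records this, so a comment above the RegSetValueExW such as `/* Machine-global override: all driver verification goes through the shim until cleanupWintrustChangedKey restores $DLL; keep the window minimal, and note that dying here leaves $DLL dangling. */` would help the next maintainer. The shim is loaded by wintrust from RandomTempSubDirectory; presumably that directory is created with an ACL that only the installing context can write to — its creation is outside the hunk, so confirm, since otherwise the DLL is replaceable during the window. SelectDriver starts and ends outside the hunk.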
@@ -1185,10 +1234,26 @@ SelectDriver(
 LastError = ERROR_SUCCESS;
 DestroyDriverInfoListOnCleanup = FALSE;
+cleanupWintrustChangedKey:
+ if (WintrustKeyOriginalValue)
+ RegSetValueExW(
+ WintrustKey,
+ L"$DLL",
+ 0,
+ REG_SZ,
+ (BYTE *)WintrustKeyOriginalValue,
+ (DWORD)((wcslen(WintrustKeyOriginalValue) + 1) * sizeof(WintrustKeyOriginalValue[0])));
+cleanupWintrustKey:
+ if (WintrustKey)
+ RegCloseKey(WintrustKey);
+ if (WintrustKeyOriginalValue)
+ Free(WintrustKeyOriginalValue);
 cleanupDelete:
 DeleteFileW(CatPath);
 DeleteFileW(SysPath);
 DeleteFileW(InfPath);
+ if (DownlevelShimPath[0])
+ DeleteFileW(DownlevelShimPath);
 cleanupDirectory:
 RemoveDirectoryW(RandomTempSubDirectory);
 cleanupExistingAdapters:
diff --git a/api/resources.rc b/api/resources.rc
index ad4c98c..822ed3f 100644
--- a/api/resources.rc
+++ b/api/resources.rc
@@ -12,6 +12,8 @@
 wintun.cat RCDATA "driver\\wintun.cat"
 wintun.inf RCDATA "driver\\wintun.inf"
 wintun.sys RCDATA "driver\\wintun.sys"
+downlevelshim.dll RCDATA "downlevelshim.dll"
+
 #if defined(WANT_AMD64_WOW64)
 # if defined(BUILT_AMD64_WOW64)
 wintun-amd64.dll RCDATA "amd64\\wintun.dll"
diff --git a/downlevelshim/downlevelshim.vcxproj b/downlevelshim/downlevelshim.vcxproj
new file mode 100644
index 0000000..cf403e0
--- /dev/null
+++ b/downlevelshim/downlevelshim.vcxproj
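Review bot: The restoring RegSetValueExW under cleanupWintrustChangedKey discards its return value, and cleanupDelete then removes DownlevelShimPath unconditionally, so a failed restore silently leaves HKLM's FinalPolicy `$DLL` pointing at a file that no longer exists and no log line says so. Since LastError is the function's result and must not be clobbered here, capture it separately: `DWORD RestoreError = RegSetValueExW(...);` followed by `if (RestoreError != ERROR_SUCCESS) LOG_ERROR(RestoreError, L"Failed to restore Wintrust FinalPolicy key");`, and consider leaving the shim file in place in that case rather than deleting it out from under a still-active `$DLL`. The value is also written back as REG_SZ regardless of the type RegistryQueryString read; if the original `$DLL` was stored as REG_EXPAND_SZ the restore changes its type — RegistryQueryString is defined outside the hunk, so confirm whether it reports the type. SelectDriver's body starts outside the hunk.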
@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+ <PropertyGroup Label="Globals">
+ <ProjectGuid>{6E8213E6-5046-4DE8-A760-0932C7D6E33E}</ProjectGuid>
+ <RootNamespace>downlevelshim</RootNamespace>
+ <ProjectName>downlevelshim</ProjectName>
+ </PropertyGroup>
+ <PropertyGroup Label="Configuration">
+ <ConfigurationType>DynamicLibrary</ConfigurationType>
+ <PlatformToolset>WindowsApplicationForDrivers10.0</PlatformToolset>
+ </PropertyGroup>
+ <Import Project="..\wintun.props" />
+ <PropertyGroup>
+ <TargetName>downlevelshim</TargetName>
+ </PropertyGroup>
+ <ItemDefinitionGroup>
+ <ClCompile>
+ <PreprocessorDefinitions>_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+ <AdditionalOptions>/volatile:iso %(AdditionalOptions)</AdditionalOptions>
+ </ClCompile>
+ <Link>
+ <ModuleDefinitionFile>exports.def</ModuleDefinitionFile>
+ <SubSystem>Windows</SubSystem>
+ </Link>
+ </ItemDefinitionGroup>
+ <ItemGroup>
+ <None Include="exports.def" />
+ </ItemGroup>
+ <ItemGroup>
+ <ClCompile Include="shim.c" />
+ </ItemGroup>
+ <Import Project="..\wintun.props.user" Condition="exists('..\wintun.props.user')" />
+ <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+ <ImportGroup Label="ExtensionTargets" />
+</Project>
diff --git a/downlevelshim/exports.def b/downlevelshim/exports.def
new file mode 100644
index 0000000..7d2ec36
--- /dev/null
+++ b/downlevelshim/exports.def
@@ -0,0 +1,3 @@
+LIBRARY downlevelshim.dll
+EXPORTS
+ DriverFinalPolicy
\ No newline at end of file
diff --git a/downlevelshim/shim.c b/downlevelshim/shim.c
new file mode 100644
index 0000000..d277639
--- /dev/null
+++ b/downlevelshim/shim.c
@@ -0,0 +1,32 @@
+/* SPDX-License-Identifier: GPL-2.0
+ *
+ * Copyright (C) 2018-2021 WireGuard LLC. All Rights Reserved.
+ */
+
+#include <windows.h>
+#include <wintrust.h>
+
+typedef DWORD(DRIVER_FINAL_POLICY_FN)(CRYPT_PROVIDER_DATA *);
+typedef DRIVER_FINAL_POLICY_FN *PDRIVER_FINAL_POLICY_FN;
+
+DRIVER_FINAL_POLICY_FN DriverFinalPolicy;
+
+DWORD
+DriverFinalPolicy(CRYPT_PROVIDER_DATA *ProvData)
+{
+ DWORD OriginalLastError = GetLastError();
+ HMODULE WintrustModule = GetModuleHandleA("WINTRUST.DLL");
+ if (!WintrustModule)
+ return ERROR_INVALID_LIBRARY;
+ PDRIVER_FINAL_POLICY_FN RealDriverFinalPolicy =
+ (PDRIVER_FINAL_POLICY_FN)GetProcAddress(WintrustModule, "DriverFinalPolicy");
+ if (!RealDriverFinalPolicy)
+ return ERROR_INVALID_FUNCTION;
+ DWORD Ret = RealDriverFinalPolicy(ProvData);
+ if (Ret == ERROR_APP_WRONG_OS)
+ {
+ Ret = ERROR_SUCCESS;
+ SetLastError(OriginalLastError);
+ }
+ return Ret;
+}
diff --git a/wintun.proj b/wintun.proj
index a1cd244..3715f93 100644
--- a/wintun.proj
+++ b/wintun.proj
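Review bot: DriverFinalPolicy has no header comment stating its contract, and the contract is security-relevant: while the installer has pointed the FinalPolicy `$DLL` value at this library, wintrust calls this export for every driver-package verification on the machine, and the function forwards to the real DriverFinalPolicy in WINTRUST.DLL and turns only an ERROR_APP_WRONG_OS result into ERROR_SUCCESS, so any other verification failure still fails closed, as do the two early returns when the module or export cannot be found. A comment above `DWORD DriverFinalPolicy(...)` saying that this shim is loaded by wintrust in place of its own DriverFinalPolicy, that it affects every package verified while registered, that it suppresses only ERROR_APP_WRONG_OS, and that the caller is responsible for restoring `$DLL` would make the blast radius explicit. It would also be worth noting that `GetModuleHandleA("WINTRUST.DLL")` does not load anything and relies on wintrust already being mapped in the calling process, which presumably holds because wintrust is the caller.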
@@ -80,21 +80,21 @@
 <Target Name="Dll-x86" Outputs="$(Configuration)\x86\wintun.dll" DependsOnTargets="Dll-amd64;Dll-arm64">
- <MSBuild Projects="api\api.vcxproj" Targets="Build" Properties="Configuration=$(Configuration);Platform=Win32" />
+ <MSBuild Projects="downlevelshim\downlevelshim.vcxproj;api\api.vcxproj" Targets="Build" Properties="Configuration=$(Configuration);Platform=Win32" />
 </Target>
 <Target Name="Dll-amd64" Outputs="$(Configuration)\amd64\wintun.dll" DependsOnTargets="Dll-arm64">
- <MSBuild Projects="api\api.vcxproj" Targets="Build" Properties="Configuration=$(Configuration);Platform=x64" />
+ <MSBuild Projects="downlevelshim\downlevelshim.vcxproj;api\api.vcxproj" Targets="Build" Properties="Configuration=$(Configuration);Platform=x64" />
 </Target>
 <Target Name="Dll-arm" Outputs="$(Configuration)\arm\wintun.dll" DependsOnTargets="Dll-arm64">
- <MSBuild Projects="api\api.vcxproj" Targets="Build" Properties="Configuration=$(Configuration);Platform=ARM" />
+ <MSBuild Projects="downlevelshim\downlevelshim.vcxproj;api\api.vcxproj" Targets="Build" Properties="Configuration=$(Configuration);Platform=ARM" />
 </Target>
 <Target Name="Dll-arm64" Outputs="$(Configuration)\arm64\wintun.dll">
- <MSBuild Projects="api\api.vcxproj" Targets="Build" Properties="Configuration=$(Configuration);Platform=ARM64" />
+ <MSBuild Projects="downlevelshim\downlevelshim.vcxproj;api\api.vcxproj" Targets="Build" Properties="Configuration=$(Configuration);Platform=ARM64" />
 </Target>
 <!--
@@ -7,10 +7,13 @@ EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "api", "api\api.vcxproj", "{897F02E3-3EAA-40AF-A6DC-17EB2376EDAF}"
 ProjectSection(ProjectDependencies) = postProject
 {F7679B65-2FEC-469A-8BAC-B07BF4439422} = {F7679B65-2FEC-469A-8BAC-B07BF4439422}
+ {6E8213E6-5046-4DE8-A760-0932C7D6E33E} = {6E8213E6-5046-4DE8-A760-0932C7D6E33E}
 EndProjectSection
 EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "driver", "driver\driver.vcxproj", "{F7679B65-2FEC-469A-8BAC-B07BF4439422}"
 EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "downlevelshim", "downlevelshim\downlevelshim.vcxproj", "{6E8213E6-5046-4DE8-A760-0932C7D6E33E}"
+EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{3A98F138-EE02-4488-B856-B3C48500BEA8}"
 ProjectSection(SolutionItems) = preProject
 README.md = README.md
@@ -78,6 +81,22 @@ Global
 {F7679B65-2FEC-469A-8BAC-B07BF4439422}.Release|arm64.Build.0 = Release|ARM64
 {F7679B65-2FEC-469A-8BAC-B07BF4439422}.Release|x86.ActiveCfg = Release|Win32
 {F7679B65-2FEC-469A-8BAC-B07BF4439422}.Release|x86.Build.0 = Release|Win32
+ {6E8213E6-5046-4DE8-A760-0932C7D6E33E}.Debug|amd64.ActiveCfg = Debug|x64
+ {6E8213E6-5046-4DE8-A760-0932C7D6E33E}.Debug|amd64.Build.0 = Debug|x64
+ {6E8213E6-5046-4DE8-A760-0932C7D6E33E}.Debug|arm.ActiveCfg = Debug|ARM
+ {6E8213E6-5046-4DE8-A760-0932C7D6E33E}.Debug|arm.Build.0 = Debug|ARM
+ {6E8213E6-5046-4DE8-A760-0932C7D6E33E}.Debug|arm64.ActiveCfg = Debug|ARM64
+ {6E8213E6-5046-4DE8-A760-0932C7D6E33E}.Debug|arm64.Build.0 = Debug|ARM64
+ {6E8213E6-5046-4DE8-A760-0932C7D6E33E}.Debug|x86.ActiveCfg = Debug|Win32
+ {6E8213E6-5046-4DE8-A760-0932C7D6E33E}.Debug|x86.Build.0 = Debug|Win32
+ {6E8213E6-5046-4DE8-A760-0932C7D6E33E}.Release|amd64.ActiveCfg = Release|x64
+ {6E8213E6-5046-4DE8-A760-0932C7D6E33E}.Release|amd64.Build.0 = Release|x64
+ {6E8213E6-5046-4DE8-A760-0932C7D6E33E}.Release|arm.ActiveCfg = Release|ARM
+ {6E8213E6-5046-4DE8-A760-0932C7D6E33E}.Release|arm.Build.0 = Release|ARM
+ {6E8213E6-5046-4DE8-A760-0932C7D6E33E}.Release|arm64.ActiveCfg = Release|ARM64
+ {6E8213E6-5046-4DE8-A760-0932C7D6E33E}.Release|arm64.Build.0 = Release|ARM64
+ {6E8213E6-5046-4DE8-A760-0932C7D6E33E}.Release|x86.ActiveCfg = Release|Win32
+ {6E8213E6-5046-4DE8-A760-0932C7D6E33E}.Release|x86.Build.0 = Release|Win32
 EndGlobalSection
 GlobalSection(SolutionProperties) = preSolution
 HideSolutionNode = FALSE |