author | 2021-08-02 02:40:28 +0200 | |
---|---|---|
committer | 2021-08-02 20:36:37 +0200 | |
commit | 3e70808fa197b928b7501218e0646b5dd6b8a25f (patch) | |
tree | bd11008f1b74549eb87f358fb9c42ce1c2d9945b | |
parent | api: remove Authenticode support (diff) | |
api: incorporate new win7 code signing technique0.1
https://git.zx2c4.com/downlevel-driver-enabler/about/
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
-rw-r--r-- | api/adapter.c | 65 | ||||
-rw-r--r-- | api/resources.rc | 2 | ||||
-rw-r--r-- | downlevelshim/downlevelshim.vcxproj | 35 | ||||
-rw-r--r-- | downlevelshim/exports.def | 3 | ||||
-rw-r--r-- | downlevelshim/shim.c | 32 | ||||
-rw-r--r-- | wireguard-nt.proj | 8 | ||||
-rw-r--r-- | wireguard-nt.sln | 19 |
7 files changed, 160 insertions, 4 deletions
diff --git a/api/adapter.c b/api/adapter.c
index faf725e..8dcddb8 100644
--- a/api/adapter.c
+++ b/api/adapter.c
@@ -1215,6 +1215,7 @@ SelectDriver(
     WCHAR CatPath[MAX_PATH] = { 0 };
     WCHAR SysPath[MAX_PATH] = { 0 };
     WCHAR InfPath[MAX_PATH] = { 0 };
+    WCHAR DownlevelShimPath[MAX_PATH] = { 0 };
     if (!PathCombineW(CatPath, RandomTempSubDirectory, L"wireguard.cat") ||
         !PathCombineW(SysPath, RandomTempSubDirectory, L"wireguard.sys") ||
         !PathCombineW(InfPath, RandomTempSubDirectory, L"wireguard.inf"))
@@ -1230,6 +1231,54 @@ SelectDriver(
         LastError = LOG_LAST_ERROR(L"Failed to extract driver");
         goto cleanupDelete;
     }
+
+    WCHAR *WintrustKeyOriginalValue = NULL;
+    HKEY WintrustKey = NULL;
+    if (!IsWindows10)
+    {
+        LOG(WIREGUARD_LOG_INFO, L"Shimming downlevel driver loader");
+        if (!PathCombineW(DownlevelShimPath, RandomTempSubDirectory, L"downlevelshim.dll"))
+        {
+            DownlevelShimPath[0] = L'\0';
+            LastError = ERROR_BUFFER_OVERFLOW;
+            goto cleanupDelete;
+        }
+        if (!ResourceCopyToFile(DownlevelShimPath, L"downlevelshim.dll"))
+        {
+            LastError = LOG_LAST_ERROR(L"Failed to extract downlevel shim");
+            goto cleanupDelete;
+        }
+        LastError = RegOpenKeyExW(
+            HKEY_LOCAL_MACHINE,
+            L"SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}",
+            0,
+            KEY_QUERY_VALUE | KEY_SET_VALUE,
+            &WintrustKey);
+        if (LastError != ERROR_SUCCESS)
+        {
+            LOG_ERROR(LastError, L"Failed to open Wintrust FinalPolicy key");
+            goto cleanupDelete;
+        }
+        WintrustKeyOriginalValue = RegistryQueryString(WintrustKey, L"$DLL", TRUE);
+        if (!WintrustKeyOriginalValue)
+        {
+            LastError = LOG_LAST_ERROR(L"Failed to read current Wintrust FinalPolicy key");
+            goto cleanupWintrustKey;
+        }
+        LastError = RegSetValueExW(
+            WintrustKey,
+            L"$DLL",
+            0,
+            REG_SZ,
+            (BYTE *)DownlevelShimPath,
+            (DWORD)((wcslen(DownlevelShimPath) + 1) * sizeof(DownlevelShimPath[0])));
+        if (LastError != ERROR_SUCCESS)
+        {
+            LOG_ERROR(LastError, L"Failed to set Wintrust FinalPolicy key");
+            goto cleanupWintrustChangedKey;
+        }
+    }
+
     LOG(WIREGUARD_LOG_INFO, L"Installing driver");
     WCHAR InfStorePath[MAX_PATH];
     if (!SetupCopyOEMInfW(InfPath, NULL, SPOST_NONE, 0, InfStorePath, MAX_PATH, NULL, NULL))
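Review bot: Pointing the machine-wide Wintrust FinalPolicy `$DLL` value at a file under RandomTempSubDirectory (the RegSetValueExW call that follows the RegistryQueryString read) changes signature policy for every driver verification on the host for as long as the value stays changed, and if the process dies before the cleanup labels run, the value is left referring to a DLL whose directory has been removed. The restore in the cleanup hunk below ignores RegSetValueExW's return and always writes REG_SZ regardless of the value type RegistryQueryString read, so a failed or type-changing restore is silent; capturing it as `LSTATUS RestoreStatus = RegSetValueExW(...);` followed by `if (RestoreStatus != ERROR_SUCCESS) LOG_ERROR(RestoreStatus, L"Failed to restore Wintrust FinalPolicy key");` keeps LastError intact and makes the failure visible. Whether the temp directory's DACL prevents non-administrators from replacing downlevelshim.dll during that window is not visible here; a comment above `if (!IsWindows10)` stating that assumption and the restore-on-every-path contract of the two Wintrust cleanup labels would help the next reader. SelectDriver begins and ends outside this hunk.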
@@ -1274,10 +1323,26 @@ SelectDriver(
     LastError = ERROR_SUCCESS;
     DestroyDriverInfoListOnCleanup = FALSE;
 
+cleanupWintrustChangedKey:
+    if (WintrustKeyOriginalValue)
+        RegSetValueExW(
+            WintrustKey,
+            L"$DLL",
+            0,
+            REG_SZ,
+            (BYTE *)WintrustKeyOriginalValue,
+            (DWORD)((wcslen(WintrustKeyOriginalValue) + 1) * sizeof(WintrustKeyOriginalValue[0])));
+cleanupWintrustKey:
+    if (WintrustKey)
+        RegCloseKey(WintrustKey);
+    if (WintrustKeyOriginalValue)
+        Free(WintrustKeyOriginalValue);
 cleanupDelete:
     DeleteFileW(CatPath);
     DeleteFileW(SysPath);
     DeleteFileW(InfPath);
+    if (DownlevelShimPath[0])
+        DeleteFileW(DownlevelShimPath);
 cleanupDirectory:
     RemoveDirectoryW(RandomTempSubDirectory);
 cleanupExistingAdapters:
diff --git a/api/resources.rc b/api/resources.rc
index e2b1f05..0c283c5 100644
--- a/api/resources.rc
+++ b/api/resources.rc
@@ -12,6 +12,8 @@
 wireguard.cat RCDATA "driver\\wireguard.cat"
 wireguard.inf RCDATA "driver\\wireguard.inf"
 wireguard.sys RCDATA "driver\\wireguard.sys"
+downlevelshim.dll RCDATA "downlevelshim.dll"
+
 #if defined(WANT_AMD64_WOW64)
 # if defined(BUILT_AMD64_WOW64)
 wireguard-amd64.dll RCDATA "amd64\\wireguard.dll"
diff --git a/downlevelshim/downlevelshim.vcxproj b/downlevelshim/downlevelshim.vcxproj
new file mode 100644
index 0000000..264a300
--- /dev/null
+++ b/downlevelshim/downlevelshim.vcxproj
@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{E22CA58F-DEA5-48DC-BCF5-12075AD9BB82}</ProjectGuid>
+    <RootNamespace>downlevelshim</RootNamespace>
+    <ProjectName>downlevelshim</ProjectName>
+  </PropertyGroup>
+  <PropertyGroup Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <PlatformToolset>WindowsApplicationForDrivers10.0</PlatformToolset>
+  </PropertyGroup>
+  <Import Project="..\wireguard-nt.props" />
+  <PropertyGroup>
+    <TargetName>downlevelshim</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup>
+    <ClCompile>
+      <PreprocessorDefinitions>_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalOptions>/volatile:iso %(AdditionalOptions)</AdditionalOptions>
+    </ClCompile>
+    <Link>
+      <ModuleDefinitionFile>exports.def</ModuleDefinitionFile>
+      <SubSystem>Windows</SubSystem>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <None Include="exports.def" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="shim.c" />
+  </ItemGroup>
+  <Import Project="..\wireguard-nt.props.user" Condition="exists('..\wireguard-nt.props.user')" />
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets" />
+</Project>
diff --git a/downlevelshim/exports.def b/downlevelshim/exports.def
new file mode 100644
index 0000000..7d2ec36
--- /dev/null
+++ b/downlevelshim/exports.def
@@ -0,0 +1,3 @@
+LIBRARY downlevelshim.dll
+EXPORTS
+    DriverFinalPolicy
\ No newline at end of file
diff --git a/downlevelshim/shim.c b/downlevelshim/shim.c
new file mode 100644
index 0000000..d277639
--- /dev/null
+++ b/downlevelshim/shim.c
@@ -0,0 +1,32 @@
+/* SPDX-License-Identifier: GPL-2.0
+ *
+ * Copyright (C) 2018-2021 WireGuard LLC. All Rights Reserved.
+ */
+
+#include <windows.h>
+#include <wintrust.h>
+
+typedef DWORD(DRIVER_FINAL_POLICY_FN)(CRYPT_PROVIDER_DATA *);
+typedef DRIVER_FINAL_POLICY_FN *PDRIVER_FINAL_POLICY_FN;
+
+DRIVER_FINAL_POLICY_FN DriverFinalPolicy;
+
+DWORD
+DriverFinalPolicy(CRYPT_PROVIDER_DATA *ProvData)
+{
+    DWORD OriginalLastError = GetLastError();
+    HMODULE WintrustModule = GetModuleHandleA("WINTRUST.DLL");
+    if (!WintrustModule)
+        return ERROR_INVALID_LIBRARY;
+    PDRIVER_FINAL_POLICY_FN RealDriverFinalPolicy =
+        (PDRIVER_FINAL_POLICY_FN)GetProcAddress(WintrustModule, "DriverFinalPolicy");
+    if (!RealDriverFinalPolicy)
+        return ERROR_INVALID_FUNCTION;
+    DWORD Ret = RealDriverFinalPolicy(ProvData);
+    if (Ret == ERROR_APP_WRONG_OS)
+    {
+        Ret = ERROR_SUCCESS;
+        SetLastError(OriginalLastError);
+    }
+    return Ret;
+}
diff --git a/wireguard-nt.proj b/wireguard-nt.proj
index 77041d9..e8d4e4f 100644
--- a/wireguard-nt.proj
+++ b/wireguard-nt.proj
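Review bot: DriverFinalPolicy rewrites every ERROR_APP_WRONG_OS verdict to ERROR_SUCCESS without inspecting ProvData, so while adapter.c has the FinalPolicy `$DLL` value pointed at this DLL, any other driver verification the host performs in that window presumably receives the same relaxation, not only wireguard.sys; limiting the override to the file being installed (the path reachable through ProvData->pWintrustData for the union choice in use) would keep the effect to this install. The file has no comment saying why this single error is tolerated and that every other result of the real routine is passed through unchanged; a header such as `/* Forward to wintrust's own DriverFinalPolicy and treat its ERROR_APP_WRONG_OS verdict as success; all other results are returned untouched. */` would cover it. The DRIVER_FINAL_POLICY_FN typedef carries no calling-convention specifier; if wintrust.h's PFN_PROVIDER_FINALPOLICY_CALL is declared WINAPI (worth confirming against the SDK header), the Win32 build should use the same convention on both the export and the GetProcAddress cast, since a stdcall/cdecl mismatch on x86 corrupts the caller's stack.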
@@ -69,21 +69,21 @@ <Target Name="Dll-x86" Outputs="$(Configuration)\x86\wireguard.dll" DependsOnTargets="Dll-amd64;Dll-arm64"> - <MSBuild Projects="api\api.vcxproj" Targets="Build" Properties="Configuration=$(Configuration);Platform=Win32" /> + <MSBuild Projects="downlevelshim\downlevelshim.vcxproj;api\api.vcxproj" Targets="Build" Properties="Configuration=$(Configuration);Platform=Win32" /> </Target> <Target Name="Dll-amd64" Outputs="$(Configuration)\amd64\wireguard.dll" DependsOnTargets="Dll-arm64"> - <MSBuild Projects="api\api.vcxproj" Targets="Build" Properties="Configuration=$(Configuration);Platform=x64" /> + <MSBuild Projects="downlevelshim\downlevelshim.vcxproj;api\api.vcxproj" Targets="Build" Properties="Configuration=$(Configuration);Platform=x64" /> </Target> <Target Name="Dll-arm" Outputs="$(Configuration)\arm\wireguard.dll" DependsOnTargets="Dll-arm64"> - <MSBuild Projects="api\api.vcxproj" Targets="Build" Properties="Configuration=$(Configuration);Platform=ARM" /> + <MSBuild Projects="downlevelshim\downlevelshim.vcxproj;api\api.vcxproj" Targets="Build" Properties="Configuration=$(Configuration);Platform=ARM" /> </Target> <Target Name="Dll-arm64" Outputs="$(Configuration)\arm64\wireguard.dll"> - <MSBuild Projects="api\api.vcxproj" Targets="Build" Properties="Configuration=$(Configuration);Platform=ARM64" /> + <MSBuild Projects="downlevelshim\downlevelshim.vcxproj;api\api.vcxproj" Targets="Build" Properties="Configuration=$(Configuration);Platform=ARM64" /> </Target> <!-- diff --git a/wireguard-nt.sln b/wireguard-nt.sln index 99b0600..0841074 100644 --- a/wireguard-nt.sln +++ b/wireguard-nt.sln 
@@ -7,10 +7,13 @@ EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "api", "api\api.vcxproj", "{99648503-7DFB-4C06-A87A-E7B66E93FF84}"
 	ProjectSection(ProjectDependencies) = postProject
 		{8B282C8F-5870-44C3-9A2A-B9091F4E9F68} = {8B282C8F-5870-44C3-9A2A-B9091F4E9F68}
+		{E22CA58F-DEA5-48DC-BCF5-12075AD9BB82} = {E22CA58F-DEA5-48DC-BCF5-12075AD9BB82}
 	EndProjectSection
 EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "driver", "driver\driver.vcxproj", "{8B282C8F-5870-44C3-9A2A-B9091F4E9F68}"
 EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "downlevelshim", "downlevelshim\downlevelshim.vcxproj", "{E22CA58F-DEA5-48DC-BCF5-12075AD9BB82}"
+EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{3A98F138-EE02-4488-B856-B3C48500BEA8}"
 	ProjectSection(SolutionItems) = preProject
 		README.md = README.md
@@ -79,6 +82,22 @@ Global
 		{8B282C8F-5870-44C3-9A2A-B9091F4E9F68}.Release|arm64.Build.0 = Release|ARM64
 		{8B282C8F-5870-44C3-9A2A-B9091F4E9F68}.Release|x86.ActiveCfg = Release|Win32
 		{8B282C8F-5870-44C3-9A2A-B9091F4E9F68}.Release|x86.Build.0 = Release|Win32
+		{E22CA58F-DEA5-48DC-BCF5-12075AD9BB82}.Debug|amd64.ActiveCfg = Debug|x64
+		{E22CA58F-DEA5-48DC-BCF5-12075AD9BB82}.Debug|amd64.Build.0 = Debug|x64
+		{E22CA58F-DEA5-48DC-BCF5-12075AD9BB82}.Debug|arm.ActiveCfg = Debug|ARM
+		{E22CA58F-DEA5-48DC-BCF5-12075AD9BB82}.Debug|arm.Build.0 = Debug|ARM
+		{E22CA58F-DEA5-48DC-BCF5-12075AD9BB82}.Debug|arm64.ActiveCfg = Debug|ARM64
+		{E22CA58F-DEA5-48DC-BCF5-12075AD9BB82}.Debug|arm64.Build.0 = Debug|ARM64
+		{E22CA58F-DEA5-48DC-BCF5-12075AD9BB82}.Debug|x86.ActiveCfg = Debug|Win32
+		{E22CA58F-DEA5-48DC-BCF5-12075AD9BB82}.Debug|x86.Build.0 = Debug|Win32
+		{E22CA58F-DEA5-48DC-BCF5-12075AD9BB82}.Release|amd64.ActiveCfg = Release|x64
+		{E22CA58F-DEA5-48DC-BCF5-12075AD9BB82}.Release|amd64.Build.0 = Release|x64
+		{E22CA58F-DEA5-48DC-BCF5-12075AD9BB82}.Release|arm.ActiveCfg = Release|ARM
+		{E22CA58F-DEA5-48DC-BCF5-12075AD9BB82}.Release|arm.Build.0 = Release|ARM
+		{E22CA58F-DEA5-48DC-BCF5-12075AD9BB82}.Release|arm64.ActiveCfg = Release|ARM64
+		{E22CA58F-DEA5-48DC-BCF5-12075AD9BB82}.Release|arm64.Build.0 = Release|ARM64
+		{E22CA58F-DEA5-48DC-BCF5-12075AD9BB82}.Release|x86.ActiveCfg = Release|Win32
+		{E22CA58F-DEA5-48DC-BCF5-12075AD9BB82}.Release|x86.Build.0 = Release|Win32
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE