authorJason A. Donenfeld <Jason@zx2c4.com>2021-01-24 14:39:46 +0100
committerJason A. Donenfeld <Jason@zx2c4.com>2021-01-25 21:47:29 +0100
commit02a15049b923581a2de2271bcf162991d9f885c1 (patch)
tree033a0eca7a18e5b83db484bd1bc60f59b57b6bb2
parentmod: bump (diff)
downloadwireguard-windows-02a15049b923581a2de2271bcf162991d9f885c1.tar.xz
wireguard-windows-02a15049b923581a2de2271bcf162991d9f885c1.zip
updater,version: simplify code locations
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
-rw-r--r--conf/dpapi/dpapi_windows.go12
-rw-r--r--updater/authenticode.go31
-rw-r--r--updater/downloader.go2
-rw-r--r--updater/msirunner.go (renamed from updater/msirunner_windows.go)0
-rw-r--r--updater/msirunner_linux.go23
-rw-r--r--updater/updater_test.go2
-rwxr-xr-xupdater/winhttp/httptest.exebin3318784 -> 0 bytes
-rw-r--r--version/debugging_linux.go35
-rw-r--r--version/official.go (renamed from version/certificate_windows.go)64
-rw-r--r--version/official_windows.go77
-rw-r--r--version/os.go (renamed from version/os_windows.go)0
11 files changed, 92 insertions, 154 deletions
diff --git a/conf/dpapi/dpapi_windows.go b/conf/dpapi/dpapi_windows.go
index 45ad950e..f3a238d5 100644
--- a/conf/dpapi/dpapi_windows.go
+++ b/conf/dpapi/dpapi_windows.go
@@ -7,19 +7,19 @@ package dpapi
import (
"errors"
+ "fmt"
"runtime"
"unsafe"
- "fmt"
"golang.org/x/sys/windows"
)
func bytesToBlob(bytes []byte) *windows.DataBlob {
- blob := &windows.DataBlob{Size: uint32(len(bytes))}
- if len(bytes) > 0 {
- blob.Data = &bytes[0]
- }
- return blob
+ blob := &windows.DataBlob{Size: uint32(len(bytes))}
+ if len(bytes) > 0 {
+ blob.Data = &bytes[0]
+ }
+ return blob
}
func Encrypt(data []byte, name string) ([]byte, error) {
diff --git a/updater/authenticode.go b/updater/authenticode.go
new file mode 100644
index 00000000..13ce6917
--- /dev/null
+++ b/updater/authenticode.go
@@ -0,0 +1,31 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2019-2020 WireGuard LLC. All Rights Reserved.
+ */
+
+package updater
+
+import (
+ "unsafe"
+
+ "golang.org/x/sys/windows"
+)
+
+func verifyAuthenticode(path string) bool {
+ path16, err := windows.UTF16PtrFromString(path)
+ if err != nil {
+ return false
+ }
+ data := &windows.WinTrustData{
+ Size: uint32(unsafe.Sizeof(windows.WinTrustData{})),
+ UIChoice: windows.WTD_UI_NONE,
+ RevocationChecks: windows.WTD_REVOKE_WHOLECHAIN, // Full revocation checking, as this is called with network connectivity.
+ UnionChoice: windows.WTD_CHOICE_FILE,
+ StateAction: windows.WTD_STATEACTION_VERIFY,
+ FileOrCatalogOrBlobOrSgnrOrCert: unsafe.Pointer(&windows.WinTrustFileInfo{
+ Size: uint32(unsafe.Sizeof(windows.WinTrustFileInfo{})),
+ FilePath: path16,
+ }),
+ }
+ return windows.WinVerifyTrustEx(windows.InvalidHWND, &windows.WINTRUST_ACTION_GENERIC_VERIFY_V2, data) == nil
+}
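Review bot: The final WinVerifyTrustEx call on the last line of the hunk never releases the state it requests: with `StateAction: windows.WTD_STATEACTION_VERIFY` the API leaves a state handle in `data.StateData` that the caller is expected to free by calling WinVerifyTrustEx again with `windows.WTD_STATEACTION_CLOSE`, so each verification leaks that handle. Save the verify result, switch the action to close, issue the second call and return the saved result, as in the excerpt below. The function also has no doc comment; since the updater's trust decision rests on it, suggest `// verifyAuthenticode reports whether the file at path carries an Authenticode signature that passes the generic verify policy with full-chain revocation checking. It does not pin the signer's identity; callers needing that must check it separately.`
```go
	// … unchanged: path16 conversion and data initialisation …
	verified := windows.WinVerifyTrustEx(windows.InvalidHWND, &windows.WINTRUST_ACTION_GENERIC_VERIFY_V2, data) == nil
	// Release the state handle that the VERIFY action left in data.StateData.
	data.StateAction = windows.WTD_STATEACTION_CLOSE
	windows.WinVerifyTrustEx(windows.InvalidHWND, &windows.WINTRUST_ACTION_GENERIC_VERIFY_V2, data)
	return verified
```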
diff --git a/updater/downloader.go b/updater/downloader.go
index 98159553..a61acbd4 100644
--- a/updater/downloader.go
+++ b/updater/downloader.go
@@ -168,7 +168,7 @@ func DownloadVerifyAndExecute(userToken uintptr) (progress chan DownloadProgress
}
progress <- DownloadProgress{Activity: "Verifying authenticode signature"}
- if !version.VerifyAuthenticode(file.ExclusivePath()) {
+ if !verifyAuthenticode(file.ExclusivePath()) {
progress <- DownloadProgress{Error: errors.New("The downloaded update does not have an authentic authenticode signature")}
return
}
diff --git a/updater/msirunner_windows.go b/updater/msirunner.go
index d7631706..d7631706 100644
--- a/updater/msirunner_windows.go
+++ b/updater/msirunner.go
diff --git a/updater/msirunner_linux.go b/updater/msirunner_linux.go
deleted file mode 100644
index f6cca441..00000000
--- a/updater/msirunner_linux.go
+++ /dev/null
@@ -1,23 +0,0 @@
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2019-2020 WireGuard LLC. All Rights Reserved.
- */
-
-package updater
-
-import (
- "fmt"
- "io/ioutil"
- "os"
- "os/exec"
-)
-
-// This isn't a Linux program, yes, but having the updater package work across platforms is quite helpful for testing.
-
-func runMsi(msiPath string, userToken uintptr, env []string) error {
- return exec.Command("qarma", "--info", "--text", fmt.Sprintf("It seems to be working! Were we on Windows, ā€˜%sā€™ would be executed.", msiPath)).Run()
-}
-
-func msiTempFile() (*os.File, error) {
- return ioutil.TempFile(os.TempDir(), "")
-}
diff --git a/updater/updater_test.go b/updater/updater_test.go
index a29d71f6..02e980eb 100644
--- a/updater/updater_test.go
+++ b/updater/updater_test.go
@@ -20,7 +20,7 @@ func TestUpdate(t *testing.T) {
return
}
t.Log("Found update")
- progress := DownloadVerifyAndExecute(0, nil)
+ progress := DownloadVerifyAndExecute(0)
for {
dp := <-progress
if dp.Error != nil {
diff --git a/updater/winhttp/httptest.exe b/updater/winhttp/httptest.exe
deleted file mode 100755
index 9f7ecda4..00000000
--- a/updater/winhttp/httptest.exe
+++ /dev/null
Binary files differ
diff --git a/version/debugging_linux.go b/version/debugging_linux.go
deleted file mode 100644
index da90e271..00000000
--- a/version/debugging_linux.go
+++ /dev/null
@@ -1,35 +0,0 @@
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2019-2020 WireGuard LLC. All Rights Reserved.
- */
-
-package version
-
-import (
- "bytes"
- "fmt"
-
- "golang.org/x/sys/unix"
-)
-
-// For testing the updater package from linux. Debug stuff only.
-
-func utsToStr(u [65]byte) string {
- i := bytes.IndexByte(u[:], 0)
- if i < 0 {
- return string(u[:])
- }
- return string(u[:i])
-}
-
-func OsName() string {
- var utsname unix.Utsname
- if unix.Uname(&utsname) != nil {
- return "Unix Unknown"
- }
- return fmt.Sprintf("%s %s %s", utsToStr(utsname.Sysname), utsToStr(utsname.Release), utsToStr(utsname.Version))
-}
-
-func VerifyAuthenticode(path string) bool {
- return true
-}
diff --git a/version/certificate_windows.go b/version/official.go
index b5ae3764..2345a0b7 100644
--- a/version/certificate_windows.go
+++ b/version/official.go
@@ -6,12 +6,58 @@
package version
import (
- "syscall"
+ "errors"
+ "os"
"unsafe"
"golang.org/x/sys/windows"
)
+const (
+ officialCommonName = "WireGuard LLC"
+ evPolicyOid = "2.23.140.1.3"
+ policyExtensionOid = "2.5.29.32"
+)
+
+// These are easily by-passable checks, which do not serve serve security purposes.
+// DO NOT PLACE SECURITY-SENSITIVE FUNCTIONS IN THIS FILE
+
+func IsRunningOfficialVersion() bool {
+ path, err := os.Executable()
+ if err != nil {
+ return false
+ }
+
+ names, err := extractCertificateNames(path)
+ if err != nil {
+ return false
+ }
+ for _, name := range names {
+ if name == officialCommonName {
+ return true
+ }
+ }
+ return false
+}
+
+func IsRunningEVSigned() bool {
+ path, err := os.Executable()
+ if err != nil {
+ return false
+ }
+
+ policies, err := extractCertificatePolicies(path, policyExtensionOid)
+ if err != nil {
+ return false
+ }
+ for _, policy := range policies {
+ if policy == evPolicyOid {
+ return true
+ }
+ }
+ return false
+}
+
func extractCertificateNames(path string) ([]string, error) {
path16, err := windows.UTF16PtrFromString(path)
if err != nil {
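Review bot: The exported IsRunningOfficialVersion and IsRunningEVSigned arrive in this file without doc comments, and the file-level warning placed just above them has a doubled word (`do not serve serve security purposes`). Suggest `// These are easily by-passable checks, which do not serve security purposes.` for that line, and above each function a comment stating what it reports, e.g. `// IsRunningOfficialVersion reports whether the running executable's signing certificate carries a name equal to officialCommonName; the result is informational only.` and `// IsRunningEVSigned reports whether the running executable's signing certificate lists the EV code-signing policy OID; the result is informational only.` The extractCertificateNames body begins at the end of this hunk and continues outside it.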
@@ -28,10 +74,8 @@ func extractCertificateNames(path string) ([]string, error) {
for {
cert, err = windows.CertEnumCertificatesInStore(certStore, cert)
if err != nil {
- if errno, ok := err.(syscall.Errno); ok {
- if errno == syscall.Errno(windows.CRYPT_E_NOT_FOUND) {
- break
- }
+ if errors.Is(err, windows.Errno(windows.CRYPT_E_NOT_FOUND)) {
+ break
}
return nil, err
}
@@ -52,7 +96,7 @@ func extractCertificateNames(path string) ([]string, error) {
names = append(names, windows.UTF16ToString(name16))
}
if names == nil {
- return nil, syscall.Errno(windows.CRYPT_E_NOT_FOUND)
+ return nil, windows.Errno(windows.CRYPT_E_NOT_FOUND)
}
return names, nil
}
@@ -77,10 +121,8 @@ func extractCertificatePolicies(path string, oid string) ([]string, error) {
for {
cert, err = windows.CertEnumCertificatesInStore(certStore, cert)
if err != nil {
- if errno, ok := err.(syscall.Errno); ok {
- if errno == syscall.Errno(windows.CRYPT_E_NOT_FOUND) {
- break
- }
+ if errors.Is(err, windows.Errno(windows.CRYPT_E_NOT_FOUND)) {
+ break
}
return nil, err
}
@@ -109,7 +151,7 @@ func extractCertificatePolicies(path string, oid string) ([]string, error) {
}
}
if policies == nil {
- return nil, syscall.Errno(windows.CRYPT_E_NOT_FOUND)
+ return nil, windows.Errno(windows.CRYPT_E_NOT_FOUND)
}
return policies, nil
}
diff --git a/version/official_windows.go b/version/official_windows.go
deleted file mode 100644
index 1bfcf90b..00000000
--- a/version/official_windows.go
+++ /dev/null
@@ -1,77 +0,0 @@
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2019-2020 WireGuard LLC. All Rights Reserved.
- */
-
-package version
-
-import (
- "os"
- "unsafe"
-
- "golang.org/x/sys/windows"
-)
-
-const (
- officialCommonName = "WireGuard LLC"
- evPolicyOid = "2.23.140.1.3"
- policyExtensionOid = "2.5.29.32"
-)
-
-func VerifyAuthenticode(path string) bool {
- path16, err := windows.UTF16PtrFromString(path)
- if err != nil {
- return false
- }
- data := &windows.WinTrustData{
- Size: uint32(unsafe.Sizeof(windows.WinTrustData{})),
- UIChoice: windows.WTD_UI_NONE,
- RevocationChecks: windows.WTD_REVOKE_WHOLECHAIN, // Full revocation checking, as this is called with network connectivity.
- UnionChoice: windows.WTD_CHOICE_FILE,
- StateAction: windows.WTD_STATEACTION_VERIFY,
- FileOrCatalogOrBlobOrSgnrOrCert: unsafe.Pointer(&windows.WinTrustFileInfo{
- Size: uint32(unsafe.Sizeof(windows.WinTrustFileInfo{})),
- FilePath: path16,
- }),
- }
- return windows.WinVerifyTrustEx(windows.InvalidHWND, &windows.WINTRUST_ACTION_GENERIC_VERIFY_V2, data) == nil
-}
-
-// These are easily by-passable checks, which do not serve serve security purposes. Do not place security-sensitive
-// functions below this line.
-
-func IsRunningOfficialVersion() bool {
- path, err := os.Executable()
- if err != nil {
- return false
- }
-
- names, err := extractCertificateNames(path)
- if err != nil {
- return false
- }
- for _, name := range names {
- if name == officialCommonName {
- return true
- }
- }
- return false
-}
-
-func IsRunningEVSigned() bool {
- path, err := os.Executable()
- if err != nil {
- return false
- }
-
- policies, err := extractCertificatePolicies(path, policyExtensionOid)
- if err != nil {
- return false
- }
- for _, policy := range policies {
- if policy == evPolicyOid {
- return true
- }
- }
- return false
-}
diff --git a/version/os_windows.go b/version/os.go
index 315a4901..315a4901 100644
--- a/version/os_windows.go
+++ b/version/os.go