authorJason A. Donenfeld <Jason@zx2c4.com>2019-10-02 11:51:33 +0200
committerJason A. Donenfeld <Jason@zx2c4.com>2019-10-02 11:51:33 +0200
commit912396a1fc27e242875ce4ff913b997992e43839 (patch)
tree38bf91712ded2c2a4e9a7c07bf955013ee678bae
parentringlogger: simplify (diff)
downloadwireguard-windows-912396a1fc27e242875ce4ff913b997992e43839.tar.xz
wireguard-windows-912396a1fc27e242875ce4ff913b997992e43839.zip
version: speed up start up by omitting winverifytrust call
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
-rw-r--r--version/official_windows.go52
1 files changed, 6 insertions, 46 deletions
diff --git a/version/official_windows.go b/version/official_windows.go
index fffebe55..5f8ea731 100644
--- a/version/official_windows.go
+++ b/version/official_windows.go
@@ -57,29 +57,10 @@ func IsRunningOfficialVersion() bool {
if err != nil {
return false
}
- path16, err := windows.UTF16PtrFromString(path)
- if err != nil {
- return false
- }
- file := &wintrust.WinTrustFileInfo{
- CbStruct: uint32(unsafe.Sizeof(wintrust.WinTrustFileInfo{})),
- FilePath: path16,
- }
- data := &wintrust.WinTrustData{
- CbStruct: uint32(unsafe.Sizeof(wintrust.WinTrustData{})),
- UIChoice: wintrust.WTD_UI_NONE,
- RevocationChecks: wintrust.WTD_REVOKE_NONE, // No revocation, as this isn't security related.
- UnionChoice: wintrust.WTD_CHOICE_FILE,
- StateAction: wintrust.WTD_STATEACTION_VERIFY,
- FileOrCatalogOrBlobOrSgnrOrCert: uintptr(unsafe.Pointer(file)),
- }
- err = wintrust.WinVerifyTrust(0, &wintrust.WINTRUST_ACTION_GENERIC_VERIFY_V2, data)
- if err != nil {
- return false
- }
- // This below test is easily circumvented. False certificates can be appended, and just checking the
- // common name is not very good. But that's okay, as this isn't security related.
+ // This is easily circumvented. We don't even verify the chain before hand with WinVerifyTrust.
+ // False certificates can be appended. But that's okay, as this isn't security related.
+
certs, err := wintrust.ExtractCertificates(path)
if err != nil {
return false
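Review bot: With the WinVerifyTrust call gone, the only statement that this result is not a trust decision is the inline comment added above `wintrust.ExtractCertificates(path)`, which callers of the exported function never see. I would move it into a doc comment on the function, e.g. `// IsRunningOfficialVersion is informational only: the signature chain is not verified, so the result must never gate a security decision.` The same applies to `IsRunningEVSigned` in the second hunk, where the commit deletes the existing doc comment that said this instead of keeping it. The diffstat is fully accounted for by these two hunks, so no import line changes; it is worth confirming that `unsafe` and `windows` are still referenced elsewhere in the file. The function body starts and ends outside the hunk, so how `certs` is evaluated afterwards is not visible here.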
@@ -92,36 +73,15 @@ func IsRunningOfficialVersion() bool {
return false
}
-// This is an easily by-passable check, which doesn't serve a security purpose but mostly just a low-grade
-// informational and semantic one.
func IsRunningEVSigned() bool {
path, err := os.Executable()
if err != nil {
return false
}
- path16, err := windows.UTF16PtrFromString(path)
- if err != nil {
- return false
- }
- file := &wintrust.WinTrustFileInfo{
- CbStruct: uint32(unsafe.Sizeof(wintrust.WinTrustFileInfo{})),
- FilePath: path16,
- }
- data := &wintrust.WinTrustData{
- CbStruct: uint32(unsafe.Sizeof(wintrust.WinTrustData{})),
- UIChoice: wintrust.WTD_UI_NONE,
- RevocationChecks: wintrust.WTD_REVOKE_NONE, // No revocation, as this isn't security related.
- UnionChoice: wintrust.WTD_CHOICE_FILE,
- StateAction: wintrust.WTD_STATEACTION_VERIFY,
- FileOrCatalogOrBlobOrSgnrOrCert: uintptr(unsafe.Pointer(file)),
- }
- err = wintrust.WinVerifyTrust(0, &wintrust.WINTRUST_ACTION_GENERIC_VERIFY_V2, data)
- if err != nil {
- return false
- }
- // This below tests is easily circumvented. False certificates can be appended. But that's okay, as this isn't
- // security related.
+ // This is easily circumvented. We don't even verify the chain before hand with WinVerifyTrust.
+ // False certificates can be appended. But that's okay, as this isn't security related.
+
certs, err := wintrust.ExtractCertificates(path)
if err != nil {
return false