author | Jason A. Donenfeld <Jason@zx2c4.com> | 2019-10-01 13:03:36 +0200 |
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2019-10-01 13:14:23 +0200 |
commit | 3932f8ac9fcedc41b478414ea78bbd3bf50364ee (patch) | |
tree | 52318575b200e084b2c7c1fc94c20bba7e782582 | |
parent | build: bump and loosen go version (diff) | |
Revert "version: use crypt32 instead of go x509 for cn extraction for file size"
This reverts commit 4cdc8fef9973a8d82593bff4e7cb350a20e0fa78.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to '')
-rw-r--r-- | version/official_windows.go | 6 | ||||
-rw-r--r-- | version/wintrust/certificate_test.go | 28 | ||||
-rw-r--r-- | version/wintrust/certificate_windows.go | 29 | ||||
-rw-r--r-- | version/wintrust/zsyscall_windows.go | 11 |
4 files changed, 15 insertions, 59 deletions
diff --git a/version/official_windows.go b/version/official_windows.go
index d9f041f6..b0f62250 100644
--- a/version/official_windows.go
+++ b/version/official_windows.go
@@ -67,12 +67,12 @@ func IsRunningOfficialVersion() bool {
 // This below tests is easily circumvented. False certificates can be appended, and just checking the
 // common name is not very good. But that's okay, as this isn't security related.
- names, err := wintrust.ExtractCertificateNames(path)
+ certs, err := wintrust.ExtractCertificates(path)
 if err != nil {
 return false
 }
- for _, name := range names {
- if name == officialCommonName {
+ for _, cert := range certs {
+ if cert.Subject.CommonName == officialCommonName {
 return true
 }
 }
diff --git a/version/wintrust/certificate_test.go b/version/wintrust/certificate_test.go
deleted file mode 100644
index 19007351..00000000
--- a/version/wintrust/certificate_test.go
+++ /dev/null
@@ -1,28 +0,0 @@
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2019 WireGuard LLC. All Rights Reserved.
- */
-
-package wintrust
-
-import (
- "fmt"
- "path/filepath"
- "testing"
-
- "golang.org/x/sys/windows"
-)
-
-func TestExtractCertificateNames(t *testing.T) {
- system32, err := windows.GetSystemDirectory()
- if err != nil {
- t.Fatal(err)
- }
- names, err := ExtractCertificateNames(filepath.Join(system32, "ntoskrnl.exe"))
- if err != nil {
- t.Fatal(err)
- }
- for i, name := range names {
- fmt.Printf("%d: %s\n", i, name)
- }
-}
diff --git a/version/wintrust/certificate_windows.go b/version/wintrust/certificate_windows.go
index 8c933f11..1e145095 100644
--- a/version/wintrust/certificate_windows.go
+++ b/version/wintrust/certificate_windows.go
@@ -6,6 +6,7 @@ package wintrust
 import (
+ "crypto/x509"
 "syscall"
 "unsafe"
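Review bot: The comment kept above the new `certs` loop in the `official_windows.go` hunk reads `This below tests is easily circumvented` and no longer says what the loop compares: with the reverted code it is `cert.Subject.CommonName` of every certificate the PKCS#7 store yields (presumably chain certificates included), with no signature or chain validation of any kind. Since the code itself says this is not security related, the fix is wording only; I would replace the two comment lines with `// The test below is easily circumvented: extra certificates can be appended to the signature, and matching only` / `// a subject common name, with no chain validation, proves nothing about the signer. That's okay, as this isn't security related.` The enclosing function starts and ends outside the hunk.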
@@ -16,13 +17,11 @@ const (
 _CERT_QUERY_OBJECT_FILE = 1
 _CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED = 1024
 _CERT_QUERY_FORMAT_FLAG_ALL = 14
- _CERT_NAME_SIMPLE_DISPLAY_TYPE = 4
 )
 //sys cryptQueryObject(objectType uint32, object uintptr, expectedContentTypeFlags uint32, expectedFormatTypeFlags uint32, flags uint32, msgAndCertEncodingType *uint32, contentType *uint32, formatType *uint32, certStore *windows.Handle, msg *windows.Handle, context *uintptr) (err error) = crypt32.CryptQueryObject
-//sys certGetNameString(certContext *windows.CertContext, nameType uint32, flags uint32, typePara uintptr, name *uint16, size uint32) (chars uint32) = crypt32.CertGetNameStringW
-func ExtractCertificateNames(path string) ([]string, error) {
+func ExtractCertificates(path string) ([]x509.Certificate, error) {
 path16, err := windows.UTF16PtrFromString(path)
 if err != nil {
 return nil, err
@@ -33,8 +32,8 @@ func ExtractCertificateNames(path string) ([]string, error) {
 return nil, err
 }
 defer windows.CertCloseStore(certStore, 0)
+ var certs []x509.Certificate
 var cert *windows.CertContext
- var names []string
 for {
 cert, err = windows.CertEnumCertificatesInStore(certStore, cert)
 if err != nil {
@@ -48,21 +47,13 @@ func ExtractCertificateNames(path string) ([]string, error) {
 if cert == nil {
 break
 }
- nameLen := certGetNameString(cert, _CERT_NAME_SIMPLE_DISPLAY_TYPE, 0, 0, nil, 0)
- if nameLen == 0 {
- continue
- }
- name16 := make([]uint16, nameLen)
- if certGetNameString(cert, _CERT_NAME_SIMPLE_DISPLAY_TYPE, 0, 0, &name16[0], nameLen) != nameLen {
- continue
- }
- if name16[0] == 0 {
- continue
+ buf := make([]byte, cert.Length)
+ copy(buf, (*[1 << 20]byte)(unsafe.Pointer(cert.EncodedCert))[:])
+ if c, err := x509.ParseCertificate(buf); err == nil {
+ certs = append(certs, *c)
+ } else {
+ return nil, err
 }
- names = append(names, windows.UTF16ToString(name16))
- }
- if names == nil {
- return nil, syscall.Errno(windows.CRYPT_E_NOT_FOUND)
 }
- return names, nil
+ return certs, nil
 }
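Review bot: In the `-48,21 +47,13` hunk, `copy(buf, (*[1 << 20]byte)(unsafe.Pointer(cert.EncodedCert))[:])` only stays in bounds because `copy` stops at `len(buf)`; a context whose `Length` exceeds 1 MiB is silently truncated, the zero-padded tail then fails `x509.ParseCertificate`, and because that failure is returned rather than skipped, one certificate anywhere in the signature store that Go's parser rejects aborts the whole extraction and makes `IsRunningOfficialVersion` report false for an otherwise fine binary. The code this replaced tolerated bad entries with `continue`, and the caller in `official_windows.go` only needs one matching subject, so unless another caller depends on the all-or-nothing error I would bound the slice to the real length, skip entries that do not fit the fixed array, and skip rather than return on a parse error. `unsafe.Slice` would be the cleaner way to build the view, but it presumably postdates the Go version this tree targets, so the array conversion stays. The function's signature and the store-opening code sit in the earlier hunks and between them, outside this one.
```go
// … unchanged: CertEnumCertificatesInStore loop head and nil check …
if cert.Length == 0 || cert.Length > 1<<20 {
	continue // does not fit the fixed-size view below; treat as unreadable, like the old name path did
}
buf := make([]byte, cert.Length)
copy(buf, (*[1 << 20]byte)(unsafe.Pointer(cert.EncodedCert))[:cert.Length:cert.Length])
c, err := x509.ParseCertificate(buf)
if err != nil {
	continue // one unparseable entry should not hide the others
}
certs = append(certs, *c)
// … unchanged: loop close and return certs, nil …
```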
diff --git a/version/wintrust/zsyscall_windows.go b/version/wintrust/zsyscall_windows.go
index 7c742938..4d73cc5e 100644
--- a/version/wintrust/zsyscall_windows.go
+++ b/version/wintrust/zsyscall_windows.go
@@ -40,9 +40,8 @@ var (
 modwintrust = windows.NewLazySystemDLL("wintrust.dll")
 modcrypt32 = windows.NewLazySystemDLL("crypt32.dll")
- procWinVerifyTrust = modwintrust.NewProc("WinVerifyTrust")
- procCryptQueryObject = modcrypt32.NewProc("CryptQueryObject")
- procCertGetNameStringW = modcrypt32.NewProc("CertGetNameStringW")
+ procWinVerifyTrust = modwintrust.NewProc("WinVerifyTrust")
+ procCryptQueryObject = modcrypt32.NewProc("CryptQueryObject")
 )
 func WinVerifyTrust(hWnd windows.Handle, actionId *windows.GUID, data *WinTrustData) (err error) {
@@ -68,9 +67,3 @@ func cryptQueryObject(objectType uint32, object uintptr, expectedContentTypeFlag
 }
 return
 }
-
-func certGetNameString(certContext *windows.CertContext, nameType uint32, flags uint32, typePara uintptr, name *uint16, size uint32) (chars uint32) {
- r0, _, _ := syscall.Syscall6(procCertGetNameStringW.Addr(), 6, uintptr(unsafe.Pointer(certContext)), uintptr(nameType), uintptr(flags), uintptr(typePara), uintptr(unsafe.Pointer(name)), uintptr(size))
- chars = uint32(r0)
- return
-} |