authorJason A. Donenfeld <Jason@zx2c4.com>2021-01-22 18:24:33 +0100
committerJason A. Donenfeld <Jason@zx2c4.com>2021-01-24 00:12:24 +0100
commitfc41f439f573fce3efdd37017f072f86cb7828ff (patch)
tree1889c42f4a4dc5190c88c87ec2a05d172a396459 /conf
parentembeddable-dll-service: add more robust example for .NET 5 (diff)
downloadwireguard-windows-fc41f439f573fce3efdd37017f072f86cb7828ff.tar.xz
wireguard-windows-fc41f439f573fce3efdd37017f072f86cb7828ff.zip
global: move certain win32 APIs to x/sys/windows
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'conf')
-rw-r--r--conf/dpapi/dpapi_windows.go59
-rw-r--r--conf/dpapi/mksyscall.go8
-rwxr-xr-xconf/dpapi/test.exebin0 -> 3622400 bytes
-rw-r--r--conf/dpapi/zdpapi_windows.go61
-rw-r--r--conf/storewatcher_windows.go24
-rw-r--r--conf/zsyscall_windows.go28
6 files changed, 27 insertions, 153 deletions
diff --git a/conf/dpapi/dpapi_windows.go b/conf/dpapi/dpapi_windows.go
index 778605e9..45ad950e 100644
--- a/conf/dpapi/dpapi_windows.go
+++ b/conf/dpapi/dpapi_windows.go
@@ -9,78 +9,59 @@ import (
"errors"
"runtime"
"unsafe"
+ "fmt"
"golang.org/x/sys/windows"
)
-const (
- dpCRYPTPROTECT_UI_FORBIDDEN uint32 = 0x1
- dpCRYPTPROTECT_LOCAL_MACHINE uint32 = 0x4
- dpCRYPTPROTECT_CRED_SYNC uint32 = 0x8
- dpCRYPTPROTECT_AUDIT uint32 = 0x10
- dpCRYPTPROTECT_NO_RECOVERY uint32 = 0x20
- dpCRYPTPROTECT_VERIFY_PROTECTION uint32 = 0x40
- dpCRYPTPROTECT_CRED_REGENERATE uint32 = 0x80
-)
-
-type dpBlob struct {
- len uint32
- data uintptr
+func bytesToBlob(bytes []byte) *windows.DataBlob {
+ blob := &windows.DataBlob{Size: uint32(len(bytes))}
+ if len(bytes) > 0 {
+ blob.Data = &bytes[0]
+ }
+ return blob
}
-func bytesToBlob(bytes []byte) *dpBlob {
- blob := &dpBlob{}
- blob.len = uint32(len(bytes))
- if len(bytes) > 0 {
- blob.data = uintptr(unsafe.Pointer(&bytes[0]))
- }
- return blob
-}
-
-//sys cryptProtectData(dataIn *dpBlob, name *uint16, optionalEntropy *dpBlob, reserved uintptr, promptStruct uintptr, flags uint32, dataOut *dpBlob) (err error) = crypt32.CryptProtectData
-
func Encrypt(data []byte, name string) ([]byte, error) {
- out := dpBlob{}
- err := cryptProtectData(bytesToBlob(data), windows.StringToUTF16Ptr(name), nil, 0, 0, dpCRYPTPROTECT_UI_FORBIDDEN, &out)
+ out := windows.DataBlob{}
+ err := windows.CryptProtectData(bytesToBlob(data), windows.StringToUTF16Ptr(name), nil, 0, nil, windows.CRYPTPROTECT_UI_FORBIDDEN, &out)
if err != nil {
- return nil, errors.New("Unable to encrypt DPAPI protected data: " + err.Error())
+ return nil, fmt.Errorf("unable to encrypt DPAPI protected data: %w", err)
}
outSlice := *(*[]byte)(unsafe.Pointer(&(struct {
- addr uintptr
+ addr *byte
len int
cap int
- }{out.data, int(out.len), int(out.len)})))
+ }{out.Data, int(out.Size), int(out.Size)})))
ret := make([]byte, len(outSlice))
copy(ret, outSlice)
- windows.LocalFree(windows.Handle(out.data))
+ windows.LocalFree(windows.Handle(unsafe.Pointer(out.Data)))
return ret, nil
}
-//sys cryptUnprotectData(dataIn *dpBlob, name **uint16, optionalEntropy *dpBlob, reserved uintptr, promptStruct uintptr, flags uint32, dataOut *dpBlob) (err error) = crypt32.CryptUnprotectData
-
func Decrypt(data []byte, name string) ([]byte, error) {
- out := dpBlob{}
+ out := windows.DataBlob{}
var outName *uint16
utf16Name, err := windows.UTF16PtrFromString(name)
if err != nil {
return nil, err
}
- err = cryptUnprotectData(bytesToBlob(data), &outName, nil, 0, 0, dpCRYPTPROTECT_UI_FORBIDDEN, &out)
+ err = windows.CryptUnprotectData(bytesToBlob(data), &outName, nil, 0, nil, windows.CRYPTPROTECT_UI_FORBIDDEN, &out)
if err != nil {
- return nil, errors.New("Unable to decrypt DPAPI protected data: " + err.Error())
+ return nil, fmt.Errorf("unable to decrypt DPAPI protected data: %w", err)
}
outSlice := *(*[]byte)(unsafe.Pointer(&(struct {
- addr uintptr
+ addr *byte
len int
cap int
- }{out.data, int(out.len), int(out.len)})))
+ }{out.Data, int(out.Size), int(out.Size)})))
ret := make([]byte, len(outSlice))
copy(ret, outSlice)
- windows.LocalFree(windows.Handle(out.data))
+ windows.LocalFree(windows.Handle(unsafe.Pointer(out.Data)))
// Note: this ridiculous open-coded strcmp is not constant time.
different := false
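Review bot: Encrypt's CryptProtectData call still builds the name with `windows.StringToUTF16Ptr`, which x/sys/windows marks deprecated and which panics when the string contains a NUL, while Decrypt a few lines below already uses `windows.UTF16PtrFromString` and returns the error; since the caller of Encrypt is the one choosing the name, the same pattern belongs here: `utf16Name, err := windows.UTF16PtrFromString(name)`, `if err != nil { return nil, err }`, then `err = windows.CryptProtectData(bytesToBlob(data), utf16Name, nil, 0, nil, windows.CRYPTPROTECT_UI_FORBIDDEN, &out)`. The added `"fmt"` import sits after `"unsafe"` and next to the x/sys import rather than in sorted order with the other standard-library imports, which goimports would reject (the blank-line grouping is not visible in this rendering, so this may just be a placement issue). In both functions the LocalAlloc'd buffer that holds the decrypted or encrypted bytes is copied and then handed to LocalFree without being cleared; for Decrypt that buffer holds plaintext secrets, so zeroing it before the free (e.g. with `windows.RtlSecureZeroMemory`, if it is available in the vendored x/sys version) would be a cheap hardening, though the Go-side `ret` copy cannot be given the same guarantee. Decrypt's body continues past the end of this hunk.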
@@ -101,7 +82,7 @@ func Decrypt(data []byte, name string) ([]byte, error) {
windows.LocalFree(windows.Handle(unsafe.Pointer(outName)))
if different {
- return nil, errors.New("The input name does not match the stored name")
+ return nil, errors.New("input name does not match the stored name")
}
return ret, nil
diff --git a/conf/dpapi/mksyscall.go b/conf/dpapi/mksyscall.go
deleted file mode 100644
index 7c27e2d9..00000000
--- a/conf/dpapi/mksyscall.go
+++ /dev/null
@@ -1,8 +0,0 @@
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2019-2020 WireGuard LLC. All Rights Reserved.
- */
-
-package dpapi
-
-//go:generate go run golang.org/x/sys/windows/mkwinsyscall -output zdpapi_windows.go dpapi_windows.go
diff --git a/conf/dpapi/test.exe b/conf/dpapi/test.exe
new file mode 100755
index 00000000..9e5f23a7
--- /dev/null
+++ b/conf/dpapi/test.exe
Binary files differ
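Review bot: conf/dpapi/test.exe is a roughly 3.6 MB compiled executable added by this commit with no source, build step or mention in the commit message, and unlike every other file here it has nothing to do with moving APIs to x/sys/windows. A checked-in binary cannot be reviewed or reproduced from the tree and will be carried in every clone, so it looks like a stray local test build that should be dropped from this commit; if such builds are routine, a `.gitignore` entry for the artefact would prevent the next one.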
diff --git a/conf/dpapi/zdpapi_windows.go b/conf/dpapi/zdpapi_windows.go
deleted file mode 100644
index 43738a52..00000000
--- a/conf/dpapi/zdpapi_windows.go
+++ /dev/null
@@ -1,61 +0,0 @@
-// Code generated by 'go generate'; DO NOT EDIT.
-
-package dpapi
-
-import (
- "syscall"
- "unsafe"
-
- "golang.org/x/sys/windows"
-)
-
-var _ unsafe.Pointer
-
-// Do the interface allocations only once for common
-// Errno values.
-const (
- errnoERROR_IO_PENDING = 997
-)
-
-var (
- errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING)
- errERROR_EINVAL error = syscall.EINVAL
-)
-
-// errnoErr returns common boxed Errno values, to prevent
-// allocations at runtime.
-func errnoErr(e syscall.Errno) error {
- switch e {
- case 0:
- return errERROR_EINVAL
- case errnoERROR_IO_PENDING:
- return errERROR_IO_PENDING
- }
- // TODO: add more here, after collecting data on the common
- // error values see on Windows. (perhaps when running
- // all.bat?)
- return e
-}
-
-var (
- modcrypt32 = windows.NewLazySystemDLL("crypt32.dll")
-
- procCryptProtectData = modcrypt32.NewProc("CryptProtectData")
- procCryptUnprotectData = modcrypt32.NewProc("CryptUnprotectData")
-)
-
-func cryptProtectData(dataIn *dpBlob, name *uint16, optionalEntropy *dpBlob, reserved uintptr, promptStruct uintptr, flags uint32, dataOut *dpBlob) (err error) {
- r1, _, e1 := syscall.Syscall9(procCryptProtectData.Addr(), 7, uintptr(unsafe.Pointer(dataIn)), uintptr(unsafe.Pointer(name)), uintptr(unsafe.Pointer(optionalEntropy)), uintptr(reserved), uintptr(promptStruct), uintptr(flags), uintptr(unsafe.Pointer(dataOut)), 0, 0)
- if r1 == 0 {
- err = errnoErr(e1)
- }
- return
-}
-
-func cryptUnprotectData(dataIn *dpBlob, name **uint16, optionalEntropy *dpBlob, reserved uintptr, promptStruct uintptr, flags uint32, dataOut *dpBlob) (err error) {
- r1, _, e1 := syscall.Syscall9(procCryptUnprotectData.Addr(), 7, uintptr(unsafe.Pointer(dataIn)), uintptr(unsafe.Pointer(name)), uintptr(unsafe.Pointer(optionalEntropy)), uintptr(reserved), uintptr(promptStruct), uintptr(flags), uintptr(unsafe.Pointer(dataOut)), 0, 0)
- if r1 == 0 {
- err = errnoErr(e1)
- }
- return
-}
diff --git a/conf/storewatcher_windows.go b/conf/storewatcher_windows.go
index c5754558..44b4564e 100644
--- a/conf/storewatcher_windows.go
+++ b/conf/storewatcher_windows.go
@@ -11,20 +11,6 @@ import (
"golang.org/x/sys/windows"
)
-const (
- fncFILE_NAME uint32 = 0x00000001
- fncDIR_NAME uint32 = 0x00000002
- fncATTRIBUTES uint32 = 0x00000004
- fncSIZE uint32 = 0x00000008
- fncLAST_WRITE uint32 = 0x00000010
- fncLAST_ACCESS uint32 = 0x00000020
- fncCREATION uint32 = 0x00000040
- fncSECURITY uint32 = 0x00000100
-)
-
-//sys findFirstChangeNotification(path *uint16, watchSubtree bool, filter uint32) (handle windows.Handle, err error) [failretval==windows.InvalidHandle] = kernel32.FindFirstChangeNotificationW
-//sys findNextChangeNotification(handle windows.Handle) (err error) = kernel32.FindNextChangeNotification
-
var haveStartedWatchingConfigDir bool
func startWatchingConfigDir() {
@@ -36,7 +22,7 @@ func startWatchingConfigDir() {
h := windows.InvalidHandle
defer func() {
if h != windows.InvalidHandle {
- windows.CloseHandle(h)
+ windows.FindCloseChangeNotification(h)
}
haveStartedWatchingConfigDir = false
}()
@@ -45,7 +31,7 @@ func startWatchingConfigDir() {
if err != nil {
return
}
- h, err = findFirstChangeNotification(windows.StringToUTF16Ptr(configFileDir), true, fncFILE_NAME|fncDIR_NAME|fncATTRIBUTES|fncSIZE|fncLAST_WRITE|fncLAST_ACCESS|fncCREATION|fncSECURITY)
+ h, err = windows.FindFirstChangeNotification(configFileDir, true, windows.FILE_NOTIFY_CHANGE_FILE_NAME|windows.FILE_NOTIFY_CHANGE_DIR_NAME|windows.FILE_NOTIFY_CHANGE_ATTRIBUTES|windows.FILE_NOTIFY_CHANGE_SIZE|windows.FILE_NOTIFY_CHANGE_LAST_WRITE|windows.FILE_NOTIFY_CHANGE_LAST_ACCESS|windows.FILE_NOTIFY_CHANGE_CREATION|windows.FILE_NOTIFY_CHANGE_SECURITY)
if err != nil {
log.Printf("Unable to monitor config directory: %v", err)
return
@@ -54,7 +40,7 @@ func startWatchingConfigDir() {
s, err := windows.WaitForSingleObject(h, windows.INFINITE)
if err != nil || s == windows.WAIT_FAILED {
log.Printf("Unable to wait on config directory watcher: %v", err)
- windows.CloseHandle(h)
+ windows.FindCloseChangeNotification(h)
h = windows.InvalidHandle
goto startover
}
@@ -63,10 +49,10 @@ func startWatchingConfigDir() {
cb.cb()
}
- err = findNextChangeNotification(h)
+ err = windows.FindNextChangeNotification(h)
if err != nil {
log.Printf("Unable to monitor config directory again: %v", err)
- windows.CloseHandle(h)
+ windows.FindCloseChangeNotification(h)
h = windows.InvalidHandle
goto startover
}
diff --git a/conf/zsyscall_windows.go b/conf/zsyscall_windows.go
index c012abaa..783411f6 100644
--- a/conf/zsyscall_windows.go
+++ b/conf/zsyscall_windows.go
@@ -38,35 +38,11 @@ func errnoErr(e syscall.Errno) error {
}
var (
- modkernel32 = windows.NewLazySystemDLL("kernel32.dll")
- modwininet = windows.NewLazySystemDLL("wininet.dll")
+ modwininet = windows.NewLazySystemDLL("wininet.dll")
- procFindFirstChangeNotificationW = modkernel32.NewProc("FindFirstChangeNotificationW")
- procFindNextChangeNotification = modkernel32.NewProc("FindNextChangeNotification")
- procInternetGetConnectedState = modwininet.NewProc("InternetGetConnectedState")
+ procInternetGetConnectedState = modwininet.NewProc("InternetGetConnectedState")
)
-func findFirstChangeNotification(path *uint16, watchSubtree bool, filter uint32) (handle windows.Handle, err error) {
- var _p0 uint32
- if watchSubtree {
- _p0 = 1
- }
- r0, _, e1 := syscall.Syscall(procFindFirstChangeNotificationW.Addr(), 3, uintptr(unsafe.Pointer(path)), uintptr(_p0), uintptr(filter))
- handle = windows.Handle(r0)
- if handle == windows.InvalidHandle {
- err = errnoErr(e1)
- }
- return
-}
-
-func findNextChangeNotification(handle windows.Handle) (err error) {
- r1, _, e1 := syscall.Syscall(procFindNextChangeNotification.Addr(), 1, uintptr(handle), 0, 0)
- if r1 == 0 {
- err = errnoErr(e1)
- }
- return
-}
-
func internetGetConnectedState(flags *uint32, reserved uint32) (connected bool) {
r0, _, _ := syscall.Syscall(procInternetGetConnectedState.Addr(), 2, uintptr(unsafe.Pointer(flags)), uintptr(reserved), 0)
connected = r0 != 0