author | Jason A. Donenfeld <Jason@zx2c4.com> | 2020-11-17 09:59:18 +0100 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2020-11-17 10:50:25 +0100 |
commit | eaad9e896a574cafc15a97b38ac0e757bb746323 (patch) | |
tree | f88e13e639114ec00ebd916d1704a88feadf67d0 /installer/fetcher/fetcher.c | |
parent | updater: do not allow WinVerifyTrust to use UI (diff) | |
fetcher: check WinVerifyTrust before execution
Our YubiHSM signature is much stronger than the junky authenticode one,
but still, it can't hurt. This also hedges against anti-virus in the
event that we forget to sign it -- A/V will inspect whatever code the
fetcher executes, and so we only want to execute authenticode-signed
MSIs, to avoid training their heuristics.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to '')
-rw-r--r-- | installer/fetcher/fetcher.c | 22 |
1 files changed, 19 insertions, 3 deletions
diff --git a/installer/fetcher/fetcher.c b/installer/fetcher/fetcher.c
index ad392068..81c8d7e5 100644
--- a/installer/fetcher/fetcher.c
+++ b/installer/fetcher/fetcher.c
@@ -10,6 +10,8 @@
 #include <ntsecapi.h>
 #include <sddl.h>
 #include <winhttp.h>
+#include <wintrust.h>
+#include <softpub.h>
 #include <msi.h>
 #include <stdio.h>
 #include <string.h>
@@ -80,7 +82,16 @@ static DWORD __stdcall download_thread(void *param)
 size_t total_bytes, current_bytes;
 const char *arch;
 blake2b_ctx hasher;
- SECURITY_ATTRIBUTES security_attributes = { .nLength = sizeof(SECURITY_ATTRIBUTES) };
+ SECURITY_ATTRIBUTES security_attributes = { .nLength = sizeof(security_attributes) };
+ WINTRUST_FILE_INFO wintrust_fileinfo = { .cbStruct = sizeof(wintrust_fileinfo) };
+ WINTRUST_DATA wintrust_data = {
+ .cbStruct = sizeof(wintrust_data),
+ .dwUIChoice = WTD_UI_NONE,
+ .fdwRevocationChecks = WTD_REVOKE_WHOLECHAIN,
+ .dwUnionChoice = WTD_CHOICE_FILE,
+ .dwStateAction = WTD_STATEACTION_VERIFY,
+ .pFile = &wintrust_fileinfo
+ };
 
 (void)param;
 
@@ -163,13 +174,18 @@ static DWORD __stdcall download_thread(void *param)
 goto out;
 set_progress(progress, current_bytes, total_bytes);
 }
+
+ set_status(progress, "verifying installer");
 blake2b_final(&hasher, computed_hash);
 if (memcmp(hash, computed_hash, sizeof(hash)))
 goto out;
-
- set_status(progress, "launching installer");
 CloseHandle(filehandle); //TODO: I wish this wasn't required.
 filehandle = INVALID_HANDLE_VALUE;
+ wintrust_fileinfo.pcwszFilePath = L(msi_filename);
+ if (WinVerifyTrust(INVALID_HANDLE_VALUE, &(GUID)WINTRUST_ACTION_GENERIC_VERIFY_V2, &wintrust_data))
+ goto out;
+
+ set_status(progress, "launching installer");
 ShowWindow(progress, SW_HIDE);
 ret = MsiInstallProductA(msi_filename, NULL);
 ret = ret == ERROR_INSTALL_USEREXIT ? ERROR_SUCCESS : ret; |
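Review bot: The `wintrust_data` initializer in the second hunk sets `.dwStateAction = WTD_STATEACTION_VERIFY`, which makes WinVerifyTrust allocate provider state in `hWVTStateData` that is only released by a later call with `WTD_STATEACTION_CLOSE`, and no such call appears in the visible hunks. Either drop that initializer so the field keeps its zero default (`WTD_STATEACTION_IGNORE`), or after the check set `wintrust_data.dwStateAction = WTD_STATEACTION_CLOSE;` and call `WinVerifyTrust` once more with the same arguments, on the failure path as well as the success path. download_thread starts and ends outside these hunks, so a close in the `out:` cleanup cannot be ruled out from here.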
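Review bot: Both path-based consumers in the third hunk run after `CloseHandle(filehandle)`, so the BLAKE2b comparison covers the bytes written through the handle while `WinVerifyTrust` and `MsiInstallProductA` each reopen `msi_filename` by path. The installed file's integrity therefore depends on nobody else being able to replace the file between the close and the install, which is presumably what `security_attributes` enforces at creation (the creation call is not visible here). I would record that next to the existing TODO, e.g. `/* hash is checked on our handle; WinVerifyTrust and MSI reopen by path, so the file's DACL must keep it unwritable by others */`. The same comment should say that the generic verify action accepts any signer chaining to a trusted root, so the hash, not Authenticode, is what binds the file to this release. The function body continues outside the hunk.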