author | Jason A. Donenfeld <Jason@zx2c4.com> | 2020-11-17 09:59:18 +0100 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2020-11-17 10:50:25 +0100 |
commit | eaad9e896a574cafc15a97b38ac0e757bb746323 (patch) | |
tree | f88e13e639114ec00ebd916d1704a88feadf67d0 /installer | |
parent | updater: do not allow WinVerifyTrust to use UI (diff) | |
fetcher: check WinVerifyTrust before execution
Our YubiHSM signature is much stronger than the junky authenticode one,
but still, it can't hurt. This also hedges against anti-virus in the
event that we forget to sign it -- A/V will inspect whatever code the
fetcher executes, and so we only want to execute authenticode-signed
MSIs, to avoid training their heuristics.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'installer')
-rw-r--r-- | installer/fetcher/Makefile | 4 | ||||
-rw-r--r-- | installer/fetcher/fetcher.c | 22 |
2 files changed, 21 insertions, 5 deletions
diff --git a/installer/fetcher/Makefile b/installer/fetcher/Makefile
index bbec8e17..49b0bc51 100644
--- a/installer/fetcher/Makefile
+++ b/installer/fetcher/Makefile
@@ -9,11 +9,11 @@ DEPLOYMENT_PATH ?= Desktop
 CFLAGS += -std=gnu11 -DWINVER=0x0601 -D_WIN32_WINNT=0x0601 -flto
 CFLAGS += -Wall -Wextra
 CFLAGS += -MMD -MP
-LDLIBS += -lkernel32 -lwinhttp -lntdll -lshlwapi -lmsi -lcomctl32 -luser32 -lshell32
+LDLIBS += -lkernel32 -lwinhttp -lntdll -lshlwapi -lmsi -lcomctl32 -luser32 -lshell32 -lwintrust
 LDFLAGS += -s -flto -Wl,--dynamicbase -Wl,--nxcompat -Wl,--tsaware -mwindows
 LDFLAGS += -Wl,--major-os-version=6 -Wl,--minor-os-version=1 -Wl,--major-subsystem-version=6 -Wl,--minor-subsystem-version=1
 # The use of -Wl,/delayload: here implies we're using llvm-mingw
-LDFLAGS += -Wl,/delayload:winhttp.dll -Wl,/delayload:msi.dll
+LDFLAGS += -Wl,/delayload:winhttp.dll -Wl,/delayload:msi.dll -Wl,/delayload:wintrust.dll
 TARGET := wireguard-installer.exe
 CC := i686-w64-mingw32-clang
 WINDRES := i686-w64-mingw32-windres
diff --git a/installer/fetcher/fetcher.c b/installer/fetcher/fetcher.c
index ad392068..81c8d7e5 100644
--- a/installer/fetcher/fetcher.c
+++ b/installer/fetcher/fetcher.c
@@ -10,6 +10,8 @@
 #include <ntsecapi.h>
 #include <sddl.h>
 #include <winhttp.h>
+#include <wintrust.h>
+#include <softpub.h>
 #include <msi.h>
 #include <stdio.h>
 #include <string.h>
@@ -80,7 +82,16 @@ static DWORD __stdcall download_thread(void *param)
 size_t total_bytes, current_bytes;
 const char *arch;
 blake2b_ctx hasher;
- SECURITY_ATTRIBUTES security_attributes = { .nLength = sizeof(SECURITY_ATTRIBUTES) };
+ SECURITY_ATTRIBUTES security_attributes = { .nLength = sizeof(security_attributes) };
+ WINTRUST_FILE_INFO wintrust_fileinfo = { .cbStruct = sizeof(wintrust_fileinfo) };
+ WINTRUST_DATA wintrust_data = {
+ .cbStruct = sizeof(wintrust_data),
+ .dwUIChoice = WTD_UI_NONE,
+ .fdwRevocationChecks = WTD_REVOKE_WHOLECHAIN,
+ .dwUnionChoice = WTD_CHOICE_FILE,
+ .dwStateAction = WTD_STATEACTION_VERIFY,
+ .pFile = &wintrust_fileinfo
+ };
 (void)param;
@@ -163,13 +174,18 @@ static DWORD __stdcall download_thread(void *param)
 goto out;
 set_progress(progress, current_bytes, total_bytes);
 }
+
+ set_status(progress, "verifying installer");
 blake2b_final(&hasher, computed_hash);
 if (memcmp(hash, computed_hash, sizeof(hash)))
 goto out;
-
- set_status(progress, "launching installer");
 CloseHandle(filehandle); //TODO: I wish this wasn't required.
 filehandle = INVALID_HANDLE_VALUE;
+ wintrust_fileinfo.pcwszFilePath = L(msi_filename);
+ if (WinVerifyTrust(INVALID_HANDLE_VALUE, &(GUID)WINTRUST_ACTION_GENERIC_VERIFY_V2, &wintrust_data))
+ goto out;
+
+ set_status(progress, "launching installer");
 ShowWindow(progress, SW_HIDE);
 ret = MsiInstallProductA(msi_filename, NULL);
 ret = ret == ERROR_INSTALL_USEREXIT ? ERROR_SUCCESS : ret; |
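Review bot: `.dwStateAction = WTD_STATEACTION_VERIFY` in the new `wintrust_data` initializer asks WinVerifyTrust to keep provider state in `hWVTStateData`, and nothing in this commit releases it; the diffstat accounts for every changed line in fetcher.c and none of them issues a close. Either drop the `.dwStateAction` line so no state is retained, or after the verify call set `wintrust_data.dwStateAction = WTD_STATEACTION_CLOSE;` and call `WinVerifyTrust` once more on both the success path and the `goto out` path. The body of download_thread begins and ends outside this hunk, so whatever cleanup already sits at `out:` is not visible here.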
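Review bot: The Authenticode check runs on `msi_filename` by path after `CloseHandle(filehandle)`, so WinVerifyTrust and then MsiInstallProductA each re-open the file instead of reading the object whose BLAKE2b hash was just compared. Whether the file can be replaced in between depends on the download directory and on the DACL applied through `security_attributes`, both set outside this hunk; a comment at the `CloseHandle` line would record that assumption, e.g. `/* Reopened by path below; the file's DACL must keep other principals from replacing it. */`. If the handle carries read access, setting `wintrust_fileinfo.hFile = filehandle;` and verifying before the close would tie the signature check to the hashed bytes. A zero return also only establishes some trusted Authenticode chain, not a particular publisher, so the hash comparison has to remain the gate on identity.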