authorJason A. Donenfeld <Jason@zx2c4.com>2019-05-31 13:15:53 +0200
committerJason A. Donenfeld <Jason@zx2c4.com>2019-05-31 13:15:53 +0200
commit69c32375d1831bcf4e98bccead51b8d0b7c58bff (patch)
treeb7270a6f503dd9106c1d4d824230b3f09abda740 /tunnel/firewall
parenttunnel: logical simplification (diff)
downloadwireguard-windows-69c32375d1831bcf4e98bccead51b8d0b7c58bff.tar.xz
wireguard-windows-69c32375d1831bcf4e98bccead51b8d0b7c58bff.zip
firewall: use random GUIDs
Diffstat (limited to 'tunnel/firewall')
-rw-r--r--tunnel/firewall/blocker.go33
-rw-r--r--tunnel/firewall/helpers.go14
2 files changed, 27 insertions, 20 deletions
diff --git a/tunnel/firewall/blocker.go b/tunnel/firewall/blocker.go
index cdb656b0..e02fd05f 100644
--- a/tunnel/firewall/blocker.go
+++ b/tunnel/firewall/blocker.go
@@ -48,31 +48,27 @@ func createWfpSession() (uintptr, error) {
}
func registerBaseObjects(session uintptr) (*baseObjects, error) {
- // {48E29F38-7492-4436-8F92-29D78A8D29D3}
- providerGUID := windows.GUID{
- Data1: 0x48e29f38,
- Data2: 0x7492,
- Data3: 0x4436,
- Data4: [8]byte{0x8f, 0x92, 0x29, 0xd7, 0x8a, 0x8d, 0x29, 0xd3},
+ bo := &baseObjects{}
+ var err error
+ bo.provider, err = randGUID()
+ if err != nil {
+ return nil, wrapErr(err)
}
- // {FE3DB7F8-4658-4DE5-8DA9-CE5086A8266B}
- filtersGUID := windows.GUID{
- Data1: 0xfe3db7f8,
- Data2: 0x4658,
- Data3: 0x4de5,
- Data4: [8]byte{0x8d, 0xa9, 0xce, 0x50, 0x86, 0xa8, 0x26, 0x6b},
+ bo.filters, err = randGUID()
+ if err != nil {
+ return nil, wrapErr(err)
}
//
// Register provider.
//
{
- displayData, err := createWtFwpmDisplayData0("WireGuard", "The WireGuard provider")
+ displayData, err := createWtFwpmDisplayData0("WireGuard", "WireGuard provider")
if err != nil {
return nil, wrapErr(err)
}
provider := wtFwpmProvider0{
- providerKey: providerGUID,
+ providerKey: bo.provider,
displayData: *displayData,
}
err = fwpmProviderAdd0(session, &provider, 0)
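Review bot: The `var err error` introduced at the top of registerBaseObjects is shadowed by `displayData, err := createWtFwpmDisplayData0(...)` in the provider block right below it (and again in the sublayer block of the next hunk), so the `err = fwpmProviderAdd0(...)` assignments write to the inner variable — legal today, but it is exactly the pattern go vet's shadow analyzer flags and it tends to hide a dropped error once the blocks are later flattened. The two `randGUID()` checks could at least keep err's scope obvious by using the init form, `if bo.provider, err = randGUID(); err != nil {` and likewise for `bo.filters`. Since the keys are now random instead of the previously commented fixed GUIDs, a short comment at the first `randGUID()` call stating the intent would help the next reader — presumably that per-session keys cannot collide with objects left by another instance or a crashed run, which only holds if the WFP session from createWfpSession is dynamic so the objects are discarded with it; the session flags are not visible in this diff, so confirm that before wording the comment. The function body spans all three hunks of this file.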
@@ -91,9 +87,9 @@ func registerBaseObjects(session uintptr) (*baseObjects, error) {
return nil, wrapErr(err)
}
sublayer := wtFwpmSublayer0{
- subLayerKey: filtersGUID,
+ subLayerKey: bo.filters,
displayData: *displayData,
- providerKey: &providerGUID,
+ providerKey: &bo.provider,
weight: ^uint16(0),
}
err = fwpmSubLayerAdd0(session, &sublayer, 0)
@@ -102,10 +98,7 @@ func registerBaseObjects(session uintptr) (*baseObjects, error) {
}
}
- return &baseObjects{
- providerGUID,
- filtersGUID,
- }, nil
+ return bo, nil
}
func EnableFirewall(luid uint64, restrictToDNSServers []net.IP, restrictAll bool) error {
diff --git a/tunnel/firewall/helpers.go b/tunnel/firewall/helpers.go
index ee783c2d..79ab0d82 100644
--- a/tunnel/firewall/helpers.go
+++ b/tunnel/firewall/helpers.go
@@ -7,10 +7,12 @@ package firewall
import (
"fmt"
+ "io"
"os"
"runtime"
"syscall"
"unsafe"
+ "crypto/rand"
"golang.org/x/sys/windows"
)
@@ -135,3 +137,15 @@ func getCurrentProcessAppID() (*wtFwpByteBlob, error) {
}
return appID, nil
}
+
+func randGUID() (windows.GUID, error) {
+ guid := windows.GUID{}
+ n, err := rand.Read((*[16]byte)(unsafe.Pointer(&guid))[:])
+ if err != nil {
+ return guid, err
+ }
+ if n != 16 {
+ return guid, io.ErrShortBuffer
+ }
+ return guid, nil
+} \ No newline at end of file
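Review bot: The `n != 16` branch in randGUID is unreachable — crypto/rand.Read documents that n == len(b) if and only if err == nil — and io.ErrShortBuffer would be the wrong sentinel for a short read anyway (it means the caller's buffer was too small). `io.ReadFull` states the requirement directly and drops the length check: `if _, err := io.ReadFull(rand.Reader, (*[16]byte)(unsafe.Pointer(&guid))[:]); err != nil { return windows.GUID{}, err }`, which also returns the zero GUID on failure instead of a partially filled one. The unsafe view is sound only because windows.GUID is exactly 16 bytes with no padding (uint32, uint16, uint16, [8]byte); a one-line comment at the cast saying so, e.g. `// GUID is 16 packed bytes, so fill it as a raw array.`, would stop a future field change from silently producing corrupted keys. In the import hunk above, `"crypto/rand"` sits after `"unsafe"` and before the `golang.org/x/sys/windows` line; goimports would sort it first in the stdlib group and separate the external import with a blank line. The file also lost its trailing newline in this hunk.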