author | Jason A. Donenfeld <Jason@zx2c4.com> | 2021-01-24 14:39:46 +0100 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2021-01-25 21:47:29 +0100 |
commit | 02a15049b923581a2de2271bcf162991d9f885c1 (patch) | |
tree | 033a0eca7a18e5b83db484bd1bc60f59b57b6bb2 /version | |
parent | mod: bump (diff) | |
download | wireguard-windows-02a15049b923581a2de2271bcf162991d9f885c1.tar.xz wireguard-windows-02a15049b923581a2de2271bcf162991d9f885c1.zip |
updater,version: simplify code locations
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'version')
-rw-r--r-- | version/debugging_linux.go | 35 | ||||
-rw-r--r-- | version/official.go (renamed from version/certificate_windows.go) | 64 | ||||
-rw-r--r-- | version/official_windows.go | 77 | ||||
-rw-r--r-- | version/os.go (renamed from version/os_windows.go) | 0 |
4 files changed, 53 insertions, 123 deletions
diff --git a/version/debugging_linux.go b/version/debugging_linux.go
deleted file mode 100644
index da90e271..00000000
--- a/version/debugging_linux.go
+++ /dev/null
@@ -1,35 +0,0 @@
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2019-2020 WireGuard LLC. All Rights Reserved.
- */
-
-package version
-
-import (
- "bytes"
- "fmt"
-
- "golang.org/x/sys/unix"
-)
-
-// For testing the updater package from linux. Debug stuff only.
-
-func utsToStr(u [65]byte) string {
- i := bytes.IndexByte(u[:], 0)
- if i < 0 {
- return string(u[:])
- }
- return string(u[:i])
-}
-
-func OsName() string {
- var utsname unix.Utsname
- if unix.Uname(&utsname) != nil {
- return "Unix Unknown"
- }
- return fmt.Sprintf("%s %s %s", utsToStr(utsname.Sysname), utsToStr(utsname.Release), utsToStr(utsname.Version))
-}
-
-func VerifyAuthenticode(path string) bool {
- return true
-}
diff --git a/version/certificate_windows.go b/version/official.go
index b5ae3764..2345a0b7 100644
--- a/version/certificate_windows.go
+++ b/version/official.go
@@ -6,12 +6,58 @@
 package version
 
 import (
- "syscall"
+ "errors"
+ "os"
 "unsafe"
 
 "golang.org/x/sys/windows"
 )
 
+const (
+ officialCommonName = "WireGuard LLC"
+ evPolicyOid = "2.23.140.1.3"
+ policyExtensionOid = "2.5.29.32"
+)
+
+// These are easily by-passable checks, which do not serve serve security purposes.
+// DO NOT PLACE SECURITY-SENSITIVE FUNCTIONS IN THIS FILE
+
+func IsRunningOfficialVersion() bool {
+ path, err := os.Executable()
+ if err != nil {
+ return false
+ }
+
+ names, err := extractCertificateNames(path)
+ if err != nil {
+ return false
+ }
+ for _, name := range names {
+ if name == officialCommonName {
+ return true
+ }
+ }
+ return false
+}
+
+func IsRunningEVSigned() bool {
+ path, err := os.Executable()
+ if err != nil {
+ return false
+ }
+
+ policies, err := extractCertificatePolicies(path, policyExtensionOid)
+ if err != nil {
+ return false
+ }
+ for _, policy := range policies {
+ if policy == evPolicyOid {
+ return true
+ }
+ }
+ return false
+}
+
 func extractCertificateNames(path string) ([]string, error) {
 path16, err := windows.UTF16PtrFromString(path)
 if err != nil {
@@ -28,10 +74,8 @@ func extractCertificateNames(path string) ([]string, error) {
 for {
 cert, err = windows.CertEnumCertificatesInStore(certStore, cert)
 if err != nil {
- if errno, ok := err.(syscall.Errno); ok {
- if errno == syscall.Errno(windows.CRYPT_E_NOT_FOUND) {
- break
- }
+ if errors.Is(err, windows.Errno(windows.CRYPT_E_NOT_FOUND)) {
+ break
 }
 return nil, err
 }
@@ -52,7 +96,7 @@ func extractCertificateNames(path string) ([]string, error) {
 names = append(names, windows.UTF16ToString(name16))
 }
 if names == nil {
- return nil, syscall.Errno(windows.CRYPT_E_NOT_FOUND)
+ return nil, windows.Errno(windows.CRYPT_E_NOT_FOUND)
 }
 return names, nil
 }
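Review bot: The two exported functions added in the first hunk, `IsRunningOfficialVersion` and `IsRunningEVSigned`, carry no doc comments, so the only warning about their weakness is the file-level comment above them, which itself has a duplicated word (`do not serve serve security purposes`). Because each is a plain string match against whatever certificates are embedded in the running executable, and the file's own comment says the checks are easily bypassable, that caveat belongs where godoc and IDEs surface it, e.g. `// IsRunningOfficialVersion reports whether a certificate embedded in the running executable has the subject CN "WireGuard LLC". It does not validate the signature and must not gate security decisions.` with the matching sentence on `IsRunningEVSigned`. The OID constants would also benefit from a word each, e.g. `// X.509 certificatePolicies extension` on `policyExtensionOid` and `// CA/Browser Forum EV code-signing policy OID` on `evPolicyOid`. Dropping the `_windows` suffix while still importing `golang.org/x/sys/windows` presumably relies on the package being Windows-only once `debugging_linux.go` is gone; a `// +build windows` constraint at the top of the file would make that intent explicit rather than implied by the sibling files. The bodies of `extractCertificateNames` and `extractCertificatePolicies` run outside these hunks, so how the certificates are obtained from the file is not visible here.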
@@ -77,10 +121,8 @@ func extractCertificatePolicies(path string, oid string) ([]string, error) {
 for {
 cert, err = windows.CertEnumCertificatesInStore(certStore, cert)
 if err != nil {
- if errno, ok := err.(syscall.Errno); ok {
- if errno == syscall.Errno(windows.CRYPT_E_NOT_FOUND) {
- break
- }
+ if errors.Is(err, windows.Errno(windows.CRYPT_E_NOT_FOUND)) {
+ break
 }
 return nil, err
 }
@@ -109,7 +151,7 @@ func extractCertificatePolicies(path string, oid string) ([]string, error) {
 }
 }
 if policies == nil {
- return nil, syscall.Errno(windows.CRYPT_E_NOT_FOUND)
+ return nil, windows.Errno(windows.CRYPT_E_NOT_FOUND)
 }
 return policies, nil
 }
diff --git a/version/official_windows.go b/version/official_windows.go
deleted file mode 100644
index 1bfcf90b..00000000
--- a/version/official_windows.go
+++ /dev/null
@@ -1,77 +0,0 @@
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2019-2020 WireGuard LLC. All Rights Reserved.
- */
-
-package version
-
-import (
- "os"
- "unsafe"
-
- "golang.org/x/sys/windows"
-)
-
-const (
- officialCommonName = "WireGuard LLC"
- evPolicyOid = "2.23.140.1.3"
- policyExtensionOid = "2.5.29.32"
-)
-
-func VerifyAuthenticode(path string) bool {
- path16, err := windows.UTF16PtrFromString(path)
- if err != nil {
- return false
- }
- data := &windows.WinTrustData{
- Size: uint32(unsafe.Sizeof(windows.WinTrustData{})),
- UIChoice: windows.WTD_UI_NONE,
- RevocationChecks: windows.WTD_REVOKE_WHOLECHAIN, // Full revocation checking, as this is called with network connectivity.
- UnionChoice: windows.WTD_CHOICE_FILE,
- StateAction: windows.WTD_STATEACTION_VERIFY,
- FileOrCatalogOrBlobOrSgnrOrCert: unsafe.Pointer(&windows.WinTrustFileInfo{
- Size: uint32(unsafe.Sizeof(windows.WinTrustFileInfo{})),
- FilePath: path16,
- }),
- }
- return windows.WinVerifyTrustEx(windows.InvalidHWND, &windows.WINTRUST_ACTION_GENERIC_VERIFY_V2, data) == nil
-}
-
-// These are easily by-passable checks, which do not serve serve security purposes. Do not place security-sensitive
-// functions below this line.
-
-func IsRunningOfficialVersion() bool {
- path, err := os.Executable()
- if err != nil {
- return false
- }
-
- names, err := extractCertificateNames(path)
- if err != nil {
- return false
- }
- for _, name := range names {
- if name == officialCommonName {
- return true
- }
- }
- return false
-}
-
-func IsRunningEVSigned() bool {
- path, err := os.Executable()
- if err != nil {
- return false
- }
-
- policies, err := extractCertificatePolicies(path, policyExtensionOid)
- if err != nil {
- return false
- }
- for _, policy := range policies {
- if policy == evPolicyOid {
- return true
- }
- }
- return false
-}
diff --git a/version/os_windows.go b/version/os.go
index 315a4901..315a4901 100644
--- a/version/os_windows.go
+++ b/version/os.go