author | Jason A. Donenfeld <Jason@zx2c4.com> | 2019-04-30 09:41:36 +0200 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2019-04-30 09:41:36 +0200 |
commit | f022feba7b2cfaa647487c5f53bacd00298d44de (patch) | |
tree | d3a856a9a091733acf676287238643864a42606c /version | |
parent | ui: allow update labels to wrap (diff) | |
version: add beginnings of authenticode checking
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'version')
-rw-r--r-- | version/official_linux.go | 12 | ||||
-rw-r--r-- | version/official_windows.go | 48 | ||||
-rw-r--r-- | version/wintrust/mksyscall.go | 8 | ||||
-rw-r--r-- | version/wintrust/wintrust_windows.go | 115 |
4 files changed, 183 insertions, 0 deletions
diff --git a/version/official_linux.go b/version/official_linux.go
new file mode 100644
index 00000000..d3ca3349
--- /dev/null
+++ b/version/official_linux.go
@@ -0,0 +1,12 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2019 WireGuard LLC. All Rights Reserved.
+ */
+
+package version
+
+// For testing the updater package from linux. Debug stuff only.
+
+func IsOfficialPath(path string) bool {
+ return true
+}
diff --git a/version/official_windows.go b/version/official_windows.go
new file mode 100644
index 00000000..745c2ba6
--- /dev/null
+++ b/version/official_windows.go
@@ -0,0 +1,48 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2019 WireGuard LLC. All Rights Reserved.
+ */
+
+package version
+
+import (
+ "golang.org/x/sys/windows"
+ "golang.zx2c4.com/wireguard/windows/version/wintrust"
+ "os"
+ "unsafe"
+)
+
+func IsOfficialPath(path string) bool {
+ path16, err := windows.UTF16PtrFromString(path)
+ if err != nil {
+ return false
+ }
+ file := &wintrust.WinTrustFileInfo{
+ CbStruct: uint32(unsafe.Sizeof(wintrust.WinTrustFileInfo{})),
+ FilePath: path16,
+ }
+ data := &wintrust.WinTrustData{
+ CbStruct: uint32(unsafe.Sizeof(wintrust.WinTrustData{})),
+ UIChoice: wintrust.WTD_UI_NONE,
+ RevocationChecks: wintrust.WTD_REVOKE_NONE,
+ UnionChoice: wintrust.WTD_CHOICE_FILE,
+ StateAction: wintrust.WTD_STATEACTION_VERIFY,
+ FileOrCatalogOrBlobOrSgnrOrCert: uintptr(unsafe.Pointer(file)),
+ }
+ err = wintrust.WinVerifyTrust(0, &wintrust.WINTRUST_ACTION_GENERIC_VERIFY_V2, data)
+ if err != nil {
+ return false
+ }
+
+ //TODO: check that the certificate actually belongs to us
+
+ return true
+}
+
+func IsOfficial() bool {
+ path, err := os.Executable()
+ if err != nil {
+ return false
+ }
+ return IsOfficialPath(path)
+}
diff --git a/version/wintrust/mksyscall.go b/version/wintrust/mksyscall.go
new file mode 100644
index 00000000..0a5df80d
--- /dev/null
+++ b/version/wintrust/mksyscall.go
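Review bot: The Linux stub's `IsOfficialPath` answers true for every path, and the only thing scoping that is the `_linux.go` filename plus a comment that sits a blank line above the function rather than on it, so it does not surface as the function's documentation. I'd state the contract on the function itself: `// IsOfficialPath always reports true. It exists only so the updater package can be exercised on Linux and must never gate a real decision.` That keeps a reader of the package API from mistaking the debug stub for a weaker form of the Windows check.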
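Review bot: `IsOfficialPath` calls WinVerifyTrust with `WTD_STATEACTION_VERIFY` but never follows up with `WTD_STATEACTION_CLOSE`, so the state WinVerifyTrust hands back in `data.StateData` is leaked on every call, successful or not, and `IsOfficial` runs this against the process's own executable each time it is asked. The CLOSE call has to happen regardless of the verify result, so a deferred second call immediately after the first is the simplest shape (below); if the state data is not going to be inspected yet, `WTD_STATEACTION_IGNORE` avoids the bookkeeping altogether. Separately, `RevocationChecks: wintrust.WTD_REVOKE_NONE` means a file signed with a revoked certificate still counts as official; unless offline operation is a hard requirement, `RevocationChecks: wintrust.WTD_REVOKE_WHOLECHAIN,` is the safer default, with `WTD_CACHE_ONLY_URL_RETRIEVAL` in `ProvFlags` if the network fetch is the concern. Until the signer TODO is resolved this accepts any Authenticode-trusted signer, which makes revocation the only thing standing between a stolen third-party key and an "official" verdict.
```go
	err = wintrust.WinVerifyTrust(0, &wintrust.WINTRUST_ACTION_GENERIC_VERIFY_V2, data)
	// VERIFY leaves state in data.StateData that must be released with a CLOSE
	// call whether or not verification succeeded.
	defer func() {
		data.StateAction = wintrust.WTD_STATEACTION_CLOSE
		wintrust.WinVerifyTrust(0, &wintrust.WINTRUST_ACTION_GENERIC_VERIFY_V2, data)
	}()
	if err != nil {
		return false
	}
	// … unchanged: signer TODO and return true …
```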
@@ -0,0 +1,8 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2019 WireGuard LLC. All Rights Reserved.
+ */
+
+package wintrust
+
+//go:generate go run $GOROOT/src/syscall/mksyscall_windows.go -output zsyscall_windows.go wintrust_windows.go
diff --git a/version/wintrust/wintrust_windows.go b/version/wintrust/wintrust_windows.go
new file mode 100644
index 00000000..b50636a3
--- /dev/null
+++ b/version/wintrust/wintrust_windows.go
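Review bot: The `//go:generate` directive produces `zsyscall_windows.go`, but that file is not in the diffstat, so the `wintrust.WinVerifyTrust` wrapper that official_windows.go calls does not exist in a fresh checkout until `go generate` has run in this package. Presumably the build script does that or the output is deliberately kept out of the tree, but it is worth saying so next to the directive, e.g. `// zsyscall_windows.go is generated from the //sys lines in wintrust_windows.go; run go generate before building.`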
@@ -0,0 +1,115 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2019 WireGuard LLC. All Rights Reserved.
+ */
+
+package wintrust
+
+import (
+ "golang.org/x/sys/windows"
+ "syscall"
+)
+
+type WinTrustData struct {
+ CbStruct uint32
+ PolicyCallbackData uintptr
+ SIPClientData uintptr
+ UIChoice uint32
+ RevocationChecks uint32
+ UnionChoice uint32
+ FileOrCatalogOrBlobOrSgnrOrCert uintptr
+ StateAction uint32
+ StateData syscall.Handle
+ URLReference *uint16
+ ProvFlags uint32
+ UIContext uint32
+ SignatureSettings *WintrustSignatureSettings
+}
+
+const (
+ WTD_UI_ALL = 1
+ WTD_UI_NONE = 2
+ WTD_UI_NOBAD = 3
+ WTD_UI_NOGOOD = 4
+)
+
+const (
+ WTD_REVOKE_NONE = 0
+ WTD_REVOKE_WHOLECHAIN = 1
+)
+
+const (
+ WTD_CHOICE_FILE = 1
+ WTD_CHOICE_CATALOG = 2
+ WTD_CHOICE_BLOB = 3
+ WTD_CHOICE_SIGNER = 4
+ WTD_CHOICE_CERT = 5
+)
+
+const (
+ WTD_STATEACTION_IGNORE = 0x00000000
+ WTD_STATEACTION_VERIFY = 0x00000010
+ WTD_STATEACTION_CLOSE = 0x00000002
+ WTD_STATEACTION_AUTO_CACHE = 0x00000003
+ WTD_STATEACTION_AUTO_CACHE_FLUSH = 0x00000004
+)
+
+const (
+ WTD_USE_IE4_TRUST_FLAG = 0x1
+ WTD_NO_IE4_CHAIN_FLAG = 0x2
+ WTD_NO_POLICY_USAGE_FLAG = 0x4
+ WTD_REVOCATION_CHECK_NONE = 0x10
+ WTD_REVOCATION_CHECK_END_CERT = 0x20
+ WTD_REVOCATION_CHECK_CHAIN = 0x40
+ WTD_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT = 0x80
+ WTD_SAFER_FLAG = 0x100
+ WTD_HASH_ONLY_FLAG = 0x200
+ WTD_USE_DEFAULT_OSVER_CHECK = 0x400
+ WTD_LIFETIME_SIGNING_FLAG = 0x800
+ WTD_CACHE_ONLY_URL_RETRIEVAL = 0x1000
+ WTD_DISABLE_MD2_MD4 = 0x2000
+ WTD_MOTW = 0x4000
+)
+
+const (
+ TRUST_E_NOSIGNATURE = 0x800B0100
+ TRUST_E_EXPLICIT_DISTRUST = 0x800B0111
+ TRUST_E_SUBJECT_NOT_TRUSTED = 0x800B0004
+ CRYPT_E_SECURITY_SETTINGS = 0x80092026
+)
+
+const (
+ WTD_UICONTEXT_EXECUTE = 0
+ WTD_UICONTEXT_INSTALL = 1
+)
+
+var WINTRUST_ACTION_GENERIC_VERIFY_V2 = windows.GUID{
+ Data1: 0xaac56b,
+ Data2: 0xcd44,
+ Data3: 0x11d0,
+ Data4: [8]byte{0x8c, 0xc2, 0x0, 0xc0, 0x4f, 0xc2, 0x95, 0xee},
+}
+
+type WinTrustFileInfo struct {
+ CbStruct uint32
+ FilePath *uint16
+ File windows.Handle
+ KnownSubject *windows.GUID
+}
+
+type WintrustSignatureSettings struct {
+ CbStruct uint32
+ Index uint32
+ Flags uint32
+ SecondarySigs uint32
+ VerifiedSigIndex uint32
+ CryptoPolicy *CertStrongSignPara
+}
+
+type CertStrongSignPara struct {
+ CbStruct uint32
+ InfoChoice uint32
+ InfoOrSerializedInfoOrOID uintptr
+}
+
+//sys WinVerifyTrust(hWnd windows.Handle, actionId *windows.GUID, data *WinTrustData) (err error) [r1 != 0] = wintrust.WinVerifyTrust |
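Review bot: `WTD_STATEACTION_VERIFY = 0x00000010` does not match wintrust.h, where the state actions are a small sequence (IGNORE 0, VERIFY 1, CLOSE 2, AUTO_CACHE 3, AUTO_CACHE_FLUSH 4) and the neighbouring constants here already follow it; the line should read `WTD_STATEACTION_VERIFY = 0x00000001`. I cannot say from here how wintrust treats an unrecognized action, but a caller passing 0x10 is not requesting VERIFY, so any later inspection of `StateData` (which the signer check will need) cannot rely on it being populated. The `//sys` declaration also discards the interesting result: as far as I know mksyscall's conventions, a return named `err` with `[r1 != 0]` is filled from GetLastError rather than from the HRESULT WinVerifyTrust returns in r1, so the `TRUST_E_*` constants declared above can never be matched against what callers receive; declaring it as `(ret error) = wintrust.WinVerifyTrust` has the generator set `ret = syscall.Errno(r0)` on a nonzero return, which can then be compared with `syscall.Errno(TRUST_E_NOSIGNATURE)` and friends. Minor: `StateData` is typed `syscall.Handle` while the other handle fields use `windows.Handle`.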