Diffstat (limited to 'updater')
-rw-r--r-- | updater/authenticode.go | 7 | ||||
-rw-r--r-- | updater/constants.go | 2 | ||||
-rw-r--r-- | updater/downloader.go | 2 | ||||
-rw-r--r-- | updater/msirunner.go | 4 | ||||
-rw-r--r-- | updater/signify.go | 10 | ||||
-rw-r--r-- | updater/updater_test.go | 2 | ||||
-rw-r--r-- | updater/versions.go | 2 | ||||
-rw-r--r-- | updater/winhttp/mksyscall.go | 2 | ||||
-rw-r--r-- | updater/winhttp/syscall_windows.go | 12 | ||||
-rw-r--r-- | updater/winhttp/winhttp.go | 19 | ||||
-rw-r--r-- | updater/winhttp/winhttp_test.go | 2 |
11 files changed, 46 insertions, 18 deletions
diff --git a/updater/authenticode.go b/updater/authenticode.go
index d6d80df5..1e0a25c0 100644
--- a/updater/authenticode.go
+++ b/updater/authenticode.go
@@ -1,6 +1,6 @@
 /* SPDX-License-Identifier: MIT
 *
- * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
+ * Copyright (C) 2019-2022 WireGuard LLC. All Rights Reserved.
 */
 
 package updater
@@ -27,5 +27,8 @@ func verifyAuthenticode(path string) bool {
 FilePath: path16,
 }),
 }
- return windows.WinVerifyTrustEx(windows.InvalidHWND, &windows.WINTRUST_ACTION_GENERIC_VERIFY_V2, data) == nil
+ verified := windows.WinVerifyTrustEx(windows.InvalidHWND, &windows.WINTRUST_ACTION_GENERIC_VERIFY_V2, data) == nil
+ data.StateAction = windows.WTD_STATEACTION_CLOSE
+ windows.WinVerifyTrustEx(windows.InvalidHWND, &windows.WINTRUST_ACTION_GENERIC_VERIFY_V2, data)
+ return verified
 }
diff --git a/updater/constants.go b/updater/constants.go
index 04b972fe..cf0ced92 100644
--- a/updater/constants.go
+++ b/updater/constants.go
@@ -1,6 +1,6 @@
 /* SPDX-License-Identifier: MIT
 *
- * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
+ * Copyright (C) 2019-2022 WireGuard LLC. All Rights Reserved.
 */
 
 package updater
diff --git a/updater/downloader.go b/updater/downloader.go
index b8b2763d..bf28db54 100644
--- a/updater/downloader.go
+++ b/updater/downloader.go
@@ -1,6 +1,6 @@
 /* SPDX-License-Identifier: MIT
 *
- * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
+ * Copyright (C) 2019-2022 WireGuard LLC. All Rights Reserved.
 */
 
 package updater
diff --git a/updater/msirunner.go b/updater/msirunner.go
index 13495f46..ec6b1bd3 100644
--- a/updater/msirunner.go
+++ b/updater/msirunner.go
@@ -1,6 +1,6 @@
 /* SPDX-License-Identifier: MIT
 *
- * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
+ * Copyright (C) 2019-2022 WireGuard LLC. All Rights Reserved.
 */
 
 package updater
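Review bot: In `verifyAuthenticode` (updater/authenticode.go), the second `WinVerifyTrustEx` call has its result dropped with no comment, so a reader cannot tell that this is a deliberate cleanup call and not a forgotten check. Capturing `verified` before the close call is right, since the close result must not influence the trust decision; a comment would pin that down, e.g. `// Release the state data held by the verify call; the verdict above is final and the close result is intentionally ignored.` The `StateAction` used for the first call is set outside this hunk, so confirm it is the verify action that this close pairs with.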
@@ -38,7 +38,7 @@ func (t *tempFile) Delete() error {
 if err != nil {
 return err
 }
- return windows.DeleteFile(name16) //TODO: how does this deal with reparse points?
+ return windows.DeleteFile(name16) // TODO: how does this deal with reparse points?
 }
 disposition := byte(1)
 err := windows.SetFileInformationByHandle(t.originalHandle, windows.FileDispositionInfo, &disposition, 1)
diff --git a/updater/signify.go b/updater/signify.go
index eef9198a..de50fcba 100644
--- a/updater/signify.go
+++ b/updater/signify.go
@@ -1,6 +1,6 @@
 /* SPDX-License-Identifier: MIT
 *
- * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
+ * Copyright (C) 2019-2022 WireGuard LLC. All Rights Reserved.
 */
 
 package updater
@@ -53,17 +53,17 @@ func readFileList(input []byte) (fileList, error) {
 if len(line) == 0 && index == len(fileLines)-1 {
 break
 }
- components := strings.SplitN(line, " ", 2)
- if len(components) != 2 {
+ first, second, ok := strings.Cut(line, " ")
+ if !ok {
 return nil, errors.New("File hash line has too few components")
 }
- maybeHash, err := hex.DecodeString(components[0])
+ maybeHash, err := hex.DecodeString(first)
 if err != nil || len(maybeHash) != blake2b.Size256 {
 return nil, errors.New("File hash is invalid base64 or incorrect number of bytes")
 }
 var hash [blake2b.Size256]byte
 copy(hash[:], maybeHash)
- fileHashes[components[1]] = hash
+ fileHashes[second] = hash
 }
 if len(fileHashes) == 0 {
 return nil, errors.New("No file hashes found in signed input")
diff --git a/updater/updater_test.go b/updater/updater_test.go
index a90b13cb..809262bd 100644
--- a/updater/updater_test.go
+++ b/updater/updater_test.go
@@ -1,6 +1,6 @@
 /* SPDX-License-Identifier: MIT
 *
- * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
+ * Copyright (C) 2019-2022 WireGuard LLC. All Rights Reserved.
 */
 
 package updater
diff --git a/updater/versions.go b/updater/versions.go
index 5b42a748..dfc4c665 100644
--- a/updater/versions.go
+++ b/updater/versions.go
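Review bot: In `readFileList` (updater/signify.go), `strings.Cut` reports `ok` for a line that ends right after the separator, so an empty `second` is stored as a file name, and a name that repeats silently replaces the earlier hash at `fileHashes[second] = hash`. The list is described as signed input, so this is parser strictness rather than a trust bypass, but an updater manifest parser is better failing closed: `if !ok || len(second) == 0 {` plus a duplicate check before the assignment. The names `first`/`second` would read better as `hexHash`/`name`, and the unchanged error text says "invalid base64" although the call is `hex.DecodeString`. The loop starts and ends outside this hunk.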
@@ -1,6 +1,6 @@ /* SPDX-License-Identifier: MIT * - * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved. + * Copyright (C) 2019-2022 WireGuard LLC. All Rights Reserved. */ package updater diff --git a/updater/winhttp/mksyscall.go b/updater/winhttp/mksyscall.go index 1daedb08..54c06e85 100644 --- a/updater/winhttp/mksyscall.go +++ b/updater/winhttp/mksyscall.go @@ -1,6 +1,6 @@ /* SPDX-License-Identifier: MIT * - * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved. + * Copyright (C) 2019-2022 WireGuard LLC. All Rights Reserved. */ package winhttp diff --git a/updater/winhttp/syscall_windows.go b/updater/winhttp/syscall_windows.go index 77e733e6..4f967bfa 100644 --- a/updater/winhttp/syscall_windows.go +++ b/updater/winhttp/syscall_windows.go @@ -1,6 +1,6 @@ /* SPDX-License-Identifier: MIT * - * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved. + * Copyright (C) 2019-2022 WireGuard LLC. All Rights Reserved. */ package winhttp @@ -256,6 +256,16 @@ const ( _INTERNET_SCHEME_FTP = 3 _INTERNET_SCHEME_SOCKS = 4 + _WINHTTP_FLAG_SECURE_PROTOCOL_SSL2 = 0x00000008 + _WINHTTP_FLAG_SECURE_PROTOCOL_SSL3 = 0x00000020 + _WINHTTP_FLAG_SECURE_PROTOCOL_TLS1 = 0x00000080 + _WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 = 0x00000200 + _WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2 = 0x00000800 + _WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3 = 0x00002000 + _WINHTTP_FLAG_SECURE_PROTOCOL_ALL = _WINHTTP_FLAG_SECURE_PROTOCOL_SSL2 | _WINHTTP_FLAG_SECURE_PROTOCOL_SSL3 | _WINHTTP_FLAG_SECURE_PROTOCOL_TLS1 + + _WINHTTP_PROTOCOL_FLAG_HTTP2 = 0x1 + _WINHTTP_ERROR_BASE = 12000 _ERROR_WINHTTP_OUT_OF_HANDLES = Error(12000 + 1) _ERROR_WINHTTP_TIMEOUT = Error(12000 + 2) diff --git a/updater/winhttp/winhttp.go b/updater/winhttp/winhttp.go index ac390a4f..cb19f194 100644 --- a/updater/winhttp/winhttp.go +++ b/updater/winhttp/winhttp.go 
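Review bot: `_WINHTTP_FLAG_SECURE_PROTOCOL_ALL` in the new constant block (updater/winhttp/syscall_windows.go) is the OR of the SSL2, SSL3 and TLS1 flags only, so despite its name it selects none of TLS 1.1, 1.2 or 1.3 and would enable only obsolete protocols if it were ever passed to `_WINHTTP_OPTION_SECURE_PROTOCOLS`. The value matches the definition in the Windows header, but nothing in the visible diff uses it; either drop it or guard it with a comment such as `// Legacy mask from winhttp.h: SSL 2.0, SSL 3.0 and TLS 1.0 only. Do not use for new code.` The `const (` block opens and closes outside this hunk.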
@@ -1,6 +1,6 @@
 /* SPDX-License-Identifier: MIT
 *
- * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
+ * Copyright (C) 2019-2022 WireGuard LLC. All Rights Reserved.
 */
 
 package winhttp
@@ -21,11 +21,13 @@ import (
 type Session struct {
 handle _HINTERNET
 }
+
 type Connection struct {
 handle _HINTERNET
 session *Session
 https bool
 }
+
 type Response struct {
 handle _HINTERNET
 connection *Connection
@@ -48,6 +50,11 @@ func isWin7() bool {
 return maj < 6 || (maj == 6 && min <= 1)
 }
 
+func isWin8DotZeroOrBelow() bool {
+ maj, min, _ := windows.RtlGetNtVersionNumbers()
+ return maj < 6 || (maj == 6 && min <= 2)
+}
+
 func NewSession(userAgent string) (session *Session, err error) {
 session = new(Session)
 defer convertError(&err)
@@ -69,9 +76,17 @@ func NewSession(userAgent string) (session *Session, err error) {
 if err != nil {
 return
 }
- var enableHttp2 uint32 = 1
+ var enableHttp2 uint32 = _WINHTTP_PROTOCOL_FLAG_HTTP2
 _ = winHttpSetOption(session.handle, _WINHTTP_OPTION_ENABLE_HTTP_PROTOCOL, unsafe.Pointer(&enableHttp2), uint32(unsafe.Sizeof(enableHttp2))) // Don't check return value, in case of old Windows
 
+ if isWin8DotZeroOrBelow() {
+ var enableTLS12 uint32 = _WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2
+ err = winHttpSetOption(session.handle, _WINHTTP_OPTION_SECURE_PROTOCOLS, unsafe.Pointer(&enableTLS12), uint32(unsafe.Sizeof(enableTLS12)))
+ if err != nil {
+ return
+ }
+ }
+
 runtime.SetFinalizer(session, func(session *Session) {
 session.Close()
 })
diff --git a/updater/winhttp/winhttp_test.go b/updater/winhttp/winhttp_test.go
index 41fbeb6b..36017a48 100644
--- a/updater/winhttp/winhttp_test.go
+++ b/updater/winhttp/winhttp_test.go
@@ -1,6 +1,6 @@
 /* SPDX-License-Identifier: MIT
 *
- * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
+ * Copyright (C) 2019-2022 WireGuard LLC. All Rights Reserved.
 */
 
 package winhttp |
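Review bot: `isWin8DotZeroOrBelow` (updater/winhttp/winhttp.go) has no comment saying which release the `maj == 6 && min <= 2` bound stands for or why the cut is there. Judging by its only visible caller in `NewSession`, it marks the systems where TLS 1.2 has to be switched on explicitly; say so above the function, e.g. `// isWin8DotZeroOrBelow reports whether the NT version is 6.2 or lower, where NewSession must enable TLS 1.2 itself.` It also repeats `isWin7` with a different minor bound, so a shared helper taking the minor version would keep the two checks in step.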
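Review bot: The new `return` on a failed `_WINHTTP_OPTION_SECURE_PROTOCOLS` call in `NewSession` runs before `runtime.SetFinalizer`, so the handle already stored in `session.handle` is not closed on that path unless a deferred cleanup outside this hunk does it. Failing the session when TLS 1.2 cannot be forced is the right choice for an update channel; just release the handle first with `session.Close()` ahead of the `return`. A short comment that the option value replaces the enabled protocol set, leaving TLS 1.2 as the only protocol on these systems, would also help. The function starts and ends outside this hunk.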