Commit Graph

522 Commits

Author SHA1 Message Date
Jason A. Donenfeld
acc9ee7f34 api: remove authenticode support
Certificates are no longer valid.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-08-02 00:24:10 +02:00
Jason A. Donenfeld
86521458e3 props: use ForcedTargetVersion for override
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Simon Rozman <simon@rozman.si>
2021-07-30 10:40:27 +02:00
Jason A. Donenfeld
0a3799cc3a editorconfig: farewell wix
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Simon Rozman <simon@rozman.si>
2021-07-30 10:40:27 +02:00
Jason A. Donenfeld
d0732ca4f8 driver: remove useless defines from resource
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Simon Rozman <simon@rozman.si>
2021-07-30 10:40:27 +02:00
Simon Rozman
d675646ab8 api: upgrade
Signed-off-by: Simon Rozman <simon@rozman.si>
2021-07-28 20:25:27 +02:00
Simon Rozman
d61007297d example: resolve signed/unsigned code analysis warning
Signed-off-by: Simon Rozman <simon@rozman.si>
2021-07-28 20:22:19 +02:00
Simon Rozman
d30f6754d4 global: upgrade clang-format
Signed-off-by: Simon Rozman <simon@rozman.si>
2021-07-28 20:22:19 +02:00
Simon Rozman
7dffa4be72 vs: move shared configuration to wintun.props and upgrade
Remember to rename wintun.vcxproj.user file in your local working folder
to wintun.props.user manually.

Signed-off-by: Simon Rozman <simon@rozman.si>
2021-07-28 20:22:18 +02:00
Simon Rozman
7de5d2e6c8 driver: workaround SDV failure with code analysis
SDV is using own CL.EXE which returns error code 2 when code analysis
is turned on. However, we need code analysis results for DVL.

While we could use a new "ReleaseSDV" configuration, we don't really
require limited code analysis in Release builds, as long as we address
all full code analysis warnings in Debug builds.

To make DVL happier, an intermediate Release build was injected with
code analysis turned on.

Signed-off-by: Simon Rozman <simon@rozman.si>
2021-07-27 12:22:26 +02:00
Jason A. Donenfeld
899e085a91 api: build with WDK
Makes builds more reproducable, as we can do our next release using the
EWDK, an all-in-one ISO of build tools from Microsoft.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-07-23 20:20:43 +02:00
Jason A. Donenfeld
af83574b34 api: remove unused pch file
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-07-13 15:48:45 +02:00
Simon Rozman
928f21c573 driver: switch to MS-recommended memory alloc
Suggested-by: Static Driver Verifier
Signed-off-by: Simon Rozman <simon@rozman.si>
2021-07-13 14:33:43 +02:00
Simon Rozman
dccf2085cb driver: cleanup project file
Signed-off-by: Simon Rozman <simon@rozman.si>
2021-07-12 10:38:21 +02:00
Simon Rozman
d41ac04565 driver: remove excessive media connection reporting on adapter init
The initial adapter state (including media connection) is provided by
the NDIS_MINIPORT_ADAPTER_GENERAL_ATTRIBUTES.
Additional NdisMIndicateStatusEx() call seems excessive.

Signed-off-by: Simon Rozman <simon@rozman.si>
2021-07-12 10:38:21 +02:00
Jason A. Donenfeld
005af4a9c7 api: use SuggestedInstanceId instead of NetSetupAnticipatedInstanceId
All was well with NetSetupAnticipatedInstanceId, until a bug crept into
recent Windows builds that caused old GUIDs not to be properly removed,
resulting in subsequent adapter creations to fail, because NetSetup
AnticipatedInstanceId considers it fatal when the target GUID
already exists, even if in diminished form.

The initial solution was to detect cruft, and then steal a
TrustedInstaller token and sleuth around the registry cleaning things
up. The horror!

Uncomfortable with this, I reopened IDA and had a look around with fresh
eyes, three years after the original discovery of NetSetupAnticipated
InstanceId. There, I found some interesting behavior in
NetSetupSvcDeviceManager::InstallNetworkInterfaces, which amounts to
something like:

    if (IsSet("RetiredNetCfgInstanceId") {
      if (IsSet("NetSetupAnticipatedInstanceId")
        DeleteAdapter(GetValue("RetiredNetCfgInstanceId"));
      else
        Set("NetSetupAnticipatedInstanceId", GetValue("RetiredNetCfgInstanceId"));
      Delete("RetiredNetCfgInstanceId");
    }
    CreateAdapter = TRUE;
    if (IsSet("NetSetupAnticipatedInstanceId")) {
      Guid = GetValue("NetSetupAnticipatedInstanceId");
      if (AdapterAlreadyExists(Guid))
        CreateAdapter = FALSE;
      else
        SetGuidOfNewAdapter(Guid);
      Delete("NetSetupAnticipatedInstanceId");
    } else if (IsSet("SuggestedInstanceId")) {
      Guid = GetValue("SuggestedInstanceId");
      if (!AdapterAlreadyExists(Guid))
        SetGuidOfNewAdapter(Guid);
      Delete("SuggestedInstanceId");
    }

Thus, one appealing strategy would be to set both NetSetupAnticipated
InstanceId and RetiredInstanceId to the same value, and let the service
handle deleting the old one for us before creating the new one.
However, the cleanup of the old adapter winds up being quasi-
asynchronous, and thus we still wind up in the CreateAdapter = FALSE
case.

So, the remaining strategy is to simply use SuggestedInstanceId instead.
This has the behavior that if there's an adapter already in use, it'll
use a new random GUID. The result is that adapter creation won't fail.

That's not great, but the docs have always made it clear that
"requested" is a best-effort sort of thing. Plus, hopefully the creation
of the new adapter will help nudge the bug a bit and cleanup the old
cruft. In some ways, transitioning from our old strategy of "cudgel the
registry until we get the GUID we want" to "ask politely and accept no
for an answer" is a disappointing regression in functionality. But it
also means we don't need to keep crazy token stealing code around, or
fish around in the registry dangerously. This probably also increases
the likelihood that an adapter will be created during edge cases, which
means fewer errors for users, which could be a good thing. On the
downside, we have the perpetual tensions caused by a system that now
"fails open" instead of "fails closed". But so it goes in Windows land.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-07-09 17:08:28 +02:00
Jason A. Donenfeld
cf6e441ff5 api: log instance id when object file name is empty
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-07-08 03:13:14 +02:00
Jason A. Donenfeld
bf5b170101 api: print correct last error when failing
Prior to the conversion, LastError is ERROR_SUCCESS, so move the logging
to be after the conversion.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-07-08 02:50:57 +02:00
Jason A. Donenfeld
48bbaa0be3 version: bump
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-06-25 16:18:03 +02:00
Jason A. Donenfeld
ed2f5cc225 api: don't auto-elevate
There's no longer a need to do this for every API call. This only exists
now for the pnp guid reuse workaround hack.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-06-25 16:18:03 +02:00
Jason A. Donenfeld
d33732ab4b driver: hard code security descriptor bytes
This is compatible with old Windows. Generated by:

  #include <stdio.h>
  #include <windows.h>
  #include <sddl.h>

  int main(int argc, char *argv[])
  {
      PSECURITY_DESCRIPTOR sd;
      ULONG sd_len;

      if (!ConvertStringSecurityDescriptorToSecurityDescriptorA("O:SYD:P(A;;FA;;;SY)(A;;FA;;;BA)S:(ML;;NWNRNX;;;HI)", SDDL_REVISION_1, &sd, &sd_len))
          return 1;
      for (ULONG i = 0; i < sd_len; ++i)
          printf("0x%02x%s%s", ((unsigned char *)sd)[i], i == sd_len - 1 ? "" : ",", i == sd_len -1 || i % 8 == 7 ? "\n": " ");
      return 0;
  }

This can be easily checked from kernel space with this ugly snippet:

  UNICODE_STRING Func;
  RtlInitUnicodeString(&Func, L"SeConvertSecurityDescriptorToStringSecurityDescriptor");
  WCHAR *Str = NULL;
  ((NTSTATUS(NTAPI *)(PSECURITY_DESCRIPTOR, DWORD, DWORD, WCHAR **, DWORD *))MmGetSystemRoutineAddress(&Func))(
      TunDispatchSecurityDescriptor, 1, 0x14, &Str, NULL);
  DbgPrint("Did it work? %ls\n", Str);

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-06-25 16:18:03 +02:00
Jason A. Donenfeld
6154c73032 driver: build security descriptor from sddl
This is a bit easier to read.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-06-25 14:10:50 +02:00
Jason A. Donenfeld
b3bf490434 driver: allow admins but require high integrity label
Might be more reasonable.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-06-25 14:09:16 +02:00
Jason A. Donenfeld
59bf6be8b6 driver: specify pnplockdown in inf
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-06-25 13:51:58 +02:00
Jason A. Donenfeld
273cbe2d14 driver: format
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-06-25 13:51:57 +02:00
Jason A. Donenfeld
479bbdc50a api: only mark GUID as in-use if Status != NotPresent
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-05-11 19:43:34 +02:00
Jason A. Donenfeld
0d96b900c3 version: bump
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-05-10 19:23:28 +02:00
Jason A. Donenfeld
6cf9ac71c3 driver: do not assume aligned addresses when allocating MDLs
IoAllocateMdl allocates a different size structure depending on the
bottom in-page bits of the address. By passing null, it assumes that the
address is aligned within the page, which it might not be. Fix this by
passing the eventual virtual address to the allocation function so that
the right amount is always allocated.

Reported-by: Oleksandr Muzychuk <oleksandr.muzychuk@apriorit.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-05-10 19:02:49 +02:00
Simon Rozman
f19945b3c6 driver: move init-only functions into INIT segment
Reference: https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/writing-a-driverentry-routine
Signed-off-by: Simon Rozman <simon@rozman.si>
2021-05-10 11:24:44 +02:00
Simon Rozman
71e1ab6940 driver: fix memory leak on pre-Windows 7
Should NDIS version check fail the DriverEntry() bailed out without
releasing the TunDispatchSecurityDescriptor.

Signed-off-by: Simon Rozman <simon@rozman.si>
2021-05-10 11:24:44 +02:00
Simon Rozman
b28a721d9e driver: cleanup unused DBG define
Signed-off-by: Simon Rozman <simon@rozman.si>
2021-05-10 11:24:44 +02:00
Jason A. Donenfeld
02f19b8c90 version: bump
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-05-10 11:24:44 +02:00
Jason A. Donenfeld
3c8b92e80e api: use simpler problem status checking
This reworks commit e51b49604b.

Link: https://www.reddit.com/r/WireGuard/comments/n6yocf/unable_to_create_wintun_on_windows_7_laptop_with/
Reported-by: Alirz
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-05-10 11:23:58 +02:00
Jason A. Donenfeld
1efbd14c2c api: check that GUID is valid before assuming it's in use
ROOT/NET/000X could have been claimed by a different driver, so we want
to double check.

Link: https://lists.zx2c4.com/pipermail/wireguard/2021-May/006716.html
Reported-by: Piotr Sobczak <piotrs@glosol.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-05-10 11:23:58 +02:00
Jason A. Donenfeld
d9555bea1b api: discourage UaF on teardown
While it does make sense to make readers unblock by setting the read
event on teardown, this is something that consumers of the library
should do _before_ calling EndSession, not something that makes sense
for the library to do itself. The reason is that, in the hypothetical
case in which this makes sense, immediately after unblocking the reader
via SetEvent, the function goes on to free all of the memory that that
reader might want to use. So, rather, the proper shutdown flow is from
the application side, and looks like:

    Closing = true;
    SetEvent(WintunGetReadWaitEvent());
    WaitForReadersToReturn();
    WintunEndSession();

Alternatively, rather than using WaitForSingleObject on the read event,
consumers can WaitForMultipleObjects and include a shutdown event, which
is what the example code does.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-05-10 11:23:58 +02:00
Jason A. Donenfeld
d2db3b9977 version: bump
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-05-05 11:25:44 +02:00
Jason A. Donenfeld
0c9a87b8a2 api: skip requested GUID if !win10
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-05-05 11:25:44 +02:00
Jason A. Donenfeld
747ba7121d api: clean up NetSetup2 GUIDs
Recent versions of Windows fail to tidy up, causing issues when reusing
GUIDs. Check to see if a GUID might be orphaned, and forcibly clear out
the registry state if so.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-05-05 11:17:39 +02:00
Jason A. Donenfeld
4480d32011 api: don't pass bogus previous buffer size argument
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-05-05 10:54:33 +02:00
Jason A. Donenfeld
e51b49604b api: don't return ERROR_SUCCESS if adapter doesn't come up
Otherwise we fail to remove the zombie adapter, and then the problem
repeats itself. Note that this is part of a larger issue of clearing out
bad GUIDs in NetSetup2 on recent Windows builds

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-05-04 12:20:43 +02:00
Simon Rozman
5e48e4196e project: fix typo in .editorconfig
Signed-off-by: Simon Rozman <simon@rozman.si>
2021-05-04 12:20:35 +02:00
Jason A. Donenfeld
5edd8d2517 version: bump
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-04-13 15:55:08 -06:00
Simon Rozman
51a4f299c3 vs: put .pdb files in the intermediate folders
Wondering, why WinDbg is refusing to load symbols for wintun.sys
recently...

By default, building puts .pdb files to the output folder. Next to the
final binaries: wintun.sys, wintun.dll, example.exe... Wait?! But the
wintun.pdb from wintun.dll overwrites the wintun.pdb from wintun.sys
then.

Signed-off-by: Simon Rozman <simon@rozman.si>
2021-04-13 15:50:50 -06:00
Simon Rozman
227b76480c vs: remove api->wintun project dependency
The time stamping with Inf2Cat never makes the wintun output really "up-
to-date". This keeps triggering wintun project rebuilds over and over
again. Including all the projects depending on wintun.

Thou, the api project really depends on the driver built by wintun
project, those needless driver rebuilds are utterly annoying.

To be correct, the amd64 api project also depends on the arm64 api
project - a dependency which cannot be described using .sln. So, one way
or another, a developer must build projects inside the .sln in a
specific order.

Another solution would be to split the solution file (pun intended). One
.sln for driver, another for the api and example projects. Then open the
one the developer is focused on.

Signed-off-by: Simon Rozman <simon@rozman.si>
2021-04-13 15:50:50 -06:00
Simon Rozman
d35312d33f api: log Windows error message too when creating folder or file fails
Signed-off-by: Simon Rozman <simon@rozman.si>
2021-04-13 15:50:50 -06:00
Simon Rozman
3a8dbb6ae2 api: fix fallback log line printf template
Signed-off-by: Simon Rozman <simon@rozman.si>
2021-04-10 13:37:22 +02:00
Simon Rozman
2f1d1ab827 Fix © in resources
The \xa9 is © on Windows-125x code pages. When Wintun was compiled on a
Windows computer using UTF-8 as default code page (for "non-Unicode"
programs), the Copyright notice in resources was wrong.

Signed-off-by: Simon Rozman <simon@rozman.si>
2021-03-19 12:04:23 +01:00
Simon Rozman
a6fa9c1b67 project: add support for intermediate versioning
While the Wintun driver is typically released only at <major>.<minor>
milestones, the wintun.dll did see some intermediate releases.

To make MSI logic correctly decide to upgrade local wintun.dll file, the
version inscribed in wintun.dll file resources should increment in those
intermediate releases. MSI ignores file timestamps. One could use
REINSTALLMODE=emus Installer property to force copying wintun.dll when
its version doesn't change. But REINSTALLMODE applies to all files in
the MSI session and would be an additional requirement when authoring
MSI packages with wintun.dll.

Bumping only the final ZIP filename version is not sufficient.

Therefore, a <major>.<minor> or <major>.<minor>.<build> versioning is
introduced. Furthermore, we no longer distinguish between WintunVersion
and WintunVersionStr. All our releases used strictly numeric
<major>.<minor> notation, making WintunVersion and WintunVersionStr
always the same.

When the driver didn't change, just bump the version in wintun.proj and
run `msbuild wintun.proj /t:Zip` to rebuild the wintun.dll and make the
new ZIP file.

Signed-off-by: Simon Rozman <simon@rozman.si>
2021-03-19 11:52:11 +01:00
Simon Rozman
1ccd623e94 api: make .h filenames lowercase for building with MinGW on Linux
MinGW supplies all Windows header files using lowercase filenames.
This makes some of the #include lines in wintun.h fail to resolve the
.h files correctly on a case-sensitive filesystem.

Signed-off-by: Simon Rozman <simon@rozman.si>
2021-03-16 10:11:00 +01:00
Simon Rozman
cef7922556 api: elevate to SYSTEM in WintunEnumAdapters()
The WintunEnumAdapters() requires namespace mutex. However,
NamespaceTakePoolMutex() works as SYSTEM user only.

WireGuard is using the WintunEnumAdapters() in its manager service to
cleanup stale adapters. As the WireGuard manager service is running as
SYSTEM, this requirement was not apparent before.

This commit also extends the example project to list its existing
adapters at start.

Signed-off-by: Simon Rozman <simon@rozman.si>
2021-03-08 13:48:29 +01:00
Simon Rozman
bc5cde8916 api: upgrade logging
Log runtime information to quickly check whether the values are sane
when analyzing error logs sent in by users.

Signed-off-by: Simon Rozman <simon@rozman.si>
2021-02-16 04:19:21 +01:00