STABLE14-winverifytrust-20041129

author Jeffrey Altman <jaltman@mit.edu>

Tue, 7 Dec 2004 05:59:54 +0000 (05:59 +0000)

committer Derrick Brashear <shadow@dementia.org>

Tue, 7 Dec 2004 05:59:54 +0000 (05:59 +0000)
author Jeffrey Altman <jaltman@mit.edu>
Tue, 7 Dec 2004 05:59:54 +0000 (05:59 +0000)
committer Derrick Brashear <shadow@dementia.org>
Tue, 7 Dec 2004 05:59:54 +0000 (05:59 +0000)
diff --git a/src/WINNT/afsd/NTMakefile b/src/WINNT/afsd/NTMakefile

index c662c685b5c86ae05b76a6f8f03ea7a4807c222a..56e6199c0bf75b9b7b87afa25ccf82b61387c85c 100644 (file)
--- a/src/WINNT/afsd/NTMakefile
+++ b/src/WINNT/afsd/NTMakefile
@@ -337,7 +337,7 @@ $(EXEDIR)\unlog.exe: $(OUT)\cunlog.obj $(OUT)\unlog.res $(EXELIBS)
  AFSD_EXEFILE = $(EXEDIR)\afsd.exe
  
  AFSD_SDKLIBS =\
-       largeint.lib \
+#      largeint.lib \
         netapi32.lib \
          dnsapi.lib \
          mpr.lib \
@@ -349,7 +349,7 @@ AFSD_SDKLIBS =\
          secur32.lib \
          ole32.lib \
          oleaut32.lib \
-        psapi.lib
+        psapi.lib wintrust.lib
  
  AFSD_EXELIBS =\
         $(DESTDIR)\lib\libosi.lib \
diff --git a/src/WINNT/afsd/afsd_service.c b/src/WINNT/afsd/afsd_service.c

index 851d390c5a8337fa891a89b343488aca13879354..c01f2140ecaef69318c79d28edeff3d49ec037d1 100644 (file)
--- a/src/WINNT/afsd/afsd_service.c
+++ b/src/WINNT/afsd/afsd_service.c
@@ -11,7 +11,9 @@
  #include <afs/stds.h>
  
  #include <windows.h>
+#include <softpub.h>
  #include <psapi.h>
+#include <winerror.h>
  #include <string.h>
  #include <setjmp.h>
  #include "afsd.h"
@@ -488,6 +490,66 @@ GetVersionInfo( CHAR * filename, CHAR * szOutput, DWORD dwOutput )
      return retval;
  }
  
+BOOL VerifyTrust(CHAR * filename)
+{
+    WINTRUST_DATA fTrust;
+    WINTRUST_FILE_INFO finfo;
+    GUID trustAction = WINTRUST_ACTION_GENERIC_VERIFY_V2;
+    GUID subject = WIN_TRUST_SUBJTYPE_RAW_FILEEX;
+    wchar_t wfilename[260];
+    LONG ret;
+
+    if (filename == NULL ) 
+        return FALSE;
+
+    mbstowcs(wfilename, filename, 260);
+
+    finfo.cbStruct = sizeof(finfo);
+    finfo.pcwszFilePath= wfilename;
+    finfo.hFile = INVALID_HANDLE_VALUE;
+    finfo.pgKnownSubject = &subject;
+
+    fTrust.cbStruct = sizeof(fTrust);
+    fTrust.pPolicyCallbackData = NULL;
+    fTrust.pSIPClientData = NULL;
+    fTrust.dwUIChoice = WTD_UI_NONE;
+    fTrust.fdwRevocationChecks = WTD_REVOKE_NONE;
+    fTrust.dwUnionChoice = WTD_CHOICE_FILE;
+    fTrust.pFile = &finfo;
+    fTrust.dwStateAction = WTD_STATEACTION_IGNORE;
+    fTrust.hWVTStateData = NULL;
+    fTrust.pwszURLReference = NULL;
+    fTrust.dwProvFlags = WTD_SAFER_FLAG | WTD_REVOCATION_CHECK_NONE;
+    fTrust.dwUIContext = WTD_UICONTEXT_EXECUTE;
+    
+    ret = WinVerifyTrust(INVALID_HANDLE_VALUE, &trustAction, &fTrust);
+
+    if (ret == ERROR_SUCCESS) {
+        return TRUE;
+    } else {
+        DWORD gle = GetLastError();
+        switch (gle) {
+        case TRUST_E_PROVIDER_UNKNOWN:
+            afsi_log("VerifyTrust failed: \"Generic Verify V2\" Provider Unknown");
+            break;  
+        case TRUST_E_NOSIGNATURE:
+            afsi_log("VerifyTrust failed: Unsigned executable");
+            break;
+        case TRUST_E_EXPLICIT_DISTRUST:
+            afsi_log("VerifyTrust failed: Certificate Marked as Untrusted by the user");
+            break;
+        case TRUST_E_SUBJECT_NOT_TRUSTED:
+            afsi_log("VerifyTrust failed: File is not trusted");
+            break;
+        case CRYPT_E_SECURITY_SETTINGS:
+            afsi_log("VerifyTrust failed: local security options prevent verification");
+            break;
+        default:
+            afsi_log("VerifyTrust failed: 0x%X", GetLastError());
+        }
+        return FALSE;
+    }
+}
  
  BOOL AFSModulesVerify(void)
  {
@@ -495,6 +557,7 @@ BOOL AFSModulesVerify(void)
      CHAR afsdVersion[128];
      CHAR modVersion[128];
      CHAR checkName[1024];
+    BOOL trustVerified = FALSE;
      HMODULE hMods[1024];
      HANDLE hProcess;
      DWORD cbNeeded;
@@ -509,6 +572,8 @@ BOOL AFSModulesVerify(void)
  
      afsi_log("%s version %s", filename, afsdVersion);
  
+    trustVerified = VerifyTrust(filename);
+
      // Get a list of all the modules in this process.
      hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
                             FALSE, GetCurrentProcessId());
@@ -543,6 +608,10 @@ BOOL AFSModulesVerify(void)
                          afsi_log("Version mismatch: %s", szModName);
                          success = FALSE;
                      }
+                    if ( trustVerified && !VerifyTrust(szModName) ) {
+                        afsi_log("Signature Verification failed: %s", szModName);
+                        success = FALSE;
+                    }
                  }
              }
          }
author	Jeffrey Altman <jaltman@mit.edu>
	Tue, 7 Dec 2004 05:59:54 +0000 (05:59 +0000)
committer	Derrick Brashear <shadow@dementia.org>
	Tue, 7 Dec 2004 05:59:54 +0000 (05:59 +0000)
src/WINNT/afsd/NTMakefile		patch \| blob \| history
src/WINNT/afsd/afsd_service.c		patch \| blob \| history