diff --git a/CHANGELOG.md b/CHANGELOG.md index acdd387..c12b15f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -20,6 +20,9 @@ Line wrap the file at 100 chars. Th * **Security**: in case of vulnerabilities. ## [Unreleased] +### Changed +- Update build and release procedure to remove support for pre-Windows 10 systems. + ### Fixed - Ensure IOCTL requests are always processed on worker thread to prevent client from getting stuck inside DeviceIoControl API call. diff --git a/RELEASE.md b/RELEASE.md index 26796ae..deff1d4 100644 --- a/RELEASE.md +++ b/RELEASE.md 
@@ -33,18 +33,17 @@ Configure signing in Microsoft partner portal: 1. `cd` into driver repository. 1. Run `build.bat ` to build and sign the driver. 1. Artifacts are prepared under `bin/dist/`: - 1. `bin/dist/legacy/` contains the final artifacts for Windows 7/8/8.1. - 1. `bin/dist/win10/` contains an intermediate driver package for Windows 10. - 1. `bin/dist/meta/` currently, only holds the shared PDB file. -1. Upload Windows 10 intermediate driver package (`mullvad-split-tunnel-amd64.cab`) to Microsoft for attestation signing. -1. Download attestation signed driver for Windows 10. + 1. `mullvad-split-tunnel-amd64.cab` is an intermediate driver package for Windows 10. + 1. `mullvad-split-tunnel.pdb` contains debug information. +1. Upload intermediate driver package to Microsoft for attestation signing. +1. Download attestation signed driver package. ## Updating dependent repositories 1. In the `mullvadvpn-app-binaries` repository: - 1. Update legacy driver package in `x86_64-pc-windows-msvc/split-tunnel/legacy/`. - 1. Extract attestation signed driver and related files into `x86_64-pc-windows-msvc/split-tunnel/win10/`. - 1. Update driver PDB file in `x86_64-pc-windows-msvc/split-tunnel/meta/`. + 1. In subfolder `x86_64-pc-windows-msvc/split-tunnel/`: + 1. Extract attestation signed driver package. + 1. Update driver PDB file. 1. Merge file updates into `master`. 1. In the `mullvadvpn-app` repository: 1. Update the `mullvadvpn-app-binaries` submodule reference. diff --git a/build.bat b/build.bat index 6318817..572f629 100644 --- a/build.bat +++ b/build.bat @@ -8,7 +8,6 @@ if [%VisualStudioVersion%]==[] ( if [%1]==[] goto USAGE set CERT_THUMBPRINT=%1 -set CROSSCERT=digicert-high-assurance-ev.crt set TIMESTAMP_SERVER=http://timestamp.digicert.com set ROOT=%~dp0 
@@ -26,41 +25,28 @@ IF %ERRORLEVEL% NEQ 0 goto ERROR :: Sign driver -signtool sign /tr %TIMESTAMP_SERVER% /td sha256 /fd sha256 /sha1 "%1" /v /ac %ROOT%resources\%CROSSCERT% %ROOT%bin\x64-Release\mullvad-split-tunnel\mullvad-split-tunnel.sys +signtool sign /tr %TIMESTAMP_SERVER% /td sha256 /fd sha256 /sha1 "%CERT_THUMBPRINT%" /v %ROOT%bin\x64-Release\mullvad-split-tunnel\mullvad-split-tunnel.sys IF %ERRORLEVEL% NEQ 0 goto ERROR :: Re-generate catalog file now that driver binary has changed del %ROOT%bin\x64-Release\mullvad-split-tunnel\mullvad-split-tunnel.cat -"%WindowsSdkVerBinPath%x86\inf2cat.exe" /driver:%ROOT%bin\x64-Release\mullvad-split-tunnel /os:"7_x64" /verbose +"%WindowsSdkBinPath%x86\inf2cat.exe" /driver:%ROOT%bin\x64-Release\mullvad-split-tunnel /os:"10_x64" /verbose IF %ERRORLEVEL% NEQ 0 goto ERROR :: Sign catalog -signtool sign /tr %TIMESTAMP_SERVER% /td sha256 /fd sha256 /sha1 "%1" /v /ac %ROOT%resources\%CROSSCERT% %ROOT%bin\x64-Release\mullvad-split-tunnel\mullvad-split-tunnel.cat +signtool sign /tr %TIMESTAMP_SERVER% /td sha256 /fd sha256 /sha1 "%CERT_THUMBPRINT%" /v %ROOT%bin\x64-Release\mullvad-split-tunnel\mullvad-split-tunnel.cat IF %ERRORLEVEL% NEQ 0 goto ERROR -:: Copy artifacts - -rmdir /s /q %ROOT%bin\dist - -mkdir %ROOT%bin\dist\legacy -copy /b %ROOT%bin\x64-Release\mullvad-split-tunnel\* %ROOT%bin\dist\legacy\ - -mkdir %ROOT%bin\dist\meta -move %ROOT%bin\dist\legacy\mullvad-split-tunnel.pdb %ROOT%bin\dist\meta\ - -:: :: Build a CAB file for submission to the MS Hardware Dev Center -:: The co-installer has to be included (?) because it's referenced in the inf file -:: -mkdir %ROOT%bin\dist\win10 +mkdir %ROOT%bin\temp\cab ->"%ROOT%bin\dist\win10\mullvad-split-tunnel-amd64.ddf" ( +>"%ROOT%bin\temp\cab\mullvad-split-tunnel-amd64.ddf" ( echo .OPTION EXPLICIT ; Generate errors echo .Set CabinetFileCountThreshold=0 echo .Set FolderFileCountThreshold=0 
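Review bot: The new `signtool sign` and `inf2cat` lines, and `mkdir %ROOT%bin\temp\cab`, pass `%ROOT%`-based paths unquoted, while the thumbprint and the `.ddf` redirect target in the same hunk are quoted. `ROOT` is set from `%~dp0`, so a checkout under a directory whose name contains a space would split these arguments, and the signing and catalog steps would most likely fail or be handed a truncated path. Quote each path, for example `/v "%ROOT%bin\x64-Release\mullvad-split-tunnel\mullvad-split-tunnel.sys"` and `mkdir "%ROOT%bin\temp\cab"`. The CAB `signtool` line and the two `copy /b` lines in the next hunk of build.bat have the same form.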
@@ -73,32 +59,38 @@ mkdir %ROOT%bin\dist\win10 echo .Set Compress=on echo .Set CabinetNameTemplate=mullvad-split-tunnel-amd64.cab echo .Set DestinationDir=Package - echo .Set DiskDirectoryTemplate=%ROOT%bin\dist\win10 - echo %ROOT%bin\dist\legacy\mullvad-split-tunnel.cat - echo %ROOT%bin\dist\legacy\mullvad-split-tunnel.inf - echo %ROOT%bin\dist\legacy\mullvad-split-tunnel.sys - echo %ROOT%bin\dist\legacy\WdfCoinstaller01011.dll + echo .Set DiskDirectoryTemplate=%ROOT%bin\temp\cab + echo %ROOT%bin\x64-Release\mullvad-split-tunnel\mullvad-split-tunnel.cat + echo %ROOT%bin\x64-Release\mullvad-split-tunnel\mullvad-split-tunnel.inf + echo %ROOT%bin\x64-Release\mullvad-split-tunnel\mullvad-split-tunnel.sys + echo %ROOT%bin\x64-Release\mullvad-split-tunnel\mullvad-split-tunnel.pdb ) -:: :: makecab produces several garbage files -:: force current working directory to prevent spreading them out -:: +:: Force current working directory to prevent spreading them out -pushd %ROOT%bin\dist\win10 +pushd %ROOT%bin\temp\cab -makecab /f "%ROOT%bin\dist\win10\mullvad-split-tunnel-amd64.ddf" +makecab /f "%ROOT%bin\temp\cab\mullvad-split-tunnel-amd64.ddf" popd IF %ERRORLEVEL% NEQ 0 goto ERROR -signtool sign /tr %TIMESTAMP_SERVER% /td sha256 /fd sha256 /sha1 "%1" /v /ac %ROOT%resources\%CROSSCERT% %ROOT%bin\dist\win10\mullvad-split-tunnel-amd64.cab +signtool sign /tr %TIMESTAMP_SERVER% /td sha256 /fd sha256 /sha1 "%CERT_THUMBPRINT%" /v %ROOT%bin\temp\cab\mullvad-split-tunnel-amd64.cab IF %ERRORLEVEL% NEQ 0 goto ERROR +:: Collect artifacts + +mkdir %ROOT%bin\dist + +copy /b %ROOT%bin\x64-Release\mullvad-split-tunnel\mullvad-split-tunnel.pdb %ROOT%bin\dist\ +copy /b %ROOT%bin\temp\cab\mullvad-split-tunnel-amd64.cab %ROOT%bin\dist\ + echo; echo BUILD COMPLETED SUCCESSFULLY +echo ARTIFACTS ARE IN --^> bin/dist/ ^<-- echo; exit /b 0 diff --git a/resources/digicert-high-assurance-ev.crt b/resources/digicert-high-assurance-ev.crt deleted file mode 100644 index c42e0fc..0000000 
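Review bot: The two `copy /b` lines under `:: Collect artifacts` have no `IF %ERRORLEVEL% NEQ 0 goto ERROR` after them, and this commit also drops the `rmdir /s /q %ROOT%bin\dist` that used to empty the output directory (removed in the previous hunk). If a copy fails, or `bin\dist` still holds `legacy\` or `win10\` folders from a build made before this change, the script prints BUILD COMPLETED SUCCESSFULLY while `bin\dist` contains files that do not belong to this build. The release procedure then takes the CAB from that directory for attestation signing. Clear the directory first with `if exist "%ROOT%bin\dist" rmdir /s /q "%ROOT%bin\dist"` and add `IF %ERRORLEVEL% NEQ 0 goto ERROR` after each `copy /b`. `bin\temp\cab` is likewise reused across runs without being emptied.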
--- a/resources/digicert-high-assurance-ev.crt
+++ /dev/null
@@ -1,30 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFOzCCAyOgAwIBAgIKYSBNtAAAAAAAJzANBgkqhkiG9w0BAQUFADB/MQswCQYD
-VQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEe
-MBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSkwJwYDVQQDEyBNaWNyb3Nv
-ZnQgQ29kZSBWZXJpZmljYXRpb24gUm9vdDAeFw0xMTA0MTUxOTQ1MzNaFw0yMTA0
-MTUxOTU1MzNaMGwxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMx
-GTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xKzApBgNVBAMTIkRpZ2lDZXJ0IEhp
-Z2ggQXNzdXJhbmNlIEVWIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
-ggEKAoIBAQDGzOVz5vvUu+UtLTKm3+WBP8nNJUm2cSrD1ZQ0Z6IKHLBfaaZAscS3
-so/QmKSpQVk609yU1jzbdDikSsxNJYL3SqVTEjju80ltcZF+Y7arpl/DpIT4T2JR
-vvjF7Ns4kuMG5QiRDMQoQVX7y1qJFX5x6DW/TXIJPb46OFBbdzEbjbPHJEWap6xt
-ABRaBLe6E+tRCphBQSJOZWGHgUFQpnlcid4ZSlfVLuZdHFMsfpjNGgYWpGhz0DQE
-E1yhcdNafFXbXmThN4cwVgTlEbQpgBLxeTmIogIRfCdmt4i3ePLKCqg4qwpkwr9m
-XZWEwaElHoddGlALIBLMQbtuC1E4uEvLAgMBAAGjgcswgcgwEQYDVR0gBAowCDAG
-BgRVHSAAMAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSx
-PsNpA/i/RwHUmCYaCALvY2QrwzAfBgNVHSMEGDAWgBRi+wohW39DbhHaCVRQa/XS
-lnHxnjBVBgNVHR8ETjBMMEqgSKBGhkRodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20v
-cGtpL2NybC9wcm9kdWN0cy9NaWNyb3NvZnRDb2RlVmVyaWZSb290LmNybDANBgkq
-hkiG9w0BAQUFAAOCAgEAIIzBWe1vnGstwUo+dR1FTEFQHL2A6tmwkosGKhM/Uxae
-VjlqimO2eCR59X24uUehCpbC9su9omafBuGs0nkJDv083KwCDHCvPxvseH7U60sF
-YCbZc2GRIe2waGPglxKrb6AS7dmf0tonPLPkVvnR1IEPcb1CfKaJ3M3VvZWiq/GT
-EX3orDEpqF1mcEGd/HXJ1bMaOSrQhQVQi6yRysSTy3GlnaSUb1gM+m4gxAgxtYWd
-foH50j3KWxiFbAqG7CIJG6V0NE9/KLyVSqsdtpiwXQmkd3Z+76eOXYT2GCTL0W2m
-w6GcwhB1gP+dMv3mz0M6gvfOj+FyKptit1/tlRo5XC+UbUi3AV8zL7vcLXM0iQRC
-ChyLefmj+hfv+qEaEN/gssGV61wMBZc7NT4YiE3bbL8kiY3Ivdifezk6JKDV39Hz
-ShqX9qZveh+wkKmzrAE5kdNht2TxPlc4A6/OetK1kPWu3DmZ1bY8l+2myxbHfWsq
-TJCU5kxU/R7NIOzOaJyHWOlhYL7rDsnVGX2f6Xi9DqwhdQePqW7gjGoqa5zj52W8
-vC08bdwE3GdFNjKvBIG8qABuYUyVxVzUjo6fL8EydL29EWUDB83vt14CV9qG1Boo
-NK+ISbLPpd2CVm9oqhTiWVT+/+ru7+qScCJggeMlI8CfzA9JsjWqWMM6w9kWlBA=
------END CERTIFICATE-----
diff --git a/src/mullvad-split-tunnel.inf b/src/mullvad-split-tunnel.inf index 3e66d2f..b9dcac5 100644 --- a/src/mullvad-split-tunnel.inf +++ b/src/mullvad-split-tunnel.inf @@ -13,7 +13,6 @@ DriverVer= [DestinationDirs] DefaultDestDir = 12 -mullvad-split-tunnel_Device_CoInstaller_CopyFiles = 11 ; ================= Class section ===================== @@ -29,16 +28,15 @@ HKR,,Icon,,-5 [SourceDisksFiles] mullvad-split-tunnel.sys = 1,, -WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=1 ;***************************************** ; Install Section ;***************************************** [Manufacturer] -%ManufacturerName%=Standard,NT$ARCH$ +%ManufacturerName%=Standard,NT$ARCH$.10.0 -[Standard.NT$ARCH$] +[Standard.NT$ARCH$.10.0] %mullvad-split-tunnel.DeviceDesc%=mullvad-split-tunnel_Device, Root\mullvad-split-tunnel [mullvad-split-tunnel_Device.NT] @@ -59,25 +57,6 @@ StartType = 3 ; SERVICE_DEMAND_START ErrorControl = 1 ; SERVICE_ERROR_NORMAL ServiceBinary = %12%\mullvad-split-tunnel.sys -; -;--- mullvad-split-tunnel_Device Coinstaller installation ------ -; - -[mullvad-split-tunnel_Device.NT.CoInstallers] -AddReg=mullvad-split-tunnel_Device_CoInstaller_AddReg -CopyFiles=mullvad-split-tunnel_Device_CoInstaller_CopyFiles - -[mullvad-split-tunnel_Device_CoInstaller_AddReg] -HKR,,CoInstallers32,0x00010000, "WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,WdfCoInstaller" - -[mullvad-split-tunnel_Device_CoInstaller_CopyFiles] -WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll - -[mullvad-split-tunnel_Device.NT.Wdf] -KmdfService = mullvad-split-tunnel, mullvad-split-tunnel_wdfsect -[mullvad-split-tunnel_wdfsect] -KmdfLibraryVersion = $KMDFVERSION$ - [Strings] SPSVCINST_ASSOCSERVICE= 0x00000002 ManufacturerName="Mullvad AB" diff --git a/src/mullvad-split-tunnel.vcxproj b/src/mullvad-split-tunnel.vcxproj index 753fb78..4ba8484 100644 --- a/src/mullvad-split-tunnel.vcxproj +++ b/src/mullvad-split-tunnel.vcxproj @@ -30,7 +30,7 @@ - Windows7 + Windows10 true WindowsKernelModeDriver10.0 Driver 
@@ -42,7 +42,7 @@ - Windows7 + Windows10 false WindowsKernelModeDriver10.0 Driver @@ -54,7 +54,7 @@ - Windows7 + Windows10 true WindowsKernelModeDriver10.0 Driver @@ -66,7 +66,7 @@ - Windows7 + Windows10 false WindowsKernelModeDriver10.0 Driver @@ -125,10 +125,10 @@ 0.0.0.1 - copy /y $(SolutionDir)\..\bin\$(Platform)-$(Configuration)\mullvad-split-tunnel.pdb $(SolutionDir)\..\bin\$(Platform)-$(Configuration)\mullvad-split-tunnel\mullvad-split-tunnel.pdb + scripts\fixup-driver-package.bat "$(OutDir)" - custom-stampinf.bat "$(InfToolPath)stampinf.exe" $(InfArch) $(KMDF_VERSION_MAJOR).$(KMDF_VERSION_MINOR) "$(IntDir)mullvad-split-tunnel.inf" "$(OutDir)mullvad-split-tunnel.inf" + scripts\clean-driver-package.bat "$(OutDir)" && scripts\custom-stampinf.bat "$(InfToolPath)stampinf.exe" $(InfArch) $(KMDF_VERSION_MAJOR).$(KMDF_VERSION_MINOR) "$(IntDir)mullvad-split-tunnel.inf" "$(OutDir)mullvad-split-tunnel.inf" @@ -143,10 +143,10 @@ /INTEGRITYCHECK %(AdditionalOptions) - copy /y $(SolutionDir)\..\bin\$(Platform)-$(Configuration)\mullvad-split-tunnel.pdb $(SolutionDir)\..\bin\$(Platform)-$(Configuration)\mullvad-split-tunnel\mullvad-split-tunnel.pdb + scripts\fixup-driver-package.bat "$(OutDir)" - custom-stampinf.bat "$(InfToolPath)stampinf.exe" $(InfArch) $(KMDF_VERSION_MAJOR).$(KMDF_VERSION_MINOR) "$(IntDir)mullvad-split-tunnel.inf" "$(OutDir)mullvad-split-tunnel.inf" + scripts\clean-driver-package.bat "$(OutDir)" && scripts\custom-stampinf.bat "$(InfToolPath)stampinf.exe" $(InfArch) $(KMDF_VERSION_MAJOR).$(KMDF_VERSION_MINOR) "$(IntDir)mullvad-split-tunnel.inf" "$(OutDir)mullvad-split-tunnel.inf" 0.0.0.1 
@@ -163,10 +163,10 @@ trace.h - copy /y $(SolutionDir)\..\bin\$(Platform)-$(Configuration)\mullvad-split-tunnel.pdb $(SolutionDir)\..\bin\$(Platform)-$(Configuration)\mullvad-split-tunnel\mullvad-split-tunnel.pdb + scripts\fixup-driver-package.bat "$(OutDir)" - custom-stampinf.bat "$(InfToolPath)stampinf.exe" $(InfArch) $(KMDF_VERSION_MAJOR).$(KMDF_VERSION_MINOR) "$(IntDir)mullvad-split-tunnel.inf" "$(OutDir)mullvad-split-tunnel.inf" + scripts\clean-driver-package.bat "$(OutDir)" && scripts\custom-stampinf.bat "$(InfToolPath)stampinf.exe" $(InfArch) $(KMDF_VERSION_MAJOR).$(KMDF_VERSION_MINOR) "$(IntDir)mullvad-split-tunnel.inf" "$(OutDir)mullvad-split-tunnel.inf" 0.0.0.1 @@ -188,10 +188,10 @@ 0.0.0.1 - copy /y $(SolutionDir)\..\bin\$(Platform)-$(Configuration)\mullvad-split-tunnel.pdb $(SolutionDir)\..\bin\$(Platform)-$(Configuration)\mullvad-split-tunnel\mullvad-split-tunnel.pdb + scripts\fixup-driver-package.bat "$(OutDir)" - custom-stampinf.bat "$(InfToolPath)stampinf.exe" $(InfArch) $(KMDF_VERSION_MAJOR).$(KMDF_VERSION_MINOR) "$(IntDir)mullvad-split-tunnel.inf" "$(OutDir)mullvad-split-tunnel.inf" + scripts\clean-driver-package.bat "$(OutDir)" && scripts\custom-stampinf.bat "$(InfToolPath)stampinf.exe" $(InfArch) $(KMDF_VERSION_MAJOR).$(KMDF_VERSION_MINOR) "$(IntDir)mullvad-split-tunnel.inf" "$(OutDir)mullvad-split-tunnel.inf" diff --git a/src/scripts/clean-driver-package.bat b/src/scripts/clean-driver-package.bat new file mode 100644 index 0000000..a773e03 --- /dev/null +++ b/src/scripts/clean-driver-package.bat 
@@ -0,0 +1,26 @@ +@echo off + +:: Visual studio will only clean the driver package directory when making a rebuild of the project +:: So for a regular build the directory could contain all kinds of old cruft. + +if [%1]==[] goto ABORT_ARGUMENTS + +:: Argument 1 is a quoted string containing an absolute path. + +set OUTPUT_DIR=%1 + +pushd %OUTPUT_DIR% + +echo Cleaning driver package of old cruft + +rmdir /s /q mullvad-split-tunnel + +popd + +exit /b 0 + +:ABORT_ARGUMENTS + +echo ERROR: %0 invoked without enough arguments + +exit /b 1 diff --git a/src/custom-stampinf.bat b/src/scripts/custom-stampinf.bat similarity index 96% rename from src/custom-stampinf.bat rename to src/scripts/custom-stampinf.bat index f68b3ed..74a9813 100644 --- a/src/custom-stampinf.bat +++ b/src/scripts/custom-stampinf.bat @@ -25,7 +25,7 @@ setlocal enabledelayedexpansion :: Import version defines into environment -for /f "tokens=1-3 delims= " %%i in (%~dp0\version.h) do ( +for /f "tokens=1-3 delims= " %%i in (%~dp0\..\version.h) do ( if /i "%%i"=="#define" ( set %%j=%%k ) diff --git a/src/scripts/fixup-driver-package.bat b/src/scripts/fixup-driver-package.bat new file mode 100644 index 0000000..94e50bd --- /dev/null +++ b/src/scripts/fixup-driver-package.bat @@ -0,0 +1,31 @@ +@echo off + +if [%1]==[] goto ABORT_ARGUMENTS + +:: Argument 1 is a quoted string containing an absolute path. + +set OUTPUT_DIR=%1 + +pushd %OUTPUT_DIR% + +echo Copying debug info into driver package + +copy /y /b mullvad-split-tunnel.pdb mullvad-split-tunnel\ + +:: Some silly component somewhere will insist on always including the KMDF Co-installer. +:: There appears to be no way of suppressing this using configuration changes. +:: So we'll just remove the file after-the-fact. + +echo Removing WDF Co-installer from driver package + +del "mullvad-split-tunnel\wdfcoinstaller*.dll" + +popd + +exit /b 0 + +:ABORT_ARGUMENTS + +echo ERROR: %0 invoked without enough arguments + +exit /b 1
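Review bot: In clean-driver-package.bat the result of `pushd %OUTPUT_DIR%` is not checked before `rmdir /s /q mullvad-split-tunnel` runs, so if the directory change fails the recursive delete is applied relative to whatever directory the build event started in. Guard it with `pushd %OUTPUT_DIR% || exit /b 1`. fixup-driver-package.bat, added later in this commit, has the same unchecked `pushd`, and its unconditional `exit /b 0` discards the `copy` and `del` results, so the post-build step does not report a missing PDB. Both scripts also `set OUTPUT_DIR` without `setlocal`, which leaves the variable behind in the calling environment.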