SHA-1 cert used for network drivers causing issues #915

Closed
BooBerry opened this issue Feb 26, 2016 · 87 comments

@BooBerry BooBerry commented Feb 26, 2016

http://forum.adguard.com/showthread.php?9340-Okay-I-m-stumped-quot-Cannot-enable-protection-quot

Looks like the use of only a SHA-1 certificate for the network drivers (WFP in this case, assuming TDI too) is causing issues in the Windows 10 Insider Preview builds. The user can't enable protection unless rebooting into troubleshooting mode then disabling Driver Signature Enforcement which allows Adguard to function properly.

Upon looking at adgnetworkwfpdrv.sys I see only a SHA-1 certificate is used. Since SHA-1 is in the process of being deprecated by the end of this year for Windows 7/8/10, shouldn't a SHA-256 certificate be used as well to prevent this issue?
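
Added example (not part of the thread and not Adguard's own code): one way to make the check the first post describes, listing the signature hash algorithm of each certificate behind a driver's Authenticode signature and flagging SHA-1 below the root. The path in `$DriverDir` and the function name `Get-DriverSignerInfo` are assumptions for illustration.

```powershell
# Added example. $DriverDir is a placeholder for the folder holding the .sys files.
param([string]$DriverDir = 'C:\Path\To\Drivers')   # hypothetical path

function Get-DriverSignerInfo {                     # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    if (-not $cert) {
        # No signer certificate was returned (for example, the file is unsigned).
        return [pscustomobject]@{ File = $Path; Status = $sig.Status; Chain = @(); Sha1InChain = $false }
    }

    # Build the chain without revocation lookups so the check also works offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($cert)

    $elements = foreach ($e in $chain.ChainElements) {
        $c = $e.Certificate
        [pscustomobject]@{
            Subject   = $c.Subject
            Algorithm = $c.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA or sha256RSA
            IsRoot    = ($c.Subject -eq $c.Issuer)
        }
    }

    # The root is trusted by its presence in the store, not by its own signature,
    # so only the signer and intermediate certificates are counted here.
    $sha1 = @($elements | Where-Object { -not $_.IsRoot -and $_.Algorithm -like 'sha1*' })

    [pscustomobject]@{
        File        = $Path
        Status      = $sig.Status
        Chain       = @($elements)
        Sha1InChain = ($sha1.Count -gt 0)
    }
}

Get-ChildItem -Path $DriverDir -Filter *.sys -File |
    ForEach-Object { Get-DriverSignerInfo -Path $_.FullName } |
    Select-Object File, Status, Sha1InChain,
        @{ Name = 'Algorithms'; Expression = { $_.Chain.Algorithm -join ' > ' } }
```

`Get-AuthenticodeSignature` reports one signature per file, so a dual-signed driver shows only its primary signature; `signtool verify /v /kp <file>` checks a file against the kernel-mode driver signing policy.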

@obiwankenobijohn obiwankenobijohn commented Feb 26, 2016

I discovered this after 10+ hours of troubleshooting my system. With the help of Boo Berry, we finally came down to this. I am the OP of the forum topic.

@ameshkov ameshkov added the bug label Feb 26, 2016
@ameshkov ameshkov added this to the 6.0 R2 milestone Feb 26, 2016

Member

@ameshkov ameshkov commented Feb 26, 2016

Ah, they have finally done this :(

Ok then. Good news is that the EV certificate has finally arrived (see #764).
Bad news is that the Microsoft submission algorithm is not yet clear.

Author

@BooBerry BooBerry commented Feb 26, 2016

Do you have to submit it for Windows Hardware Quality Labs (WHQL) testing?

Member

@ameshkov ameshkov commented Feb 26, 2016

No, there's a different way, it seems that it even can be automated.

Member

@ameshkov ameshkov commented Feb 26, 2016

Yep, that's it.

Author

@BooBerry BooBerry commented Feb 26, 2016

Looks pretty straightforward to me. I wonder if they'll push it out to the Windows 10 Threshold builds, or wait until Redstone's out this Summer.

Nonetheless, looks like you guys are on top of it like always. :)

Member

@ameshkov ameshkov commented Feb 26, 2016

Not sure, this all is very unclear to me. I still don't understand if we really need an EV certificate or cross-signing with our common SHA-2 certificate is enough.

Author

@BooBerry BooBerry commented Feb 26, 2016

I guess you guys can always test it by installing the Insider Preview Redstone builds and see if you can reproduce the issue, then test with the SHA-2 certificate.

However since it's a kernel driver, it kinda makes sense to me to go the EV route, just in case.

Member

@ameshkov ameshkov commented Feb 26, 2016

Updating to a new insider preview build right now.

I guess I'll go to office tomorrow morning as EV certificate token is there:)

Author

@BooBerry BooBerry commented Feb 26, 2016

Gosh, no remote access from home? :P

I'm guessing this either happens after X amount of time (assuming Windows discovers the network driver's signing) and it begins to happen, or it was an update pushed through Windows Update.

Member

@ameshkov ameshkov commented Feb 26, 2016

EV certificate has a hardware token which is in the safe in the office:)

Author

@BooBerry BooBerry commented Feb 26, 2016

Ah, well there you go. :P

@obiwankenobijohn obiwankenobijohn commented Feb 26, 2016

Thanks for all of the helpful information, guys. I truly appreciate it!

Author

@BooBerry BooBerry commented Feb 26, 2016

Ah, just read this;

> In Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), standard code signing cannot be used for kernel-mode drivers. For more info about these changes, see Code Signing FAQ.

Looks like EV is the way to go then.

Member

@ameshkov ameshkov commented Feb 26, 2016

Weird, I've just updated to the latest Insider Preview and AG still works.

Author

@BooBerry BooBerry commented Feb 26, 2016

I think that happened to Obi Wan too, it just seems it'll happen after an amount of time. Any Windows Updates?

Or, I guess, you could always fully uninstall, reboot and reinstall Adguard to see if it's triggered.

Member

@ameshkov ameshkov commented Feb 26, 2016

Version 10.0.14267 Build 14267

Member

@ameshkov ameshkov commented Feb 26, 2016

I'll anyway go to the office tomorrow, but it would be much easier if I had the same issue:)

Author

@BooBerry BooBerry commented Feb 26, 2016

Hmmm, maybe there's something in the Windows event log on Obi's PC that could help?

Member

@ameshkov ameshkov commented Feb 26, 2016

Who knows:)

@obiwankenobijohn will you be available tomorrow? You're my only hope to test the new signed drivers:)

Author

@BooBerry BooBerry commented Feb 26, 2016

If I can find the .esd for 14267, I'll play around with it in a VM. Though I suppose I could make a new test Outlook account and upgrade an existing Windows 10 VM.

P.S. I see what you did there. :P

@obiwankenobijohn obiwankenobijohn commented Feb 26, 2016

I will definitely be around. @ameshkov, the fast ring of the insider previews' latest build is 14271. That's the build I'm on. Windows 10 Pro Insider Preview build 14271.rs1_release.160218-2310, to be exact.

Member

@ameshkov ameshkov commented Feb 27, 2016

Great, thank you!

I am also on "fast" updates. Seems that I should receive all missed updates before receiving the latest. Hope it will be available tomorrow.

Offtopic: I've forgotten the laptop charger in the office so I'll go off in a minute. Meanwhile, @BooBerry, check out the latest Android release, HTTPS filtering has arrived (nightly untested alpha version, some things never change:)).

Author

@BooBerry BooBerry commented Feb 27, 2016

I'm still waiting for my VM to even give me an Insider build. I guess it can take up to a day, apparently.

Offtopic: Oooh, nice! I got that "Network may be monitored" notification on every boot, but I fixed that myself with the Move Certs! app. I wonder if this can be done automatically for rooted users?

@Bohdan-SUP Bohdan-SUP commented Feb 27, 2016

Logs here - QIX-577-95768

Member

@ameshkov ameshkov commented Feb 27, 2016

@Bohdan-SUP let's collect all tickets here in this issue.

As soon as the issue is resolved we should inform users.

Member

@ameshkov ameshkov commented Feb 27, 2016

@obiwankenobijohn you have an x64 system, right?

Member

@ameshkov ameshkov commented Feb 27, 2016

I have one signed driver (WFP x64), we can at least check if it works with it.

Author

@BooBerry BooBerry commented Feb 27, 2016

On Windows 10 that's more-or-less the one to test anyways.

Member

@ameshkov ameshkov commented Feb 27, 2016

According to @obiwankenobijohn's logs he currently has TDI in use.

Author

@BooBerry BooBerry commented Feb 27, 2016

I saw that, but the WFP driver had the same error as well.

Member

@ameshkov ameshkov commented Feb 27, 2016

Ok, here is an instruction:

  1. Go to Adguard settings and check "Use WFP driver" there
  2. Exit Adguard and stop Adguard Service
  3. Download this file:
    drivers.zip
  4. Rename it to "drivers.bin"
  5. Put "drivers.bin" to Adguard's installation folder (just overwrite the existing)
  6. Start Adguard Service and Adguard UI

Author

@BooBerry BooBerry commented Feb 27, 2016

Just plopped it in my Insider VM, and it seems to be working rather well - SHA-256 certificate and all. I'll plop it on the main install now. =)

Member

@ameshkov ameshkov commented Feb 27, 2016

Did you face that issue in your VM before trying it? I still don't even with the latest insider preview build.

Author

@BooBerry BooBerry commented Feb 27, 2016

Nope, still didn't encounter it and I've had it on all day with reboots every so often.

@obiwankenobijohn obiwankenobijohn commented Feb 28, 2016

Bingo! Worked like a charm! :) Thank you SOOOO much!!!!

@pbmcmlxxi pbmcmlxxi commented Feb 28, 2016

Morning. As with @obiwankenobijohn the guide to install the drivers.bin by @ameshkov got Adguard working for me. Thank you. :)

@mysteriously mysteriously commented Feb 28, 2016

Ok, let me try this driver as well.

Member

@ameshkov ameshkov commented Feb 28, 2016

@obiwankenobijohn @pbmcmlxxi
Nice, thank you for checking it!

Now we should wait for manual review of other three drivers (x64 tdi and x86 both) and then push an update.

@obiwankenobijohn obiwankenobijohn commented Feb 28, 2016

It was my pleasure, @ameshkov! Glad I could help! :)

@mysteriously mysteriously commented Feb 28, 2016

@ameshkov I have more SSL errors in FF with new drivers.
ssl_error_bad_mac_read
secure connection failed
ssl_error_rx_unexpected_application_data
I'll disable Adguard for now.

Member

@ameshkov ameshkov commented Feb 28, 2016

@mysteriously there is only one new driver - WFP x64. Other drivers are the same, we are still waiting for submissions to be signed.

Edit: in fact all drivers are the same, the difference is only in the file signature, that has nothing to do with how driver works.

@mysteriously mysteriously commented Feb 28, 2016

Edit: Ah, OK then. I thought driver version is newer with some changes applied.

@obiwankenobijohn obiwankenobijohn commented Feb 29, 2016

@ameshkov: You deserve a raise! Outstanding work! You've TOTALLY nailed it! This is why I am glad that I beta test...it isn't for anything in return, but noticing the little things like this is MORE than a reward, just so others don't have to have problems further down the road.

Member

@ameshkov ameshkov commented Feb 29, 2016

Both TDI are now signed, we are close:) Waiting for x86 WFP only

Member

@ameshkov ameshkov commented Feb 29, 2016

Everything is signed, finally:)

Today we will publish a beta version with additional set of drivers for Win10.

Author

@BooBerry BooBerry commented Feb 29, 2016

Nice! Now the question is, will it still run on XP and Vista or does it need dual signed with a SHA-1 cert too?

Member

@ameshkov ameshkov commented Feb 29, 2016

These drivers are for Windows 10 only.

Member

@ameshkov ameshkov commented Feb 29, 2016

Guys, could you please try the beta version with new drivers?
http://cdn.adguard.com/public/Adguard/SpecialBuild/ev/Setup.exe

@obiwankenobijohn obiwankenobijohn commented Feb 29, 2016

Works beautifully! 👍

Member

@ameshkov ameshkov commented Feb 29, 2016

Nice, thank you!

Member

@ameshkov ameshkov commented Mar 1, 2016

Closing this issue. Fix will be included in today's beta release.

@ameshkov ameshkov closed this Mar 1, 2016

@obiwankenobijohn obiwankenobijohn commented Mar 1, 2016

That's great to hear! Thank you ameshkov! :)

@obiwankenobijohn obiwankenobijohn commented Mar 5, 2016

Slight update: Upgraded today to newest insider build (build 14279), and it survived the upgrade still holding strong! 👍

Member

@ameshkov ameshkov commented Mar 6, 2016

Nice, thank you!
