ci: sync bundled winredirect drivers

Author: nekohasekai

.github/scripts/compare_signed_pe.py

@@ -0,0 +1,89 @@
+#!/usr/bin/env python3
+
+from __future__ import annotations
+
+import argparse
+import hashlib
+import sys
+from pathlib import Path
+
+
+class PEFormatError(ValueError):
+    pass
+
+
+def read_u16(data: bytes, offset: int) -> int:
+    return int.from_bytes(data[offset:offset + 2], "little")
+
+
+def read_u32(data: bytes, offset: int) -> int:
+    return int.from_bytes(data[offset:offset + 4], "little")
+
+
+def canonicalize_signed_pe(path: Path) -> bytes:
+    data = bytearray(path.read_bytes())
+    if len(data) < 0x40 or data[:2] != b"MZ":
+        raise PEFormatError(f"{path}: missing DOS header")
+
+    pe_offset = read_u32(data, 0x3C)
+    if pe_offset + 24 > len(data) or data[pe_offset:pe_offset + 4] != b"PE\x00\x00":
+        raise PEFormatError(f"{path}: missing PE header")
+
+    optional_offset = pe_offset + 24
+    magic = read_u16(data, optional_offset)
+    if magic == 0x10B:
+        data_directory_offset = optional_offset + 96
+    elif magic == 0x20B:
+        data_directory_offset = optional_offset + 112
+    else:
+        raise PEFormatError(f"{path}: unsupported optional header magic 0x{magic:04x}")
+
+    checksum_offset = optional_offset + 64
+    if checksum_offset + 4 > len(data):
+        raise PEFormatError(f"{path}: truncated optional header")
+    data[checksum_offset:checksum_offset + 4] = b"\x00" * 4
+
+    security_directory_offset = data_directory_offset + 8 * 4
+    if security_directory_offset + 8 > len(data):
+        raise PEFormatError(f"{path}: truncated data directories")
+
+    certificate_offset = read_u32(data, security_directory_offset)
+    certificate_size = read_u32(data, security_directory_offset + 4)
+    data[security_directory_offset:security_directory_offset + 8] = b"\x00" * 8
+
+    if certificate_offset == 0 or certificate_size == 0:
+        return bytes(data)
+
+    certificate_end = certificate_offset + certificate_size
+    if certificate_end > len(data):
+        raise PEFormatError(f"{path}: certificate table exceeds file size")
+
+    return bytes(data[:certificate_offset] + data[certificate_end:])
+
+
+def canonical_sha256(path: Path) -> str:
+    return hashlib.sha256(canonicalize_signed_pe(path)).hexdigest()
+
+
+def main() -> int:
+    parser = argparse.ArgumentParser(
+        description="Compare two PE files after stripping Authenticode-only differences.",
+    )
+    parser.add_argument("left", type=Path)
+    parser.add_argument("right", type=Path)
+    args = parser.parse_args()
+
+    try:
+        left_hash = canonical_sha256(args.left)
+        right_hash = canonical_sha256(args.right)
+    except (OSError, PEFormatError) as exc:
+        print(exc, file=sys.stderr)
+        return 2
+
+    print(f"{args.left}: {left_hash}")
+    print(f"{args.right}: {right_hash}")
+    return 0 if left_hash == right_hash else 1
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())

.github/workflows/winredirect-driver-sync.yml

@@ -0,0 +1,183 @@
+name: sync winredirect driver
+
+on:
+  pull_request:
+    branches:
+      - main
+      - dev
+    paths:
+      - '.github/scripts/compare_signed_pe.py'
+      - '.github/workflows/winredirect-driver-sync.yml'
+      - 'internal/winredirect/driver/**'
+
+permissions:
+  contents: write
+
+concurrency:
+  group: winredirect-driver-${{ github.event.pull_request.head.repo.full_name }}-${{ github.event.pull_request.head.ref }}
+  cancel-in-progress: true
+
+jobs:
+  sync:
+    name: Refresh bundled drivers
+    if: github.event.pull_request.head.repo.full_name == github.repository
+    runs-on: windows-2025
+    env:
+      REPO_DIR: C:\Users\sekai\Projects\sing-tun
+    steps:
+      - name: Checkout PR head
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.ref }}
+
+      - name: Install Windows SDK and WDK
+        shell: pwsh
+        run: |
+          $sdkHeader = 'C:\Program Files (x86)\Windows Kits\10\Include\10.0.26100.0\um\Windows.h'
+          $wdkHeader = 'C:\Program Files (x86)\Windows Kits\10\Include\10.0.26100.0\km\ntddk.h'
+
+          if (-not (Test-Path $sdkHeader)) {
+            winget install --source winget --exact --id Microsoft.WindowsSDK.10.0.26100 --accept-source-agreements --accept-package-agreements --disable-interactivity --log "$env:RUNNER_TEMP\sdk-install.log"
+            Write-Host "Windows SDK install exit code: $LASTEXITCODE"
+          }
+
+          if (-not (Test-Path $wdkHeader)) {
+            winget install --source winget --exact --id Microsoft.WindowsWDK.10.0.26100 --accept-source-agreements --accept-package-agreements --disable-interactivity --log "$env:RUNNER_TEMP\wdk-install.log"
+            Write-Host "WDK install exit code: $LASTEXITCODE"
+          }
+
+          if (-not (Test-Path $sdkHeader)) {
+            throw "Windows SDK header not found after installation: $sdkHeader"
+          }
+          if (-not (Test-Path $wdkHeader)) {
+            throw "WDK header not found after installation: $wdkHeader"
+          }
+
+      - name: Mirror repository to stable Windows path
+        shell: pwsh
+        run: |
+          if (Test-Path $env:REPO_DIR) {
+            Remove-Item -LiteralPath $env:REPO_DIR -Recurse -Force
+          }
+          New-Item -ItemType Directory -Path (Split-Path -Parent $env:REPO_DIR) -Force | Out-Null
+          robocopy $env:GITHUB_WORKSPACE $env:REPO_DIR /MIR /NFL /NDL /NJH /NJS /NP
+          $robocopyExitCode = $LASTEXITCODE
+          if ($robocopyExitCode -gt 7) {
+            throw "robocopy failed with exit code $robocopyExitCode"
+          }
+          Write-Host "robocopy completed with exit code $robocopyExitCode"
+          exit 0
+
+      - name: Build, verify reproducibility, and refresh tracked drivers
+        id: sync
+        shell: pwsh
+        working-directory: ${{ env.REPO_DIR }}
+        run: |
+          git config --global --add safe.directory $env:REPO_DIR
+
+          $vswhere = Join-Path ${env:ProgramFiles(x86)} 'Microsoft Visual Studio\Installer\vswhere.exe'
+          $msbuild = & $vswhere -latest -products * -requires Microsoft.Component.MSBuild -find 'MSBuild\**\Bin\MSBuild.exe' | Select-Object -First 1
+          if (-not $msbuild) {
+            throw 'MSBuild.exe not found'
+          }
+
+          $env:CL = '/Brepro'
+          $env:LINK = '/Brepro'
+          $artifactDir = Join-Path $env:RUNNER_TEMP 'winredirect-driver-sync'
+          $failureDir = Join-Path $artifactDir 'failure'
+          Remove-Item -LiteralPath $artifactDir -Recurse -Force -ErrorAction SilentlyContinue
+          New-Item -ItemType Directory -Path $artifactDir -Force | Out-Null
+
+          function Invoke-DriverBuild([string] $platform) {
+            Remove-Item -LiteralPath "internal/winredirect/driver/build/$platform" -Recurse -Force -ErrorAction SilentlyContinue
+            Remove-Item -LiteralPath "internal/winredirect/driver/intermediate/$platform" -Recurse -Force -ErrorAction SilentlyContinue
+            & $msbuild 'internal/winredirect/driver/winredirect.vcxproj' '/t:Rebuild' '/p:Configuration=Release' "/p:Platform=$platform" '/p:SpectreMitigation=false' '/v:minimal'
+            if ($LASTEXITCODE -ne 0) {
+              throw "MSBuild failed for $platform with exit code $LASTEXITCODE"
+            }
+          }
+
+          $targets = @(
+            @{ platform = 'x64'; repo = 'internal/winredirect/amd64/winredirect.sys' },
+            @{ platform = 'ARM64'; repo = 'internal/winredirect/arm64/winredirect.sys' }
+          )
+
+          Write-Host 'ARM and x86 are intentionally skipped here: WDK 10.0.26100 on GitHub-hosted CI does not support them.'
+
+          $changed = $false
+          foreach ($target in $targets) {
+            $platform = $target.platform
+            $tracked = $target.repo
+            $buildOutput = "internal/winredirect/driver/build/$platform/Release/winredirect.sys"
+            $run1 = Join-Path $artifactDir "$platform-run1.sys"
+            $run2 = Join-Path $artifactDir "$platform-run2.sys"
+
+            Invoke-DriverBuild $platform
+            Copy-Item -LiteralPath $buildOutput -Destination $run1 -Force
+
+            Invoke-DriverBuild $platform
+            Copy-Item -LiteralPath $buildOutput -Destination $run2 -Force
+
+            & python '.github/scripts/compare_signed_pe.py' $run1 $run2
+            switch ($LASTEXITCODE) {
+              0 {
+                Write-Host "$platform reproduced after stripping Authenticode data."
+              }
+              1 {
+                New-Item -ItemType Directory -Path $failureDir -Force | Out-Null
+                Copy-Item -LiteralPath $run1 -Destination (Join-Path $failureDir "$platform-run1.sys") -Force
+                Copy-Item -LiteralPath $run2 -Destination (Join-Path $failureDir "$platform-run2.sys") -Force
+                throw "$platform build is not reproducible beyond signing metadata."
+              }
+              default {
+                throw "reproducibility comparison failed for $platform with exit code $LASTEXITCODE"
+              }
+            }
+
+            & python '.github/scripts/compare_signed_pe.py' $run2 $tracked
+            switch ($LASTEXITCODE) {
+              0 {
+                Write-Host "$platform matches the tracked driver after stripping Authenticode data."
+              }
+              1 {
+                Write-Host "$platform differs beyond signing metadata; replacing tracked driver."
+                Copy-Item -LiteralPath $run2 -Destination $tracked -Force
+                git add -- $tracked
+                $changed = $true
+              }
+              default {
+                throw "comparison failed for $platform with exit code $LASTEXITCODE"
+              }
+            }
+          }
+
+          if ($changed) {
+            "changed=true" | Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8 -Append
+          } else {
+            "changed=false" | Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8 -Append
+          }
+
+      - name: Upload failed reproducibility artifacts
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: winredirect-repro-failure-${{ github.run_id }}-${{ github.run_attempt }}
+          path: ${{ runner.temp }}\winredirect-driver-sync\failure\*.sys
+          if-no-files-found: warn
+
+      - name: Commit and push refreshed drivers
+        if: steps.sync.outputs.changed == 'true'
+        shell: pwsh
+        working-directory: ${{ env.REPO_DIR }}
+        run: |
+          git config user.name 'github-actions[bot]'
+          git config user.email '41898282+github-actions[bot]@users.noreply.github.com'
+
+          git diff --cached --quiet
+          if ($LASTEXITCODE -eq 0) {
+            exit 0
+          }
+
+          git commit -m 'winredirect: update bundled drivers'
+          git push origin "HEAD:${{ github.event.pull_request.head.ref }}"

internal/winredirect/amd64/winredirect.sys

@@ -439,8 +439,9 @@ void EvtIoDeviceControl(
         if (NT_SUCCESS(status)) {
             WINREDIRECT_CONFIG* config = (WINREDIRECT_CONFIG*)inBuf;
             NET_LUID tunLuid = {0};
+            const GUID nullGuid = {0};
             KIRQL oldIrql;
-            if (config->RedirectPort == 0 || config->ProxyPID == 0 || InlineIsEqualGUID(&GUID_NULL, &config->TunGuid)) {
+            if (config->RedirectPort == 0 || config->ProxyPID == 0 || InlineIsEqualGUID(&nullGuid, &config->TunGuid)) {
                 status = STATUS_INVALID_PARAMETER;
             } else {
                 status = ConvertInterfaceGuidToLuid(&config->TunGuid, &tunLuid);

internal/winredirect/arm64/winredirect.sys

@@ -79,6 +79,7 @@
     </ClCompile>
     <Link>
       <AdditionalDependencies>Fwpkclnt.lib;$(DDK_LIB_PATH)netio.lib;$(DDK_LIB_PATH)wdmsec.lib;$(KernelBufferOverflowLib);$(DDK_LIB_PATH)ntoskrnl.lib;$(DDK_LIB_PATH)hal.lib;$(DDK_LIB_PATH)wmilib.lib;$(KMDF_LIB_PATH)$(KMDF_VER_PATH)\WdfLdr.lib;$(KMDF_LIB_PATH)$(KMDF_VER_PATH)\WdfDriverEntry.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
     </Link>
     <Inf>
       <Inf2CatUseLocalTime>true</Inf2CatUseLocalTime>