extended the GNUNET_OS_check_helper_binary parameters to do previlege

checking in windows. To do so, tested binaries must still be supplied 
with valid commandline arguments, but on windows gnunet will utilize the 
-d flag to run the programs initialization phase or privileged 
operations only. In these modes, a program will not enter its mainloop 
or communicate with the outside.

updated relevant function calls gnunet-wide to meet the extended 
function parameters.

  

20 files changed, 252 insertions, 176 deletions

diff --git a/src/dns/gnunet-service-dns.c b/src/dns/gnunet-service-dns.c
index d1689f4d2..a2d5354de 100644
--- a/src/dns/gnunet-service-dns.c
+++ b/src/dns/gnunet-service-dns.c
@@ -1043,7 +1043,7 @@ run (void *cls, struct GNUNET_SERVER_Handle *server,
   cfg = cfg_;
   binary = GNUNET_OS_get_libexec_binary_path ("gnunet-helper-dns");
   if (GNUNET_YES !=
-      GNUNET_OS_check_helper_binary (binary))
+      GNUNET_OS_check_helper_binary (binary, TRUE, NULL))
   {
     GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
                 _("`%s' must be installed SUID, refusing to run\n"),
diff --git a/src/exit/gnunet-daemon-exit.c b/src/exit/gnunet-daemon-exit.c
index 877630fa8..2c5bb1ecd 100644
--- a/src/exit/gnunet-daemon-exit.c
+++ b/src/exit/gnunet-daemon-exit.c
@@ -3344,7 +3344,7 @@ run (void *cls, char *const *args GNUNET_UNUSED,
   {
     binary = GNUNET_OS_get_libexec_binary_path ("gnunet-helper-exit");
     if (GNUNET_YES !=
-        GNUNET_OS_check_helper_binary (binary))
+        GNUNET_OS_check_helper_binary (binary, TRUE, NULL)) // FIXME: CF: add test-parameters
     {
       GNUNET_free (binary);
       GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
diff --git a/src/exit/gnunet-helper-exit-windows.c b/src/exit/gnunet-helper-exit-windows.c
index e6ade4ba3..dd6237bc6 100644
--- a/src/exit/gnunet-helper-exit-windows.c
+++ b/src/exit/gnunet-helper-exit-windows.c
@@ -63,9 +63,9 @@
 #endif
 
 /**
- * Will this binary be run in dryrun-mode? 
+ * Will this binary be run in permissions testing mode? 
  */
-static BOOL dryrun = FALSE;
+static boolean privilege_testing = FALSE;
 
 /**
  * Maximum size of a GNUnet message (GNUNET_SERVER_MAX_MESSAGE_SIZE)
@@ -1357,9 +1357,9 @@ run (HANDLE tap_handle)
    * DHCP and such are all features we will never use in gnunet afaik.
    * But for openvpn those are essential.
    */
-  if (! tun_up (tap_handle))
-    return;
-
+  if ((privilege_testing) || (! tun_up (tap_handle) ))
+    goto teardown_final;
+    
   /* Initialize our overlapped IO structures*/
   if (! (initialize_io_facility (&tap_read, IOSTATE_READY, FALSE)
         && initialize_io_facility (&tap_write, IOSTATE_WAITING, TRUE)
@@ -1412,8 +1412,6 @@ run (HANDLE tap_handle)
       goto teardown;
     }
 #endif
-  if (dryrun)
-    goto teardown;
   
   fprintf (stderr, "DEBUG: mainloop has begun\n");
   
@@ -1471,11 +1469,12 @@ main (int argc, char **argv)
   BOOL have_nat44 = FALSE;
   
   if ( (1 < argc) && (0 != strcmp (argv[1], "-d"))){
-      dryrun = TRUE;
-      fprintf (stderr, "DEBUG: Running binary in dryrun mode.", argv[0]);
+      privilege_testing = TRUE;
+      fprintf (stderr, "DEBUG: Running binary in privilege testing mode.", argv[0]);
       argv++;
       argc--;
     }
+  
   if (6 != argc)
     {
       fprintf (stderr, "FATAL: must supply 6 arguments\nUsage:\ngnunet-helper-exit [-d] <if name prefix> <uplink-interface name> <address6 or \"-\"> <netbits6> <address4 or \"-\"> <netmask4>\n", argv[0]);
diff --git a/src/gns/test_gns_proxy.c b/src/gns/test_gns_proxy.c
index 1b904cec9..68830ca7f 100644
--- a/src/gns/test_gns_proxy.c
+++ b/src/gns/test_gns_proxy.c
@@ -446,13 +446,13 @@ main (int argc, char *const *argv)
 {
   char *binary;
 
-  if (GNUNET_SYSERR == GNUNET_OS_check_helper_binary ("gnunet-gns-proxy"))
+  if (GNUNET_SYSERR == GNUNET_OS_check_helper_binary ("gnunet-gns-proxy", FALSE, NULL))
   {
     fprintf (stderr, "Proxy binary not in PATH... skipping!\n");
     return 0;
   }
   binary = GNUNET_OS_get_libexec_binary_path ("gnunet-helper-dns");
-  if (GNUNET_YES != GNUNET_OS_check_helper_binary (binary))
+  if (GNUNET_YES != GNUNET_OS_check_helper_binary (binary, TRUE, NULL))
   {
     fprintf (stderr, "DNS helper binary has wrong permissions... skipping!\n");
     GNUNET_free (binary);
diff --git a/src/include/gnunet_os_lib.h b/src/include/gnunet_os_lib.h
index e4bbab8a9..425c565ba 100644
--- a/src/include/gnunet_os_lib.h
+++ b/src/include/gnunet_os_lib.h
@@ -483,13 +483,19 @@ GNUNET_OS_install_parent_control_handler (void *cls,
  * Attempts to find the file using the current
  * PATH environment variable as a search path.
  *
- * @param binary the name of the file to check
- * @return GNUNET_YES if the file is SUID,
- *         GNUNET_NO if not SUID (but binary exists)
+ * @param binary the name of the file to check.
+ *        W32: must not have an .exe suffix.
+ * @param check_suid input true if the binary should be checked for SUID (*nix)
+ *        W32: checks if the program has sufficient privileges by executing this
+ *             binary with the -d flag. -d omits a programs main loop and only
+ *             executes all privileged operations in an binary.
+ * @param params parameters used for w32 privilege checking (can be NULL for != w32, or when not checking for suid/permissions )
+ * @return GNUNET_YES if the file is SUID (*nix) or can be executed with current privileges (W32),
+ *         GNUNET_NO if not SUID (but binary exists),
  *         GNUNET_SYSERR on error (no such binary or not executable)
  */
-int
-GNUNET_OS_check_helper_binary (const char *binary);
+int 
+GNUNET_OS_check_helper_binary (const char *binary, const boolean check_suid, const char * params);
 
 
 #if 0                           /* keep Emacsens' auto-indent happy */
diff --git a/src/nat/Makefile.am b/src/nat/Makefile.am
index 1b57ab63e..e27611ba9 100644
--- a/src/nat/Makefile.am
+++ b/src/nat/Makefile.am
@@ -15,9 +15,9 @@ dist_pkgcfg_DATA = \
   nat.conf
 
 if LINUX
-NATBIN = gnunet-helper-nat-server gnunet-helper-nat-client
-NATSERVER = gnunet-helper-nat-server.c
-NATCLIENT = gnunet-helper-nat-client.c
+  NATBIN = gnunet-helper-nat-server gnunet-helper-nat-client
+  NATSERVER = gnunet-helper-nat-server.c
+  NATCLIENT = gnunet-helper-nat-client.c
 install-exec-hook:
         $(top_srcdir)/src/nat/install-nat-helper.sh $(libexecdir) $(SUDO_BINARY) || true
 else
diff --git a/src/nat/gnunet-helper-nat-client-windows.c b/src/nat/gnunet-helper-nat-client-windows.c
index 47fbc0b86..b28b28584 100644
--- a/src/nat/gnunet-helper-nat-client-windows.c
+++ b/src/nat/gnunet-helper-nat-client-windows.c
@@ -167,6 +167,10 @@ struct udp_header
   uint16_t crc;
 };
 
+/**
+ * Will this binary be run in permissions testing mode? 
+ */
+static boolean privilege_testing = FALSE;
 
 /**
  * Socket we use to send our ICMP packets.
@@ -463,8 +467,14 @@ main (int argc, char *const *argv)
   struct in_addr external;
   struct in_addr target;
   WSADATA wsaData;
-
   unsigned int p;
+  
+  if (argc > 1 && 0 != strcmp (argv[1], "-d")){
+      privilege_testing = TRUE;
+      fprintf (stderr, "DEBUG: Running binary in privilege testing mode.", argv[0]);
+      argv++;
+      argc--;
+    }
 
   if (argc != 4)
   {
@@ -497,9 +507,11 @@ main (int argc, char *const *argv)
   }
   if (-1 == (rawsock = make_raw_socket ()))
     return 3;
-  send_icmp (&external, &target);
-  send_icmp_udp (&external, &target);
-  closesocket (rawsock);
+  if (!privilege_testing){
+    send_icmp (&external, &target);
+    send_icmp_udp (&external, &target);
+  }
+  closesocket (rawsock); 
   WSACleanup ();
   return 0;
 }
diff --git a/src/nat/gnunet-helper-nat-server-windows.c b/src/nat/gnunet-helper-nat-server-windows.c
index d970ffd70..fb564a188 100644
--- a/src/nat/gnunet-helper-nat-server-windows.c
+++ b/src/nat/gnunet-helper-nat-server-windows.c
@@ -188,6 +188,11 @@ struct udp_header
 };
 
 /**
+ * Will this binary be run in permissions testing mode? 
+ */
+static boolean privilege_testing = FALSE;
+
+/**
  * Socket we use to receive "fake" ICMP replies.
  */
 static SOCKET icmpsock;
@@ -526,9 +531,15 @@ main (int argc, char *const *argv)
   fd_set rs;
   struct timeval tv;
   WSADATA wsaData;
-  unsigned int alt;
+  unsigned int alt = 0;
 
-  alt = 0;
+  if (argc > 1 && 0 != strcmp (argv[1], "-d")){
+      privilege_testing = TRUE;
+      fprintf (stderr, "DEBUG: Running binary in privilege testing mode.", argv[0]);
+      argv++;
+      argc--;
+    }
+  
   if (2 != argc)
   {
     fprintf (stderr,
@@ -566,7 +577,8 @@ main (int argc, char *const *argv)
     closesocket (rawsock);
     return 3;
   }
-  while (1)
+
+  while ( ! privilege_testing)
   {
     FD_ZERO (&rs);
     FD_SET (icmpsock, &rs);
@@ -591,6 +603,8 @@ main (int argc, char *const *argv)
   closesocket (rawsock);
   closesocket (udpsock);
   WSACleanup ();
+  if (privilege_testing)
+    return 0;
   return 4;
 }
 
diff --git a/src/nat/nat.c b/src/nat/nat.c
index dd63224c0..fd9d5eaa0 100644
--- a/src/nat/nat.c
+++ b/src/nat/nat.c
@@ -1171,7 +1171,7 @@ GNUNET_NAT_register (const struct GNUNET_CONFIGURATION_Handle *cfg, int is_tcp,
   binary = GNUNET_OS_get_libexec_binary_path ("gnunet-helper-nat-server");
   if ((h->behind_nat == GNUNET_YES) && (GNUNET_YES == h->enable_nat_server) &&
       (GNUNET_YES !=
-       GNUNET_OS_check_helper_binary (binary)))
+       GNUNET_OS_check_helper_binary (binary, TRUE, NULL))) // FIXME: CF: add test-parameters
   {
     h->enable_nat_server = GNUNET_NO;
     LOG (GNUNET_ERROR_TYPE_WARNING,
@@ -1183,7 +1183,7 @@ GNUNET_NAT_register (const struct GNUNET_CONFIGURATION_Handle *cfg, int is_tcp,
   binary = GNUNET_OS_get_libexec_binary_path ("gnunet-helper-nat-client");
   if ((GNUNET_YES == h->enable_nat_client) &&
       (GNUNET_YES !=
-       GNUNET_OS_check_helper_binary (binary)))
+       GNUNET_OS_check_helper_binary (binary, TRUE, NULL))) // FIXME: CF: add test-parameters
   {
     h->enable_nat_client = GNUNET_NO;
     LOG (GNUNET_ERROR_TYPE_WARNING,
diff --git a/src/nat/nat_auto.c b/src/nat/nat_auto.c
index baa1cc78d..f382a9ac6 100644
--- a/src/nat/nat_auto.c
+++ b/src/nat/nat_auto.c
@@ -392,7 +392,7 @@ test_upnpc (struct GNUNET_NAT_AutoHandle *ah)
 
   /* test if upnpc is available */
   have_upnpc = (GNUNET_SYSERR !=
-                GNUNET_OS_check_helper_binary ("upnpc"));
+                GNUNET_OS_check_helper_binary ("upnpc", FALSE, NULL));
   /* FIXME: test if upnpc is actually working, that is, if transports
      start to work once we use UPnP */
   GNUNET_log (GNUNET_ERROR_TYPE_INFO,
@@ -426,7 +426,7 @@ test_icmp_server (struct GNUNET_NAT_AutoHandle *ah)
        (GNUNET_YES ==
         GNUNET_CONFIGURATION_get_value_yesno (ah->cfg, "nat", "BEHIND_NAT")) &&
        (GNUNET_YES ==
-        GNUNET_OS_check_helper_binary (binary)));
+        GNUNET_OS_check_helper_binary (binary, TRUE, NULL))); // FIXME: CF: add test-parameters
   GNUNET_free_non_null (tmp);
   GNUNET_free (binary);
   GNUNET_log (GNUNET_ERROR_TYPE_INFO,
@@ -461,7 +461,7 @@ test_icmp_client (struct GNUNET_NAT_AutoHandle *ah)
        (GNUNET_YES !=
         GNUNET_CONFIGURATION_get_value_yesno (ah->cfg, "nat", "BEHIND_NAT")) &&
        (GNUNET_YES ==
-        GNUNET_OS_check_helper_binary (binary)));
+        GNUNET_OS_check_helper_binary (binary, TRUE, NULL))); // FIXME: CF: add test-parameters
   GNUNET_free_non_null (tmp);
   GNUNET_free (binary);
   GNUNET_log (GNUNET_ERROR_TYPE_INFO,
diff --git a/src/nat/nat_mini.c b/src/nat/nat_mini.c
index fbb6e769a..29b26ee28 100644
--- a/src/nat/nat_mini.c
+++ b/src/nat/nat_mini.c
@@ -164,7 +164,7 @@ GNUNET_NAT_mini_get_external_ipv4 (struct GNUNET_TIME_Relative timeout,
 {
   struct GNUNET_NAT_ExternalHandle *eh;
 
-  if (GNUNET_SYSERR == GNUNET_OS_check_helper_binary ("external-ip"))
+  if (GNUNET_SYSERR == GNUNET_OS_check_helper_binary ("external-ip", FALSE, NULL))
   {
     LOG (GNUNET_ERROR_TYPE_INFO,
          _("`external-ip' command not found\n"));
@@ -499,7 +499,7 @@ GNUNET_NAT_mini_map_start (uint16_t port, int is_tcp,
   struct GNUNET_NAT_MiniHandle *ret;
   char pstr[6];
 
-  if (GNUNET_SYSERR == GNUNET_OS_check_helper_binary ("upnpc"))
+  if (GNUNET_SYSERR == GNUNET_OS_check_helper_binary ("upnpc", FALSE, NULL))
   {
     LOG (GNUNET_ERROR_TYPE_INFO,
          _("`upnpc' command not found\n"));
diff --git a/src/nat/test_nat_test.c b/src/nat/test_nat_test.c
index c213ffa1e..7d4964b5c 100644
--- a/src/nat/test_nat_test.c
+++ b/src/nat/test_nat_test.c
@@ -92,7 +92,7 @@ main (int argc, char *const argv[])
                     "WARNING",
                     NULL);
 
-  nat_res = GNUNET_OS_check_helper_binary ("gnunet-nat-server");
+  nat_res = GNUNET_OS_check_helper_binary ("gnunet-nat-server", FALSE, NULL);
   if (GNUNET_SYSERR == nat_res)
   {
     GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
diff --git a/src/pt/Makefile.am b/src/pt/Makefile.am
index b9a8e497c..ed7892fe0 100644
--- a/src/pt/Makefile.am
+++ b/src/pt/Makefile.am
@@ -1,102 +1,109 @@
-INCLUDES = -I$(top_srcdir)/src/include
-
-if MINGW
-  WINFLAGS = -Wl,--no-undefined -Wl,--export-all-symbols
-endif
-
-if USE_COVERAGE
-  AM_CFLAGS = --coverage -O0
-endif
-
-pkgcfgdir= $(pkgdatadir)/config.d/
-
-libexecdir= $(pkglibdir)/libexec/
-
-plugindir = $(libdir)/gnunet
-
-dist_pkgcfg_DATA = \
-  pt.conf
-
-libexec_PROGRAMS = \
-  gnunet-daemon-pt 
-
-gnunet_daemon_pt_SOURCES = \
- gnunet-daemon-pt.c 
-gnunet_daemon_pt_LDADD = \
-  $(top_builddir)/src/vpn/libgnunetvpn.la \
-  $(top_builddir)/src/mesh/libgnunetmesh.la \
-  $(top_builddir)/src/dns/libgnunetdns.la \
-  $(top_builddir)/src/dns/libgnunetdnsparser.la \
-  $(top_builddir)/src/statistics/libgnunetstatistics.la \
-  $(top_builddir)/src/util/libgnunetutil.la \
-  $(top_builddir)/src/mesh/libgnunetmesh.la \
-  $(GN_LIBINTL)
-
-if HAVE_MHD
-if LINUX
- VPN_TEST = \
- test_gnunet_vpn-4_to_6 \
- test_gnunet_vpn-6_to_4 \
- test_gnunet_vpn-6_over \
- test_gnunet_vpn-4_over \
- test_gns_vpn
-endif
-endif
-
-check_PROGRAMS = $(VPN_TEST)
-
-if ENABLE_TEST_RUN
-TESTS = $(check_PROGRAMS)
-endif
-
-EXTRA_DIST = \
- test_gnunet_vpn.conf \
- test_gns_vpn.conf
-
-
-
-test_gns_vpn_SOURCES = \
- test_gns_vpn.c
-test_gns_vpn_LDADD = -lmicrohttpd @LIBCURL@ \
- $(top_builddir)/src/namestore/libgnunetnamestore.la \
- $(top_builddir)/src/testing/libgnunettesting.la \
- $(top_builddir)/src/util/libgnunetutil.la
-test_gns_vpn_CPPFLAGS = \
- @LIBCURL_CPPFLAGS@
-
-test_gnunet_vpn_4_over_SOURCES = \
- test_gnunet_vpn.c
-test_gnunet_vpn_4_over_LDADD = -lmicrohttpd @LIBCURL@ \
- $(top_builddir)/src/vpn/libgnunetvpn.la \
- $(top_builddir)/src/testing/libgnunettesting.la \
- $(top_builddir)/src/util/libgnunetutil.la 
-test_gnunet_vpn_4_over_CPPFLAGS = \
- @LIBCURL_CPPFLAGS@
-
-test_gnunet_vpn_6_over_SOURCES = \
- test_gnunet_vpn.c
-test_gnunet_vpn_6_over_LDADD = -lmicrohttpd @LIBCURL@ \
- $(top_builddir)/src/vpn/libgnunetvpn.la \
- $(top_builddir)/src/testing/libgnunettesting.la \
- $(top_builddir)/src/util/libgnunetutil.la 
-test_gnunet_vpn_6_over_CPPFLAGS = \
- @LIBCURL_CPPFLAGS@
-
-test_gnunet_vpn_4_to_6_SOURCES = \
- test_gnunet_vpn.c
-test_gnunet_vpn_4_to_6_LDADD = -lmicrohttpd @LIBCURL@ \
- $(top_builddir)/src/vpn/libgnunetvpn.la \
- $(top_builddir)/src/testing/libgnunettesting.la \
- $(top_builddir)/src/util/libgnunetutil.la 
-test_gnunet_vpn_4_to_6_CPPFLAGS = \
- @LIBCURL_CPPFLAGS@
-
-test_gnunet_vpn_6_to_4_SOURCES = \
- test_gnunet_vpn.c
-test_gnunet_vpn_6_to_4_LDADD = -lmicrohttpd @LIBCURL@ \
- $(top_builddir)/src/vpn/libgnunetvpn.la \
- $(top_builddir)/src/testing/libgnunettesting.la \
- $(top_builddir)/src/util/libgnunetutil.la 
-test_gnunet_vpn_6_to_4_CPPFLAGS = \
- @LIBCURL_CPPFLAGS@
-
+INCLUDES = -I$(top_srcdir)/src/include

+

+if MINGW

+  WINFLAGS = -Wl,--no-undefined -Wl,--export-all-symbols

+endif

+

+if USE_COVERAGE

+  AM_CFLAGS = --coverage -O0

+endif

+

+pkgcfgdir= $(pkgdatadir)/config.d/

+

+libexecdir= $(pkglibdir)/libexec/

+

+plugindir = $(libdir)/gnunet

+

+dist_pkgcfg_DATA = \

+  pt.conf

+

+libexec_PROGRAMS = \

+  gnunet-daemon-pt 

+

+gnunet_daemon_pt_SOURCES = \

+ gnunet-daemon-pt.c 

+gnunet_daemon_pt_LDADD = \

+  $(top_builddir)/src/vpn/libgnunetvpn.la \

+  $(top_builddir)/src/mesh/libgnunetmesh.la \

+  $(top_builddir)/src/dns/libgnunetdns.la \

+  $(top_builddir)/src/dns/libgnunetdnsparser.la \

+  $(top_builddir)/src/statistics/libgnunetstatistics.la \

+  $(top_builddir)/src/util/libgnunetutil.la \

+  $(top_builddir)/src/mesh/libgnunetmesh.la \

+  $(GN_LIBINTL)

+

+if HAVE_MHD

+if LINUX

+ VPN_TEST = \

+ test_gnunet_vpn-4_to_6 \

+ test_gnunet_vpn-6_to_4 \

+ test_gnunet_vpn-6_over \

+ test_gnunet_vpn-4_over \

+ test_gns_vpn

+endif

+if MINGW

+ VPN_TEST = \

+ test_gnunet_vpn-4_to_6 \

+ test_gnunet_vpn-6_to_4 \

+ test_gnunet_vpn-6_over \

+ test_gnunet_vpn-4_over 

+endif

+endif

+

+check_PROGRAMS = $(VPN_TEST)

+

+if ENABLE_TEST_RUN

+TESTS = $(check_PROGRAMS)

+endif

+

+EXTRA_DIST = \

+ test_gnunet_vpn.conf \

+ test_gns_vpn.conf

+

+

+

+test_gns_vpn_SOURCES = \

+ test_gns_vpn.c

+test_gns_vpn_LDADD = -lmicrohttpd @LIBCURL@ \

+ $(top_builddir)/src/namestore/libgnunetnamestore.la \

+ $(top_builddir)/src/testing/libgnunettesting.la \

+ $(top_builddir)/src/util/libgnunetutil.la

+test_gns_vpn_CPPFLAGS = \

+ @LIBCURL_CPPFLAGS@

+

+test_gnunet_vpn_4_over_SOURCES = \

+ test_gnunet_vpn.c

+test_gnunet_vpn_4_over_LDADD = -lmicrohttpd @LIBCURL@ \

+ $(top_builddir)/src/vpn/libgnunetvpn.la \

+ $(top_builddir)/src/testing/libgnunettesting.la \

+ $(top_builddir)/src/util/libgnunetutil.la 

+test_gnunet_vpn_4_over_CPPFLAGS = \

+ @LIBCURL_CPPFLAGS@

+

+test_gnunet_vpn_6_over_SOURCES = \

+ test_gnunet_vpn.c

+test_gnunet_vpn_6_over_LDADD = -lmicrohttpd @LIBCURL@ \

+ $(top_builddir)/src/vpn/libgnunetvpn.la \

+ $(top_builddir)/src/testing/libgnunettesting.la \

+ $(top_builddir)/src/util/libgnunetutil.la 

+test_gnunet_vpn_6_over_CPPFLAGS = \

+ @LIBCURL_CPPFLAGS@

+

+test_gnunet_vpn_4_to_6_SOURCES = \

+ test_gnunet_vpn.c

+test_gnunet_vpn_4_to_6_LDADD = -lmicrohttpd @LIBCURL@ \

+ $(top_builddir)/src/vpn/libgnunetvpn.la \

+ $(top_builddir)/src/testing/libgnunettesting.la \

+ $(top_builddir)/src/util/libgnunetutil.la 

+test_gnunet_vpn_4_to_6_CPPFLAGS = \

+ @LIBCURL_CPPFLAGS@

+

+test_gnunet_vpn_6_to_4_SOURCES = \

+ test_gnunet_vpn.c

+test_gnunet_vpn_6_to_4_LDADD = -lmicrohttpd @LIBCURL@ \

+ $(top_builddir)/src/vpn/libgnunetvpn.la \

+ $(top_builddir)/src/testing/libgnunettesting.la \

+ $(top_builddir)/src/util/libgnunetutil.la 

+test_gnunet_vpn_6_to_4_CPPFLAGS = \

+ @LIBCURL_CPPFLAGS@

+

diff --git a/src/pt/test_gns_vpn.c b/src/pt/test_gns_vpn.c
index 6fe1e63a2..0ae875d0f 100644
--- a/src/pt/test_gns_vpn.c
+++ b/src/pt/test_gns_vpn.c
@@ -543,11 +543,11 @@ main (int argc, char *const *argv)
   bin_dns = GNUNET_OS_get_libexec_binary_path ("gnunet-helper-dns");
   if ( (0 != geteuid ()) &&
        ( (GNUNET_YES !=
-          GNUNET_OS_check_helper_binary (bin_vpn)) ||
+          GNUNET_OS_check_helper_binary (bin_vpn, TRUE, NULL)) ||
          (GNUNET_YES !=
-          GNUNET_OS_check_helper_binary (bin_exit)) ||
+          GNUNET_OS_check_helper_binary (bin_exit, TRUE, NULL)) ||
          (GNUNET_YES !=
-          GNUNET_OS_check_helper_binary (bin_dns))) )
+          GNUNET_OS_check_helper_binary (bin_dns, TRUE, NULL))) )
   {    
     fprintf (stderr,
              "WARNING: gnunet-helper-{exit,vpn,dns} binaries in $PATH are not SUID, refusing to run test (as it would have to fail).\n");
diff --git a/src/pt/test_gnunet_vpn.c b/src/pt/test_gnunet_vpn.c
index c50837459..b6e8980c9 100644
--- a/src/pt/test_gnunet_vpn.c
+++ b/src/pt/test_gnunet_vpn.c
@@ -414,8 +414,8 @@ main (int argc, char *const *argv)
   exit_binary = GNUNET_OS_get_libexec_binary_path ("gnunet-helper-exit.exe");

   fprintf (stderr,"%s\n", vpn_binary);

   fprintf (stderr,"%s\n", exit_binary);

-  if ((GNUNET_YES != (ret = GNUNET_OS_check_helper_binary (vpn_binary))) ||

-      (GNUNET_YES != (ret = GNUNET_OS_check_helper_binary (exit_binary))))

+  if ((GNUNET_YES != (ret = GNUNET_OS_check_helper_binary (vpn_binary, TRUE, NULL))) || // FIXME: CF: add test-parameters

+      (GNUNET_YES != (ret = GNUNET_OS_check_helper_binary (exit_binary, TRUE, NULL)))) // FIXME: CF: add test-parameters

   {

     GNUNET_free (vpn_binary);

     GNUNET_free (exit_binary);

diff --git a/src/transport/plugin_transport_wlan.c b/src/transport/plugin_transport_wlan.c
index 9e2a0ff77..29070560e 100644
--- a/src/transport/plugin_transport_wlan.c
+++ b/src/transport/plugin_transport_wlan.c
@@ -1739,7 +1739,7 @@ libgnunet_plugin_transport_wlan_init (void *cls)
   }
   binary = GNUNET_OS_get_libexec_binary_path ("gnunet-helper-transport-wlan");
   if ( (0 == testmode) &&
-       (GNUNET_YES != GNUNET_OS_check_helper_binary (binary)) )
+       (GNUNET_YES != GNUNET_OS_check_helper_binary (binary, TRUE, NULL)) )
   {
     LOG (GNUNET_ERROR_TYPE_ERROR,
          _("Helper binary `%s' not SUID, cannot run WLAN transport\n"),
diff --git a/src/util/os_installation.c b/src/util/os_installation.c
index b63a19d2e..8445fd1cc 100644
--- a/src/util/os_installation.c
+++ b/src/util/os_installation.c
@@ -654,12 +654,17 @@ GNUNET_OS_get_libexec_binary_path (const char *progname)
  *
  * @param binary the name of the file to check.
  *        W32: must not have an .exe suffix.
- * @return GNUNET_YES if the file is SUID,
- *         GNUNET_NO if not SUID (but binary exists)
+ * @param check_suid input true if the binary should be checked for SUID (*nix)
+ *        W32: checks if the program has sufficient privileges by executing this
+ *             binary with the -d flag. -d omits a programs main loop and only
+ *             executes all privileged operations in an binary.
+ * @param params parameters used for w32 privilege checking (can be NULL for != w32 )
+ * @return GNUNET_YES if the file is SUID (*nix) or can be executed with current privileges (W32),
+ *         GNUNET_NO if not SUID (but binary exists),
  *         GNUNET_SYSERR on error (no such binary or not executable)
  */
 int
-GNUNET_OS_check_helper_binary (const char *binary)
+GNUNET_OS_check_helper_binary (const char *binary, const boolean check_suid, const char *params)
 {
   struct stat statbuf;
   char *p;
@@ -725,24 +730,62 @@ GNUNET_OS_check_helper_binary (const char *binary)
     GNUNET_free (p);
     return GNUNET_SYSERR;
   }
+  if (check_suid){
 #ifndef MINGW
-  if ((0 != (statbuf.st_mode & S_ISUID)) && (0 == statbuf.st_uid))
-  {
-    GNUNET_free (p);
-    return GNUNET_YES;
-  }
-  /* binary exists, but not SUID */
+    if ((0 != (statbuf.st_mode & S_ISUID)) && (0 == statbuf.st_uid))
+    {
+      GNUNET_free (p);
+      return GNUNET_YES;
+    }
+    /* binary exists, but not SUID */
 #else
-  return GNUNET_YES;
-  /* FIXME: 
-   * no suid for windows possible!
-   * permissions-checking is too specific(as in non-portable)
-   * user/group checking is pointless (users/applications can drop privileges)
-   * using token checking for elevated permissions would limit gnunet
-   * to run only on winserver 2008 and 2012!
-   * 
-   * thus, ad add "dryrun" checking */
+    STARTUPINFO start;
+    char parameters[512];
+    PROCESS_INFORMATION proc;
+    DWORD exit_value;
+    
+    GNUNET_snprintf (&parameters, 512, "-d %s", params);
+    memset (&start, 0, sizeof (start));
+    start.cb = sizeof (start);
+    memset (&proc, 0, sizeof (proc));
+
+            
+    // Start the child process. 
+    if ( ! (CreateProcess( p,   // current windows (2k3 and up can handle / instead of \ in paths))
+        parameters,           // execute dryrun/priviliege checking mode
+        NULL,           // Process handle not inheritable
+        NULL,           // Thread handle not inheritable
+        FALSE,          // Set handle inheritance to FALSE
+        CREATE_DEFAULT_ERROR_MODE, // No creation flags
+        NULL,           // Use parent's environment block
+        NULL,           // Use parent's starting directory 
+        &start,            // Pointer to STARTUPINFO structure
+        &proc )           // Pointer to PROCESS_INFORMATION structure
+                               )) 
+      {
+        LOG (GNUNET_ERROR_TYPE_ERROR, 
+             _("CreateProcess failed for binary %s (%d).\n"),
+             p, GetLastError());
+        return GNUNET_SYSERR;
+    }
+
+    // Wait until child process exits.
+    WaitForSingleObject( proc.hProcess, INFINITE );
+    
+    if ( ! GetExitCodeProcess (proc.hProcess, &exit_value)){
+        LOG (GNUNET_ERROR_TYPE_ERROR, 
+             _("GetExitCodeProcess failed for binary %s (%d).\n"), 
+             p, GetLastError() );
+        return GNUNET_SYSERR;
+      }
+    // Close process and thread handles. 
+    CloseHandle( proc.hProcess );
+    CloseHandle( proc.hThread );
+  
+    if (!exit_value)
+      return GNUNET_YES;
 #endif
+    }
   GNUNET_free (p);
   return GNUNET_NO;
 }
diff --git a/src/util/os_priority.c b/src/util/os_priority.c
index b8b854963..e86de968a 100644
--- a/src/util/os_priority.c
+++ b/src/util/os_priority.c
@@ -634,7 +634,7 @@ start_process (int pipe_control,
   int fd_stdin_read;
   int fd_stdin_write;
 
-  if (GNUNET_SYSERR == GNUNET_OS_check_helper_binary (filename))
+  if (GNUNET_SYSERR == GNUNET_OS_check_helper_binary (filename, FALSE, NULL))
     return NULL; /* not executable */
   if (GNUNET_YES == pipe_control)
   {
@@ -865,7 +865,7 @@ start_process (int pipe_control,
   BOOL bresult;
   DWORD error_code;
 
-  if (GNUNET_SYSERR == GNUNET_OS_check_helper_binary (filename))
+  if (GNUNET_SYSERR == GNUNET_OS_check_helper_binary (filename, FALSE, NULL))
     return NULL; /* not executable */
  
   /* Search in prefix dir (hopefully - the directory from which
diff --git a/src/vpn/gnunet-helper-vpn-windows.c b/src/vpn/gnunet-helper-vpn-windows.c
index 5166a055c..7dee53609 100644
--- a/src/vpn/gnunet-helper-vpn-windows.c
+++ b/src/vpn/gnunet-helper-vpn-windows.c
@@ -63,9 +63,9 @@
 #endif
 
 /**
- * Will this binary be run in dryrun-mode? 
+ * Will this binary be run in permissions testing mode? 
  */
-static BOOL dryrun = FALSE;
+static boolean privilege_testing = FALSE;
 
 /**
  * Maximum size of a GNUnet message (GNUNET_SERVER_MAX_MESSAGE_SIZE)
@@ -1356,8 +1356,8 @@ run (HANDLE tap_handle)
    * DHCP and such are all features we will never use in gnunet afaik.
    * But for openvpn those are essential.
    */
-  if (! tun_up (tap_handle))
-    return;
+  if ((privilege_testing) || (! tun_up (tap_handle))
+    goto teardown_final;
 
   /* Initialize our overlapped IO structures*/
   if (! (initialize_io_facility (&tap_read, IOSTATE_READY, FALSE)
@@ -1412,9 +1412,6 @@ run (HANDLE tap_handle)
     }
 #endif
 
-  if (dryrun)
-    goto teardown;
-  
   fprintf (stderr, "DEBUG: mainloop has begun\n");
 
   while (std_out.path_open || tap_write.path_open)
@@ -1441,9 +1438,7 @@ teardown:
   CancelIo (tap_handle);
   CancelIo (std_in.handle);
   CancelIo (std_out.handle);
-
 teardown_final:
-      
   CloseHandle (tap_handle);
 }
 
@@ -1470,8 +1465,8 @@ main (int argc, char **argv)
   BOOL have_ip6 = FALSE;
   
   if (argc > 1 && 0 != strcmp (argv[1], "-d")){
-      dryrun = TRUE;
-      fprintf (stderr, "DEBUG: Running binary in dryrun mode.", argv[0]);
+      privilege_testing = TRUE;
+      fprintf (stderr, "DEBUG: Running binary in privilege testing mode.", argv[0]);
       argv++;
       argc--;
     }
diff --git a/src/vpn/gnunet-service-vpn.c b/src/vpn/gnunet-service-vpn.c
index 1a46f0b5e..e3bc8a49c 100644
--- a/src/vpn/gnunet-service-vpn.c
+++ b/src/vpn/gnunet-service-vpn.c
@@ -3062,7 +3062,7 @@ run (void *cls,
   binary = GNUNET_OS_get_libexec_binary_path ("gnunet-helper-vpn");
 
   if (GNUNET_YES !=
-      GNUNET_OS_check_helper_binary (binary))
+      GNUNET_OS_check_helper_binary (binary, TRUE, NULL)) // FIXME: CF: add test-parameters
   {
     fprintf (stderr,
              "`%s' is not SUID, refusing to run.\n",