github
/
openvpn-gui
mirror of https://github.com/OpenVPN/openvpn-gui
1
0
Fork 0
Code Issues Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
784 Commits
3 Branches
112 Tags
18 MiB
Tag: OpenVPN-2.6.0-I003
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'OpenVPN-2.6.0-I003'
${ noResults }
openvpn-gui/as.c

718 lines
22 KiB
Raw Permalink Normal View History Unescape

URL profile import: add profile import dialog This is the first patch from series which implemets importing profile from URL, currently implemented by OpenVPN Access Server. Move "Import from file" menu item under new "Import" item. Add "Import from AS..." item under "Import", which opens new profile import dialog. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
/*
* OpenVPN-GUI -- A Windows GUI for OpenVPN.
*
* Copyright (C) 2021 Lev Stipakov <lstipakov@gmail.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program (see the file COPYING included with this
* distribution); if not, write to the Free Software Foundation, Inc.,
* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include <windows.h>
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
#include <wininet.h>
URL profile import: add profile import dialog This is the first patch from series which implemets importing profile from URL, currently implemented by OpenVPN Access Server. Move "Import from file" menu item under new "Import" item. Add "Import from AS..." item under "Import", which opens new profile import dialog. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
#include <stdlib.h>
During import from url take filename from content-disposition If the http header "Content-Disposition:" is present take the filename specified in there as the name of the imported profile, falling back to scanning the file contents for metadata. If both filename= and filename*= attributes are present, the latter takes precedence provided the character set is utf-8. (Extended attributes as defined in RFC 5987). In case of import from AS, the behaviour is unchanaged. Issue: #450. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
#include <shlwapi.h>
URL profile import: add profile import dialog This is the first patch from series which implemets importing profile from URL, currently implemented by OpenVPN Access Server. Move "Import from file" menu item under new "Import" item. Add "Import from AS..." item under "Import", which opens new profile import dialog. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
#include "config.h"
#include "localization.h"
#include "main.h"
#include "misc.h"
#include "openvpn.h"
#include "openvpn-gui-res.h"
#include "save_pass.h"
#define URL_LEN 1024
#define PROFILE_NAME_LEN 128
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
#define READ_CHUNK_LEN 65536
URL profile import: add profile import dialog This is the first patch from series which implemets importing profile from URL, currently implemented by OpenVPN Access Server. Move "Import from file" menu item under new "Import" item. Add "Import from AS..." item under "Import", which opens new profile import dialog. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
#define PROFILE_NAME_TOKEN L"# OVPN_ACCESS_SERVER_PROFILE="
#define FRIENDLY_NAME_TOKEN L"# OVPN_ACCESS_SERVER_FRIENDLY_NAME="
During import from url take filename from content-disposition If the http header "Content-Disposition:" is present take the filename specified in there as the name of the imported profile, falling back to scanning the file contents for metadata. If both filename= and filename*= attributes are present, the latter takes precedence provided the character set is utf-8. (Extended attributes as defined in RFC 5987). In case of import from AS, the behaviour is unchanaged. Issue: #450. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
/** Replace characters not allowed in Windows filenames with '_' */
void
SanitizeFilename(wchar_t *fname)
{
const wchar_t *reserved = L"<>:\"/\\|?*;"; /* remap these and ascii 1 to 31 */
while (*fname) {
wchar_t c = *fname;
if (c < 32 || wcschr(reserved, c))
{
*fname = L'_';
}
++fname;
}
}
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
/**
* Extract profile name from profile content.
*
* Profile name is either (sorted in priority order):
* - value of OVPN_ACCESS_SERVER_FRIENDLY_NAME
* - value of OVPN_ACCESS_SERVER_PROFILE
Implement importing profile from a generic URL ParseUrl extended to parse generic URLs and parse the path. DownloadProfile() function re-factored for reuse with generic URL. Also: - INTERNET_FLAG_RELOAD added to the request call to force reloading the data from server instead of using possibly cached data. - Input box for URL extended in length to about 50 characters wide. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
* - specified default_name
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
*
* @param profile profile content
* @param default_name default name for profile if it doesn't contain name
* @param out_name extracted profile name
* @param out_name_length max length of out_name char array
*/
void
ExtractProfileName(const WCHAR *profile, const WCHAR *default_name, WCHAR *out_name, size_t out_name_length)
{
WCHAR friendly_name[PROFILE_NAME_LEN] = { 0 };
WCHAR profile_name[PROFILE_NAME_LEN] = { 0 };
/* wcstok() modifies string, need to make a copy */
WCHAR *buf = _wcsdup(profile);
WCHAR *pch = NULL;
wcstok: use security-enhanced version Replace old wcstok signature with security-enhanced version, which stores position information between calls in "context" parameter instead of internal per-thread context. This allows to get rid of _CRT_NON_CONFORMING_WCSTOK define in CMakeLists.txt Reported-by: Kai Schtrom Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
WCHAR *ctx = NULL;
pch = wcstok_s(buf, L"\r\n", &ctx);
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
while (pch != NULL) {
if (wcsbegins(pch, PROFILE_NAME_TOKEN)) {
wcsncpy(profile_name, pch + wcslen(PROFILE_NAME_TOKEN), PROFILE_NAME_LEN - 1);
profile_name[PROFILE_NAME_LEN - 1] = L'\0';
}
else if (wcsbegins(pch, FRIENDLY_NAME_TOKEN)) {
wcsncpy(friendly_name, pch + wcslen(FRIENDLY_NAME_TOKEN), PROFILE_NAME_LEN - 1);
friendly_name[PROFILE_NAME_LEN - 1] = L'\0';
}
wcstok: use security-enhanced version Replace old wcstok signature with security-enhanced version, which stores position information between calls in "context" parameter instead of internal per-thread context. This allows to get rid of _CRT_NON_CONFORMING_WCSTOK define in CMakeLists.txt Reported-by: Kai Schtrom Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
pch = wcstok_s(NULL, L"\r\n", &ctx);
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
}
/* we use .ovpn here, but extension could be customized */
/* actual extension will be applied during import */
if (wcslen(friendly_name) > 0)
swprintf(out_name, out_name_length, L"%ls.ovpn", friendly_name);
else if (wcslen(profile_name) > 0)
swprintf(out_name, out_name_length, L"%ls.ovpn", profile_name);
else
swprintf(out_name, out_name_length, L"%ls.ovpn", default_name);
out_name[out_name_length - 1] = L'\0';
During import from url take filename from content-disposition If the http header "Content-Disposition:" is present take the filename specified in there as the name of the imported profile, falling back to scanning the file contents for metadata. If both filename= and filename*= attributes are present, the latter takes precedence provided the character set is utf-8. (Extended attributes as defined in RFC 5987). In case of import from AS, the behaviour is unchanaged. Issue: #450. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
SanitizeFilename(out_name);
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
free(buf);
}
void
ShowWinInetError(HANDLE hWnd)
{
WCHAR err[256] = { 0 };
FormatMessageW(FORMAT_MESSAGE_FROM_HMODULE | FORMAT_MESSAGE_FROM_SYSTEM, GetModuleHandleW(L"wininet.dll"),
GetLastError(), MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), err, _countof(err), NULL);
ShowLocalizedMsgEx(MB_OK, hWnd, _T(PACKAGE_NAME), IDS_ERR_URL_IMPORT_PROFILE, GetLastError(), err);
}
struct UrlComponents
{
int port;
WCHAR host[URL_LEN];
Implement importing profile from a generic URL ParseUrl extended to parse generic URLs and parse the path. DownloadProfile() function re-factored for reuse with generic URL. Also: - INTERNET_FLAG_RELOAD added to the request call to force reloading the data from server instead of using possibly cached data. - Input box for URL extended in length to about 50 characters wide. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
WCHAR path[URL_LEN];
Add content-type check for import from URL For Import from URL, require that response from server must have content-type: application/x-openvpn-profile This reduces chances of mistyped input causing import of random html pages as connection profile. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
char content_type[256];
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
bool https;
};
/**
* Extracts protocol, port and hostname from URL
*
* @param url URL to parse, length must be less than URL_MAX
*/
void
ParseUrl(const WCHAR *url, struct UrlComponents* comps)
{
ZeroMemory(comps, sizeof(struct UrlComponents));
comps->port = 443;
comps->https = true;
if (wcsbegins(url, L"http://")) {
Implement importing profile from a generic URL ParseUrl extended to parse generic URLs and parse the path. DownloadProfile() function re-factored for reuse with generic URL. Also: - INTERNET_FLAG_RELOAD added to the request call to force reloading the data from server instead of using possibly cached data. - Input box for URL extended in length to about 50 characters wide. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
url += 7;
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
} else if (wcsbegins(url, L"https://")) {
Implement importing profile from a generic URL ParseUrl extended to parse generic URLs and parse the path. DownloadProfile() function re-factored for reuse with generic URL. Also: - INTERNET_FLAG_RELOAD added to the request call to force reloading the data from server instead of using possibly cached data. - Input box for URL extended in length to about 50 characters wide. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
url +=8;
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
}
Implement importing profile from a generic URL ParseUrl extended to parse generic URLs and parse the path. DownloadProfile() function re-factored for reuse with generic URL. Also: - INTERNET_FLAG_RELOAD added to the request call to force reloading the data from server instead of using possibly cached data. - Input box for URL extended in length to about 50 characters wide. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
WCHAR *strport = wcsstr(url, L":");
WCHAR *pathptr = wcsstr(url, L"/");
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
if (strport) {
Implement importing profile from a generic URL ParseUrl extended to parse generic URLs and parse the path. DownloadProfile() function re-factored for reuse with generic URL. Also: - INTERNET_FLAG_RELOAD added to the request call to force reloading the data from server instead of using possibly cached data. - Input box for URL extended in length to about 50 characters wide. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
wcsncpy_s(comps->host, URL_LEN, url, strport - url);
comps->port = wcstol(strport + 1, NULL, 10);
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
}
Implement importing profile from a generic URL ParseUrl extended to parse generic URLs and parse the path. DownloadProfile() function re-factored for reuse with generic URL. Also: - INTERNET_FLAG_RELOAD added to the request call to force reloading the data from server instead of using possibly cached data. - Input box for URL extended in length to about 50 characters wide. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
else if (pathptr)
{
wcsncpy_s(comps->host, URL_LEN, url, pathptr - url);
}
else
{
wcsncpy_s(comps->host, URL_LEN, url, _TRUNCATE);
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
}
Implement importing profile from a generic URL ParseUrl extended to parse generic URLs and parse the path. DownloadProfile() function re-factored for reuse with generic URL. Also: - INTERNET_FLAG_RELOAD added to the request call to force reloading the data from server instead of using possibly cached data. - Input box for URL extended in length to about 50 characters wide. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
if (pathptr)
{
wcsncpy_s(comps->path, URL_LEN, pathptr + 1, _TRUNCATE);
}
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
}
/**
* Download profile content. In case of error displays error message.
*
* @param hWnd handle of window which initiated download
* @param hRequest WinInet request handle
* @param pbuf pointer to a buffer, will be allocated by this function. Caller must free it after use.
* @param psize pointer to a profile size, assigned by this function
*/
BOOL
DownloadProfileContent(HANDLE hWnd, HINTERNET hRequest, char** pbuf, size_t* psize)
{
size_t pos = 0;
size_t size = READ_CHUNK_LEN;
*pbuf = calloc(1, size + 1);
char* buf = *pbuf;
if (buf == NULL) {
MessageBoxW(hWnd, L"Out of memory", _T(PACKAGE_NAME), MB_OK);
return FALSE;
}
while (true) {
DWORD bytesRead = 0;
if (!InternetReadFile(hRequest, buf + pos, READ_CHUNK_LEN, &bytesRead)) {
ShowWinInetError(hWnd);
return FALSE;
}
buf[pos + bytesRead] = '\0';
if (bytesRead == 0) {
size = pos;
break;
}
if (pos + bytesRead >= size) {
size += READ_CHUNK_LEN;
*pbuf = realloc(*pbuf, size + 1);
if (!*pbuf) {
free(buf);
MessageBoxW(hWnd, L"Out of memory", _T(PACKAGE_NAME), MB_OK);
return FALSE;
}
buf = *pbuf;
}
pos += bytesRead;
}
*psize = size;
return TRUE;
}
URL profile import: support for 2FA When 2FA is enabled, server (such as AS) replies with HTTP 401 and issues a challenge. Use existing facilities to parse CRV message and prompt user for a response, then call REST method again with encoded response as HTTP auth password. See https://github.com/OpenVPN/openvpn3/blob/master/doc/webauth.md#challengeresponse-authentication for more information. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
/*
* DialogProc for challenge-response
*/
INT_PTR CALLBACK
CRDialogFunc(HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lParam)
{
auth_param_t * param = NULL;
switch (msg) {
case WM_INITDIALOG:
param = (auth_param_t*)lParam;
Check return value of SetProp() (#591) * Check return value of SetProp - If SetProp() is unsuccessful, we'll crash later when GetProp() returns null. Add a check, log the error and close the dialog. We could abort here, but closing the current dialog and possibly the corresponding connection, provides a chance for the user to fix the OOM condition which is the most likely cause of SetProp() failure. - In pkcs11.c if SetProp() fails just do not use bold font for header instead of leaking the font resource. Also correct a bad fixup in commit 80697ecae6: hfontProp was not set! Github: Fixes OpenVPN/openvpn-gui#577 Signed-off-by: Selva Nair <selva.nair@gmail.com>
2 years ago
TRY_SETPROP(hwndDlg, cfgProp, (HANDLE)param);
URL profile import: support for 2FA When 2FA is enabled, server (such as AS) replies with HTTP 401 and issues a challenge. Use existing facilities to parse CRV message and prompt user for a response, then call REST method again with encoded response as HTTP auth password. See https://github.com/OpenVPN/openvpn3/blob/master/doc/webauth.md#challengeresponse-authentication for more information. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
WCHAR *wstr = Widen(param->str);
if (!wstr) {
EndDialog(hwndDlg, LOWORD(wParam));
break;
}
SetDlgItemTextW(hwndDlg, ID_TXT_DESCRIPTION, wstr);
free(wstr);
/* Set password echo on if needed */
if (param->flags & FLAG_CR_ECHO)
SendMessage(GetDlgItem(hwndDlg, ID_EDT_RESPONSE), EM_SETPASSWORDCHAR, 0, 0);
SetForegroundWindow(hwndDlg);
/* disable OK button by default - not disabled in resources */
EnableWindow(GetDlgItem(hwndDlg, IDOK), FALSE);
break;
case WM_COMMAND:
param = (auth_param_t*)GetProp(hwndDlg, cfgProp);
switch (LOWORD(wParam)) {
case ID_EDT_RESPONSE:
if (HIWORD(wParam) == EN_UPDATE) {
/* enable OK if response is non-empty */
BOOL enableOK = GetWindowTextLength((HWND)lParam);
EnableWindow(GetDlgItem(hwndDlg, IDOK), enableOK);
}
break;
case IDOK: {
int len = 0;
GetDlgItemTextUtf8(hwndDlg, ID_EDT_RESPONSE, &param->cr_response, &len);
EndDialog(hwndDlg, LOWORD(wParam));
}
return TRUE;
case IDCANCEL:
EndDialog(hwndDlg, LOWORD(wParam));
return TRUE;
}
break;
case WM_CLOSE:
EndDialog(hwndDlg, LOWORD(wParam));
return TRUE;
case WM_NCDESTROY:
RemoveProp(hwndDlg, cfgProp);
break;
}
return FALSE;
}
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
/**
Implement importing profile from a generic URL ParseUrl extended to parse generic URLs and parse the path. DownloadProfile() function re-factored for reuse with generic URL. Also: - INTERNET_FLAG_RELOAD added to the request call to force reloading the data from server instead of using possibly cached data. - Input box for URL extended in length to about 50 characters wide. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
* Construct the REST URL for AS profile
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
*
* @param host AS hostname, entered by user, might contain protocol and port
Implement importing profile from a generic URL ParseUrl extended to parse generic URLs and parse the path. DownloadProfile() function re-factored for reuse with generic URL. Also: - INTERNET_FLAG_RELOAD added to the request call to force reloading the data from server instead of using possibly cached data. - Input box for URL extended in length to about 50 characters wide. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
* @param autologin should autologin profile be used
* @param comps Pointer to UrlComponents. Value assigned by this function.
*/
static void
GetASUrl(const WCHAR *host, bool autologin, struct UrlComponents *comps)
{
ParseUrl(host, comps);
swprintf(comps->path, URL_LEN, L"/rest/%ls?tls-cryptv2=1&action=import", autologin ? L"GetAutologin" : L"GetUserlogin");
comps->path[URL_LEN - 1] = L'\0';
}
During import from url take filename from content-disposition If the http header "Content-Disposition:" is present take the filename specified in there as the name of the imported profile, falling back to scanning the file contents for metadata. If both filename= and filename*= attributes are present, the latter takes precedence provided the character set is utf-8. (Extended attributes as defined in RFC 5987). In case of import from AS, the behaviour is unchanaged. Issue: #450. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
/**
* Read content-disposition header and extract file name if any.
* Returns true on success, false otherwise.
*/
bool
ExtractFilenameFromHeader(HINTERNET hRequest, wchar_t *name, size_t len)
{
DWORD index = 0;
char *buf = NULL;
DWORD buflen = 256;
bool res = false;
UINT codepage = 28591; /* ISO 8859_1 -- the default char set for http header */
buf = malloc(buflen);
if (!buf
|| (!HttpQueryInfoA(hRequest, HTTP_QUERY_CONTENT_DISPOSITION, buf, &buflen, &index)
&& GetLastError() != ERROR_INSUFFICIENT_BUFFER))
{
goto done;
}
if (GetLastError() == ERROR_INSUFFICIENT_BUFFER)
{
/* try again with more space */
free(buf);
buf = malloc(buflen);
if (!buf
|| !HttpQueryInfoA(hRequest, HTTP_QUERY_CONTENT_DISPOSITION, buf, &buflen, &index))
{
goto done;
}
}
/* look for filename=<name> */
char *p = strtok(buf, ";");
char *fn = NULL;
for ( ; p; p = strtok(NULL, ";"))
{
if ((fn = strstr(p, "filename=")) != NULL)
{
fn += 9;
continue;
}
else if ((fn = strstr(p, "filename*=utf-8''")) != NULL)
{
fn += 17;
UrlUnescapeA(fn, NULL, NULL, URL_UNESCAPE_INPLACE);
codepage = CP_UTF8;
break; /* we prefer filename*= value */
}
}
if (fn && strlen(fn))
{
StrTrimA(fn, " \""); /* strip leading and trailing spaces and quotes */
wchar_t *wfn = WidenEx(codepage, fn);
if (wfn)
{
wcsncpy_s(name, len, wfn, _TRUNCATE);
res = true;
free(wfn);
}
}
SanitizeFilename(name);
done:
free(buf);
return res;
}
Implement importing profile from a generic URL ParseUrl extended to parse generic URLs and parse the path. DownloadProfile() function re-factored for reuse with generic URL. Also: - INTERNET_FLAG_RELOAD added to the request call to force reloading the data from server instead of using possibly cached data. - Input box for URL extended in length to about 50 characters wide. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
/**
* Download profile from a generic URL and save it to a temp file
*
* @param hWnd handle of window which initiated download
* @param comps pointer to struct UrlComponents describing the URL
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
* @param username UTF-8 encoded username used for HTTP basic auth
* @param password UTF-8 encoded password used for HTTP basic auth
* @param out_path full path to where profile is downloaded. Value assigned by this function.
* @param out_path_size number of elements in out_path arrray
Implement importing profile from a generic URL ParseUrl extended to parse generic URLs and parse the path. DownloadProfile() function re-factored for reuse with generic URL. Also: - INTERNET_FLAG_RELOAD added to the request call to force reloading the data from server instead of using possibly cached data. - Input box for URL extended in length to about 50 characters wide. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
*
* Filename in out_path is parsed from tags in received data
* with the url hostname as a fallback.
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
*/
Implement importing profile from a generic URL ParseUrl extended to parse generic URLs and parse the path. DownloadProfile() function re-factored for reuse with generic URL. Also: - INTERNET_FLAG_RELOAD added to the request call to force reloading the data from server instead of using possibly cached data. - Input box for URL extended in length to about 50 characters wide. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
static BOOL
DownloadProfile(HANDLE hWnd, const struct UrlComponents *comps, const char *username,
const char *password_orig, WCHAR *out_path, size_t out_path_size)
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
{
HANDLE hInternet = NULL;
HANDLE hConnect = NULL;
HANDLE hRequest = NULL;
BOOL result = FALSE;
char* buf = NULL;
Implement importing profile from a generic URL ParseUrl extended to parse generic URLs and parse the path. DownloadProfile() function re-factored for reuse with generic URL. Also: - INTERNET_FLAG_RELOAD added to the request call to force reloading the data from server instead of using possibly cached data. - Input box for URL extended in length to about 50 characters wide. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
/* need to make copy of password to use it for dynamic response */
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
char password[USER_PASS_LEN] = { 0 };
Implement importing profile from a generic URL ParseUrl extended to parse generic URLs and parse the path. DownloadProfile() function re-factored for reuse with generic URL. Also: - INTERNET_FLAG_RELOAD added to the request call to force reloading the data from server instead of using possibly cached data. - Input box for URL extended in length to about 50 characters wide. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
strncpy_s(password, _countof(password), password_orig, _TRUNCATE);
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
Clear password used for profile import - HTTP auth password appears to be cached and reused unless replaced by a non-empty string. When user-supplied password is empty, use some arbitrary string "x" as the password. - Make username required for generic URL as well. - Also clear password buffers after use. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
/* empty password causes reuse of previously cached value -- set it to some character */
if (strlen(password) == 0)
{
password[0] = 'x';
}
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
hInternet = InternetOpenW(L"openvpn-gui/1.0", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);
if (!hInternet) {
ShowWinInetError(hWnd);
goto done;
}
Add a timeout for http download Download profile from AS or URL use blocking network calls in the main thread. Set reasonable timeouts for connect and receive. TODO: This is not perfect as the download can still stall in erratic links, and we have no way to abort. Ideally we should either use Async calls and/or threads. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
/* Calls to connect and receive block: set timeouts that are not too long */
unsigned long timeout = 30000; /* 30 seconds */
InternetSetOption(hInternet, INTERNET_OPTION_CONNECT_TIMEOUT, &timeout, sizeof(timeout));
InternetSetOption(hInternet, INTERNET_OPTION_RECEIVE_TIMEOUT, &timeout, sizeof(timeout));
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
/* wait cursor will be automatically reverted later */
SetCursor(LoadCursorW(0, IDC_WAIT));
Implement importing profile from a generic URL ParseUrl extended to parse generic URLs and parse the path. DownloadProfile() function re-factored for reuse with generic URL. Also: - INTERNET_FLAG_RELOAD added to the request call to force reloading the data from server instead of using possibly cached data. - Input box for URL extended in length to about 50 characters wide. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
hConnect = InternetConnectW(hInternet, comps->host, comps->port, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
if (!hConnect) {
ShowWinInetError(hWnd);
goto done;
}
Implement importing profile from a generic URL ParseUrl extended to parse generic URLs and parse the path. DownloadProfile() function re-factored for reuse with generic URL. Also: - INTERNET_FLAG_RELOAD added to the request call to force reloading the data from server instead of using possibly cached data. - Input box for URL extended in length to about 50 characters wide. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
DWORD req_flags = INTERNET_FLAG_RELOAD; /* load from server, do not use cached data */
req_flags |= comps->https ? INTERNET_FLAG_SECURE : 0;
hRequest = HttpOpenRequestW(hConnect, NULL, comps->path, NULL, NULL, NULL, req_flags, 0);
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
if (!hRequest) {
ShowWinInetError(hWnd);
goto done;
}
again:
if (buf) {
free(buf);
buf = NULL;
}
/* turns out that *A WinAPI function must be used with UTF-8 encoded parameters to get
* correct Base64 encoding (used by Basic HTTP auth) for non-ASCII characters
*/
InternetSetOptionA(hRequest, INTERNET_OPTION_USERNAME, (LPVOID)username, (DWORD)strlen(username));
InternetSetOptionA(hRequest, INTERNET_OPTION_PASSWORD, (LPVOID)password, (DWORD)strlen(password));
/* handle cert errors */
/* https://www.betaarchive.com/wiki/index.php/Microsoft_KB_Archive/182888 */
if (!HttpSendRequestW(hRequest, NULL, 0, NULL, 0)) {
URL profile import: disable profile download in case of certificate errors Allow users to bypass HTTPS is not good, but may nevertheless be useful during development. DEBUG macro is widely used in openvpn-gui code but was missing from CMakeLists.txt, so add it there. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
#ifdef DEBUG
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
DWORD err = GetLastError();
if ((err == ERROR_INTERNET_INVALID_CA) ||
(err == ERROR_INTERNET_SEC_CERT_CN_INVALID) ||
(err == ERROR_INTERNET_SEC_CERT_DATE_INVALID) ||
(err == ERROR_INTERNET_SEC_CERT_REV_FAILED)) {
/* ask user what to do and modify options if needed */
DWORD dlg_result = InternetErrorDlg(hWnd, hRequest,
err,
FLAGS_ERROR_UI_FILTER_FOR_ERRORS |
FLAGS_ERROR_UI_FLAGS_GENERATE_DATA |
FLAGS_ERROR_UI_FLAGS_CHANGE_OPTIONS,
NULL);
if (dlg_result == ERROR_SUCCESS) {
/* for unknown reasons InternetErrorDlg() doesn't change options for ERROR_INTERNET_SEC_CERT_REV_FAILED,
* despite user is willing to continue, so we have to do it manually */
if (err == ERROR_INTERNET_SEC_CERT_REV_FAILED) {
DWORD flags;
DWORD len = sizeof(flags);
URL profile import: support for 2FA When 2FA is enabled, server (such as AS) replies with HTTP 401 and issues a challenge. Use existing facilities to parse CRV message and prompt user for a response, then call REST method again with encoded response as HTTP auth password. See https://github.com/OpenVPN/openvpn3/blob/master/doc/webauth.md#challengeresponse-authentication for more information. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
InternetQueryOptionW(hRequest, INTERNET_OPTION_SECURITY_FLAGS, (LPVOID)&flags, &len);
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
flags |= SECURITY_FLAG_IGNORE_REVOCATION;
URL profile import: support for 2FA When 2FA is enabled, server (such as AS) replies with HTTP 401 and issues a challenge. Use existing facilities to parse CRV message and prompt user for a response, then call REST method again with encoded response as HTTP auth password. See https://github.com/OpenVPN/openvpn3/blob/master/doc/webauth.md#challengeresponse-authentication for more information. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
InternetSetOptionW(hRequest, INTERNET_OPTION_SECURITY_FLAGS, &flags, sizeof(flags));
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
goto again;
}
SetCursor(LoadCursorW(0, IDC_WAIT));
goto again;
}
else
goto done;
}
URL profile import: disable profile download in case of certificate errors Allow users to bypass HTTPS is not good, but may nevertheless be useful during development. DEBUG macro is widely used in openvpn-gui code but was missing from CMakeLists.txt, so add it there. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
#endif
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
ShowWinInetError(hWnd);
goto done;
}
/* get http status code */
URL profile import: support for 2FA When 2FA is enabled, server (such as AS) replies with HTTP 401 and issues a challenge. Use existing facilities to parse CRV message and prompt user for a response, then call REST method again with encoded response as HTTP auth password. See https://github.com/OpenVPN/openvpn3/blob/master/doc/webauth.md#challengeresponse-authentication for more information. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
DWORD status_code = 0;
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
DWORD length = sizeof(DWORD);
URL profile import: support for 2FA When 2FA is enabled, server (such as AS) replies with HTTP 401 and issues a challenge. Use existing facilities to parse CRV message and prompt user for a response, then call REST method again with encoded response as HTTP auth password. See https://github.com/OpenVPN/openvpn3/blob/master/doc/webauth.md#challengeresponse-authentication for more information. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
HttpQueryInfoW(hRequest, HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER, &status_code, &length, NULL);
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
size_t size = 0;
URL profile import: support for 2FA When 2FA is enabled, server (such as AS) replies with HTTP 401 and issues a challenge. Use existing facilities to parse CRV message and prompt user for a response, then call REST method again with encoded response as HTTP auth password. See https://github.com/OpenVPN/openvpn3/blob/master/doc/webauth.md#challengeresponse-authentication for more information. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
/* download profile content */
if ((status_code == 200) || (status_code == 401)) {
if (!DownloadProfileContent(hWnd, hRequest, &buf, &size))
goto done;
char* msg_begin = strstr(buf, "<Message>CRV1:");
char* msg_end = strstr(buf, "</Message>");
if ((status_code == 401) && msg_begin && msg_end) {
*msg_end = '\0';
auth_param_t* param = (auth_param_t*)calloc(1, sizeof(auth_param_t));
if (!param)
goto done;
if (parse_dynamic_cr(msg_begin + 14, param)) {
/* prompt user for dynamic challenge */
INT_PTR res = LocalizedDialogBoxParam(ID_DLG_CHALLENGE_RESPONSE, CRDialogFunc, (LPARAM)param);
if (res == IDOK)
_snprintf_0(password, "CRV1::%s::%s", param->id, param->cr_response);
free_auth_param(param);
if (res == IDOK)
goto again;
}
else {
free_auth_param(param);
}
}
}
if (status_code != 200) {
ShowLocalizedMsgEx(MB_OK, hWnd, _T(PACKAGE_NAME), IDS_ERR_URL_IMPORT_PROFILE, status_code, L"HTTP error");
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
goto done;
URL profile import: support for 2FA When 2FA is enabled, server (such as AS) replies with HTTP 401 and issues a challenge. Use existing facilities to parse CRV message and prompt user for a response, then call REST method again with encoded response as HTTP auth password. See https://github.com/OpenVPN/openvpn3/blob/master/doc/webauth.md#challengeresponse-authentication for more information. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
}
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
Add content-type check for import from URL For Import from URL, require that response from server must have content-type: application/x-openvpn-profile This reduces chances of mistyped input causing import of random html pages as connection profile. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
/* check content-type if specified */
if (strlen(comps->content_type) > 0)
{
char tmp[256];
DWORD len = sizeof(tmp);
BOOL res = HttpQueryInfoA(hRequest, HTTP_QUERY_CONTENT_TYPE, tmp, &len, NULL);
if (!res || stricmp(comps->content_type, tmp))
{
ShowLocalizedMsgEx(MB_OK, hWnd, _T(PACKAGE_NAME), IDS_ERR_URL_IMPORT_PROFILE, 0,
L"HTTP content-type mismatch");
goto done;
}
}
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
WCHAR name[MAX_PATH] = {0};
During import from url take filename from content-disposition If the http header "Content-Disposition:" is present take the filename specified in there as the name of the imported profile, falling back to scanning the file contents for metadata. If both filename= and filename*= attributes are present, the latter takes precedence provided the character set is utf-8. (Extended attributes as defined in RFC 5987). In case of import from AS, the behaviour is unchanaged. Issue: #450. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
/* read filename from header or from the profile metadata */
if (strlen(comps->content_type) == 0 /* AS profile */
|| !ExtractFilenameFromHeader(hRequest, name, MAX_PATH))
{
WCHAR* wbuf = Widen(buf);
if (!wbuf) {
MessageBoxW(hWnd, L"Failed to convert profile content to wchar", _T(PACKAGE_NAME), MB_OK);
goto done;
}
ExtractProfileName(wbuf, comps->host, name, MAX_PATH);
free(wbuf);
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
}
/* save profile content into tmp file */
DWORD res = GetTempPathW((DWORD)out_path_size, out_path);
if (res == 0 || res > out_path_size) {
MessageBoxW(hWnd, L"Failed to get TMP path", _T(PACKAGE_NAME), MB_OK);
goto done;
}
Use C standrad compliant printf specifications %S --> %hs in wide format strings, %ls otherwise %s --> %ls in wide format strings, unchanged otherwise %c --> %lc in wide format strings Resource files together have about 970 lines affected and were edited by looping through all with sed -i 's/%S/%hs/g' $file sed -i 's/%s/%ls/g' $file All other files were manually changed (about 85 lines). Recent versions of mingw-w64 implicitly turns on __USE_MINGW_ANSI_STDIO if _GNU_SOURCE, _XOPEN_SOURCE etc are defined (which we do usei). This breaks non-standard spec such as %S. Anyway, we have been gradually getting rid of those. MSVC builds should not be affected. v2: multiple occurrences in same line was missed in v1 (/g missing in sed expression). Fixed. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
swprintf(out_path, out_path_size, L"%ls%ls", out_path, name);
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
out_path[out_path_size - 1] = '\0';
FILE* f = _wfopen(out_path, L"w");
if (f == NULL) {
MessageBoxW(hWnd, L"Unable to save downloaded profile", _T(PACKAGE_NAME), MB_OK);
goto done;
}
fwrite(buf, sizeof(char), size, f);
fclose(f);
result = TRUE;
done:
if (buf)
free(buf);
Clear password used for profile import - HTTP auth password appears to be cached and reused unless replaced by a non-empty string. When user-supplied password is empty, use some arbitrary string "x" as the password. - Make username required for generic URL as well. - Also clear password buffers after use. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
/* wipe the password */
SecureZeroMemory(password, sizeof(password));
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
if (hRequest)
InternetCloseHandle(hRequest);
if (hConnect)
InternetCloseHandle(hConnect);
if (hInternet)
InternetCloseHandle(hInternet);
return result;
}
URL profile import: add profile import dialog This is the first patch from series which implemets importing profile from URL, currently implemented by OpenVPN Access Server. Move "Import from file" menu item under new "Import" item. Add "Import from AS..." item under "Import", which opens new profile import dialog. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
Implement importing profile from a generic URL ParseUrl extended to parse generic URLs and parse the path. DownloadProfile() function re-factored for reuse with generic URL. Also: - INTERNET_FLAG_RELOAD added to the request call to force reloading the data from server instead of using possibly cached data. - Input box for URL extended in length to about 50 characters wide. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
typedef enum {
server_as = 1,
server_generic = 2
} server_type_t;
URL profile import: add profile import dialog This is the first patch from series which implemets importing profile from URL, currently implemented by OpenVPN Access Server. Move "Import from file" menu item under new "Import" item. Add "Import from AS..." item under "Import", which opens new profile import dialog. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
INT_PTR CALLBACK
ImportProfileFromURLDialogFunc(HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lParam)
{
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
WCHAR url[URL_LEN] = {0};
BOOL autologin = FALSE;
Implement importing profile from a generic URL ParseUrl extended to parse generic URLs and parse the path. DownloadProfile() function re-factored for reuse with generic URL. Also: - INTERNET_FLAG_RELOAD added to the request call to force reloading the data from server instead of using possibly cached data. - Input box for URL extended in length to about 50 characters wide. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
server_type_t type;
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
URL profile import: add profile import dialog This is the first patch from series which implemets importing profile from URL, currently implemented by OpenVPN Access Server. Move "Import from file" menu item under new "Import" item. Add "Import from AS..." item under "Import", which opens new profile import dialog. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
switch (msg)
{
case WM_INITDIALOG:
Implement importing profile from a generic URL ParseUrl extended to parse generic URLs and parse the path. DownloadProfile() function re-factored for reuse with generic URL. Also: - INTERNET_FLAG_RELOAD added to the request call to force reloading the data from server instead of using possibly cached data. - Input box for URL extended in length to about 50 characters wide. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
type = (server_type_t) lParam;
Check return value of SetProp() (#591) * Check return value of SetProp - If SetProp() is unsuccessful, we'll crash later when GetProp() returns null. Add a check, log the error and close the dialog. We could abort here, but closing the current dialog and possibly the corresponding connection, provides a chance for the user to fix the OOM condition which is the most likely cause of SetProp() failure. - In pkcs11.c if SetProp() fails just do not use bold font for header instead of leaking the font resource. Also correct a bad fixup in commit 80697ecae6: hfontProp was not set! Github: Fixes OpenVPN/openvpn-gui#577 Signed-off-by: Selva Nair <selva.nair@gmail.com>
2 years ago
TRY_SETPROP(hwndDlg, cfgProp, (HANDLE)lParam);
URL profile import: add profile import dialog This is the first patch from series which implemets importing profile from URL, currently implemented by OpenVPN Access Server. Move "Import from file" menu item under new "Import" item. Add "Import from AS..." item under "Import", which opens new profile import dialog. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
SetStatusWinIcon(hwndDlg, ID_ICO_APP);
Implement importing profile from a generic URL ParseUrl extended to parse generic URLs and parse the path. DownloadProfile() function re-factored for reuse with generic URL. Also: - INTERNET_FLAG_RELOAD added to the request call to force reloading the data from server instead of using possibly cached data. - Input box for URL extended in length to about 50 characters wide. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
if (type == server_generic)
{
/* Change window title and hide autologin checkbox */
SetWindowTextW(hwndDlg, LoadLocalizedString(IDS_MENU_IMPORT_URL));
ShowWindow(GetDlgItem(hwndDlg, ID_CHK_AUTOLOGIN), SW_HIDE);
}
/* disable OK button until required data is filled in */
URL profile import: add profile import dialog This is the first patch from series which implemets importing profile from URL, currently implemented by OpenVPN Access Server. Move "Import from file" menu item under new "Import" item. Add "Import from AS..." item under "Import", which opens new profile import dialog. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
EnableWindow(GetDlgItem(hwndDlg, IDOK), FALSE);
break;
case WM_COMMAND:
Implement importing profile from a generic URL ParseUrl extended to parse generic URLs and parse the path. DownloadProfile() function re-factored for reuse with generic URL. Also: - INTERNET_FLAG_RELOAD added to the request call to force reloading the data from server instead of using possibly cached data. - Input box for URL extended in length to about 50 characters wide. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
type = (server_type_t) GetProp(hwndDlg, cfgProp);
URL profile import: add profile import dialog This is the first patch from series which implemets importing profile from URL, currently implemented by OpenVPN Access Server. Move "Import from file" menu item under new "Import" item. Add "Import from AS..." item under "Import", which opens new profile import dialog. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
switch (LOWORD(wParam))
{
case ID_EDT_AUTH_USER:
case ID_EDT_AUTH_PASS:
case ID_EDT_URL:
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
if (HIWORD(wParam) == EN_UPDATE) {
Clear password used for profile import - HTTP auth password appears to be cached and reused unless replaced by a non-empty string. When user-supplied password is empty, use some arbitrary string "x" as the password. - Make username required for generic URL as well. - Also clear password buffers after use. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
/* enable OK button only if url and username are filled */
URL profile import: add profile import dialog This is the first patch from series which implemets importing profile from URL, currently implemented by OpenVPN Access Server. Move "Import from file" menu item under new "Import" item. Add "Import from AS..." item under "Import", which opens new profile import dialog. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
BOOL enableOK = GetWindowTextLengthW(GetDlgItem(hwndDlg, ID_EDT_URL))
Clear password used for profile import - HTTP auth password appears to be cached and reused unless replaced by a non-empty string. When user-supplied password is empty, use some arbitrary string "x" as the password. - Make username required for generic URL as well. - Also clear password buffers after use. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
&& GetWindowTextLengthW(GetDlgItem(hwndDlg, ID_EDT_AUTH_USER));
URL profile import: add profile import dialog This is the first patch from series which implemets importing profile from URL, currently implemented by OpenVPN Access Server. Move "Import from file" menu item under new "Import" item. Add "Import from AS..." item under "Import", which opens new profile import dialog. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
EnableWindow(GetDlgItem(hwndDlg, IDOK), enableOK);
}
break;
case IDOK:
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
GetDlgItemTextW(hwndDlg, ID_EDT_URL, url, _countof(url));
int username_len = 0;
char *username = NULL;
GetDlgItemTextUtf8(hwndDlg, ID_EDT_AUTH_USER, &username, &username_len);
int password_len = 0;
char *password = NULL;
GetDlgItemTextUtf8(hwndDlg, ID_EDT_AUTH_PASS, &password, &password_len);
WCHAR path[MAX_PATH + 1] = { 0 };
Implement importing profile from a generic URL ParseUrl extended to parse generic URLs and parse the path. DownloadProfile() function re-factored for reuse with generic URL. Also: - INTERNET_FLAG_RELOAD added to the request call to force reloading the data from server instead of using possibly cached data. - Input box for URL extended in length to about 50 characters wide. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
struct UrlComponents comps = {0};
if (type == server_as)
{
autologin = IsDlgButtonChecked(hwndDlg, ID_CHK_AUTOLOGIN) == BST_CHECKED;
GetASUrl(url, autologin, &comps);
}
else
{
ParseUrl(url, &comps);
Add content-type check for import from URL For Import from URL, require that response from server must have content-type: application/x-openvpn-profile This reduces chances of mistyped input causing import of random html pages as connection profile. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
strncpy_s(comps.content_type, _countof(comps.content_type),
"application/x-openvpn-profile", _TRUNCATE);
Implement importing profile from a generic URL ParseUrl extended to parse generic URLs and parse the path. DownloadProfile() function re-factored for reuse with generic URL. Also: - INTERNET_FLAG_RELOAD added to the request call to force reloading the data from server instead of using possibly cached data. - Input box for URL extended in length to about 50 characters wide. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
}
BOOL downloaded = DownloadProfile(hwndDlg, &comps, username, password, path, _countof(path));
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
Clear password used for profile import - HTTP auth password appears to be cached and reused unless replaced by a non-empty string. When user-supplied password is empty, use some arbitrary string "x" as the password. - Make username required for generic URL as well. - Also clear password buffers after use. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
if (username_len > 0)
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
free(username);
Clear password used for profile import - HTTP auth password appears to be cached and reused unless replaced by a non-empty string. When user-supplied password is empty, use some arbitrary string "x" as the password. - Make username required for generic URL as well. - Also clear password buffers after use. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
if (password_len > 0)
{
SecureZeroMemory(password, strlen(password));
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
free(password);
Clear password used for profile import - HTTP auth password appears to be cached and reused unless replaced by a non-empty string. When user-supplied password is empty, use some arbitrary string "x" as the password. - Make username required for generic URL as well. - Also clear password buffers after use. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
}
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
if (downloaded) {
EndDialog(hwndDlg, LOWORD(wParam));
Show a prompt during profile import using --import The user is prompted with a message showing the config name that will be imported. The user can accept or cancel the operation. If the user was already prompted for over-write permission because a config with the same name exists, no further dialog is shown. Import using the menu (Import File...) is not affected. Rationale: We want to set "Import" as the default verb for the context menu of .ovpn files. This will allow import of configs by double-click. Also when .ovpn file is downloaded using a browser, setting the default bowser action to "open" will result in an import. In such cases a silent import action could be surprising, and a prompt showing what is being imported could provide a better UX. On the flip-side, the prompt/dialog will also be shown when import is done from the context menu of .ovpn by "right click and choose import" or when "openvpn-gui.exe --import foo" or "openvpn-gui.exe --command import foo" is executed. As import is an action that does not result in an immediately visible result (unlike, say, edit or print), a prompt requiring user action is of some value even in these cases. At worst it's a minor annoyance. See also: https://github.com/OpenVPN/openvpn-build/pull/227 and discussions there-in Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
ImportConfigFile(path, false); /* do not prompt user */
URL profile import: download and import profile Use WinInet to download profile into memory buffer. If there are certain certificate errors (invalid CN, wrong date, unknown CA, revocation check failed), ask if user wants to continue. Extract profile name from content, sanitize name and save profile in temp directory. Then import profile using existing facilities. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
_wunlink(path);
}
URL profile import: add profile import dialog This is the first patch from series which implemets importing profile from URL, currently implemented by OpenVPN Access Server. Move "Import from file" menu item under new "Import" item. Add "Import from AS..." item under "Import", which opens new profile import dialog. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
return TRUE;
case IDCANCEL:
EndDialog(hwndDlg, LOWORD(wParam));
return TRUE;
}
break;
case WM_CLOSE:
EndDialog(hwndDlg, LOWORD(wParam));
return TRUE;
case WM_NCDESTROY:
Check return value of SetProp() (#591) * Check return value of SetProp - If SetProp() is unsuccessful, we'll crash later when GetProp() returns null. Add a check, log the error and close the dialog. We could abort here, but closing the current dialog and possibly the corresponding connection, provides a chance for the user to fix the OOM condition which is the most likely cause of SetProp() failure. - In pkcs11.c if SetProp() fails just do not use bold font for header instead of leaking the font resource. Also correct a bad fixup in commit 80697ecae6: hfontProp was not set! Github: Fixes OpenVPN/openvpn-gui#577 Signed-off-by: Selva Nair <selva.nair@gmail.com>
2 years ago
RemoveProp(hwndDlg, cfgProp);
URL profile import: add profile import dialog This is the first patch from series which implemets importing profile from URL, currently implemented by OpenVPN Access Server. Move "Import from file" menu item under new "Import" item. Add "Import from AS..." item under "Import", which opens new profile import dialog. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
break;
}
return FALSE;
}
void ImportConfigFromAS()
{
Implement importing profile from a generic URL ParseUrl extended to parse generic URLs and parse the path. DownloadProfile() function re-factored for reuse with generic URL. Also: - INTERNET_FLAG_RELOAD added to the request call to force reloading the data from server instead of using possibly cached data. - Input box for URL extended in length to about 50 characters wide. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
LocalizedDialogBoxParam(ID_DLG_URL_PROFILE_IMPORT, ImportProfileFromURLDialogFunc, (LPARAM) server_as);
}
void ImportConfigFromURL()
{
LocalizedDialogBoxParam(ID_DLG_URL_PROFILE_IMPORT, ImportProfileFromURLDialogFunc, (LPARAM) server_generic);
}