|
|
|
/*
|
|
|
|
* This file is a part of OpenVPN-GUI -- A Windows GUI for OpenVPN.
|
|
|
|
*
|
|
|
|
* Copyright (C) 2016 Selva Nair <selva.nair@gmail.com>
|
|
|
|
*
|
|
|
|
* This program is free software; you can redistribute it and/or modify
|
|
|
|
* it under the terms of the GNU General Public License as published by
|
|
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
|
|
* (at your option) any later version.
|
|
|
|
*
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
* along with this program (see the file COPYING included with this
|
|
|
|
* distribution); if not, write to the Free Software Foundation, Inc.,
|
|
|
|
* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
|
|
*/
|
|
|
|
|
|
|
|
#ifdef HAVE_CONFIG_H
|
|
|
|
#include "config.h"
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#include <windows.h>
|
|
|
|
#include <wincrypt.h>
|
|
|
|
|
|
|
|
#include "main.h"
|
|
|
|
#include "registry.h"
|
|
|
|
#include "save_pass.h"
|
|
|
|
#include "misc.h"
|
|
|
|
|
|
|
|
#define KEY_PASS_DATA L"key-data"
|
|
|
|
#define AUTH_PASS_DATA L"auth-data"
|
|
|
|
#define ENTROPY_DATA L"entropy"
|
|
|
|
#define AUTH_USER_DATA L"username"
|
|
|
|
#define ENTROPY_LEN 16
|
|
|
|
|
|
|
|
static DWORD
|
|
|
|
crypt_protect(BYTE *data, int szdata, char *entropy, BYTE **out)
|
|
|
|
{
|
|
|
|
DATA_BLOB data_out;
|
|
|
|
DATA_BLOB data_in;
|
|
|
|
DATA_BLOB e;
|
|
|
|
|
|
|
|
data_in.pbData = data;
|
|
|
|
data_in.cbData = szdata;
|
|
|
|
e.pbData = (BYTE*) entropy;
|
|
|
|
e.cbData = entropy? strlen(entropy) : 0;
|
|
|
|
|
|
|
|
if(CryptProtectData(&data_in, NULL, &e, NULL, NULL, 0, &data_out))
|
|
|
|
{
|
|
|
|
*out = data_out.pbData;
|
|
|
|
return data_out.cbData;
|
|
|
|
}
|
|
|
|
PrintDebug(L"CryptProtectData failed (error = %lu)", GetLastError());
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static DWORD
|
|
|
|
crypt_unprotect(BYTE *data, int szdata, char *entropy, BYTE **out)
|
|
|
|
{
|
|
|
|
DATA_BLOB data_in;
|
|
|
|
DATA_BLOB data_out = {0,0};
|
|
|
|
DATA_BLOB e;
|
|
|
|
|
|
|
|
data_in.pbData = data;
|
|
|
|
data_in.cbData = szdata;
|
|
|
|
e.pbData = (BYTE *) entropy;
|
|
|
|
e.cbData = entropy? strlen(entropy) : 0;
|
|
|
|
|
|
|
|
if(CryptUnprotectData(&data_in, NULL, &e, NULL, NULL, 0, &data_out))
|
|
|
|
{
|
|
|
|
*out = data_out.pbData;
|
|
|
|
return data_out.cbData;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
PrintDebug(L"CryptUnprotectData: decryption failed");
|
|
|
|
LocalFree (data_out.pbData);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* If not found in registry and generate is true, a new nul terminated
|
|
|
|
* random string is generated and saved in registry.
|
|
|
|
* Else a zero-length string is returned and registry is not updated.
|
|
|
|
*/
|
|
|
|
static void
|
|
|
|
get_entropy(const WCHAR *config_name, char *e, int sz, BOOL generate)
|
|
|
|
{
|
|
|
|
int len;
|
|
|
|
|
|
|
|
len = GetConfigRegistryValue(config_name, ENTROPY_DATA, (BYTE *) e, sz);
|
|
|
|
if (len > 0)
|
|
|
|
{
|
|
|
|
e[len-1] = '\0';
|
|
|
|
PrintDebug(L"Got entropy from registry: %hs (len = %d)", e, len);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
else if (generate && GetRandomPassword(e, sz))
|
|
|
|
{
|
|
|
|
e[sz-1] = '\0';
|
|
|
|
PrintDebug(L"Created new entropy string : %hs", e);
|
|
|
|
if (SetConfigRegistryValueBinary(config_name, ENTROPY_DATA, (BYTE *)e, sz))
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
if (generate)
|
|
|
|
PrintDebug(L"Failed to generate or save new entropy string -- using null string");
|
|
|
|
*e = '\0';
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
/*
|
|
|
|
* Given a nul terminated string password, encrypt it and save in
|
|
|
|
* a config specific registry key with specified name.
|
|
|
|
* Returns 1 on success.
|
|
|
|
*/
|
|
|
|
static int
|
|
|
|
save_encrypted(const WCHAR *config_name, const WCHAR *password, const WCHAR *name)
|
|
|
|
{
|
|
|
|
BYTE *out;
|
|
|
|
DWORD len = (wcslen(password) + 1) * sizeof(WCHAR);
|
|
|
|
char entropy[ENTROPY_LEN+1];
|
|
|
|
|
|
|
|
get_entropy(config_name, entropy, sizeof(entropy), true);
|
|
|
|
len = crypt_protect((BYTE*) password, len, entropy, &out);
|
|
|
|
if(len > 0)
|
|
|
|
{
|
|
|
|
SetConfigRegistryValueBinary(config_name, name, out, len);
|
|
|
|
LocalFree(out);
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Encrypt the nul terminated string password and store it in the
|
|
|
|
* registry with key name KEY_PASS_DATA. Returns 1 on success.
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
SaveKeyPass(const WCHAR *config_name, const WCHAR *password)
|
|
|
|
{
|
|
|
|
return save_encrypted(config_name, password, KEY_PASS_DATA);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Encrypt the nul terminated string password and store it in the
|
|
|
|
* registry with key name AUTH_PASS_DATA. Returns 1 on success.
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
SaveAuthPass(const WCHAR *config_name, const WCHAR *password)
|
|
|
|
{
|
|
|
|
return save_encrypted(config_name, password, AUTH_PASS_DATA);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Returns 1 on success, 0 on failure. password should have space
|
|
|
|
* for up to capacity wide chars incluing nul termination
|
|
|
|
*/
|
|
|
|
static int
|
|
|
|
recall_encrypted(const WCHAR *config_name, WCHAR *password, DWORD capacity, const WCHAR *name)
|
|
|
|
{
|
|
|
|
BYTE in[2048];
|
|
|
|
BYTE *out;
|
|
|
|
DWORD len;
|
|
|
|
int retval = 0;
|
|
|
|
char entropy[ENTROPY_LEN+1];
|
|
|
|
|
|
|
|
get_entropy(config_name, entropy, sizeof(entropy), false);
|
|
|
|
|
|
|
|
memset (password, 0, capacity);
|
|
|
|
|
|
|
|
len = GetConfigRegistryValue(config_name, name, in, sizeof(in));
|
|
|
|
if(len == 0)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
len = crypt_unprotect(in, len, entropy, &out);
|
|
|
|
if(len == 0)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
if (len <= capacity * sizeof(*password))
|
|
|
|
{
|
|
|
|
memcpy(password, out, len);
|
|
|
|
password[capacity-1] = L'\0'; /* in case the data was corrupted */
|
|
|
|
retval = 1;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
PrintDebug(L"recall_encrypted: saved '%ls' too long (len = %d bytes)", name, len);
|
|
|
|
|
|
|
|
SecureZeroMemory(out, len);
|
|
|
|
LocalFree(out);
|
|
|
|
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Reccall saved private key password. The buffer password should be
|
|
|
|
* have space for up to KEY_PASS_LEN WCHARs including nul.
|
|
|
|
* Returns 1 on success, 0 on failure.
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
RecallKeyPass(const WCHAR *config_name, WCHAR *password)
|
|
|
|
{
|
|
|
|
return recall_encrypted(config_name, password, KEY_PASS_LEN, KEY_PASS_DATA);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Reccall saved auth password. The buffer password should be
|
|
|
|
* have space for up to USER_PASS_LEN WCHARs including nul.
|
|
|
|
* Returns 1 on success, 0 on failure.
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
RecallAuthPass(const WCHAR *config_name, WCHAR *password)
|
|
|
|
{
|
|
|
|
return recall_encrypted(config_name, password, USER_PASS_LEN, AUTH_PASS_DATA);
|
|
|
|
}
|
|
|
|
|
|
|
|
int
|
|
|
|
SaveUsername(const WCHAR *config_name, const WCHAR *username)
|
|
|
|
{
|
|
|
|
DWORD len = (wcslen(username) + 1) * sizeof(*username);
|
|
|
|
SetConfigRegistryValueBinary(config_name, AUTH_USER_DATA,(BYTE *) username, len);
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
/*
|
|
|
|
* The buffer username should be have space for up to USER_PASS_LEN
|
|
|
|
* WCHARs including nul.
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
RecallUsername(const WCHAR *config_name, WCHAR *username)
|
|
|
|
{
|
|
|
|
DWORD capacity = USER_PASS_LEN * sizeof(WCHAR);
|
|
|
|
DWORD len;
|
|
|
|
|
|
|
|
len = GetConfigRegistryValue(config_name, AUTH_USER_DATA, (BYTE *) username, capacity);
|
|
|
|
if (len == 0)
|
|
|
|
return 0;
|
|
|
|
username[USER_PASS_LEN-1] = L'\0';
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
DeleteSavedKeyPass(const WCHAR *config_name)
|
|
|
|
{
|
|
|
|
DeleteConfigRegistryValue(config_name, KEY_PASS_DATA);
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
DeleteSavedAuthPass(const WCHAR *config_name)
|
|
|
|
{
|
|
|
|
DeleteConfigRegistryValue(config_name, AUTH_PASS_DATA);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* delete saved config-specific auth password and private key passphrase */
|
|
|
|
void
|
|
|
|
DeleteSavedPasswords(const WCHAR *config_name)
|
|
|
|
{
|
|
|
|
DeleteConfigRegistryValue(config_name, KEY_PASS_DATA);
|
|
|
|
DeleteConfigRegistryValue(config_name, AUTH_PASS_DATA);
|
|
|
|
DeleteConfigRegistryValue(config_name, ENTROPY_DATA);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* check if auth password is saved */
|
|
|
|
BOOL
|
|
|
|
IsAuthPassSaved(const WCHAR *config_name)
|
|
|
|
{
|
|
|
|
DWORD len = 0;
|
|
|
|
len = GetConfigRegistryValue(config_name, AUTH_PASS_DATA, NULL, 0);
|
|
|
|
PrintDebug(L"checking auth-pass-data in registry returned len = %d", len);
|
|
|
|
return (len > 0);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* check if key password is saved */
|
|
|
|
BOOL
|
|
|
|
IsKeyPassSaved(const WCHAR *config_name)
|
|
|
|
{
|
|
|
|
DWORD len = 0;
|
|
|
|
len = GetConfigRegistryValue(config_name, KEY_PASS_DATA, NULL, 0);
|
|
|
|
PrintDebug(L"checking key-pass-data in registry returned len = %d", len);
|
|
|
|
return (len > 0);
|
|
|
|
}
|