726 Commits (5204df0e8079a1f34b7e0c442155da8d2ee55736)

Author SHA1 Message Date
Selva Nair 5204df0e80 Use RTL layout for Farsi
Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-11-28 13:25:28 -05:00
justwho 6002404e2b Update openvpn-gui-res-zh-hans.rc 2022-11-11 15:47:37 -05:00
Frank Lichtenheld 82a6701eb5
Merge pull request #540 from flichtenheld/master
Bump version to 11.31.0.0
2022-11-10 18:36:22 +01:00
justwho ed66957dc7 Update openvpn-gui-res-zh-hans.rc 2022-11-08 11:18:40 -05:00
Frank Lichtenheld 7b0479efb5 Bump version to 11.31.0.0
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
2022-11-07 10:29:15 +01:00
Selva Nair 18ba3b2480 PLAP: Document usage in README
Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-11-05 18:18:06 -04:00
Selva Nair f6d844b71d Update README
- Remove description about run-as-admin that is out-dated.
  Simply state that the GUI is supposed to be run as a limited user.

- Document persistent connections support in the GUI.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-11-05 18:18:06 -04:00
Selva Nair d83ec473ef Forget passwords while stopping persistent connections
In case of persistent connections, openvpn.exe is still running
after a disconnect, and another user can restart it without needing
credentials using cached passwords. Avoid this by sending
"forget-passwords" to the management interface before disconnect.

Only persistent connections are affected.

In openvpn.exe versions >= 2.5.8, this will also clear cached
auth_token, if present.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-11-05 18:18:06 -04:00
Selva Nair be8a8cca12 Add OpenVPN version in 'About' page
The version of openvpn.exe found at runtime is shown
on the About page.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-11-05 18:17:11 -04:00
Selva Nair 41a92199e4 Update copyright year in About tab
Also remove related variables from configure.ac
as those are unused since we updated resources to be
MSVC compliant.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-11-05 18:17:11 -04:00
Selva Nair 2d72958f8d Bump version to 11.30
Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-11-04 11:34:26 -04:00
Lev Stipakov 6924b09a35 service: change CheckServiceStatus() return type to VOID
CheckServiceStatus() return value is never used - the status
is set to global options_t struct.

While on it, remove unnecessary "false" argument
and reformat the code.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2022-10-20 21:25:38 -04:00
Selva Nair 7d078dd151 PLAP: Add an option to register the COM dll
- ShellExecute with runas is used to elevate
- This Option is hidden if PLAP dll is not found in the
  install_path bin folder
- Depends on the presence of openvpn-plap-install.reg
  and openvpn-plap-uninstall.reg in the install-path bin
  folder.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-10-19 09:49:15 -04:00
Selva Nair 577d982b51 PLAP: try to start automatic service if not running
Connection profiles shown on the login screen using PLAP
require automatic service that starts openvpn.exe
processes for these profiles.

This commit adds an attempt to start the service from
PLAP dll. The service is started only if any PLAP enabled
profiles are found.

As starting the service can spawn up OpenVPN.exe processes and
the GUI may attach to them, auto-connect in the GUI is
suspended during session lock to leave the connections free to
be controlled from PLAP screen.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-10-19 09:49:15 -04:00
Selva Nair 67a8db7664 PLAP: Do not show profiles with no management address
Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-10-19 09:49:15 -04:00
Selva Nair d6775b9b71 Persistent connections: show an error msg when connect fails
If '--management' option cannot be parsed in the config file of a
persistent profile (due to missing option, unreadable password etc.),
connecting it from the GUI menu fails.
In such cases show an error message instead of silently failing.
The message is shown only during manual connect attempts,
not during auto-connect or resume.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-10-19 09:49:15 -04:00
Selva Nair 2ea4bf9229 Add a test program for PLAP provider module
- instantiate OpenVPN PLAP provider which will enumerate configs
  in config-auto directory.
- Attempt to connect each config found one after the other

The test program is deliberately written in C++ as that's how most
Windows programs (and likely, LogonUI.exe) may use the COM object.

Note that duplicate configs are ignored, so ensure that config
files in config-auto are not "shadowed" by identically named ones
in user's profile or in global config folder.

Additional notes:
The test program is not linked to the plap dll.
Instead it finds the module using CoGetClassObject,
so the plap dll must be registered in the system.

It also tests dynamically loading the dll from
C:\Program Files\OpenVPN\bin\libopenvpn_plap.dll
which should succeed even if the registration is not
proper.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-10-17 11:05:44 -04:00
Selva Nair a60b3c540b Enable MSVC build of libopenvpn_plap.dll
Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-10-17 11:05:44 -04:00
Selva Nair c5c856aaa1 Add credentialprovider.h not in mingw-w64
This header has been recently added to mingw-w64 on our
request. Until it's available in released versions,
wget it from mingw-w64's github repo.

Only affects autotools-based builds -- MSVC builds will pick the
native header.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-10-17 11:05:44 -04:00
Selva Nair ed0ceeb95b Add a progress dialog during Connect()
- The dialog supports retry and cancel and shows
  a progress marquee

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-10-17 11:05:44 -04:00
Selva Nair e64b18074f Intercept management callbacks for better control of the UI
- Dialog windows of connections can popup at any time due to
  restarts not in user's control. Avoid this by marking
  current profile being connected, and intercepting dialogs for
  other profiles.

  This is implemented by hooking into management callbacks such as
  OnPassword, OnNeedOk etc.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-10-17 11:05:44 -04:00
Lev Stipakov 70610afc2f Add a BMP image for PLAP tile and use it 2022-10-17 11:05:44 -04:00
Selva Nair a500b9553e Implement Pre-Logon Access Provider for start before logon
- COM interfaces for ICredentialProvider and
  IConnectableCredentialProviderCredential combined
  with a trimmed down user-interface implemented as
  libopenvpn_plap.dll

- Connections autostarted by OpenVPNService are enumerated
  as possible PLAP connections. The user is expected to leave
  these in management hold so that "connect" will popup any
  required user dialogs.

To use:
 - Register the dll as a PLAP provider (see included .reg files)
 - The enumerated connections will show up as tiles in the PLAP
   screen of the login desktop (secure desktop).

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-10-17 11:05:44 -04:00
Selva Nair b828e763ad Some refactoring to help code reuse
- Move MsgToEventLog from main.c to misc.c
- Move dpi_initialize from main.c to misc.c

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-10-17 11:05:44 -04:00
Selva Nair b2f60c239a Change state to connecting/resuming before return from StartOpenVPN
- Early state change from the main thread makes it synchronous and
  thus easier to wait on the connection to complete when started
  programmatically.
  Made use of in Connect() in the PLAP implementation that follows.

Does not affect the current mode of operation.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-10-17 11:05:44 -04:00
Selva Nair 47f950eca7 Store daemon_state in connection struct
Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-10-17 11:05:44 -04:00
Selva Nair 4acafcf355 Parent status and message box windows in the GUI
- Proper parenting is required for PLAP and cannot
  hurt in general. The parent window in GUI mode
  is the main window. In PLAP it will be the handle
  obtained from LogonUI.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-10-17 11:05:44 -04:00
justwho 89e46df455
Update openvpn-gui-res-zh-hans.rc (#520)
* Update openvpn-gui-res-zh-hans.rc
2022-10-15 12:02:27 -04:00
Lev Stipakov 9294485657 Fix crash on empty state response
OpenVPN3 doesn't yet support "state"
management command without parameters.

While this has to be fixed on OpenVPN3
side, it doesn't mean that gui could simply crash.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2022-09-02 10:39:52 -04:00
phoeo 732875d8ff
Add missing Russian localization lines (#517)
* Add missing Russian localization lines

* fix lines mentioned in code review
2022-08-11 14:16:34 -04:00
Selva Nair c1b0f0bbd2 Auto adjust column widths in pkcs11 list view
Currently a fixed width is assigned for valid until
column and it's not enough for the date in all locales
(e.g., date in Chinese traditional overflows).

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-08-10 09:22:12 -04:00
Selva Nair e5ab9d74bd Fix potential string mishandling in LocalizedTime
Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-08-10 09:22:12 -04:00
Selva Nair 788a4c1f9e Do not tokenize comments -- save it as a string
- Comments (whole line or trailing segment) are assigned as
  a single string to ce->comment. The comment character is
  preserved.

- Also some bug fixes and error logging:
    Initialize status variable before use
    Do not parse escaped single quote (matches openvpn.exe)
    Log parsing error
    Remove leading "--" from first token

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-08-08 10:11:25 -04:00
Selva Nair 170a9b9e76 Copy resources for persistent connections
Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-08-08 10:11:25 -04:00
Selva Nair 6932c5e710 Change the logic of releasing persistent connections in OnHold
(i)
State is changed to detached before auto-starting
so that OnHold() will see state = resuming and keep the hold.

State is set to disconnected instead of detached on detach
so that manual starts will release the hold automatically.

End result: While connecting automatically, do not release if
management-hold is on. But while started manually, release
from hold so that connection can complete without further
user action.

In normal use of automatic service, one would not add management
hold into the config. However, if the user disconnects the connection
the GUI puts it on hold, and we do not want to auto-start it after a
lock-unlock or some other automatic action.

(ii)
Also, currently, for persistent connections, the status
window is not shown automatically which feels unnatural in
real use. Instead, popup the status window when connection
is manually initiated. It's not popped up when automatically
attached to or if silent_connection is on.

Only persistent connections are affected by the change.

fixup: config file list is not recreated from scratch when
enable_persistent == 2 (auto attach mode) to avoid losing info
such as auto_connect = false on detached connections.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-08-08 10:11:25 -04:00
Selva Nair 314ceb04b4 Show a message if waiting for management interface
When retrying connect() on management socket, log a message.
Especially useful when waiting for a persistent daemon to
come up after an unexpected exit or service disconnect.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-08-08 10:11:25 -04:00
Selva Nair 44990cd83d Detach persistent connections on switch user
This allows a new user to attach to the mgmt i/f of
persistent connections which would be otherwise blocked
by the previously logged in user.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-08-08 10:11:25 -04:00
Selva Nair 7f794eec3d Add a button for detaching from the management interface
Useful for releasing the management interface if the user wants to
connect to it by other means.

Detached connections are set to state = detached (not disconnected)
and auto_connect disabled, so that they could be handled properly
during a re-attach.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-08-08 10:11:25 -04:00
Selva Nair 0e76e4b544 Option to disable attaching to persistent connections
Three options are provided to control scanning of persistent
(pre-started) connections in config-auto folder, and how they
are attached to.

Auto: Scan and list persistent connections and attach to their
      management i/f automatically at startup, and periodically
      retry on failure to attach.
Manual: Scan and list as above, but do not attach automatically.
      User can attach to such connections by manually clicking
      connect.
Never: Do not scan config-auto folder.

Default is "Auto"

Change of this setting in the settings menu will take full effect
only if none of the connections are in connecting/connected/detached
state so that the connection list can be updated. Otherwise
restart the GUI.

TODO: Copying the settings dialog changes to all languages

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-08-08 10:11:25 -04:00
Selva Nair 0baf486cb4 Extend management socket state
Distinguish between management socket connected and
ready for interaction with the server. The former can
happen even if the server is connected to another client
and thus non-responsive.

Use manage.connected = 1 in place of true when connected
and = 2 when handshake with server completed and ready for
input.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-08-08 10:11:25 -04:00
Selva Nair e417976b27 Gracefully handle management password mismatch
With persistent connections, we may not have the password
or may have a wrong password. Handle such cases while
connecting to the management interface.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-08-08 10:11:25 -04:00
Selva Nair 147bc1a106 Parse the config file for management i/f params
- Parse the management interface address and password
  from the config file
- Hide the status Window by default for persistent
  connections --- their startup is automated and may
  distract the user otherwise. The user can use the
  menu to review status when required.
- Seed srand() using threadId instead of time. Although we
  use rand() only for cosmetics, the latter is almost
  never unique among threads when multiple connections can
  get started in a succession with this patch set.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-08-08 10:11:25 -04:00
Selva Nair fc05de0c7b Add a parser for ovpn config files
- This will be used for reading the management i/f
parameters for externally started (persistent) openvpn.exe

TODO: replace the parsing of config file in passphrase.c
using this.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-08-08 10:11:25 -04:00
Selva Nair 477c61ff83 Parse config-auto directory for persistent connections
- Parse the config-auto folder used by automatic service
  and mark these profiles as persistent.

- These connections are marked as auto_connect to try
attaching to them at start up with periodic retry in
case the daemon or service are restarted.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-08-08 10:11:25 -04:00
Selva Nair 8f0dbbc8a3 Always check status of automatic service
- Remove service-only mode (start/stop service) which has not been in
  use since we moved to running the GUI as limited user.
  Also it's not very useful as it does not allow any control of
  service-started daemons

- Keep CheckServiceStatus and always check the status of
automatic service.

The status of the service will be used to toggle supporting
control of persistent connections started by the service.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-08-08 10:11:25 -04:00
Selva Nair 428ee29246 Add support for marking connections as persistent
Persistent connections have openvpn.exe daemon started
external to the GUI (e.g., by the automatic service).
This patch adds support for attaching to the management
i/f of such daemons from the GUI and controlling the connection.

The GUI never stops or starts the openvpn.exe process in this
case. Instead, connect and disconnect buttons signal the
management interface of a running openvpn.exe process to start
the tunnel by attaching to mgmt i/f and sending hold-release if
needed or stop it and wait in management-hold state
(see DisconnectDaemon()).

When the GUI process exits, persistent connections are left in their
current state using DetachOpenVPN().

No connections are marked as persistent as yet. That is done
in a following commit.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-08-08 10:11:25 -04:00
Selva Nair f8a1495667 Refactor StartOpenVPN()
- Split starting the status thread and launch of the
daemon process (openvpn.exe) into separate functions.

This is useful for implementing control of persistent connections
where the daemon is launched externally: e.g., by the
automatic service.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-08-08 10:11:25 -04:00
justwho 552441e407
Update openvpn-gui-res-zh-hans.rc (#514)
* Update openvpn-gui-res-zh-hans.rc

* Update openvpn-gui-res-zh-hans.rc
2022-07-28 09:51:03 -04:00
Ilya Shipitsin 55580d33b7 adjust build options to harden binaries
enable hardware-enforced stack protection on
compatible hardware/software (/CETCOMPAT linker option)

enable QSpectre protection

enable Control Flow Guard

issues were found by Microsoft BinSkim
2022-07-25 09:41:59 -04:00
Selva Nair 4f0b94bf19 Copy new dialog and resources to all language files
Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-07-19 12:08:02 +02:00