In this case, as per management-notes.txt, a CRV1 response with
an empty password should be submitted. Currently we ignore
such "challenges" causing the regular user-auth dialog to be shown
instead.
Fix by displaying the message received from the server. Depending
on user action (OK or CANCEL), a properly formatted reponse with an
empty password is returned or the connection is aborted.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
In private key passphrase and dynamic-challenge/pkcs11 PIN
dialogs:
- Disable the OK button by default
- Require non-empty user input before the OK button is enabled
Signed-off-by: Selva Nair <selva.nair@gmail.com>
We had earlier supported blank passwords or OTPs to be submitted. Change
this by enabling the OK button only if some minimal inputs are present.
- In static challenge dialog require username and either password or
challenge-reponse (OTP) fields to be non-empty
- In normal user-auth dialog require username and password to be non-empty
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Process four new echo commands to construct messages to be
displayed to the user:
echo msg message-text
echo msg-n message-text
echo msg-window message-title
echo msg-notify message-title
Note: All rules of push and echo processing apply and determine
what is received as echo commands by the GUI. In addition,
'url-encoded' characters (% followed by two hex digits) are
decoded and displayed.
The message is constructed in the GUI by concatenating the text
specified in one or more "echo msg text" or "echo msg-n text"
commands. In case of "echo msg text" text is appended with a new
line. An empty text in this case will
just add a new line.
The message ends and gets displayed when one of the following
are receieved:
echo msg-window title
echo msg-notify title
where "title" becomes the title of the message window. In case of
msg-window, a modeless window shows the message, in the latter case
a notification balloon is shown.
Example: when pushed from the server:
push "echo msg I say let the world go to hell%2C"
push "echo msg I must have my cup of tea."
push "echo msg-window Notes from the underground"
will display a modeless window with title
"Notes from the underground" and a two line body
--
I say let the world go to hell,
I must have my cup of tea.
--
Note that the message itself is not quoted in the above examples
and so it relies on the server's option-parser combining
individual words into a space separated string. Number of words
on a line is limited by the maximum number of parameters allowed
in openvpn commands (16). This limitation may be avoided by quoting
the text that follows so that the option parser sees it as one
parameter.
The comma character is not allowed in pushed strings, so
it has to be sent encoded as %2C as shown above.
Such encoding of arbitrary bytes is suppored. For example,
newlines may be embedded as %0A, though discouraged. Instead
use multiple "echo msg" commands to separate lines by new line.
An example with embedded spaces and multiple lines concatenated
without a new line in between (note use of single quotes):
push "echo msg-n I swear to you gentlemen%2C that to be"
push "echo msg-n ' overly conscious is a sickness%2C ' "
push "echo msg-n a real%2C thorough sickness."
push "echo msg-notify Quote of the Day"
will show up as a notification that displays for an
OS-dependent interval as:
--
Quote of the Day
I swear to you gentlemen, that to be overly conscious
is a sickness, a real, thorough sickness.
--
where the location of the line break is automatically determined
by the notification API and is OS version-dependent.
Commands like "echo msg ..." in the config file are also
processed the same way. It gets displayed when the GUI connects
to the management interface and receives all pending echo.
Pushed message(s) get displayed when the client daemon
processes push-reply and passes on echo directives to the
GUI.
TODO: The actual window that displays the messages is
implemented in the next commit.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Currently we pop up the status window on double click only
if one connection is active though there is no strong reason to
limit this behaviour. In fact, when multiple connections are
stuck in the connecting state, its very useful to have a quick
way to examine their progress instead of having to drill down
the menu. Especially so when nested menu is in use.
A random variation of up to 100 pixel is added to the initial
position of the status window to avoid all windows falling on
top of each other.
To prevent an explosion of new windows in the very unlikely event
of numerous active connections, restrict the maximum windows
shown to 10.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
We didn't use interactive service when gui was running
under admin because of some privilege escalation vulnerability in Vista.
Apparently this issue doesn't exist on Win7 and newer versions so
it is safe to use iservice on those systems.
Introduce "Always use interactive service" option,
which is "on" by default. This should enable users,
who by various reasons run gui as admin, use Wintun.
When gui is running as admin and interactive service
cannot be started or not installed, warn that wintun will not work.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
The current code re-issues the next read request in the I/O
completion routine before the previous message is fully handled.
This could potentially lead to lost messages as the message buffer
is reused.
Fix by re-queuing the next read from OnService() after duplicating
the previous message.
The length check of the read message is omitted as it is implicitly
checked when scanning the message. Makes the logic simpler.
Reported by Lev Stipakov <lstipakov@gmail.com>
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Parent keeping the handle to write end of child's stdout will
cause ERROR_BROKEN_PIPE not signalled if/when the child exits.
Also add a wrapper for CloseHandle()
Fixes the GUI process hanging in read from child
if the latter unexpectedly dies due to some error.
Trac #1203
Signed-off-by: Selva Nair <selva.nair@gmail.com>
When using interactive service, route addition should use the
service. The user may not have privileges to set routes
otherwise. We already override any --route-method set in the
config file as openvpn.exe is started with --msg-channel as the
last option which sets route-method to ROUTE_METHOD_SERVICE.
This patch extends that to pushed --route-method
Also change _T("") to L"" in the edited lines to be explicit about
wide and narrow strings. We no longer support non-unicode builds.
No change when interactive service is not used.
Ref: issue #281
Signed-off-by: Selva Nair <selva.nair@gmail.com>
- Implement connection specific env variables. These are merged
with the process environment strings and passed to scripts.
- To set an env variable, use 'echo setenv name value' in the config
or push from the server. This will set "OPENVPN_name=value" in
the connections's env set. Note that "name" is mangled as
"OPENVPN_name" to avoid servers overwriting sensitive variables
such as PATH. Names are set in the order received and same name
overwrites any previously set value.
- Environment variable names are allowed to contain only alpha numeric
characters and underscore as in openvpn.exe. But, unlike openvpn.exe,
invalid names are ignored, not sanitized.
v2 changes (Dec 16, 2017):
- If value is missing, the directive is interpreted as a delete command
and the env var with matching name in the connection's env set is removed.
- Windows needs env block to be ordered:
While merging connection specific env vars with process env block, order
the entries 'alphabetically' (locale independent, case insensitive
unicode ordinal order). In case of duplicates, the value in connection
env set replaces the one in process env.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
After a failure the auth-pass dialog is shown with the password
field prefilled but highlighted. This allows the user to easily
overwrite the password or resubmit the old password if the
failure was temporary.
After a private key passphrase failure, the dialog is not
prefilled with saved password as this failure happens locally
and in such cases the password is very likely wrong.
If the user aborts the dialog by pressing cancel, the saved
password will get used during the next connection attempt.
Wrong username or password warning text is changed to: "Wrong
credentials".
Signed-off-by: Selva Nair <selva.nair@gmail.com>
- As disable_save_passwords may be enforced system-wide by an Administrator,
"echo save-passwords" should not be allowed to over-ride it. This was
overlooked in commit d4090a8842.
Fix it by ignoring this echo directive if disable_save_passwords is in
effect. Also write a log message to the status window.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
- Show the assigned IP numbers, traffic stats (bytes in/out), and
the GUI and OpenVPN core versions on the status window.
Note: IDS_TXT_BYTECOUNT = "Bytes in: %s out %s" needs translation.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
- New option --command <action> <params> to send commands to
a running instance of openvpn-gui.exe
Supported actions are
connect, disconnect, reconnect
each of which takes the name of the config (with or without the
extension .ovpn) as a parameter;
disconnect_all, exit
which take no parameter and
silent_connection
which takes an optional parameter = 0 or 1 (1 is the default)
Examples: with the gui running, start a new instance as
openvpn-gui.exe --command disconnect myvpn : ask running instance
to disconnect myvpn if connected
openvpn-gui.exe --command status myvpn : ask running instance
to show the status window for myvpn if available
openvpn-gui.exe --command disconnect_all : ask running instance
to disconnect all active connections
- The second instance exits after issuing a SendMessage to the
already running instance. If no action is specified, the running
instance is notified to show a balloon to alert the user
- These messages may also be sent from scripts as COPYDATA messages
with the wData element specifying the action to execute and lpData
a pointer to the parameter. The dwData param must be one of
WM_OVPN_xxx with xxx = START, STOP, RESTART, STOPALL, EXIT or
SILENT. See main.h for their values.
v2: Bug fixes based on test reports from larson0815
here: https://github.com/selvanair/openvpn-gui/issues/5
and cron410 here: https://github.com/OpenVPN/openvpn-gui/issues/104
Signed-off-by: Selva Nair <selva.nair@gmail.com>
- This works the same way as restart button in the status window
but is more conveniently accessible from the tray menu.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
- This case was missed by commit 5fb23f6ad9 that introduced
automatic username/password submission.
- Also avoid auto submit if the recalled password is an empty
string.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
- Effective only when username and password are saved.
- The user may interrupt auto submission and edit the username/password.
- If silent_connection is on the dialog is bypassed without any delay.
v2 changes:
- Display message in normal text color and show remaining time
Signed-off-by: Selva Nair <selva.nair@gmail.com>
- Flag password and username input if these contain an invalid character
(currently only embedded '\n' is disallowed). Shows a popup when OK
is pressed so that the user can correct the input and resubmit.
- Add an error message to the log when the management i/f returns
ERROR for incorrectly parsed commands. Otherwise such errors go
unnoticed.
Note: IDS_ERR_INVALID_USERNAME/PASSWORD need translations.
Reported and tested by: Florian Beier (H4ndl3 on github)
Fixes Trac: #958
Signed-off-by: Selva Nair <selva.nair@gmail.com>
- Change text color of log lines with flags = W, N, F
v2: replace strchr with memchr to avoid modifying line
Signed-off-by: Selva Nair <selva.nair@gmail.com>
- "Wrong username or password" message shown in the auth userpass dialog after
an auth failure
- "Wrong password" message shown in the private key password dialog after a
password failure.
These message texts are colored red by default (TODO: make the color customizable)
Signed-off-by: Selva Nair <selva.nair@gmail.com>
When the username is filled automatically, set the focus to
the password field. This way you can enter the password
immedediately without having the press TAB (or even worst
users using the mouse to click on the password field).
- A new registry HKLM\Software\OpenVPN\disable_save_passwords
(32 bit DWORD value) may be set to a non-zero value to
disable password saving by users. Applies to both auth and
private key passwords. Usernames are always saved.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Support the following echo commands
- "echo forget-passwords": delete passwords internally saved by the GUI
but do not disable the password save feature. Useful when pushed
from the server so that it gets processed after authentication. Also see
management-notes.txt in openvpn docs.
- "echo save-passwords": enables private-key and auth-user-pass passwords
to be saved. Will be effective at startup only if present in the config
file. If pushed from the server, will get used for subsequent
password prompts. Essentially this has the effect of presenting the password
dialogs to the user with save-password checkbox selected. The user may still
uncheck it during the dialog.
Note: echo commands are processed as and when they are received and in the order
received.
TODO: support for "echo setenv name var", "echo disable-save-passwords" etc..
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Without this the service will continue to wait for input from GUI
and log pipe read errors to the event log.
Also fix a typo in the error messgae shown.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Avoid reporting a connection that completed with errors (state change
message = CONNECTED,ERROR) as successful.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
- Check system metric for large and small icon sizes and
try to load the correct size instaed of scaling from one size.
Scaling will still happen if the required size is not available
in the icon resource. As we add more icon sizes they will
get automatically used as needed.
LoadImage scales up from next smallest size available. Revisit this
when LoadIconWithScaleDown (Vista+) becomes available in mingw.
Resolves Trac: #772 (icon scaling issue)
Signed-off-by: Selva Nair <selva.nair@gmail.com>
- Set dpi-awareness to true in the manifest (i.e., "system-dpi aware")
- Check system dpi and scale and/or position widgets and windows
that depend on the system dpi (only components within the status
window are affected).
Note: Declaring dpi awareness eliminates automatic rescaling of
windows that causes blurred text on high dpi monitors.
Windows 8.1 and later allow per monitor dpi setting which is
not handled here.
Note: IDS_NFO_TOKEN_PASSWORD_CAPTION and IDS_NFO_TOKEN_PASSWORD_REQUEST
strings need translation.
TODO: support for selecting pkcs11-id from the GUI
Signed-off-by: Selva Nair <selva.nair@gmail.com>
- Add a base64 decode function using Windows CyptoAPI
- Move multibyte to widechar conversions to a function
- Add config name to caption of password dialogs to help user
identify the request
- Add new dialog template for generic password/PIN requests
and use it to handle dynamic challenge
Note 1: if dynamic challenge response verification fails, an auth-failed
message is returned by the server causing the GUI to clear any saved
password even if the user-auth dialog itself succeeeded.
Note 2: Dialog template ID_DLG_CHALLENGE_RESPONSE added to language
files may require translation.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
WINAPI is __stdcall in 32 bit windows (ignored in 64 bit) causing
this bug to show up in the 32 bit version only.
Also fix out-of-bounds write of ovpn_version[] in openvpn.c
Resolves Trac #758
Signed-off-by: Selva Nair <selva.nair@gmail.com>
When openvpn exits due to error, the GUI pops up a modal dialog and
waits on user to click OK before cleaning up resources and closing
the status window. During this phase if the user clicks "connect"
from the tray menu, a new thread is started overwriiting several
handles in the connection struct.
Fix: Refuse to start a connection when previous status thread is
still active. Instead, bring the exisiting status window to fore-ground.
Also make the modal dialog a child of the status window for better
visibility.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Sometimes gracefully stopping openvpn fails leaving the
process running in background. This causes restarting of
connections to fail until those processes are manually killed.
- Read process ID from interactive service to get process
handle when openvpn is started by the service.
- Add a last resort method to forcefully terminate openvpn
process that fails to exit aftier sending stop signal. Terminate
is triggered after a 3 second timeout following Stop.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Option ediitng dialogs are in two tabs: General and Advanced.
Proxy related options are left in the proxy tab. Options
config_dir, config_ext, log_dir, script timeouts and
service-only flag are in the Advanced tab. All other more commonly
used flags and options are in the General tab.
- As options are editable, save values in registry only when they differ
from the default values. This leaves the registry clean and makes changing
options and their defaults during updates easier.
- Entries for config_dir and log_dir must be absolute paths.
Environemental variables such as %PROFILEDIR% may be used
to construct these.
- Empty config_dir, config_ext and log_dir entries are silently
ignored (i.e., the current values are left unchanged).
- Store all numeric and boolean parameters in registry as DWORD instead of
strings.
- On startup, the default parameters are loaded, then the registry is read
and finally command-line parameters parsedi.
- Out of range script timeout values in registry truncated with a
warning instead of fatal error. This allows the user to access the
settings dialog and make corrections.
- Save proxy and language settings under the same
HKCU\Software\OpenVPN-GUI key as other options instead of under Nilings.
- Save the current version of the GUI in regsitry so that updates
can be detected and any needed registry cleanup done.
- If no version info is present in the registry any values in OpenVPN-GUI
key in HKCU are deleted for a clean start as this is the first version
to save registry values in HKCU. Language and proxy data if present
under Nilings is migrated.
Note: new controls in the General tab and newly added Advanced tab dialog
are copied to all language files from the English version. These need to
be translated.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
- Replace allow_password by a runtime check that enables password
change menu only when the user has write-access to the key file.
- Read exe_path and priority from HKLM and do not duplicate in HKCU.
- Always allow the user to view the config: edit will succeed if user
has write access.
- Always include the proxy settings tab which is the default.
- Remove the unused power event handling and disconnect_on_suspend key.
- Remove password_attempts -- user can stop the password dilaog
by clicking cancel.
- Remove allow_service: implicitly enabled if service_only is used.
- Deprecate removed options in cmd-line parser
- Update README.rst
- Close config file before exit in GetKeyFileName
- Close thread and dialog handles in passphrase.c
Signed-off-by: Selva Nair <selva.nair@gmail.com>
- Username and, optionally, password as well as the private
key passphrase are saved in config-specific registry keys
- All saved data are kept encrypted using DPAPI
- The passphrase dialog is skipped if a valid saved private
key password is available. However, the user-auth dialog
is always presented, prefilled with the saved username
and password.
Note: A text string "Save password" is added to three dialogs
in all language resource files. Additional text with ids
IDS_MENU_CLEARPASS and IDS_NFO_DELETE_PASS are added to the
STRINGTABLE only in the English language resource file.
All these need translations.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
PostThreadMessage used to trigger exit event gets lost while
in modal dialog loops such as auth dialog. Replace it by PostMessage
and handle it in the status window callback.
Fixes openvpn processes left behind if exit is pressed while
user-auth dialog is active.
Changes after feedback:
- Use PostMessage correctly in SuspendOpenVPN() (error pointed
out by leobasilio@gmail.com).
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Asynchronously read Input on the service pipe which are mostly
errors reported by the service. Display the errors on the status log
window and to the log file if its not opened by openvpn.
If/when openvpn fails to start or exits with error, close
the connection without waiting for management socket timeout.
v2:
- rebase to master
- fix a bug in setting manage.connected state
- ensure management socket is closed and resources freed before thread exit
Signed-off-by: Selva Nair <selva.nair@gmail.com>
When a connection is attempted using a config in a location
that would fail, offer an option to add the user to the "OpenVPN
Administrators" group. This is done using shell-execute which will
show a UAC prompt for elevation. If it fails (due to user chooses
NO or the UAC dialog fails) the connection is not started.
v2 Changes
- Rebase to master
- Automaticlaly add the admin group if it doesn't exist
- Allow unicode strings in debug output
- Use domain\username to identify user
- Fix the PrintDebug macro
Minor changes based on user feedback
- Bring the window back to foreground after UAC prompt completion
- Show a message if another connection is tried during authorization
- Do not add user to ovpn_admin_group if it is same as the built-in admin group
Signed-off-by: Selva Nair <selva.nair@gmail.com>
- Handle early errors (openvpn exits before management connection is up)
with a helpful error message that points the user to view log.
- Include only readable config files in the connection list
- Warn if no connection profiles found
TODO: handle startup errors from interactive service
This is needed to avoid early messages going to stdout leaving no
trace of errors when openvpn exits before management interface is up.
It also ensures that any --log directives in the config do not override
the log file location.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Connecting to a named pipe server while running with admin rights is not
secure in some windows versions. As the interactive service is not required
to set routes while running as admin, this looks like a safe compromise.
Fix based on feedback from Heiko Hund
- Move IsUserAdmin() check before opening the service pipe
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Proxy settings are fetched from the users Internet Options
for the active connection. If WPAD or a PAC script is configured
they are preferred and used for automatic proxy detection.
Proxy bypass configuration is completely ignored.
Selva Nair