Add a timer to periodically simulate mouse movement
using SendInput, preventing the pre-logon UI from being
dismissed due to inactivity during mobile QR code authentication.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
When CR_TEXT or dynamic CR prompt is triggered with
'response not required' ('R' not present in flags), we hide the response
box, but not the password reveal eye icon. Fix it.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Instead of opening the browser window in PLAP context (which is insecure),
display a dialog with a QR code and ask the user to scan it on a mobile device.
QR code generation is taken from MIT-licensed library:
https://github.com/nayuki/QR-Code-generator/blob/master/c/qrcodegen.c
Before that I tried the vcpkg libqrencode package but gave up after
10 minutes of building dependencies (it requires msys2 etc.).
Note that you need to add
setenv IV_SSO webauth
to PLAP profile to make it work.
Fixes: https://github.com/OpenVPN/openvpn-gui/issues/687
Signed-off-by: Lev Stipakov <lev@openvpn.net>
C:\windows\Temp\ has been write-protected for a while now,
so instead of hardcoding the (wrong) path, use GetTempPath().
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Since the introduction of persistent connections, we
no longer recreate the entire config menu but only add newly
added connection profiles during each rescan. This leaves
any deleted configs actively displayed in the menu until the
GUI is restarted.
Improve this situation by graying out entries corresponding to
profiles not readable from file system. If the file reappears,
the item gets automatically enabled again.
Also, if the corresponding connection is active, the item is not
grayed out to allow the user to disconnect or reconnect it.
Otherwise the corresponding OpenVPN core process will hang around
with no way to control it from the GUI. Here "active" includes
those on management-hold in case of persistent connections, as
those can be started even if the underlying config file has
gone missing.
Addresses github issue #729
Signed-off-by: Selva Nair <selva.nair@gmail.com>
echo.c:221:72: error: comparison of integer expressions of
different signedness: ‘long unsigned int’ and
‘time_t’ {aka ‘long int’} [-Werror=sign-compare]
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
tray.c:783:36: error: the comparison will always
evaluate as ‘true’ for the pointer operand [...]
must not be NULL [-Werror=address]
True.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
This happens on newer MinGW versions:
openvpn.c:176:19: error: the comparison will always
evaluate as ‘false’ for the pointer operand in
‘flags + -1’ must not be NULL [-Werror=address]
Strictly speaking this is a false positive, but
the pointer handling is a bit weird, so make the
code more straight-forward.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
But avoid -Wcast-function-type (from -Wextra)
since that is not useful for code using
GetProcAddress.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Avoid
warning C4996: '_snwprintf': This function or variable may be unsafe
Also makes the code generally simpler.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
openvpn.c:1709:29: warning: ISO C does not support the 'I'
scanf flag [-Wformat=]
openvpn.c:1709:34: warning: format ‘%u’ expects argument
of type ‘unsigned int *’, but argument 3 has type
‘long long unsigned int *’ [-Wformat=]
Switch to using portable identifiers.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
This allows one to ignore the project-wide reformats
for the purposes of git blame.
File comment copied from openvpn.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
- Remove useless caching. Currently the build doesn't
need any dependencies.
- Remove useless sub-directory
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Int32x32To64 macro internally truncates the arguments to int32,
while time_t is 64-bit on most/all modern platforms.
Therefore, usage of this macro creates a Year 2038 bug.
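Added example (not code from openvpn-gui) emulating the truncation described above: the Win32 macro casts both operands to 32-bit LONG before the 64-bit multiply, so a 64-bit time_t past 2038-01-19 wraps negative. The conversion factor (seconds to 100-ns intervals) is an assumed use, chosen only to illustrate the effect.

```python
INT32_MAX = 2**31 - 1

def to_int32(v: int) -> int:
    """Truncate to a signed 32-bit value, the way a C cast to LONG does."""
    v &= 0xFFFFFFFF
    return v - 2**32 if v > INT32_MAX else v

def int32x32to64(a: int, b: int) -> int:
    """Emulation of Win32 Int32x32To64: ((LONGLONG)(LONG)a) * ((LONGLONG)(LONG)b).
    The cast to LONG happens before the multiply, so 64-bit inputs lose bits."""
    return to_int32(a) * to_int32(b)

# Assumed conversion: seconds -> 100-nanosecond intervals (FILETIME units).
HUNDRED_NS_PER_SEC = 10_000_000

def seconds_to_100ns_buggy(t: int) -> int:
    """Uses the macro on a 64-bit time_t: correct only while t fits in 32 bits."""
    return int32x32to64(t, HUNDRED_NS_PER_SEC)

def seconds_to_100ns_fixed(t: int) -> int:
    """Plain 64-bit multiplication (what (LONGLONG)t * factor does in C)."""
    return t * HUNDRED_NS_PER_SEC

# Constructed sample: 2^31 seconds since the epoch is 2038-01-19T03:14:08Z,
# the first time_t value that no longer fits in a signed 32-bit LONG.
Y2038 = 2**31

def demo() -> tuple[int, int]:
    """Returns (buggy, fixed) results for the first post-2038 second."""
    return seconds_to_100ns_buggy(Y2038), seconds_to_100ns_fixed(Y2038)

if __name__ == "__main__":
    buggy, fixed = demo()
    print(f"macro result: {buggy} (negative = wrapped), 64-bit result: {fixed}")
```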
* Position tooltip below the taskbar when it is at the top of the screen
Fixes github issue #710
Signed-off-by: Selva Nair <selva.nair@gmail.com>
* Update CHANGES.rst
Signed-off-by: Selva Nair <selva.nair@gmail.com>
---------
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Add a checkbox to the general settings menu
to always prompt for OTP when prompting for password
even if no static-challenge request is received from
the management interface.
The response is appended to the password using the
concatenation format and submitted to the management interface.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Parse the flag in SC:<flag>,TEXT directive for static-challenge,
and enable the option to concatenate password and response
if indicated in flag.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Static challenge response and password are optionally
concatenated and submitted instead of using the SCRV1
protocol. The code is activated in the next commit.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
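Added example, not code from openvpn-gui, covering the three static-challenge commits above: parsing the SC:<flag>,TEXT directive, choosing between the SCRV1 encoding and plain concatenation, and the "always prompt for OTP" case where no SC directive arrived at all. The SCRV1 layout (SCRV1:base64(password):base64(response)) is OpenVPN's documented format; the bit positions inside <flag> (bit 0 = echo, bit 1 = concatenate) are an assumption made for this example.

```python
import base64
from dataclasses import dataclass
from typing import Optional

# Assumed bit layout of the <flag> field in "SC:<flag>,<TEXT>".
SC_FLAG_ECHO = 0x1     # echo the typed response
SC_FLAG_CONCAT = 0x2   # concatenate password+response instead of SCRV1

@dataclass
class StaticChallenge:
    echo: bool
    concat: bool
    text: str  # challenge text shown to the user

def parse_static_challenge(directive: str) -> StaticChallenge:
    """Parse the SC:<flag>,<TEXT> directive from a PASSWORD: prompt line."""
    if not directive.startswith("SC:"):
        raise ValueError("not a static-challenge directive")
    flag_str, sep, text = directive[3:].partition(",")
    if not sep:
        raise ValueError("static-challenge directive lacks ',TEXT'")
    flag = int(flag_str)  # ValueError on a non-numeric flag
    return StaticChallenge(echo=bool(flag & SC_FLAG_ECHO),
                           concat=bool(flag & SC_FLAG_CONCAT),
                           text=text)

def _b64(s: str) -> str:
    return base64.b64encode(s.encode("utf-8")).decode("ascii")

def build_password(password: str, response: str,
                   sc: Optional[StaticChallenge]) -> str:
    """Value submitted as the password to the management interface.

    sc is None when the user enabled 'always prompt for OTP' but the
    server sent no SC directive; only the concatenation format applies then.
    """
    if sc is None or sc.concat:
        return password + response
    return f"SCRV1:{_b64(password)}:{_b64(response)}"

if __name__ == "__main__":
    # Constructed sample prompt: echo on, SCRV1 format.
    sc = parse_static_challenge("SC:1,Enter OTP")
    print(build_password("pw", "123456", sc))
```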
If an attacker with SeImpersonatePrivilege manages to create a
named pipe server with a name matching that used by the "Interactive
Service", the GUI connecting to it could allow the attacker to
impersonate the GUI user.
Fix by validating the service pipe by comparing the pid of the pipe
server with that of the "Interactive Service".
Note: GetNamedPipeServerProcessId() returns the pid of the process
that created the first instance of the pipe. So, this patch only
guards against a rogue pipe instance created before the service
has started. This has to work in combination with a patch for the
service that disallows creation of additional pipe instances when
the service is running.
CVE: CVE-2024-4877
Reported by: Zeze with TeamT5 <zeze7w@gmail.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Use Shell_NotifyGetRect to find the icon location and place the
tip window a fixed distance above/below it.
It appears GUID_NULL used for above is not pulled in by shellapi.h.
Define locally when absent.
Also add TTF_RTLREADING for RTL languages. How to right justify
as well in this case is unclear.
Signed-off-by: Selva Nair <selva.nair@gmail.com>