Commit Graph

676 Commits (e5482597221ec04c9474144db969af035f698409)

Author SHA1 Message Date
Selva Nair e548259722 Copy IDS_ERR_URL_IMPORT_PROFILE resource to all language files
This was missed in an earlier commit.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-07-19 12:08:02 +02:00
Selva Nair 6d67f81814 Show certificate details on double-clicking pkcs11 list entries
- For mingw builds, currently this works only for x64 target
  due to missing library for i686 target.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-07-19 12:08:02 +02:00
Selva Nair 84be448777 Handle pkcs11-id query from daemon
Add support for selecting pkcs11-id  from the GUI.
Requires --management-pkcs11-id in the config file.
This option is not added by the GUI.

A list of all available pkcs11 certificates are presented to the
user with buttons OK, Cancel, Retry. OK submits the selected
entry, Cancel closes the connection, Retry reconstructs the
list of certificates by querying the daemon again. The latter
can be used to retry after inserting a token.

If no certificates are found, a message suggesting to insert
a token and press 'Retry' is displayed.

The list shows the "Issued-to", "Issued-by" names
(usually the subject & issuer common names) and valid-until
date in current locale for each certificate.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-07-19 12:08:02 +02:00
Selva Nair 05779fbb9b Add LocalizedFileTime function
- refactor LocalizedTime

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-07-19 12:08:02 +02:00
Selva Nair 819629e2a5 Find a free port for management interface
Bind a socket and then close to identify
a free port and use it when starting openvpn.exe.

Try port = offset + config-index is first, matching
the current usage, and fallback to a dynamic port if
the former fails.

Trac: #1051
Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-07-01 10:57:51 -04:00
justwho f22a45e349 Update openvpn-gui-res-zh-hans.rc 2022-06-21 13:57:11 +02:00
Selva Nair b44e685ff8 Retry on management timeout instead of aborting
In  some cases the service may take a while to startup openvpn.exe,
causing connection to the management interface to timeout. This could
leave  behind the OpenVPN process if/when it eventually starts up.
(Trac 905, 1050).

As errors in starting up the OpenVPN daemon are independently
handled, its better to keep retrying the management interface connection
until aborted due to errors or by the user.

- On timeout, log a message on the status window and retry the
  management interface connection

- Eliminate the timed-out state that is no longer used

- Call StopOpenVPN() before abort so that OpenVPN daemon
  is not left running in case it starts up later.

- In the unlikely event that OpenManagement() fails, show an error

- User can abort by pressing disconnect

A "retrying.." message is logged on to the status window every
15 seconds.

See Trac: #905, #1050

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-06-20 13:15:45 -04:00
Selva Nair 3e37291e5d Set WS_EX_TOPMOST style on dialogs
This extended style makes the window topmost in z-order.
We currently set this for the user-auth and private-key
passphrase dialogs, but useful for any dialog that may popup
without user interaction.
(Eg., challenge response during a server-initiated restart
or reneg).

Trac: #1465

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-06-20 09:08:54 -04:00
Lev Stipakov d60325acde Support for OpenVPN 3
This adds optional support for using OpenVPN3 client
as an alternative to openvpn2.

Just replacing one client with another will not work:

 - OpenVPN3 doesn't use interactive service, it uses
"agent" service with completely different protocol. OpenVPN GUI
needs to talk to agent using HTTP and JSON.

 - OpenVPN3 management interface realtime notifications must be
explicitly turned on in order for GUI to work.

To enable using openvpn3:

 - use any of *-ovpn3 presets (cmake build system)

 - ./configure --enable-ovpn3 (mingw)

To switch betweet openvpn2 and openvpn3, see "OpenVPN Engine"
radiobutton group in Settings -> Advanced dialog.

OnReady() implementation was slighly changed - "log all on"
replaced with "log on all" - according to management interface
documentation this is the right way to do it, and also OpenVPN3
only supports "on all" order.

Management interface - enabled OpenVPN3 client (omiclient.exe) and
agent (ovpnagent.exe) are now part of openvpn3 repo.

Co-authored-by: Christopher Ng <facboy@gmail.com>
Signed-off-by: Christopher Ng <facboy@gmail.com>
Signed-off-by: Lev Stipakov <lev@openvpn.net>
2022-06-15 10:32:36 -04:00
Samuli Seppänen 8f3c7a0b38 Bump version to 11.29
Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
2022-05-31 11:52:18 +00:00
Lev Stipakov 271648c6c3 cmake: replace Ninja generator with MSVC
Ninja makes build slightly faster but requires running
"x64" developer command prompt, not the "default" one.
Without that, cmake silenly produces x86 binaries and it might
take a while to find out the reason. To avoid confusion, switch back
to MSVC generator.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2022-05-31 11:56:30 +03:00
Lev Stipakov a85bba9654 CMakePresets: fix arm64 debug/release config
Signed-off-by: Lev Stipakov <lev@openvpn.net>
2022-05-26 21:21:45 +03:00
Lev Stipakov 09aa7ef730 CMakePresets.json: use MSVC generator for ARM64 builds
Sadly, CMake/Ninja combo doesn't work well for ARM64
(similar to
https://stackoverflow.com/questions/47581784/building-a-x86-application-with-cmake-ninja-and-clang-on-x64-windows)
- it silently produces x64 binaries instead of arm64.

Switch to slower MSVC generator.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2022-05-26 16:24:13 +03:00
Lev Stipakov 307e043d7e build.rst: add MSVC build instructions
Signed-off-by: Lev Stipakov <lev@openvpn.net>
2022-05-24 14:20:51 +03:00
Lev Stipakov b6f26818a9 Use vcpkg manifest and cmake presets
Manifest is a convenient way to automatically
install dependencies. Since we have to support
both OpenSSL 1.1.1 (for OpenVPN 2.5) and OpenSSL 3
(for coming OpenVPN 2.6) and manifest file name
is hardcoded, we create two manifests and put them
into different directories.

To simplify build process, define configuration presets
for arch (x86/x64/arm64), debug/release and oss1.1.1/ossl3.

This way building is greatly simplified:

  cmake -S . --preset x64-debug-ossl3
  cmake --build --preset x64-debug-ossl3

Update GitHub Actions script accordingly.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2022-05-24 14:20:51 +03:00
Selva Nair 79f5cb91c6 Do not escape single quote character
Commit 6271d2f67 added escaping of single quote in
quoted strings which is wrong. Fix it.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-04-04 19:58:36 +02:00
Selva Nair 2cc5788367 Check pointer is not NULL before passing to strlen
Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-03-11 21:24:25 +01:00
Selva Nair 6271d2f674 Fix passing username for CRV1 response
Escape the username string before passing to management
interface. For other dialogs this is already done.

Move string-escape to a function and process the username
through it.
Also escape space, single quote in addition to double quote
and backslash.

Reported by: Jakob Curdes <jc@info-systems.de>

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-03-11 07:50:08 +01:00
Lev Stipakov 9d2e79dc6a GitHib Actions: add MinGW builds
Add mingw/mingw64 builds with ossl1.1.1/ossl3.0.1.

Remove appveyor and travis scripts.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2022-02-10 09:30:28 -05:00
Selva Nair 9356ccb806 passphrase.c: on failure to decrypt private key, retry with legacy provider
- Support legacy algorithms while decrypting keys by loading
  legacy provider unless default pros has fips enabled.

- Use the recommended PKCS8 format and AES-256-CBC cipher when
  encrypting PEM keys.
  For PKCS12, OpenSSL's default is used which is PBKDF2 with
  AES-256-CBC in OpenSSL 3.0

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-02-10 09:30:05 -05:00
Selva Nair 24b9d06957 Update OpenSSL initialization
- Set env variables such as OPENSSL_CONF and OPENSSL_MODULES
- Replace deprecated initialization (since OpenSSL 1.1.0)
  by OpenSSL_init_crypto()

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-02-10 09:30:05 -05:00
Lev Stipakov d27fd21222 Add openssl3 support for msvc build
- remove vcpkg manifest and use whatever openssl
 version is installed. To build with openssl3, one could
 use openssl3 port from openvpn/contrib/vcpkg-ports.

 - build with openssl1.1.1 and openssl3 in GitHub Actions

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2022-02-02 19:45:49 +01:00
Lev Stipakov cd4748fb25 wcstok: use security-enhanced version
Replace old wcstok signature with security-enhanced
version, which stores position information between calls in
"context" parameter instead of internal per-thread context.

This allows to get rid of _CRT_NON_CONFORMING_WCSTOK
define in CMakeLists.txt

Reported-by: Kai Schtrom

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2022-02-02 19:44:00 +01:00
Samuli Seppänen 5c1cae2042 Bump version to 11.27.0.0
Signed-off-by: Samuli Seppänen <samuli.seppanen@gmail.com>
2021-12-15 08:34:27 +02:00
Lev Stipakov f42b91dc2f Github Actions: use Release build configuration
Signed-off-by: Lev Stipakov <lev@openvpn.net>
2021-11-30 09:02:41 +01:00
Selva Nair bb6b6e29fb
Provide more space for challenge dialog text (#469)
* Provide more space for challenge dialog text

We do use a re-sizeable dialog box for dynamic challenge-response
to cater for potentially long lines of challenge text. But the
space specified for the widget is enough for only a single short line
(~60 characters) of text.

Increase the horizontal and vertical space to allow for up to
two lines of ~120 characters per line.

The default size of the Window is not changed. But it is
automatically resized if the space required for the text
is longer than the window width minus some margin. The max
horizontal size of the window is capped at 640 nominal pixels
as longer text will be wrapped in to two lines.

Github issue #468

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2021-11-29 11:44:13 -05:00
Selva Nair e8257d8672 Copy new string resource to all language files
Signed-off-by: Selva Nair <selva.nair@gmail.com>
2021-11-18 14:33:09 -05:00
Selva Nair 9c82e666d8 Show a prompt during profile import using --import
The user is prompted with a message showing the config
name that will be imported. The user can accept or cancel
the operation.

If the user was already prompted for over-write permission
because a config with the same name exists, no further dialog
is shown.

Import using the menu (Import File...) is not affected.

Rationale:
We want to set "Import" as the default verb for the context
menu of .ovpn files. This will allow import of configs by
double-click. Also when .ovpn file is downloaded using a browser,
setting the default bowser action to "open" will result in an import.
In such cases a silent import action could be surprising, and a
prompt showing what is being imported could provide a better UX.

On the flip-side, the prompt/dialog will also be shown when import
is done from the context menu of .ovpn by "right click and
choose import" or when "openvpn-gui.exe --import foo"
or "openvpn-gui.exe --command import foo" is executed. As import
is an action that does not result in an immediately visible result
(unlike, say, edit or print), a prompt requiring user action is of
some value even in these cases. At worst it's a minor annoyance.

See also: https://github.com/OpenVPN/openvpn-build/pull/227
and discussions there-in

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2021-11-18 14:33:09 -05:00
Lev Stipakov 650663dd62 Fix broken "change password" functionality
When we link with natively-built OpenSSL .DLLs
(not cross compiled with MinGW), we are expected to include
applink.c, which provides glue between OpenSSL BIO layer
and compiler run-time. This doesn't apply to ARM64.

Failure to do that results in "no OPENSSL_Applink" fatal error
during password change.

See the corresponding fix in openvpn2:

https://sourceforge.net/p/openvpn/mailman/message/37361982/
Signed-off-by: Lev Stipakov <lev@openvpn.net>
2021-11-18 17:06:36 +01:00
Lev Stipakov a9f176224f Fix crash when clicking on tray icon after importing the first profile
When clicking on tray icon, menu items are deleted and then recreated.
Deletion uses o.num_config:

    for (i = 0; i < o.num_configs; i++)
        DestroyMenu(hMenuConn[i]);

Commit 8e4183f9 ("Add '--command import' command line option")
added BuildFileList() call which modifies o.num_configs
but doesn't touch menus. When clicking on tray icon after import,
abovementioned code attemps to access invalid item in hMenuConn array
and crashes when this is the first imported profile and hMenuConn is NULL.
In other DestryMenu is called with invalid argument.

Fix by recreating popup menus instead of just rescan file list -
this will first delete menus with correct o.num_config value.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2021-11-12 10:07:17 -05:00
Selva Nair 77e32fa676 During import from url take filename from content-disposition
If the http header "Content-Disposition:"  is present take the
filename specified in there as the name of the imported profile,
falling back to scanning the file contents for metadata.

If both filename= and filename*= attributes are present, the
latter takes precedence provided the character set is utf-8.
(Extended attributes as defined in RFC 5987).

In case of import from AS, the behaviour is unchanaged.

Issue: #450.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
2021-11-03 16:36:40 -04:00
Selva Nair 859d0fbf2f Show import success using balloon notification
Less intrusive than a message box that user has
to close. Also the imported filename stub is now
included in the message.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2021-11-03 16:36:40 -04:00
Selva Nair 56ee704501 Use C standrad compliant printf specifications
%S --> %hs in wide format strings, %ls otherwise
%s --> %ls in wide format strings, unchanged otherwise
%c --> %lc in wide format strings

Resource files together have about 970 lines affected and
were edited by looping through all with
sed -i 's/%S/%hs/g' $file
sed -i 's/%s/%ls/g' $file
All other files were manually changed (about 85 lines).

Recent versions of mingw-w64 implicitly turns on __USE_MINGW_ANSI_STDIO
if _GNU_SOURCE, _XOPEN_SOURCE etc are defined (which we do usei).

This breaks non-standard spec such as %S. Anyway, we have been
gradually getting rid of those.

MSVC builds should not be affected.

v2: multiple occurrences in same line was missed in v1 (/g missing in
sed expression). Fixed.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2021-11-03 16:20:17 -04:00
Selva Nair 489a219888 Bugfix for character remapping in filename
- as.c: Use widechar string and comparison for
  reserved characters.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2021-11-03 16:20:17 -04:00
Selva Nair ef14a62d34 Ensure dialogResult is initialized before use
Signed-off-by: Selva Nair <selva.nair@gmail.com>
2021-11-03 16:20:17 -04:00
PlayDay b19965dd2b Fix typo in openvpn-gui-res-ua.rc 2021-11-02 09:33:01 -04:00
Samuli Seppänen 6758dd0900 Bump version to 11.26.0.0
Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
2021-10-05 08:57:10 +03:00
Selva Nair 5fd17835f5 Clear password used for profile import
- HTTP auth password appears to be cached and reused
  unless replaced by a non-empty string. When user-supplied
  password is empty, use some arbitrary string "x" as the
  password.

- Make username required for generic URL as well.

- Also clear password buffers after use.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2021-09-01 12:27:37 -04:00
Selva Nair 69195ee6b1 Add a timeout for http download
Download profile from AS or URL use blocking network calls
in the main thread. Set reasonable timeouts for connect
and receive.

TODO: This is not perfect as the download can still stall
in erratic links, and we have no way to abort. Ideally
we should either use Async calls and/or threads.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2021-08-31 21:55:59 -04:00
Selva Nair 4e223916ae Copy resource changes to all languages
Signed-off-by: Selva Nair <selva.nair@gmail.com>
2021-08-31 21:55:59 -04:00
Selva Nair 90cc9e3cdb Add content-type check for import from URL
For Import from URL, require that response
from server must have
content-type: application/x-openvpn-profile

This reduces chances of mistyped input causing
import of random html pages as connection profile.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2021-08-31 21:55:59 -04:00
Selva Nair e80a39c825 Implement importing profile from a generic URL
ParseUrl extended to parse generic URLs and parse
the path. DownloadProfile() function re-factored
for reuse with generic URL.

Also:
- INTERNET_FLAG_RELOAD added to the request
  call to force reloading the data from server instead
  of using possibly cached data.
- Input box for URL extended in length to about
   50 characters wide.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2021-08-31 21:55:59 -04:00
Selva Nair 480d9e456b Copy changes to all language resource files
For openvpn-res-cs.rc, some missing help message
entries are also copied.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2021-08-31 14:48:20 -04:00
Selva Nair 8e4183f9a9 Add '--command import' command line option
Import a config file from command line as

`openvpn-gui.exe --command import <file-path>`

The command is send to a running instance if any.
Otherwise the GUI extecutable is started and
the import processed.

`openvpn-gui --import <file-path>`

is interpreted as the same command.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2021-08-31 14:48:20 -04:00
Selva Nair e03ce9c5f1 During import check whether profile with same name exists
Currently we construct the destination path and check whether
it exists. This could miss a connection profile with same
name in another directory.

If a config with same name is found we set it as the destination,
and ask the user for permission to overwrite. However, if the duplicate
is in the global_config_dir, the behaviour is not changed -- that is,
the config is imported with no further prompts.

Also fix the use of same buffer as destination and source in
swprintf(). It seems to work, but is not 'legal'.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2021-08-31 14:48:20 -04:00
Lev Stipakov 82d932a503 URL profile import: disable profile download in case of certificate errors
Allow users to bypass HTTPS is not good, but may nevertheless be useful during development.

DEBUG macro is widely used in openvpn-gui code but was missing from CMakeLists.txt, so add it there.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2021-08-23 12:07:18 -04:00
Lev Stipakov e3b06efcd2 URL profile import: support for 2FA
When 2FA is enabled, server (such as AS)
replies with HTTP 401 and issues a challenge.

Use existing facilities to parse CRV message
and prompt user for a response, then call REST
method again with encoded response as HTTP auth password.

See https://github.com/OpenVPN/openvpn3/blob/master/doc/webauth.md#challengeresponse-authentication
for more information.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2021-08-23 12:07:18 -04:00
Lev Stipakov c7beb04ff5 URL profile import: download and import profile
Use WinInet to download profile into memory buffer.
If there are certain certificate errors (invalid CN,
wrong date, unknown CA, revocation check failed),
ask if user wants to continue.

Extract profile name from content, sanitize name and
save profile in temp directory. Then import profile
using existing facilities.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2021-08-23 12:07:18 -04:00
Lev Stipakov d6a622a023 URL profile import: allow specifying owner window of message box
This will be used later when parent window
needs to be disabled when message box is displayed.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2021-08-23 12:07:18 -04:00
Lev Stipakov 78ee9b981d URL profile import: refactor ImportConfigFile
Factor out importing part (everything except file open dialog)
into separate function, which can be used when importing
profile from URL.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2021-08-23 12:07:18 -04:00