- HTTP auth password appears to be cached and reused
unless replaced by a non-empty string. When user-supplied
password is empty, use some arbitrary string "x" as the
password.
- Make username required for generic URL as well.
- Also clear password buffers after use.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Download profile from AS or URL uses blocking network calls
in the main thread. Set reasonable timeouts for connect
and receive.
TODO: This is not perfect as the download can still stall
in erratic links, and we have no way to abort. Ideally
we should either use Async calls and/or threads.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
For Import from URL, require that the response
from the server has
content-type: application/x-openvpn-profile
This reduces chances of mistyped input causing
import of random html pages as connection profile.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
ParseUrl extended to parse generic URLs and parse
the path. DownloadProfile() function re-factored
for reuse with generic URL.
Also:
- INTERNET_FLAG_RELOAD added to the request
call to force reloading the data from server instead
of using possibly cached data.
- Input box for URL extended in length to about
50 characters wide.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Import a config file from command line as
`openvpn-gui.exe --command import <file-path>`
The command is sent to a running instance if any.
Otherwise the GUI executable is started and
the import processed.
`openvpn-gui --import <file-path>`
is interpreted as the same command.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Currently we construct the destination path and check whether
it exists. This could miss a connection profile with the same
name in another directory.
If a config with the same name is found we set it as the destination,
and ask the user for permission to overwrite. However, if the duplicate
is in the global_config_dir, the behaviour is not changed -- that is,
the config is imported with no further prompts.
Also fix the use of same buffer as destination and source in
swprintf(). It seems to work, but is not 'legal'.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Allowing users to bypass HTTPS is not good, but may nevertheless be useful during development.
DEBUG macro is widely used in openvpn-gui code but was missing from CMakeLists.txt, so add it there.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
When 2FA is enabled, server (such as AS)
replies with HTTP 401 and issues a challenge.
Use existing facilities to parse CRV message
and prompt user for a response, then call REST
method again with encoded response as HTTP auth password.
See https://github.com/OpenVPN/openvpn3/blob/master/doc/webauth.md#challengeresponse-authentication
for more information.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Use WinInet to download profile into memory buffer.
If there are certain certificate errors (invalid CN,
wrong date, unknown CA, revocation check failed),
ask if user wants to continue.
Extract profile name from content, sanitize name and
save profile in temp directory. Then import profile
using existing facilities.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
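As an added example, not code from the openvpn-gui project, the following C shows the "extract profile name, sanitize it, then use it as a file name" step described above. The directive name `# OVPN_ACCESS_SERVER_PROFILE=` and the allowlist rules are assumptions for this example; the profile text is constructed. The point of the sanitizer is that the name comes from a downloaded file and must never be allowed to steer the save path (separators, leading dots, empty names).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME 64

/* Look for a "# OVPN_ACCESS_SERVER_PROFILE=<name>" line (directive assumed for
 * this example) in the downloaded profile text. Returns 1 if a non-empty name
 * was found and copied into name, 0 otherwise. */
int extract_profile_name(const char *profile, char *name, size_t size)
{
    static const char key[] = "# OVPN_ACCESS_SERVER_PROFILE=";
    const size_t klen = sizeof key - 1;
    const char *line = profile;
    while (line && *line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len > klen && strncmp(line, key, klen) == 0) {
            size_t vlen = len - klen;
            if (vlen >= size) vlen = size - 1;
            memcpy(name, line + klen, vlen);
            name[vlen] = '\0';
            /* trim trailing CR / spaces left by CRLF line endings */
            while (vlen > 0 && (name[vlen - 1] == '\r' || name[vlen - 1] == ' '))
                name[--vlen] = '\0';
            return vlen > 0;
        }
        line = eol ? eol + 1 : NULL;
    }
    return 0;
}

/* Reduce an untrusted name to a safe file stem: keep only [A-Za-z0-9_.-],
 * replace everything else (including path separators) with '_', drop leading
 * dots so ".." or hidden files cannot be produced, strip trailing dots which
 * Windows silently removes, cap the length, and fall back to "profile". */
void sanitize_profile_name(const char *in, char *out, size_t size)
{
    size_t j = 0;
    for (const char *p = in; *p && j + 1 < size && j < MAX_NAME; p++) {
        unsigned char c = (unsigned char)*p;
        char keep = (isalnum(c) || c == '-' || c == '_' || c == '.') ? (char)c : '_';
        if (j == 0 && keep == '.')
            continue; /* skip leading dots */
        out[j++] = keep;
    }
    out[j] = '\0';
    while (j > 0 && out[j - 1] == '.')
        out[--j] = '\0';
    if (j == 0)
        snprintf(out, size, "profile");
}

int main(void)
{
    /* constructed sample profile, as an Access Server might serve it */
    const char *profile =
        "client\ndev tun\n"
        "# OVPN_ACCESS_SERVER_PROFILE=My Office / VPN\r\n"
        "remote vpn.example.invalid 1194\n";
    char raw[128], safe[128];
    if (extract_profile_name(profile, raw, sizeof raw)) {
        sanitize_profile_name(raw, safe, sizeof safe);
        printf("raw: \"%s\" -> file stem: \"%s.ovpn\"\n", raw, safe);
    }
    return 0;
}
```

The sanitized stem is then joined with the temp directory by the caller; because the stem can no longer contain separators or start with a dot, the resulting path stays inside that directory.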
Factor out importing part (everything except file open dialog)
into separate function, which can be used when importing
profile from URL.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
This is the first patch from series which implements
importing profile from URL, currently implemented
by OpenVPN Access Server.
Move "Import from file" menu item under new "Import"
item. Add "Import from AS..." item under "Import", which
opens new profile import dialog.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Commit 131c75e5 ("Notify dialog windows when OpenVPN state changes") added a callback
function, but forgot to specify the __stdcall calling convention with the CALLBACK keyword.
This is not an issue for x64 builds, but x86 requires __stdcall calling convention for callbacks,
otherwise compiler throws an error:
Error: D:\a\openvpn-gui\openvpn-gui\openvpn.c(292): error C2440: 'function': cannot convert from 'BOOL (__cdecl *)(HWND,LPARAM)' to 'WNDENUMPROC'
Reported-by: Samuli Seppänen <samuli@openvpn.net>
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Currently we show a messagebox with OK/CANCEL when response is
not required but that cannot handle state change messages.
Instead, show the "GenericPass" dialog with input disabled.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Use a custom message to pass state change notification from OpenVPN
to all top level windows in the thread. Currently only the pending auth
dialog responds to this message by closing when the state changes.
The state change could be due to timeout, errors or success via
out-of-band authentication which makes the dialog no longer valid.
The case of CR_TEXT messages that do not require a response is handled
in the next commit.
See also issue #440: https://github.com/OpenVPN/openvpn-gui/issues/440
Signed-off-by: Selva Nair <selva.nair@gmail.com>
- Also add an edit box for setting the mute interval for
repeated echo messages. To be specified in hours
>=0. A zero value disables muting.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
As with CRV1, submit an empty string as the response.
Our base64-encode function can handle empty input to generate
an empty string as output.
Also ensure the message box is shown in foreground,
and not dependent on the status window which may be hidden.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
This adds support for crtext method of pending authentication,
used by Access Server 2.7 and newer.
When enabled on the server side and on the client side (IV_SSO=crtext),
server returns AUTH_PENDING with Info command like:
CR_TEXT:R,E:Enter Authenticator Code
Client prompts user for the response and sends base64-encoded response
to the server via management interface command:
cr-response SGFsbG8gV2VsdCE=
See https://github.com/OpenVPN/openvpn/blob/master/doc/management-notes.txt (crtext part)
for more information.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
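As an added example that is not code from openvpn-gui, the C below walks through the crtext exchange described in this commit and the previous one: parse the `CR_TEXT:<flags>:<prompt>` Info line (flags R = response required, E = echo input), then build the `cr-response <base64>` management command. It also covers the no-response case from the earlier commit, where an empty response must encode to an empty string. The sample messages are the ones quoted above; the struct and function names are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parsed form of an Info line "CR_TEXT:<flags>:<prompt>" */
struct crtext {
    int response_required; /* 'R' flag present */
    int echo;              /* 'E' flag present: show input instead of masking it */
    char prompt[256];
};

/* Parse e.g. "CR_TEXT:R,E:Enter Authenticator Code". Returns 1 on success,
 * 0 if the prefix is missing, the flags field is unterminated or a flag is unknown. */
int crtext_parse(const char *info, struct crtext *out)
{
    static const char prefix[] = "CR_TEXT:";
    const size_t plen = sizeof prefix - 1;
    if (strncmp(info, prefix, plen) != 0)
        return 0;
    const char *flags = info + plen;
    const char *sep = strchr(flags, ':');
    if (!sep)
        return 0;
    memset(out, 0, sizeof *out);
    for (const char *p = flags; p < sep; p++) {
        if (*p == 'R')      out->response_required = 1;
        else if (*p == 'E') out->echo = 1;
        else if (*p != ',') return 0; /* unknown flag: refuse rather than guess */
    }
    size_t n = strlen(sep + 1);
    if (n >= sizeof out->prompt)
        n = sizeof out->prompt - 1;
    memcpy(out->prompt, sep + 1, n);
    out->prompt[n] = '\0';
    return 1;
}

/* Standard base64; empty input yields "" (needed when no response is required).
 * Caller frees the result. */
char *base64_encode(const unsigned char *in, size_t len)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    char *out = malloc(4 * ((len + 2) / 3) + 1);
    if (!out)
        return NULL;
    size_t i, j = 0;
    for (i = 0; i + 2 < len; i += 3) {
        unsigned v = (in[i] << 16) | (in[i + 1] << 8) | in[i + 2];
        out[j++] = tbl[(v >> 18) & 63]; out[j++] = tbl[(v >> 12) & 63];
        out[j++] = tbl[(v >> 6) & 63];  out[j++] = tbl[v & 63];
    }
    if (i < len) { /* one or two trailing bytes, padded with '=' */
        unsigned v = in[i] << 16;
        if (i + 1 < len) v |= in[i + 1] << 8;
        out[j++] = tbl[(v >> 18) & 63];
        out[j++] = tbl[(v >> 12) & 63];
        out[j++] = (i + 1 < len) ? tbl[(v >> 6) & 63] : '=';
        out[j++] = '=';
    }
    out[j] = '\0';
    return out;
}

/* Build the management-interface command for the user's answer. Caller frees. */
char *crtext_command(const char *response)
{
    char *b64 = base64_encode((const unsigned char *)response, strlen(response));
    if (!b64)
        return NULL;
    size_t n = strlen("cr-response ") + strlen(b64) + 1;
    char *cmd = malloc(n);
    if (cmd)
        snprintf(cmd, n, "cr-response %s", b64);
    free(b64);
    return cmd;
}

int main(void)
{
    struct crtext c;
    if (crtext_parse("CR_TEXT:R,E:Enter Authenticator Code", &c))
        printf("prompt=\"%s\" required=%d echo=%d\n", c.prompt, c.response_required, c.echo);
    char *cmd = crtext_command("Hallo Welt!"); /* constructed user input */
    if (cmd) { printf("%s\n", cmd); free(cmd); }
    return 0;
}
```

Two details matter for a GUI doing this for real: the echo flag decides whether the edit box masks input (an authenticator code is usually shown, a password is not), and the response buffer should be cleared after encoding, as the first commit in this series does for HTTP auth passwords.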
This adds support for web-based extra authentication, which may be
used by OpenVPN Cloud. When enabled and client sends IV_SSO=openurl,
server pushes Info command OPEN_URL:<url>. The client opens that URL and
user authenticates.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Use the image in the connecting state icon with background
color replaced by that of the menu for use as the checkmark.
MSDN docs on SetMenuItemBitmaps is unclear about the use of
color bitmaps for checkmarks, but this appears to display well.
(Tested on Windows 10 only).
The bitmap is recreated every time the popup menus are made
although it's sufficient to recreate it when system colours
change.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
The About text is truncated in Spanish version when
compiled with MSVC as LTEXT can't exceed 256 characters.
Removing the repeated phrase fixes this for now. If future
translations increase the length, please consider breaking
the paragraph into two.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
- Remove intermediate quotes in continued lines
- Remove macro substitutions in strings
- Split two long LTEXT (>256 characters) into two
All changes autogenerated using a sed script here
https://gist.github.com/selvanair/ae78c29869d7c1d15abcb909f04676c6
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Use an empty password to clear any existing password in the
private key file. If not empty, the requirement of minimum 8
characters is retained.
For PEM key file, an empty password will clear encryption on
the key. For pkcs12 files it will set an empty password.
As use of an empty password is the default first try in
OpenVPN.exe when reading pkcs12 file, this effectively leads
to the user not prompted for a private key password during
connection setup.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
For some reason Release build ignores _INC_MATH and includes math.h,
which conflicts with our own log definition. Rename it to log_.
While on it, also rename other enum names for consistency.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
In this case, as per management-notes.txt, a CRV1 response with
an empty password should be submitted. Currently we ignore
such "challenges" causing the regular user-auth dialog to be shown
instead.
Fix by displaying the message received from the server. Depending
on user action (OK or CANCEL), a properly formatted response with an
empty password is returned or the connection is aborted.
Signed-off-by: Selva Nair <selva.nair@gmail.com>