Commit Graph

18 Commits (fa1191b799d68aee38a5cdf3fcad22000c0b2802)

Author SHA1 Message Date
Selva Nair 0bea5549f1 Remove private key password-change feature
- With this, dependence on OpenSSL is also gone. CI build
  tasks are updated accordingly.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2023-03-27 07:50:21 -07:00
Lev Stipakov 7c11841f5d Suppress certain warnings
We have tons of warnings like

  warning C4244: '=': conversion from 'DWORD' to 'LANGID', possible loss of data
  warning C4267: 'initializing': conversion from 'size_t' to 'int', possible loss of data
  warning C4996: 'wcsncpy': This function or variable may be unsafe

We should fix those at some point, but meanwhile let's suppress those since they
pollute build logs and make it very hard to analyse.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2023-01-20 17:26:02 -08:00
Selva Nair 577d982b51 PLAP: try to start automatic service if not running
Connection profiles shown on the login screen using PLAP
requires automatic service that starts openvpn.exe
processes for these profiles.

This commit adds an attempt to start the service from
PLAP dll. The service is started only if any PLAP enabled
profiles are found.

As starting the service can spawn up OpenVPN.exe processes and
the GUI may attach to them, auto-connect in the GUI is
suspended during session lock to leave the connections free to
be controlled from PLAP screen.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-10-19 09:49:15 -04:00
Selva Nair 2ea4bf9229 Add a test program for PLAP provider module
- instantiate OpenVPN PLAP provider which will enumerate configs
  in config-auto directory.
- Attempt to connect each config found one after the other

The test program is deliberately written in C++ as that's how most
Windows programs (and likely, LogonUI.exe) may use the COM object.

Note that duplicate configs are ignored, so ensure  that config
files in config-auto are not "shadowed" by identical named one's
in user's profile or in global config folder.

Additional notes:
The test program is not linked to the plap dll.
Instead it finds the module using CoGetClassObject,
so the plap dll must be registered in the system.

It also tests dynamically loading the dll from
C:\Program Files\OpenVPN\bin\libopenvpn_plap.dll
which should succeed even if the registration is not
proper.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-10-17 11:05:44 -04:00
Selva Nair a60b3c540b Enable MSVC build of libopenvpn_plap.dll
Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-10-17 11:05:44 -04:00
Selva Nair fc05de0c7b Add a parser for ovpn config files
- This will be used for reading the management i/f
parameters for externally started (persistent) openpvn.exe

TODO: replace the parsing of config file in passphrase.c
using this.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-08-08 10:11:25 -04:00
Ilya Shipitsin 55580d33b7 adjust build options to harden binaries
enable hardware-enforced stack protection on
compatible hardware/software (/CETCOMPAT linker option)

enable QSpectre protection

enable Control Flow Guard

issues were found by Microsoft BinSkim
2022-07-25 09:41:59 -04:00
Selva Nair 6d67f81814 Show certificate details on double-clicking pkcs11 list entries
- For mingw builds, currently this works only for x64 target
  due to missing library for i686 target.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-07-19 12:08:02 +02:00
Selva Nair 84be448777 Handle pkcs11-id query from daemon
Add support for selecting pkcs11-id  from the GUI.
Requires --management-pkcs11-id in the config file.
This option is not added by the GUI.

A list of all available pkcs11 certificates are presented to the
user with buttons OK, Cancel, Retry. OK submits the selected
entry, Cancel closes the connection, Retry reconstructs the
list of certificates by querying the daemon again. The latter
can be used to retry after inserting a token.

If no certificates are found, a message suggesting to insert
a token and press 'Retry' is displayed.

The list shows the "Issued-to", "Issued-by" names
(usually the subject & issuer common names) and valid-until
date in current locale for each certificate.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-07-19 12:08:02 +02:00
Lev Stipakov d60325acde Support for OpenVPN 3
This adds optional support for using OpenVPN3 client
as an alternative to openvpn2.

Just replacing one client with another will not work:

 - OpenVPN3 doesn't use interactive service, it uses
"agent" service with completely different protocol. OpenVPN GUI
needs to talk to agent using HTTP and JSON.

 - OpenVPN3 management interface realtime notifications must be
explicitly turned on in order for GUI to work.

To enable using openvpn3:

 - use any of *-ovpn3 presets (cmake build system)

 - ./configure --enable-ovpn3 (mingw)

To switch betweet openvpn2 and openvpn3, see "OpenVPN Engine"
radiobutton group in Settings -> Advanced dialog.

OnReady() implementation was slighly changed - "log all on"
replaced with "log on all" - according to management interface
documentation this is the right way to do it, and also OpenVPN3
only supports "on all" order.

Management interface - enabled OpenVPN3 client (omiclient.exe) and
agent (ovpnagent.exe) are now part of openvpn3 repo.

Co-authored-by: Christopher Ng <facboy@gmail.com>
Signed-off-by: Christopher Ng <facboy@gmail.com>
Signed-off-by: Lev Stipakov <lev@openvpn.net>
2022-06-15 10:32:36 -04:00
Lev Stipakov b6f26818a9 Use vcpkg manifest and cmake presets
Manifest is a convenient way to automatically
install dependencies. Since we have to support
both OpenSSL 1.1.1 (for OpenVPN 2.5) and OpenSSL 3
(for coming OpenVPN 2.6) and manifest file name
is hardcoded, we create two manifests and put them
into different directories.

To simplify build process, define configuration presets
for arch (x86/x64/arm64), debug/release and oss1.1.1/ossl3.

This way building is greatly simplified:

  cmake -S . --preset x64-debug-ossl3
  cmake --build --preset x64-debug-ossl3

Update GitHub Actions script accordingly.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2022-05-24 14:20:51 +03:00
Lev Stipakov d27fd21222 Add openssl3 support for msvc build
- remove vcpkg manifest and use whatever openssl
 version is installed. To build with openssl3, one could
 use openssl3 port from openvpn/contrib/vcpkg-ports.

 - build with openssl1.1.1 and openssl3 in GitHub Actions

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2022-02-02 19:45:49 +01:00
Lev Stipakov cd4748fb25 wcstok: use security-enhanced version
Replace old wcstok signature with security-enhanced
version, which stores position information between calls in
"context" parameter instead of internal per-thread context.

This allows to get rid of _CRT_NON_CONFORMING_WCSTOK
define in CMakeLists.txt

Reported-by: Kai Schtrom

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2022-02-02 19:44:00 +01:00
Lev Stipakov 82d932a503 URL profile import: disable profile download in case of certificate errors
Allow users to bypass HTTPS is not good, but may nevertheless be useful during development.

DEBUG macro is widely used in openvpn-gui code but was missing from CMakeLists.txt, so add it there.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2021-08-23 12:07:18 -04:00
Lev Stipakov c7beb04ff5 URL profile import: download and import profile
Use WinInet to download profile into memory buffer.
If there are certain certificate errors (invalid CN,
wrong date, unknown CA, revocation check failed),
ask if user wants to continue.

Extract profile name from content, sanitize name and
save profile in temp directory. Then import profile
using existing facilities.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2021-08-23 12:07:18 -04:00
Lev Stipakov 9ded7996ab URL profile import: add profile import dialog
This is the first patch from series which implemets
importing profile from URL, currently implemented
by OpenVPN Access Server.

Move "Import from file" menu item under new "Import"
item. Add "Import from AS..." item under "Import", which
opens new profile import dialog.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2021-08-23 12:07:18 -04:00
Lev Stipakov 8d878e8f7b CMake: read version from configure.ac
Instead of using hardcoded major/minor version in config-msvc.h,
use the values from configure.ac.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2021-05-24 09:01:33 -04:00
Lev Stipakov 4a483b029b replace msvc project with cmake
Signed-off-by: Lev Stipakov <lev@openvpn.net>
2021-05-14 17:20:00 -04:00