Hi,
Looks good now and works as expected.
On Tue, Jul 23, 2019 at 5:22 AM Lev Stipakov <lstipa...@gmail.com> wrote:
>
> From: Lev Stipakov <l...@openvpn.net>
>
> This patch enables interactive service to open tun device.
> This is mostly needed by Wintun, which could be opened
> only by privileged process.
>
> When interactive service is used, instead of calling
> CreateFile() directly by openvpn process we pass tun device path
> into service process. There we open device, duplicate handle
> and pass it back to openvpn process.
>
> Signed-off-by: Lev Stipakov <l...@openvpn.net>
> ---
> v6:
> - simplify and strengthen guid check with wcsspn()
> - fix doxygen comment
>
> v5:
> - further strengthen security by passing only device guid from client
> process
> to service, validating guid and constructing device path on service side
>
> v4:
> - strengthen security by adding basic validation to device path
> - reorder fields in msg_open_tun_device_result for backward compatibility
>
> v3:
> - ensure that device path passed by client is null-terminated
> - support for multiple openvpn processes
> - return proper error code when device handle is invalid
>
> v2:
> - introduce send_msg_iservice_ex() instead of changing
> signature of existing send_msg_iservice()
> - use wchar_t strings in interactive service code
>
> include/openvpn-msg.h | 12 +++++++
> src/openvpn/tun.c | 83
> ++++++++++++++++++++++++++++++++++---------
> src/openvpn/win32.c | 9 ++++-
> src/openvpn/win32.h | 30 +++++++++++++---
> src/openvpnserv/interactive.c | 78 ++++++++++++++++++++++++++++++++++++++--
> 5 files changed, 188 insertions(+), 24 deletions(-)
...
> diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c
> index 623c3ff..1b4a5e2 100644
> --- a/src/openvpnserv/interactive.c
> +++ b/src/openvpnserv/interactive.c
> @@ -58,7 +58,6 @@ static settings_t settings;
> static HANDLE rdns_semaphore = NULL;
> #define RDNS_TIMEOUT 600 /* seconds to wait for the semaphore */
>
> -
> openvpn_service_t interactive_service = {
> interactive,
> TEXT(PACKAGE_NAME "ServiceInteractive"),
> @@ -1198,8 +1197,62 @@ HandleEnableDHCPMessage(const enable_dhcp_message_t
> *dhcp)
> return err;
> }
>
> +static DWORD
> +HandleOpenTunDeviceMessage(const open_tun_device_message_t *open_tun, HANDLE
> ovpn_proc, HANDLE *remote_handle)
> +{
> + DWORD err = ERROR_SUCCESS;
> + HANDLE local_handle;
> + LPWSTR wguid = NULL;
> + WCHAR device_path[256] = {0};
> + const WCHAR prefix[] = L"\\\\.\\Global\\";
> + const WCHAR tap_suffix[] = L".tap";
> +
> + *remote_handle = INVALID_HANDLE_VALUE;
> +
> + wguid = utf8to16(open_tun->device_guid);
> + if (!wguid)
> + {
> + err = ERROR_OUTOFMEMORY;
> + goto out;
> + }
> +
> + /* validate device guid */
> + const size_t guid_len = wcslen(wguid);
> + if (guid_len != 38 || wcsspn(wguid, L"0123456789ABCDEFabcdef-{}") !=
> guid_len)
> + {
> + err = ERROR_MESSAGE_DATA;
> + MsgToEventLog(MSG_FLAGS_ERROR, TEXT("Invalid device guild (%s)"),
> wguid);
guild -> guid (as pointed out by tincanteksup)
> + goto out;
> + }
> +
whitespace in line above.
These could be fixed at commit time.
Acked-by: Selva Nair <selva.n...@gmail.com>
Selva
Selva
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
