OpenVPN · selvanair · Jun 22, 2018 · Jun 24, 2018 · Jul 3, 2018 · Jun 25, 2018
diff --git a/Makefile.am b/Makefile.am
@@ -92,6 +92,7 @@ openvpn_gui_SOURCES = \
 	chartable.h \
 	save_pass.c save_pass.h \
 	env_set.c env_set.h \
+	script_security.c script_security.h \
 	openvpn-gui-res.h
 
 openvpn_gui_LDFLAGS = -mwindows

diff --git a/localization.c b/localization.c
@@ -469,6 +469,8 @@ GeneralSettingsDlgProc(HWND hwndDlg, UINT msg, UNUSED WPARAM wParam, LPARAM lPar
             CheckRadioButton (hwndDlg, ID_RB_BALLOON0, ID_RB_BALLOON2, ID_RB_BALLOON2);
         if (o.show_script_window)
             Button_SetCheck(GetDlgItem(hwndDlg, ID_CHK_SHOW_SCRIPT_WIN), BST_CHECKED);
+        if (o.disable_ssec_override)
+            Button_SetCheck(GetDlgItem(hwndDlg, ID_CHK_SSEC_OVERRIDE), BST_CHECKED);
 
         break;
 
@@ -496,6 +498,8 @@ GeneralSettingsDlgProc(HWND hwndDlg, UINT msg, UNUSED WPARAM wParam, LPARAM lPar
                 o.show_balloon = 1;
             o.show_script_window =
                 (Button_GetCheck(GetDlgItem(hwndDlg, ID_CHK_SHOW_SCRIPT_WIN)) == BST_CHECKED);
+            o.disable_ssec_override =
+                (Button_GetCheck(GetDlgItem(hwndDlg, ID_CHK_SSEC_OVERRIDE)) == BST_CHECKED);
 
             SaveRegistryKeys();
 

diff --git a/main.c b/main.c
@@ -559,6 +559,9 @@ LRESULT CALLBACK WindowProcedure (HWND hwnd, UINT message, WPARAM wParam, LPARAM
       if ( (LOWORD(wParam) >= IDM_CLEARPASSMENU) && (LOWORD(wParam) < IDM_CLEARPASSMENU + MAX_CONFIGS) ) {
         ResetSavePasswords(&o.conn[LOWORD(wParam) - IDM_CLEARPASSMENU]);
       }
+      if ( (LOWORD(wParam) >= IDM_CONFIGUREMENU) && (LOWORD(wParam) < IDM_CONFIGUREMENU + MAX_CONFIGS) ) {
+        ConfigOptions(&o.conn[LOWORD(wParam) - IDM_CONFIGUREMENU]);
+      }
 #ifndef DISABLE_CHANGE_PASSWORD
       if ( (LOWORD(wParam) >= IDM_PASSPHRASEMENU) && (LOWORD(wParam) < IDM_PASSPHRASEMENU + MAX_CONFIGS) ) {
         ShowChangePassphraseDialog(&o.conn[LOWORD(wParam) - IDM_PASSPHRASEMENU]);

diff --git a/misc.c b/misc.c
@@ -499,3 +499,124 @@ wcs_concat2(WCHAR *dest, int len, const WCHAR *src1, const WCHAR *src2, const WC
         n = 0;
     dest[n] = L'\0';
 }
+
+/* Initialize a hash context.
+ * The caller must release resources by calling
+ * md_ctx_free() when finished using the context.
+ *
+ * Returns 0 on success, a system error code on failure.
+ */
+DWORD
+md_ctx_init(struct md_ctx *ctx, ALG_ID alg)
+{
+    if (!CryptAcquireContext(&ctx->prov, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT))
+    {
+        ctx->prov = 0;
+        return GetLastError();
+    }
+    else if (!CryptCreateHash(ctx->prov, alg, 0, 0, &ctx->hash))
+    {
+        ctx->hash = 0;
+        CryptReleaseContext(ctx->prov, 0);
+        ctx->prov = 0;
+        return GetLastError();
+    }
+
+    return 0;
+}
+
+/* Release a hash context */
+void
+md_ctx_free(struct md_ctx *ctx)
+{
+    if (ctx && ctx->hash)
+        CryptDestroyHash(ctx->hash);
+
+    if (ctx && ctx->prov)
+        CryptReleaseContext(ctx->prov, 0);
+}
+
+/* Add data to a hash object. The context |ctx| must be previously initialized
+ * by a call to md_ctx_init().
+ * Returns 0 on success, a system error code on failure.
+ */
+DWORD
+md_update(struct md_ctx *ctx, const BYTE *data, DWORD len)
+{
+    DWORD err = 0;
+
+    if (!CryptHashData(ctx->hash, data, len, 0))
+        err = GetLastError();
+
+    return err;
+}
+
+/* Retrieve the hash from a hash context. Returns 0 on success, an error code on failure.
+ * On entry the buffer |digest| must have space for atleast |len| bytes. On return
+ * the hash is in |digest| and its length is in |len|.
+ */
+
+DWORD
+md_hashval(struct md_ctx *ctx, BYTE *digest, DWORD *digest_len)
+{
+    DWORD err = 0;
+
+    if (!CryptGetHashParam(ctx->hash, HP_HASHVAL, digest, digest_len, 0))
+    {
+        err = GetLastError();
+    }
+
+    return err;
+}
+
+/* Convenience function to hash a data buffer and return the hash */
+DWORD
+md_buffer(ALG_ID alg, const BYTE *data, DWORD len, BYTE *digest, DWORD *digest_len)
+{
+    struct md_ctx ctx = {0};
+    DWORD err = 0;
+
+    err = md_ctx_init(&ctx, alg);
+    if (err) return err;
+
+    err = md_update(&ctx, data, len);
+    if (!err)
+        err = md_hashval(&ctx, digest, digest_len);
+
+    md_ctx_free(&ctx);
+
+    return err;
+}
+
+/* Hash a file and return the hash. Use full path for the file name |fname| */
+DWORD
+md_file(ALG_ID alg, const wchar_t *fname, BYTE *digest, DWORD *digest_len)
+{
+    DWORD err = 0;
+    struct md_ctx ctx = {0};
+    BYTE buf[1024];
+    DWORD nread = 0;
+
+    err = md_ctx_init(&ctx, alg);
+    if (err) return err;
+
+    HANDLE hfile = CreateFile(fname, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING,
+                              FILE_FLAG_SEQUENTIAL_SCAN, NULL);
+    if (hfile == NULL || hfile == INVALID_HANDLE_VALUE)
+    {
+        md_ctx_free(&ctx);
+        return GetLastError();
+    }
+
+    while (ReadFile(hfile, buf, _countof(buf), &nread, NULL) && nread && !err)
+    {
+        err = md_update(&ctx, buf, nread);
+    }
+    if (!err)
+        err = md_hashval(&ctx, digest, digest_len);
+
+    md_ctx_free(&ctx);
+    CloseHandle(hfile);
+
+    return err;
+}
diff --git a/misc.h b/misc.h
@@ -22,6 +22,8 @@
 #ifndef MISC_H
 #define MISC_H
 
+#include <wincrypt.h>
+
 BOOL ManagementCommandFromInput(connection_t *, LPCSTR, HWND, int);
 BOOL ManagementCommandFromInputBase64(connection_t *, LPCSTR, HWND, int, int);
 
@@ -45,4 +47,23 @@ BOOL validate_input(const WCHAR *input, const WCHAR *exclude);
 void wcs_concat2(WCHAR *dest, int len, const WCHAR *src1, const WCHAR *src2, const WCHAR *sep);
 void CloseSemaphore(HANDLE sem);
 
+/* digest context and functions */
+struct md_ctx {
+    HCRYPTPROV prov;
+    HCRYPTHASH hash;
+};
+
+DWORD md_ctx_init(struct md_ctx *ctx, ALG_ID alg);
+
+void md_ctx_free(struct md_ctx *ctx);
+
+DWORD md_update(struct md_ctx *ctx, const BYTE *data, DWORD data_len);
+
+DWORD md_hashval(struct md_ctx *ctx, BYTE *digest, DWORD *digest_len);
+
+DWORD md_buffer(ALG_ID alg, const BYTE *data, DWORD data_len, BYTE *digest, DWORD *digest_len);
+
+DWORD md_file(ALG_ID alg, const wchar_t *fname, BYTE *digest, DWORD *digest_len);
+
+
 #endif
diff --git a/openvpn-gui-res.h b/openvpn-gui-res.h
@@ -118,9 +118,19 @@
 #define ID_EDT_PRECONNECT_TIMEOUT        282
 #define ID_EDT_CONNECT_TIMEOUT           283
 #define ID_EDT_DISCONNECT_TIMEOUT        284
+#define ID_CHK_SSEC_OVERRIDE             285
 
 /* Connections dialog */
 #define ID_DLG_CONNECTIONS               290
+#define ID_TXT_PATH                      291
+#define ID_EDT_DISPLAY_NAME              292
+#define ID_CHK_AUTH_USER                 293
+#define ID_CHK_AUTH_PASS                 294
+#define ID_CHK_KEY_PASS                  295
+#define ID_CMB_SCRIPT_SECURITY           296
+#define IDS_SCRIPT_NO_OVERRIDE           297
+#define IDS_ALLOW_SCRIPT_BUILT_IN        299
+#define IDS_ERR_SCRIPT_OVERRIDE          300
 
 /*
  * String Table Resources
@@ -153,6 +163,7 @@
 #define IDS_MENU_IMPORT                 1023
 #define IDS_MENU_CLEARPASS              1024
 #define IDS_MENU_RECONNECT              1025
+#define IDS_MENU_CONFIGURE              1026
 
 /* LogViewer Dialog */
 #define IDS_ERR_START_LOG_VIEWER        1101