@@ -141,6 +141,6 @@ openvpn_LDADD = \
$(OPTIONAL_DL_LIBS) \
$(OPTIONAL_INOTIFY_LIBS)
if WIN32
-openvpn_SOURCES += openvpn_win32_resources.rc block_dns.c block_dns.h ring_buffer.c ring_buffer.h
+openvpn_SOURCES += openvpn_win32_resources.rc block_dns.c block_dns.h ring_buffer.h
openvpn_LDADD += -lgdi32 -lws2_32 -lwininet -lcrypt32 -liphlpapi -lwinmm -lfwpuclnt -lrpcrt4 -lncrypt -lsetupapi
endif
@@ -189,7 +189,6 @@
<ClCompile Include="ps.c" />
<ClCompile Include="push.c" />
<ClCompile Include="reliable.c" />
- <ClCompile Include="ring_buffer.c" />
<ClCompile Include="route.c" />
<ClCompile Include="run_command.c" />
<ClCompile Include="schedule.c" />
@@ -240,9 +240,6 @@
<ClCompile Include="vlan.c">
<Filter>Source Files</Filter>
</ClCompile>
- <ClCompile Include="ring_buffer.c">
- <Filter>Source Files</Filter>
- </ClCompile>
<ClCompile Include="ssl_ncp.c">
<Filter>Source Files</Filter>
</ClCompile>
deleted file mode 100644
@@ -1,56 +0,0 @@
-/*
- * OpenVPN -- An application to securely tunnel IP networks
- * over a single UDP port, with support for SSL/TLS-based
- * session authentication and key exchange,
- * packet encryption, packet authentication, and
- * packet compression.
- *
- * Copyright (C) 2002-2019 OpenVPN Inc <sales@openvpn.net>
- * 2019 Lev Stipakov <lev@openvpn.net>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2
- * as published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-
-#include "ring_buffer.h"
-
-#ifdef _WIN32
-
-bool
-register_ring_buffers(HANDLE device,
- struct tun_ring *send_ring,
- struct tun_ring *receive_ring,
- HANDLE send_tail_moved,
- HANDLE receive_tail_moved)
-{
- struct tun_register_rings rr;
- BOOL res;
- DWORD bytes_returned;
-
- ZeroMemory(&rr, sizeof(rr));
-
- rr.send.ring = send_ring;
- rr.send.ring_size = sizeof(struct tun_ring);
- rr.send.tail_moved = send_tail_moved;
-
- rr.receive.ring = receive_ring;
- rr.receive.ring_size = sizeof(struct tun_ring);
- rr.receive.tail_moved = receive_tail_moved;
-
- res = DeviceIoControl(device, TUN_IOCTL_REGISTER_RINGS, &rr, sizeof(rr),
- NULL, 0, &bytes_returned, NULL);
-
- return res != FALSE;
-}
-
-#endif /* ifdef _WIN32 */
\ No newline at end of file
@@ -94,11 +94,32 @@ struct TUN_PACKET
* that data has been written to receive ring
* @return true if registration is successful, false otherwise - use GetLastError()
*/
-bool register_ring_buffers(HANDLE device,
- struct tun_ring *send_ring,
- struct tun_ring *receive_ring,
- HANDLE send_tail_moved,
- HANDLE receive_tail_moved);
+static bool
+register_ring_buffers(HANDLE device,
+ struct tun_ring *send_ring,
+ struct tun_ring *receive_ring,
+ HANDLE send_tail_moved,
+ HANDLE receive_tail_moved)
+{
+ struct tun_register_rings rr;
+ BOOL res;
+ DWORD bytes_returned;
+
+ ZeroMemory(&rr, sizeof(rr));
+
+ rr.send.ring = send_ring;
+ rr.send.ring_size = sizeof(struct tun_ring);
+ rr.send.tail_moved = send_tail_moved;
+
+ rr.receive.ring = receive_ring;
+ rr.receive.ring_size = sizeof(struct tun_ring);
+ rr.receive.tail_moved = receive_tail_moved;
+
+ res = DeviceIoControl(device, TUN_IOCTL_REGISTER_RINGS, &rr, sizeof(rr),
+ NULL, 0, &bytes_returned, NULL);
+
+ return res != FALSE;
+}
#endif /* ifndef OPENVPN_RING_BUFFER_H */
#endif /* ifdef _WIN32 */
@@ -6148,35 +6148,10 @@ wintun_register_ring_buffer(struct tuntap *tt, const char *device_guid)
}
else
{
- if (!impersonate_as_system())
- {
- msg(M_FATAL, "ERROR: Failed to impersonate as SYSTEM, make sure process is running under privileged account");
- }
- if (!register_ring_buffers(tt->hand,
- tt->wintun_send_ring,
- tt->wintun_receive_ring,
- tt->rw_handle.read,
- tt->rw_handle.write))
- {
- switch (GetLastError())
- {
- case ERROR_ACCESS_DENIED:
- msg(M_FATAL, "Access denied registering ring buffers. Is this process run as SYSTEM?");
- break;
-
- case ERROR_ALREADY_INITIALIZED:
- msg(M_NONFATAL, "Adapter %s is already in use", device_guid);
- break;
-
- default:
- msg(M_NONFATAL | M_ERRNO, "Failed to register ring buffers");
- }
- ret = false;
- }
- if (!RevertToSelf())
- {
- msg(M_FATAL, "ERROR: RevertToSelf error: %lu", GetLastError());
- }
+ msg(M_FATAL, "ERROR: Wintun requires SYSTEM privileges and therefore "
+ "should be used with interactive service. If you want to "
+ "use openvpn from command line, you need to do SYSTEM "
+ "elevation yourself (for example with psexec).");
}
return ret;
@@ -1493,99 +1493,4 @@ send_msg_iservice(HANDLE pipe, const void *data, size_t size,
return ret;
}
-bool
-impersonate_as_system()
-{
- HANDLE thread_token, process_snapshot, winlogon_process, winlogon_token, duplicated_token;
- PROCESSENTRY32 entry;
- BOOL ret;
- DWORD pid = 0;
- TOKEN_PRIVILEGES privileges;
-
- CLEAR(entry);
- CLEAR(privileges);
-
- entry.dwSize = sizeof(PROCESSENTRY32);
-
- privileges.PrivilegeCount = 1;
- privileges.Privileges->Attributes = SE_PRIVILEGE_ENABLED;
-
- if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &privileges.Privileges[0].Luid))
- {
- return false;
- }
-
- if (!ImpersonateSelf(SecurityImpersonation))
- {
- return false;
- }
-
- if (!OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES, FALSE, &thread_token))
- {
- RevertToSelf();
- return false;
- }
- if (!AdjustTokenPrivileges(thread_token, FALSE, &privileges, sizeof(privileges), NULL, NULL))
- {
- CloseHandle(thread_token);
- RevertToSelf();
- return false;
- }
- CloseHandle(thread_token);
-
- process_snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
- if (process_snapshot == INVALID_HANDLE_VALUE)
- {
- RevertToSelf();
- return false;
- }
- for (ret = Process32First(process_snapshot, &entry); ret; ret = Process32Next(process_snapshot, &entry))
- {
- if (!_stricmp(entry.szExeFile, "winlogon.exe"))
- {
- pid = entry.th32ProcessID;
- break;
- }
- }
- CloseHandle(process_snapshot);
- if (!pid)
- {
- RevertToSelf();
- return false;
- }
-
- winlogon_process = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
- if (!winlogon_process)
- {
- RevertToSelf();
- return false;
- }
-
- if (!OpenProcessToken(winlogon_process, TOKEN_IMPERSONATE | TOKEN_DUPLICATE, &winlogon_token))
- {
- CloseHandle(winlogon_process);
- RevertToSelf();
- return false;
- }
- CloseHandle(winlogon_process);
-
- if (!DuplicateToken(winlogon_token, SecurityImpersonation, &duplicated_token))
- {
- CloseHandle(winlogon_token);
- RevertToSelf();
- return false;
- }
- CloseHandle(winlogon_token);
-
- if (!SetThreadToken(NULL, duplicated_token))
- {
- CloseHandle(duplicated_token);
- RevertToSelf();
- return false;
- }
- CloseHandle(duplicated_token);
-
- return true;
-}
-
#endif /* ifdef _WIN32 */
@@ -37,4 +37,4 @@ openvpnserv_SOURCES = \
validate.c validate.h \
$(top_srcdir)/src/openvpn/block_dns.c $(top_srcdir)/src/openvpn/block_dns.h \
openvpnserv_resources.rc \
- $(top_srcdir)/src/openvpn/ring_buffer.c $(top_srcdir)/src/openvpn/ring_buffer.h
+ $(top_srcdir)/src/openvpn/ring_buffer.h
@@ -115,7 +115,6 @@
</Link>
</ItemDefinitionGroup>
<ItemGroup>
- <ClCompile Include="..\openvpn\ring_buffer.c" />
<ClCompile Include="automatic.c" />
<ClCompile Include="common.c" />
<ClCompile Include="interactive.c" />
@@ -33,9 +33,6 @@
<ClCompile Include="..\openvpn\block_dns.c">
<Filter>Source Files</Filter>
</ClCompile>
- <ClCompile Include="..\openvpn\ring_buffer.c">
- <Filter>Source Files</Filter>
- </ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="service.h">