summaryrefslogtreecommitdiff
path: root/sample
diff options
context:
space:
mode:
authorBernhard Schmidt <berni@debian.org>2021-02-24 19:54:12 +0100
committerBernhard Schmidt <berni@debian.org>2021-02-24 19:54:12 +0100
commit4ee98f284a93c3b855092d35ac21371d9dcad65b (patch)
treedc5a9759b8165b50d028db416367767b82f42f49 /sample
parent0816f633cec4254ccfd98901252eefe84b0e2648 (diff)
New upstream version 2.5.1upstream/2.5.1
Diffstat (limited to 'sample')
-rw-r--r--sample/sample-plugins/Makefile8
-rw-r--r--sample/sample-plugins/defer/simple.c399
2 files changed, 302 insertions, 105 deletions
diff --git a/sample/sample-plugins/Makefile b/sample/sample-plugins/Makefile
index 1cf5e2c..f709998 100644
--- a/sample/sample-plugins/Makefile
+++ b/sample/sample-plugins/Makefile
@@ -210,7 +210,7 @@ OPENSSL_CFLAGS =
OPENSSL_LIBS = -lssl -lcrypto
OPENVPN_VERSION_MAJOR = 2
OPENVPN_VERSION_MINOR = 5
-OPENVPN_VERSION_PATCH = .0
+OPENVPN_VERSION_PATCH = .1
OPTIONAL_CRYPTO_CFLAGS =
OPTIONAL_CRYPTO_LIBS = -lssl -lcrypto
OPTIONAL_DL_LIBS = -ldl
@@ -231,10 +231,10 @@ P11KIT_LIBS =
PACKAGE = openvpn
PACKAGE_BUGREPORT = openvpn-users@lists.sourceforge.net
PACKAGE_NAME = OpenVPN
-PACKAGE_STRING = OpenVPN 2.5.0
+PACKAGE_STRING = OpenVPN 2.5.1
PACKAGE_TARNAME = openvpn
PACKAGE_URL =
-PACKAGE_VERSION = 2.5.0
+PACKAGE_VERSION = 2.5.1
PATH_SEPARATOR = :
PKCS11_HELPER_CFLAGS =
PKCS11_HELPER_LIBS = -lpthread -ldl -lcrypto -lpkcs11-helper
@@ -264,7 +264,7 @@ TAP_WIN_MIN_MINOR = 9
TEST_CFLAGS = -I$(top_srcdir)/include
TEST_LDFLAGS = -lssl -lcrypto -llzo2
TMPFILES_DIR =
-VERSION = 2.5.0
+VERSION = 2.5.1
abs_builddir = /home/samuli/opt/openvpninc/openvpn-release-scripts/release/openvpn/sample/sample-plugins
abs_srcdir = /home/samuli/opt/openvpninc/openvpn-release-scripts/release/openvpn/sample/sample-plugins
abs_top_builddir = /home/samuli/opt/openvpninc/openvpn-release-scripts/release/openvpn
diff --git a/sample/sample-plugins/defer/simple.c b/sample/sample-plugins/defer/simple.c
index 64338b4..6f08bed 100644
--- a/sample/sample-plugins/defer/simple.c
+++ b/sample/sample-plugins/defer/simple.c
@@ -54,13 +54,30 @@
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
+#include <unistd.h>
+#include <stdbool.h>
+#include <fcntl.h>
+#include <sys/types.h>
+#include <sys/wait.h>
#include "openvpn-plugin.h"
-/* bool definitions */
-#define bool int
-#define true 1
-#define false 0
+/* Pointers to functions exported from openvpn */
+static plugin_log_t plugin_log = NULL;
+
+/*
+ * Constants indicating minimum API and struct versions by the functions
+ * in this plugin. Consult openvpn-plugin.h, look for:
+ * OPENVPN_PLUGIN_VERSION and OPENVPN_PLUGINv3_STRUCTVER
+ *
+ * Strictly speaking, this sample code only requires plugin_log, a feature
+ * of structver version 1. However, '1' lines up with ancient versions
+ * of openvpn that are past end-of-support. As such, we are requiring
+ * structver '5' here to indicate a desire for modern openvpn, rather
+ * than a need for any particular feature found in structver beyond '1'.
+ */
+#define OPENVPN_PLUGIN_VERSION_MIN 3
+#define OPENVPN_PLUGIN_STRUCTVER_MIN 5
/*
* Our context, where we keep our state.
@@ -76,6 +93,9 @@ struct plugin_per_client_context {
bool generated_pf_file;
};
+/* module name for plugin_log() */
+static char *MODULE = "defer/simple";
+
/*
* Given an environmental variable name, search
* the envp array for its value, returning it
@@ -130,33 +150,52 @@ atoi_null0(const char *str)
}
}
-OPENVPN_EXPORT openvpn_plugin_handle_t
-openvpn_plugin_open_v1(unsigned int *type_mask, const char *argv[], const char *envp[])
+/* Require a minimum OpenVPN Plugin API */
+OPENVPN_EXPORT int
+openvpn_plugin_min_version_required_v1()
+{
+ return OPENVPN_PLUGIN_VERSION_MIN;
+}
+
+/* use v3 functions so we can use openvpn's logging and base64 etc. */
+OPENVPN_EXPORT int
+openvpn_plugin_open_v3(const int v3structver,
+ struct openvpn_plugin_args_open_in const *args,
+ struct openvpn_plugin_args_open_return *ret)
{
+ const char **envp = args->envp; /* environment variables */
struct plugin_context *context;
- printf("FUNC: openvpn_plugin_open_v1\n");
+ if (v3structver < OPENVPN_PLUGIN_STRUCTVER_MIN)
+ {
+ fprintf(stderr, "%s: this plugin is incompatible with the running version of OpenVPN\n", MODULE);
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+
+ /* Save global pointers to functions exported from openvpn */
+ plugin_log = args->callbacks->plugin_log;
+
+ plugin_log(PLOG_NOTE, MODULE, "FUNC: openvpn_plugin_open_v3");
/*
* Allocate our context
*/
context = (struct plugin_context *) calloc(1, sizeof(struct plugin_context));
- if (context == NULL)
+ if (!context)
{
- printf("PLUGIN: allocating memory for context failed\n");
- return NULL;
+ goto error;
}
context->test_deferred_auth = atoi_null0(get_env("test_deferred_auth", envp));
- printf("TEST_DEFERRED_AUTH %d\n", context->test_deferred_auth);
+ plugin_log(PLOG_NOTE, MODULE, "TEST_DEFERRED_AUTH %d", context->test_deferred_auth);
context->test_packet_filter = atoi_null0(get_env("test_packet_filter", envp));
- printf("TEST_PACKET_FILTER %d\n", context->test_packet_filter);
+ plugin_log(PLOG_NOTE, MODULE, "TEST_PACKET_FILTER %d", context->test_packet_filter);
/*
* Which callbacks to intercept.
*/
- *type_mask =
+ ret->type_mask =
OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_UP)
|OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_DOWN)
|OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_ROUTE_UP)
@@ -166,157 +205,315 @@ openvpn_plugin_open_v1(unsigned int *type_mask, const char *argv[], const char *
|OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT_V2)
|OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_DISCONNECT)
|OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_LEARN_ADDRESS)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_FINAL)
- |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_ENABLE_PF);
+ |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_FINAL);
- return (openvpn_plugin_handle_t) context;
+ /* ENABLE_PF should only be called if we're actually willing to do PF */
+ if (context->test_packet_filter)
+ {
+ ret->type_mask |= OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_ENABLE_PF);
+ }
+
+ ret->handle = (openvpn_plugin_handle_t *) context;
+ plugin_log(PLOG_NOTE, MODULE, "initialization succeeded");
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+
+error:
+ if (context)
+ {
+ free(context);
+ }
+ plugin_log(PLOG_NOTE, MODULE, "initialization failed");
+ return OPENVPN_PLUGIN_FUNC_ERROR;
}
static int
-auth_user_pass_verify(struct plugin_context *context, struct plugin_per_client_context *pcc, const char *argv[], const char *envp[])
+auth_user_pass_verify(struct plugin_context *context,
+ struct plugin_per_client_context *pcc,
+ const char *argv[], const char *envp[])
{
- if (context->test_deferred_auth)
+ if (!context->test_deferred_auth)
{
- /* get username/password from envp string array */
- const char *username = get_env("username", envp);
- const char *password = get_env("password", envp);
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ }
- /* get auth_control_file filename from envp string array*/
- const char *auth_control_file = get_env("auth_control_file", envp);
+ /* get username/password from envp string array */
+ const char *username = get_env("username", envp);
+ const char *password = get_env("password", envp);
- printf("DEFER u='%s' p='%s' acf='%s'\n",
+ /* get auth_control_file filename from envp string array*/
+ const char *auth_control_file = get_env("auth_control_file", envp);
+
+ plugin_log(PLOG_NOTE, MODULE, "DEFER u='%s' p='%s' acf='%s'",
np(username),
np(password),
np(auth_control_file));
- /* Authenticate asynchronously in n seconds */
- if (auth_control_file)
- {
- char buf[256];
- int auth = 2;
- sscanf(username, "%d", &auth);
- snprintf(buf, sizeof(buf), "( sleep %d ; echo AUTH %s %d ; echo %d >%s ) &",
- context->test_deferred_auth,
- auth_control_file,
- auth,
- pcc->n_calls < auth,
- auth_control_file);
- printf("%s\n", buf);
- system(buf);
- pcc->n_calls++;
- return OPENVPN_PLUGIN_FUNC_DEFERRED;
- }
- else
- {
- return OPENVPN_PLUGIN_FUNC_ERROR;
- }
+ /* Authenticate asynchronously in n seconds */
+ if (!auth_control_file)
+ {
+ return OPENVPN_PLUGIN_FUNC_ERROR;
}
- else
+
+ /* we do not want to complicate our lives with having to wait()
+ * for child processes (so they are not zombiefied) *and* we MUST NOT
+ * fiddle with signal handlers (= shared with openvpn main), so
+ * we use double-fork() trick.
+ */
+
+ /* fork, sleep, succeed (no "real" auth done = always succeed) */
+ pid_t p1 = fork();
+ if (p1 < 0) /* Fork failed */
{
- return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+ if (p1 > 0) /* parent process */
+ {
+ waitpid(p1, NULL, 0);
+ return OPENVPN_PLUGIN_FUNC_DEFERRED;
+ }
+
+ /* first gen child process, fork() again and exit() right away */
+ pid_t p2 = fork();
+ if (p2 < 0)
+ {
+ plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "BACKGROUND: fork(2) failed");
+ exit(1);
+ }
+
+ if (p2 != 0) /* new parent: exit right away */
+ {
+ exit(0);
+ }
+
+ /* (grand-)child process
+ * - never call "return" now (would mess up openvpn)
+ * - return status is communicated by file
+ * - then exit()
+ */
+
+ /* do mighty complicated work that will really take time here... */
+ plugin_log(PLOG_NOTE, MODULE, "in async/deferred handler, sleep(%d)", context->test_deferred_auth);
+ sleep(context->test_deferred_auth);
+
+ /* now signal success state to openvpn */
+ int fd = open(auth_control_file, O_WRONLY);
+ if (fd < 0)
+ {
+ plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "open('%s') failed", auth_control_file);
+ exit(1);
}
+
+ plugin_log(PLOG_NOTE, MODULE, "auth_user_pass_verify: done" );
+
+ if (write(fd, "1", 1) != 1)
+ {
+ plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "write to '%s' failed", auth_control_file );
+ }
+ close(fd);
+
+ exit(0);
}
static int
tls_final(struct plugin_context *context, struct plugin_per_client_context *pcc, const char *argv[], const char *envp[])
{
- if (context->test_packet_filter)
+ if (!context->test_packet_filter) /* no PF testing, nothing to do */
{
- if (!pcc->generated_pf_file)
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ }
+
+ if (pcc->generated_pf_file) /* we already have created a file */
+ {
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+
+ const char *pff = get_env("pf_file", envp);
+ const char *cn = get_env("username", envp);
+ if (!pff || !cn) /* required vars missing */
+ {
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+
+ pcc->generated_pf_file = true;
+
+ /* the PF API is, basically
+ * - OpenVPN sends a filename (pf_file) to the plugin
+ * - OpenVPN main loop will check every second if that file shows up
+ * - when it does, it will be read & used for the pf config
+ * the pre-created file needs to be removed in ...ENABLE_PF
+ * to make deferred PF setup work
+ *
+ * the regular PF hook does not know the client username or CN, so
+ * this is deferred to the TLS_FINAL hook which knows these things
+ */
+
+ /* do the double fork dance (see above for more verbose comments)
+ */
+ pid_t p1 = fork();
+ if (p1 < 0) /* Fork failed */
+ {
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+ if (p1 > 0) /* parent process */
+ {
+ waitpid(p1, NULL, 0);
+ return OPENVPN_PLUGIN_FUNC_SUCCESS; /* no _DEFERRED here! */
+ }
+
+ /* first gen child process, fork() again and exit() right away */
+ pid_t p2 = fork();
+ if (p2 < 0)
+ {
+ plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "BACKGROUND: fork(2) failed");
+ exit(1);
+ }
+
+ if (p2 != 0) /* new parent: exit right away */
+ {
+ exit(0);
+ }
+
+ /* (grand-)child process
+ * - never call "return" now (would mess up openvpn)
+ * - return status is communicated by file
+ * - then exit()
+ */
+
+ /* at this point, the plugin can take its time, because OpenVPN will
+ * no longer block waiting for the call to finish
+ *
+ * in this example, we build a PF file by copying over a file
+ * named "<username>.pf" to the OpenVPN-provided pf file name
+ *
+ * a real example could do a LDAP lookup, a REST call, ...
+ */
+ plugin_log(PLOG_NOTE, MODULE, "in async/deferred tls_final handler, sleep(%d)", context->test_packet_filter);
+ sleep(context->test_packet_filter);
+
+ char buf[256];
+ snprintf(buf, sizeof(buf), "%s.pf", cn );
+
+ /* there is a small race condition here - OpenVPN could detect our
+ * file while we have only written half of it. So "perfect" code
+ * needs to create this with a temp file name, and then rename() it
+ * after it has been written. But I am lazy.
+ */
+
+ int w_fd = open( pff, O_WRONLY|O_CREAT, 0600 );
+ if (w_fd < 0)
+ {
+ plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "can't write to '%s'", pff);
+ exit(0);
+ }
+
+ int r_fd = open( buf, O_RDONLY );
+ if (r_fd < 0)
+ {
+ plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "can't read '%s', creating empty pf file", buf);
+ close(w_fd);
+ exit(0);
+ }
+
+ char data[1024];
+
+ int r;
+ do
+ {
+ r = read(r_fd, data, sizeof(data));
+ if (r < 0)
{
- const char *pff = get_env("pf_file", envp);
- const char *cn = get_env("username", envp);
- if (pff && cn)
- {
- char buf[256];
- snprintf(buf, sizeof(buf), "( sleep %d ; echo PF %s/%s ; cp \"%s.pf\" \"%s\" ) &",
- context->test_packet_filter, cn, pff, cn, pff);
- printf("%s\n", buf);
- system(buf);
- pcc->generated_pf_file = true;
- return OPENVPN_PLUGIN_FUNC_SUCCESS;
- }
- else
- {
- return OPENVPN_PLUGIN_FUNC_ERROR;
- }
+ plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "error reading '%s'", buf);
+ close(r_fd);
+ close(w_fd);
+ exit(0);
}
- else
+ int w = write(w_fd, data, r);
+ if (w < 0 || w != r)
{
- return OPENVPN_PLUGIN_FUNC_ERROR;
+ plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "error writing %d bytes to '%s'", r, pff);
+ close(r_fd);
+ close(w_fd);
+ exit(0);
}
}
- else
- {
- return OPENVPN_PLUGIN_FUNC_SUCCESS;
- }
+ while(r > 0);
+
+ plugin_log(PLOG_NOTE, MODULE, "copied PF config from '%s' to '%s', job done", buf, pff);
+ exit(0);
}
OPENVPN_EXPORT int
-openvpn_plugin_func_v2(openvpn_plugin_handle_t handle,
- const int type,
- const char *argv[],
- const char *envp[],
- void *per_client_context,
- struct openvpn_plugin_string_list **return_list)
+openvpn_plugin_func_v3(const int v3structver,
+ struct openvpn_plugin_args_func_in const *args,
+ struct openvpn_plugin_args_func_return *ret)
{
- struct plugin_context *context = (struct plugin_context *) handle;
- struct plugin_per_client_context *pcc = (struct plugin_per_client_context *) per_client_context;
- switch (type)
+ if (v3structver < OPENVPN_PLUGIN_STRUCTVER_MIN)
+ {
+ fprintf(stderr, "%s: this plugin is incompatible with the running version of OpenVPN\n", MODULE);
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+ const char **argv = args->argv;
+ const char **envp = args->envp;
+ struct plugin_context *context = (struct plugin_context *) args->handle;
+ struct plugin_per_client_context *pcc = (struct plugin_per_client_context *) args->per_client_context;
+ switch (args->type)
{
case OPENVPN_PLUGIN_UP:
- printf("OPENVPN_PLUGIN_UP\n");
+ plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_UP");
return OPENVPN_PLUGIN_FUNC_SUCCESS;
case OPENVPN_PLUGIN_DOWN:
- printf("OPENVPN_PLUGIN_DOWN\n");
+ plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_DOWN");
return OPENVPN_PLUGIN_FUNC_SUCCESS;
case OPENVPN_PLUGIN_ROUTE_UP:
- printf("OPENVPN_PLUGIN_ROUTE_UP\n");
+ plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_ROUTE_UP");
return OPENVPN_PLUGIN_FUNC_SUCCESS;
case OPENVPN_PLUGIN_IPCHANGE:
- printf("OPENVPN_PLUGIN_IPCHANGE\n");
+ plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_IPCHANGE");
return OPENVPN_PLUGIN_FUNC_SUCCESS;
case OPENVPN_PLUGIN_TLS_VERIFY:
- printf("OPENVPN_PLUGIN_TLS_VERIFY\n");
+ plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_TLS_VERIFY");
return OPENVPN_PLUGIN_FUNC_SUCCESS;
case OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY:
- printf("OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY\n");
+ plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY");
return auth_user_pass_verify(context, pcc, argv, envp);
case OPENVPN_PLUGIN_CLIENT_CONNECT_V2:
- printf("OPENVPN_PLUGIN_CLIENT_CONNECT_V2\n");
+ plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_CLIENT_CONNECT_V2");
return OPENVPN_PLUGIN_FUNC_SUCCESS;
case OPENVPN_PLUGIN_CLIENT_DISCONNECT:
- printf("OPENVPN_PLUGIN_CLIENT_DISCONNECT\n");
+ plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_CLIENT_DISCONNECT");
return OPENVPN_PLUGIN_FUNC_SUCCESS;
case OPENVPN_PLUGIN_LEARN_ADDRESS:
- printf("OPENVPN_PLUGIN_LEARN_ADDRESS\n");
+ plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_LEARN_ADDRESS");
return OPENVPN_PLUGIN_FUNC_SUCCESS;
case OPENVPN_PLUGIN_TLS_FINAL:
- printf("OPENVPN_PLUGIN_TLS_FINAL\n");
+ plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_TLS_FINAL");
return tls_final(context, pcc, argv, envp);
case OPENVPN_PLUGIN_ENABLE_PF:
- printf("OPENVPN_PLUGIN_ENABLE_PF\n");
- if (context->test_packet_filter)
- {
- return OPENVPN_PLUGIN_FUNC_SUCCESS;
- }
- else
+ plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_ENABLE_PF");
+
+ /* OpenVPN pre-creates the file, which gets in the way of
+ * deferred pf setup - so remove it here, and re-create
+ * it in the background handler (in tls_final()) when ready
+ */
+ const char *pff = get_env("pf_file", envp);
+ if (pff)
{
- return OPENVPN_PLUGIN_FUNC_ERROR;
+ (void) unlink(pff);
}
+ return OPENVPN_PLUGIN_FUNC_SUCCESS; /* must succeed */
default:
- printf("OPENVPN_PLUGIN_?\n");
+ plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_?");
return OPENVPN_PLUGIN_FUNC_ERROR;
}
}
@@ -324,14 +521,14 @@ openvpn_plugin_func_v2(openvpn_plugin_handle_t handle,
OPENVPN_EXPORT void *
openvpn_plugin_client_constructor_v1(openvpn_plugin_handle_t handle)
{
- printf("FUNC: openvpn_plugin_client_constructor_v1\n");
+ plugin_log(PLOG_NOTE, MODULE, "FUNC: openvpn_plugin_client_constructor_v1");
return calloc(1, sizeof(struct plugin_per_client_context));
}
OPENVPN_EXPORT void
openvpn_plugin_client_destructor_v1(openvpn_plugin_handle_t handle, void *per_client_context)
{
- printf("FUNC: openvpn_plugin_client_destructor_v1\n");
+ plugin_log(PLOG_NOTE, MODULE, "FUNC: openvpn_plugin_client_destructor_v1");
free(per_client_context);
}
@@ -339,6 +536,6 @@ OPENVPN_EXPORT void
openvpn_plugin_close_v1(openvpn_plugin_handle_t handle)
{
struct plugin_context *context = (struct plugin_context *) handle;
- printf("FUNC: openvpn_plugin_close_v1\n");
+ plugin_log(PLOG_NOTE, MODULE, "FUNC: openvpn_plugin_close_v1");
free(context);
}