summaryrefslogtreecommitdiff
path: root/openvpn/src/plugins
diff options
context:
space:
mode:
Diffstat (limited to 'openvpn/src/plugins')
-rw-r--r--openvpn/src/plugins/README47
-rwxr-xr-xopenvpn/src/plugins/auth-pam/Makefile32
-rw-r--r--openvpn/src/plugins/auth-pam/README74
-rw-r--r--openvpn/src/plugins/auth-pam/auth-pam.c804
-rw-r--r--openvpn/src/plugins/auth-pam/pamdl.c180
-rw-r--r--openvpn/src/plugins/auth-pam/pamdl.h7
-rw-r--r--openvpn/src/plugins/defer/README16
-rwxr-xr-xopenvpn/src/plugins/defer/build15
-rw-r--r--openvpn/src/plugins/defer/simple.c305
-rwxr-xr-xopenvpn/src/plugins/defer/simple.def6
-rwxr-xr-xopenvpn/src/plugins/defer/winbuild18
-rwxr-xr-xopenvpn/src/plugins/down-root/Makefile18
-rw-r--r--openvpn/src/plugins/down-root/README29
-rw-r--r--openvpn/src/plugins/down-root/down-root.c553
-rw-r--r--openvpn/src/plugins/examples/README16
-rwxr-xr-xopenvpn/src/plugins/examples/build15
-rw-r--r--openvpn/src/plugins/examples/log.c184
-rw-r--r--openvpn/src/plugins/examples/log_v3.c247
-rw-r--r--openvpn/src/plugins/examples/simple.c120
-rwxr-xr-xopenvpn/src/plugins/examples/simple.def6
-rwxr-xr-xopenvpn/src/plugins/examples/winbuild18
21 files changed, 2710 insertions, 0 deletions
diff --git a/openvpn/src/plugins/README b/openvpn/src/plugins/README
new file mode 100644
index 00000000..6e490c5a
--- /dev/null
+++ b/openvpn/src/plugins/README
@@ -0,0 +1,47 @@
+OpenVPN Plugins
+---------------
+
+Starting with OpenVPN 2.0-beta17, compiled plugin modules are
+supported on any *nix OS which includes libdl or on Windows.
+One or more modules may be loaded into OpenVPN using
+the --plugin directive, and each plugin module is capable of
+intercepting any of the script callbacks which OpenVPN supports:
+
+(1) up
+(2) down
+(3) route-up
+(4) ipchange
+(5) tls-verify
+(6) auth-user-pass-verify
+(7) client-connect
+(8) client-disconnect
+(9) learn-address
+
+See the openvpn-plugin.h file in the top-level directory of the
+OpenVPN source distribution for more detailed information
+on the plugin interface.
+
+Included Plugins
+----------------
+
+auth-pam -- Authenticate using PAM and a split privilege
+ execution model which functions even if
+ root privileges or the execution environment
+ have been altered with --user/--group/--chroot.
+ Tested on Linux only.
+
+down-root -- Enable the running of down scripts with root privileges
+ even if --user/--group/--chroot have been used
+ to drop root privileges or change the execution
+ environment. Not applicable on Windows.
+
+examples -- A simple example that demonstrates a portable
+ plugin, i.e. one which can be built for *nix
+ or Windows from the same source.
+
+Building Plugins
+----------------
+
+cd to the top-level directory of a plugin, and use the
+"make" command to build it. The examples plugin is
+built using a build script, not a makefile.
diff --git a/openvpn/src/plugins/auth-pam/Makefile b/openvpn/src/plugins/auth-pam/Makefile
new file mode 100755
index 00000000..c0b9c79e
--- /dev/null
+++ b/openvpn/src/plugins/auth-pam/Makefile
@@ -0,0 +1,32 @@
+#
+# Build the OpenVPN auth-pam plugin module.
+#
+
+# If PAM modules are not linked against libpam.so, set DLOPEN_PAM to 1. This
+# must be done on SUSE 9.1, at least.
+DLOPEN_PAM=0
+
+ifeq ($(DLOPEN_PAM),1)
+ LIBPAM=-ldl
+else
+ LIBPAM=-lpam
+endif
+
+# This directory is where we will look for openvpn-plugin.h
+CPPFLAGS=-I../../../include
+
+CC=gcc
+CFLAGS=-O2 -Wall
+DEFS = -DDLOPEN_PAM=$(DLOPEN_PAM)
+
+openvpn-auth-pam.so : auth-pam.o pamdl.o
+ $(CC) $(CFLAGS) -fPIC -shared $(LDFLAGS) -Wl,-soname,openvpn-auth-pam.so -o openvpn-auth-pam.so auth-pam.o pamdl.o -lc $(LIBPAM)
+
+auth-pam.o : auth-pam.c pamdl.h
+ $(CC) $(CPPFLAGS) $(CFLAGS) $(DEFS) -fPIC -c auth-pam.c
+
+pamdl.o : pamdl.c pamdl.h
+ $(CC) $(CPPFLAGS) $(CFLAGS) $(DEFS) -fPIC -c pamdl.c
+
+clean :
+ -rm -f *.o *.so
diff --git a/openvpn/src/plugins/auth-pam/README b/openvpn/src/plugins/auth-pam/README
new file mode 100644
index 00000000..e1236902
--- /dev/null
+++ b/openvpn/src/plugins/auth-pam/README
@@ -0,0 +1,74 @@
+openvpn-auth-pam
+
+SYNOPSIS
+
+The openvpn-auth-pam module implements username/password
+authentication via PAM, and essentially allows any authentication
+method supported by PAM (such as LDAP, RADIUS, or Linux Shadow
+passwords) to be used with OpenVPN. While PAM supports
+username/password authentication, this can be combined with X509
+certificates to provide two indepedent levels of authentication.
+
+This module uses a split privilege execution model which will
+function even if you drop openvpn daemon privileges using the user,
+group, or chroot directives.
+
+BUILD
+
+To build openvpn-auth-pam, you will need to have the pam-devel
+package installed.
+
+Build with the "make" command. The module will be named
+openvpn-auth-pam.so
+
+USAGE
+
+To use this plugin module, add to your OpenVPN config file:
+
+ plugin openvpn-auth-pam.so service-type
+
+The required service-type parameter corresponds to
+the PAM service definition file usually found
+in /etc/pam.d.
+
+This plugin also supports the usage of a list of name/value
+pairs to answer PAM module queries.
+
+For example:
+
+ plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD"
+
+tells auth-pam to (a) use the "login" PAM module, (b) answer a
+"login" query with the username given by the OpenVPN client, and
+(c) answer a "password" query with the password given by the
+OpenVPN client. This provides flexibility in dealing with the different
+types of query strings which different PAM modules might generate.
+For example, suppose you were using a PAM module called
+"test" which queried for "name" rather than "login":
+
+ plugin openvpn-auth-pam.so "test name USERNAME password PASSWORD"
+
+While "USERNAME" "COMMONNAME" and "PASSWORD" are special strings which substitute
+to client-supplied values, it is also possible to name literal values
+to use as PAM module query responses. For example, suppose that the
+login module queried for a third parameter, "domain" which
+is to be answered with the constant value "mydomain.com":
+
+ plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD domain mydomain.com"
+
+The following OpenVPN directives can also influence
+the operation of this plugin:
+
+ client-cert-not-required
+ username-as-common-name
+
+Run OpenVPN with --verb 7 or higher to get debugging output from
+this plugin, including the list of queries presented by the
+underlying PAM module. This is a useful debugging tool to figure
+out which queries a given PAM module is making, so that you can
+craft the appropriate plugin directive to answer it.
+
+CAVEATS
+
+This module will only work on *nix systems which support PAM,
+not Windows.
diff --git a/openvpn/src/plugins/auth-pam/auth-pam.c b/openvpn/src/plugins/auth-pam/auth-pam.c
new file mode 100644
index 00000000..e52f6322
--- /dev/null
+++ b/openvpn/src/plugins/auth-pam/auth-pam.c
@@ -0,0 +1,804 @@
+/*
+ * OpenVPN -- An application to securely tunnel IP networks
+ * over a single TCP/UDP port, with support for SSL/TLS-based
+ * session authentication and key exchange,
+ * packet encryption, packet authentication, and
+ * packet compression.
+ *
+ * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program (see the file COPYING included with this
+ * distribution); if not, write to the Free Software Foundation, Inc.,
+ * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+/*
+ * OpenVPN plugin module to do PAM authentication using a split
+ * privilege model.
+ */
+
+#if DLOPEN_PAM
+#include <dlfcn.h>
+#include "pamdl.h"
+#else
+#include <security/pam_appl.h>
+#endif
+
+#include <stdio.h>
+#include <string.h>
+#include <ctype.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/wait.h>
+#include <fcntl.h>
+#include <signal.h>
+#include <syslog.h>
+
+#include "openvpn-plugin.h"
+
+#define DEBUG(verb) ((verb) >= 4)
+
+/* Command codes for foreground -> background communication */
+#define COMMAND_VERIFY 0
+#define COMMAND_EXIT 1
+
+/* Response codes for background -> foreground communication */
+#define RESPONSE_INIT_SUCCEEDED 10
+#define RESPONSE_INIT_FAILED 11
+#define RESPONSE_VERIFY_SUCCEEDED 12
+#define RESPONSE_VERIFY_FAILED 13
+
+/*
+ * Plugin state, used by foreground
+ */
+struct auth_pam_context
+{
+ /* Foreground's socket to background process */
+ int foreground_fd;
+
+ /* Process ID of background process */
+ pid_t background_pid;
+
+ /* Verbosity level of OpenVPN */
+ int verb;
+};
+
+/*
+ * Name/Value pairs for conversation function.
+ * Special Values:
+ *
+ * "USERNAME" -- substitute client-supplied username
+ * "PASSWORD" -- substitute client-specified password
+ * "COMMONNAME" -- substitute client certificate common name
+ */
+
+#define N_NAME_VALUE 16
+
+struct name_value {
+ const char *name;
+ const char *value;
+};
+
+struct name_value_list {
+ int len;
+ struct name_value data[N_NAME_VALUE];
+};
+
+/*
+ * Used to pass the username/password
+ * to the PAM conversation function.
+ */
+struct user_pass {
+ int verb;
+
+ char username[128];
+ char password[128];
+ char common_name[128];
+
+ const struct name_value_list *name_value_list;
+};
+
+/* Background process function */
+static void pam_server (int fd, const char *service, int verb, const struct name_value_list *name_value_list);
+
+/* Read 'tosearch', replace all occurences of 'searchfor' with 'replacewith' and return
+ * a pointer to the NEW string. Does not modify the input strings. Will not enter an
+ * infinite loop with clever 'searchfor' and 'replacewith' strings.
+ * Daniel Johnson - Progman2000@usa.net / djohnson@progman.us
+ */
+static char *
+searchandreplace(const char *tosearch, const char *searchfor, const char *replacewith)
+{
+ const char *searching=tosearch;
+ char *scratch;
+ char temp[strlen(tosearch)*10];
+ temp[0]=0;
+
+ if (!tosearch || !searchfor || !replacewith) return 0;
+ if (!strlen(tosearch) || !strlen(searchfor) || !strlen(replacewith)) return 0;
+
+ scratch = strstr(searching,searchfor);
+ if (!scratch) return strdup(tosearch);
+
+ while (scratch) {
+ strncat(temp,searching,scratch-searching);
+ strcat(temp,replacewith);
+
+ searching=scratch+strlen(searchfor);
+ scratch = strstr(searching,searchfor);
+ }
+ return strdup(temp);
+}
+
+/*
+ * Given an environmental variable name, search
+ * the envp array for its value, returning it
+ * if found or NULL otherwise.
+ */
+static const char *
+get_env (const char *name, const char *envp[])
+{
+ if (envp)
+ {
+ int i;
+ const int namelen = strlen (name);
+ for (i = 0; envp[i]; ++i)
+ {
+ if (!strncmp (envp[i], name, namelen))
+ {
+ const char *cp = envp[i] + namelen;
+ if (*cp == '=')
+ return cp + 1;
+ }
+ }
+ }
+ return NULL;
+}
+
+/*
+ * Return the length of a string array
+ */
+static int
+string_array_len (const char *array[])
+{
+ int i = 0;
+ if (array)
+ {
+ while (array[i])
+ ++i;
+ }
+ return i;
+}
+
+/*
+ * Socket read/write functions.
+ */
+
+static int
+recv_control (int fd)
+{
+ unsigned char c;
+ const ssize_t size = read (fd, &c, sizeof (c));
+ if (size == sizeof (c))
+ return c;
+ else
+ {
+ /*fprintf (stderr, "AUTH-PAM: DEBUG recv_control.read=%d\n", (int)size);*/
+ return -1;
+ }
+}
+
+static int
+send_control (int fd, int code)
+{
+ unsigned char c = (unsigned char) code;
+ const ssize_t size = write (fd, &c, sizeof (c));
+ if (size == sizeof (c))
+ return (int) size;
+ else
+ return -1;
+}
+
+static int
+recv_string (int fd, char *buffer, int len)
+{
+ if (len > 0)
+ {
+ ssize_t size;
+ memset (buffer, 0, len);
+ size = read (fd, buffer, len);
+ buffer[len-1] = 0;
+ if (size >= 1)
+ return (int)size;
+ }
+ return -1;
+}
+
+static int
+send_string (int fd, const char *string)
+{
+ const int len = strlen (string) + 1;
+ const ssize_t size = write (fd, string, len);
+ if (size == len)
+ return (int) size;
+ else
+ return -1;
+}
+
+#ifdef DO_DAEMONIZE
+
+/*
+ * Daemonize if "daemon" env var is true.
+ * Preserve stderr across daemonization if
+ * "daemon_log_redirect" env var is true.
+ */
+static void
+daemonize (const char *envp[])
+{
+ const char *daemon_string = get_env ("daemon", envp);
+ if (daemon_string && daemon_string[0] == '1')
+ {
+ const char *log_redirect = get_env ("daemon_log_redirect", envp);
+ int fd = -1;
+ if (log_redirect && log_redirect[0] == '1')
+ fd = dup (2);
+ if (daemon (0, 0) < 0)
+ {
+ fprintf (stderr, "AUTH-PAM: daemonization failed\n");
+ }
+ else if (fd >= 3)
+ {
+ dup2 (fd, 2);
+ close (fd);
+ }
+ }
+}
+
+#endif
+
+/*
+ * Close most of parent's fds.
+ * Keep stdin/stdout/stderr, plus one
+ * other fd which is presumed to be
+ * our pipe back to parent.
+ * Admittedly, a bit of a kludge,
+ * but posix doesn't give us a kind
+ * of FD_CLOEXEC which will stop
+ * fds from crossing a fork().
+ */
+static void
+close_fds_except (int keep)
+{
+ int i;
+ closelog ();
+ for (i = 3; i <= 100; ++i)
+ {
+ if (i != keep)
+ close (i);
+ }
+}
+
+/*
+ * Usually we ignore signals, because our parent will
+ * deal with them.
+ */
+static void
+set_signals (void)
+{
+ signal (SIGTERM, SIG_DFL);
+
+ signal (SIGINT, SIG_IGN);
+ signal (SIGHUP, SIG_IGN);
+ signal (SIGUSR1, SIG_IGN);
+ signal (SIGUSR2, SIG_IGN);
+ signal (SIGPIPE, SIG_IGN);
+}
+
+/*
+ * Return 1 if query matches match.
+ */
+static int
+name_value_match (const char *query, const char *match)
+{
+ while (!isalnum (*query))
+ {
+ if (*query == '\0')
+ return 0;
+ ++query;
+ }
+ return strncasecmp (match, query, strlen (match)) == 0;
+}
+
+OPENVPN_EXPORT openvpn_plugin_handle_t
+openvpn_plugin_open_v1 (unsigned int *type_mask, const char *argv[], const char *envp[])
+{
+ pid_t pid;
+ int fd[2];
+
+ struct auth_pam_context *context;
+ struct name_value_list name_value_list;
+
+ const int base_parms = 2;
+
+ /*
+ * Allocate our context
+ */
+ context = (struct auth_pam_context *) calloc (1, sizeof (struct auth_pam_context));
+ if (!context)
+ goto error;
+ context->foreground_fd = -1;
+
+ /*
+ * Intercept the --auth-user-pass-verify callback.
+ */
+ *type_mask = OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY);
+
+ /*
+ * Make sure we have two string arguments: the first is the .so name,
+ * the second is the PAM service type.
+ */
+ if (string_array_len (argv) < base_parms)
+ {
+ fprintf (stderr, "AUTH-PAM: need PAM service parameter\n");
+ goto error;
+ }
+
+ /*
+ * See if we have optional name/value pairs to match against
+ * PAM module queried fields in the conversation function.
+ */
+ name_value_list.len = 0;
+ if (string_array_len (argv) > base_parms)
+ {
+ const int nv_len = string_array_len (argv) - base_parms;
+ int i;
+
+ if ((nv_len & 1) == 1 || (nv_len / 2) > N_NAME_VALUE)
+ {
+ fprintf (stderr, "AUTH-PAM: bad name/value list length\n");
+ goto error;
+ }
+
+ name_value_list.len = nv_len / 2;
+ for (i = 0; i < name_value_list.len; ++i)
+ {
+ const int base = base_parms + i * 2;
+ name_value_list.data[i].name = argv[base];
+ name_value_list.data[i].value = argv[base+1];
+ }
+ }
+
+ /*
+ * Get verbosity level from environment
+ */
+ {
+ const char *verb_string = get_env ("verb", envp);
+ if (verb_string)
+ context->verb = atoi (verb_string);
+ }
+
+ /*
+ * Make a socket for foreground and background processes
+ * to communicate.
+ */
+ if (socketpair (PF_UNIX, SOCK_DGRAM, 0, fd) == -1)
+ {
+ fprintf (stderr, "AUTH-PAM: socketpair call failed\n");
+ goto error;
+ }
+
+ /*
+ * Fork off the privileged process. It will remain privileged
+ * even after the foreground process drops its privileges.
+ */
+ pid = fork ();
+
+ if (pid)
+ {
+ int status;
+
+ /*
+ * Foreground Process
+ */
+
+ context->background_pid = pid;
+
+ /* close our copy of child's socket */
+ close (fd[1]);
+
+ /* don't let future subprocesses inherit child socket */
+ if (fcntl (fd[0], F_SETFD, FD_CLOEXEC) < 0)
+ fprintf (stderr, "AUTH-PAM: Set FD_CLOEXEC flag on socket file descriptor failed\n");
+
+ /* wait for background child process to initialize */
+ status = recv_control (fd[0]);
+ if (status == RESPONSE_INIT_SUCCEEDED)
+ {
+ context->foreground_fd = fd[0];
+ return (openvpn_plugin_handle_t) context;
+ }
+ }
+ else
+ {
+ /*
+ * Background Process
+ */
+
+ /* close all parent fds except our socket back to parent */
+ close_fds_except (fd[1]);
+
+ /* Ignore most signals (the parent will receive them) */
+ set_signals ();
+
+#ifdef DO_DAEMONIZE
+ /* Daemonize if --daemon option is set. */
+ daemonize (envp);
+#endif
+
+ /* execute the event loop */
+ pam_server (fd[1], argv[1], context->verb, &name_value_list);
+
+ close (fd[1]);
+
+ exit (0);
+ return 0; /* NOTREACHED */
+ }
+
+ error:
+ if (context)
+ free (context);
+ return NULL;
+}
+
+OPENVPN_EXPORT int
+openvpn_plugin_func_v1 (openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[])
+{
+ struct auth_pam_context *context = (struct auth_pam_context *) handle;
+
+ if (type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY && context->foreground_fd >= 0)
+ {
+ /* get username/password from envp string array */
+ const char *username = get_env ("username", envp);
+ const char *password = get_env ("password", envp);
+ const char *common_name = get_env ("common_name", envp) ? get_env ("common_name", envp) : "";
+
+ if (username && strlen (username) > 0 && password)
+ {
+ if (send_control (context->foreground_fd, COMMAND_VERIFY) == -1
+ || send_string (context->foreground_fd, username) == -1
+ || send_string (context->foreground_fd, password) == -1
+ || send_string (context->foreground_fd, common_name) == -1)
+ {
+ fprintf (stderr, "AUTH-PAM: Error sending auth info to background process\n");
+ }
+ else
+ {
+ const int status = recv_control (context->foreground_fd);
+ if (status == RESPONSE_VERIFY_SUCCEEDED)
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ if (status == -1)
+ fprintf (stderr, "AUTH-PAM: Error receiving auth confirmation from background process\n");
+ }
+ }
+ }
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+}
+
+OPENVPN_EXPORT void
+openvpn_plugin_close_v1 (openvpn_plugin_handle_t handle)
+{
+ struct auth_pam_context *context = (struct auth_pam_context *) handle;
+
+ if (DEBUG (context->verb))
+ fprintf (stderr, "AUTH-PAM: close\n");
+
+ if (context->foreground_fd >= 0)
+ {
+ /* tell background process to exit */
+ if (send_control (context->foreground_fd, COMMAND_EXIT) == -1)
+ fprintf (stderr, "AUTH-PAM: Error signaling background process to exit\n");
+
+ /* wait for background process to exit */
+ if (context->background_pid > 0)
+ waitpid (context->background_pid, NULL, 0);
+
+ close (context->foreground_fd);
+ context->foreground_fd = -1;
+ }
+
+ free (context);
+}
+
+OPENVPN_EXPORT void
+openvpn_plugin_abort_v1 (openvpn_plugin_handle_t handle)
+{
+ struct auth_pam_context *context = (struct auth_pam_context *) handle;
+
+ /* tell background process to exit */
+ if (context && context->foreground_fd >= 0)
+ {
+ send_control (context->foreground_fd, COMMAND_EXIT);
+ close (context->foreground_fd);
+ context->foreground_fd = -1;
+ }
+}
+
+/*
+ * PAM conversation function
+ */
+static int
+my_conv (int n, const struct pam_message **msg_array,
+ struct pam_response **response_array, void *appdata_ptr)
+{
+ const struct user_pass *up = ( const struct user_pass *) appdata_ptr;
+ struct pam_response *aresp;
+ int i;
+ int ret = PAM_SUCCESS;
+
+ *response_array = NULL;
+
+ if (n <= 0 || n > PAM_MAX_NUM_MSG)
+ return (PAM_CONV_ERR);
+ if ((aresp = calloc (n, sizeof *aresp)) == NULL)
+ return (PAM_BUF_ERR);
+
+ /* loop through each PAM-module query */
+ for (i = 0; i < n; ++i)
+ {
+ const struct pam_message *msg = msg_array[i];
+ aresp[i].resp_retcode = 0;
+ aresp[i].resp = NULL;
+
+ if (DEBUG (up->verb))
+ {
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: my_conv[%d] query='%s' style=%d\n",
+ i,
+ msg->msg ? msg->msg : "NULL",
+ msg->msg_style);
+ }
+
+ if (up->name_value_list && up->name_value_list->len > 0)
+ {
+ /* use name/value list match method */
+ const struct name_value_list *list = up->name_value_list;
+ int j;
+
+ /* loop through name/value pairs */
+ for (j = 0; j < list->len; ++j)
+ {
+ const char *match_name = list->data[j].name;
+ const char *match_value = list->data[j].value;
+
+ if (name_value_match (msg->msg, match_name))
+ {
+ /* found name/value match */
+ aresp[i].resp = NULL;
+
+ if (DEBUG (up->verb))
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: name match found, query/match-string ['%s', '%s'] = '%s'\n",
+ msg->msg,
+ match_name,
+ match_value);
+
+ if (strstr(match_value, "USERNAME"))
+ aresp[i].resp = searchandreplace(match_value, "USERNAME", up->username);
+ else if (strstr(match_value, "PASSWORD"))
+ aresp[i].resp = searchandreplace(match_value, "PASSWORD", up->password);
+ else if (strstr(match_value, "COMMONNAME"))
+ aresp[i].resp = searchandreplace(match_value, "COMMONNAME", up->common_name);
+ else
+ aresp[i].resp = strdup (match_value);
+
+ if (aresp[i].resp == NULL)
+ ret = PAM_CONV_ERR;
+ break;
+ }
+ }
+
+ if (j == list->len)
+ ret = PAM_CONV_ERR;
+ }
+ else
+ {
+ /* use PAM_PROMPT_ECHO_x hints */
+ switch (msg->msg_style)
+ {
+ case PAM_PROMPT_ECHO_OFF:
+ aresp[i].resp = strdup (up->password);
+ if (aresp[i].resp == NULL)
+ ret = PAM_CONV_ERR;
+ break;
+
+ case PAM_PROMPT_ECHO_ON:
+ aresp[i].resp = strdup (up->username);
+ if (aresp[i].resp == NULL)
+ ret = PAM_CONV_ERR;
+ break;
+
+ case PAM_ERROR_MSG:
+ case PAM_TEXT_INFO:
+ break;
+
+ default:
+ ret = PAM_CONV_ERR;
+ break;
+ }
+ }
+ }
+
+ if (ret == PAM_SUCCESS)
+ *response_array = aresp;
+ return ret;
+}
+
+/*
+ * Return 1 if authenticated and 0 if failed.
+ * Called once for every username/password
+ * to be authenticated.
+ */
+static int
+pam_auth (const char *service, const struct user_pass *up)
+{
+ struct pam_conv conv;
+ pam_handle_t *pamh = NULL;
+ int status = PAM_SUCCESS;
+ int ret = 0;
+ const int name_value_list_provided = (up->name_value_list && up->name_value_list->len > 0);
+
+ /* Initialize PAM */
+ conv.conv = my_conv;
+ conv.appdata_ptr = (void *)up;
+ status = pam_start (service, name_value_list_provided ? NULL : up->username, &conv, &pamh);
+ if (status == PAM_SUCCESS)
+ {
+ /* Call PAM to verify username/password */
+ status = pam_authenticate(pamh, 0);
+ if (status == PAM_SUCCESS)
+ status = pam_acct_mgmt (pamh, 0);
+ if (status == PAM_SUCCESS)
+ ret = 1;
+
+ /* Output error message if failed */
+ if (!ret)
+ {
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: user '%s' failed to authenticate: %s\n",
+ up->username,
+ pam_strerror (pamh, status));
+ }
+
+ /* Close PAM */
+ pam_end (pamh, status);
+ }
+
+ return ret;
+}
+
+/*
+ * Background process -- runs with privilege.
+ */
+static void
+pam_server (int fd, const char *service, int verb, const struct name_value_list *name_value_list)
+{
+ struct user_pass up;
+ int command;
+#if DLOPEN_PAM
+ static const char pam_so[] = "libpam.so";
+#endif
+
+ /*
+ * Do initialization
+ */
+ if (DEBUG (verb))
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: INIT service='%s'\n", service);
+
+#if DLOPEN_PAM
+ /*
+ * Load PAM shared object
+ */
+ if (!dlopen_pam (pam_so))
+ {
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: could not load PAM lib %s: %s\n", pam_so, dlerror());
+ send_control (fd, RESPONSE_INIT_FAILED);
+ goto done;
+ }
+#endif
+
+ /*
+ * Tell foreground that we initialized successfully
+ */
+ if (send_control (fd, RESPONSE_INIT_SUCCEEDED) == -1)
+ {
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: write error on response socket [1]\n");
+ goto done;
+ }
+
+ /*
+ * Event loop
+ */
+ while (1)
+ {
+ memset (&up, 0, sizeof (up));
+ up.verb = verb;
+ up.name_value_list = name_value_list;
+
+ /* get a command from foreground process */
+ command = recv_control (fd);
+
+ if (DEBUG (verb))
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: received command code: %d\n", command);
+
+ switch (command)
+ {
+ case COMMAND_VERIFY:
+ if (recv_string (fd, up.username, sizeof (up.username)) == -1
+ || recv_string (fd, up.password, sizeof (up.password)) == -1
+ || recv_string (fd, up.common_name, sizeof (up.common_name)) == -1)
+ {
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: read error on command channel: code=%d, exiting\n",
+ command);
+ goto done;
+ }
+
+ if (DEBUG (verb))
+ {
+#if 0
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: USER/PASS: %s/%s\n",
+ up.username, up.password);
+#else
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: USER: %s\n", up.username);
+#endif
+ }
+
+ if (pam_auth (service, &up)) /* Succeeded */
+ {
+ if (send_control (fd, RESPONSE_VERIFY_SUCCEEDED) == -1)
+ {
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: write error on response socket [2]\n");
+ goto done;
+ }
+ }
+ else /* Failed */
+ {
+ if (send_control (fd, RESPONSE_VERIFY_FAILED) == -1)
+ {
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: write error on response socket [3]\n");
+ goto done;
+ }
+ }
+ break;
+
+ case COMMAND_EXIT:
+ goto done;
+
+ case -1:
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: read error on command channel\n");
+ goto done;
+
+ default:
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: unknown command code: code=%d, exiting\n",
+ command);
+ goto done;
+ }
+ }
+ done:
+
+#if DLOPEN_PAM
+ dlclose_pam ();
+#endif
+ if (DEBUG (verb))
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: EXIT\n");
+
+ return;
+}
diff --git a/openvpn/src/plugins/auth-pam/pamdl.c b/openvpn/src/plugins/auth-pam/pamdl.c
new file mode 100644
index 00000000..8636a8e4
--- /dev/null
+++ b/openvpn/src/plugins/auth-pam/pamdl.c
@@ -0,0 +1,180 @@
+#if DLOPEN_PAM
+/*
+ * If you want to dynamically load libpam using dlopen() or something,
+ * then dlopen( ' this shared object ' ); It takes care of exporting
+ * the right symbols to any modules loaded by libpam.
+ *
+ * Modified by JY for use with openvpn-pam-auth
+ */
+
+#include <stdio.h>
+#include <dlfcn.h>
+#include <security/pam_appl.h>
+
+#include "pamdl.h"
+
+static void *libpam_h = NULL;
+
+#define RESOLVE_PAM_FUNCTION(x, y, z, err) \
+ { \
+ union { const void *tpointer; y (*fn) z ; } fptr; \
+ fptr.tpointer = dlsym(libpam_h, #x); real_##x = fptr.fn; \
+ if (real_##x == NULL) { \
+ fprintf (stderr, "PAMDL: unable to resolve '%s': %s\n", #x, dlerror()); \
+ return err; \
+ } \
+ }
+
+int
+dlopen_pam (const char *so)
+{
+ if (libpam_h == NULL)
+ {
+ libpam_h = dlopen(so, RTLD_GLOBAL|RTLD_NOW);
+ }
+ return libpam_h != NULL;
+}
+
+void
+dlclose_pam (void)
+{
+ if (libpam_h != NULL)
+ {
+ dlclose(libpam_h);
+ libpam_h = NULL;
+ }
+}
+
+int pam_start(const char *service_name, const char *user,
+ const struct pam_conv *pam_conversation,
+ pam_handle_t **pamh)
+{
+ int (*real_pam_start)(const char *, const char *,
+ const struct pam_conv *,
+ pam_handle_t **);
+ RESOLVE_PAM_FUNCTION(pam_start, int, (const char *, const char *,
+ const struct pam_conv *,
+ pam_handle_t **), PAM_ABORT);
+ return real_pam_start(service_name, user, pam_conversation, pamh);
+}
+
+int pam_end(pam_handle_t *pamh, int pam_status)
+{
+ int (*real_pam_end)(pam_handle_t *, int);
+ RESOLVE_PAM_FUNCTION(pam_end, int, (pam_handle_t *, int), PAM_ABORT);
+ return real_pam_end(pamh, pam_status);
+}
+
+int pam_set_item(pam_handle_t *pamh, int item_type, const void *item)
+{
+ int (*real_pam_set_item)(pam_handle_t *, int, const void *);
+ RESOLVE_PAM_FUNCTION(pam_set_item, int,
+ (pam_handle_t *, int, const void *), PAM_ABORT);
+ return real_pam_set_item(pamh, item_type, item);
+}
+
+int pam_get_item(pam_handle_t *pamh, int item_type, const void **item)
+{
+ int (*real_pam_get_item)(const pam_handle_t *, int, const void **);
+ RESOLVE_PAM_FUNCTION(pam_get_item, int,
+ (const pam_handle_t *, int, const void **),
+ PAM_ABORT);
+ return real_pam_get_item(pamh, item_type, item);
+}
+
+int pam_fail_delay(pam_handle_t *pamh, unsigned int musec_delay)
+{
+ int (*real_pam_fail_delay)(pam_handle_t *, unsigned int);
+ RESOLVE_PAM_FUNCTION(pam_fail_delay, int, (pam_handle_t *, unsigned int),
+ PAM_ABORT);
+ return real_pam_fail_delay(pamh, musec_delay);
+}
+
+typedef const char * const_char_pointer;
+
+const_char_pointer pam_strerror(pam_handle_t *pamh, int errnum)
+{
+ const_char_pointer (*real_pam_strerror)(pam_handle_t *, int);
+ RESOLVE_PAM_FUNCTION(pam_strerror, const_char_pointer,
+ (pam_handle_t *, int), NULL);
+ return real_pam_strerror(pamh, errnum);
+}
+
+int pam_putenv(pam_handle_t *pamh, const char *name_value)
+{
+ int (*real_pam_putenv)(pam_handle_t *, const char *);
+ RESOLVE_PAM_FUNCTION(pam_putenv, int, (pam_handle_t *, const char *),
+ PAM_ABORT);
+ return real_pam_putenv(pamh, name_value);
+}
+
+const_char_pointer pam_getenv(pam_handle_t *pamh, const char *name)
+{
+ const_char_pointer (*real_pam_getenv)(pam_handle_t *, const char *);
+ RESOLVE_PAM_FUNCTION(pam_getenv, const_char_pointer,
+ (pam_handle_t *, const char *), NULL);
+ return real_pam_getenv(pamh, name);
+}
+
+typedef char ** char_ppointer;
+char_ppointer pam_getenvlist(pam_handle_t *pamh)
+{
+ char_ppointer (*real_pam_getenvlist)(pam_handle_t *);
+ RESOLVE_PAM_FUNCTION(pam_getenvlist, char_ppointer, (pam_handle_t *),
+ NULL);
+ return real_pam_getenvlist(pamh);
+}
+
+/* Authentication management */
+
+int pam_authenticate(pam_handle_t *pamh, int flags)
+{
+ int (*real_pam_authenticate)(pam_handle_t *, int);
+ RESOLVE_PAM_FUNCTION(pam_authenticate, int, (pam_handle_t *, int),
+ PAM_ABORT);
+ return real_pam_authenticate(pamh, flags);
+}
+
+int pam_setcred(pam_handle_t *pamh, int flags)
+{
+ int (*real_pam_setcred)(pam_handle_t *, int);
+ RESOLVE_PAM_FUNCTION(pam_setcred, int, (pam_handle_t *, int), PAM_ABORT);
+ return real_pam_setcred(pamh, flags);
+}
+
+/* Account Management API's */
+
+int pam_acct_mgmt(pam_handle_t *pamh, int flags)
+{
+ int (*real_pam_acct_mgmt)(pam_handle_t *, int);
+ RESOLVE_PAM_FUNCTION(pam_acct_mgmt, int, (pam_handle_t *, int), PAM_ABORT);
+ return real_pam_acct_mgmt(pamh, flags);
+}
+
+/* Session Management API's */
+
+int pam_open_session(pam_handle_t *pamh, int flags)
+{
+ int (*real_pam_open_session)(pam_handle_t *, int);
+ RESOLVE_PAM_FUNCTION(pam_open_session, int, (pam_handle_t *, int),
+ PAM_ABORT);
+ return real_pam_open_session(pamh, flags);
+}
+
+int pam_close_session(pam_handle_t *pamh, int flags)
+{
+ int (*real_pam_close_session)(pam_handle_t *, int);
+ RESOLVE_PAM_FUNCTION(pam_close_session, int, (pam_handle_t *, int),
+ PAM_ABORT);
+ return real_pam_close_session(pamh, flags);
+}
+
+/* Password Management API's */
+
+int pam_chauthtok(pam_handle_t *pamh, int flags)
+{
+ int (*real_pam_chauthtok)(pam_handle_t *, int);
+ RESOLVE_PAM_FUNCTION(pam_chauthtok, int, (pam_handle_t *, int), PAM_ABORT);
+ return real_pam_chauthtok(pamh, flags);
+}
+#endif
diff --git a/openvpn/src/plugins/auth-pam/pamdl.h b/openvpn/src/plugins/auth-pam/pamdl.h
new file mode 100644
index 00000000..b10b035a
--- /dev/null
+++ b/openvpn/src/plugins/auth-pam/pamdl.h
@@ -0,0 +1,7 @@
+#if DLOPEN_PAM
+#include <security/pam_appl.h>
+
+/* Dynamically load and unload the PAM library */
+int dlopen_pam (const char *so);
+void dlclose_pam (void);
+#endif
diff --git a/openvpn/src/plugins/defer/README b/openvpn/src/plugins/defer/README
new file mode 100644
index 00000000..d8990f8b
--- /dev/null
+++ b/openvpn/src/plugins/defer/README
@@ -0,0 +1,16 @@
+OpenVPN plugin examples.
+
+Examples provided:
+
+simple.c -- using the --auth-user-pass-verify callback,
+ test deferred authentication.
+
+To build:
+
+ ./build simple (Linux/BSD/etc.)
+ ./winbuild simple (MinGW on Windows)
+
+To use in OpenVPN, add to config file:
+
+ plugin simple.so (Linux/BSD/etc.)
+ plugin simple.dll (MinGW on Windows)
diff --git a/openvpn/src/plugins/defer/build b/openvpn/src/plugins/defer/build
new file mode 100755
index 00000000..0612c080
--- /dev/null
+++ b/openvpn/src/plugins/defer/build
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+#
+# Build an OpenVPN plugin module on *nix. The argument should
+# be the base name of the C source file (without the .c).
+#
+
+# This directory is where we will look for openvpn-plugin.h
+CPPFLAGS="${CPPFLAGS:--I../../../include}"
+
+CC="${CC:-gcc}"
+CFLAGS="${CFLAGS:--O2 -Wall -g}"
+
+$CC $CPPFLAGS $CFLAGS -fPIC -c $1.c && \
+$CC $CFLAGS -fPIC -shared ${LDFLAS} -Wl,-soname,$1.so -o $1.so $1.o -lc
diff --git a/openvpn/src/plugins/defer/simple.c b/openvpn/src/plugins/defer/simple.c
new file mode 100644
index 00000000..65398657
--- /dev/null
+++ b/openvpn/src/plugins/defer/simple.c
@@ -0,0 +1,305 @@
+/*
+ * OpenVPN -- An application to securely tunnel IP networks
+ * over a single TCP/UDP port, with support for SSL/TLS-based
+ * session authentication and key exchange,
+ * packet encryption, packet authentication, and
+ * packet compression.
+ *
+ * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program (see the file COPYING included with this
+ * distribution); if not, write to the Free Software Foundation, Inc.,
+ * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+/*
+ * This file implements a simple OpenVPN plugin module which
+ * will test deferred authentication and packet filtering.
+ *
+ * Will run on Windows or *nix.
+ *
+ * Sample usage:
+ *
+ * setenv test_deferred_auth 20
+ * setenv test_packet_filter 10
+ * plugin plugin/defer/simple.so
+ *
+ * This will enable deferred authentication to occur 20
+ * seconds after the normal TLS authentication process,
+ * and will cause a packet filter file to be generated 10
+ * seconds after the initial TLS negotiation, using
+ * {common-name}.pf as the source.
+ *
+ * Sample packet filter configuration:
+ *
+ * [CLIENTS DROP]
+ * +otherclient
+ * [SUBNETS DROP]
+ * +10.0.0.0/8
+ * -10.10.0.8
+ * [END]
+ *
+ * See the README file for build instructions.
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#include "openvpn-plugin.h"
+
+/* bool definitions */
+#define bool int
+#define true 1
+#define false 0
+
+/*
+ * Our context, where we keep our state.
+ */
+
+struct plugin_context {
+ int test_deferred_auth;
+ int test_packet_filter;
+};
+
+struct plugin_per_client_context {
+ int n_calls;
+ bool generated_pf_file;
+};
+
+/*
+ * Given an environmental variable name, search
+ * the envp array for its value, returning it
+ * if found or NULL otherwise.
+ */
+static const char *
+get_env (const char *name, const char *envp[])
+{
+ if (envp)
+ {
+ int i;
+ const int namelen = strlen (name);
+ for (i = 0; envp[i]; ++i)
+ {
+ if (!strncmp (envp[i], name, namelen))
+ {
+ const char *cp = envp[i] + namelen;
+ if (*cp == '=')
+ return cp + 1;
+ }
+ }
+ }
+ return NULL;
+}
+
+/* used for safe printf of possible NULL strings */
+static const char *
+np (const char *str)
+{
+ if (str)
+ return str;
+ else
+ return "[NULL]";
+}
+
+static int
+atoi_null0 (const char *str)
+{
+ if (str)
+ return atoi (str);
+ else
+ return 0;
+}
+
+OPENVPN_EXPORT openvpn_plugin_handle_t
+openvpn_plugin_open_v1 (unsigned int *type_mask, const char *argv[], const char *envp[])
+{
+ struct plugin_context *context;
+
+ printf ("FUNC: openvpn_plugin_open_v1\n");
+
+ /*
+ * Allocate our context
+ */
+ context = (struct plugin_context *) calloc (1, sizeof (struct plugin_context));
+
+ context->test_deferred_auth = atoi_null0 (get_env ("test_deferred_auth", envp));
+ printf ("TEST_DEFERRED_AUTH %d\n", context->test_deferred_auth);
+
+ context->test_packet_filter = atoi_null0 (get_env ("test_packet_filter", envp));
+ printf ("TEST_PACKET_FILTER %d\n", context->test_packet_filter);
+
+ /*
+ * Which callbacks to intercept.
+ */
+ *type_mask =
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_UP) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_DOWN) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_ROUTE_UP) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_IPCHANGE) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_TLS_VERIFY) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_CLIENT_CONNECT_V2) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_CLIENT_DISCONNECT) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_LEARN_ADDRESS) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_TLS_FINAL) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_ENABLE_PF);
+
+ return (openvpn_plugin_handle_t) context;
+}
+
+static int
+auth_user_pass_verify (struct plugin_context *context, struct plugin_per_client_context *pcc, const char *argv[], const char *envp[])
+{
+ if (context->test_deferred_auth)
+ {
+ /* get username/password from envp string array */
+ const char *username = get_env ("username", envp);
+ const char *password = get_env ("password", envp);
+
+ /* get auth_control_file filename from envp string array*/
+ const char *auth_control_file = get_env ("auth_control_file", envp);
+
+ printf ("DEFER u='%s' p='%s' acf='%s'\n",
+ np(username),
+ np(password),
+ np(auth_control_file));
+
+ /* Authenticate asynchronously in n seconds */
+ if (auth_control_file)
+ {
+ char buf[256];
+ int auth = 2;
+ sscanf (username, "%d", &auth);
+ snprintf (buf, sizeof(buf), "( sleep %d ; echo AUTH %s %d ; echo %d >%s ) &",
+ context->test_deferred_auth,
+ auth_control_file,
+ auth,
+ pcc->n_calls < auth,
+ auth_control_file);
+ printf ("%s\n", buf);
+ system (buf);
+ pcc->n_calls++;
+ return OPENVPN_PLUGIN_FUNC_DEFERRED;
+ }
+ else
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+ else
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+}
+
+static int
+tls_final (struct plugin_context *context, struct plugin_per_client_context *pcc, const char *argv[], const char *envp[])
+{
+ if (context->test_packet_filter)
+ {
+ if (!pcc->generated_pf_file)
+ {
+ const char *pff = get_env ("pf_file", envp);
+ const char *cn = get_env ("username", envp);
+ if (pff && cn)
+ {
+ char buf[256];
+ snprintf (buf, sizeof(buf), "( sleep %d ; echo PF %s/%s ; cp \"%s.pf\" \"%s\" ) &",
+ context->test_packet_filter, cn, pff, cn, pff);
+ printf ("%s\n", buf);
+ system (buf);
+ pcc->generated_pf_file = true;
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ }
+ else
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+ else
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+ else
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+}
+
+OPENVPN_EXPORT int
+openvpn_plugin_func_v2 (openvpn_plugin_handle_t handle,
+ const int type,
+ const char *argv[],
+ const char *envp[],
+ void *per_client_context,
+ struct openvpn_plugin_string_list **return_list)
+{
+ struct plugin_context *context = (struct plugin_context *) handle;
+ struct plugin_per_client_context *pcc = (struct plugin_per_client_context *) per_client_context;
+ switch (type)
+ {
+ case OPENVPN_PLUGIN_UP:
+ printf ("OPENVPN_PLUGIN_UP\n");
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ case OPENVPN_PLUGIN_DOWN:
+ printf ("OPENVPN_PLUGIN_DOWN\n");
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ case OPENVPN_PLUGIN_ROUTE_UP:
+ printf ("OPENVPN_PLUGIN_ROUTE_UP\n");
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ case OPENVPN_PLUGIN_IPCHANGE:
+ printf ("OPENVPN_PLUGIN_IPCHANGE\n");
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ case OPENVPN_PLUGIN_TLS_VERIFY:
+ printf ("OPENVPN_PLUGIN_TLS_VERIFY\n");
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ case OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY:
+ printf ("OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY\n");
+ return auth_user_pass_verify (context, pcc, argv, envp);
+ case OPENVPN_PLUGIN_CLIENT_CONNECT_V2:
+ printf ("OPENVPN_PLUGIN_CLIENT_CONNECT_V2\n");
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ case OPENVPN_PLUGIN_CLIENT_DISCONNECT:
+ printf ("OPENVPN_PLUGIN_CLIENT_DISCONNECT\n");
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ case OPENVPN_PLUGIN_LEARN_ADDRESS:
+ printf ("OPENVPN_PLUGIN_LEARN_ADDRESS\n");
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ case OPENVPN_PLUGIN_TLS_FINAL:
+ printf ("OPENVPN_PLUGIN_TLS_FINAL\n");
+ return tls_final (context, pcc, argv, envp);
+ case OPENVPN_PLUGIN_ENABLE_PF:
+ printf ("OPENVPN_PLUGIN_ENABLE_PF\n");
+ if (context->test_packet_filter)
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ else
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ default:
+ printf ("OPENVPN_PLUGIN_?\n");
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+}
+
+OPENVPN_EXPORT void *
+openvpn_plugin_client_constructor_v1 (openvpn_plugin_handle_t handle)
+{
+ printf ("FUNC: openvpn_plugin_client_constructor_v1\n");
+ return calloc (1, sizeof (struct plugin_per_client_context));
+}
+
+OPENVPN_EXPORT void
+openvpn_plugin_client_destructor_v1 (openvpn_plugin_handle_t handle, void *per_client_context)
+{
+ printf ("FUNC: openvpn_plugin_client_destructor_v1\n");
+ free (per_client_context);
+}
+
+OPENVPN_EXPORT void
+openvpn_plugin_close_v1 (openvpn_plugin_handle_t handle)
+{
+ struct plugin_context *context = (struct plugin_context *) handle;
+ printf ("FUNC: openvpn_plugin_close_v1\n");
+ free (context);
+}
diff --git a/openvpn/src/plugins/defer/simple.def b/openvpn/src/plugins/defer/simple.def
new file mode 100755
index 00000000..a87507d1
--- /dev/null
+++ b/openvpn/src/plugins/defer/simple.def
@@ -0,0 +1,6 @@
+LIBRARY OpenVPN_PLUGIN_SAMPLE
+DESCRIPTION "Sample OpenVPN plug-in module."
+EXPORTS
+ openvpn_plugin_open_v1 @1
+ openvpn_plugin_func_v1 @2
+ openvpn_plugin_close_v1 @3
diff --git a/openvpn/src/plugins/defer/winbuild b/openvpn/src/plugins/defer/winbuild
new file mode 100755
index 00000000..82927d96
--- /dev/null
+++ b/openvpn/src/plugins/defer/winbuild
@@ -0,0 +1,18 @@
+#
+# Build an OpenVPN plugin module on Windows/MinGW.
+# The argument should be the base name of the C source file
+# (without the .c).
+#
+
+# This directory is where we will look for openvpn-plugin.h
+INCLUDE="-I../../../build"
+
+CC_FLAGS="-O2 -Wall"
+
+gcc -DBUILD_DLL $CC_FLAGS $INCLUDE -c $1.c
+gcc --disable-stdcall-fixup -mdll -DBUILD_DLL -o junk.tmp -Wl,--base-file,base.tmp $1.o
+rm junk.tmp
+dlltool --dllname $1.dll --base-file base.tmp --output-exp temp.exp --input-def $1.def
+rm base.tmp
+gcc --enable-stdcall-fixup -mdll -DBUILD_DLL -o $1.dll $1.o -Wl,temp.exp
+rm temp.exp
diff --git a/openvpn/src/plugins/down-root/Makefile b/openvpn/src/plugins/down-root/Makefile
new file mode 100755
index 00000000..e66c99ae
--- /dev/null
+++ b/openvpn/src/plugins/down-root/Makefile
@@ -0,0 +1,18 @@
+#
+# Build the OpenVPN down-root plugin module.
+#
+
+# This directory is where we will look for openvpn-plugin.h
+CPPFLAGS=-I../../../include
+
+CC=gcc
+CFLAGS=-O2 -Wall
+
+down-root.so : down-root.o
+ $(CC) $(CFLAGS) -fPIC -shared $(LDFLAGS) -Wl,-soname,openvpn-down-root.so -o openvpn-down-root.so down-root.o -lc
+
+down-root.o : down-root.c
+ $(CC) $(CPPFLAGS) $(CFLAGS) -fPIC -c down-root.c
+
+clean :
+ -rm -f *.o *.so
diff --git a/openvpn/src/plugins/down-root/README b/openvpn/src/plugins/down-root/README
new file mode 100644
index 00000000..d337ffe9
--- /dev/null
+++ b/openvpn/src/plugins/down-root/README
@@ -0,0 +1,29 @@
+down-root -- an OpenVPN Plugin Module
+
+SYNOPSIS
+
+The down-root module allows an OpenVPN configuration to
+call a down script with root privileges, even when privileges
+have been dropped using --user/--group/--chroot.
+
+This module uses a split privilege execution model which will
+fork() before OpenVPN drops root privileges, at the point where
+the --up script is usually called. The module will then remain
+in a wait state until it receives a message from OpenVPN via
+pipe to execute the down script. Thus, the down script will be
+run in the same execution environment as the up script.
+
+BUILD
+
+Build this module with the "make" command. The plugin
+module will be named openvpn-down-root.so
+
+USAGE
+
+To use this module, add to your OpenVPN config file:
+
+ plugin openvpn-down-root.so "command ..."
+
+CAVEATS
+
+This module will only work on *nix systems, not Windows.
diff --git a/openvpn/src/plugins/down-root/down-root.c b/openvpn/src/plugins/down-root/down-root.c
new file mode 100644
index 00000000..fced23be
--- /dev/null
+++ b/openvpn/src/plugins/down-root/down-root.c
@@ -0,0 +1,553 @@
+/*
+ * OpenVPN -- An application to securely tunnel IP networks
+ * over a single TCP/UDP port, with support for SSL/TLS-based
+ * session authentication and key exchange,
+ * packet encryption, packet authentication, and
+ * packet compression.
+ *
+ * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program (see the file COPYING included with this
+ * distribution); if not, write to the Free Software Foundation, Inc.,
+ * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+/*
+ * OpenVPN plugin module to do privileged down-script execution.
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/wait.h>
+#include <fcntl.h>
+#include <signal.h>
+#include <syslog.h>
+
+#include "openvpn-plugin.h"
+
+#define DEBUG(verb) ((verb) >= 7)
+
+/* Command codes for foreground -> background communication */
+#define COMMAND_RUN_SCRIPT 0
+#define COMMAND_EXIT 1
+
+/* Response codes for background -> foreground communication */
+#define RESPONSE_INIT_SUCCEEDED 10
+#define RESPONSE_INIT_FAILED 11
+#define RESPONSE_SCRIPT_SUCCEEDED 12
+#define RESPONSE_SCRIPT_FAILED 13
+
+/* Background process function */
+static void down_root_server (const int fd, char *command, const char *argv[], const char *envp[], const int verb);
+
+/*
+ * Plugin state, used by foreground
+ */
+struct down_root_context
+{
+ /* Foreground's socket to background process */
+ int foreground_fd;
+
+ /* Process ID of background process */
+ pid_t background_pid;
+
+ /* Verbosity level of OpenVPN */
+ int verb;
+
+ /* down command */
+ char *command;
+};
+
+/*
+ * Given an environmental variable name, search
+ * the envp array for its value, returning it
+ * if found or NULL otherwise.
+ */
+static const char *
+get_env (const char *name, const char *envp[])
+{
+ if (envp)
+ {
+ int i;
+ const int namelen = strlen (name);
+ for (i = 0; envp[i]; ++i)
+ {
+ if (!strncmp (envp[i], name, namelen))
+ {
+ const char *cp = envp[i] + namelen;
+ if (*cp == '=')
+ return cp + 1;
+ }
+ }
+ }
+ return NULL;
+}
+
+/*
+ * Return the length of a string array
+ */
+static int
+string_array_len (const char *array[])
+{
+ int i = 0;
+ if (array)
+ {
+ while (array[i])
+ ++i;
+ }
+ return i;
+}
+
+/*
+ * Socket read/write functions.
+ */
+
+static int
+recv_control (int fd)
+{
+ unsigned char c;
+ const ssize_t size = read (fd, &c, sizeof (c));
+ if (size == sizeof (c))
+ return c;
+ else
+ return -1;
+}
+
+static int
+send_control (int fd, int code)
+{
+ unsigned char c = (unsigned char) code;
+ const ssize_t size = write (fd, &c, sizeof (c));
+ if (size == sizeof (c))
+ return (int) size;
+ else
+ return -1;
+}
+
+/*
+ * Daemonize if "daemon" env var is true.
+ * Preserve stderr across daemonization if
+ * "daemon_log_redirect" env var is true.
+ */
+static void
+daemonize (const char *envp[])
+{
+ const char *daemon_string = get_env ("daemon", envp);
+ if (daemon_string && daemon_string[0] == '1')
+ {
+ const char *log_redirect = get_env ("daemon_log_redirect", envp);
+ int fd = -1;
+ if (log_redirect && log_redirect[0] == '1')
+ fd = dup (2);
+ if (daemon (0, 0) < 0)
+ {
+ fprintf (stderr, "DOWN-ROOT: daemonization failed\n");
+ }
+ else if (fd >= 3)
+ {
+ dup2 (fd, 2);
+ close (fd);
+ }
+ }
+}
+
+/*
+ * Close most of parent's fds.
+ * Keep stdin/stdout/stderr, plus one
+ * other fd which is presumed to be
+ * our pipe back to parent.
+ * Admittedly, a bit of a kludge,
+ * but posix doesn't give us a kind
+ * of FD_CLOEXEC which will stop
+ * fds from crossing a fork().
+ */
+static void
+close_fds_except (int keep)
+{
+ int i;
+ closelog ();
+ for (i = 3; i <= 100; ++i)
+ {
+ if (i != keep)
+ close (i);
+ }
+}
+
+/*
+ * Usually we ignore signals, because our parent will
+ * deal with them.
+ */
+static void
+set_signals (void)
+{
+ signal (SIGTERM, SIG_DFL);
+
+ signal (SIGINT, SIG_IGN);
+ signal (SIGHUP, SIG_IGN);
+ signal (SIGUSR1, SIG_IGN);
+ signal (SIGUSR2, SIG_IGN);
+ signal (SIGPIPE, SIG_IGN);
+}
+
+/*
+ * convert system() return into a success/failure value
+ */
+int
+system_ok (int stat)
+{
+#ifdef WIN32
+ return stat == 0;
+#else
+ return stat != -1 && WIFEXITED (stat) && WEXITSTATUS (stat) == 0;
+#endif
+}
+
+static char *
+build_command_line (const char *argv[])
+{
+ int size = 0;
+ int n = 0;
+ int i;
+ char *string;
+
+ /* precompute size */
+ if (argv)
+ {
+ for (i = 0; argv[i]; ++i)
+ {
+ size += (strlen (argv[i]) + 1); /* string length plus trailing space */
+ ++n;
+ }
+ }
+ ++size; /* for null terminator */
+
+ /* allocate memory */
+ string = (char *) malloc (size);
+ if (!string)
+ {
+ fprintf (stderr, "DOWN-ROOT: out of memory\n");
+ exit (1);
+ }
+ string[0] = '\0';
+
+ /* build string */
+ for (i = 0; i < n; ++i)
+ {
+ strcat (string, argv[i]);
+ if (i + 1 < n)
+ strcat (string, " ");
+ }
+ return string;
+}
+
+static void
+free_context (struct down_root_context *context)
+{
+ if (context)
+ {
+ if (context->command)
+ free (context->command);
+ free (context);
+ }
+}
+
+OPENVPN_EXPORT openvpn_plugin_handle_t
+openvpn_plugin_open_v1 (unsigned int *type_mask, const char *argv[], const char *envp[])
+{
+ struct down_root_context *context;
+
+ /*
+ * Allocate our context
+ */
+ context = (struct down_root_context *) calloc (1, sizeof (struct down_root_context));
+ if (!context)
+ goto error;
+ context->foreground_fd = -1;
+
+ /*
+ * Intercept the --up and --down callbacks
+ */
+ *type_mask = OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_UP) | OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_DOWN);
+
+ /*
+ * Make sure we have two string arguments: the first is the .so name,
+ * the second is the script command.
+ */
+ if (string_array_len (argv) < 2)
+ {
+ fprintf (stderr, "DOWN-ROOT: need down script command\n");
+ goto error;
+ }
+
+ /*
+ * Save our argument in context
+ */
+ context->command = build_command_line (&argv[1]);
+
+ /*
+ * Get verbosity level from environment
+ */
+ {
+ const char *verb_string = get_env ("verb", envp);
+ if (verb_string)
+ context->verb = atoi (verb_string);
+ }
+
+ return (openvpn_plugin_handle_t) context;
+
+ error:
+ free_context (context);
+ return NULL;
+}
+
+OPENVPN_EXPORT int
+openvpn_plugin_func_v1 (openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[])
+{
+ struct down_root_context *context = (struct down_root_context *) handle;
+
+ if (type == OPENVPN_PLUGIN_UP && context->foreground_fd == -1) /* fork off a process to hold onto root */
+ {
+ pid_t pid;
+ int fd[2];
+
+ /*
+ * Make a socket for foreground and background processes
+ * to communicate.
+ */
+ if (socketpair (PF_UNIX, SOCK_DGRAM, 0, fd) == -1)
+ {
+ fprintf (stderr, "DOWN-ROOT: socketpair call failed\n");
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+
+ /*
+ * Fork off the privileged process. It will remain privileged
+ * even after the foreground process drops its privileges.
+ */
+ pid = fork ();
+
+ if (pid)
+ {
+ int status;
+
+ /*
+ * Foreground Process
+ */
+
+ context->background_pid = pid;
+
+ /* close our copy of child's socket */
+ close (fd[1]);
+
+ /* don't let future subprocesses inherit child socket */
+ if (fcntl (fd[0], F_SETFD, FD_CLOEXEC) < 0)
+ fprintf (stderr, "DOWN-ROOT: Set FD_CLOEXEC flag on socket file descriptor failed\n");
+
+ /* wait for background child process to initialize */
+ status = recv_control (fd[0]);
+ if (status == RESPONSE_INIT_SUCCEEDED)
+ {
+ context->foreground_fd = fd[0];
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ }
+ }
+ else
+ {
+ /*
+ * Background Process
+ */
+
+ /* close all parent fds except our socket back to parent */
+ close_fds_except (fd[1]);
+
+ /* Ignore most signals (the parent will receive them) */
+ set_signals ();
+
+ /* Daemonize if --daemon option is set. */
+ daemonize (envp);
+
+ /* execute the event loop */
+ down_root_server (fd[1], context->command, argv, envp, context->verb);
+
+ close (fd[1]);
+ exit (0);
+ return 0; /* NOTREACHED */
+ }
+ }
+ else if (type == OPENVPN_PLUGIN_DOWN && context->foreground_fd >= 0)
+ {
+ if (send_control (context->foreground_fd, COMMAND_RUN_SCRIPT) == -1)
+ {
+ fprintf (stderr, "DOWN-ROOT: Error sending script execution signal to background process\n");
+ }
+ else
+ {
+ const int status = recv_control (context->foreground_fd);
+ if (status == RESPONSE_SCRIPT_SUCCEEDED)
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ if (status == -1)
+ fprintf (stderr, "DOWN-ROOT: Error receiving script execution confirmation from background process\n");
+ }
+ }
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+}
+
+OPENVPN_EXPORT void
+openvpn_plugin_close_v1 (openvpn_plugin_handle_t handle)
+{
+ struct down_root_context *context = (struct down_root_context *) handle;
+
+ if (DEBUG (context->verb))
+ fprintf (stderr, "DOWN-ROOT: close\n");
+
+ if (context->foreground_fd >= 0)
+ {
+ /* tell background process to exit */
+ if (send_control (context->foreground_fd, COMMAND_EXIT) == -1)
+ fprintf (stderr, "DOWN-ROOT: Error signaling background process to exit\n");
+
+ /* wait for background process to exit */
+ if (context->background_pid > 0)
+ waitpid (context->background_pid, NULL, 0);
+
+ close (context->foreground_fd);
+ context->foreground_fd = -1;
+ }
+
+ free_context (context);
+}
+
+OPENVPN_EXPORT void
+openvpn_plugin_abort_v1 (openvpn_plugin_handle_t handle)
+{
+ struct down_root_context *context = (struct down_root_context *) handle;
+
+ if (context && context->foreground_fd >= 0)
+ {
+ /* tell background process to exit */
+ send_control (context->foreground_fd, COMMAND_EXIT);
+ close (context->foreground_fd);
+ context->foreground_fd = -1;
+ }
+}
+
+/*
+ * Background process -- runs with privilege.
+ */
+static void
+down_root_server (const int fd, char *command, const char *argv[], const char *envp[], const int verb)
+{
+ const char *p[3];
+ char *command_line = NULL;
+ char *argv_cat = NULL;
+ int i;
+
+ /*
+ * Do initialization
+ */
+ if (DEBUG (verb))
+ fprintf (stderr, "DOWN-ROOT: BACKGROUND: INIT command='%s'\n", command);
+
+ /*
+ * Tell foreground that we initialized successfully
+ */
+ if (send_control (fd, RESPONSE_INIT_SUCCEEDED) == -1)
+ {
+ fprintf (stderr, "DOWN-ROOT: BACKGROUND: write error on response socket [1]\n");
+ goto done;
+ }
+
+ /*
+ * Build command line
+ */
+ if (string_array_len (argv) >= 2)
+ argv_cat = build_command_line (&argv[1]);
+ else
+ argv_cat = build_command_line (NULL);
+ p[0] = command;
+ p[1] = argv_cat;
+ p[2] = NULL;
+ command_line = build_command_line (p);
+
+ /*
+ * Save envp in environment
+ */
+ for (i = 0; envp[i]; ++i)
+ {
+ putenv ((char *)envp[i]);
+ }
+
+ /*
+ * Event loop
+ */
+ while (1)
+ {
+ int command_code;
+ int status;
+
+ /* get a command from foreground process */
+ command_code = recv_control (fd);
+
+ if (DEBUG (verb))
+ fprintf (stderr, "DOWN-ROOT: BACKGROUND: received command code: %d\n", command_code);
+
+ switch (command_code)
+ {
+ case COMMAND_RUN_SCRIPT:
+ status = system (command_line);
+ if (system_ok (status)) /* Succeeded */
+ {
+ if (send_control (fd, RESPONSE_SCRIPT_SUCCEEDED) == -1)
+ {
+ fprintf (stderr, "DOWN-ROOT: BACKGROUND: write error on response socket [2]\n");
+ goto done;
+ }
+ }
+ else /* Failed */
+ {
+ if (send_control (fd, RESPONSE_SCRIPT_FAILED) == -1)
+ {
+ fprintf (stderr, "DOWN-ROOT: BACKGROUND: write error on response socket [3]\n");
+ goto done;
+ }
+ }
+ break;
+
+ case COMMAND_EXIT:
+ goto done;
+
+ case -1:
+ fprintf (stderr, "DOWN-ROOT: BACKGROUND: read error on command channel\n");
+ goto done;
+
+ default:
+ fprintf (stderr, "DOWN-ROOT: BACKGROUND: unknown command code: code=%d, exiting\n",
+ command_code);
+ goto done;
+ }
+ }
+
+ done:
+ if (argv_cat)
+ free (argv_cat);
+ if (command_line)
+ free (command_line);
+ if (DEBUG (verb))
+ fprintf (stderr, "DOWN-ROOT: BACKGROUND: EXIT\n");
+
+ return;
+}
diff --git a/openvpn/src/plugins/examples/README b/openvpn/src/plugins/examples/README
new file mode 100644
index 00000000..4400cd30
--- /dev/null
+++ b/openvpn/src/plugins/examples/README
@@ -0,0 +1,16 @@
+OpenVPN plugin examples.
+
+Examples provided:
+
+simple.c -- using the --auth-user-pass-verify callback, verify
+ that the username/password is "foo"/"bar".
+
+To build:
+
+ ./build simple (Linux/BSD/etc.)
+ ./winbuild simple (MinGW on Windows)
+
+To use in OpenVPN, add to config file:
+
+ plugin simple.so (Linux/BSD/etc.)
+ plugin simple.dll (MinGW on Windows)
diff --git a/openvpn/src/plugins/examples/build b/openvpn/src/plugins/examples/build
new file mode 100755
index 00000000..bbb05f7c
--- /dev/null
+++ b/openvpn/src/plugins/examples/build
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+#
+# Build an OpenVPN plugin module on *nix. The argument should
+# be the base name of the C source file (without the .c).
+#
+
+# This directory is where we will look for openvpn-plugin.h
+CPPFLAGS="${CPPFLAGS:--I../../..}"
+
+CC="${CC:-gcc}"
+CFLAGS="${CFLAGS:--O2 -Wall -g}"
+
+$CC $CPPFLAGS $CFLAGS -fPIC -c $1.c && \
+$CC $CFLAGS -fPIC -shared $LDFLAGS -Wl,-soname,$1.so -o $1.so $1.o -lc
diff --git a/openvpn/src/plugins/examples/log.c b/openvpn/src/plugins/examples/log.c
new file mode 100644
index 00000000..1cc4650e
--- /dev/null
+++ b/openvpn/src/plugins/examples/log.c
@@ -0,0 +1,184 @@
+/*
+ * OpenVPN -- An application to securely tunnel IP networks
+ * over a single TCP/UDP port, with support for SSL/TLS-based
+ * session authentication and key exchange,
+ * packet encryption, packet authentication, and
+ * packet compression.
+ *
+ * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program (see the file COPYING included with this
+ * distribution); if not, write to the Free Software Foundation, Inc.,
+ * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+/*
+ * This plugin is similar to simple.c, except it also logs extra information
+ * to stdout for every plugin method called by OpenVPN.
+ *
+ * See the README file for build instructions.
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#include "openvpn-plugin.h"
+
+/*
+ * Our context, where we keep our state.
+ */
+struct plugin_context {
+ const char *username;
+ const char *password;
+};
+
+/*
+ * Given an environmental variable name, search
+ * the envp array for its value, returning it
+ * if found or NULL otherwise.
+ */
+static const char *
+get_env (const char *name, const char *envp[])
+{
+ if (envp)
+ {
+ int i;
+ const int namelen = strlen (name);
+ for (i = 0; envp[i]; ++i)
+ {
+ if (!strncmp (envp[i], name, namelen))
+ {
+ const char *cp = envp[i] + namelen;
+ if (*cp == '=')
+ return cp + 1;
+ }
+ }
+ }
+ return NULL;
+}
+
+OPENVPN_EXPORT openvpn_plugin_handle_t
+openvpn_plugin_open_v1 (unsigned int *type_mask, const char *argv[], const char *envp[])
+{
+ struct plugin_context *context;
+
+ /*
+ * Allocate our context
+ */
+ context = (struct plugin_context *) calloc (1, sizeof (struct plugin_context));
+
+ /*
+ * Set the username/password we will require.
+ */
+ context->username = "foo";
+ context->password = "bar";
+
+ /*
+ * Which callbacks to intercept.
+ */
+ *type_mask =
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_UP) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_DOWN) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_ROUTE_UP) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_IPCHANGE) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_TLS_VERIFY) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_CLIENT_CONNECT_V2) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_CLIENT_DISCONNECT) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_LEARN_ADDRESS) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_TLS_FINAL);
+
+ return (openvpn_plugin_handle_t) context;
+}
+
+void
+show (const int type, const char *argv[], const char *envp[])
+{
+ size_t i;
+ switch (type)
+ {
+ case OPENVPN_PLUGIN_UP:
+ printf ("OPENVPN_PLUGIN_UP\n");
+ break;
+ case OPENVPN_PLUGIN_DOWN:
+ printf ("OPENVPN_PLUGIN_DOWN\n");
+ break;
+ case OPENVPN_PLUGIN_ROUTE_UP:
+ printf ("OPENVPN_PLUGIN_ROUTE_UP\n");
+ break;
+ case OPENVPN_PLUGIN_IPCHANGE:
+ printf ("OPENVPN_PLUGIN_IPCHANGE\n");
+ break;
+ case OPENVPN_PLUGIN_TLS_VERIFY:
+ printf ("OPENVPN_PLUGIN_TLS_VERIFY\n");
+ break;
+ case OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY:
+ printf ("OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY\n");
+ break;
+ case OPENVPN_PLUGIN_CLIENT_CONNECT_V2:
+ printf ("OPENVPN_PLUGIN_CLIENT_CONNECT_V2\n");
+ break;
+ case OPENVPN_PLUGIN_CLIENT_DISCONNECT:
+ printf ("OPENVPN_PLUGIN_CLIENT_DISCONNECT\n");
+ break;
+ case OPENVPN_PLUGIN_LEARN_ADDRESS:
+ printf ("OPENVPN_PLUGIN_LEARN_ADDRESS\n");
+ break;
+ case OPENVPN_PLUGIN_TLS_FINAL:
+ printf ("OPENVPN_PLUGIN_TLS_FINAL\n");
+ break;
+ default:
+ printf ("OPENVPN_PLUGIN_?\n");
+ break;
+ }
+
+ printf ("ARGV\n");
+ for (i = 0; argv[i] != NULL; ++i)
+ printf ("%d '%s'\n", (int)i, argv[i]);
+
+ printf ("ENVP\n");
+ for (i = 0; envp[i] != NULL; ++i)
+ printf ("%d '%s'\n", (int)i, envp[i]);
+}
+
+OPENVPN_EXPORT int
+openvpn_plugin_func_v1 (openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[])
+{
+ struct plugin_context *context = (struct plugin_context *) handle;
+
+ show (type, argv, envp);
+
+ /* check entered username/password against what we require */
+ if (type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)
+ {
+ /* get username/password from envp string array */
+ const char *username = get_env ("username", envp);
+ const char *password = get_env ("password", envp);
+
+ if (username && !strcmp (username, context->username)
+ && password && !strcmp (password, context->password))
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ else
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+ else
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+}
+
+OPENVPN_EXPORT void
+openvpn_plugin_close_v1 (openvpn_plugin_handle_t handle)
+{
+ struct plugin_context *context = (struct plugin_context *) handle;
+ free (context);
+}
diff --git a/openvpn/src/plugins/examples/log_v3.c b/openvpn/src/plugins/examples/log_v3.c
new file mode 100644
index 00000000..742c7568
--- /dev/null
+++ b/openvpn/src/plugins/examples/log_v3.c
@@ -0,0 +1,247 @@
+/*
+ * OpenVPN -- An application to securely tunnel IP networks
+ * over a single TCP/UDP port, with support for SSL/TLS-based
+ * session authentication and key exchange,
+ * packet encryption, packet authentication, and
+ * packet compression.
+ *
+ * Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sales@openvpn.net>
+ * Copyright (C) 2010 David Sommerseth <dazo@users.sourceforge.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program (see the file COPYING included with this
+ * distribution); if not, write to the Free Software Foundation, Inc.,
+ * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+/*
+ * This plugin is similar to simple.c, except it also logs extra information
+ * to stdout for every plugin method called by OpenVPN. The only difference
+ * between this (log_v3.c) and log.c is that this module uses the v3 plug-in
+ * API.
+ *
+ * See the README file for build instructions.
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#define ENABLE_SSL
+
+#include "openvpn-plugin.h"
+
+/*
+ * Our context, where we keep our state.
+ */
+struct plugin_context {
+ const char *username;
+ const char *password;
+};
+
+/*
+ * Given an environmental variable name, search
+ * the envp array for its value, returning it
+ * if found or NULL otherwise.
+ */
+static const char *
+get_env (const char *name, const char *envp[])
+{
+ if (envp)
+ {
+ int i;
+ const int namelen = strlen (name);
+ for (i = 0; envp[i]; ++i)
+ {
+ if (!strncmp (envp[i], name, namelen))
+ {
+ const char *cp = envp[i] + namelen;
+ if (*cp == '=')
+ return cp + 1;
+ }
+ }
+ }
+ return NULL;
+}
+
+OPENVPN_EXPORT int
+openvpn_plugin_open_v3 (const int v3structver,
+ struct openvpn_plugin_args_open_in const *args,
+ struct openvpn_plugin_args_open_return *ret)
+{
+ struct plugin_context *context = NULL;
+
+ /* Check that we are API compatible */
+ if( v3structver != OPENVPN_PLUGINv3_STRUCTVER ) {
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+
+ /* Which callbacks to intercept. */
+ ret->type_mask =
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_UP) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_DOWN) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_ROUTE_UP) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_IPCHANGE) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_TLS_VERIFY) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_CLIENT_CONNECT_V2) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_CLIENT_DISCONNECT) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_LEARN_ADDRESS) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_TLS_FINAL);
+
+
+ /* Allocate our context */
+ context = (struct plugin_context *) calloc (1, sizeof (struct plugin_context));
+
+ /* Set the username/password we will require. */
+ context->username = "foo";
+ context->password = "bar";
+
+ /* Point the global context handle to our newly created context */
+ ret->handle = (void *) context;
+
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+}
+
+void
+show (const int type, const char *argv[], const char *envp[])
+{
+ size_t i;
+ switch (type)
+ {
+ case OPENVPN_PLUGIN_UP:
+ printf ("OPENVPN_PLUGIN_UP\n");
+ break;
+ case OPENVPN_PLUGIN_DOWN:
+ printf ("OPENVPN_PLUGIN_DOWN\n");
+ break;
+ case OPENVPN_PLUGIN_ROUTE_UP:
+ printf ("OPENVPN_PLUGIN_ROUTE_UP\n");
+ break;
+ case OPENVPN_PLUGIN_IPCHANGE:
+ printf ("OPENVPN_PLUGIN_IPCHANGE\n");
+ break;
+ case OPENVPN_PLUGIN_TLS_VERIFY:
+ printf ("OPENVPN_PLUGIN_TLS_VERIFY\n");
+ break;
+ case OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY:
+ printf ("OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY\n");
+ break;
+ case OPENVPN_PLUGIN_CLIENT_CONNECT_V2:
+ printf ("OPENVPN_PLUGIN_CLIENT_CONNECT_V2\n");
+ break;
+ case OPENVPN_PLUGIN_CLIENT_DISCONNECT:
+ printf ("OPENVPN_PLUGIN_CLIENT_DISCONNECT\n");
+ break;
+ case OPENVPN_PLUGIN_LEARN_ADDRESS:
+ printf ("OPENVPN_PLUGIN_LEARN_ADDRESS\n");
+ break;
+ case OPENVPN_PLUGIN_TLS_FINAL:
+ printf ("OPENVPN_PLUGIN_TLS_FINAL\n");
+ break;
+ default:
+ printf ("OPENVPN_PLUGIN_?\n");
+ break;
+ }
+
+ printf ("ARGV\n");
+ for (i = 0; argv[i] != NULL; ++i)
+ printf ("%d '%s'\n", (int)i, argv[i]);
+
+ printf ("ENVP\n");
+ for (i = 0; envp[i] != NULL; ++i)
+ printf ("%d '%s'\n", (int)i, envp[i]);
+}
+
+static void
+x509_print_info (X509 *x509crt)
+{
+ int i, n;
+ int fn_nid;
+ ASN1_OBJECT *fn;
+ ASN1_STRING *val;
+ X509_NAME *x509_name;
+ X509_NAME_ENTRY *ent;
+ const char *objbuf;
+ unsigned char *buf;
+
+ x509_name = X509_get_subject_name (x509crt);
+ n = X509_NAME_entry_count (x509_name);
+ for (i = 0; i < n; ++i)
+ {
+ ent = X509_NAME_get_entry (x509_name, i);
+ if (!ent)
+ continue;
+ fn = X509_NAME_ENTRY_get_object (ent);
+ if (!fn)
+ continue;
+ val = X509_NAME_ENTRY_get_data (ent);
+ if (!val)
+ continue;
+ fn_nid = OBJ_obj2nid (fn);
+ if (fn_nid == NID_undef)
+ continue;
+ objbuf = OBJ_nid2sn (fn_nid);
+ if (!objbuf)
+ continue;
+ buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */
+ if (ASN1_STRING_to_UTF8 (&buf, val) <= 0)
+ continue;
+
+ printf("X509 %s: %s\n", objbuf, (char *)buf);
+ OPENSSL_free (buf);
+ }
+}
+
+
+
+OPENVPN_EXPORT int
+openvpn_plugin_func_v3 (const int version,
+ struct openvpn_plugin_args_func_in const *args,
+ struct openvpn_plugin_args_func_return *retptr)
+{
+ struct plugin_context *context = (struct plugin_context *) args->handle;
+
+ printf("\nopenvpn_plugin_func_v3() :::::>> ");
+ show (args->type, args->argv, args->envp);
+
+ /* Dump some X509 information if we're in the TLS_VERIFY phase */
+ if ((args->type == OPENVPN_PLUGIN_TLS_VERIFY) && args->current_cert ) {
+ printf("---- X509 Subject information ----\n");
+ printf("Certificate depth: %i\n", args->current_cert_depth);
+ x509_print_info(args->current_cert);
+ printf("----------------------------------\n");
+ }
+
+ /* check entered username/password against what we require */
+ if (args->type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)
+ {
+ /* get username/password from envp string array */
+ const char *username = get_env ("username", args->envp);
+ const char *password = get_env ("password", args->envp);
+
+ if (username && !strcmp (username, context->username)
+ && password && !strcmp (password, context->password))
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ else
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+ else
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+}
+
+OPENVPN_EXPORT void
+openvpn_plugin_close_v1 (openvpn_plugin_handle_t handle)
+{
+ struct plugin_context *context = (struct plugin_context *) handle;
+ free (context);
+}
diff --git a/openvpn/src/plugins/examples/simple.c b/openvpn/src/plugins/examples/simple.c
new file mode 100644
index 00000000..f26d89f6
--- /dev/null
+++ b/openvpn/src/plugins/examples/simple.c
@@ -0,0 +1,120 @@
+/*
+ * OpenVPN -- An application to securely tunnel IP networks
+ * over a single TCP/UDP port, with support for SSL/TLS-based
+ * session authentication and key exchange,
+ * packet encryption, packet authentication, and
+ * packet compression.
+ *
+ * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program (see the file COPYING included with this
+ * distribution); if not, write to the Free Software Foundation, Inc.,
+ * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+/*
+ * This file implements a simple OpenVPN plugin module which
+ * will examine the username/password provided by a client,
+ * and make an accept/deny determination. Will run
+ * on Windows or *nix.
+ *
+ * See the README file for build instructions.
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#include "openvpn-plugin.h"
+
+/*
+ * Our context, where we keep our state.
+ */
+struct plugin_context {
+ const char *username;
+ const char *password;
+};
+
+/*
+ * Given an environmental variable name, search
+ * the envp array for its value, returning it
+ * if found or NULL otherwise.
+ */
+static const char *
+get_env (const char *name, const char *envp[])
+{
+ if (envp)
+ {
+ int i;
+ const int namelen = strlen (name);
+ for (i = 0; envp[i]; ++i)
+ {
+ if (!strncmp (envp[i], name, namelen))
+ {
+ const char *cp = envp[i] + namelen;
+ if (*cp == '=')
+ return cp + 1;
+ }
+ }
+ }
+ return NULL;
+}
+
+OPENVPN_EXPORT openvpn_plugin_handle_t
+openvpn_plugin_open_v1 (unsigned int *type_mask, const char *argv[], const char *envp[])
+{
+ struct plugin_context *context;
+
+ /*
+ * Allocate our context
+ */
+ context = (struct plugin_context *) calloc (1, sizeof (struct plugin_context));
+
+ /*
+ * Set the username/password we will require.
+ */
+ context->username = "foo";
+ context->password = "bar";
+
+ /*
+ * We are only interested in intercepting the
+ * --auth-user-pass-verify callback.
+ */
+ *type_mask = OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY);
+
+ return (openvpn_plugin_handle_t) context;
+}
+
+OPENVPN_EXPORT int
+openvpn_plugin_func_v1 (openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[])
+{
+ struct plugin_context *context = (struct plugin_context *) handle;
+
+ /* get username/password from envp string array */
+ const char *username = get_env ("username", envp);
+ const char *password = get_env ("password", envp);
+
+ /* check entered username/password against what we require */
+ if (username && !strcmp (username, context->username)
+ && password && !strcmp (password, context->password))
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ else
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+}
+
+OPENVPN_EXPORT void
+openvpn_plugin_close_v1 (openvpn_plugin_handle_t handle)
+{
+ struct plugin_context *context = (struct plugin_context *) handle;
+ free (context);
+}
diff --git a/openvpn/src/plugins/examples/simple.def b/openvpn/src/plugins/examples/simple.def
new file mode 100755
index 00000000..a87507d1
--- /dev/null
+++ b/openvpn/src/plugins/examples/simple.def
@@ -0,0 +1,6 @@
+LIBRARY OpenVPN_PLUGIN_SAMPLE
+DESCRIPTION "Sample OpenVPN plug-in module."
+EXPORTS
+ openvpn_plugin_open_v1 @1
+ openvpn_plugin_func_v1 @2
+ openvpn_plugin_close_v1 @3
diff --git a/openvpn/src/plugins/examples/winbuild b/openvpn/src/plugins/examples/winbuild
new file mode 100755
index 00000000..decf05f8
--- /dev/null
+++ b/openvpn/src/plugins/examples/winbuild
@@ -0,0 +1,18 @@
+#
+# Build an OpenVPN plugin module on Windows/MinGW.
+# The argument should be the base name of the C source file
+# (without the .c).
+#
+
+# This directory is where we will look for openvpn-plugin.h
+INCLUDE="-I../../../include"
+
+CC_FLAGS="-O2 -Wall"
+
+gcc -DBUILD_DLL $CC_FLAGS $INCLUDE -c $1.c
+gcc --disable-stdcall-fixup -mdll -DBUILD_DLL -o junk.tmp -Wl,--base-file,base.tmp $1.o
+rm junk.tmp
+dlltool --dllname $1.dll --base-file base.tmp --output-exp temp.exp --input-def $1.def
+rm base.tmp
+gcc --enable-stdcall-fixup -mdll -DBUILD_DLL -o $1.dll $1.o -Wl,temp.exp
+rm temp.exp