From 23a783836e5765514c85f83a510b9225a43cdfc1 Mon Sep 17 00:00:00 2001
From: Arne Schwabe <arne@rfc2549.org>
Date: Sat, 21 Jul 2012 01:11:36 +0200
Subject: Update openvpn to Version 2.3_alpha3

--HG--
rename : openvpn/src/plugins/README => openvpn/doc/README.plugins
rename : openvpn/src/plugins/defer/README => openvpn/sample/sample-plugins/defer/README
rename : openvpn/src/plugins/defer/build => openvpn/sample/sample-plugins/defer/build
rename : openvpn/src/plugins/defer/simple.c => openvpn/sample/sample-plugins/defer/simple.c
rename : openvpn/src/plugins/examples/simple.def => openvpn/sample/sample-plugins/defer/simple.def
rename : openvpn/src/plugins/defer/winbuild => openvpn/sample/sample-plugins/defer/winbuild
rename : openvpn/src/plugins/examples/build => openvpn/sample/sample-plugins/log/build
rename : openvpn/src/plugins/examples/log.c => openvpn/sample/sample-plugins/log/log.c
rename : openvpn/src/plugins/examples/log_v3.c => openvpn/sample/sample-plugins/log/log_v3.c
rename : openvpn/src/plugins/examples/winbuild => openvpn/sample/sample-plugins/log/winbuild
rename : openvpn/src/plugins/examples/README => openvpn/sample/sample-plugins/simple/README
rename : openvpn/src/plugins/examples/build => openvpn/sample/sample-plugins/simple/build
rename : openvpn/src/plugins/examples/simple.c => openvpn/sample/sample-plugins/simple/simple.c
rename : openvpn/src/plugins/examples/simple.def => openvpn/sample/sample-plugins/simple/simple.def
rename : openvpn/src/plugins/examples/winbuild => openvpn/sample/sample-plugins/simple/winbuild
rename : openvpn/src/plugins/auth-pam/README => openvpn/src/plugins/auth-pam/README.auth-pam
rename : openvpn/src/plugins/down-root/README => openvpn/src/plugins/down-root/README.down-root
---
 openvpn/src/plugins/auth-pam/Makefile         | 32 ------------
 openvpn/src/plugins/auth-pam/Makefile.am      | 27 ++++++++++
 openvpn/src/plugins/auth-pam/README           | 74 ---------------------------
 openvpn/src/plugins/auth-pam/README.auth-pam  | 74 +++++++++++++++++++++++++++
 openvpn/src/plugins/auth-pam/auth-pam.c       | 18 ++++---
 openvpn/src/plugins/auth-pam/auth-pam.exports |  4 ++
 openvpn/src/plugins/auth-pam/pamdl.c          |  8 ++-
 openvpn/src/plugins/auth-pam/pamdl.h          |  4 +-
 8 files changed, 122 insertions(+), 119 deletions(-)
 delete mode 100755 openvpn/src/plugins/auth-pam/Makefile
 create mode 100644 openvpn/src/plugins/auth-pam/Makefile.am
 delete mode 100644 openvpn/src/plugins/auth-pam/README
 create mode 100644 openvpn/src/plugins/auth-pam/README.auth-pam
 create mode 100644 openvpn/src/plugins/auth-pam/auth-pam.exports

(limited to 'openvpn/src/plugins/auth-pam')

diff --git a/openvpn/src/plugins/auth-pam/Makefile b/openvpn/src/plugins/auth-pam/Makefile
deleted file mode 100755
index c0b9c79e..00000000
--- a/openvpn/src/plugins/auth-pam/Makefile
+++ /dev/null
@@ -1,32 +0,0 @@
-#
-# Build the OpenVPN auth-pam plugin module.
-#
-
-# If PAM modules are not linked against libpam.so, set DLOPEN_PAM to 1. This
-# must be done on SUSE 9.1, at least.
-DLOPEN_PAM=0
-
-ifeq ($(DLOPEN_PAM),1)
-	LIBPAM=-ldl
-else
-	LIBPAM=-lpam
-endif
-
-# This directory is where we will look for openvpn-plugin.h
-CPPFLAGS=-I../../../include
-
-CC=gcc
-CFLAGS=-O2 -Wall
-DEFS = -DDLOPEN_PAM=$(DLOPEN_PAM)
-
-openvpn-auth-pam.so : auth-pam.o pamdl.o
-	$(CC) $(CFLAGS) -fPIC -shared $(LDFLAGS) -Wl,-soname,openvpn-auth-pam.so -o openvpn-auth-pam.so auth-pam.o pamdl.o -lc $(LIBPAM)
-
-auth-pam.o : auth-pam.c pamdl.h
-	$(CC) $(CPPFLAGS) $(CFLAGS) $(DEFS) -fPIC -c auth-pam.c
-
-pamdl.o : pamdl.c pamdl.h
-	$(CC) $(CPPFLAGS) $(CFLAGS) $(DEFS) -fPIC -c pamdl.c
-
-clean :
-	-rm -f *.o *.so
diff --git a/openvpn/src/plugins/auth-pam/Makefile.am b/openvpn/src/plugins/auth-pam/Makefile.am
new file mode 100644
index 00000000..701a7497
--- /dev/null
+++ b/openvpn/src/plugins/auth-pam/Makefile.am
@@ -0,0 +1,27 @@
+#
+#  OpenVPN (TM) PAM Auth Plugin -- OpenVPN Plugin
+#
+#  Copyright (C) 2012      Alon Bar-Lev <alon.barlev@gmail.com>
+#
+
+MAINTAINERCLEANFILES = \
+	$(srcdir)/Makefile.in
+
+AM_CFLAGS = \
+	-I$(top_srcdir)/include
+	$(PLUGIN_AUTH_PAM_CFLAGS)
+
+if ENABLE_PLUGIN_AUTH_PAM
+plugin_LTLIBRARIES = openvpn-plugin-auth-pam.la
+dist_doc_DATA = README.auth-pam
+endif
+
+openvpn_plugin_auth_pam_la_SOURCES = \
+	auth-pam.c \
+	pamdl.c  pamdl.h \
+	auth-pam.exports
+openvpn_plugin_auth_pam_la_LIBADD = \
+	$(PLUGIN_AUTH_PAM_LIBS)
+openvpn_plugin_auth_pam_la_LDFLAGS = $(AM_LDFLAGS) \
+	-export-symbols "$(srcdir)/auth-pam.exports" \
+	-module -shared -avoid-version -no-undefined
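Review bot: The `AM_CFLAGS` assignment is missing a line continuation: `-I$(top_srcdir)/include` has no trailing backslash, so `$(PLUGIN_AUTH_PAM_CFLAGS)` on the next line is not part of the variable, and any PAM compile flags found by configure never reach the compiler. The line should read `-I$(top_srcdir)/include \`; as written, the stray tab-indented line is presumably harmless only while that variable expands to nothing. The include path would also sit more naturally in `AM_CPPFLAGS`. Separately, the library is now built as `openvpn-plugin-auth-pam`, while the README.auth-pam installed through `dist_doc_DATA` still tells users to build with `make` and to load `openvpn-auth-pam.so`.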
diff --git a/openvpn/src/plugins/auth-pam/README b/openvpn/src/plugins/auth-pam/README
deleted file mode 100644
index e1236902..00000000
--- a/openvpn/src/plugins/auth-pam/README
+++ /dev/null
@@ -1,74 +0,0 @@
-openvpn-auth-pam
-
-SYNOPSIS
-
-The openvpn-auth-pam module implements username/password
-authentication via PAM, and essentially allows any authentication
-method supported by PAM (such as LDAP, RADIUS, or Linux Shadow
-passwords) to be used with OpenVPN.  While PAM supports
-username/password authentication, this can be combined with X509
-certificates to provide two indepedent levels of authentication.
-
-This module uses a split privilege execution model which will
-function even if you drop openvpn daemon privileges using the user,
-group, or chroot directives.
-
-BUILD
-
-To build openvpn-auth-pam, you will need to have the pam-devel
-package installed.
-
-Build with the "make" command.  The module will be named
-openvpn-auth-pam.so
-
-USAGE
-
-To use this plugin module, add to your OpenVPN config file:
-
-  plugin openvpn-auth-pam.so service-type
-
-The required service-type parameter corresponds to
-the PAM service definition file usually found
-in /etc/pam.d.
-
-This plugin also supports the usage of a list of name/value
-pairs to answer PAM module queries.
-
-For example:
-
-  plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD"
-
-tells auth-pam to (a) use the "login" PAM module, (b) answer a
-"login" query with the username given by the OpenVPN client, and
-(c) answer a "password" query with the password given by the
-OpenVPN client.  This provides flexibility in dealing with the different
-types of query strings which different PAM modules might generate.
-For example, suppose you were using a PAM module called
-"test" which queried for "name" rather than "login":
-
-  plugin openvpn-auth-pam.so "test name USERNAME password PASSWORD"
-
-While "USERNAME" "COMMONNAME" and "PASSWORD" are special strings which substitute
-to client-supplied values, it is also possible to name literal values
-to use as PAM module query responses.  For example, suppose that the
-login module queried for a third parameter, "domain" which
-is to be answered with the constant value "mydomain.com":
-
-  plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD domain mydomain.com"
-
-The following OpenVPN directives can also influence
-the operation of this plugin:
-
-  client-cert-not-required
-  username-as-common-name
-
-Run OpenVPN with --verb 7 or higher to get debugging output from
-this plugin, including the list of queries presented by the
-underlying PAM module.  This is a useful debugging tool to figure
-out which queries a given PAM module is making, so that you can
-craft the appropriate plugin directive to answer it.
-
-CAVEATS
-
-This module will only work on *nix systems which support PAM,
-not Windows.
diff --git a/openvpn/src/plugins/auth-pam/README.auth-pam b/openvpn/src/plugins/auth-pam/README.auth-pam
new file mode 100644
index 00000000..e1236902
--- /dev/null
+++ b/openvpn/src/plugins/auth-pam/README.auth-pam
@@ -0,0 +1,74 @@
+openvpn-auth-pam
+
+SYNOPSIS
+
+The openvpn-auth-pam module implements username/password
+authentication via PAM, and essentially allows any authentication
+method supported by PAM (such as LDAP, RADIUS, or Linux Shadow
+passwords) to be used with OpenVPN.  While PAM supports
+username/password authentication, this can be combined with X509
+certificates to provide two indepedent levels of authentication.
+
+This module uses a split privilege execution model which will
+function even if you drop openvpn daemon privileges using the user,
+group, or chroot directives.
+
+BUILD
+
+To build openvpn-auth-pam, you will need to have the pam-devel
+package installed.
+
+Build with the "make" command.  The module will be named
+openvpn-auth-pam.so
+
+USAGE
+
+To use this plugin module, add to your OpenVPN config file:
+
+  plugin openvpn-auth-pam.so service-type
+
+The required service-type parameter corresponds to
+the PAM service definition file usually found
+in /etc/pam.d.
+
+This plugin also supports the usage of a list of name/value
+pairs to answer PAM module queries.
+
+For example:
+
+  plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD"
+
+tells auth-pam to (a) use the "login" PAM module, (b) answer a
+"login" query with the username given by the OpenVPN client, and
+(c) answer a "password" query with the password given by the
+OpenVPN client.  This provides flexibility in dealing with the different
+types of query strings which different PAM modules might generate.
+For example, suppose you were using a PAM module called
+"test" which queried for "name" rather than "login":
+
+  plugin openvpn-auth-pam.so "test name USERNAME password PASSWORD"
+
+While "USERNAME" "COMMONNAME" and "PASSWORD" are special strings which substitute
+to client-supplied values, it is also possible to name literal values
+to use as PAM module query responses.  For example, suppose that the
+login module queried for a third parameter, "domain" which
+is to be answered with the constant value "mydomain.com":
+
+  plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD domain mydomain.com"
+
+The following OpenVPN directives can also influence
+the operation of this plugin:
+
+  client-cert-not-required
+  username-as-common-name
+
+Run OpenVPN with --verb 7 or higher to get debugging output from
+this plugin, including the list of queries presented by the
+underlying PAM module.  This is a useful debugging tool to figure
+out which queries a given PAM module is making, so that you can
+craft the appropriate plugin directive to answer it.
+
+CAVEATS
+
+This module will only work on *nix systems which support PAM,
+not Windows.
diff --git a/openvpn/src/plugins/auth-pam/auth-pam.c b/openvpn/src/plugins/auth-pam/auth-pam.c
index e52f6322..bd717927 100644
--- a/openvpn/src/plugins/auth-pam/auth-pam.c
+++ b/openvpn/src/plugins/auth-pam/auth-pam.c
@@ -26,12 +26,14 @@
  * OpenVPN plugin module to do PAM authentication using a split
  * privilege model.
  */
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
 
-#if DLOPEN_PAM
-#include <dlfcn.h>
-#include "pamdl.h"
-#else
 #include <security/pam_appl.h>
+
+#ifdef USE_PAM_DLOPEN
+#include "pamdl.h"
 #endif
 
 #include <stdio.h>
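Review bot: Replacing `#if DLOPEN_PAM` with `#ifdef USE_PAM_DLOPEN` changes the test from value to definedness, so a build that passes `-DUSE_PAM_DLOPEN=0` now selects the dlopen path, where the old Makefile's `DLOPEN_PAM=0` selected direct linking. The same guard appears in the three `pam_server` hunks below and in the pamdl.c and pamdl.h hunks. This is fine if the macro is only ever set by configure, but nothing here says so. I would add above the guard `/* USE_PAM_DLOPEN is defined by configure (config.h) only when libpam is loaded at run time; never define it to 0 */`.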
@@ -46,7 +48,7 @@
 #include <signal.h>
 #include <syslog.h>
 
-#include "openvpn-plugin.h"
+#include <openvpn-plugin.h>
 
 #define DEBUG(verb) ((verb) >= 4)
 
@@ -693,7 +695,7 @@ pam_server (int fd, const char *service, int verb, const struct name_value_list
 {
   struct user_pass up;
   int command;
-#if DLOPEN_PAM
+#ifdef USE_PAM_DLOPEN
   static const char pam_so[] = "libpam.so";
 #endif
 
@@ -703,7 +705,7 @@ pam_server (int fd, const char *service, int verb, const struct name_value_list
   if (DEBUG (verb))
     fprintf (stderr, "AUTH-PAM: BACKGROUND: INIT service='%s'\n", service);
 
-#if DLOPEN_PAM
+#ifdef USE_PAM_DLOPEN
   /*
    * Load PAM shared object
    */
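Review bot: The dlopen branch kept under the renamed guard still loads PAM by the bare name `libpam.so` (the `pam_so` constant in the previous hunk), and it does so in the background process that performs authentication in the split-privilege model. A bare, unversioned name is resolved through the dynamic loader's search path and usually exists only where the PAM development package is installed, so which library ends up checking passwords depends on the host's loader configuration. Now that the build goes through configure, the name could be supplied from there, or at least be versioned, e.g. `static const char pam_so[] = "libpam.so.0";`. The `dlopen_pam` call and its error handling lie outside the hunk, so whether a failed load is reported and refused cleanly cannot be checked here.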
@@ -794,7 +796,7 @@ pam_server (int fd, const char *service, int verb, const struct name_value_list
     }
  done:
 
-#if DLOPEN_PAM
+#ifdef USE_PAM_DLOPEN
   dlclose_pam ();
 #endif
   if (DEBUG (verb))
diff --git a/openvpn/src/plugins/auth-pam/auth-pam.exports b/openvpn/src/plugins/auth-pam/auth-pam.exports
new file mode 100644
index 00000000..b07937cc
--- /dev/null
+++ b/openvpn/src/plugins/auth-pam/auth-pam.exports
@@ -0,0 +1,4 @@
+openvpn_plugin_open_v1
+openvpn_plugin_func_v1
+openvpn_plugin_close_v1
+openvpn_plugin_abort_v1
diff --git a/openvpn/src/plugins/auth-pam/pamdl.c b/openvpn/src/plugins/auth-pam/pamdl.c
index 8636a8e4..26e98215 100644
--- a/openvpn/src/plugins/auth-pam/pamdl.c
+++ b/openvpn/src/plugins/auth-pam/pamdl.c
@@ -1,4 +1,8 @@
-#if DLOPEN_PAM
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#ifdef USE_PAM_DLOPEN
 /*
  * If you want to dynamically load libpam using dlopen() or something,
  * then dlopen( ' this shared object ' ); It takes care of exporting
@@ -73,7 +77,7 @@ int pam_set_item(pam_handle_t *pamh, int item_type, const void *item)
     return real_pam_set_item(pamh, item_type, item);
 }
 
-int pam_get_item(pam_handle_t *pamh, int item_type, const void **item)
+int pam_get_item(const pam_handle_t *pamh, int item_type, const void **item)
 {
     int (*real_pam_get_item)(const pam_handle_t *, int, const void **);
     RESOLVE_PAM_FUNCTION(pam_get_item, int,
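Review bot: The `const` added to `pam_get_item` brings the wrapper in line with the local `real_pam_get_item` pointer type, but the definition must also agree with the prototype in the system `<security/pam_appl.h>`, which may differ between PAM implementations. A mismatch would show up as a compile error only in USE_PAM_DLOPEN builds, which are presumably the less tested configuration. A short comment above the function naming the header the signature was matched against, e.g. `/* signature must match the prototype in <security/pam_appl.h> */`, would make that dependency visible. The function body continues outside the hunk.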
diff --git a/openvpn/src/plugins/auth-pam/pamdl.h b/openvpn/src/plugins/auth-pam/pamdl.h
index b10b035a..12ba0684 100644
--- a/openvpn/src/plugins/auth-pam/pamdl.h
+++ b/openvpn/src/plugins/auth-pam/pamdl.h
@@ -1,6 +1,4 @@
-#if DLOPEN_PAM
-#include <security/pam_appl.h>
-
+#ifdef USE_PAM_DLOPEN
 /* Dynamically load and unload the PAM library */
 int dlopen_pam (const char *so);
 void dlclose_pam (void);
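Review bot: With `#include <security/pam_appl.h>` removed from pamdl.h, any file that relied on this header for the PAM types must now include the PAM header itself. auth-pam.c does so in this commit, but the pamdl.c hunk adds only `<config.h>`, and pamdl.c defines `pam_set_item`/`pam_get_item` using `pam_handle_t`. Whether it includes `<security/pam_appl.h>` further down is not visible here and is worth confirming with a USE_PAM_DLOPEN build. The visible lines also show no include guard, and the closing `#endif` lies outside the hunk. A one-line comment such as `/* callers must include <security/pam_appl.h> themselves */` would document the new requirement.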
-- 
cgit v1.2.3