gmane.network.openvpn.devel
http://blog.gmane.org/gmane.network.openvpn.devel
hourly11901-01-01T00:00+00:00Gmanehttp://gmane.org/img/gmane-25t.png
http://gmane.org
[PATCH] build: check minimum polarssl version
http://comments.gmane.org/gmane.network.openvpn.devel/6613
<pre>Pre 1.1 is unsupported, API was changed.
Signed-off-by: Alon Bar-Lev <alon.barlev< at >gmail.com>
---
configure.ac | 21 +++++++++++++++++++++
1 files changed, 21 insertions(+), 0 deletions(-)
diff --git a/configure.ac b/configure.ac
index 4592727..5ace128 100644
--- a/configure.ac
+++ b/configure.ac
< at >< at > -743,6 +743,27 < at >< at > if test -z "${POLARSSL_LIBS}"; then
)
fi
+if test "${with_crypto_library}" = "polarssl" ; then
+AC_MSG_CHECKING([polarssl version])
+old_CFLAGS="${CFLAGS}"
+CFLAGS="${POLARSSL_CFLAGS} ${CFLAGS}"
+AC_COMPILE_IFELSE(
+[AC_LANG_PROGRAM(
+[[
+#include <polarssl/version.h>
+]],
+[[
+#if POLARSSL_VERSION_NUMBER <= 0x01010000
+#error invalid version
+#endif
+]]
+)],
+[AC_MSG_RESULT([ok])],
+[AC_MSG_ERROR([invalid polarssl version])]
+)
+CFLAGS="${old_CFLAGS}"
+fi
+
AC_ARG_VAR([LZO_CFLAGS], [C compiler flags for lzo])
AC_ARG_VAR([LZO_LIBS], [linker flags for lzo])
have_lzo="yes"
</pre>Alon Bar-Lev2012-05-21T11:04:14Pre-2.3-alpha2 Windows installers now available
http://comments.gmane.org/gmane.network.openvpn.devel/6602
<pre>Hi all,
Here are the first fully-functional Windows installers built (by me)
with Alon's new cross-compilation environment (a.k.a. "generic"
buildsystem):
<http://build.openvpn.net/downloads/snapshots/openvpn-install-2.3_master-I000_master-i686.exe>
<http://build.openvpn.net/downloads/snapshots/openvpn-install-2.3_master-I000_master-x86_64.exe>
The installers and executables and libraries in them have been signed
with a self-signed test certificate. This means that Windows Vista/7
64-bit will refuse to install the (self-signed) TAP-drivers, unless this
CA certificate is in the system keystore:
<http://build.openvpn.net/downloads/openvpntestca-cert.cer>
This certificate can be imported using Microsoft management console
(mmc.exe):
- Add the "Certificates" snap-in
- Go to "Trusted root certificates"
- Right-click "Certificates"
- Select "All tasks" -> "Import"
After this you can run the OpenVPN installer and it should just work. A
version of OpenVPN signed with paid-for certificate is coming soonish.
That one will work on any supported Windows version without jumping
through these hoops.
Have fun (and please report back any issues you find),
</pre>Samuli Seppänen2012-05-16T11:27:49eurephia plugin
http://comments.gmane.org/gmane.network.openvpn.devel/6597
<pre>Hello David,
I guess this is yours:
---
* Additions for eurephia plugin done by:
* David Sommerseth <dazo< at >users.sourceforge.net> Copyright (C) 2009
---
Looking at the code the eurephia plugin only do the following:
---
#ifdef ENABLE_PLUGIN_EUREPHIA
/* export X509 cert SHA1 fingerprint */
{
unsigned char *sha1_hash = x509_get_sha1_hash(peer_cert, &gc);
openvpn_snprintf (envname, sizeof(envname), "tls_digest_%d", cert_depth);
setenv_str (es, envname, format_hex_ex(sha1_hash, SHA_DIGEST_LENGTH, 0, 1,
":", &gc));
}
#endif
---
Can you please explain what this plugin is and why just remove the conditional?
Thanks,
Alon.
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
</pre>Alon Bar-Lev2012-05-16T07:17:11[PATCH] cleanup: update .gitignore
http://comments.gmane.org/gmane.network.openvpn.devel/6596
<pre>Signed-off-by: Alon Bar-Lev <alon.barlev< at >gmail.com>
---
.gitignore | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/.gitignore b/.gitignore
index 9f546a3..f762089 100644
--- a/.gitignore
+++ b/.gitignore
< at >< at > -1,4 +1,5 < at >< at >
*.[oa]
+*.l[oa]
*.dll
*.exe
*.exe.*
< at >< at > -17,6 +18,7 < at >< at > Release
Debug
Win32-Output
.deps
+.libs
Makefile
Makefile.in
aclocal.m4
</pre>Alon Bar-Lev2012-05-15T22:21:15[PATCH] build: integrate plugins build into corebuild
http://comments.gmane.org/gmane.network.openvpn.devel/6591
<pre>As disucssed[1], keep plugins in repository.
1, Proper automake/libtool build.
2. Move example plugins to samples/sample-plugins.
3. Plugins are installed at LIBDIR/openvpn/plugins.
[1] http://comments.gmane.org/gmane.network.openvpn.devel/6436
Signed-off-by: Alon Bar-Lev <alon.barlev< at >gmail.com>
---
configure.ac | 63 +++++++
distro/rpm/openvpn.spec.in | 47 +-----
doc/Makefile.am | 5 +-
doc/README.plugins | 47 +++++
sample/Makefile.am | 1 +
sample/sample-plugins/defer/README | 16 ++
sample/sample-plugins/defer/build | 15 ++
sample/sample-plugins/defer/simple.c | 305 +++++++++++++++++++++++++++++++
sample/sample-plugins/defer/simple.def | 6 +
sample/sample-plugins/defer/winbuild | 18 ++
sample/sample-plugins/log/build | 15 ++
sample/sample-plugins/log/log.c | 184 +++++++++++++++++++
sample/sample-plugins/log/log_v3.c | 247 +++++++++++++++++++++++++
sample/sample-plugins/log/winbuild | 18 ++
sample/sample-plugins/simple/README | 16 ++
sample/sample-plugins/simple/build | 15 ++
sample/sample-plugins/simple/simple.c | 120 ++++++++++++
sample/sample-plugins/simple/simple.def | 6 +
sample/sample-plugins/simple/winbuild | 18 ++
src/Makefile.am | 5 +-
src/plugins/Makefile.am | 15 ++
src/plugins/README | 47 -----
src/plugins/auth-pam/Makefile | 32 ----
src/plugins/auth-pam/Makefile.am | 27 +++
src/plugins/auth-pam/README | 74 --------
src/plugins/auth-pam/README.auth-pam | 74 ++++++++
src/plugins/auth-pam/auth-pam.c | 18 +-
src/plugins/auth-pam/auth-pam.exports | 4 +
src/plugins/auth-pam/pamdl.c | 8 +-
src/plugins/auth-pam/pamdl.h | 4 +-
src/plugins/defer/README | 16 --
src/plugins/defer/build | 15 --
src/plugins/defer/simple.c | 305 -------------------------------
src/plugins/defer/simple.def | 6 -
src/plugins/defer/winbuild | 18 --
src/plugins/down-root/Makefile | 18 --
src/plugins/down-root/Makefile.am | 23 +++
src/plugins/down-root/README | 29 ---
src/plugins/down-root/README.down-root | 29 +++
src/plugins/down-root/down-root.c | 6 +-
src/plugins/down-root/down-root.exports | 4 +
src/plugins/examples/README | 16 --
src/plugins/examples/build | 15 --
src/plugins/examples/log.c | 184 -------------------
src/plugins/examples/log_v3.c | 247 -------------------------
src/plugins/examples/simple.c | 120 ------------
src/plugins/examples/simple.def | 6 -
src/plugins/examples/winbuild | 18 --
48 files changed, 1317 insertions(+), 1228 deletions(-)
create mode 100644 doc/README.plugins
create mode 100644 sample/sample-plugins/defer/README
create mode 100755 sample/sample-plugins/defer/build
create mode 100644 sample/sample-plugins/defer/simple.c
create mode 100755 sample/sample-plugins/defer/simple.def
create mode 100755 sample/sample-plugins/defer/winbuild
create mode 100755 sample/sample-plugins/log/build
create mode 100644 sample/sample-plugins/log/log.c
create mode 100644 sample/sample-plugins/log/log_v3.c
create mode 100755 sample/sample-plugins/log/winbuild
create mode 100644 sample/sample-plugins/simple/README
create mode 100755 sample/sample-plugins/simple/build
create mode 100644 sample/sample-plugins/simple/simple.c
create mode 100755 sample/sample-plugins/simple/simple.def
create mode 100755 sample/sample-plugins/simple/winbuild
create mode 100644 src/plugins/Makefile.am
delete mode 100644 src/plugins/README
delete mode 100755 src/plugins/auth-pam/Makefile
create mode 100644 src/plugins/auth-pam/Makefile.am
delete mode 100644 src/plugins/auth-pam/README
create mode 100644 src/plugins/auth-pam/README.auth-pam
create mode 100644 src/plugins/auth-pam/auth-pam.exports
delete mode 100644 src/plugins/defer/README
delete mode 100755 src/plugins/defer/build
delete mode 100644 src/plugins/defer/simple.c
delete mode 100755 src/plugins/defer/simple.def
delete mode 100755 src/plugins/defer/winbuild
delete mode 100755 src/plugins/down-root/Makefile
create mode 100644 src/plugins/down-root/Makefile.am
delete mode 100644 src/plugins/down-root/README
create mode 100644 src/plugins/down-root/README.down-root
create mode 100644 src/plugins/down-root/down-root.exports
delete mode 100644 src/plugins/examples/README
delete mode 100755 src/plugins/examples/build
delete mode 100644 src/plugins/examples/log.c
delete mode 100644 src/plugins/examples/log_v3.c
delete mode 100644 src/plugins/examples/simple.c
delete mode 100755 src/plugins/examples/simple.def
delete mode 100755 src/plugins/examples/winbuild
diff --git a/configure.ac b/configure.ac
index 4592727..c1fa12e 100644
--- a/configure.ac
+++ b/configure.ac
< at >< at > -194,6 +194,27 < at >< at > AC_ARG_ENABLE(
)
AC_ARG_ENABLE(
+[plugin-auth-pam],
+[AS_HELP_STRING([--disable-plugin-auth-pam], [disable auth-pam plugin < at ><:< at >default=yes< at >:>< at >])],
+,
+[enable_plugin_auth_pam="yes"]
+)
+
+AC_ARG_ENABLE(
+[plugin-down-root],
+[AS_HELP_STRING([--disable-plugin-down-root], [disable down-root plugin < at ><:< at >default=yes< at >:>< at >])],
+,
+[enable_plugin_down_root="yes"]
+)
+
+AC_ARG_ENABLE(
+[pam-dlopen],
+[AS_HELP_STRING([--enable-pam-dlopen], [dlopen libpam < at ><:< at >default=no< at >:>< at >])],
+,
+[enable_pam_dlopen="no"]
+)
+
+AC_ARG_ENABLE(
[strict],
[AS_HELP_STRING([--enable-strict], [enable strict compiler warnings (debugging option) < at ><:< at >default=no< at >:>< at >])],
,
< at >< at > -258,6 +279,14 < at >< at > AC_ARG_WITH(
[with_crypto_library="openssl"]
)
+AC_ARG_WITH(
+[plugindir],
+[AS_HELP_STRING([--with-plugindir], [plugin directory < at ><:< at >default=LIBDIR/openvpn< at >:>< at >])],
+,
+[with_plugindir="\$(libdir)/openvpn/plugins"]
+)
+
+
AC_DEFINE_UNQUOTED([TARGET_ALIAS], ["${host}"], [A string representing our host])
case "$host" in
*-*-linux*)
< at >< at > -622,6 +651,16 < at >< at > AC_CHECK_LIB(
)
AC_SUBST([SELINUX_LIBS])
+AC_ARG_VAR([LIBPAM_CFLAGS], [C compiler flags for libpam])
+AC_ARG_VAR([LIBPAM_LIBS], [linker flags for libpam])
+if test -z "${LIBPAM_LIBS}"; then
+AC_CHECK_LIB(
+[pam],
+[pam_start],
+[LIBPAM_LIBS="-lpam"]
+)
+fi
+
case "${with_mem_check}" in
valgrind)
AC_CHECK_HEADER(
< at >< at > -871,6 +910,9 < at >< at > if test "${enable_plugins}" = "yes"; then
OPTIONAL_DL_LIBS="${DL_LIBS}"
AC_DEFINE([ENABLE_PLUGIN], [1], [Enable systemd support])
test "${enable_eurephia}" = "yes" && AC_DEFINE([ENABLE_EUREPHIA], [1], [Enable support for the eurephia plug-in])
+else
+enable_plugin_auth_pam="no"
+enable_plugin_down_root="no"
fi
if test "${enable_iproute2}" = "yes"; then
< at >< at > -922,6 +964,17 < at >< at > if test "${WIN32}" = "yes"; then
test -z "${MAN2HTML}" && AC_MSG_ERROR([man2html is required for win32])
fi
+if test "${enable_plugin_auth_pam}" = "yes"; then
+PLUGIN_AUTH_PAM_CFLAGS="${LIBPAM_CFLAGS}"
+if test "${enable_pam_dlopen}" = "yes"; then
+AC_DEFINE([USE_PAM_DLOPEN], [1], [dlopen libpam])
+PLUGIN_AUTH_PAM_LIBS="${DL_LIBS}"
+else
+test -z "${LIBPAM_LIBS}" && AC_MSG_ERROR([libpam required but missing])
+PLUGIN_AUTH_PAM_LIBS="${LIBPAM_LIBS}"
+fi
+fi
+
CONFIGURE_DEFINES="`set | grep '^enable_.*=' ; set | grep '^with_.*='`"
AC_DEFINE_UNQUOTED([CONFIGURE_DEFINES], ["`echo ${CONFIGURE_DEFINES}`"], [Configuration settings])
< at >< at > -944,10 +997,17 < at >< at > AC_SUBST([OPTIONAL_LZO_LIBS])
AC_SUBST([OPTIONAL_PKCS11_HELPER_CFLAGS])
AC_SUBST([OPTIONAL_PKCS11_HELPER_LIBS])
+AC_SUBST([PLUGIN_AUTH_PAM_CFLAGS])
+AC_SUBST([PLUGIN_AUTH_PAM_LIBS])
+
AM_CONDITIONAL([WIN32], [test "${WIN32}" = "yes"])
AM_CONDITIONAL([GIT_CHECKOUT], [test "${GIT_CHECKOUT}" = "yes"])
+AM_CONDITIONAL([ENABLE_PLUGIN_AUTH_PAM], [test "${enable_plugin_auth_pam}" = "yes"])
+AM_CONDITIONAL([ENABLE_PLUGIN_DOWN_ROOT], [test "${enable_plugin_down_root}" = "yes"])
+plugindir="${with_plugindir}"
sampledir="\$(docdir)/sample"
+AC_SUBST([plugindir])
AC_SUBST([sampledir])
AC_CONFIG_FILES([
< at >< at > -964,6 +1024,9 < at >< at > AC_CONFIG_FILES([
src/compat/Makefile
src/openvpn/Makefile
src/openvpnserv/Makefile
+src/plugins/Makefile
+src/plugins/auth-pam/Makefile
+src/plugins/down-root/Makefile
tests/Makefile
sample/Makefile
doc/Makefile
diff --git a/distro/rpm/openvpn.spec.in b/distro/rpm/openvpn.spec.in
index 3c316bf..20a8c89 100644
--- a/distro/rpm/openvpn.spec.in
+++ b/distro/rpm/openvpn.spec.in
< at >< at > -83,13 +83,6 < at >< at > Development support for OpenVPN.
%endif
#
-# Should we build the auth-pam module?
-#
-
-%define build_auth_pam 1
-%{?without_pam:%define build_auth_pam 0}
-
-#
# Other definitions
#
< at >< at > -108,20 +101,9 < at >< at > Development support for OpenVPN.
--docdir="%{_docdir}/%{name}-%{version}" \
%{?with_password_save:--enable-password-save} \
%{!?without_lzo:--enable-lzo} \
-%{?with_pkcs11:--enable-pkcs11}
-%__make
-
-# Build down-root plugin
-pushd src/plugins/down-root
+%{?with_pkcs11:--enable-pkcs11} \
+%{?without_pam:--disable-plugin-auth-pam}
%__make
-popd
-
-# Build auth-pam plugin
-%if %{build_auth_pam}
-pushd src/plugins/auth-pam
-%__make
-popd
-%endif
#
# Installation section
< at >< at > -143,29 +125,8 < at >< at > popd
# Install /etc/openvpn
%__install -c -d -m 755 "%{buildroot}/etc/%{name}"
-#
-# Build /usr/share/openvpn
-#
-
-%__mkdir_p %{buildroot}%{_datadir}/%{name}
-
-#
-# Install the plugins
-#
-
-%__mkdir_p "%{buildroot}%{_datadir}/%{name}/plugins/lib"
-
-for pi in auth-pam down-root; do
- %__mv -f src/plugins/$pi/README src/plugins/README.$pi
- if [ -e src/plugins/$pi/openvpn-$pi.so ]; then
- %__install -c -m 755 src/plugins/$pi/openvpn-$pi.so "%{buildroot}%{_datadir}/openvpn/plugins/lib/openvpn-$pi.so"
- fi
-done
-
-%__mv -f src/plugins/README src/plugins/README.plugins
-
# Install extra %doc stuff
-cp -r AUTHORS ChangeLog NEWS contrib/ sample/ src/plugins/README.* \
+cp -r AUTHORS ChangeLog NEWS contrib/ sample/ \
"%{buildroot}/%{_docdir}/%{name}-%{version}"
#
< at >< at > -218,7 +179,7 < at >< at > fi
%defattr(-,root,root)
%{_mandir}
%{_sbindir}/%{name}
-%{_datadir}/%{name}
+%{_libdir}/%{name}
%{_docdir}/%{name}-%{version}
%dir /etc/%{name}
%if "%{VENDOR}" == "SuSE"
diff --git a/doc/Makefile.am b/doc/Makefile.am
index 46687b2..d33e1ed 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
< at >< at > -17,8 +17,11 < at >< at > CLEANFILES = openvpn.8.html
dist_doc_DATA = \
management-notes.txt
+dist_noinst_DATA = \
+README.plugins
+
if WIN32
-dist_noinst_DATA = openvpn.8
+dist_noinst_DATA += openvpn.8
nodist_html_DATA = openvpn.8.html
openvpn.8.html: $(srcdir)/openvpn.8
$(MAN2HTML) < $(srcdir)/openvpn.8 > openvpn.8.html
diff --git a/doc/README.plugins b/doc/README.plugins
new file mode 100644
index 0000000..6e490c5
--- /dev/null
+++ b/doc/README.plugins
< at >< at > -0,0 +1,47 < at >< at >
+OpenVPN Plugins
+---------------
+
+Starting with OpenVPN 2.0-beta17, compiled plugin modules are
+supported on any *nix OS which includes libdl or on Windows.
+One or more modules may be loaded into OpenVPN using
+the --plugin directive, and each plugin module is capable of
+intercepting any of the script callbacks which OpenVPN supports:
+
+(1) up
+(2) down
+(3) route-up
+(4) ipchange
+(5) tls-verify
+(6) auth-user-pass-verify
+(7) client-connect
+(8) client-disconnect
+(9) learn-address
+
+See the openvpn-plugin.h file in the top-level directory of the
+OpenVPN source distribution for more detailed information
+on the plugin interface.
+
+Included Plugins
+----------------
+
+auth-pam -- Authenticate using PAM and a split privilege
+ execution model which functions even if
+ root privileges or the execution environment
+ have been altered with --user/--group/--chroot.
+ Tested on Linux only.
+
+down-root -- Enable the running of down scripts with root privileges
+ even if --user/--group/--chroot have been used
+ to drop root privileges or change the execution
+ environment. Not applicable on Windows.
+
+examples -- A simple example that demonstrates a portable
+ plugin, i.e. one which can be built for *nix
+ or Windows from the same source.
+
+Building Plugins
+----------------
+
+cd to the top-level directory of a plugin, and use the
+"make" command to build it. The examples plugin is
+built using a build script, not a makefile.
diff --git a/sample/Makefile.am b/sample/Makefile.am
index 8e35bfc..be30c88 100644
--- a/sample/Makefile.am
+++ b/sample/Makefile.am
< at >< at > -13,6 +13,7 < at >< at > MAINTAINERCLEANFILES = \
$(srcdir)/Makefile.in
EXTRA_DIST = \
+sample-plugins \
sample-config-files \
sample-windows \
sample-keys \
diff --git a/sample/sample-plugins/defer/README b/sample/sample-plugins/defer/README
new file mode 100644
index 0000000..d8990f8
--- /dev/null
+++ b/sample/sample-plugins/defer/README
< at >< at > -0,0 +1,16 < at >< at >
+OpenVPN plugin examples.
+
+Examples provided:
+
+simple.c -- using the --auth-user-pass-verify callback,
+ test deferred authentication.
+
+To build:
+
+ ./build simple (Linux/BSD/etc.)
+ ./winbuild simple (MinGW on Windows)
+
+To use in OpenVPN, add to config file:
+
+ plugin simple.so (Linux/BSD/etc.)
+ plugin simple.dll (MinGW on Windows)
diff --git a/sample/sample-plugins/defer/build b/sample/sample-plugins/defer/build
new file mode 100755
index 0000000..0612c08
--- /dev/null
+++ b/sample/sample-plugins/defer/build
< at >< at > -0,0 +1,15 < at >< at >
+#!/bin/sh
+
+#
+# Build an OpenVPN plugin module on *nix. The argument should
+# be the base name of the C source file (without the .c).
+#
+
+# This directory is where we will look for openvpn-plugin.h
+CPPFLAGS="${CPPFLAGS:--I../../../include}"
+
+CC="${CC:-gcc}"
+CFLAGS="${CFLAGS:--O2 -Wall -g}"
+
+$CC $CPPFLAGS $CFLAGS -fPIC -c $1.c && \
+$CC $CFLAGS -fPIC -shared ${LDFLAS} -Wl,-soname,$1.so -o $1.so $1.o -lc
diff --git a/sample/sample-plugins/defer/simple.c b/sample/sample-plugins/defer/simple.c
new file mode 100644
index 0000000..6539865
--- /dev/null
+++ b/sample/sample-plugins/defer/simple.c
< at >< at > -0,0 +1,305 < at >< at >
+/*
+ * OpenVPN -- An application to securely tunnel IP networks
+ * over a single TCP/UDP port, with support for SSL/TLS-based
+ * session authentication and key exchange,
+ * packet encryption, packet authentication, and
+ * packet compression.
+ *
+ * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales< at >openvpn.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program (see the file COPYING included with this
+ * distribution); if not, write to the Free Software Foundation, Inc.,
+ * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+/*
+ * This file implements a simple OpenVPN plugin module which
+ * will test deferred authentication and packet filtering.
+ *
+ * Will run on Windows or *nix.
+ *
+ * Sample usage:
+ *
+ * setenv test_deferred_auth 20
+ * setenv test_packet_filter 10
+ * plugin plugin/defer/simple.so
+ *
+ * This will enable deferred authentication to occur 20
+ * seconds after the normal TLS authentication process,
+ * and will cause a packet filter file to be generated 10
+ * seconds after the initial TLS negotiation, using
+ * {common-name}.pf as the source.
+ *
+ * Sample packet filter configuration:
+ *
+ * [CLIENTS DROP]
+ * +otherclient
+ * [SUBNETS DROP]
+ * +10.0.0.0/8
+ * -10.10.0.8
+ * [END]
+ *
+ * See the README file for build instructions.
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#include "openvpn-plugin.h"
+
+/* bool definitions */
+#define bool int
+#define true 1
+#define false 0
+
+/*
+ * Our context, where we keep our state.
+ */
+
+struct plugin_context {
+ int test_deferred_auth;
+ int test_packet_filter;
+};
+
+struct plugin_per_client_context {
+ int n_calls;
+ bool generated_pf_file;
+};
+
+/*
+ * Given an environmental variable name, search
+ * the envp array for its value, returning it
+ * if found or NULL otherwise.
+ */
+static const char *
+get_env (const char *name, const char *envp[])
+{
+ if (envp)
+ {
+ int i;
+ const int namelen = strlen (name);
+ for (i = 0; envp[i]; ++i)
+{
+ if (!strncmp (envp[i], name, namelen))
+ {
+ const char *cp = envp[i] + namelen;
+ if (*cp == '=')
+return cp + 1;
+ }
+}
+ }
+ return NULL;
+}
+
+/* used for safe printf of possible NULL strings */
+static const char *
+np (const char *str)
+{
+ if (str)
+ return str;
+ else
+ return "[NULL]";
+}
+
+static int
+atoi_null0 (const char *str)
+{
+ if (str)
+ return atoi (str);
+ else
+ return 0;
+}
+
+OPENVPN_EXPORT openvpn_plugin_handle_t
+openvpn_plugin_open_v1 (unsigned int *type_mask, const char *argv[], const char *envp[])
+{
+ struct plugin_context *context;
+
+ printf ("FUNC: openvpn_plugin_open_v1\n");
+
+ /*
+ * Allocate our context
+ */
+ context = (struct plugin_context *) calloc (1, sizeof (struct plugin_context));
+
+ context->test_deferred_auth = atoi_null0 (get_env ("test_deferred_auth", envp));
+ printf ("TEST_DEFERRED_AUTH %d\n", context->test_deferred_auth);
+
+ context->test_packet_filter = atoi_null0 (get_env ("test_packet_filter", envp));
+ printf ("TEST_PACKET_FILTER %d\n", context->test_packet_filter);
+
+ /*
+ * Which callbacks to intercept.
+ */
+ *type_mask =
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_UP) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_DOWN) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_ROUTE_UP) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_IPCHANGE) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_TLS_VERIFY) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_CLIENT_CONNECT_V2) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_CLIENT_DISCONNECT) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_LEARN_ADDRESS) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_TLS_FINAL) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_ENABLE_PF);
+
+ return (openvpn_plugin_handle_t) context;
+}
+
+static int
+auth_user_pass_verify (struct plugin_context *context, struct plugin_per_client_context *pcc, const char *argv[], const char *envp[])
+{
+ if (context->test_deferred_auth)
+ {
+ /* get username/password from envp string array */
+ const char *username = get_env ("username", envp);
+ const char *password = get_env ("password", envp);
+
+ /* get auth_control_file filename from envp string array*/
+ const char *auth_control_file = get_env ("auth_control_file", envp);
+
+ printf ("DEFER u='%s' p='%s' acf='%s'\n",
+ np(username),
+ np(password),
+ np(auth_control_file));
+
+ /* Authenticate asynchronously in n seconds */
+ if (auth_control_file)
+{
+ char buf[256];
+ int auth = 2;
+ sscanf (username, "%d", &auth);
+ snprintf (buf, sizeof(buf), "( sleep %d ; echo AUTH %s %d ; echo %d >%s ) &",
+ context->test_deferred_auth,
+ auth_control_file,
+ auth,
+ pcc->n_calls < auth,
+ auth_control_file);
+ printf ("%s\n", buf);
+ system (buf);
+ pcc->n_calls++;
+ return OPENVPN_PLUGIN_FUNC_DEFERRED;
+}
+ else
+return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+ else
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+}
+
+static int
+tls_final (struct plugin_context *context, struct plugin_per_client_context *pcc, const char *argv[], const char *envp[])
+{
+ if (context->test_packet_filter)
+ {
+ if (!pcc->generated_pf_file)
+{
+ const char *pff = get_env ("pf_file", envp);
+ const char *cn = get_env ("username", envp);
+ if (pff && cn)
+ {
+ char buf[256];
+ snprintf (buf, sizeof(buf), "( sleep %d ; echo PF %s/%s ; cp \"%s.pf\" \"%s\" ) &",
+context->test_packet_filter, cn, pff, cn, pff);
+ printf ("%s\n", buf);
+ system (buf);
+ pcc->generated_pf_file = true;
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ }
+ else
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+}
+ else
+return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+ else
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+}
+
+OPENVPN_EXPORT int
+openvpn_plugin_func_v2 (openvpn_plugin_handle_t handle,
+const int type,
+const char *argv[],
+const char *envp[],
+void *per_client_context,
+struct openvpn_plugin_string_list **return_list)
+{
+ struct plugin_context *context = (struct plugin_context *) handle;
+ struct plugin_per_client_context *pcc = (struct plugin_per_client_context *) per_client_context;
+ switch (type)
+ {
+ case OPENVPN_PLUGIN_UP:
+ printf ("OPENVPN_PLUGIN_UP\n");
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ case OPENVPN_PLUGIN_DOWN:
+ printf ("OPENVPN_PLUGIN_DOWN\n");
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ case OPENVPN_PLUGIN_ROUTE_UP:
+ printf ("OPENVPN_PLUGIN_ROUTE_UP\n");
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ case OPENVPN_PLUGIN_IPCHANGE:
+ printf ("OPENVPN_PLUGIN_IPCHANGE\n");
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ case OPENVPN_PLUGIN_TLS_VERIFY:
+ printf ("OPENVPN_PLUGIN_TLS_VERIFY\n");
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ case OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY:
+ printf ("OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY\n");
+ return auth_user_pass_verify (context, pcc, argv, envp);
+ case OPENVPN_PLUGIN_CLIENT_CONNECT_V2:
+ printf ("OPENVPN_PLUGIN_CLIENT_CONNECT_V2\n");
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ case OPENVPN_PLUGIN_CLIENT_DISCONNECT:
+ printf ("OPENVPN_PLUGIN_CLIENT_DISCONNECT\n");
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ case OPENVPN_PLUGIN_LEARN_ADDRESS:
+ printf ("OPENVPN_PLUGIN_LEARN_ADDRESS\n");
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ case OPENVPN_PLUGIN_TLS_FINAL:
+ printf ("OPENVPN_PLUGIN_TLS_FINAL\n");
+ return tls_final (context, pcc, argv, envp);
+ case OPENVPN_PLUGIN_ENABLE_PF:
+ printf ("OPENVPN_PLUGIN_ENABLE_PF\n");
+ if (context->test_packet_filter)
+return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ else
+return OPENVPN_PLUGIN_FUNC_ERROR;
+ default:
+ printf ("OPENVPN_PLUGIN_?\n");
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+}
+
+OPENVPN_EXPORT void *
+openvpn_plugin_client_constructor_v1 (openvpn_plugin_handle_t handle)
+{
+ printf ("FUNC: openvpn_plugin_client_constructor_v1\n");
+ return calloc (1, sizeof (struct plugin_per_client_context));
+}
+
+OPENVPN_EXPORT void
+openvpn_plugin_client_destructor_v1 (openvpn_plugin_handle_t handle, void *per_client_context)
+{
+ printf ("FUNC: openvpn_plugin_client_destructor_v1\n");
+ free (per_client_context);
+}
+
+OPENVPN_EXPORT void
+openvpn_plugin_close_v1 (openvpn_plugin_handle_t handle)
+{
+ struct plugin_context *context = (struct plugin_context *) handle;
+ printf ("FUNC: openvpn_plugin_close_v1\n");
+ free (context);
+}
diff --git a/sample/sample-plugins/defer/simple.def b/sample/sample-plugins/defer/simple.def
new file mode 100755
index 0000000..a87507d
--- /dev/null
+++ b/sample/sample-plugins/defer/simple.def
< at >< at > -0,0 +1,6 < at >< at >
+LIBRARY OpenVPN_PLUGIN_SAMPLE
+DESCRIPTION "Sample OpenVPN plug-in module."
+EXPORTS
+ openvpn_plugin_open_v1 < at >1
+ openvpn_plugin_func_v1 < at >2
+ openvpn_plugin_close_v1 < at >3
diff --git a/sample/sample-plugins/defer/winbuild b/sample/sample-plugins/defer/winbuild
new file mode 100755
index 0000000..82927d9
--- /dev/null
+++ b/sample/sample-plugins/defer/winbuild
< at >< at > -0,0 +1,18 < at >< at >
+#
+# Build an OpenVPN plugin module on Windows/MinGW.
+# The argument should be the base name of the C source file
+# (without the .c).
+#
+
+# This directory is where we will look for openvpn-plugin.h
+INCLUDE="-I../../../build"
+
+CC_FLAGS="-O2 -Wall"
+
+gcc -DBUILD_DLL $CC_FLAGS $INCLUDE -c $1.c
+gcc --disable-stdcall-fixup -mdll -DBUILD_DLL -o junk.tmp -Wl,--base-file,base.tmp $1.o
+rm junk.tmp
+dlltool --dllname $1.dll --base-file base.tmp --output-exp temp.exp --input-def $1.def
+rm base.tmp
+gcc --enable-stdcall-fixup -mdll -DBUILD_DLL -o $1.dll $1.o -Wl,temp.exp
+rm temp.exp
diff --git a/sample/sample-plugins/log/build b/sample/sample-plugins/log/build
new file mode 100755
index 0000000..bbb05f7
--- /dev/null
+++ b/sample/sample-plugins/log/build
< at >< at > -0,0 +1,15 < at >< at >
+#!/bin/sh
+
+#
+# Build an OpenVPN plugin module on *nix. The argument should
+# be the base name of the C source file (without the .c).
+#
+
+# This directory is where we will look for openvpn-plugin.h
+CPPFLAGS="${CPPFLAGS:--I../../..}"
+
+CC="${CC:-gcc}"
+CFLAGS="${CFLAGS:--O2 -Wall -g}"
+
+$CC $CPPFLAGS $CFLAGS -fPIC -c $1.c && \
+$CC $CFLAGS -fPIC -shared $LDFLAGS -Wl,-soname,$1.so -o $1.so $1.o -lc
diff --git a/sample/sample-plugins/log/log.c b/sample/sample-plugins/log/log.c
new file mode 100644
index 0000000..1cc4650
--- /dev/null
+++ b/sample/sample-plugins/log/log.c
< at >< at > -0,0 +1,184 < at >< at >
+/*
+ * OpenVPN -- An application to securely tunnel IP networks
+ * over a single TCP/UDP port, with support for SSL/TLS-based
+ * session authentication and key exchange,
+ * packet encryption, packet authentication, and
+ * packet compression.
+ *
+ * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales< at >openvpn.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program (see the file COPYING included with this
+ * distribution); if not, write to the Free Software Foundation, Inc.,
+ * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+/*
+ * This plugin is similar to simple.c, except it also logs extra information
+ * to stdout for every plugin method called by OpenVPN.
+ *
+ * See the README file for build instructions.
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#include "openvpn-plugin.h"
+
+/*
+ * Our context, where we keep our state.
+ */
+struct plugin_context {
+ const char *username;
+ const char *password;
+};
+
+/*
+ * Given an environmental variable name, search
+ * the envp array for its value, returning it
+ * if found or NULL otherwise.
+ */
+static const char *
+get_env (const char *name, const char *envp[])
+{
+ if (envp)
+ {
+ int i;
+ const int namelen = strlen (name);
+ for (i = 0; envp[i]; ++i)
+{
+ if (!strncmp (envp[i], name, namelen))
+ {
+ const char *cp = envp[i] + namelen;
+ if (*cp == '=')
+return cp + 1;
+ }
+}
+ }
+ return NULL;
+}
+
+OPENVPN_EXPORT openvpn_plugin_handle_t
+openvpn_plugin_open_v1 (unsigned int *type_mask, const char *argv[], const char *envp[])
+{
+ struct plugin_context *context;
+
+ /*
+ * Allocate our context
+ */
+ context = (struct plugin_context *) calloc (1, sizeof (struct plugin_context));
+
+ /*
+ * Set the username/password we will require.
+ */
+ context->username = "foo";
+ context->password = "bar";
+
+ /*
+ * Which callbacks to intercept.
+ */
+ *type_mask =
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_UP) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_DOWN) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_ROUTE_UP) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_IPCHANGE) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_TLS_VERIFY) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_CLIENT_CONNECT_V2) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_CLIENT_DISCONNECT) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_LEARN_ADDRESS) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_TLS_FINAL);
+
+ return (openvpn_plugin_handle_t) context;
+}
+
+void
+show (const int type, const char *argv[], const char *envp[])
+{
+ size_t i;
+ switch (type)
+ {
+ case OPENVPN_PLUGIN_UP:
+ printf ("OPENVPN_PLUGIN_UP\n");
+ break;
+ case OPENVPN_PLUGIN_DOWN:
+ printf ("OPENVPN_PLUGIN_DOWN\n");
+ break;
+ case OPENVPN_PLUGIN_ROUTE_UP:
+ printf ("OPENVPN_PLUGIN_ROUTE_UP\n");
+ break;
+ case OPENVPN_PLUGIN_IPCHANGE:
+ printf ("OPENVPN_PLUGIN_IPCHANGE\n");
+ break;
+ case OPENVPN_PLUGIN_TLS_VERIFY:
+ printf ("OPENVPN_PLUGIN_TLS_VERIFY\n");
+ break;
+ case OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY:
+ printf ("OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY\n");
+ break;
+ case OPENVPN_PLUGIN_CLIENT_CONNECT_V2:
+ printf ("OPENVPN_PLUGIN_CLIENT_CONNECT_V2\n");
+ break;
+ case OPENVPN_PLUGIN_CLIENT_DISCONNECT:
+ printf ("OPENVPN_PLUGIN_CLIENT_DISCONNECT\n");
+ break;
+ case OPENVPN_PLUGIN_LEARN_ADDRESS:
+ printf ("OPENVPN_PLUGIN_LEARN_ADDRESS\n");
+ break;
+ case OPENVPN_PLUGIN_TLS_FINAL:
+ printf ("OPENVPN_PLUGIN_TLS_FINAL\n");
+ break;
+ default:
+ printf ("OPENVPN_PLUGIN_?\n");
+ break;
+ }
+
+ printf ("ARGV\n");
+ for (i = 0; argv[i] != NULL; ++i)
+ printf ("%d '%s'\n", (int)i, argv[i]);
+
+ printf ("ENVP\n");
+ for (i = 0; envp[i] != NULL; ++i)
+ printf ("%d '%s'\n", (int)i, envp[i]);
+}
+
+OPENVPN_EXPORT int
+openvpn_plugin_func_v1 (openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[])
+{
+ struct plugin_context *context = (struct plugin_context *) handle;
+
+ show (type, argv, envp);
+
+ /* check entered username/password against what we require */
+ if (type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)
+ {
+ /* get username/password from envp string array */
+ const char *username = get_env ("username", envp);
+ const char *password = get_env ("password", envp);
+
+ if (username && !strcmp (username, context->username)
+ && password && !strcmp (password, context->password))
+return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ else
+return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+ else
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+}
+
+OPENVPN_EXPORT void
+openvpn_plugin_close_v1 (openvpn_plugin_handle_t handle)
+{
+ struct plugin_context *context = (struct plugin_context *) handle;
+ free (context);
+}
diff --git a/sample/sample-plugins/log/log_v3.c b/sample/sample-plugins/log/log_v3.c
new file mode 100644
index 0000000..742c756
--- /dev/null
+++ b/sample/sample-plugins/log/log_v3.c
< at >< at > -0,0 +1,247 < at >< at >
+/*
+ * OpenVPN -- An application to securely tunnel IP networks
+ * over a single TCP/UDP port, with support for SSL/TLS-based
+ * session authentication and key exchange,
+ * packet encryption, packet authentication, and
+ * packet compression.
+ *
+ * Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sales< at >openvpn.net>
+ * Copyright (C) 2010 David Sommerseth <dazo< at >users.sourceforge.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program (see the file COPYING included with this
+ * distribution); if not, write to the Free Software Foundation, Inc.,
+ * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+/*
+ * This plugin is similar to simple.c, except it also logs extra information
+ * to stdout for every plugin method called by OpenVPN. The only difference
+ * between this (log_v3.c) and log.c is that this module uses the v3 plug-in
+ * API.
+ *
+ * See the README file for build instructions.
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#define ENABLE_SSL
+
+#include "openvpn-plugin.h"
+
+/*
+ * Our context, where we keep our state.
+ */
+struct plugin_context {
+ const char *username;
+ const char *password;
+};
+
+/*
+ * Given an environmental variable name, search
+ * the envp array for its value, returning it
+ * if found or NULL otherwise.
+ */
+static const char *
+get_env (const char *name, const char *envp[])
+{
+ if (envp)
+ {
+ int i;
+ const int namelen = strlen (name);
+ for (i = 0; envp[i]; ++i)
+{
+ if (!strncmp (envp[i], name, namelen))
+ {
+ const char *cp = envp[i] + namelen;
+ if (*cp == '=')
+return cp + 1;
+ }
+}
+ }
+ return NULL;
+}
+
+OPENVPN_EXPORT int
+openvpn_plugin_open_v3 (const int v3structver,
+ struct openvpn_plugin_args_open_in const *args,
+ struct openvpn_plugin_args_open_return *ret)
+{
+ struct plugin_context *context = NULL;
+
+ /* Check that we are API compatible */
+ if( v3structver != OPENVPN_PLUGINv3_STRUCTVER ) {
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+
+ /* Which callbacks to intercept. */
+ ret->type_mask =
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_UP) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_DOWN) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_ROUTE_UP) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_IPCHANGE) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_TLS_VERIFY) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_CLIENT_CONNECT_V2) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_CLIENT_DISCONNECT) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_LEARN_ADDRESS) |
+ OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_TLS_FINAL);
+
+
+ /* Allocate our context */
+ context = (struct plugin_context *) calloc (1, sizeof (struct plugin_context));
+
+ /* Set the username/password we will require. */
+ context->username = "foo";
+ context->password = "bar";
+
+ /* Point the global context handle to our newly created context */
+ ret->handle = (void *) context;
+
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+}
+
+void
+show (const int type, const char *argv[], const char *envp[])
+{
+ size_t i;
+ switch (type)
+ {
+ case OPENVPN_PLUGIN_UP:
+ printf ("OPENVPN_PLUGIN_UP\n");
+ break;
+ case OPENVPN_PLUGIN_DOWN:
+ printf ("OPENVPN_PLUGIN_DOWN\n");
+ break;
+ case OPENVPN_PLUGIN_ROUTE_UP:
+ printf ("OPENVPN_PLUGIN_ROUTE_UP\n");
+ break;
+ case OPENVPN_PLUGIN_IPCHANGE:
+ printf ("OPENVPN_PLUGIN_IPCHANGE\n");
+ break;
+ case OPENVPN_PLUGIN_TLS_VERIFY:
+ printf ("OPENVPN_PLUGIN_TLS_VERIFY\n");
+ break;
+ case OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY:
+ printf ("OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY\n");
+ break;
+ case OPENVPN_PLUGIN_CLIENT_CONNECT_V2:
+ printf ("OPENVPN_PLUGIN_CLIENT_CONNECT_V2\n");
+ break;
+ case OPENVPN_PLUGIN_CLIENT_DISCONNECT:
+ printf ("OPENVPN_PLUGIN_CLIENT_DISCONNECT\n");
+ break;
+ case OPENVPN_PLUGIN_LEARN_ADDRESS:
+ printf ("OPENVPN_PLUGIN_LEARN_ADDRESS\n");
+ break;
+ case OPENVPN_PLUGIN_TLS_FINAL:
+ printf ("OPENVPN_PLUGIN_TLS_FINAL\n");
+ break;
+ default:
+ printf ("OPENVPN_PLUGIN_?\n");
+ break;
+ }
+
+ printf ("ARGV\n");
+ for (i = 0; argv[i] != NULL; ++i)
+ printf ("%d '%s'\n", (int)i, argv[i]);
+
+ printf ("ENVP\n");
+ for (i = 0; envp[i] != NULL; ++i)
+ printf ("%d '%s'\n", (int)i, envp[i]);
+}
+
+static void
+x509_print_info (X509 *x509crt)
+{
+ int i, n;
+ int fn_nid;
+ ASN1_OBJECT *fn;
+ ASN1_STRING *val;
+ X509_NAME *x509_name;
+ X509_NAME_ENTRY *ent;
+ const char *objbuf;
+ unsigned char *buf;
+
+ x509_name = X509_get_subject_name (x509crt);
+ n = X509_NAME_entry_count (x509_name);
+ for (i = 0; i < n; ++i)
+ {
+ ent = X509_NAME_get_entry (x509_name, i);
+ if (!ent)
+continue;
+ fn = X509_NAME_ENTRY_get_object (ent);
+ if (!fn)
+continue;
+ val = X509_NAME_ENTRY_get_data (ent);
+ if (!val)
+continue;
+ fn_nid = OBJ_obj2nid (fn);
+ if (fn_nid == NID_undef)
+continue;
+ objbuf = OBJ_nid2sn (fn_nid);
+ if (!objbuf)
+continue;
+ buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */
+ if (ASN1_STRING_to_UTF8 (&buf, val) <= 0)
+continue;
+
+ printf("X509 %s: %s\n", objbuf, (char *)buf);
+ OPENSSL_free (buf);
+ }
+}
+
+
+
+OPENVPN_EXPORT int
+openvpn_plugin_func_v3 (const int version,
+ struct openvpn_plugin_args_func_in const *args,
+ struct openvpn_plugin_args_func_return *retptr)
+{
+ struct plugin_context *context = (struct plugin_context *) args->handle;
+
+ printf("\nopenvpn_plugin_func_v3() :::::>> ");
+ show (args->type, args->argv, args->envp);
+
+ /* Dump some X509 information if we're in the TLS_VERIFY phase */
+ if ((args->type == OPENVPN_PLUGIN_TLS_VERIFY) && args->current_cert ) {
+ printf("---- X509 Subject information ----\n");
+ printf("Certificate depth: %i\n", args->current_cert_depth);
+ x509_print_info(args->current_cert);
+ printf("----------------------------------\n");
+ }
+
+ /* check entered username/password against what we require */
+ if (args->type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)
+ {
+ /* get username/password from envp string array */
+ const char *username = get_env ("username", args->envp);
+ const char *password = get_env ("password", args->envp);
+
+ if (username && !strcmp (username, context->username)
+ && password && !strcmp (password, context->password))
+return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ else
+return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+ else
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+}
+
+OPENVPN_EXPORT void
+openvpn_plugin_close_v1 (openvpn_plugin_handle_t handle)
+{
+ struct plugin_context *context = (struct plugin_context *) handle;
+ free (context);
+}
diff --git a/sample/sample-plugins/log/winbuild b/sample/sample-plugins/log/winbuild
new file mode 100755
index 0000000..decf05f
--- /dev/null
+++ b/sample/sample-plugins/log/winbuild
< at >< at > -0,0 +1,18 < at >< at >
+#
+# Build an OpenVPN plugin module on Windows/MinGW.
+# The argument should be the base name of the C source file
+# (without the .c).
+#
+
+# This directory is where we will look for openvpn-plugin.h
+INCLUDE="-I../../../include"
+
+CC_FLAGS="-O2 -Wall"
+
+gcc -DBUILD_DLL $CC_FLAGS $INCLUDE -c $1.c
+gcc --disable-stdcall-fixup -mdll -DBUILD_DLL -o junk.tmp -Wl,--base-file,base.tmp $1.o
+rm junk.tmp
+dlltool --dllname $1.dll --base-file base.tmp --output-exp temp.exp --input-def $1.def
+rm base.tmp
+gcc --enable-stdcall-fixup -mdll -DBUILD_DLL -o $1.dll $1.o -Wl,temp.exp
+rm temp.exp
diff --git a/sample/sample-plugins/simple/README b/sample/sample-plugins/simple/README
new file mode 100644
index 0000000..4400cd3
--- /dev/null
+++ b/sample/sample-plugins/simple/README
< at >< at > -0,0 +1,16 < at >< at >
+OpenVPN plugin examples.
+
+Examples provided:
+
+simple.c -- using the --auth-user-pass-verify callback, verify
+ that the username/password is "foo"/"bar".
+
+To build:
+
+ ./build simple (Linux/BSD/etc.)
+ ./winbuild simple (MinGW on Windows)
+
+To use in OpenVPN, add to config file:
+
+ plugin simple.so (Linux/BSD/etc.)
+ plugin simple.dll (MinGW on Windows)
diff --git a/sample/sample-plugins/simple/build b/sample/sample-plugins/simple/build
new file mode 100755
index 0000000..bbb05f7
--- /dev/null
+++ b/sample/sample-plugins/simple/build
< at >< at > -0,0 +1,15 < at >< at >
+#!/bin/sh
+
+#
+# Build an OpenVPN plugin module on *nix. The argument should
+# be the base name of the C source file (without the .c).
+#
+
+# This directory is where we will look for openvpn-plugin.h
+CPPFLAGS="${CPPFLAGS:--I../../..}"
+
+CC="${CC:-gcc}"
+CFLAGS="${CFLAGS:--O2 -Wall -g}"
+
+$CC $CPPFLAGS $CFLAGS -fPIC -c $1.c && \
+$CC $CFLAGS -fPIC -shared $LDFLAGS -Wl,-soname,$1.so -o $1.so $1.o -lc
diff --git a/sample/sample-plugins/simple/simple.c b/sample/sample-plugins/simple/simple.c
new file mode 100644
index 0000000..f26d89f
--- /dev/null
+++ b/sample/sample-plugins/simple/simple.c
< at >< at > -0,0 +1,120 < at >< at >
+/*
+ * OpenVPN -- An application to securely tunnel IP networks
+ * over a single TCP/UDP port, with support for SSL/TLS-based
+ * session authentication and key exchange,
+ * packet encryption, packet authentication, and
+ * packet compression.
+ *
+ * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales< at >openvpn.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program (see the file COPYING included with this
+ * distribution); if not, write to the Free Software Foundation, Inc.,
+ * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+/*
+ * This file implements a simple OpenVPN plugin module which
+ * will examine the username/password provided by a client,
+ * and make an accept/deny determination. Will run
+ * on Windows or *nix.
+ *
+ * See the README file for build instructions.
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#include "openvpn-plugin.h"
+
+/*
+ * Our context, where we keep our state.
+ */
+struct plugin_context {
+ const char *username;
+ const char *password;
+};
+
+/*
+ * Given an environmental variable name, search
+ * the envp array for its value, returning it
+ * if found or NULL otherwise.
+ */
+static const char *
+get_env (const char *name, const char *envp[])
+{
+ if (envp)
+ {
+ int i;
+ const int namelen = strlen (name);
+ for (i = 0; envp[i]; ++i)
+{
+ if (!strncmp (envp[i], name, namelen))
+ {
+ const char *cp = envp[i] + namelen;
+ if (*cp == '=')
+return cp + 1;
+ }
+}
+ }
+ return NULL;
+}
+
+OPENVPN_EXPORT openvpn_plugin_handle_t
+openvpn_plugin_open_v1 (unsigned int *type_mask, const char *argv[], const char *envp[])
+{
+ struct plugin_context *context;
+
+ /*
+ * Allocate our context
+ */
+ context = (struct plugin_context *) calloc (1, sizeof (struct plugin_context));
+
+ /*
+ * Set the username/password we will require.
+ */
+ context->username = "foo";
+ context->password = "bar";
+
+ /*
+ * We are only interested in intercepting the
+ * --auth-user-pass-verify callback.
+ */
+ *type_mask = OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY);
+
+ return (openvpn_plugin_handle_t) context;
+}
+
+OPENVPN_EXPORT int
+openvpn_plugin_func_v1 (openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[])
+{
+ struct plugin_context *context = (struct plugin_context *) handle;
+
+ /* get username/password from envp string array */
+ const char *username = get_env ("username", envp);
+ const char *password = get_env ("password", envp);
+
+ /* check entered username/password against what we require */
+ if (username && !strcmp (username, context->username)
+ && password && !strcmp (password, context->password))
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ else
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+}
+
+OPENVPN_EXPORT void
+openvpn_plugin_close_v1 (openvpn_plugin_handle_t handle)
+{
+ struct plugin_context *context = (struct plugin_context *) handle;
+ free (context);
+}
diff --git a/sample/sample-plugins/simple/simple.def b/sample/sample-plugins/simple/simple.def
new file mode 100755
index 0000000..a87507d
--- /dev/null
+++ b/sample/sample-plugins/simple/simple.def
< at >< at > -0,0 +1,6 < at >< at >
+LIBRARY OpenVPN_PLUGIN_SAMPLE
+DESCRIPTION "Sample OpenVPN plug-in module."
+EXPORTS
+ openvpn_plugin_open_v1 < at >1
+ openvpn_plugin_func_v1 < at >2
+ openvpn_plugin_close_v1 < at >3
diff --git a/sample/sample-plugins/simple/winbuild b/sample/sample-plugins/simple/winbuild
new file mode 100755
index 0000000..decf05f
--- /dev/null
+++ b/sample/sample-plugins/simple/winbuild
< at >< at > -0,0 +1,18 < at >< at >
+#
+# Build an OpenVPN plugin module on Windows/MinGW.
+# The argument should be the base name of the C source file
+# (without the .c).
+#
+
+# This directory is where we will look for openvpn-plugin.h
+INCLUDE="-I../../../include"
+
+CC_FLAGS="-O2 -Wall"
+
+gcc -DBUILD_DLL $CC_FLAGS $INCLUDE -c $1.c
+gcc --disable-stdcall-fixup -mdll -DBUILD_DLL -o junk.tmp -Wl,--base-file,base.tmp $1.o
+rm junk.tmp
+dlltool --dllname $1.dll --base-file base.tmp --output-exp temp.exp --input-def $1.def
+rm base.tmp
+gcc --enable-stdcall-fixup -mdll -DBUILD_DLL -o $1.dll $1.o -Wl,temp.exp
+rm temp.exp
diff --git a/src/Makefile.am b/src/Makefile.am
index b894977..c04468a 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
< at >< at > -12,7 +12,4 < at >< at >
MAINTAINERCLEANFILES = \
$(srcdir)/Makefile.in
-EXTRA_DIST = \
-plugins
-
-SUBDIRS = compat openvpn openvpnserv
+SUBDIRS = compat openvpn openvpnserv plugins
diff --git a/src/plugins/Makefile.am b/src/plugins/Makefile.am
new file mode 100644
index 0000000..17b72b9
--- /dev/null
+++ b/src/plugins/Makefile.am
< at >< at > -0,0 +1,15 < at >< at >
+#
+# OpenVPN -- An application to securely tunnel IP networks
+# over a single UDP port, with support for SSL/TLS-based
+# session authentication and key exchange,
+# packet encryption, packet authentication, and
+# packet compression.
+#
+# Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales< at >openvpn.net>
+# Copyright (C) 2006-2012 Alon Bar-Lev <alon.barlev< at >gmail.com>
+#
+
+MAINTAINERCLEANFILES = \
+$(srcdir)/Makefile.in
+
+SUBDIRS = auth-pam down-root
diff --git a/src/plugins/README b/src/plugins/README
deleted file mode 100644
index 6e490c5..0000000
--- a/src/plugins/README
+++ /dev/null
< at >< at > -1,47 +0,0 < at >< at >
-OpenVPN Plugins
----------------
-
-Starting with OpenVPN 2.0-beta17, compiled plugin modules are
-supported on any *nix OS which includes libdl or on Windows.
-One or more modules may be loaded into OpenVPN using
-the --plugin directive, and each plugin module is capable of
-intercepting any of the script callbacks which OpenVPN supports:
-
-(1) up
-(2) down
-(3) route-up
-(4) ipchange
-(5) tls-verify
-(6) auth-user-pass-verify
-(7) client-connect
-(8) client-disconnect
-(9) learn-address
-
-See the openvpn-plugin.h file in the top-level directory of the
-OpenVPN source distribution for more detailed information
-on the plugin interface.
-
-Included Plugins
-----------------
-
-auth-pam -- Authenticate using PAM and a split privilege
- execution model which functions even if
- root privileges or the execution environment
- have been altered with --user/--group/--chroot.
- Tested on Linux only.
-
-down-root -- Enable the running of down scripts with root privileges
- even if --user/--group/--chroot have been used
- to drop root privileges or change the execution
- environment. Not applicable on Windows.
-
-examples -- A simple example that demonstrates a portable
- plugin, i.e. one which can be built for *nix
- or Windows from the same source.
-
-Building Plugins
-----------------
-
-cd to the top-level directory of a plugin, and use the
-"make" command to build it. The examples plugin is
-built using a build script, not a makefile.
diff --git a/src/plugins/auth-pam/Makefile b/src/plugins/auth-pam/Makefile
deleted file mode 100755
index c0b9c79..0000000
--- a/src/plugins/auth-pam/Makefile
+++ /dev/null
< at >< at > -1,32 +0,0 < at >< at >
-#
-# Build the OpenVPN auth-pam plugin module.
-#
-
-# If PAM modules are not linked against libpam.so, set DLOPEN_PAM to 1. This
-# must be done on SUSE 9.1, at least.
-DLOPEN_PAM=0
-
-ifeq ($(DLOPEN_PAM),1)
-LIBPAM=-ldl
-else
-LIBPAM=-lpam
-endif
-
-# This directory is where we will look for openvpn-plugin.h
-CPPFLAGS=-I../../../include
-
-CC=gcc
-CFLAGS=-O2 -Wall
-DEFS = -DDLOPEN_PAM=$(DLOPEN_PAM)
-
-openvpn-auth-pam.so : auth-pam.o pamdl.o
-$(CC) $(CFLAGS) -fPIC -shared $(LDFLAGS) -Wl,-soname,openvpn-auth-pam.so -o openvpn-auth-pam.so auth-pam.o pamdl.o -lc $(LIBPAM)
-
-auth-pam.o : auth-pam.c pamdl.h
-$(CC) $(CPPFLAGS) $(CFLAGS) $(DEFS) -fPIC -c auth-pam.c
-
-pamdl.o : pamdl.c pamdl.h
-$(CC) $(CPPFLAGS) $(CFLAGS) $(DEFS) -fPIC -c pamdl.c
-
-clean :
--rm -f *.o *.so
diff --git a/src/plugins/auth-pam/Makefile.am b/src/plugins/auth-pam/Makefile.am
new file mode 100644
index 0000000..701a749
--- /dev/null
+++ b/src/plugins/auth-pam/Makefile.am
< at >< at > -0,0 +1,27 < at >< at >
+#
+# OpenVPN (TM) PAM Auth Plugin -- OpenVPN Plugin
+#
+# Copyright (C) 2012 Alon Bar-Lev <alon.barlev< at >gmail.com>
+#
+
+MAINTAINERCLEANFILES = \
+$(srcdir)/Makefile.in
+
+AM_CFLAGS = \
+-I$(top_srcdir)/include
+$(PLUGIN_AUTH_PAM_CFLAGS)
+
+if ENABLE_PLUGIN_AUTH_PAM
+plugin_LTLIBRARIES = openvpn-plugin-auth-pam.la
+dist_doc_DATA = README.auth-pam
+endif
+
+openvpn_plugin_auth_pam_la_SOURCES = \
+auth-pam.c \
+pamdl.c pamdl.h \
+auth-pam.exports
+openvpn_plugin_auth_pam_la_LIBADD = \
+$(PLUGIN_AUTH_PAM_LIBS)
+openvpn_plugin_auth_pam_la_LDFLAGS = $(AM_LDFLAGS) \
+-export-symbols "$(srcdir)/auth-pam.exports" \
+-module -shared -avoid-version -no-undefined
diff --git a/src/plugins/auth-pam/README b/src/plugins/auth-pam/README
deleted file mode 100644
index e123690..0000000
--- a/src/plugins/auth-pam/README
+++ /dev/null
< at >< at > -1,74 +0,0 < at >< at >
-openvpn-auth-pam
-
-SYNOPSIS
-
-The openvpn-auth-pam module implements username/password
-authentication via PAM, and essentially allows any authentication
-method supported by PAM (such as LDAP, RADIUS, or Linux Shadow
-passwords) to be used with OpenVPN. While PAM supports
-username/password authentication, this can be combined with X509
-certificates to provide two indepedent levels of authentication.
-
-This module uses a split privilege execution model which will
-function even if you drop openvpn daemon privileges using the user,
-group, or chroot directives.
-
-BUILD
-
-To build openvpn-auth-pam, you will need to have the pam-devel
-package installed.
-
-Build with the "make" command. The module will be named
-openvpn-auth-pam.so
-
-USAGE
-
-To use this plugin module, add to your OpenVPN config file:
-
- plugin openvpn-auth-pam.so service-type
-
-The required service-type parameter corresponds to
-the PAM service definition file usually found
-in /etc/pam.d.
-
-This plugin also supports the usage of a list of name/value
-pairs to answer PAM module queries.
-
-For example:
-
- plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD"
-
-tells auth-pam to (a) use the "login" PAM module, (b) answer a
-"login" query with the username given by the OpenVPN client, and
-(c) answer a "password" query with the password given by the
-OpenVPN client. This provides flexibility in dealing with the different
-types of query strings which different PAM modules might generate.
-For example, suppose you were using a PAM module called
-"test" which queried for "name" rather than "login":
-
- plugin openvpn-auth-pam.so "test name USERNAME password PASSWORD"
-
-While "USERNAME" "COMMONNAME" and "PASSWORD" are special strings which substitute
-to client-supplied values, it is also possible to name literal values
-to use as PAM module query responses. For example, suppose that the
-login module queried for a third parameter, "domain" which
-is to be answered with the constant value "mydomain.com":
-
- plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD domain mydomain.com"
-
-The following OpenVPN directives can also influence
-the operation of this plugin:
-
- client-cert-not-required
- username-as-common-name
-
-Run OpenVPN with --verb 7 or higher to get debugging output from
-this plugin, including the list of queries presented by the
-underlying PAM module. This is a useful debugging tool to figure
-out which queries a given PAM module is making, so that you can
-craft the appropriate plugin directive to answer it.
-
-CAVEATS
-
-This module will only work on *nix systems which support PAM,
-not Windows.
diff --git a/src/plugins/auth-pam/README.auth-pam b/src/plugins/auth-pam/README.auth-pam
new file mode 100644
index 0000000..e123690
--- /dev/null
+++ b/src/plugins/auth-pam/README.auth-pam
< at >< at > -0,0 +1,74 < at >< at >
+openvpn-auth-pam
+
+SYNOPSIS
+
+The openvpn-auth-pam module implements username/password
+authentication via PAM, and essentially allows any authentication
+method supported by PAM (such as LDAP, RADIUS, or Linux Shadow
+passwords) to be used with OpenVPN. While PAM supports
+username/password authentication, this can be combined with X509
+certificates to provide two indepedent levels of authentication.
+
+This module uses a split privilege execution model which will
+function even if you drop openvpn daemon privileges using the user,
+group, or chroot directives.
+
+BUILD
+
+To build openvpn-auth-pam, you will need to have the pam-devel
+package installed.
+
+Build with the "make" command. The module will be named
+openvpn-auth-pam.so
+
+USAGE
+
+To use this plugin module, add to your OpenVPN config file:
+
+ plugin openvpn-auth-pam.so service-type
+
+The required service-type parameter corresponds to
+the PAM service definition file usually found
+in /etc/pam.d.
+
+This plugin also supports the usage of a list of name/value
+pairs to answer PAM module queries.
+
+For example:
+
+ plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD"
+
+tells auth-pam to (a) use the "login" PAM module, (b) answer a
+"login" query with the username given by the OpenVPN client, and
+(c) answer a "password" query with the password given by the
+OpenVPN client. This provides flexibility in dealing with the different
+types of query strings which different PAM modules might generate.
+For example, suppose you were using a PAM module called
+"test" which queried for "name" rather than "login":
+
+ plugin openvpn-auth-pam.so "test name USERNAME password PASSWORD"
+
+While "USERNAME" "COMMONNAME" and "PASSWORD" are special strings which substitute
+to client-supplied values, it is also possible to name literal values
+to use as PAM module query responses. For example, suppose that the
+login module queried for a third parameter, "domain" which
+is to be answered with the constant value "mydomain.com":
+
+ plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD domain mydomain.com"
+
+The following OpenVPN directives can also influence
+the operation of this plugin:
+
+ client-cert-not-required
+ username-as-common-name
+
+Run OpenVPN with --verb 7 or higher to get debugging output from
+this plugin, including the list of queries presented by the
+underlying PAM module. This is a useful debugging tool to figure
+out which queries a given PAM module is making, so that you can
+craft the appropriate plugin directive to answer it.
+
+CAVEATS
+
+This module will only work on *nix systems which support PAM,
+not Windows.
diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c
index e52f632..bd71792 100644
--- a/src/plugins/auth-pam/auth-pam.c
+++ b/src/plugins/auth-pam/auth-pam.c
< at >< at > -26,12 +26,14 < at >< at >
* OpenVPN plugin module to do PAM authentication using a split
* privilege model.
*/
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
-#if DLOPEN_PAM
-#include <dlfcn.h>
-#include "pamdl.h"
-#else
#include <security/pam_appl.h>
+
+#ifdef USE_PAM_DLOPEN
+#include "pamdl.h"
#endif
#include <stdio.h>
< at >< at > -46,7 +48,7 < at >< at >
#include <signal.h>
#include <syslog.h>
-#include "openvpn-plugin.h"
+#include <openvpn-plugin.h>
#define DEBUG(verb) ((verb) >= 4)
< at >< at > -693,7 +695,7 < at >< at > pam_server (int fd, const char *service, int verb, const struct name_value_list
{
struct user_pass up;
int command;
-#if DLOPEN_PAM
+#ifdef USE_PAM_DLOPEN
static const char pam_so[] = "libpam.so";
#endif
< at >< at > -703,7 +705,7 < at >< at > pam_server (int fd, const char *service, int verb, const struct name_value_list
if (DEBUG (verb))
fprintf (stderr, "AUTH-PAM: BACKGROUND: INIT service='%s'\n", service);
-#if DLOPEN_PAM
+#ifdef USE_PAM_DLOPEN
/*
* Load PAM shared object
*/
< at >< at > -794,7 +796,7 < at >< at > pam_server (int fd, const char *service, int verb, const struct name_value_list
}
done:
-#if DLOPEN_PAM
+#ifdef USE_PAM_DLOPEN
dlclose_pam ();
#endif
if (DEBUG (verb))
diff --git a/src/plugins/auth-pam/auth-pam.exports b/src/plugins/auth-pam/auth-pam.exports
new file mode 100644
index 0000000..b07937c
--- /dev/null
+++ b/src/plugins/auth-pam/auth-pam.exports
< at >< at > -0,0 +1,4 < at >< at >
+openvpn_plugin_open_v1
+openvpn_plugin_func_v1
+openvpn_plugin_close_v1
+openvpn_plugin_abort_v1
diff --git a/src/plugins/auth-pam/pamdl.c b/src/plugins/auth-pam/pamdl.c
index 8636a8e..26e9821 100644
--- a/src/plugins/auth-pam/pamdl.c
+++ b/src/plugins/auth-pam/pamdl.c
< at >< at > -1,4 +1,8 < at >< at >
-#if DLOPEN_PAM
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#ifdef USE_PAM_DLOPEN
/*
* If you want to dynamically load libpam using dlopen() or something,
* then dlopen( ' this shared object ' ); It takes care of exporting
< at >< at > -73,7 +77,7 < at >< at > int pam_set_item(pam_handle_t *pamh, int item_type, const void *item)
return real_pam_set_item(pamh, item_type, item);
}
-int pam_get_item(pam_handle_t *pamh, int item_type, const void **item)
+int pam_get_item(const pam_handle_t *pamh, int item_type, const void **item)
{
int (*real_pam_get_item)(const pam_handle_t *, int, const void **);
RESOLVE_PAM_FUNCTION(pam_get_item, int,
diff --git a/src/plugins/auth-pam/pamdl.h b/src/plugins/auth-pam/pamdl.h
index b10b035..12ba068 100644
--- a/src/plugins/auth-pam/pamdl.h
+++ b/src/plugins/auth-pam/pamdl.h
< at >< at > -1,6 +1,4 < at >< at >
-#if DLOPEN_PAM
-#include <security/pam_appl.h>
-
+#ifdef USE_PAM_DLOPEN
/* Dynamically load and unload the PAM library */
int dlopen_pam (const char *so);
void dlclose_pam (void);
diff --git a/src/plugins/defer/README b/src/plugins/defer/README
deleted file mode 100644
index d8990f8..0000000
--- a/src/plugins/defer/README
+++ /dev/null
< at >< at > -1,16 +0,0 < at >< at >
-OpenVPN plugin examples.
-
-Examples provided:
-
-simple.c -- using the --auth-user-pass-verify callback,
- test deferred authentication.
-
-To build:
-
- ./build simple (Linux/BSD/etc.)
- ./winbuild simple (MinGW on Windows)
-
-To use in OpenVPN, add to config file:
-
- plugin simple.so (Linux/BSD/etc.)
- plugin simple.dll (MinGW on Windows)
diff --git a/src/plugins/defer/build b/src/plugins/defer/build
deleted file mode 100755
index 0612c08..0000000
--- a/src/plugins/defer/build
+++ /dev/null
< at >< at > -1,15 +0,0 < at >< at >
-#!/bin/sh
-
-#
-# Build an OpenVPN plugin module on *nix. The argument should
-# be the base name of the C source file (without the .c).
-#
-
-# This directory is where we will look for openvpn-plugin.h
-CPPFLAGS="${CPPFLAGS:--I../../../include}"
-
-CC="${CC:-gcc}"
-CFLAGS="${CFLAGS:--O2 -Wall -g}"
-
-$CC $CPPFLAGS $CFLAGS -fPIC -c $1.c && \
-$CC $CFLAGS -fPIC -shared ${LDFLAS} -Wl,-soname,$1.so -o $1.so $1.o -lc
diff --git a/src/plugins/defer/simple.c b/src/plugins/defer/simple.c
deleted file mode 100644
index 6539865..0000000
--- a/src/plugins/defer/simple.c
+++ /dev/null
< at >< at > -1,305 +0,0 < at >< at >
-/*
- * OpenVPN -- An application to securely tunnel IP networks
- * over a single TCP/UDP port, with support for SSL/TLS-based
- * session authentication and key exchange,
- * packet encryption, packet authentication, and
- * packet compression.
- *
- * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales< at >openvpn.net>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2
- * as published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-
-/*
- * This file implements a simple OpenVPN plugin module which
- * will test deferred authentication and packet filtering.
- *
- * Will run on Windows or *nix.
- *
- * Sample usage:
- *
- * setenv test_deferred_auth 20
- * setenv test_packet_filter 10
- * plugin plugin/defer/simple.so
- *
- * This will enable deferred authentication to occur 20
- * seconds after the normal TLS authentication process,
- * and will cause a packet filter file to be generated 10
- * seconds after the initial TLS negotiation, using
- * {common-name}.pf as the source.
- *
- * Sample packet filter configuration:
- *
- * [CLIENTS DROP]
- * +otherclient
- * [SUBNETS DROP]
- * +10.0.0.0/8
- * -10.10.0.8
- * [END]
- *
- * See the README file for build instructions.
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-
-#include "openvpn-plugin.h"
-
-/* bool definitions */
-#define bool int
-#define true 1
-#define false 0
-
-/*
- * Our context, where we keep our state.
- */
-
-struct plugin_context {
- int test_deferred_auth;
- int test_packet_filter;
-};
-
-struct plugin_per_client_context {
- int n_calls;
- bool generated_pf_file;
-};
-
-/*
- * Given an environmental variable name, search
- * the envp array for its value, returning it
- * if found or NULL otherwise.
- */
-static const char *
-get_env (const char *name, const char *envp[])
-{
- if (envp)
- {
- int i;
- const int namelen = strlen (name);
- for (i = 0; envp[i]; ++i)
-{
- if (!strncmp (envp[i], name, namelen))
- {
- const char *cp = envp[i] + namelen;
- if (*cp == '=')
-return cp + 1;
- }
-}
- }
- return NULL;
-}
-
-/* used for safe printf of possible NULL strings */
-static const char *
-np (const char *str)
-{
- if (str)
- return str;
- else
- return "[NULL]";
-}
-
-static int
-atoi_null0 (const char *str)
-{
- if (str)
- return atoi (str);
- else
- return 0;
-}
-
-OPENVPN_EXPORT openvpn_plugin_handle_t
-openvpn_plugin_open_v1 (unsigned int *type_mask, const char *argv[], const char *envp[])
-{
- struct plugin_context *context;
-
- printf ("FUNC: openvpn_plugin_open_v1\n");
-
- /*
- * Allocate our context
- */
- context = (struct plugin_context *) calloc (1, sizeof (struct plugin_context));
-
- context->test_deferred_auth = atoi_null0 (get_env ("test_deferred_auth", envp));
- printf ("TEST_DEFERRED_AUTH %d\n", context->test_deferred_auth);
-
- context->test_packet_filter = atoi_null0 (get_env ("test_packet_filter", envp));
- printf ("TEST_PACKET_FILTER %d\n", context->test_packet_filter);
-
- /*
- * Which callbacks to intercept.
- */
- *type_mask =
- OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_UP) |
- OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_DOWN) |
- OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_ROUTE_UP) |
- OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_IPCHANGE) |
- OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_TLS_VERIFY) |
- OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) |
- OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_CLIENT_CONNECT_V2) |
- OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_CLIENT_DISCONNECT) |
- OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_LEARN_ADDRESS) |
- OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_TLS_FINAL) |
- OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_ENABLE_PF);
-
- return (openvpn_plugin_handle_t) context;
-}
-
-static int
-auth_user_pass_verify (struct plugin_context *context, struct plugin_per_client_context *pcc, const char *argv[], const char *envp[])
-{
- if (context->test_deferred_auth)
- {
- /* get username/password from envp string array */
- const char *username = get_env ("username", envp);
- const char *password = get_env ("password", envp);
-
- /* get auth_control_file filename from envp string array*/
- const char *auth_control_file = get_env ("auth_control_file", envp);
-
- printf ("DEFER u='%s' p='%s' acf='%s'\n",
- np(username),
- np(password),
- np(auth_control_file));
-
- /* Authenticate asynchronously in n seconds */
- if (auth_control_file)
-{
- char buf[256];
- int auth = 2;
- sscanf (username, "%d", &auth);
- snprintf (buf, sizeof(buf), "( sleep %d ; echo AUTH %s %d ; echo %d >%s ) &",
- context->test_deferred_auth,
- auth_control_file,
- auth,
- pcc->n_calls < auth,
- auth_control_file);
- printf ("%s\n", buf);
- system (buf);
- pcc->n_calls++;
- return OPENVPN_PLUGIN_FUNC_DEFERRED;
-}
- else
-return OPENVPN_PLUGIN_FUNC_ERROR;
- }
- else
- return OPENVPN_PLUGIN_FUNC_SUCCESS;
-}
-
-static int
-tls_final (struct plugin_context *context, struct plugin_per_client_context *pcc, const char *argv[], const char *envp[])
-{
- if (context->test_packet_filter)
- {
- if (!pcc->generated_pf_file)
-{
- const char *pff = get_env ("pf_file", envp);
- const char *cn = get_env ("username", envp);
- if (pff && cn)
- {
- char buf[256];
- snprintf (buf, sizeof(buf), "( sleep %d ; echo PF %s/%s ; cp \"%s.pf\" \"%s\" ) &",
-context->test_packet_filter, cn, pff, cn, pff);
- printf ("%s\n", buf);
- system (buf);
- pcc->generated_pf_file = true;
- return OPENVPN_PLUGIN_FUNC_SUCCESS;
- }
- else
- return OPENVPN_PLUGIN_FUNC_ERROR;
-}
- else
-return OPENVPN_PLUGIN_FUNC_ERROR;
- }
- else
- return OPENVPN_PLUGIN_FUNC_SUCCESS;
-}
-
-OPENVPN_EXPORT int
-openvpn_plugin_func_v2 (openvpn_plugin_handle_t handle,
-const int type,
-const char *argv[],
-const char *envp[],
-void *per_client_context,
-struct openvpn_plugin_string_list **return_list)
-{
- struct plugin_context *context = (struct plugin_context *) handle;
- struct plugin_per_client_context *pcc = (struct plugin_per_client_context *) per_client_context;
- switch (type)
- {
- case OPENVPN_PLUGIN_UP:
- printf ("OPENVPN_PLUGIN_UP\n");
- return OPENVPN_PLUGIN_FUNC_SUCCESS;
- case OPENVPN_PLUGIN_DOWN:
- printf ("OPENVPN_PLUGIN_DOWN\n");
- return OPENVPN_PLUGIN_FUNC_SUCCESS;
- case OPENVPN_PLUGIN_ROUTE_UP:
- printf ("OPENVPN_PLUGIN_ROUTE_UP\n");
- return OPENVPN_PLUGIN_FUNC_SUCCESS;
- case OPENVPN_PLUGIN_IPCHANGE:
- printf ("OPENVPN_PLUGIN_IPCHANGE\n");
- return OPENVPN_PLUGIN_FUNC_SUCCESS;
- case OPENVPN_PLUGIN_TLS_VERIFY:
- printf ("OPENVPN_PLUGIN_TLS_VERIFY\n");
- return OPENVPN_PLUGIN_FUNC_SUCCESS;
- case OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY:
- printf ("OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY\n");
- return auth_user_pass_verify (context, pcc, argv, envp);
- case OPENVPN_PLUGIN_CLIENT_CONNECT_V2:
- printf ("OPENVPN_PLUGIN_CLIENT_CONNECT_V2\n");
- return OPENVPN_PLUGIN_FUNC_SUCCESS;
- case OPENVPN_PLUGIN_CLIENT_DISCONNECT:
- printf ("OPENVPN_PLUGIN_CLIENT_DISCONNECT\n");
- return OPENVPN_PLUGIN_FUNC_SUCCESS;
- case OPENVPN_PLUGIN_LEARN_ADDRESS:
- printf ("OPENVPN_PLUGIN_LEARN_ADDRESS\n");
- return OPENVPN_PLUGIN_FUNC_SUCCESS;
- case OPENVPN_PLUGIN_TLS_FINAL:
- printf ("OPENVPN_PLUGIN_TLS_FINAL\n");
- return tls_final (context, pcc, argv, envp);
- case OPENVPN_PLUGIN_ENABLE_PF:
- printf ("OPENVPN_PLUGIN_ENABLE_PF\n");
- if (context->test_packet_filter)
-return OPENVPN_PLUGIN_FUNC_SUCCESS;
- else
-return OPENVPN_PLUGIN_FUNC_ERROR;
- default:
- printf ("OPENVPN_PLUGIN_?\n");
- return OPENVPN_PLUGIN_FUNC_ERROR;
- }
-}
-
-OPENVPN_EXPORT void *
-openvpn_plugin_client_constructor_v1 (openvpn_plugin_handle_t handle)
-{
- printf ("FUNC: openvpn_plugin_client_constructor_v1\n");
- return calloc (1, sizeof (struct plugin_per_client_context));
-}
-
-OPENVPN_EXPORT void
-openvpn_plugin_client_destructor_v1 (openvpn_plugin_handle_t handle, void *per_client_context)
-{
- printf ("FUNC: openvpn_plugin_client_destructor_v1\n");
- free (per_client_context);
-}
-
-OPENVPN_EXPORT void
-openvpn_plugin_close_v1 (openvpn_plugin_handle_t handle)
-{
- struct plugin_context *context = (struct plugin_context *) handle;
- printf ("FUNC: openvpn_plugin_close_v1\n");
- free (context);
-}
diff --git a/src/plugins/defer/simple.def b/src/plugins/defer/simple.def
deleted file mode 100755
index a87507d..0000000
--- a/src/plugins/defer/simple.def
+++ /dev/null
< at >< at > -1,6 +0,0 < at >< at >
-LIBRARY OpenVPN_PLUGIN_SAMPLE
-DESCRIPTION "Sample OpenVPN plug-in module."
-EXPORTS
- openvpn_plugin_open_v1 < at >1
- openvpn_plugin_func_v1 < at >2
- openvpn_plugin_close_v1 < at >3
diff --git a/src/plugins/defer/winbuild b/src/plugins/defer/winbuild
deleted file mode 100755
index 82927d9..0000000
--- a/src/plugins/defer/winbuild
+++ /dev/null
< at >< at > -1,18 +0,0 < at >< at >
-#
-# Build an OpenVPN plugin module on Windows/MinGW.
-# The argument should be the base name of the C source file
-# (without the .c).
-#
-
-# This directory is where we will look for openvpn-plugin.h
-INCLUDE="-I../../../build"
-
-CC_FLAGS="-O2 -Wall"
-
-gcc -DBUILD_DLL $CC_FLAGS $INCLUDE -c $1.c
-gcc --disable-stdcall-fixup -mdll -DBUILD_DLL -o junk.tmp -Wl,--base-file,base.tmp $1.o
-rm junk.tmp
-dlltool --dllname $1.dll --base-file base.tmp --output-exp temp.exp --input-def $1.def
-rm base.tmp
-gcc --enable-stdcall-fixup -mdll -DBUILD_DLL -o $1.dll $1.o -Wl,temp.exp
-rm temp.exp
diff --git a/src/plugins/down-root/Makefile b/src/plugins/down-root/Makefile
deleted file mode 100755
index e66c99a..0000000
--- a/src/plugins/down-root/Makefile
+++ /dev/null
< at >< at > -1,18 +0,0 < at >< at >
-#
-# Build the OpenVPN down-root plugin module.
-#
-
-# This directory is where we will look for openvpn-plugin.h
-CPPFLAGS=-I../../../include
-
-CC=gcc
-CFLAGS=-O2 -Wall
-
-down-root.so : down-root.o
-$(CC) $(CFLAGS) -fPIC -shared $(LDFLAGS) -Wl,-soname,openvpn-down-root.so -o openvpn-down-root.so down-root.o -lc
-
-down-root.o : down-root.c
-$(CC) $(CPPFLAGS) $(CFLAGS) -fPIC -c down-root.c
-
-clean :
--rm -f *.o *.so
diff --git a/src/plugins/down-root/Makefile.am b/src/plugins/down-root/Makefile.am
new file mode 100644
index 0000000..064aa30
--- /dev/null
+++ b/src/plugins/down-root/Makefile.am
< at >< at > -0,0 +1,23 < at >< at >
+#
+# OpenVPN (TM) Down Root Plugin -- OpenVPN Plugin
+#
+# Copyright (C) 2012 Alon Bar-Lev <alon.barlev< at >gmail.com>
+#
+
+MAINTAINERCLEANFILES = \
+$(srcdir)/Makefile.in
+
+AM_CFLAGS = \
+-I$(top_srcdir)/include
+
+if ENABLE_PLUGIN_DOWN_ROOT
+plugin_LTLIBRARIES = openvpn-plugin-down-root.la
+dist_doc_DATA = README.down-root
+endif
+
+openvpn_plugin_down_root_la_SOURCES = \
+down-root.c \
+down-root.exports
+openvpn_plugin_down_root_la_LDFLAGS = $(AM_LDFLAGS) \
+-export-symbols "$(srcdir)/down-root.exports" \
+-module -shared -avoid-version -no-undefined
diff --git a/src/plugins/down-root/README b/src/plugins/down-root/README
deleted file mode 100644
index d337ffe..0000000
--- a/src/plugins/down-root/README
+++ /dev/null
< at >< at > -1,29 +0,0 < at >< at >
-down-root -- an OpenVPN Plugin Module
-
-SYNOPSIS
-
-The down-root module allows an OpenVPN configuration to
-call a down script with root privileges, even when privileges
-have been dropped using --user/--group/--chroot.
-
-This module uses a split privilege execution model which will
-fork() before OpenVPN drops root privileges, at the point where
-the --up script is usually called. The module will then remain
-in a wait state until it receives a message from OpenVPN via
-pipe to execute the down script. Thus, the down script will be
-run in the same execution environment as the up script.
-
-BUILD
-
-Build this module with the "make" command. The plugin
-module will be named openvpn-down-root.so
-
-USAGE
-
-To use this module, add to your OpenVPN config file:
-
- plugin openvpn-down-root.so "command ..."
-
-CAVEATS
-
-This module will only work on *nix systems, not Windows.
diff --git a/src/plugins/down-root/README.down-root b/src/plugins/down-root/README.down-root
new file mode 100644
index 0000000..d337ffe
--- /dev/null
+++ b/src/plugins/down-root/README.down-root
< at >< at > -0,0 +1,29 < at >< at >
+down-root -- an OpenVPN Plugin Module
+
+SYNOPSIS
+
+The down-root module allows an OpenVPN configuration to
+call a down script with root privileges, even when privileges
+have been dropped using --user/--group/--chroot.
+
+This module uses a split privilege execution model which will
+fork() before OpenVPN drops root privileges, at the point where
+the --up script is usually called. The module will then remain
+in a wait state until it receives a message from OpenVPN via
+pipe to execute the down script. Thus, the down script will be
+run in the same execution environment as the up script.
+
+BUILD
+
+Build this module with the "make" command. The plugin
+module will be named openvpn-down-root.so
+
+USAGE
+
+To use this module, add to your OpenVPN config file:
+
+ plugin openvpn-down-root.so "command ..."
+
+CAVEATS
+
+This module will only work on *nix systems, not Windows.
diff --git a/src/plugins/down-root/down-root.c b/src/plugins/down-root/down-root.c
index fced23b..d51d0e5 100644
--- a/src/plugins/down-root/down-root.c
+++ b/src/plugins/down-root/down-root.c
< at >< at > -26,6 +26,10 < at >< at >
* OpenVPN plugin module to do privileged down-script execution.
*/
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
#include <stdio.h>
#include <string.h>
#include <unistd.h>
< at >< at > -37,7 +41,7 < at >< at >
#include <signal.h>
#include <syslog.h>
-#include "openvpn-plugin.h"
+#include <openvpn-plugin.h>
#define DEBUG(verb) ((verb) >= 7)
diff --git a/src/plugins/down-root/down-root.exports b/src/plugins/down-root/down-root.exports
new file mode 100644
index 0000000..b07937c
--- /dev/null
+++ b/src/plugins/down-root/down-root.exports
< at >< at > -0,0 +1,4 < at >< at >
+openvpn_plugin_open_v1
+openvpn_plugin_func_v1
+openvpn_plugin_close_v1
+openvpn_plugin_abort_v1
diff --git a/src/plugins/examples/README b/src/plugins/examples/README
deleted file mode 100644
index 4400cd3..0000000
--- a/src/plugins/examples/README
+++ /dev/null
< at >< at > -1,16 +0,0 < at >< at >
-OpenVPN plugin examples.
-
-Examples provided:
-
-simple.c -- using the --auth-user-pass-verify callback, verify
- that the username/password is "foo"/"bar".
-
-To build:
-
- ./build simple (Linux/BSD/etc.)
- ./winbuild simple (MinGW on Windows)
-
-To use in OpenVPN, add to config file:
-
- plugin simple.so (Linux/BSD/etc.)
- plugin simple.dll (MinGW on Windows)
diff --git a/src/plugins/examples/build b/src/plugins/examples/build
deleted file mode 100755
index bbb05f7..0000000
--- a/src/plugins/examples/build
+++ /dev/null
< at >< at > -1,15 +0,0 < at >< at >
-#!/bin/sh
-
-#
-# Build an OpenVPN plugin module on *nix. The argument should
-# be the base name of the C source file (without the .c).
-#
-
-# This directory is where we will look for openvpn-plugin.h
-CPPFLAGS="${CPPFLAGS:--I../../..}"
-
-CC="${CC:-gcc}"
-CFLAGS="${CFLAGS:--O2 -Wall -g}"
-
-$CC $CPPFLAGS $CFLAGS -fPIC -c $1.c && \
-$CC $CFLAGS -fPIC -shared $LDFLAGS -Wl,-soname,$1.so -o $1.so $1.o -lc
diff --git a/src/plugins/examples/log.c b/src/plugins/examples/log.c
deleted file mode 100644
index 1cc4650..0000000
--- a/src/plugins/examples/log.c
+++ /dev/null
< at >< at > -1,184 +0,0 < at >< at >
-/*
- * OpenVPN -- An application to securely tunnel IP networks
- * over a single TCP/UDP port, with support for SSL/TLS-based
- * session authentication and key exchange,
- * packet encryption, packet authentication, and
- * packet compression.
- *
- * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales< at >openvpn.net>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2
- * as published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-
-/*
- * This plugin is similar to simple.c, except it also logs extra information
- * to stdout for every plugin method called by OpenVPN.
- *
- * See the README file for build instructions.
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-
-#include "openvpn-plugin.h"
-
-/*
- * Our context, where we keep our state.
- */
-struct plugin_context {
- const char *username;
- const char *password;
-};
-
-/*
- * Given an environmental variable name, search
- * the envp array for its value, returning it
- * if found or NULL otherwise.
- */
-static const char *
-get_env (const char *name, const char *envp[])
-{
- if (envp)
- {
- int i;
- const int namelen = strlen (name);
- for (i = 0; envp[i]; ++i)
-{
- if (!strncmp (envp[i], name, namelen))
- {
- const char *cp = envp[i] + namelen;
- if (*cp == '=')
-return cp + 1;
- }
-}
- }
- return NULL;
-}
-
-OPENVPN_EXPORT openvpn_plugin_handle_t
-openvpn_plugin_open_v1 (unsigned int *type_mask, const char *argv[], const char *envp[])
-{
- struct plugin_context *context;
-
- /*
- * Allocate our context
- */
- context = (struct plugin_context *) calloc (1, sizeof (struct plugin_context));
-
- /*
- * Set the username/password we will require.
- */
- context->username = "foo";
- context->password = "bar";
-
- /*
- * Which callbacks to intercept.
- */
- *type_mask =
- OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_UP) |
- OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_DOWN) |
- OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_ROUTE_UP) |
- OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_IPCHANGE) |
- OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_TLS_VERIFY) |
- OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) |
- OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_CLIENT_CONNECT_V2) |
- OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_CLIENT_DISCONNECT) |
- OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_LEARN_ADDRESS) |
- OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_TLS_FINAL);
-
- return (openvpn_plugin_handle_t) context;
-}
-
-void
-show (const int type, const char *argv[], const char *envp[])
-{
- size_t i;
- switch (type)
- {
- case OPENVPN_PLUGIN_UP:
- printf ("OPENVPN_PLUGIN_UP\n");
- break;
- case OPENVPN_PLUGIN_DOWN:
- printf ("OPENVPN_PLUGIN_DOWN\n");
- break;
- case OPENVPN_PLUGIN_ROUTE_UP:
- printf ("OPENVPN_PLUGIN_ROUTE_UP\n");
- break;
- case OPENVPN_PLUGIN_IPCHANGE:
- printf ("OPENVPN_PLUGIN_IPCHANGE\n");
- break;
- case OPENVPN_PLUGIN_TLS_VERIFY:
- printf ("OPENVPN_PLUGIN_TLS_VERIFY\n");
- break;
- case OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY:
- printf ("OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY\n");
- break;
- case OPENVPN_PLUGIN_CLIENT_CONNECT_V2:
- printf ("OPENVPN_PLUGIN_CLIENT_CONNECT_V2\n");
- break;
- case OPENVPN_PLUGIN_CLIENT_DISCONNECT:
- printf ("OPENVPN_PLUGIN_CLIENT_DISCONNECT\n");
- break;
- case OPENVPN_PLUGIN_LEARN_ADDRESS:
- printf ("OPENVPN_PLUGIN_LEARN_ADDRESS\n");
- break;
- case OPENVPN_PLUGIN_TLS_FINAL:
- printf ("OPENVPN_PLUGIN_TLS_FINAL\n");
- break;
- default:
- printf ("OPENVPN_PLUGIN_?\n");
- break;
- }
-
- printf ("ARGV\n");
- for (i = 0; argv[i] != NULL; ++i)
- printf ("%d '%s'\n", (int)i, argv[i]);
-
- printf ("ENVP\n");
- for (i = 0; envp[i] != NULL; ++i)
- printf ("%d '%s'\n", (int)i, envp[i]);
-}
-
-OPENVPN_EXPORT int
-openvpn_plugin_func_v1 (openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[])
-{
- struct plugin_context *context = (struct plugin_context *) handle;
-
- show (type, argv, envp);
-
- /* check entered username/password against what we require */
- if (type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)
- {
- /* get username/password from envp string array */
- const char *username = get_env ("username", envp);
- const char *password = get_env ("password", envp);
-
- if (username && !strcmp (username, context->username)
- && password && !strcmp (password, context->password))
-return OPENVPN_PLUGIN_FUNC_SUCCESS;
- else
-return OPENVPN_PLUGIN_FUNC_ERROR;
- }
- else
- return OPENVPN_PLUGIN_FUNC_SUCCESS;
-}
-
-OPENVPN_EXPORT void
-openvpn_plugin_close_v1 (openvpn_plugin_handle_t handle)
-{
- struct plugin_context *context = (struct plugin_context *) handle;
- free (context);
-}
diff --git a/src/plugins/examples/log_v3.c b/src/plugins/examples/log_v3.c
deleted file mode 100644
index 742c756..0000000
--- a/src/plugins/examples/log_v3.c
+++ /dev/null
< at >< at > -1,247 +0,0 < at >< at >
-/*
- * OpenVPN -- An application to securely tunnel IP networks
- * over a single TCP/UDP port, with support for SSL/TLS-based
- * session authentication and key exchange,
- * packet encryption, packet authentication, and
- * packet compression.
- *
- * Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sales< at >openvpn.net>
- * Copyright (C) 2010 David Sommerseth <dazo< at >users.sourceforge.net>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2
- * as published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-
-/*
- * This plugin is similar to simple.c, except it also logs extra information
- * to stdout for every plugin method called by OpenVPN. The only difference
- * between this (log_v3.c) and log.c is that this module uses the v3 plug-in
- * API.
- *
- * See the README file for build instructions.
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-
-#define ENABLE_SSL
-
-#include "openvpn-plugin.h"
-
-/*
- * Our context, where we keep our state.
- */
-struct plugin_context {
- const char *username;
- const char *password;
-};
-
-/*
- * Given an environmental variable name, search
- * the envp array for its value, returning it
- * if found or NULL otherwise.
- */
-static const char *
-get_env (const char *name, const char *envp[])
-{
- if (envp)
- {
- int i;
- const int namelen = strlen (name);
- for (i = 0; envp[i]; ++i)
-{
- if (!strncmp (envp[i], name, namelen))
- {
- const char *cp = envp[i] + namelen;
- if (*cp == '=')
-return cp + 1;
- }
-}
- }
- return NULL;
-}
-
-OPENVPN_EXPORT int
-openvpn_plugin_open_v3 (const int v3structver,
- struct openvpn_plugin_args_open_in const *args,
- struct openvpn_plugin_args_open_return *ret)
-{
- struct plugin_context *context = NULL;
-
- /* Check that we are API compatible */
- if( v3structver != OPENVPN_PLUGINv3_STRUCTVER ) {
- return OPENVPN_PLUGIN_FUNC_ERROR;
- }
-
- /* Which callbacks to intercept. */
- ret->type_mask =
- OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_UP) |
- OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_DOWN) |
- OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_ROUTE_UP) |
- OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_IPCHANGE) |
- OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_TLS_VERIFY) |
- OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) |
- OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_CLIENT_CONNECT_V2) |
- OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_CLIENT_DISCONNECT) |
- OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_LEARN_ADDRESS) |
- OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_TLS_FINAL);
-
-
- /* Allocate our context */
- context = (struct plugin_context *) calloc (1, sizeof (struct plugin_context));
-
- /* Set the username/password we will require. */
- context->username = "foo";
- context->password = "bar";
-
- /* Point the global context handle to our newly created context */
- ret->handle = (void *) context;
-
- return OPENVPN_PLUGIN_FUNC_SUCCESS;
-}
-
-void
-show (const int type, const char *argv[], const char *envp[])
-{
- size_t i;
- switch (type)
- {
- case OPENVPN_PLUGIN_UP:
- printf ("OPENVPN_PLUGIN_UP\n");
- break;
- case OPENVPN_PLUGIN_DOWN:
- printf ("OPENVPN_PLUGIN_DOWN\n");
- break;
- case OPENVPN_PLUGIN_ROUTE_UP:
- printf ("OPENVPN_PLUGIN_ROUTE_UP\n");
- break;
- case OPENVPN_PLUGIN_IPCHANGE:
- printf ("OPENVPN_PLUGIN_IPCHANGE\n");
- break;
- case OPENVPN_PLUGIN_TLS_VERIFY:
- printf ("OPENVPN_PLUGIN_TLS_VERIFY\n");
- break;
- case OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY:
- printf ("OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY\n");
- break;
- case OPENVPN_PLUGIN_CLIENT_CONNECT_V2:
- printf ("OPENVPN_PLUGIN_CLIENT_CONNECT_V2\n");
- break;
- case OPENVPN_PLUGIN_CLIENT_DISCONNECT:
- printf ("OPENVPN_PLUGIN_CLIENT_DISCONNECT\n");
- break;
- case OPENVPN_PLUGIN_LEARN_ADDRESS:
- printf ("OPENVPN_PLUGIN_LEARN_ADDRESS\n");
- break;
- case OPENVPN_PLUGIN_TLS_FINAL:
- printf ("OPENVPN_PLUGIN_TLS_FINAL\n");
- break;
- default:
- printf ("OPENVPN_PLUGIN_?\n");
- break;
- }
-
- printf ("ARGV\n");
- for (i = 0; argv[i] != NULL; ++i)
- printf ("%d '%s'\n", (int)i, argv[i]);
-
- printf ("ENVP\n");
- for (i = 0; envp[i] != NULL; ++i)
- printf ("%d '%s'\n", (int)i, envp[i]);
-}
-
-static void
-x509_print_info (X509 *x509crt)
-{
- int i, n;
- int fn_nid;
- ASN1_OBJECT *fn;
- ASN1_STRING *val;
- X509_NAME *x509_name;
- X509_NAME_ENTRY *ent;
- const char *objbuf;
- unsigned char *buf;
-
- x509_name = X509_get_subject_name (x509crt);
- n = X509_NAME_entry_count (x509_name);
- for (i = 0; i < n; ++i)
- {
- ent = X509_NAME_get_entry (x509_name, i);
- if (!ent)
-continue;
- fn = X509_NAME_ENTRY_get_object (ent);
- if (!fn)
-continue;
- val = X509_NAME_ENTRY_get_data (ent);
- if (!val)
-continue;
- fn_nid = OBJ_obj2nid (fn);
- if (fn_nid == NID_undef)
-continue;
- objbuf = OBJ_nid2sn (fn_nid);
- if (!objbuf)
-continue;
- buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */
- if (ASN1_STRING_to_UTF8 (&buf, val) <= 0)
-continue;
-
- printf("X509 %s: %s\n", objbuf, (char *)buf);
- OPENSSL_free (buf);
- }
-}
-
-
-
-OPENVPN_EXPORT int
-openvpn_plugin_func_v3 (const int version,
- struct openvpn_plugin_args_func_in const *args,
- struct openvpn_plugin_args_func_return *retptr)
-{
- struct plugin_context *context = (struct plugin_context *) args->handle;
-
- printf("\nopenvpn_plugin_func_v3() :::::>> ");
- show (args->type, args->argv, args->envp);
-
- /* Dump some X509 information if we're in the TLS_VERIFY phase */
- if ((args->type == OPENVPN_PLUGIN_TLS_VERIFY) && args->current_cert ) {
- printf("---- X509 Subject information ----\n");
- printf("Certificate depth: %i\n", args->current_cert_depth);
- x509_print_info(args->current_cert);
- printf("----------------------------------\n");
- }
-
- /* check entered username/password against what we require */
- if (args->type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)
- {
- /* get username/password from envp string array */
- const char *username = get_env ("username", args->envp);
- const char *password = get_env ("password", args->envp);
-
- if (username && !strcmp (username, context->username)
- && password && !strcmp (password, context->password))
-return OPENVPN_PLUGIN_FUNC_SUCCESS;
- else
-return OPENVPN_PLUGIN_FUNC_ERROR;
- }
- else
- return OPENVPN_PLUGIN_FUNC_SUCCESS;
-}
-
-OPENVPN_EXPORT void
-openvpn_plugin_close_v1 (openvpn_plugin_handle_t handle)
-{
- struct plugin_context *context = (struct plugin_context *) handle;
- free (context);
-}
diff --git a/src/plugins/examples/simple.c b/src/plugins/examples/simple.c
deleted file mode 100644
index f26d89f..0000000
--- a/src/plugins/examples/simple.c
+++ /dev/null
< at >< at > -1,120 +0,0 < at >< at >
-/*
- * OpenVPN -- An application to securely tunnel IP networks
- * over a single TCP/UDP port, with support for SSL/TLS-based
- * session authentication and key exchange,
- * packet encryption, packet authentication, and
- * packet compression.
- *
- * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales< at >openvpn.net>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2
- * as published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-
-/*
- * This file implements a simple OpenVPN plugin module which
- * will examine the username/password provided by a client,
- * and make an accept/deny determination. Will run
- * on Windows or *nix.
- *
- * See the README file for build instructions.
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-
-#include "openvpn-plugin.h"
-
-/*
- * Our context, where we keep our state.
- */
-struct plugin_context {
- const char *username;
- const char *password;
-};
-
-/*
- * Given an environmental variable name, search
- * the envp array for its value, returning it
- * if found or NULL otherwise.
- */
-static const char *
-get_env (const char *name, const char *envp[])
-{
- if (envp)
- {
- int i;
- const int namelen = strlen (name);
- for (i = 0; envp[i]; ++i)
-{
- if (!strncmp (envp[i], name, namelen))
- {
- const char *cp = envp[i] + namelen;
- if (*cp == '=')
-return cp + 1;
- }
-}
- }
- return NULL;
-}
-
-OPENVPN_EXPORT openvpn_plugin_handle_t
-openvpn_plugin_open_v1 (unsigned int *type_mask, const char *argv[], const char *envp[])
-{
- struct plugin_context *context;
-
- /*
- * Allocate our context
- */
- context = (struct plugin_context *) calloc (1, sizeof (struct plugin_context));
-
- /*
- * Set the username/password we will require.
- */
- context->username = "foo";
- context->password = "bar";
-
- /*
- * We are only interested in intercepting the
- * --auth-user-pass-verify callback.
- */
- *type_mask = OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY);
-
- return (openvpn_plugin_handle_t) context;
-}
-
-OPENVPN_EXPORT int
-openvpn_plugin_func_v1 (openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[])
-{
- struct plugin_context *context = (struct plugin_context *) handle;
-
- /* get username/password from envp string array */
- const char *username = get_env ("username", envp);
- const char *password = get_env ("password", envp);
-
- /* check entered username/password against what we require */
- if (username && !strcmp (username, context->username)
- && password && !strcmp (password, context->password))
- return OPENVPN_PLUGIN_FUNC_SUCCESS;
- else
- return OPENVPN_PLUGIN_FUNC_ERROR;
-}
-
-OPENVPN_EXPORT void
-openvpn_plugin_close_v1 (openvpn_plugin_handle_t handle)
-{
- struct plugin_context *context = (struct plugin_context *) handle;
- free (context);
-}
diff --git a/src/plugins/examples/simple.def b/src/plugins/examples/simple.def
deleted file mode 100755
index a87507d..0000000
--- a/src/plugins/examples/simple.def
+++ /dev/null
< at >< at > -1,6 +0,0 < at >< at >
-LIBRARY OpenVPN_PLUGIN_SAMPLE
-DESCRIPTION "Sample OpenVPN plug-in module."
-EXPORTS
- openvpn_plugin_open_v1 < at >1
- openvpn_plugin_func_v1 < at >2
- openvpn_plugin_close_v1 < at >3
diff --git a/src/plugins/examples/winbuild b/src/plugins/examples/winbuild
deleted file mode 100755
index decf05f..0000000
--- a/src/plugins/examples/winbuild
+++ /dev/null
< at >< at > -1,18 +0,0 < at >< at >
-#
-# Build an OpenVPN plugin module on Windows/MinGW.
-# The argument should be the base name of the C source file
-# (without the .c).
-#
-
-# This directory is where we will look for openvpn-plugin.h
-INCLUDE="-I../../../include"
-
-CC_FLAGS="-O2 -Wall"
-
-gcc -DBUILD_DLL $CC_FLAGS $INCLUDE -c $1.c
-gcc --disable-stdcall-fixup -mdll -DBUILD_DLL -o junk.tmp -Wl,--base-file,base.tmp $1.o
-rm junk.tmp
-dlltool --dllname $1.dll --base-file base.tmp --output-exp temp.exp --input-def $1.def
-rm base.tmp
-gcc --enable-stdcall-fixup -mdll -DBUILD_DLL -o $1.dll $1.o -Wl,temp.exp
-rm temp.exp
</pre>Alon Bar-Lev2012-05-14T22:42:03[PATCH 1/2] cleanup: spec: make space/tab consistent
http://comments.gmane.org/gmane.network.openvpn.devel/6590
<pre>Signed-off-by: Alon Bar-Lev <alon.barlev< at >gmail.com>
---
distro/rpm/openvpn.spec.in | 34 +++++++++++++++++-----------------
1 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/distro/rpm/openvpn.spec.in b/distro/rpm/openvpn.spec.in
index a6f31bd..de46f59 100644
--- a/distro/rpm/openvpn.spec.in
+++ b/distro/rpm/openvpn.spec.in
< at >< at > -12,8 +12,8 < at >< at >
# rpmbuild -tb [openvpn.x.tar.gz] --define 'with_password_save 1'
Summary:OpenVPN is a robust and highly flexible VPN daemon by James Yonan.
-Name: < at >PACKAGE< at >
-Version: < at >VERSION< at >
+Name:< at >PACKAGE< at >
+Version:< at >VERSION< at >
Release:1
URL:http://openvpn.net/
Source0:http://prdownloads.sourceforge.net/openvpn/%{name}-%{version}.tar.gz
< at >< at > -30,27 +30,27 < at >< at > BuildRoot:%{_tmppath}/%{name}-%(id -un)
AutoReq: 0
-BuildRequires: openssl-devel >= 0.9.6
-Requires: openssl >= 0.9.6
+BuildRequires:openssl-devel >= 0.9.6
+Requires:openssl >= 0.9.6
%if "%{_vendor}" == "Mandrakesoft"
-%{!?without_lzo:BuildRequires: liblzo1-devel >= 1.07}
-%{!?without_lzo:Requires: liblzo1 >= 1.07}
+%{!?without_lzo:BuildRequires:liblzo1-devel >= 1.07}
+%{!?without_lzo:Requires:liblzo1 >= 1.07}
%else
%if "%{_vendor}" == "MandrakeSoft"
-%{!?without_lzo:BuildRequires: liblzo1-devel >= 1.07}
-%{!?without_lzo:Requires: liblzo1 >= 1.07}
+%{!?without_lzo:BuildRequires:liblzo1-devel >= 1.07}
+%{!?without_lzo:Requires:liblzo1 >= 1.07}
%else
-%{!?without_lzo:BuildRequires: lzo-devel >= 1.07}
-%{!?without_lzo:Requires: lzo >= 1.07}
+%{!?without_lzo:BuildRequires:lzo-devel >= 1.07}
+%{!?without_lzo:Requires:lzo >= 1.07}
%endif
%endif
-%{!?without_pam:BuildRequires: pam-devel}
-%{!?without_pam:Requires: pam}
+%{!?without_pam:BuildRequires:pam-devel}
+%{!?without_pam:Requires:pam}
-%{?with_pkcs11:BuildRequires: pkcs11-helper-devel}
-%{?with_pkcs11:Requires: pkcs11-helper}
+%{?with_pkcs11:BuildRequires:pkcs11-helper-devel}
+%{?with_pkcs11:Requires:pkcs11-helper}
#
# Description
< at >< at > -68,7 +68,7 < at >< at > and portability to most major OS platforms.
%package devel
Summary:OpenVPN is a robust and highly flexible VPN daemon by James Yonan.
Group:Applications/Internet
-Requires: %{name}
+Requires:%{name}
%description devel
Development support for OpenVPN.
< at >< at > -134,10 +134,10 < at >< at > popd
# Install init script
%if "%{VENDOR}" == "SuSE"
%__install -c -d -m 755 "%{buildroot}/etc/init.d"
-%__install -c -m 755 "distro/rpm/%{name}.init.d.suse" "%{buildroot}/etc/init.d/%{name}"
+%__install -c -m 755 "distro/rpm/%{name}.init.d.suse" "%{buildroot}/etc/init.d/%{name}"
%else
%__install -c -d -m 755 "%{buildroot}/etc/rc.d/init.d"
-%__install -c -m 755 distro/rpm/%{name}.init.d.rhel "%{buildroot}/etc/rc.d/init.d/%{name}"
+%__install -c -m 755 distro/rpm/%{name}.init.d.rhel "%{buildroot}/etc/rc.d/init.d/%{name}"
%endif
# Install /etc/openvpn
</pre>Alon Bar-Lev2012-05-14T22:29:39Disable tun-ipv6 warning
http://comments.gmane.org/gmane.network.openvpn.devel/6582
<pre>Hey,
Openvpn will show the following warning, if I enable tun-ipv6 in the
local config and not remote or vice versa:
WARNING: 'tun-ipv6' is present in remote config but missing in local
config, remote='tun-ipv6'
ipv4 only. (On android there is no difference at all). Even without
explicitly stating "tun-ipv6" openvpn will happily configure the ipv6
options. Is there anything this message warns about? (I know the obvious
the configs do not match).
If the server does not push any ipv6 related messages running with
tun-ipv6 works fine, and if the server does push ipv6 messages it works
fine too.
Forgive me if I am missing something obvious.
Arne
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
</pre>Arne Schwabe2012-05-13T22:12:07[V2.4 0/4] tun cleanups
http://comments.gmane.org/gmane.network.openvpn.devel/6557
<pre>Platform independent interface for tun provider.
Split the long tun.c into platform specific files using
tun_engine interface.
Functionality is the same.
Maintenance will be much easier! new options, like stacking
several interfaces and delegate partial control to plugin.
There is more to be done in order to clean up the code,
however this is a good starting point.
Some more minor cleanups.
Tested on Linux, FreeBSD, Windows.
Branch should be merge after syshead[1].
Most probably patch exceeds list limitation, review is available[2].
This is for 2.4, please review quickly this so won't need to rebase.
Special thanks to Eric Crist for his FreeBSD help.
[1] https://github.com/alonbl/openvpn/compare/build...syshead
[2] https://github.com/alonbl/openvpn/compare/syshead...tun
Alon Bar-Lev (4):
cleanup: remove check_subnet_conflict
cleanup: move warn_on_use_of_common_subnets to init.c
cleanup: remove tun_adjust_frame_parameters
cleanup: tun: tun_engine interface
configure.ac | 6 +
src/openvpn/Makefile.am | 12 +
src/openvpn/error.c | 2 +-
src/openvpn/forward.c | 28 +-
src/openvpn/helper.c | 2 +-
src/openvpn/init.c | 61 +-
src/openvpn/multi.c | 2 +-
src/openvpn/options.c | 20 +-
src/openvpn/options.h | 5 +-
src/openvpn/route.c | 2 +-
src/openvpn/sig.c | 4 +-
src/openvpn/syshead.h | 56 -
src/openvpn/tun-engine-common-bsd.c | 103 +
src/openvpn/tun-engine-common-bsd.h | 34 +
src/openvpn/tun-engine-common.c | 518 +++
src/openvpn/tun-engine-common.h | 85 +
src/openvpn/tun-engine-darwin.c | 226 ++
src/openvpn/tun-engine-dragonfly.c | 193 ++
src/openvpn/tun-engine-freebsd.c | 229 ++
src/openvpn/tun-engine-generic.c | 97 +
src/openvpn/tun-engine-linux-options.h | 37 +
src/openvpn/tun-engine-linux.c | 515 +++
src/openvpn/tun-engine-netbsd.c | 318 ++
src/openvpn/tun-engine-openbsd.c | 259 ++
src/openvpn/tun-engine-options.h | 37 +
src/openvpn/tun-engine-solaris.c | 491 +++
src/openvpn/tun-engine-windows-options.h | 92 +
src/openvpn/tun-engine-windows-util.h | 83 +
src/openvpn/tun-engine-windows.c | 2757 ++++++++++++++++
src/openvpn/tun-engine.h | 95 +
src/openvpn/tun.c | 5053 ++----------------------------
src/openvpn/tun.h | 469 +---
32 files changed, 6548 insertions(+), 5343 deletions(-)
create mode 100644 src/openvpn/tun-engine-common-bsd.c
create mode 100644 src/openvpn/tun-engine-common-bsd.h
create mode 100644 src/openvpn/tun-engine-common.c
create mode 100644 src/openvpn/tun-engine-common.h
create mode 100644 src/openvpn/tun-engine-darwin.c
create mode 100644 src/openvpn/tun-engine-dragonfly.c
create mode 100644 src/openvpn/tun-engine-freebsd.c
create mode 100644 src/openvpn/tun-engine-generic.c
create mode 100644 src/openvpn/tun-engine-linux-options.h
create mode 100644 src/openvpn/tun-engine-linux.c
create mode 100644 src/openvpn/tun-engine-netbsd.c
create mode 100644 src/openvpn/tun-engine-openbsd.c
create mode 100644 src/openvpn/tun-engine-options.h
create mode 100644 src/openvpn/tun-engine-solaris.c
create mode 100644 src/openvpn/tun-engine-windows-options.h
create mode 100644 src/openvpn/tun-engine-windows-util.h
create mode 100644 src/openvpn/tun-engine-windows.c
create mode 100644 src/openvpn/tun-engine.h
</pre>Alon Bar-Lev2012-05-12T19:31:41[PATCH 00/16] syshead: cleanups
http://comments.gmane.org/gmane.network.openvpn.devel/6538
<pre>Hello,
This series include some minor syshead.h cleanups, most moved to
build system.
I think these are simple enough to go into 2.3, the risk is minimal
but I don't care if we truly freeze 2.3 and switch master to 2.4
and apply this for 2.4.
This series is on top of my build branch[1], about to merge it too.
[1] https://github.com/alonbl/openvpn/compare/build
Alon Bar-Lev (16):
cleanup: syshead: remove OS_SPECIFIC_DIRSEP in favor of autoconf
PATH_SEPARATOR
cleanup: syshead: move O_BINARY detection to autoconf
cleanup: syshead: remove useless WIN32_0_1
cleanup: syshead: remove useless constant USE_64_BIT_COUNTERS
cleanup: syshead: move apple specific CPPFLAGS out of syshead
clenaup: syshead: remove wait macros wrappers
cleanup: syshead: move likely,unlikely to basic.h
cleanup: syshead: move sleep,random,syshead.h emulation to compat
cleanup: syshead: rename S_ERROR->S_ERRORS to avoid conflict with
stropts.h
cleanup: syshead: split pedantic into pedantic, lint
cleanup: syshead: move _P1003_1B_VISIBLE to autoconf
cleanup: syshead: move socket compat into basic.h
cleanup: syshead: remove dead code
cleanup: syshead: move SOL_IP emulation to autoconf
cleanup: syshead: move ENABLE_MEMSTATS to autoconf
clenaup: syshead: reworder/cleanup includes
configure.ac | 63 ++++++++++-
src/compat/compat.h | 6 +
src/openvpn/basic.h | 40 +++++++
src/openvpn/common.h | 13 +--
src/openvpn/error.h | 2 +-
src/openvpn/misc.c | 6 +-
src/openvpn/openvpn.c | 2 +-
src/openvpn/ssl.c | 16 ++--
src/openvpn/ssl_common.h | 2 +-
src/openvpn/ssl_verify.c | 2 +-
src/openvpn/syshead.h | 270 ++++++----------------------------------------
src/openvpn/tun.c | 12 --
12 files changed, 157 insertions(+), 277 deletions(-)
</pre>Alon Bar-Lev2012-05-12T19:19:33[PATCH] build: insall README* document using buildsystem
http://comments.gmane.org/gmane.network.openvpn.devel/6536
<pre>Purpose: make distro packager task simpler, more flexible to provide
more documentation without changing the packaging script.
Remove installation related documents from rpm as package already
installed when viewed.
+Workaround rpm bug[1].
[1] http://rpm.org/ticket/836
Signed-off-by: Alon Bar-Lev <alon.barlev< at >gmail.com>
---
Makefile.am | 3 +++
distro/rpm/openvpn.spec.in | 11 +++++++----
2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 33dfcd6..c580579 100644
--- a/Makefile.am
+++ b/Makefile.am
< at >< at > -57,6 +57,9 < at >< at > endif
SUBDIRS = build distro include src sample doc tests
dist_doc_DATA = \
+README \
+README.IPv6 \
+README.polarssl \
COPYRIGHT.GPL \
COPYING
diff --git a/distro/rpm/openvpn.spec.in b/distro/rpm/openvpn.spec.in
index d9158c1..a6f31bd 100644
--- a/distro/rpm/openvpn.spec.in
+++ b/distro/rpm/openvpn.spec.in
< at >< at > -164,6 +164,10 < at >< at > done
%__mv -f src/plugins/README src/plugins/README.plugins
+# Install extra %doc stuff
+cp -r AUTHORS ChangeLog NEWS contrib/ sample/ src/plugins/README.* \
+"%{buildroot}/%{_docdir}/%{name}-%{version}"
+
#
# Clean section
#
< at >< at > -207,13 +211,15 < at >< at > fi
#
# Files section
#
+# don't use %doc as old rpmbuild removes it[1].
+# [1] http://rpm.org/ticket/836
%files
%defattr(-,root,root)
-%doc AUTHORS ChangeLog COPYING COPYRIGHT.GPL INSTALL NEWS PORTS README
%{_mandir}
%{_sbindir}/%{name}
%{_datadir}/%{name}
+%{_docdir}/%{name}-%{version}
%dir /etc/%{name}
%if "%{VENDOR}" == "SuSE"
/etc/init.d/%{name}
< at >< at > -221,9 +227,6 < at >< at > fi
/etc/rc.d/init.d/%{name}
%endif
-# Install extra %doc stuff
-%doc contrib/ sample/ src/plugins/README.*
-
%files devel
%defattr(-,root,root)
%{_includedir}/*
</pre>Alon Bar-Lev2012-05-12T19:03:53[PATCH] Properly detect OpenSSL version stringswith numbers only
http://comments.gmane.org/gmane.network.openvpn.devel/6534
<pre>whichopensslcnf failed to return the right cnf for:
$ openssl version
OpenSSL 1.0.1 14 Mar 2012
Signed-off-by: Simon Deziel <simon.deziel< at >gmail.com>
---
easy-rsa/2.0/whichopensslcnf | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/easy-rsa/2.0/whichopensslcnf b/easy-rsa/2.0/whichopensslcnf
index 2226a8e..ccdaf50 100755
--- a/easy-rsa/2.0/whichopensslcnf
+++ b/easy-rsa/2.0/whichopensslcnf
< at >< at > -3,11 +3,11 < at >< at >
cnf="$1/openssl.cnf"
if [ "$OPENSSL" ]; then
- if $OPENSSL version | grep -E "0\.9\.6[[:alnum:]]" > /dev/null; then
+ if $OPENSSL version | grep -E "0\.9\.6[[:alnum:]]?" > /dev/null;
then
cnf="$1/openssl-0.9.6.cnf"
- elif $OPENSSL version | grep -E "0\.9\.8[[:alnum:]]" >
/dev/null; then
+ elif $OPENSSL version | grep -E "0\.9\.8[[:alnum:]]?" >
/dev/null; then
cnf="$1/openssl-0.9.8.cnf"
- elif $OPENSSL version | grep -E "1\.0\.([[:digit:]][[:alnum:]])"
+ elif $OPENSSL version | grep -E "1\.0\.[[:digit:]][[:alnum:]]?"
cnf="$1/openssl-1.0.0.cnf"
else
cnf="$1/openssl.cnf"
</pre>Simon Deziel2012-05-12T15:54:41[PATCH] build: detect sys/wait.h required for *bsd
http://comments.gmane.org/gmane.network.openvpn.devel/6532
<pre>Signed-off-by: Alon Bar-Lev <alon.barlev< at >gmail.com>
---
configure.ac | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/configure.ac b/configure.ac
index 901a916..4592727 100644
--- a/configure.ac
+++ b/configure.ac
< at >< at > -374,7 +374,7 < at >< at > AC_CHECK_HEADERS([ \
])
AC_CHECK_HEADERS([ \
sys/time.h sys/ioctl.h sys/stat.h \
-sys/mman.h sys/file.h \
+sys/mman.h sys/file.h sys/wait.h \
unistd.h signal.h libgen.h stropts.h \
syslog.h pwd.h grp.h \
sys/sockio.h sys/uio.h linux/sockios.h \
</pre>Alon Bar-Lev2012-05-12T09:02:18Some openvpn-build issues
http://comments.gmane.org/gmane.network.openvpn.devel/6517
<pre>Hi (Alon),
Just a quick overview of the build issues I ran into while building with
$ cd openvpn-build/windows-nsis
$ ./build-snapshot <signing options>
First, the build_openvpn_gui() fails with
i686-w64-mingw32-gcc -std=gnu99 -municode -pedantic -Wall -Wextra
-mwindows -o openvpn-gui.exe main.o openvpn.o localization.o tray.o
viewlog.o service.o options.o passphrase.o proxy.o registry.o scripts.o
manage.o openvpn_config.o res/openvpn-gui-res.o
-L/home/samuli/opt/openvpn-build/windows-nsis/tmp/image-i686/openvpn/lib
-lcrypto -lws2_32 -lcomctl32
/usr/lib/gcc/i686-w64-mingw32/4.6.1/../../../../i686-w64-mingw32/lib/../lib/libmingwex.a(lib32_libmingwex_a-_wctime32.o):
In function `_wctime32':
/build/buildd/mingw-w64-1.0+20110523/mingw-w64-crt/misc/_wctime32.c:15:
undefined reference to `__imp__wctime'
collect2: ld returned 1
make[1]: *** [openvpn-gui.exe] Error 1
make[1]: leaving directory
"/home/samuli/opt/openvpn-build/windows-nsis/tmp/build-i686/openvpn-gui-1.0.3"
make: *** [install-strip] Error 2
FATAL: make openvpn-gui
FATAL: build i686 >&2
I circumvented this by commenting out openvpn-gui building in
openvpn-build/generic/build main() method:
build_openvpn
#[ -n "${BUILD_FOR_WINDOWS}" ] && build_openvpn_gui
copy_docs
I also had to fix openvpn.nsi or it failed, not finding openvpn-gui.exe
Next "openvpn-build/windows-nsis/build" failed:
unix2dos: converting file tmp/installer/easy-rsa/Windows/init-config.bat
to DOS format ...
unix2dos: converting file tmp/installer/easy-rsa/Windows/revoke-full.bat
to DOS format ...
unix2dos: converting file tmp/installer/easy-rsa/Windows/serial.start to
DOS format ...
unix2dos: converting file tmp/installer/easy-rsa/Windows/vars.bat.sample
to DOS format ...
./build: 5: Bad substitution
FATAL: pack i686 >&2
This was a Dash shell issue, which you apparently fixed. I just didn't
have time yet to test your fix. Switching to /bin/bash helped get around
this.
I also noticed that there's a dependency to osslsigncode 1.4+ due to
missing pkcs12 options in older versions. While it would fairly easy to
adapt the codesign() method to support 1.3 and earlier, I think the 1.4
dependency is fine: not that many people build Windows installers.
I added some comments to the scripts as I went through them. I'll send
in patches next week that clarify how they work, i.e. make them seem
less "magical" :D.
Alon: thanks for work well done! This is way better than what we had
earlier!
</pre>Samuli Seppänen2012-05-11T15:37:20First partially-working snapshot build for Windowsnow available
http://comments.gmane.org/gmane.network.openvpn.devel/6515
<pre>Hi all,
I finally managed to generate fairly crude OpenVPN Windows installers
using Alon's new openvpn-build buildsystem. Due to a build issue
"openvpn-gui" is not included, and the tap-driver is seems to be
unsigned. Regardless, here are the results nevertheless:
<http://build.openvpn.net/downloads/snapshots/openvpn-install-2.3_master-I000_master-i686.exe>
<http://build.openvpn.net/downloads/snapshots/openvpn-install-2.3_master-I000_master-x86_64.exe>
All of the libraries and executables have been signed with a self-signed
test key. This includes openssl libraries and such. If you want Windows
to trust these executables, you need to download this certificate:
<http://build.openvpn.net/downloads/openvpntestca-cert.cer>
Then you need to import it to your "Trusted CA" key store, e.g. with
After this Windows should not complain about an unknown publisher. I'll
try to come up with really usable installer next week.
</pre>Samuli Seppänen2012-05-11T15:26:04Some issues with openvpn-build/windows-nsis
http://comments.gmane.org/gmane.network.openvpn.devel/6487
<pre>Hi,
I tried to generate a Windows installer on Ubuntu 11.10 amd64, but ran
into some issues:
$ cd openvpn-build/windows-nsis
$ ./build-snapshot
--- snip ---
make[3]: Leaving directory
`/home/samuli/opt/openvpn-build/windows-nsis/tmp/build-i686/pkcs11-helper-1.10'
make[2]: Leaving directory
`/home/samuli/opt/openvpn-build/windows-nsis/tmp/build-i686/pkcs11-helper-1.10'
make[1]: Leaving directory
`/home/samuli/opt/openvpn-build/windows-nsis/tmp/build-i686/pkcs11-helper-1.10'
tap-windows
Fixup libtool files
Restore libtool files
ls: cannot access tmp/image-i686/openvpn-i686-*-bin.*: No such file or
directory
The error message seems clear enough, but I'm wondering why the binaries
are not where it looks for them:
$ ls tmp/image-i686
openvpn
$ ls tmp/image-i686/openvpn
bin etc include lib share
</pre>Samuli Seppänen2012-05-10T12:11:15openvpn question
http://comments.gmane.org/gmane.network.openvpn.devel/6478
<pre>
Hi all,
I am new to openvpn. I am using openvpn on my linux machine.
I have a basic question about openvpn.
How openvpn process the incoming packets ?
Is it processing incoming packets one by one, means receive one packet from the kernel, decrypt it and send it back to the kernel then next packet ?
or
whenever a packet comes, openvpn receives and queues it while doing decryption of already received packet ?
Regards
Raj Kumar
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/_______________________________________________
Openvpn-devel mailing list
Openvpn-devel< at >lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
</pre>Raj Kumar2012-05-10T08:43:03[PATCH] Openvpn for Android 4.0 Changeset
http://comments.gmane.org/gmane.network.openvpn.devel/6460
<pre>Hello,
I have developed the port of openvpn for Android 4.0:
https://play.google.com/store/apps/details?id=de.blinkt.openvpn and
http://code.google.com/p/ics-openvpn/
The API of Android 4.0 requires that openvpn runs as completely
unprivileged process. There all opening of tun, adding of routes,
ifconfig etc. has to be done by another process.
This patch implements an API to allow pushing routes, dns, tun over the
management interface (unix socket). Also on Android 4.0 the connection
for the control has to be protect via an API call from the Java GUI.
Basically I am using the needok feature of the management protocol to
push all relevant information to the GUI or to request information. I
have not split the patch into multiple small patches because it should
be first discussed if this is right architectural way.
Arne
From: Arne Schwabe <arne< at >rfc2549.org>
Date: Tue, 1 May 2012 14:04:22 +0200
Subject: [PATCH] rebase on head
---
src/openvpn/error.c | 86 +++++++++++++++++++++++++++++--------------------
src/openvpn/event.c | 4 ++
src/openvpn/init.c | 10 +++++-
src/openvpn/manage.c | 11 ++++--
src/openvpn/options.c | 7 ++++
src/openvpn/route.c | 7 +++-
src/openvpn/socket.c | 25 ++++++++++++++
src/openvpn/ssl.c | 2 +
src/openvpn/syshead.h | 2 +-
src/openvpn/tun.c | 29 +++++++++++++++-
src/openvpn/tun.h | 22 ++++++++++++-
11 files changed, 160 insertions(+), 45 deletions(-)
diff --git a/src/openvpn/error.c b/src/openvpn/error.c
index d6ad639..6849794 100644
--- a/src/openvpn/error.c
+++ b/src/openvpn/error.c
< at >< at > -199,6 +199,11 < at >< at > msg_fp(const unsigned int flags)
int x_msg_line_num; /* GLOBAL */
+#include "android/log.h"
+
+
+
+
void x_msg (const unsigned int flags, const char *format, ...)
{
struct gc_arena gc;
< at >< at > -214,6 +219,7 < at >< at > void x_msg (const unsigned int flags, const char *format, ...)
const char *prefix_sep;
void usage_small (void);
+
#ifndef HAVE_VARARG_MACROS
/* the macro has checked this otherwise */
< at >< at > -298,58 +304,65 < at >< at > void x_msg (const unsigned int flags, const char *format, ...)
if (!prefix)
prefix_sep = prefix = "";
+
/* virtual output capability used to copy output to management subsystem */
if (!forked)
{
const struct virtual_output *vo = msg_get_virtual_output ();
+
if (vo)
{
openvpn_snprintf (m2, ERR_BUF_SIZE, "%s%s%s",
prefix,
prefix_sep,
m1);
- virtual_output_print (vo, flags, m2);
+ virtual_output_print (vo, flags, m2);
}
}
- if (!(flags & M_MSG_VIRT_OUT))
+ if (!(flags & M_MSG_VIRT_OUT) )
{
- if (use_syslog && !std_redir && !forked)
-{
+ if (use_syslog && !std_redir && !forked)
+ {
#if SYSLOG_CAPABILITY
- syslog (level, "%s%s%s",
- prefix,
- prefix_sep,
- m1);
+ syslog (level, "%s%s%s",
+ prefix,
+ prefix_sep,
+ m1);
+#endif
+ }
+ else // No Syslog
+ {
+ FILE *fp = msg_fp(flags);
+ const bool show_usec = check_debug_level (DEBUG_LEVEL_USEC_TIME);
+
+ if ((flags & M_NOPREFIX) || suppress_timestamps)
+ {
+ fprintf (fp, "%s%s%s%s",
+ prefix,
+ prefix_sep,
+ m1,
+ (flags&M_NOLF) ? "" : "\n");
+ }
+ else
+ {
+ fprintf (fp, "%s %s%s%s%s",
+ time_string (0, 0, show_usec, &gc),
+ prefix,
+ prefix_sep,
+ m1,
+ (flags&M_NOLF) ? "" : "\n");
+ }
+ fflush(fp);
+ ++x_msg_line_num;
+ }
+#ifdef TARGET_ANDROID
+ android_openvpn_log(prefix,prefix_sep,m1);;
#endif
-}
- else
-{
- FILE *fp = msg_fp(flags);
- const bool show_usec = check_debug_level (DEBUG_LEVEL_USEC_TIME);
-
- if ((flags & M_NOPREFIX) || suppress_timestamps)
- {
- fprintf (fp, "%s%s%s%s",
- prefix,
- prefix_sep,
- m1,
- (flags&M_NOLF) ? "" : "\n");
- }
- else
- {
- fprintf (fp, "%s %s%s%s%s",
- time_string (0, 0, show_usec, &gc),
- prefix,
- prefix_sep,
- m1,
- (flags&M_NOLF) ? "" : "\n");
- }
- fflush(fp);
- ++x_msg_line_num;
-}
}
+
+
if (flags & M_FATAL)
msg (M_INFO, "Exiting due to fatal error");
< at >< at > -701,7 +714,10 < at >< at > openvpn_exit (const int status)
if (status == OPENVPN_EXIT_STATUS_GOOD)
perf_output_results ();
}
-
+#ifdef TARGET_ANDROID
+ android_openvpn_exit(status);
+#endif
+
exit (status);
}
diff --git a/src/openvpn/event.c b/src/openvpn/event.c
index 2a13e1c..0463d98 100644
--- a/src/openvpn/event.c
+++ b/src/openvpn/event.c
< at >< at > -753,6 +753,10 < at >< at > po_wait (struct event_set *es, const struct timeval *tv, struct event_set_return
++out;
++j;
}
+ else if(pfdp->revents==0x0020)
+ {
+ openvpn_exit (OPENVPN_EXIT_STATUS_ERROR);
+ }
else if (pfdp->revents)
{
msg (D_EVENT_ERRORS, "Error: poll: unknown revents=0x%04x", (unsigned int)pfdp->revents);
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 61ced5d..cc94b81 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
< at >< at > -1477,6 +1477,13 < at >< at > do_open_tun (struct context *c)
&gc);
do_ifconfig (c->c1.tuntap, guess, TUN_MTU_SIZE (&c->c2.frame), c->c2.es);
}
+
+ /* possibly add routes */
+ if(ifconfig_order() == ROUTE_BEFORE_TUN) {
+ if (!c->options.route_delay_defined)
+ do_route (&c->options, c->c1.route_list, c->c1.route_ipv6_list,
+ c->c1.tuntap, c->plugins, c->c2.es);
+ }
/* open the tun device */
open_tun (c->options.dev, c->options.dev_type, c->options.dev_node,
< at >< at > -1509,10 +1516,11 < at >< at > do_open_tun (struct context *c)
c->c2.es);
/* possibly add routes */
+ if(ifconfig_order() == ROUTE_AFTER_TUN) {
if (!c->options.route_delay_defined)
do_route (&c->options, c->c1.route_list, c->c1.route_ipv6_list,
c->c1.tuntap, c->plugins, c->c2.es);
-
+ }
/*
* Did tun/tap driver give us an MTU?
*/
diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c
index 1dddd41..1a6c086 100644
--- a/src/openvpn/manage.c
+++ b/src/openvpn/manage.c
< at >< at > -1479,13 +1479,14 < at >< at > man_new_connection_post (struct management *man, const char *description)
#if UNIX_SOCK_SUPPORT
if (man->settings.flags & MF_UNIX_SOCK)
{
- msg (D_MANAGEMENT, "MANAGEMENT: %s %s",
- description,
- sockaddr_unix_name (&man->settings.local_unix, "NULL"));
+ msg (D_MANAGEMENT, "MANAGEMENT(unix): %s %s",
+ description,
+ sockaddr_unix_name (&man->settings.local_unix, "NULL"));
+
}
else
#endif
- msg (D_MANAGEMENT, "MANAGEMENT: %s %s",
+ msg (D_MANAGEMENT, "MANAGEMENT(tcp): %s %s",
description,
print_sockaddr (&man->settings.local, &gc));
< at >< at > -2690,6 +2691,7 < at >< at > management_socket_set (struct management *man,
void
management_io (struct management *man)
{
+ msg(D_MANAGEMENT,"M I/O State %d in",man->connection.state);
switch (man->connection.state)
{
case MS_LISTEN:
< at >< at > -2706,6 +2708,7 < at >< at > management_io (struct management *man)
default:
ASSERT (0);
}
+ msg(D_MANAGEMENT,"M I/O State %d out",man->connection.state);
}
#endif
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 7769625..bd6382f 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
< at >< at > -564,6 +564,7 < at >< at > static const char usage_message[] =
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
" and CRLs).\n"
#else /* OPENSSL_VERSION_NUMBER >= 0x00907000L */
+#error WTF!
").\n"
" WARNING: no support of CRL available with this version.\n"
#endif /* OPENSSL_VERSION_NUMBER >= 0x00907000L */
< at >< at > -1140,7 +1141,9 < at >< at > show_tuntap_options (const struct tuntap_options *o)
}
#endif
+#endif
+#if defined(WIN32) || defined(TARGET_ANDROID)
static void
dhcp_option_address_parse (const char *name, const char *parm, in_addr_t *array, int *len, int msglevel)
{
< at >< at > -6064,6 +6067,8 < at >< at > add_option (struct options *options,
to->ip_win32_type = index;
to->ip_win32_defined = true;
}
+#endif
+#if defined(WIN32) || defined(TARGET_ANDROID)
else if (streq (p[0], "dhcp-option") && p[1])
{
struct tuntap_options *o = &options->tuntap_options;
< at >< at > -6115,6 +6120,8 < at >< at > add_option (struct options *options,
}
o->dhcp_options = true;
}
+#endif
+#ifdef WIN32
else if (streq (p[0], "show-adapters"))
{
VERIFY_PERMISSION (OPT_P_GENERAL);
diff --git a/src/openvpn/route.c b/src/openvpn/route.c
index 7c25c77..6c3ad90 100644
--- a/src/openvpn/route.c
+++ b/src/openvpn/route.c
< at >< at > -1344,6 +1344,11 < at >< at > add_route (struct route *r,
argv_msg (D_ROUTE, &argv);
status = openvpn_execve_check (&argv, es, 0, "ERROR: Linux route add command failed");
+#elif defined (TARGET_ANDROID)
+#include "jniglue.h"
+
+ addRouteInformation(network, netmask, gateway);
+
#elif defined (WIN32)
{
DWORD ai = TUN_ADAPTER_INDEX_INVALID;
< at >< at > -2371,7 +2376,7 < at >< at > show_routes (int msglev)
gc_free (&gc);
}
-#elif defined(TARGET_LINUX)
+#elif defined(TARGET_LINUX) || defined(TARGET_ANDROID)
void
get_default_gateway (struct route_gateway_info *rgi)
diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
index 6b1f8d2..364b97e 100644
--- a/src/openvpn/socket.c
+++ b/src/openvpn/socket.c
< at >< at > -41,6 +41,11 < at >< at >
#include "memdbg.h"
+#ifdef TARGET_ANDROID
+#include "jniglue.h"
+#endif
+
+
const int proto_overhead[] = { /* indexed by PROTO_x */
0,
IPv4_UDP_HEADER_SIZE, /* IPv4 */
< at >< at > -858,6 +863,11 < at >< at > create_socket_tcp (void)
}
#endif
+#ifdef TARGET_ANDROID
+ /* Protects the socket from being routed via VPN */
+ android_protect_socket(sd);
+#endif
+
return sd;
}
< at >< at > -885,6 +895,12 < at >< at > create_socket_udp (const unsigned int flags)
#endif
}
#endif
+
+#ifdef TARGET_ANDROID
+ /* Protects the socket from being routed via VPN */
+ android_protect_socket(sd);
+#endif
+
return sd;
}
< at >< at > -904,6 +920,11 < at >< at > create_socket_udp6 (const unsigned int flags)
msg(M_SOCKERR, "UDP: failed setsockopt for IPV6_RECVPKTINFO");
}
#endif
+#ifdef TARGET_ANDROID
+ /* Protects the socket from being routed via VPN */
+ android_protect_socket(sd);
+#endif
+
return sd;
}
< at >< at > -922,6 +943,10 < at >< at > create_socket_tcp6 (void)
(void *) &on, sizeof (on)) < 0)
msg (M_SOCKERR, "TCP: Cannot setsockopt SO_REUSEADDR on TCP6 socket");
}
+#ifdef TARGET_ANDROID
+ /* Protects the socket from being routed via VPN */
+ android_protect_socket(sd);
+#endif
return sd;
}
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 19512c0..9f570b9 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
< at >< at > -1650,6 +1650,8 < at >< at > push_peer_info(struct buffer *buf, struct tls_session *session)
buf_printf (&out, "IV_PLAT=netbsd\n");
#elif defined(TARGET_FREEBSD)
buf_printf (&out, "IV_PLAT=freebsd\n");
+#elif defined(TARGET_ANDROID)
+ buf_printf(&out, "IV_PLAT=android\n");
#elif defined(WIN32)
buf_printf (&out, "IV_PLAT=win\n");
#endif
diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h
index 3337764..8ce40f7 100644
--- a/src/openvpn/syshead.h
+++ b/src/openvpn/syshead.h
< at >< at > -212,7 +212,7 < at >< at >
#include <net/if_tap.h>
#endif
-#ifdef TARGET_LINUX
+#if defined(TARGET_LINUX) || defined (TARGET_ANDROID)
#if defined(HAVE_NETINET_IF_ETHER_H)
#include <netinet/if_ether.h>
diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
index 633150f..7aa8627 100644
--- a/src/openvpn/tun.c
+++ b/src/openvpn/tun.c
< at >< at > -49,6 +49,11 < at >< at >
#include "memdbg.h"
+#ifdef TARGET_ANDROID
+#include "jniglue.h"
+#endif
+
+
#ifdef WIN32
/* #define SIMULATE_DHCP_FAILED */ /* simulate bad DHCP negotiation */
< at >< at > -768,6 +773,8 < at >< at > do_ifconfig (struct tuntap *tt,
tt->did_ifconfig = true;
#endif /*ENABLE_IPROUTE*/
+#elif defined(TARGET_ANDROID)
+ addInterfaceInformation(tun_mtu,ifconfig_local, ifconfig_remote_netmask);
#elif defined(TARGET_SOLARIS)
/* Solaris 2.6 (and 7?) cannot set all parameters in one go...
< at >< at > -1365,7 +1372,24 < at >< at > close_tun_generic (struct tuntap *tt)
#endif
-#if defined(TARGET_LINUX)
+#if defined(TARGET_LINUX) || defined(TARGET_ANDROID)
+
+#if defined (TARGET_ANDROID)
+void
+open_tun (const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt)
+{
+ struct gc_arena gc = gc_new ();
+ int i;
+ for (i = 0; i < tt->options.dns_len; ++i) {
+ android_set_dns(print_in_addr_t(tt->options.dns[i], 0, &gc));
+ }
+
+ if(tt->options.domain)
+ android_set_domain(tt->options.domain);
+ tt->fd = android_open_tun();
+}
+
+#else
#ifdef HAVE_LINUX_IF_TUN_H/* New driver support */
< at >< at > -1411,7 +1435,7 < at >< at > open_tun (const char *dev, const char *dev_type, const char *dev_node, struct tu
if (!tt->ipv6)
ifr.ifr_flags = IFF_NO_PI;
-#if defined(IFF_ONE_QUEUE) && defined(SIOCSIFTXQLEN)
+#if defined(IFF_ONE_QUEUE) && defined(SIOCSIFTXQLEN) && !defined(TARGET_ANDROID)
ifr.ifr_flags |= IFF_ONE_QUEUE;
#endif
< at >< at > -1501,6 +1525,7 < at >< at > open_tun (const char *dev, const char *dev_type, const char *dev_node, struct tu
}
#endif /* HAVE_LINUX_IF_TUN_H */
+#endif /* TARGET_ANDROID */
#ifdef ENABLE_FEATURE_TUN_PERSIST
diff --git a/src/openvpn/tun.h b/src/openvpn/tun.h
index 9bd990f..095e77e 100644
--- a/src/openvpn/tun.h
+++ b/src/openvpn/tun.h
< at >< at > -38,7 +38,7 < at >< at >
#include "proto.h"
#include "misc.h"
-#ifdef WIN32
+#if defined(WIN32) || defined(TARGET_ANDROID)
#define TUN_ADAPTER_INDEX_INVALID ((DWORD)-1)
< at >< at > -76,6 +76,7 < at >< at > struct tuntap_options {
int netbios_node_type; /* NBT 1,2,4,8 (46) */
+
#define N_DHCP_ADDR 4 /* Max # of addresses allowed for
DNS, WINS, etc. */
< at >< at > -292,11 +293,30 < at >< at > ifconfig_order(void)
return IFCONFIG_AFTER_TUN_OPEN;
#elif defined(WIN32)
return IFCONFIG_BEFORE_TUN_OPEN;
+#elif defined(TARGET_ANDROID)
+ return IFCONFIG_BEFORE_TUN_OPEN;
#else
return IFCONFIG_DEFAULT;
#endif
}
+#define ROUTE_BEFORE_TUN 0
+#define ROUTE_AFTER_TUN 1
+#define ROUTE_ORDER_DEFAULT ROUTE_AFTER_TUN
+
+static inline int
+route_order(void)
+{
+#if defined(TARGET_ANDROID)
+ return ROUTE_BEFORE_TUN;
+#else
+ return ROUTE_ORDER_DEFAULT;
+#endif
+}
+
+
+
+
#ifdef WIN32
#define TUN_PASS_BUFFER
</pre>Arne Schwabe2012-05-09T21:24:49[PATCH] Don't require DAF_INITIAL_AUTH to sendADDRESS/DISCONNECT messages
http://comments.gmane.org/gmane.network.openvpn.devel/6456
<pre>From: Adrien Bustany <adrien.bustany< at >nokia.com>
As discussed in [1], here is a cleaned up version of my patch to fix
the sending of CLIENT:ADDRESS/CLIENT:DISCONNECT message on the
management interface when using password-less TLS certificate
authentication. It seems that DAF_INITIAL_AUTH is now unused, should I
send another patch that removes it altogether?
Adrien Bustany (1):
management: Don't require DAF_INITIAL_AUTH to send ADDRESS/DISCONNECT
messages
src/openvpn/manage.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
</pre>Adrien Bustany2012-05-08T07:30:02OpenVPN in the Hypervisor
http://comments.gmane.org/gmane.network.openvpn.devel/6446
<pre>I had an idea I wanted to run by people and see if its feasible....here
goes.
I've been hearing a lot about "virtualized" networking for VMs and that got
me thinking. It seems like OpenVPN would be a good tool that could join a
group of VMs into their own private LAN, basically segregating them from
the internet even though they're just machines hosted by amazon, rackspace,
or in my own server room. This could all be done now by setting all the VMs
up with the openvpn client and getting them to connect, etc. The down side
is that this is a lot of configuration, and the machines would still be
exposed to the larger network.
The idea I had, and wanted to run by, was if it would be possible to
integrate an openvpn client into the hypervisor's virtual network card.
This would make it so that from the moment the VM boots up, it is only
connected to the private LAN served by the OpenVPN server. The VM would see
just another NIC, but instead of routing the data directly to the
Hypervisor's NIC (tap) or NATing it or whatever, it would go to an OpenVPN
client library (that wouldn't need a tun/tap device on the hypervisor)
which sends the data to the server over the udp connection.
Is this something that would be technically feasible? Practically feasible?
I've only used the binaries before, is the client in a state (is there a
libopenvpn) where it could be plugged into another program like QEMU/KVM?
Thanks for any input,
Tom
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/_______________________________________________
Openvpn-devel mailing list
Openvpn-devel< at >lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
</pre>Tom Kent2012-05-08T01:03:17A few questions related to the management interface
http://comments.gmane.org/gmane.network.openvpn.devel/6442
<pre>Hi,
I was toying with the management interface of openvpn (on server side),
to monitor the connections/disconnections of my clients. The clients
are authenticated with TLS certificates, without a password. I needed
to
patch two things in order to get things working as I wanted, but since
I'm new to the code base, I'm not sure at all that those patches make
sense, especially the second one. I still attach them to this email,
in the hope that people here will point where I'm wrong :)
Cheers
Adrien
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/_______________________________________________
Openvpn-devel mailing list
Openvpn-devel< at >lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
</pre>Adrien Bustany2012-05-07T11:58:37[RFC] Split plugins into their own repositories
http://comments.gmane.org/gmane.network.openvpn.devel/6436
<pre>Hello,
Now, I also have the courage to ask one more question regarding build....
We currently have:
- auth-pam
- defer
- down-root
- examples
Distribution wise it will be best to allow admin to install plugins as
own package which requires openvpn, allowing select specific plugins,
while each has own release cycle and versioning.
I already made the openvpn-plugin.h available in /usr/include, so
there is no real reason to keep the plugins in openvpn tree, as they
can be complied using their own separate build system.
for example, if we take RHEL, we can install the following to use the
auth-pam plugin:
openvpn
openvpn-plugin-auth-pam
To build plugin we need openvpn-devel.
What do you say?
BTW: next will be probably to split out the contrib... :)
Alon
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
</pre>Alon Bar-Lev2012-05-06T16:55:06Search EngineSearch the mailing list at Gmanequery
http://search.gmane.org/?group=$group=gmane.network.openvpn.devel