Diffstat (limited to 'plugin.c')
-rw-r--r--plugin.c751
1 files changed, 751 insertions, 0 deletions
diff --git a/plugin.c b/plugin.c
new file mode 100644
index 0000000..769de8d
--- /dev/null
+++ b/plugin.c
@@ -0,0 +1,751 @@
+/*
+ * OpenVPN -- An application to securely tunnel IP networks
+ * over a single TCP/UDP port, with support for SSL/TLS-based
+ * session authentication and key exchange,
+ * packet encryption, packet authentication, and
+ * packet compression.
+ *
+ * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program (see the file COPYING included with this
+ * distribution); if not, write to the Free Software Foundation, Inc.,
+ * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#include "syshead.h"
+
+#ifdef ENABLE_PLUGIN
+
+#include "buffer.h"
+#include "error.h"
+#include "misc.h"
+#include "plugin.h"
+
+#include "memdbg.h"
+
+#define PLUGIN_SYMBOL_REQUIRED (1<<0)
+
+/* used only for program aborts */
+static struct plugin_common *static_plugin_common = NULL; /* GLOBAL */
+
+static void
+plugin_show_string_array (int msglevel, const char *name, const char *array[])
+{
+ int i;
+ for (i = 0; array[i]; ++i)
+ {
+ if (env_safe_to_print (array[i]))
+ msg (msglevel, "%s[%d] = '%s'", name, i, array[i]);
+ }
+}
+
+static void
+plugin_show_args_env (int msglevel, const char *argv[], const char *envp[])
+{
+ if (check_debug_level (msglevel))
+ {
+ plugin_show_string_array (msglevel, "ARGV", argv);
+ plugin_show_string_array (msglevel, "ENVP", envp);
+ }
+}
+
+static const char *
+plugin_type_name (const int type)
+{
+ switch (type)
+ {
+ case OPENVPN_PLUGIN_UP:
+ return "PLUGIN_UP";
+ case OPENVPN_PLUGIN_DOWN:
+ return "PLUGIN_DOWN";
+ case OPENVPN_PLUGIN_ROUTE_UP:
+ return "PLUGIN_ROUTE_UP";
+ case OPENVPN_PLUGIN_IPCHANGE:
+ return "PLUGIN_IPCHANGE";
+ case OPENVPN_PLUGIN_TLS_VERIFY:
+ return "PLUGIN_TLS_VERIFY";
+ case OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY:
+ return "PLUGIN_AUTH_USER_PASS_VERIFY";
+ case OPENVPN_PLUGIN_CLIENT_CONNECT:
+ return "PLUGIN_CLIENT_CONNECT";
+ case OPENVPN_PLUGIN_CLIENT_CONNECT_V2:
+ return "PLUGIN_CLIENT_CONNECT";
+ case OPENVPN_PLUGIN_CLIENT_DISCONNECT:
+ return "PLUGIN_CLIENT_DISCONNECT";
+ case OPENVPN_PLUGIN_LEARN_ADDRESS:
+ return "PLUGIN_LEARN_ADDRESS";
+ case OPENVPN_PLUGIN_TLS_FINAL:
+ return "PLUGIN_TLS_FINAL";
+ case OPENVPN_PLUGIN_ENABLE_PF:
+ return "OPENVPN_PLUGIN_ENABLE_PF";
+ default:
+ return "PLUGIN_???";
+ }
+}
+
+static const char *
+plugin_mask_string (const unsigned int type_mask, struct gc_arena *gc)
+{
+ struct buffer out = alloc_buf_gc (256, gc);
+ bool first = true;
+ int i;
+
+ for (i = 0; i < OPENVPN_PLUGIN_N; ++i)
+ {
+ if (OPENVPN_PLUGIN_MASK (i) & type_mask)
+ {
+ if (!first)
+ buf_printf (&out, "|");
+ buf_printf (&out, "%s", plugin_type_name (i));
+ first = false;
+ }
+ }
+ return BSTR (&out);
+}
+
+static inline unsigned int
+plugin_supported_types (void)
+{
+ return ((1<<OPENVPN_PLUGIN_N)-1);
+}
+
+struct plugin_option_list *
+plugin_option_list_new (struct gc_arena *gc)
+{
+ struct plugin_option_list *ret;
+ ALLOC_OBJ_CLEAR_GC (ret, struct plugin_option_list, gc);
+ return ret;
+}
+
+bool
+plugin_option_list_add (struct plugin_option_list *list, char **p, struct gc_arena *gc)
+{
+ if (list->n < MAX_PLUGINS)
+ {
+ struct plugin_option *o = &list->plugins[list->n++];
+ o->argv = make_extended_arg_array (p, gc);
+ if (o->argv[0])
+ o->so_pathname = o->argv[0];
+ return true;
+ }
+ else
+ return false;
+}
+
+#ifdef ENABLE_DEBUG
+void
+plugin_option_list_print (const struct plugin_option_list *list, int msglevel)
+{
+ int i;
+ struct gc_arena gc = gc_new ();
+
+ for (i = 0; i < list->n; ++i)
+ {
+ const struct plugin_option *o = &list->plugins[i];
+ msg (msglevel, " plugin[%d] %s '%s'", i, o->so_pathname, print_argv (o->argv, &gc, PA_BRACKET));
+ }
+
+ gc_free (&gc);
+}
+#endif
+
+#if defined(USE_LIBDL)
+
+static void
+libdl_resolve_symbol (void *handle, void **dest, const char *symbol, const char *plugin_name, const unsigned int flags)
+{
+ *dest = dlsym (handle, symbol);
+ if ((flags & PLUGIN_SYMBOL_REQUIRED) && !*dest)
+ msg (M_FATAL, "PLUGIN: could not find required symbol '%s' in plugin shared object %s: %s", symbol, plugin_name, dlerror());
+}
+
+#elif defined(USE_LOAD_LIBRARY)
+
+static void
+dll_resolve_symbol (HMODULE module, void **dest, const char *symbol, const char *plugin_name, const unsigned int flags)
+{
+ *dest = GetProcAddress (module, symbol);
+ if ((flags & PLUGIN_SYMBOL_REQUIRED) && !*dest)
+ msg (M_FATAL, "PLUGIN: could not find required symbol '%s' in plugin DLL %s", symbol, plugin_name);
+}
+
+#endif
+
+static void
+plugin_init_item (struct plugin *p, const struct plugin_option *o)
+{
+ struct gc_arena gc = gc_new ();
+ bool rel = false;
+
+ p->so_pathname = o->so_pathname;
+ p->plugin_type_mask = plugin_supported_types ();
+
+#if defined(USE_LIBDL)
+
+ p->handle = NULL;
+#if defined(PLUGIN_LIBDIR)
+ if (!absolute_pathname (p->so_pathname))
+ {
+ char full[PATH_MAX];
+
+ openvpn_snprintf (full, sizeof(full), "%s/%s", PLUGIN_LIBDIR, p->so_pathname);
+ p->handle = dlopen (full, RTLD_NOW);
+#if defined(ENABLE_PLUGIN_SEARCH)
+ if (!p->handle)
+ {
+ rel = true;
+ p->handle = dlopen (p->so_pathname, RTLD_NOW);
+ }
+#endif
+ }
+ else
+#endif
+ {
+ rel = !absolute_pathname (p->so_pathname);
+ p->handle = dlopen (p->so_pathname, RTLD_NOW);
+ }
+ if (!p->handle)
+ msg (M_ERR, "PLUGIN_INIT: could not load plugin shared object %s: %s", p->so_pathname, dlerror());
+
+# define PLUGIN_SYM(var, name, flags) libdl_resolve_symbol (p->handle, (void*)&p->var, name, p->so_pathname, flags)
+
+#elif defined(USE_LOAD_LIBRARY)
+
+ rel = !absolute_pathname (p->so_pathname);
+ p->module = LoadLibrary (p->so_pathname);
+ if (!p->module)
+ msg (M_ERR, "PLUGIN_INIT: could not load plugin DLL: %s", p->so_pathname);
+
+# define PLUGIN_SYM(var, name, flags) dll_resolve_symbol (p->module, (void*)&p->var, name, p->so_pathname, flags)
+
+#endif
+
+ PLUGIN_SYM (open1, "openvpn_plugin_open_v1", 0);
+ PLUGIN_SYM (open2, "openvpn_plugin_open_v2", 0);
+ PLUGIN_SYM (func1, "openvpn_plugin_func_v1", 0);
+ PLUGIN_SYM (func2, "openvpn_plugin_func_v2", 0);
+ PLUGIN_SYM (close, "openvpn_plugin_close_v1", PLUGIN_SYMBOL_REQUIRED);
+ PLUGIN_SYM (abort, "openvpn_plugin_abort_v1", 0);
+ PLUGIN_SYM (client_constructor, "openvpn_plugin_client_constructor_v1", 0);
+ PLUGIN_SYM (client_destructor, "openvpn_plugin_client_destructor_v1", 0);
+ PLUGIN_SYM (min_version_required, "openvpn_plugin_min_version_required_v1", 0);
+ PLUGIN_SYM (initialization_point, "openvpn_plugin_select_initialization_point_v1", 0);
+
+ if (!p->open1 && !p->open2)
+ msg (M_FATAL, "PLUGIN: symbol openvpn_plugin_open_vX is undefined in plugin: %s", p->so_pathname);
+
+ if (!p->func1 && !p->func2)
+ msg (M_FATAL, "PLUGIN: symbol openvpn_plugin_func_vX is undefined in plugin: %s", p->so_pathname);
+
+ /*
+ * Verify that we are sufficiently up-to-date to handle the plugin
+ */
+ if (p->min_version_required)
+ {
+ const int plugin_needs_version = (*p->min_version_required)();
+ if (plugin_needs_version > OPENVPN_PLUGIN_VERSION)
+ msg (M_FATAL, "PLUGIN_INIT: plugin needs interface version %d, but this version of OpenVPN only supports version %d: %s",
+ plugin_needs_version,
+ OPENVPN_PLUGIN_VERSION,
+ p->so_pathname);
+ }
+
+ if (p->initialization_point)
+ p->requested_initialization_point = (*p->initialization_point)();
+ else
+ p->requested_initialization_point = OPENVPN_PLUGIN_INIT_PRE_DAEMON;
+
+ if (rel)
+ msg (M_WARN, "WARNING: plugin '%s' specified by a relative pathname -- using an absolute pathname would be more secure", p->so_pathname);
+
+ p->initialized = true;
+
+ gc_free (&gc);
+}
+
+static void
+plugin_open_item (struct plugin *p,
+ const struct plugin_option *o,
+ struct openvpn_plugin_string_list **retlist,
+ const char **envp,
+ const int init_point)
+{
+ ASSERT (p->initialized);
+
+ /* clear return list */
+ if (retlist)
+ *retlist = NULL;
+
+ if (!p->plugin_handle && init_point == p->requested_initialization_point)
+ {
+ struct gc_arena gc = gc_new ();
+
+ dmsg (D_PLUGIN_DEBUG, "PLUGIN_INIT: PRE");
+ plugin_show_args_env (D_PLUGIN_DEBUG, o->argv, envp);
+
+ /*
+ * Call the plugin initialization
+ */
+ if (p->open2)
+ p->plugin_handle = (*p->open2)(&p->plugin_type_mask, o->argv, envp, retlist);
+ else if (p->open1)
+ p->plugin_handle = (*p->open1)(&p->plugin_type_mask, o->argv, envp);
+ else
+ ASSERT (0);
+
+ msg (D_PLUGIN, "PLUGIN_INIT: POST %s '%s' intercepted=%s %s",
+ p->so_pathname,
+ print_argv (o->argv, &gc, PA_BRACKET),
+ plugin_mask_string (p->plugin_type_mask, &gc),
+ (retlist && *retlist) ? "[RETLIST]" : "");
+
+ if ((p->plugin_type_mask | plugin_supported_types()) != plugin_supported_types())
+ msg (M_FATAL, "PLUGIN_INIT: plugin %s expressed interest in unsupported plugin types: [want=0x%08x, have=0x%08x]",
+ p->so_pathname,
+ p->plugin_type_mask,
+ plugin_supported_types());
+
+ if (p->plugin_handle == NULL)
+ msg (M_FATAL, "PLUGIN_INIT: plugin initialization function failed: %s",
+ p->so_pathname);
+
+ gc_free (&gc);
+ }
+}
+
+static int
+plugin_call_item (const struct plugin *p,
+ void *per_client_context,
+ const int type,
+ const struct argv *av,
+ struct openvpn_plugin_string_list **retlist,
+ const char **envp)
+{
+ int status = OPENVPN_PLUGIN_FUNC_SUCCESS;
+
+ /* clear return list */
+ if (retlist)
+ *retlist = NULL;
+
+ if (p->plugin_handle && (p->plugin_type_mask & OPENVPN_PLUGIN_MASK (type)))
+ {
+ struct gc_arena gc = gc_new ();
+ struct argv a = argv_insert_head (av, p->so_pathname);
+
+ dmsg (D_PLUGIN_DEBUG, "PLUGIN_CALL: PRE type=%s", plugin_type_name (type));
+ plugin_show_args_env (D_PLUGIN_DEBUG, (const char **)a.argv, envp);
+
+ /*
+ * Call the plugin work function
+ */
+ if (p->func2)
+ status = (*p->func2)(p->plugin_handle, type, (const char **)a.argv, envp, per_client_context, retlist);
+ else if (p->func1)
+ status = (*p->func1)(p->plugin_handle, type, (const char **)a.argv, envp);
+ else
+ ASSERT (0);
+
+ msg (D_PLUGIN, "PLUGIN_CALL: POST %s/%s status=%d",
+ p->so_pathname,
+ plugin_type_name (type),
+ status);
+
+ if (status == OPENVPN_PLUGIN_FUNC_ERROR)
+ msg (M_WARN, "PLUGIN_CALL: plugin function %s failed with status %d: %s",
+ plugin_type_name (type),
+ status,
+ p->so_pathname);
+
+ argv_reset (&a);
+ gc_free (&gc);
+ }
+ return status;
+}
+
+static void
+plugin_close_item (struct plugin *p)
+{
+ if (p->initialized)
+ {
+ msg (D_PLUGIN, "PLUGIN_CLOSE: %s", p->so_pathname);
+
+ /*
+ * Call the plugin close function
+ */
+ if (p->plugin_handle)
+ (*p->close)(p->plugin_handle);
+
+#if defined(USE_LIBDL)
+ if (dlclose (p->handle))
+ msg (M_WARN, "PLUGIN_CLOSE: dlclose() failed on plugin: %s", p->so_pathname);
+#elif defined(USE_LOAD_LIBRARY)
+ if (!FreeLibrary (p->module))
+ msg (M_WARN, "PLUGIN_CLOSE: FreeLibrary() failed on plugin: %s", p->so_pathname);
+#endif
+
+ p->initialized = false;
+ }
+}
+
+static void
+plugin_abort_item (const struct plugin *p)
+{
+ /*
+ * Call the plugin abort function
+ */
+ if (p->abort)
+ (*p->abort)(p->plugin_handle);
+}
+
+static void
+plugin_per_client_init (const struct plugin_common *pc,
+ struct plugin_per_client *cli,
+ const int init_point)
+{
+ const int n = pc->n;
+ int i;
+
+ for (i = 0; i < n; ++i)
+ {
+ const struct plugin *p = &pc->plugins[i];
+ if (p->plugin_handle
+ && (init_point < 0 || init_point == p->requested_initialization_point)
+ && p->client_constructor)
+ cli->per_client_context[i] = (*p->client_constructor)(p->plugin_handle);
+ }
+}
+
+static void
+plugin_per_client_destroy (const struct plugin_common *pc, struct plugin_per_client *cli)
+{
+ const int n = pc->n;
+ int i;
+
+ for (i = 0; i < n; ++i)
+ {
+ const struct plugin *p = &pc->plugins[i];
+ void *cc = cli->per_client_context[i];
+
+ if (p->client_destructor && cc)
+ (*p->client_destructor)(p->plugin_handle, cc);
+ }
+ CLEAR (*cli);
+}
+
+struct plugin_list *
+plugin_list_inherit (const struct plugin_list *src)
+{
+ struct plugin_list *pl;
+ ALLOC_OBJ_CLEAR (pl, struct plugin_list);
+ pl->common = src->common;
+ ASSERT (pl->common);
+ plugin_per_client_init (pl->common, &pl->per_client, -1);
+ return pl;
+}
+
+static struct plugin_common *
+plugin_common_init (const struct plugin_option_list *list)
+{
+ int i;
+ struct plugin_common *pc;
+
+ ALLOC_OBJ_CLEAR (pc, struct plugin_common);
+
+ for (i = 0; i < list->n; ++i)
+ {
+ plugin_init_item (&pc->plugins[i],
+ &list->plugins[i]);
+ pc->n = i + 1;
+ }
+
+ static_plugin_common = pc;
+ return pc;
+}
+
+static void
+plugin_common_open (struct plugin_common *pc,
+ const struct plugin_option_list *list,
+ struct plugin_return *pr,
+ const struct env_set *es,
+ const int init_point)
+{
+ struct gc_arena gc = gc_new ();
+ int i;
+ const char **envp;
+
+ envp = make_env_array (es, false, &gc);
+
+ if (pr)
+ plugin_return_init (pr);
+
+ for (i = 0; i < pc->n; ++i)
+ {
+ plugin_open_item (&pc->plugins[i],
+ &list->plugins[i],
+ pr ? &pr->list[i] : NULL,
+ envp,
+ init_point);
+ }
+
+ if (pr)
+ pr->n = i;
+
+ gc_free (&gc);
+}
+
+static void
+plugin_common_close (struct plugin_common *pc)
+{
+ static_plugin_common = NULL;
+ if (pc)
+ {
+ int i;
+
+ for (i = 0; i < pc->n; ++i)
+ plugin_close_item (&pc->plugins[i]);
+ free (pc);
+ }
+}
+
+struct plugin_list *
+plugin_list_init (const struct plugin_option_list *list)
+{
+ struct plugin_list *pl;
+ ALLOC_OBJ_CLEAR (pl, struct plugin_list);
+ pl->common = plugin_common_init (list);
+ pl->common_owned = true;
+ return pl;
+}
+
+void
+plugin_list_open (struct plugin_list *pl,
+ const struct plugin_option_list *list,
+ struct plugin_return *pr,
+ const struct env_set *es,
+ const int init_point)
+{
+ plugin_common_open (pl->common, list, pr, es, init_point);
+ plugin_per_client_init (pl->common, &pl->per_client, init_point);
+}
+
+int
+plugin_call (const struct plugin_list *pl,
+ const int type,
+ const struct argv *av,
+ struct plugin_return *pr,
+ struct env_set *es)
+{
+ if (pr)
+ plugin_return_init (pr);
+
+ if (plugin_defined (pl, type))
+ {
+ struct gc_arena gc = gc_new ();
+ int i;
+ const char **envp;
+ const int n = plugin_n (pl);
+ bool success = false;
+ bool error = false;
+ bool deferred = false;
+
+ mutex_lock_static (L_PLUGIN);
+
+ setenv_del (es, "script_type");
+ envp = make_env_array (es, false, &gc);
+
+ for (i = 0; i < n; ++i)
+ {
+ const int status = plugin_call_item (&pl->common->plugins[i],
+ pl->per_client.per_client_context[i],
+ type,
+ av,
+ pr ? &pr->list[i] : NULL,
+ envp);
+ switch (status)
+ {
+ case OPENVPN_PLUGIN_FUNC_SUCCESS:
+ success = true;
+ break;
+ case OPENVPN_PLUGIN_FUNC_DEFERRED:
+ deferred = true;
+ break;
+ default:
+ error = true;
+ break;
+ }
+ }
+
+ if (pr)
+ pr->n = i;
+
+ mutex_unlock_static (L_PLUGIN);
+
+ gc_free (&gc);
+
+ if (type == OPENVPN_PLUGIN_ENABLE_PF && success)
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+ else if (error)
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ else if (deferred)
+ return OPENVPN_PLUGIN_FUNC_DEFERRED;
+ }
+
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
+}
+
+void
+plugin_list_close (struct plugin_list *pl)
+{
+ if (pl)
+ {
+ if (pl->common)
+ {
+ plugin_per_client_destroy (pl->common, &pl->per_client);
+
+ if (pl->common_owned)
+ plugin_common_close (pl->common);
+ }
+
+ free (pl);
+ }
+}
+
+void
+plugin_abort (void)
+{
+ struct plugin_common *pc = static_plugin_common;
+ static_plugin_common = NULL;
+ if (pc)
+ {
+ int i;
+
+ for (i = 0; i < pc->n; ++i)
+ plugin_abort_item (&pc->plugins[i]);
+ }
+}
+
+bool
+plugin_defined (const struct plugin_list *pl, const int type)
+{
+ bool ret = false;
+
+ if (pl)
+ {
+ const struct plugin_common *pc = pl->common;
+
+ if (pc)
+ {
+ int i;
+ const unsigned int mask = OPENVPN_PLUGIN_MASK (type);
+ for (i = 0; i < pc->n; ++i)
+ {
+ if (pc->plugins[i].plugin_type_mask & mask)
+ {
+ ret = true;
+ break;
+ }
+ }
+ }
+ }
+ return ret;
+}
+
+/*
+ * Plugin return functions
+ */
+
+static void
+openvpn_plugin_string_list_item_free (struct openvpn_plugin_string_list *l)
+{
+ if (l)
+ {
+ free (l->name);
+ string_clear (l->value);
+ free (l->value);
+ free (l);
+ }
+}
+
+static void
+openvpn_plugin_string_list_free (struct openvpn_plugin_string_list *l)
+{
+ struct openvpn_plugin_string_list *next;
+ while (l)
+ {
+ next = l->next;
+ openvpn_plugin_string_list_item_free (l);
+ l = next;
+ }
+}
+
+static struct openvpn_plugin_string_list *
+openvpn_plugin_string_list_find (struct openvpn_plugin_string_list *l, const char *name)
+{
+ while (l)
+ {
+ if (!strcmp (l->name, name))
+ return l;
+ l = l->next;
+ }
+ return NULL;
+}
+
+void
+plugin_return_get_column (const struct plugin_return *src,
+ struct plugin_return *dest,
+ const char *colname)
+{
+ int i;
+
+ dest->n = 0;
+ for (i = 0; i < src->n; ++i)
+ dest->list[i] = openvpn_plugin_string_list_find (src->list[i], colname);
+ dest->n = i;
+}
+
+void
+plugin_return_free (struct plugin_return *pr)
+{
+ int i;
+ for (i = 0; i < pr->n; ++i)
+ openvpn_plugin_string_list_free (pr->list[i]);
+ pr->n = 0;
+}
+
+#ifdef ENABLE_DEBUG
+void
+plugin_return_print (const int msglevel, const char *prefix, const struct plugin_return *pr)
+{
+ int i;
+ msg (msglevel, "PLUGIN_RETURN_PRINT %s", prefix);
+ for (i = 0; i < pr->n; ++i)
+ {
+ struct openvpn_plugin_string_list *l = pr->list[i];
+ int count = 0;
+
+ msg (msglevel, "PLUGIN #%d (%s)", i, prefix);
+ while (l)
+ {
+ msg (msglevel, "[%d] '%s' -> '%s'\n",
+ ++count,
+ l->name,
+ l->value);
+ l = l->next;
+ }
+ }
+}
+#endif
+
+#else
+static void dummy(void) {}
+#endif /* ENABLE_PLUGIN */
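Review bot: In plugin_init_item the relative-pathname warning (`if (rel) msg (M_WARN, ...)`) is logged only after dlopen()/LoadLibrary() has loaded the object and after its min_version_required and initialization_point entry points have been called. By the time an operator sees the warning, whatever the loader found via the working directory or its default search path has already run inside the OpenVPN process. On the branch without PLUGIN_LIBDIR and on the USE_LOAD_LIBRARY branch a relative name always goes straight to the loader, so consider computing `rel` and rejecting (or at least warning) before the load, and allowing relative names only behind an explicit opt-in as ENABLE_PLUGIN_SEARCH already does for the PLUGIN_LIBDIR fallback. The result of openvpn_snprintf() into `full` is also ignored, so an over-long name would reach dlopen() truncated; `if (!openvpn_snprintf (full, sizeof(full), "%s/%s", PLUGIN_LIBDIR, p->so_pathname)) msg (M_FATAL, "PLUGIN_INIT: plugin pathname too long: %s", p->so_pathname);` would make that case fail closed.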