├── .gitignore ├── LICENSE ├── Makefile ├── README.md ├── examples └── external_script └── openvpn-plugin-auth-script.c /.gitignore: -------------------------------------------------------------------------------- 1 | # Prerequisites 2 | *.d 3 | 4 | # Object files 5 | *.o 6 | *.ko 7 | *.obj 8 | *.elf 9 | 10 | # Linker output 11 | *.ilk 12 | *.map 13 | *.exp 14 | 15 | # Precompiled Headers 16 | *.gch 17 | *.pch 18 | 19 | # Libraries 20 | *.lib 21 | *.a 22 | *.la 23 | *.lo 24 | 25 | # Shared objects (inc. Windows DLLs) 26 | *.dll 27 | *.so 28 | *.so.* 29 | *.dylib 30 | 31 | # Executables 32 | *.exe 33 | *.out 34 | *.app 35 | *.i*86 36 | *.x86_64 37 | *.hex 38 | 39 | # Debug files 40 | *.dSYM/ 41 | *.su 42 | *.idb 43 | *.pdb 44 | 45 | # Kernel Module Compile Results 46 | *.mod* 47 | *.cmd 48 | modules.order 49 | Module.symvers 50 | Mkfile.old 51 | dkms.conf 52 | 53 | # YCM Plugin Config Files 54 | .ycm_extra_conf.py 55 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright 2017 FreeAgent Central Ltd 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | CC ?= cc 2 | CFLAGS ?= -O -Wall -Wextra -Wformat-security -D_FORTIFY_SOURCE=2 3 | CFLAGS += -std=c99 -D_POSIX_C_SOURCE=200809L 4 | LDFLAGS += -fPIC -shared 5 | 6 | # FreeBSD puts the openvpn header in a different location unknown to clang 7 | IPATH_FREEBSD = /usr/local/include/ 8 | 9 | # Add OS Specific build flags 10 | UNAME_S := $(shell uname -s) 11 | ifeq ($(UNAME_S),FreeBSD) 12 | # Add the include path for openvpn-plugin.h 13 | CFLAGS += -I$(IPATH_FREEBSD) 14 | # Ensure the signals we need are visible 15 | CFLAGS += -D_XOPEN_SOURCE=600 16 | 17 | # BSD uses Clang - we need to check for stack-protector-strong flag 18 | STACK_PROTECT := $(shell $(CC) --help | grep stack-protector-strong) 19 | ifneq ($(filter %stack-protector-strong, $(STACK_PROTECT)),) 20 | CFLAGS += -fstack-protector-strong 21 | endif 22 | else 23 | CFLAGS += -fstack-protector-strong 24 | endif 25 | 26 | $(info Building for $(UNAME_S)) 27 | 28 | # Output Files 29 | SRC = $(wildcard *.c) 30 | OUT = $(SRC:%.c=%.so) 31 | 32 | %.so: %.c 33 | $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< 34 | 35 | all: plugin 36 | 37 | plugin: $(OUT) 38 | 39 | clean: 40 | rm -f *.so 41 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # OpenVPN Auth Script Plugin 2 | 3 | Runs an external script to decide whether to authenticate a user or not. Useful for checking 2FA on VPN auth attempts as it doesn't block the main openvpn process, unlike passing the script to `--auth-user-pass-verify` flag. 4 | 5 | The idea of the plugin is to do as little as possible, and let the external binary do all the heavy lifting itself. 6 | 7 | ## Installation 8 | 9 | Compile the shared library with `make plugin` and copy `openvpn-plugin-auth-script.so` into your `lib/openvpn/plugins/` folder. 10 | 11 | Copy your external script onto the machine in a sane place, making sure it's executable by the user openvpn is running as. 12 | 13 | Configure the plugin in your openvpn config, passing the path to the external script as the second argument: 14 | 15 | plugin /path/to/openvpn-plugin-auth-script.so /path/to/external/script.sh 16 | 17 | The plugin will also pass any strings provided after the script name as arguments to the script execution: 18 | 19 | plugin /path/to/openvpn-plugin-auth-script.so /path/to/external/script.sh arg1 arg2 argN 20 | 21 | ## External Script requirements 22 | 23 | The script used to handle authentication has a very specific set of skills it needs, and if you don't provide those it will hunt you down in silence. 24 | 25 | It needs to: 26 | 27 | * Be executable by the user openvpn runs as 28 | * Read `username` and `password` from the `ENV` to check them 29 | * Read `auth_control_file` from the `ENV` and write a single character to that path to signify auth success/failure 30 | * To **allow** authentication, write `1` to the file 31 | * To **block** authentication, write `0` to the file 32 | * Exit with status code 0 33 | * Not depend on `PATH` variable (eg, don't use `/usr/bin/env` in shebang) 34 | 35 | Example env the script is called in: 36 | 37 | PWD=/ 38 | SHLVL=0 39 | auth_control_file=/tmp/openvpn_acf_9090e6750844ee26d7f23efbad0e95c2.tmp 40 | config=/opt/local/etc/openvpn/testvpn.conf 41 | daemon=1 42 | daemon_log_redirect=0 43 | daemon_pid=10502 44 | daemon_start_time=1488892554 45 | dev=tun0 46 | dev_type=tun 47 | ifconfig_local=192.168.2.1 48 | ifconfig_remote=192.168.2.2 49 | link_mtu=1572 50 | local_port_1=1194 51 | password=b 52 | proto_1=tcp-server 53 | redirect_gateway=0 54 | remote_port_1=1194 55 | route_gateway_1=192.168.2.2 56 | route_netmask_1=255.255.255.0 57 | route_network_1=192.168.2.0 58 | route_vpn_gateway=192.168.2.2 59 | script_context=init 60 | tun_mtu=1500 61 | untrusted_ip=192.168.3.4 62 | untrusted_port=54357 63 | username=a 64 | verb=9 65 | 66 | ### Static Challenge 67 | 68 | If you're using `static-challenge`, you might wonder where the response value is in the env hash. See the OpenVPN management-notes docs for more info, but it's passed as part of the password. 69 | 70 | The format in the env password value is `SCRV1::` 71 | 72 | ## License 73 | 74 | See LICENSE. 75 | -------------------------------------------------------------------------------- /examples/external_script: -------------------------------------------------------------------------------- 1 | #!/opt/local/bin/ruby 2 | 3 | AUTH_SUCCESS = "1" 4 | AUTH_FAILURE = "0" 5 | 6 | def respond_with(value, control_path = ENV["auth_control_file"]) 7 | File.open(control_path, "w+") do |f| 8 | f.puts(value) 9 | end 10 | exit 0 11 | end 12 | 13 | username = ENV["username"] 14 | password = ENV["password"] 15 | 16 | if password.start_with?("SCRV1") 17 | # static-challenge password, need to do some more work 18 | require "base64" 19 | 20 | # SCRV1:: 21 | _, password, challenge_response = password.split(":", 3) 22 | password = Base64.decode64(password) 23 | challenge_response = Base64.decode64(challenge_response) 24 | end 25 | 26 | if username == "root" && password == "root" 27 | if defined?(challenge_response) 28 | respond_with(AUTH_SUCCESS) if challenge_response == "root" 29 | else 30 | # No challenge response, we're good to go 31 | respond_with(AUTH_SUCCESS) 32 | end 33 | end 34 | 35 | respond_with(AUTH_FAILURE) 36 | -------------------------------------------------------------------------------- /openvpn-plugin-auth-script.c: -------------------------------------------------------------------------------- 1 | /* 2 | * auth-script OpenVPN plugin 3 | * 4 | * Runs an external script to decide whether to authenticate a user or not. 5 | * Useful for checking 2FA on VPN auth attempts as it doesn't block the main 6 | * openvpn process, unlike passing the script to --auth-user-pass-verify. 7 | * 8 | * Functions required to be a valid OpenVPN plugin: 9 | * openvpn_plugin_open_v3 10 | * openvpn_plugin_func_v3 11 | * openvpn_plugin_close_v1 12 | */ 13 | 14 | /* Required to use strdup */ 15 | #define __EXTENSIONS__ 16 | 17 | /********** Includes */ 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | 28 | /********** Constants */ 29 | /* For consistency in log messages */ 30 | #define PLUGIN_NAME "auth-script" 31 | #define OPENVPN_PLUGIN_VERSION_MIN 3 32 | #define SCRIPT_NAME_IDX 0 33 | 34 | /* Where we store our own settings/state */ 35 | struct plugin_context 36 | { 37 | plugin_log_t plugin_log; 38 | const char *argv[]; 39 | }; 40 | 41 | /* Handle an authentication request */ 42 | static int deferred_handler(struct plugin_context *context, 43 | const char *envp[]) 44 | { 45 | plugin_log_t log = context->plugin_log; 46 | pid_t pid; 47 | 48 | log(PLOG_DEBUG, PLUGIN_NAME, 49 | "Deferred handler using script_path=%s", 50 | context->argv[SCRIPT_NAME_IDX]); 51 | 52 | pid = fork(); 53 | 54 | /* Parent - child failed to fork */ 55 | if (pid < 0) { 56 | log(PLOG_ERR, PLUGIN_NAME, 57 | "pid failed < 0 check, got %d", pid); 58 | return OPENVPN_PLUGIN_FUNC_ERROR; 59 | } 60 | 61 | /* Parent - child forked successfully 62 | * 63 | * Here we wait until that child completes before notifying OpenVPN of 64 | * our status. 65 | */ 66 | if (pid > 0) { 67 | pid_t wait_rc; 68 | int wstatus; 69 | 70 | log(PLOG_DEBUG, PLUGIN_NAME, "child pid is %d", pid); 71 | 72 | /* Block until the child returns */ 73 | wait_rc = waitpid(pid, &wstatus, 0); 74 | 75 | /* Values less than 0 indicate no child existed */ 76 | if (wait_rc < 0) { 77 | log(PLOG_ERR, PLUGIN_NAME, 78 | "wait failed for pid %d, waitpid got %d", 79 | pid, wait_rc); 80 | return OPENVPN_PLUGIN_FUNC_ERROR; 81 | } 82 | 83 | /* WIFEXITED will be true if the child exited normally, any 84 | * other return indicates an abnormal termination. 85 | */ 86 | if (WIFEXITED(wstatus)) { 87 | log(PLOG_DEBUG, PLUGIN_NAME, 88 | "child pid %d exited with status %d", 89 | pid, WEXITSTATUS(wstatus)); 90 | return WEXITSTATUS(wstatus); 91 | } 92 | 93 | log(PLOG_ERR, PLUGIN_NAME, 94 | "child pid %d terminated abnormally", 95 | pid); 96 | return OPENVPN_PLUGIN_FUNC_ERROR; 97 | } 98 | 99 | 100 | /* Child Control - Spin off our sucessor */ 101 | pid = fork(); 102 | 103 | /* Notify our parent that our child faild to fork */ 104 | if (pid < 0) 105 | exit(OPENVPN_PLUGIN_FUNC_ERROR); 106 | 107 | /* Let our parent know that our child is working appropriately */ 108 | if (pid > 0) 109 | exit(OPENVPN_PLUGIN_FUNC_DEFERRED); 110 | 111 | /* Child Spawn - This process actually spawns the script */ 112 | 113 | /* Daemonize */ 114 | umask(0); 115 | setsid(); 116 | 117 | /* Close open files and move to root */ 118 | int chdir_rc = chdir("/"); 119 | if (chdir_rc < 0) 120 | log(PLOG_DEBUG, PLUGIN_NAME, 121 | "Error trying to change pwd to \'/\'"); 122 | close(STDIN_FILENO); 123 | close(STDOUT_FILENO); 124 | close(STDERR_FILENO); 125 | 126 | int execve_rc = execve(context->argv[0], 127 | (char *const*)context->argv, 128 | (char *const*)envp); 129 | if ( execve_rc == -1 ) { 130 | switch(errno) { 131 | case E2BIG: 132 | log(PLOG_DEBUG, PLUGIN_NAME, 133 | "Error trying to exec: E2BIG"); 134 | break; 135 | case EACCES: 136 | log(PLOG_DEBUG, PLUGIN_NAME, 137 | "Error trying to exec: EACCES"); 138 | break; 139 | case EAGAIN: 140 | log(PLOG_DEBUG, PLUGIN_NAME, 141 | "Error trying to exec: EAGAIN"); 142 | break; 143 | case EFAULT: 144 | log(PLOG_DEBUG, PLUGIN_NAME, 145 | "Error trying to exec: EFAULT"); 146 | break; 147 | case EINTR: 148 | log(PLOG_DEBUG, PLUGIN_NAME, 149 | "Error trying to exec: EINTR"); 150 | break; 151 | case EINVAL: 152 | log(PLOG_DEBUG, PLUGIN_NAME, 153 | "Error trying to exec: EINVAL"); 154 | break; 155 | case ELOOP: 156 | log(PLOG_DEBUG, PLUGIN_NAME, 157 | "Error trying to exec: ELOOP"); 158 | break; 159 | case ENAMETOOLONG: 160 | log(PLOG_DEBUG, PLUGIN_NAME, 161 | "Error trying to exec: ENAMETOOLONG"); 162 | break; 163 | case ENOENT: 164 | log(PLOG_DEBUG, PLUGIN_NAME, 165 | "Error trying to exec: ENOENT"); 166 | break; 167 | case ENOEXEC: 168 | log(PLOG_DEBUG, PLUGIN_NAME, 169 | "Error trying to exec: ENOEXEC"); 170 | break; 171 | case ENOLINK: 172 | log(PLOG_DEBUG, PLUGIN_NAME, 173 | "Error trying to exec: ENOLINK"); 174 | break; 175 | case ENOMEM: 176 | log(PLOG_DEBUG, PLUGIN_NAME, 177 | "Error trying to exec: ENOMEM"); 178 | break; 179 | case ENOTDIR: 180 | log(PLOG_DEBUG, PLUGIN_NAME, 181 | "Error trying to exec: ENOTDIR"); 182 | break; 183 | case ETXTBSY: 184 | log(PLOG_DEBUG, PLUGIN_NAME, 185 | "Error trying to exec: ETXTBSY"); 186 | break; 187 | default: 188 | log(PLOG_ERR, PLUGIN_NAME, 189 | "Error trying to exec: unknown, errno: %d", 190 | errno); 191 | } 192 | } 193 | exit(EXIT_FAILURE); 194 | } 195 | 196 | /* We require OpenVPN Plugin API v3 */ 197 | OPENVPN_EXPORT int openvpn_plugin_min_version_required_v1() 198 | { 199 | return OPENVPN_PLUGIN_VERSION_MIN; 200 | } 201 | 202 | /* 203 | * Handle plugin initialization 204 | * arguments->argv[0] is path to shared lib 205 | * arguments->argv[1] is expected to be path to script 206 | */ 207 | OPENVPN_EXPORT int openvpn_plugin_open_v3(const int struct_version, 208 | struct openvpn_plugin_args_open_in const *arguments, 209 | struct openvpn_plugin_args_open_return *retptr) 210 | { 211 | plugin_log_t log = arguments->callbacks->plugin_log; 212 | log(PLOG_DEBUG, PLUGIN_NAME, "FUNC: openvpn_plugin_open_v3"); 213 | 214 | struct plugin_context *context = NULL; 215 | 216 | /* Safeguard on openvpn versions */ 217 | if (struct_version < OPENVPN_PLUGINv3_STRUCTVER) { 218 | log(PLOG_ERR, PLUGIN_NAME, 219 | "ERROR: struct version was older than required"); 220 | return OPENVPN_PLUGIN_FUNC_ERROR; 221 | } 222 | 223 | /* Tell OpenVPN we want to handle these calls */ 224 | retptr->type_mask = OPENVPN_PLUGIN_MASK( 225 | OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY); 226 | 227 | 228 | /* 229 | * Determine the size of the arguments provided so we can allocate and 230 | * argv array of appropriate length. 231 | */ 232 | size_t arg_size = 0; 233 | for (int arg_idx = 1; arguments->argv[arg_idx]; arg_idx++) 234 | arg_size += strlen(arguments->argv[arg_idx]); 235 | 236 | 237 | /* 238 | * Plugin init will fail unless we create a handler, so we'll store our 239 | * script path and it's arguments there as we have to create it anyway. 240 | */ 241 | context = (struct plugin_context *) malloc( 242 | sizeof(struct plugin_context) + arg_size); 243 | memset(context, 0, sizeof(struct plugin_context) + arg_size); 244 | context->plugin_log = log; 245 | 246 | 247 | /* 248 | * Check we've been handed a script path to call 249 | * This comes directly from openvpn config file: 250 | * plugin /path/to/auth.so /path/to/auth/script.sh 251 | * 252 | * IDX 0 should correspond to the library, IDX 1 should be the 253 | * script, and any subsequent entries should be arguments to the script. 254 | * 255 | * Note that if arg_size is 0 no script argument was included. 256 | */ 257 | if (arg_size > 0) { 258 | memcpy(&context->argv, &arguments->argv[1], arg_size); 259 | 260 | log(PLOG_DEBUG, PLUGIN_NAME, 261 | "script_path=%s", 262 | context->argv[SCRIPT_NAME_IDX]); 263 | } else { 264 | free(context); 265 | log(PLOG_ERR, PLUGIN_NAME, 266 | "ERROR: no script_path specified in config file"); 267 | return OPENVPN_PLUGIN_FUNC_ERROR; 268 | } 269 | 270 | /* Pass state back to OpenVPN so we get handed it back later */ 271 | retptr->handle = (openvpn_plugin_handle_t) context; 272 | 273 | log(PLOG_DEBUG, PLUGIN_NAME, "plugin initialized successfully"); 274 | 275 | return OPENVPN_PLUGIN_FUNC_SUCCESS; 276 | } 277 | 278 | /* Called when we need to handle OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY calls */ 279 | OPENVPN_EXPORT int openvpn_plugin_func_v3(const int struct_version, 280 | struct openvpn_plugin_args_func_in const *arguments, 281 | struct openvpn_plugin_args_func_return *retptr) 282 | { 283 | (void)retptr; /* Squish -Wunused-parameter warning */ 284 | struct plugin_context *context = 285 | (struct plugin_context *) arguments->handle; 286 | plugin_log_t log = context->plugin_log; 287 | 288 | log(PLOG_DEBUG, PLUGIN_NAME, "FUNC: openvpn_plugin_func_v3"); 289 | 290 | /* Safeguard on openvpn versions */ 291 | if (struct_version < OPENVPN_PLUGINv3_STRUCTVER) { 292 | log(PLOG_ERR, PLUGIN_NAME, 293 | "ERROR: struct version was older than required"); 294 | return OPENVPN_PLUGIN_FUNC_ERROR; 295 | } 296 | 297 | if(arguments->type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) { 298 | log(PLOG_DEBUG, PLUGIN_NAME, 299 | "Handling auth with deferred script"); 300 | return deferred_handler(context, arguments->envp); 301 | } else 302 | return OPENVPN_PLUGIN_FUNC_SUCCESS; 303 | } 304 | 305 | OPENVPN_EXPORT void openvpn_plugin_close_v1(openvpn_plugin_handle_t handle) 306 | { 307 | struct plugin_context *context = (struct plugin_context *) handle; 308 | free(context); 309 | } 310 | --------------------------------------------------------------------------------