OpenVPN
openvpn-plugin.h
1 /* include/openvpn-plugin.h. Generated from openvpn-plugin.h.in by configure. */
2 /*
3  * OpenVPN -- An application to securely tunnel IP networks
4  * over a single TCP/UDP port, with support for SSL/TLS-based
5  * session authentication and key exchange,
6  * packet encryption, packet authentication, and
7  * packet compression.
8  *
9  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License version 2
13  * as published by the Free Software Foundation.
14  *
15  * This program is distributed in the hope that it will be useful,
16  * but WITHOUT ANY WARRANTY; without even the implied warranty of
17  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18  * GNU General Public License for more details.
19  *
20  * You should have received a copy of the GNU General Public License along
21  * with this program; if not, write to the Free Software Foundation, Inc.,
22  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23  */
24 
25 #ifndef OPENVPN_PLUGIN_H_
26 #define OPENVPN_PLUGIN_H_
27 
28 #define OPENVPN_PLUGIN_VERSION 3
29 
30 #ifdef ENABLE_CRYPTO_MBEDTLS
31 #include <mbedtls/x509_crt.h>
32 #ifndef __OPENVPN_X509_CERT_T_DECLARED
33 #define __OPENVPN_X509_CERT_T_DECLARED
34 typedef mbedtls_x509_crt openvpn_x509_cert_t;
35 #endif
36 #else /* ifdef ENABLE_CRYPTO_MBEDTLS */
37 #include <openssl/x509.h>
38 #ifndef __OPENVPN_X509_CERT_T_DECLARED
39 #define __OPENVPN_X509_CERT_T_DECLARED
40 typedef X509 openvpn_x509_cert_t;
41 #endif
42 #endif
43 
44 #include <stdarg.h>
45 #include <stddef.h>
46 
47 #ifdef __cplusplus
48 extern "C" {
49 #endif
50 
51 /* Provide some basic version information to plug-ins at OpenVPN compile time.
52  * This will not be the complete version.
53  */
54 #define OPENVPN_VERSION_MAJOR 2
55 #define OPENVPN_VERSION_MINOR 5
56 #define OPENVPN_VERSION_PATCH "_git"
57 
58 /*
59  * Plug-in types. These types correspond to the set of script callbacks
60  * supported by OpenVPN.
61  *
62  * This is the general call sequence to expect when running in server mode:
63  *
64  * Initial Server Startup:
65  *
66  * FUNC: openvpn_plugin_open_v1
67  * FUNC: openvpn_plugin_client_constructor_v1 (this is the top-level "generic"
68  * client template)
69  * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_UP
70  * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_ROUTE_UP
71  *
72  * New Client Connection:
73  *
74  * FUNC: openvpn_plugin_client_constructor_v1
75  * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_ENABLE_PF
76  * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_TLS_VERIFY (called once for every cert
77  * in the server chain)
78  * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY
79  * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_TLS_FINAL
80  * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_IPCHANGE
81  *
82  * [If OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY returned OPENVPN_PLUGIN_FUNC_DEFERRED,
83  * we don't proceed until authentication is verified via auth_control_file]
84  *
85  * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_CLIENT_CONNECT_V2
86  * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_LEARN_ADDRESS
87  *
88  * [Client session ensues]
89  *
90  * For each "TLS soft reset", according to reneg-sec option (or similar):
91  *
92  * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_ENABLE_PF
93  *
94  * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_TLS_VERIFY (called once for every cert
95  * in the server chain)
96  * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY
97  * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_TLS_FINAL
98  *
99  * [If OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY returned OPENVPN_PLUGIN_FUNC_DEFERRED,
100  * we expect that authentication is verified via auth_control_file within
101  * the number of seconds defined by the "hand-window" option. Data channel traffic
102  * will continue to flow uninterrupted during this period.]
103  *
104  * [Client session continues]
105  *
106  * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_CLIENT_DISCONNECT
107  * FUNC: openvpn_plugin_client_destructor_v1
108  *
109  * [ some time may pass ]
110  *
111  * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_LEARN_ADDRESS (this coincides with a
112  * lazy free of initial
113  * learned addr object)
114  * Server Shutdown:
115  *
116  * FUNC: openvpn_plugin_func_v1 OPENVPN_PLUGIN_DOWN
117  * FUNC: openvpn_plugin_client_destructor_v1 (top-level "generic" client)
118  * FUNC: openvpn_plugin_close_v1
119  */
120 #define OPENVPN_PLUGIN_UP 0
121 #define OPENVPN_PLUGIN_DOWN 1
122 #define OPENVPN_PLUGIN_ROUTE_UP 2
123 #define OPENVPN_PLUGIN_IPCHANGE 3
124 #define OPENVPN_PLUGIN_TLS_VERIFY 4 /* authentication hook; per the call sequence above, called once for every cert in the chain */
125 #define OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY 5 /* authentication hook; the only type this header documents as allowed to return OPENVPN_PLUGIN_FUNC_DEFERRED */
126 #define OPENVPN_PLUGIN_CLIENT_CONNECT 6 /* NOTE(review): the call sequence above lists only OPENVPN_PLUGIN_CLIENT_CONNECT_V2; presumably this is the older variant -- confirm */
127 #define OPENVPN_PLUGIN_CLIENT_DISCONNECT 7
128 #define OPENVPN_PLUGIN_LEARN_ADDRESS 8
129 #define OPENVPN_PLUGIN_CLIENT_CONNECT_V2 9
130 #define OPENVPN_PLUGIN_TLS_FINAL 10
131 #define OPENVPN_PLUGIN_ENABLE_PF 11
132 #define OPENVPN_PLUGIN_ROUTE_PREDOWN 12
133 #define OPENVPN_PLUGIN_N 13 /* one past the highest type value (12); presumably the number of types rather than a callback type -- confirm */
134 
135 /*
136  * Build the mask bit for a single plug-in type x; OR the results together to describe a set of plug-in types.
137  */
138 #define OPENVPN_PLUGIN_MASK(x) (1<<(x)) /* shift of a signed int: keep x within 0 .. OPENVPN_PLUGIN_N-1; a negative x, or one at or beyond the width of int, is undefined behaviour */
139 
140 /*
141  * A pointer to a plugin-defined object which contains
142  * the object state.
143  */
145 
146 /*
147  * Return value for openvpn_plugin_func_v1 function; the v2/v3 func and the v3 open descriptions in this header name the same constants.
148  */
149 #define OPENVPN_PLUGIN_FUNC_SUCCESS 0 /* for authentication hooks, every cascaded module and script must return this (0) for the connection to be authenticated */
150 #define OPENVPN_PLUGIN_FUNC_ERROR 1 /* failure; any internal error in an authentication hook should end up here so that the check fails closed */
151 #define OPENVPN_PLUGIN_FUNC_DEFERRED 2 /* documented for OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY only; the verdict is then read from the file named by auth_control_file */
152 
153 /*
154  * For Windows (needs to be modified for MSVC)
155  */
156 #if defined(_WIN32) && !defined(OPENVPN_PLUGIN_H)
157 #define OPENVPN_EXPORT __declspec(dllexport)
158 #else
159 #define OPENVPN_EXPORT
160 #endif
161 
162 /*
163  * If OPENVPN_PLUGIN_H is defined, we know that we are being
164  * included in an OpenVPN compile, rather than a plugin compile.
165  */
166 #ifdef OPENVPN_PLUGIN_H
167 
168 /*
169  * We are compiling OpenVPN.
170  */
171 #define OPENVPN_PLUGIN_DEF typedef
172 #define OPENVPN_PLUGIN_FUNC(name) (*name)
173 
174 #else /* ifdef OPENVPN_PLUGIN_H */
175 
176 /*
177  * We are compiling plugin.
178  */
179 #define OPENVPN_PLUGIN_DEF OPENVPN_EXPORT
180 #define OPENVPN_PLUGIN_FUNC(name) name
181 
182 #endif
183 
184 /*
185  * Used by openvpn_plugin_func to return structured
186  * data. The plugin should allocate all structure
187  * instances, name strings, and value strings with
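188  * malloc, since OpenVPN will assume that it
189  * can free the list by calling free() on each of them; string literals, stack buffers or memory from another allocator must therefore not be placed in the list.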
190  */
192 {
194  char *name;
195  char *value;
196 };
197 
198 
199 /* openvpn_plugin_{open,func}_v3() related structs */
200 
224 #define OPENVPN_PLUGINv3_STRUCTVER 4
225 
229 typedef enum
230 {
231  PLOG_ERR = (1 << 0),/* Error condition message */
232  PLOG_WARN = (1 << 1),/* General warning message */
233  PLOG_NOTE = (1 << 2),/* Informational message */
234  PLOG_DEBUG = (1 << 3),/* Debug message, displayed if verb >= 7 */
235 
236  PLOG_ERRNO = (1 << 8),/* Add error description to message */
237  PLOG_NOMUTE = (1 << 9), /* Mute setting does not apply for message */
238 
240 
241 
242 #ifdef __GNUC__ /* GCC-compatible compilers: attach a printf-style format attribute so format string and arguments are checked at compile time */
243 #if __USE_MINGW_ANSI_STDIO
244 #define _ovpn_chk_fmt(a, b) __attribute__ ((format(gnu_printf, (a), (b)))) /* a = 1-based index of the format parameter, b = index of the first variadic argument (0 when a va_list is passed) */
245 #else
246 #define _ovpn_chk_fmt(a, b) __attribute__ ((format(__printf__, (a), (b))))
247 #endif
248 #else /* ifdef __GNUC__ */
249 #define _ovpn_chk_fmt(a, b) /* other compilers: expands to nothing, so no format checking is applied */
250 #endif
251 
253  const char *plugin_name,
254  const char *format, ...) _ovpn_chk_fmt (3, 4);
255 
257  const char *plugin_name,
258  const char *format,
259  va_list arglist) _ovpn_chk_fmt (3, 0);
260 /* #undef _ovpn_chk_fmt */
261 
269 typedef void (*plugin_secure_memzero_t)(void *data, size_t len); /* callback type taking a buffer and its length; presumably wipes len bytes at data so secrets do not linger in memory -- confirm against the OpenVPN implementation */
270 
271 
289 {
293 };
294 
301 typedef enum {
305 } ovpnSSLAPI;
306 
329 {
330  const int type_mask;
331  const char **const argv;
332  const char **const envp;
334  const ovpnSSLAPI ssl_api;
335  const char *ovpn_version;
336  const unsigned int ovpn_version_major;
337  const unsigned int ovpn_version_minor;
338  const char *const ovpn_version_patch;
339 };
340 
341 
364 {
366  openvpn_plugin_handle_t *handle;
368 };
369 
399 {
400  const int type;
401  const char **const argv;
402  const char **const envp;
403  openvpn_plugin_handle_t handle;
407 };
408 
409 
422 {
424 };
425 
426 /*
427  * Multiple plugin modules can be cascaded, and modules can be
428  * used in tandem with scripts. The order of operation is that
429  * the module func() functions are called in the order that
430  * the modules were specified in the config file. If a script
431  * was specified as well, it will be called last. If the
432  * return code of the module/script controls an authentication
433  * function (such as tls-verify or auth-user-pass-verify), then
434  * every module and script must return success (0) in order for
435  * the connection to be authenticated.
436  *
437  * Notes:
438  *
439  * Plugins which use a privilege-separation model (by forking in
440  * their initialization function before the main OpenVPN process
441  * downgrades root privileges and/or executes a chroot) must
442  * daemonize after a fork if the "daemon" environmental variable is
443  * set. In addition, if the "daemon_log_redirect" variable is set,
444  * the plugin should preserve stdout/stderr across the daemon()
445  * syscall. See the daemonize() function in plugin/auth-pam/auth-pam.c
446  * for an example.
447  */
448 
449 /*
450  * Prototypes for functions which OpenVPN plug-ins must define.
451  */
452 
453 /*
454  * FUNCTION: openvpn_plugin_open_v2
455  *
456  * REQUIRED: YES
457  *
458  * Called on initial plug-in load. OpenVPN will preserve plug-in state
459  * across SIGUSR1 restarts but not across SIGHUP restarts. A SIGHUP reset
460  * will cause the plugin to be closed and reopened.
461  *
462  * ARGUMENTS
463  *
464  * *type_mask : Set by OpenVPN to the logical OR of all script
465  * types which this version of OpenVPN supports. The plug-in
466  * should set this value to the logical OR of all script types
467  * which the plug-in wants to intercept. For example, if the
468  * script wants to intercept the client-connect and
469  * client-disconnect script types:
470  *
471  * *type_mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT)
472  * | OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_DISCONNECT)
473  *
474  * argv : a NULL-terminated array of options provided to the OpenVPN
475  * "plug-in" directive. argv[0] is the dynamic library pathname.
476  *
477  * envp : a NULL-terminated array of OpenVPN-set environmental
478  * variables in "name=value" format. Note that for security reasons,
479  * these variables are not actually written to the "official"
480  * environmental variable store of the process.
481  *
482  * return_list : used to return data back to OpenVPN.
483  *
484  * RETURN VALUE
485  *
486  * An openvpn_plugin_handle_t value on success, NULL on failure
487  */
489  (unsigned int *type_mask,
490  const char *argv[],
491  const char *envp[],
492  struct openvpn_plugin_string_list **return_list);
493 
494 /*
495  * FUNCTION: openvpn_plugin_func_v2
496  *
497  * Called to perform the work of a given script type.
498  *
499  * REQUIRED: YES
500  *
501  * ARGUMENTS
502  *
503  * handle : the openvpn_plugin_handle_t value which was returned by
504  * openvpn_plugin_open.
505  *
506  * type : one of the PLUGIN_x types
507  *
508  * argv : a NULL-terminated array of "command line" options which
509  * would normally be passed to the script. argv[0] is the dynamic
510  * library pathname.
511  *
512  * envp : a NULL-terminated array of OpenVPN-set environmental
513  * variables in "name=value" format. Note that for security reasons,
514  * these variables are not actually written to the "official"
515  * environmental variable store of the process.
516  *
517  * per_client_context : the per-client context pointer which was returned by
518  * openvpn_plugin_client_constructor_v1, if defined.
519  *
520  * return_list : used to return data back to OpenVPN.
521  *
522  * RETURN VALUE
523  *
524  * OPENVPN_PLUGIN_FUNC_SUCCESS on success, OPENVPN_PLUGIN_FUNC_ERROR on failure
525  *
526  * In addition, OPENVPN_PLUGIN_FUNC_DEFERRED may be returned by
527  * OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY. This enables asynchronous
528  * authentication where the plugin (or one of its agents) may indicate
529  * authentication success/failure some number of seconds after the return
530  * of the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY handler by writing a single
531  * char to the file named by auth_control_file in the environmental variable
532  * list (envp).
533  *
534  * first char of auth_control_file:
535  * '0' -- indicates auth failure
536  * '1' -- indicates auth success
537  *
538  * OpenVPN will delete the auth_control_file after it goes out of scope.
539  *
540  * If an OPENVPN_PLUGIN_ENABLE_PF handler is defined and returns success
541  * for a particular client instance, packet filtering will be enabled for that
542  * instance. OpenVPN will then attempt to read the packet filter configuration
543  * from the temporary file named by the environmental variable pf_file. This
544  * file may be generated asynchronously and may be dynamically updated during the
545  * client session, however the client will be blocked from sending or receiving
546  * VPN tunnel packets until the packet filter file has been generated. OpenVPN
547  * will periodically test the packet filter file over the life of the client
548  * instance and reload when modified. OpenVPN will delete the packet filter file
549  * when the client instance goes out of scope.
550  *
551  * Packet filter file grammar:
552  *
553  * [CLIENTS DROP|ACCEPT]
554  * {+|-}common_name1
555  * {+|-}common_name2
556  * . . .
557  * [SUBNETS DROP|ACCEPT]
558  * {+|-}subnet1
559  * {+|-}subnet2
560  * . . .
561  * [END]
562  *
563  * Subnet: IP-ADDRESS | IP-ADDRESS/NUM_NETWORK_BITS
564  *
565  * CLIENTS refers to the set of clients (by their common-name) which
566  * this instance is allowed ('+') to connect to, or is excluded ('-')
567  * from connecting to. Note that in the case of client-to-client
568  * connections, such communication must be allowed by the packet filter
569  * configuration files of both clients.
570  *
571  * SUBNETS refers to IP addresses or IP address subnets which this
572  * instance may connect to ('+') or is excluded ('-') from connecting
573  * to.
574  *
575  * DROP or ACCEPT defines default policy when there is no explicit match
576  * for a common-name or subnet. The [END] tag must exist. A special
577  * purpose tag called [KILL] will immediately kill the client instance.
578  * A given client or subnet rule applies to both incoming and outgoing
579  * packets.
580  *
581  * See plugin/defer/simple.c for an example on using asynchronous
582  * authentication and client-specific packet filtering.
583  */
585  (openvpn_plugin_handle_t handle,
586  const int type,
587  const char *argv[],
588  const char *envp[],
589  void *per_client_context,
590  struct openvpn_plugin_string_list **return_list);
591 
592 
593 /*
594  * FUNCTION: openvpn_plugin_open_v3
595  *
596  * REQUIRED: YES
597  *
598  * Called on initial plug-in load. OpenVPN will preserve plug-in state
599  * across SIGUSR1 restarts but not across SIGHUP restarts. A SIGHUP reset
600  * will cause the plugin to be closed and reopened.
601  *
602  * ARGUMENTS
603  *
604  * version : fixed value, defines the API version of the OpenVPN plug-in API. The plug-in
605  * should validate that this value is matching the OPENVPN_PLUGINv3_STRUCTVER
606  * value.
607  *
608  * arguments : Structure with all arguments available to the plug-in.
609  *
610  * retptr : used to return data back to OpenVPN.
611  *
612  * RETURN VALUE
613  *
614  * OPENVPN_PLUGIN_FUNC_SUCCESS on success, OPENVPN_PLUGIN_FUNC_ERROR on failure
615  */
617  (const int version,
618  struct openvpn_plugin_args_open_in const *arguments,
619  struct openvpn_plugin_args_open_return *retptr);
620 
621 /*
622  * FUNCTION: openvpn_plugin_func_v3
623  *
624  * Called to perform the work of a given script type.
625  *
626  * REQUIRED: YES
627  *
628  * ARGUMENTS
629  *
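630  * version : fixed value, defines the API version of the OpenVPN plug-in API. The plug-in
631  * should validate that this value matches the OPENVPN_PLUGIN_VERSION value. (The openvpn_plugin_open_v3 description above names OPENVPN_PLUGINv3_STRUCTVER for the same parameter; confirm which constant the caller passes before comparing.)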
632  *
633  * handle : the openvpn_plugin_handle_t value which was returned by
634  * openvpn_plugin_open.
635  *
636  * return_list : used to return data back to OpenVPN.
637  *
638  * RETURN VALUE
639  *
640  * OPENVPN_PLUGIN_FUNC_SUCCESS on success, OPENVPN_PLUGIN_FUNC_ERROR on failure
641  *
642  * In addition, OPENVPN_PLUGIN_FUNC_DEFERRED may be returned by
643  * OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY. This enables asynchronous
644  * authentication where the plugin (or one of its agents) may indicate
645  * authentication success/failure some number of seconds after the return
646  * of the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY handler by writing a single
647  * char to the file named by auth_control_file in the environmental variable
648  * list (envp).
649  *
650  * first char of auth_control_file:
651  * '0' -- indicates auth failure
652  * '1' -- indicates auth success
653  *
654  * OpenVPN will delete the auth_control_file after it goes out of scope.
655  *
656  * If an OPENVPN_PLUGIN_ENABLE_PF handler is defined and returns success
657  * for a particular client instance, packet filtering will be enabled for that
658  * instance. OpenVPN will then attempt to read the packet filter configuration
659  * from the temporary file named by the environmental variable pf_file. This
660  * file may be generated asynchronously and may be dynamically updated during the
661  * client session, however the client will be blocked from sending or receiving
662  * VPN tunnel packets until the packet filter file has been generated. OpenVPN
663  * will periodically test the packet filter file over the life of the client
664  * instance and reload when modified. OpenVPN will delete the packet filter file
665  * when the client instance goes out of scope.
666  *
667  * Packet filter file grammar:
668  *
669  * [CLIENTS DROP|ACCEPT]
670  * {+|-}common_name1
671  * {+|-}common_name2
672  * . . .
673  * [SUBNETS DROP|ACCEPT]
674  * {+|-}subnet1
675  * {+|-}subnet2
676  * . . .
677  * [END]
678  *
679  * Subnet: IP-ADDRESS | IP-ADDRESS/NUM_NETWORK_BITS
680  *
681  * CLIENTS refers to the set of clients (by their common-name) which
682  * this instance is allowed ('+') to connect to, or is excluded ('-')
683  * from connecting to. Note that in the case of client-to-client
684  * connections, such communication must be allowed by the packet filter
685  * configuration files of both clients.
686  *
687  * SUBNETS refers to IP addresses or IP address subnets which this
688  * instance may connect to ('+') or is excluded ('-') from connecting
689  * to.
690  *
691  * DROP or ACCEPT defines default policy when there is no explicit match
692  * for a common-name or subnet. The [END] tag must exist. A special
693  * purpose tag called [KILL] will immediately kill the client instance.
694  * A given client or subnet rule applies to both incoming and outgoing
695  * packets.
696  *
697  * See plugin/defer/simple.c for an example on using asynchronous
698  * authentication and client-specific packet filtering.
699  */
701  (const int version,
702  struct openvpn_plugin_args_func_in const *arguments,
703  struct openvpn_plugin_args_func_return *retptr);
704 
705 /*
706  * FUNCTION: openvpn_plugin_close_v1
707  *
708  * REQUIRED: YES
709  *
710  * ARGUMENTS
711  *
712  * handle : the openvpn_plugin_handle_t value which was returned by
713  * openvpn_plugin_open.
714  *
715  * Called immediately prior to plug-in unload.
716  */
718  (openvpn_plugin_handle_t handle);
719 
720 /*
721  * FUNCTION: openvpn_plugin_abort_v1
722  *
723  * REQUIRED: NO
724  *
725  * ARGUMENTS
726  *
727  * handle : the openvpn_plugin_handle_t value which was returned by
728  * openvpn_plugin_open.
729  *
730  * Called when OpenVPN is in the process of aborting due to a fatal error.
731  * Will only be called on an open context returned by a prior successful
732  * openvpn_plugin_open callback.
733  */
735  (openvpn_plugin_handle_t handle);
736 
737 /*
738  * FUNCTION: openvpn_plugin_client_constructor_v1
739  *
740  * Called to allocate a per-client memory region, which
741  * is then passed to the openvpn_plugin_func_v2 function.
742  * This function is called every time the OpenVPN server
743  * constructs a client instance object, which normally
744  * occurs when a session-initiating packet is received
745  * from a new client, even before the client has authenticated. The allocation made here can therefore be triggered by unauthenticated peers and should be kept small and bounded.
746  *
747  * This function should allocate the private memory needed
748  * by the plugin to track individual OpenVPN clients, and
749  * return a void * to this memory region.
750  *
751  * REQUIRED: NO
752  *
753  * ARGUMENTS
754  *
755  * handle : the openvpn_plugin_handle_t value which was returned by
756  * openvpn_plugin_open.
757  *
758  * RETURN VALUE
759  *
760  * void * pointer to plugin's private per-client memory region, or NULL
761  * if no memory region is required.
762  */
764  (openvpn_plugin_handle_t handle);
765 
766 /*
767  * FUNCTION: openvpn_plugin_client_destructor_v1
768  *
769  * This function is called on client instance object destruction.
770  *
771  * REQUIRED: NO
772  *
773  * ARGUMENTS
774  *
775  * handle : the openvpn_plugin_handle_t value which was returned by
776  * openvpn_plugin_open.
777  *
778  * per_client_context : the per-client context pointer which was returned by
779  * openvpn_plugin_client_constructor_v1, if defined.
780  */
782  (openvpn_plugin_handle_t handle, void *per_client_context);
783 
784 /*
785  * FUNCTION: openvpn_plugin_select_initialization_point_v1
786  *
787  * Several different points exist in OpenVPN's initialization sequence where
788  * the openvpn_plugin_open function can be called. While the default is
789  * OPENVPN_PLUGIN_INIT_PRE_DAEMON, this function can be used to select a
790  * different initialization point. For example, if your plugin needs to
791  * return configuration parameters to OpenVPN, use
792  * OPENVPN_PLUGIN_INIT_PRE_CONFIG_PARSE.
793  *
794  * REQUIRED: NO
795  *
796  * RETURN VALUE:
797  *
798  * An OPENVPN_PLUGIN_INIT_x value.
799  */
800 #define OPENVPN_PLUGIN_INIT_PRE_CONFIG_PARSE 1
801 #define OPENVPN_PLUGIN_INIT_PRE_DAEMON 2 /* default */
802 #define OPENVPN_PLUGIN_INIT_POST_DAEMON 3
803 #define OPENVPN_PLUGIN_INIT_POST_UID_CHANGE 4
804 
806  (void);
807 
808 /*
809  * FUNCTION: openvpn_plugin_min_version_required_v1
810  *
811  * This function is called by OpenVPN to query the minimum
812  * plugin interface version number required by the plugin.
813  *
814  * REQUIRED: NO
815  *
816  * RETURN VALUE
817  *
818  * The minimum OpenVPN plugin interface version number necessary to support
819  * this plugin.
820  */
822  (void);
823 
824 /*
825  * Deprecated functions which are still supported for backward compatibility.
826  */
827 
829  (unsigned int *type_mask,
830  const char *argv[],
831  const char *envp[]);
832 
834  (openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[]);
835 
836 #ifdef __cplusplus
837 }
838 #endif
839 
840 #endif /* OPENVPN_PLUGIN_H_ */
Arguments used to transport variables to the plug-in.
openvpn_x509_cert_t * current_cert
OPENVPN_PLUGIN_DEF void OPENVPN_PLUGIN_FUNC() openvpn_plugin_close_v1(openvpn_plugin_handle_t handle)
This cleans up the last part of the plug-in, allows it to shut down cleanly and release the plug-in g...
Definition: simple.c:334
struct openvpn_plugin_string_list ** return_list
OPENVPN_PLUGIN_DEF int OPENVPN_PLUGIN_FUNC() openvpn_plugin_func_v3(const int version, struct openvpn_plugin_args_func_in const *arguments, struct openvpn_plugin_args_func_return *retptr)
#define OPENVPN_PLUGIN_FUNC(name)
openvpn_plugin_handle_t * handle
OPENVPN_PLUGIN_DEF int OPENVPN_PLUGIN_FUNC() openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[])
This function is called by OpenVPN each time the OpenVPN reaches a point where plug-in calls should h...
Definition: log.c:167
X509 openvpn_x509_cert_t
plugin_secure_memzero_t plugin_secure_memzero
struct openvpn_plugin_string_list * next
const unsigned int ovpn_version_minor
OPENVPN_PLUGIN_DEF openvpn_plugin_handle_t OPENVPN_PLUGIN_FUNC() openvpn_plugin_open_v2(unsigned int *type_mask, const char *argv[], const char *envp[], struct openvpn_plugin_string_list **return_list)
#define OPENVPN_PLUGIN_DEF
OPENVPN_PLUGIN_DEF void OPENVPN_PLUGIN_FUNC() openvpn_plugin_abort_v1(openvpn_plugin_handle_t handle)
Definition: auth-pam.c:579
ovpnSSLAPI
Used by the openvpn_plugin_open_v3() function to indicate to the plug-in what kind of SSL implementat...
list flags
openvpn_plugin_log_flags_t
Definitions needed for the plug-in callback functions.
OPENVPN_PLUGIN_DEF void OPENVPN_PLUGIN_FUNC() openvpn_plugin_client_destructor_v1(openvpn_plugin_handle_t handle, void *per_client_context)
Definition: simple.c:327
void(*) typedef void(*) typedef void(* plugin_secure_memzero_t)(void *data, size_t len)
Export of secure_memzero() to be used inside plug-ins.
OPENVPN_PLUGIN_DEF void *OPENVPN_PLUGIN_FUNC() openvpn_plugin_client_constructor_v1(openvpn_plugin_handle_t handle)
Definition: simple.c:320
Arguments used to transport variables to and from the plug-in.
#define _ovpn_chk_fmt(a, b)
openvpn_plugin_handle_t handle
OPENVPN_PLUGIN_DEF int OPENVPN_PLUGIN_FUNC() openvpn_plugin_min_version_required_v1(void)
const unsigned int ovpn_version_major
void(* plugin_log_t)(openvpn_plugin_log_flags_t flags, const char *plugin_name, const char *format,...) _ovpn_chk_fmt(3
OPENVPN_PLUGIN_DEF openvpn_plugin_handle_t OPENVPN_PLUGIN_FUNC() openvpn_plugin_open_v1(unsigned int *type_mask, const char *argv[], const char *envp[])
Definition: simple.c:134
void * openvpn_plugin_handle_t
Arguments used to transport variables to and from the plug-in.
struct openvpn_plugin_callbacks * callbacks
struct openvpn_plugin_string_list ** return_list
OPENVPN_PLUGIN_DEF int OPENVPN_PLUGIN_FUNC() openvpn_plugin_open_v3(const int version, struct openvpn_plugin_args_open_in const *arguments, struct openvpn_plugin_args_open_return *retptr)
This function is called when OpenVPN loads the plug-in.
OPENVPN_PLUGIN_DEF int OPENVPN_PLUGIN_FUNC() openvpn_plugin_func_v2(openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[], void *per_client_context, struct openvpn_plugin_string_list **return_list)
Definition: simple.c:251
Definition: argv.h:35
Arguments used to transport variables from the plug-in back to the OpenVPN process.
OPENVPN_PLUGIN_DEF int OPENVPN_PLUGIN_FUNC() openvpn_plugin_select_initialization_point_v1(void)
Used by the openvpn_plugin_open_v3() function to pass callback function pointers to the plug-in...
const char *const ovpn_version_patch
void(*) typedef void(* plugin_vlog_t)(openvpn_plugin_log_flags_t flags, const char *plugin_name, const char *format, va_list arglist) _ovpn_chk_fmt(3