1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2021 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 /*
25  * This file implements a simple OpenVPN plugin module which
26  * will log the calls made, and send back some config statements
27  * when called on the CLIENT_CONNECT and CLIENT_CONNECT_V2 hooks.
28  *
29  * It can be asked to fail or to go to async/deferred mode by setting
30  * environment variables (UV_WANT_CC_FAIL, UV_WANT_CC_ASYNC,
31  * UV_WANT_CC2_ASYNC) - mostly used as a testing vehicle for the
32  * server-side code that has to handle these cases.
33  *
34  * See the README file for build instructions and env control variables.
35  */
36 
37 /* strdup() might need special defines to be visible in <string.h> */
38 #include "config.h"
39 
40 #include <stdio.h>
41 #include <string.h>
42 #include <stdlib.h>
43 #include <stdbool.h>
44 #include <unistd.h>
45 #include <fcntl.h>
46 #include <sys/wait.h>
47 
48 #include "openvpn-plugin.h"
49 
50 /* Pointers to functions exported from openvpn */
 /* NULL until openvpn_plugin_open_v3() copies them out of args->callbacks,
 * which is why that function reports a version mismatch via stderr rather
 * than plugin_log(). A third pointer, plugin_secure_memzero, presumably
 * sits on line 52, which is not shown in this rendering. */
51 static plugin_log_t plugin_log = NULL;
53 static plugin_base64_decode_t plugin_base64_decode = NULL;
54 
55 /* module name for plugin_log() */
 /* never written to, and plugin_log_t takes a const char *plugin_name, so
 * this could be "static const char *MODULE" */
56 static char *MODULE = "sample-cc";
57 
58 /*
59  * Our context, where we keep our state.
60  */
61 
 /* NOTE(review): the opening "struct plugin_context {" (line 62) did not
 * survive this rendering. One instance is calloc()ed in
 * openvpn_plugin_open_v3() and returned via ret->handle; every later hook
 * gets it back as `handle`, and openvpn_plugin_close_v1() free()s it. */
63  int verb; /* logging verbosity */
 /* verb comes from "setenv verb N" in the OpenVPN config (0 when unset);
 * openvpn_plugin_client_connect() dumps argv/envp to the log when >= 3 */
64 };
65 
66 /* this is used for the CLIENT_CONNECT_V2 async/deferred handler
67  *
68  * the "CLIENT_CONNECT_V2" handler puts per-client information into
69  * this, and the "CLIENT_CONNECT_DEFER_V2" handler looks at it to see
70  * if it's time yet to succeed/fail
 *
 * One instance per client: calloc()ed in
 * openvpn_plugin_client_constructor_v1() and free()d in
 * openvpn_plugin_client_destructor_v1(). The opening
 * "struct plugin_per_client_context {" (line 72) and the "want_disable"
 * member (line 75, assigned in openvpn_plugin_client_connect_v2()) are
 * not shown in this rendering.
71  */
73  time_t sleep_until; /* wakeup time (time() + sleep) */
74  bool want_fail;
 /* NOTE(review): not a copy -- this points either at a string literal or
 * straight into the per-client envp (get_env("plugin_cc2_config")). It is
 * dereferenced later, from the DEFER_V2 hook, so it assumes OpenVPN keeps
 * that envp alive for the whole deferral -- confirm against the caller. */
76  const char *client_config;
77 };
78 
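/*
 * Given an environmental variable name, search
 * the envp array for its value, returning it
 * if found or NULL otherwise.
 *
 * Only an exact "name=" prefix matches: an entry whose name merely starts
 * with @name (e.g. "verbose=..." when asked for "verb") is skipped.
 *
 * @param name  variable name without the '='; NULL yields NULL
 * @param envp  NULL-terminated array of "NAME=value" strings, or NULL
 * @return pointer into envp[] just past the '=', or NULL if not found
 */
static const char *
get_env(const char *name, const char *envp[])
{
    if (!name || !envp)
    {
        return NULL;
    }

    /* size_t, not int: strlen() returns size_t and strncmp() takes one */
    const size_t namelen = strlen(name);

    for (size_t i = 0; envp[i]; ++i)
    {
        /* prefix must match, and the '=' must follow immediately so that a
         * longer variable name sharing the prefix does not match */
        if (strncmp(envp[i], name, namelen) == 0 && envp[i][namelen] == '=')
        {
            return envp[i] + namelen + 1;
        }
    }
    return NULL;
}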
105 
106 
/*
 * atoi() wrapper that tolerates a NULL argument.
 *
 * @param str  decimal string, or NULL
 * @return atoi(str), or 0 when str is NULL (same as atoi("0"))
 */
static int
atoi_null0(const char *str)
{
    return str ? atoi(str) : 0;
}
119 
120 /* use v3 functions so we can use openvpn's logging and base64 etc. */
 /*
 * Plugin entry point, called once when OpenVPN loads the plugin.
 *
 * @param v3structver  version of the v3 argument structs the running
 *                     OpenVPN uses; anything below 5 is rejected
 * @param args         argv/envp of the "plugin" config line plus the
 *                     callbacks (logging, base64, ...) exported by OpenVPN
 * @param ret          (declared on line 124, not shown in this rendering:
 *                     "struct openvpn_plugin_args_open_return *ret" per the
 *                     symbol index) receives the hook type mask and handle
 * @return presumably OPENVPN_PLUGIN_FUNC_SUCCESS on line 173 and an error
 *         value on lines 133 and 177; none of those lines survived this
 *         rendering
 */
121 OPENVPN_EXPORT int
122 openvpn_plugin_open_v3(const int v3structver,
123  struct openvpn_plugin_args_open_in const *args,
125 {
126  /* const char **argv = args->argv; */ /* command line arguments (unused) */
127  const char **envp = args->envp; /* environment variables */
128 
129  /* Check API compatibility -- struct version 5 or higher needed */
 /* stderr rather than plugin_log(): the callback pointers are only copied
 * out of args->callbacks further down, so plugin_log is still NULL here */
130  if (v3structver < 5)
131  {
132  fprintf(stderr, "sample-client-connect: this plugin is incompatible with the running version of OpenVPN\n");
134  }
135 
136  /*
137  * Allocate our context
 * (calloc so verb starts zeroed; released by openvpn_plugin_close_v1(),
 * or at the error label below if nothing else fails first)
138  */
139  struct plugin_context *context = calloc(1, sizeof(struct plugin_context));
140  if (!context)
141  {
142  goto error;
143  }
144 
145  /*
146  * Intercept just about everything...
 * (only one OR-ed term of the mask survived this rendering, lines 149-159
 * hold the rest; the dispatcher openvpn_plugin_func_v2() below shows which
 * hook types are expected)
147  */
148  ret->type_mask =
156  |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2)
160 
161  /* Save global pointers to functions exported from openvpn */
 /* plugin_log is assigned on a line not shown here (163); it must be, since
 * it is called a few lines below */
164  plugin_base64_decode = args->callbacks->plugin_base64_decode;
165 
166  /*
167  * Get verbosity level from environment
 * ("setenv verb N" in the OpenVPN config; unset -> 0 via atoi_null0())
168  */
169  context->verb = atoi_null0(get_env("verb", envp));
170 
171  ret->handle = (openvpn_plugin_handle_t *) context;
172  plugin_log(PLOG_NOTE, MODULE, "initialization succeeded");
174 
175 error:
 /* reached only from the calloc failure above, so context is NULL here and
 * free(NULL) is a no-op; the success return (line 173) precedes this label */
176  free(context);
178 }
179 
180 
181 /* there are two possible interfaces through which an openvpn plugin
182  * can be called on "client connect", which primarily differ in the
183  * way config options are handed back to the client instance
184  * (see openvpn/multi.c, multi_client_connect_call_plugin_{v1,v2}())
185  *
186  * OPENVPN_PLUGIN_CLIENT_CONNECT
187  * openvpn creates a temp file and passes the name to the plugin
188  * (via argv[1] variable, argv[0] is the name of the plugin)
189  * the plugin can write config statements to that file, and openvpn
190  * reads it in like a "ccd/$cn" per-client config file
191  *
192  * OPENVPN_PLUGIN_CLIENT_CONNECT_V2
193  * the caller passes in a pointer to an "openvpn_plugin_string_list"
194  * (openvpn-plugin.h), which is a linked list of (name,value) pairs
195  *
196  * we fill in one node with name="config" and value="our config"
197  *
198  * both "l" and "l->name" and "l->value" are malloc()ed by the plugin
199  * and free()ed by the caller (openvpn_plugin_string_list_free())
200  */
201 
202 /* helper function to write actual "here are your options" file,
203  * called from the sync handler (openvpn_plugin_client_connect) and from
 * the async/deferred one (cc_handle_deferred_v1, in the grandchild).
 *
 * @param name  path of the temp file OpenVPN created for the per-client
 *              options (argv[1] of the CLIENT_CONNECT call); NULL -> error
 * @param envp  per-client environment handed over by OpenVPN
 * @return OPENVPN_PLUGIN_FUNC_SUCCESS once the file is written (the value
 *         cc_handle_deferred_v1 compares against), otherwise an error
 *         value; the three return lines (210, 217, 238) are not shown in
 *         this rendering
204  */
205 int
206 write_cc_options_file(const char *name, const char **envp)
207 {
208  if (!name)
209  {
211  }
212 
213  FILE *fp = fopen(name,"w");
214  if (!fp)
215  {
216  plugin_log(PLOG_ERR, MODULE, "fopen('%s') failed", name);
218  }
219 
220  /* config to-be-sent can come from "setenv plugin_cc_config" in openvpn */
 /* operator-controlled text from the server config, written verbatim as
 * per-client config */
221  const char *p = get_env("plugin_cc_config", envp);
222  if (p)
223  {
224  fprintf(fp, "%s\n", p);
225  }
226 
227  /* some generic config snippets so we know it worked */
228  fprintf(fp, "push \"echo sample-cc plugin 1 called\"\n");
229 
230  /* if the caller wants, reject client by means of "disable" option */
231  if (get_env("UV_WANT_CC_DISABLE", envp))
232  {
233  plugin_log(PLOG_NOTE, MODULE, "env has UV_WANT_CC_DISABLE, reject");
234  fprintf(fp, "disable\n");
235  }
 /* NOTE(review): fclose() (and the fprintf()s above) are unchecked, so a
 * failed flush leaves a short options file while the caller still gets the
 * success return on line 238 -- check fclose() != 0 and return an error */
236  fclose(fp);
237 
239 }
240 
 /*
 * CLIENT_CONNECT (v1) in async/deferred mode: mark the deferred-status
 * file as pending, then double-fork. The grandchild sleeps `seconds`,
 * writes the options file and finally writes the verdict into the status
 * file; the parent returns to OpenVPN right away.
 *
 * @param seconds  value of UV_WANT_CC_ASYNC (atoi'd by the caller), how
 *                 long the grandchild sleeps before answering
 * @param name     options temp file (argv[1]), passed to write_cc_options_file()
 * @param envp     per-client environment; also read in the grandchild
 * @return in the parent: the value on line 289 (not shown in this rendering;
 *         per the caller's comment normally OPENVPN_PLUGIN_FUNC_DEFERRED),
 *         or an error value on the failure paths (lines 249, 263, 270, 284,
 *         also not shown). The child and grandchild never return; they exit().
 */
241 int
242 cc_handle_deferred_v1(int seconds, const char *name, const char **envp)
243 {
244  const char *ccd_file = get_env("client_connect_deferred_file", envp);
245  if (!ccd_file)
246  {
247  plugin_log(PLOG_NOTE, MODULE, "env has UV_WANT_CC_ASYNC=%d, but "
248  "'client_connect_deferred_file' not set -> fail", seconds);
250  }
251 
252  /* the CLIENT_CONNECT (v1) API is a bit tricky to work with, because
253  * completion can be signalled both by the "deferred_file" and by
254  * the new ...CLIENT_CONNECT_DEFER API - which is optional.
255  *
256  * For OpenVPN to be able to differentiate, we must create the file
257  * right away if we want to use that for signalling.
258  */
 /* O_WRONLY without O_CREAT/O_TRUNC: the file is expected to exist already
 * (created by OpenVPN -- confirm); only the marker byte is written here */
259  int fd = open(ccd_file, O_WRONLY);
260  if (fd < 0)
261  {
262  plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "open('%s') failed", ccd_file);
264  }
265 
 /* "2" at offset 0 = result pending; the grandchild overwrites it with
 * "1" (success) or "0" (fail) at the bottom of this function */
266  if (write(fd, "2", 1) != 1)
267  {
268  plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "write to '%s' failed", ccd_file );
269  close(fd);
271  }
272  close(fd);
273 
274  /* we do not want to complicate our lives with having to wait()
275  * for child processes (so they are not zombified) *and* we MUST NOT
276  * fiddle with signal handlers (= shared with openvpn main), so
277  * we use double-fork() trick.
278  */
279 
280  /* fork, sleep, succeed/fail according to env vars */
 /* NOTE(review): both children inherit every open descriptor and the whole
 * address space of the OpenVPN server process for up to `seconds`. That is
 * acceptable for this test vehicle; a production plugin doing real work in
 * a forked child should close inherited descriptors first. */
281  pid_t p1 = fork();
282  if (p1 < 0) /* Fork failed */
283  {
285  }
286  if (p1 > 0) /* parent process */
287  {
 /* reap the first child right away -- it exit()s as soon as its own
 * fork() returns, so this does not block for `seconds` */
288  waitpid(p1, NULL, 0);
290  }
291 
292  /* first gen child process, fork() again and exit() right away */
 /* NOTE(review): exit() in a forked child runs OpenVPN's atexit() handlers
 * and flushes stdio buffers inherited from the server; _exit() is the usual
 * choice after fork() -- confirm against OpenVPN's handlers before changing */
293  pid_t p2 = fork();
294  if (p2 < 0)
295  {
296  plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "BACKGROUND: fork(2) failed");
297  exit(1);
298  }
299  if (p2 > 0) /* new parent: exit right away */
300  {
301  exit(0);
302  }
303 
304  /* (grand-)child process
305  * - never call "return" now (would mess up openvpn)
306  * - return status is communicated by file
307  * - then exit()
308  */
309 
310  /* do mighty complicated work that will really take time here... */
311  plugin_log(PLOG_NOTE, MODULE, "in async/deferred handler, sleep(%d)", seconds);
312  sleep(seconds);
313 
314  /* write config options to openvpn */
 /* the result decides the verdict written below */
315  int ret = write_cc_options_file(name, envp);
316 
317  /* by setting "UV_WANT_CC_FAIL" we can be triggered to fail */
318  const char *p = get_env("UV_WANT_CC_FAIL", envp);
319  if (p)
320  {
321  plugin_log(PLOG_NOTE, MODULE, "env has UV_WANT_CC_FAIL=%s -> fail", p);
 /* (line 322, not shown in this rendering, presumably sets ret to an
 * error value) */
323  }
324 
325  /* now signal success/failure state to openvpn */
 /* second open: the descriptor was closed before fork(); the single byte
 * written at offset 0 replaces the pending marker */
326  fd = open(ccd_file, O_WRONLY);
327  if (fd < 0)
328  {
329  plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "open('%s') failed", ccd_file);
330  exit(1);
331  }
332 
333  plugin_log(PLOG_NOTE, MODULE, "cc_handle_deferred_v1: done, signalling %s",
334  (ret == OPENVPN_PLUGIN_FUNC_SUCCESS) ? "success" : "fail" );
335 
336  if (write(fd, (ret == OPENVPN_PLUGIN_FUNC_SUCCESS) ? "1" : "0", 1) != 1)
337  {
338  plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "write to '%s' failed", ccd_file );
339  }
340  close(fd);
341 
342  exit(0);
343 }
344 
 /*
 * CLIENT_CONNECT (v1) hook: optionally log argv/envp, then either hand off
 * to cc_handle_deferred_v1() (UV_WANT_CC_ASYNC set), fail (UV_WANT_CC_FAIL
 * set) or synchronously write the options file.
 *
 * The first signature line (346, "openvpn_plugin_client_connect(struct
 * plugin_context *context," per the symbol index) and the error return on
 * line 383 are not shown in this rendering.
 *
 * @param context  our plugin context (only verb is read here)
 * @param argv     argv[0] = plugin name, argv[1] = options temp file
 * @param envp     per-client environment handed over by OpenVPN
 * @return whatever cc_handle_deferred_v1() or write_cc_options_file()
 *         returns, or the error value on line 383
 */
345 int
347  const char **argv,
348  const char **envp)
349 {
350  /* log environment variables handed to us by OpenVPN, but
351  * only if "setenv verb" is 3 or higher (arbitrary number)
 *
 * NOTE(review): this dumps the whole per-client environment into the
 * server log. Fine for a test vehicle; do not copy the pattern into a
 * production plugin without checking what OpenVPN puts into envp.
352  */
353  if (context->verb>=3)
354  {
355  for (int i = 0; argv[i]; i++)
356  {
357  plugin_log(PLOG_NOTE, MODULE, "per-client argv: %s", argv[i]);
358  }
359  for (int i = 0; envp[i]; i++)
360  {
361  plugin_log(PLOG_NOTE, MODULE, "per-client env: %s", envp[i]);
362  }
363  }
364 
365  /* by setting "UV_WANT_CC_ASYNC" we go to async/deferred mode */
366  const char *p = get_env("UV_WANT_CC_ASYNC", envp);
367  if (p)
368  {
369  /* the return value will usually be OPENVPN_PLUGIN_FUNC_DEFERRED
370  * ("I will do my job in the background, check the status file!")
371  * but depending on env setup it might be "..._ERROR"
 *
 * atoi(p) is the number of seconds the background child sleeps;
 * a non-numeric value means 0
372  */
373  return cc_handle_deferred_v1(atoi(p), argv[1], envp);
374  }
375 
376  /* -- this is synchronous mode (openvpn waits for us) -- */
377 
378  /* by setting "UV_WANT_CC_FAIL" we can be triggered to fail */
379  p = get_env("UV_WANT_CC_FAIL", envp);
380  if (p)
381  {
382  plugin_log(PLOG_NOTE, MODULE, "env has UV_WANT_CC_FAIL=%s -> fail", p);
384  }
385 
386  /* does the caller want options? give them some */
387  int ret = write_cc_options_file(argv[1], envp);
388 
389  return ret;
390 }
391 
 /*
 * CLIENT_CONNECT_V2 hook: hand OpenVPN a one-node string list with
 * name="config" and the per-client config as value, or set up the
 * per-client context for the DEFER_V2 handler when UV_WANT_CC2_ASYNC is set.
 *
 * The first signature line (393, "openvpn_plugin_client_connect_v2(struct
 * plugin_context *context," per the symbol index) and the return lines
 * 426, 433, 441, 457 and 462 are not shown in this rendering.
 *
 * @param context      our plugin context (unused here)
 * @param pcc          per-client context from the constructor; written to
 *                     only in the async case
 * @param envp         per-client environment handed over by OpenVPN
 * @param return_list  receives the malloc()ed list; the caller frees it
 *                     (see the comment block above write_cc_options_file)
 * @return success/deferred/error value per the path taken (lines not shown)
 */
392 int
394  struct plugin_per_client_context *pcc,
395  const char **envp,
396  struct openvpn_plugin_string_list **return_list)
397 {
398  /* by setting "UV_WANT_CC2_ASYNC" we go to async/deferred mode */
399  const char *want_async = get_env("UV_WANT_CC2_ASYNC", envp);
400  const char *want_fail = get_env("UV_WANT_CC2_FAIL", envp);
401  const char *want_disable = get_env("UV_WANT_CC2_DISABLE", envp);
402 
403  /* config to push towards client - can be controlled by OpenVPN
404  * config ("setenv plugin_cc2_config ...") - mostly useful in a
405  * regression test environment to push stuff like routes which are
406  * then verified by t_client ping tests
407  */
408  const char *client_config = get_env("plugin_cc2_config", envp);
409  if (!client_config)
410  {
411  /* pick something meaningless which can be verified in client log */
412  client_config = "push \"setenv CC2 MOOH\"\n";
413  }
414 
415  if (want_async)
416  {
417  /* we do not do any really useful work here, so we just tell the
418  * "CLIENT_CONNECT_DEFER_V2" handler that it should sleep
419  * and then "do things" via the per-client-context
420  */
421  pcc->sleep_until = time(NULL) + atoi(want_async);
422  pcc->want_fail = (want_fail != NULL);
423  pcc->want_disable = (want_disable != NULL);
 /* NOTE(review): stores the pointer, not a copy -- when plugin_cc2_config
 * was set this points into envp, which must stay valid until the DEFER_V2
 * hook runs (confirm against the caller) */
424  pcc->client_config = client_config;
425  plugin_log(PLOG_NOTE, MODULE, "env has UV_WANT_CC2_ASYNC=%s -> set up deferred handler", want_async);
427  }
428 
429  /* by setting "UV_WANT_CC2_FAIL" we can be triggered to fail here */
430  if (want_fail)
431  {
432  plugin_log(PLOG_NOTE, MODULE, "env has UV_WANT_CC2_FAIL=%s -> fail", want_fail);
434  }
435 
436  struct openvpn_plugin_string_list *rl =
437  calloc(1, sizeof(struct openvpn_plugin_string_list));
438  if (!rl)
439  {
440  plugin_log(PLOG_ERR, MODULE, "malloc(return_list) failed");
442  }
 /* "config" is the list entry OpenVPN reads as per-client config; the
 * value "disable\n" rejects the client, anything else is applied */
443  rl->name = strdup("config");
444  if (want_disable)
445  {
446  plugin_log(PLOG_NOTE, MODULE, "env has UV_WANT_CC2_DISABLE, reject");
447  rl->value = strdup("disable\n");
448  }
449  else
450  {
451  rl->value = strdup(client_config);
452  }
453 
454  if (!rl->name || !rl->value)
455  {
456  plugin_log(PLOG_ERR, MODULE, "malloc(return_list->xx) failed");
 /* NOTE(review): rl and whichever of name/value did get allocated are
 * not freed before the error return on line 457 (not shown) -- a leak on
 * this path; openvpn_plugin_client_connect_defer_v2() has the same gap */
458  }
459 
460  *return_list = rl;
461 
463 }
464 
 /*
 * CLIENT_CONNECT_DEFER_V2 hook: polled by OpenVPN after connect_v2 asked
 * for deferral. Says "not yet" until pcc->sleep_until has passed, then
 * fails or builds the same one-node "config" list connect_v2 would have.
 *
 * Signature lines 466 ("openvpn_plugin_client_connect_defer_v2(struct
 * plugin_context *context," per the symbol index) and 468, and the return
 * lines 478, 485, 496, 512 and 517, are not shown in this rendering.
 *
 * @param context      our plugin context (unused here)
 * @param pcc          per-client context filled in by connect_v2
 * @param return_list  receives the malloc()ed list; the caller frees it
 * @return deferred-again (line 478, presumably) / error / success values
 */
465 int
467  struct plugin_per_client_context *pcc,
469  **return_list)
470 {
 /* time_t arithmetic; the (int) cast below is for the log format only */
471  time_t time_left = pcc->sleep_until - time(NULL);
472  plugin_log(PLOG_NOTE, MODULE, "defer_v2: seconds left=%d",
473  (int) time_left);
474 
475  /* not yet due? */
476  if (time_left > 0)
477  {
479  }
480 
481  /* client wants fail? */
482  if (pcc->want_fail)
483  {
484  plugin_log(PLOG_NOTE, MODULE, "env has UV_WANT_CC2_FAIL -> fail" );
486  }
487 
488  /* fill in RL according to with-disable / without-disable */
489 
490  /* TODO: unify this with non-deferred case */
491  struct openvpn_plugin_string_list *rl =
492  calloc(1, sizeof(struct openvpn_plugin_string_list));
493  if (!rl)
494  {
495  plugin_log(PLOG_ERR, MODULE, "malloc(return_list) failed");
497  }
498  rl->name = strdup("config");
499  if (pcc->want_disable)
500  {
501  plugin_log(PLOG_NOTE, MODULE, "env has UV_WANT_CC2_DISABLE, reject");
502  rl->value = strdup("disable\n");
503  }
504  else
505  {
 /* pcc->client_config was stored by connect_v2 and may point into that
 * call's envp -- see the NOTE on the struct member */
506  rl->value = strdup(pcc->client_config);
507  }
508 
509  if (!rl->name || !rl->value)
510  {
511  plugin_log(PLOG_ERR, MODULE, "malloc(return_list->xx) failed");
 /* NOTE(review): rl and the strdup() that succeeded are not freed before
 * the error return on line 512 (not shown) -- leaked on this path */
513  }
514 
515  *return_list = rl;
516 
518 }
519 
 /*
 * Hook dispatcher, called by OpenVPN for every event in the type mask set
 * in openvpn_plugin_open_v3().
 *
 * The first signature line (521, "openvpn_plugin_func_v2(
 * openvpn_plugin_handle_t handle," per the symbol index), most of the
 * `case` labels (lines 545, 549, 553, 557, 561, 571, 575, 579) and the
 * final return (586) did not survive this rendering; the log strings name
 * the hook each case handles.
 *
 * @param handle              the struct plugin_context from open_v3
 * @param type                OPENVPN_PLUGIN_* hook type
 * @param argv, envp          per-event arguments and environment
 * @param per_client_context  what openvpn_plugin_client_constructor_v1()
 *                            returned -- NULL if that calloc() failed, and
 *                            the V2 handlers dereference it unchecked
 * @param return_list         passed through to the V2 handlers
 * @return the handler's value for the CONNECT hooks, otherwise the value on
 *         line 586 (not shown; the comment below suggests plain success)
 */
520 OPENVPN_EXPORT int
522  const int type,
523  const char *argv[],
524  const char *envp[],
525  void *per_client_context,
526  struct openvpn_plugin_string_list **return_list)
527 {
528  struct plugin_context *context = (struct plugin_context *) handle;
529  struct plugin_per_client_context *pcc = (struct plugin_per_client_context *) per_client_context;
530 
531  /* for most functions, we just "don't do anything" but log the
532  * event received (so one can follow it in the log and understand
533  * the sequence of events). CONNECT and CONNECT_V2 are handled
534  */
535  switch (type)
536  {
537  case OPENVPN_PLUGIN_UP:
538  plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_UP");
539  break;
540 
541  case OPENVPN_PLUGIN_DOWN:
542  plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_DOWN");
543  break;
544 
546  plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_ROUTE_UP");
547  break;
548 
550  plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_IPCHANGE");
551  break;
552 
 /* log only: no certificate checking happens in this plugin, OpenVPN's
 * own TLS verification is unaffected */
554  plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_TLS_VERIFY");
555  break;
556 
558  plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_CLIENT_CONNECT");
559  return openvpn_plugin_client_connect(context, argv, envp);
560 
562  plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_CLIENT_CONNECT_V2");
563  return openvpn_plugin_client_connect_v2(context, pcc, envp,
564  return_list);
565 
566  case OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2:
567  plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2");
568  return openvpn_plugin_client_connect_defer_v2(context, pcc,
569  return_list);
570 
572  plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_CLIENT_DISCONNECT");
573  break;
574 
576  plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_LEARN_ADDRESS");
577  break;
578 
580  plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_TLS_FINAL");
581  break;
582 
583  default:
 /* style: only this message carries a trailing "\n"; the other
 * plugin_log() calls in this file have none */
584  plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_? type=%d\n", type);
585  }
587 }
588 
 /*
 * Per-client context factory; the signature line (590,
 * "openvpn_plugin_client_constructor_v1(openvpn_plugin_handle_t handle)"
 * per the symbol index) is not shown in this rendering. The object comes
 * back to us as per_client_context in every later hook and is released by
 * openvpn_plugin_client_destructor_v1().
 *
 * NOTE(review): the calloc() result is returned unchecked; a NULL here is
 * dereferenced without a test in the CLIENT_CONNECT_V2 handlers -- confirm
 * how OpenVPN treats a NULL per-client context.
 */
589 OPENVPN_EXPORT void *
591 {
 /* stdout rather than plugin_log(), unlike the hook handlers */
592  printf("FUNC: openvpn_plugin_client_constructor_v1\n");
593  return calloc(1, sizeof(struct plugin_per_client_context));
594 }
595 
 /*
 * Releases the per-client context from the constructor above. The
 * signature line (597, "openvpn_plugin_client_destructor_v1(
 * openvpn_plugin_handle_t handle, void *per_client_context)" per the
 * symbol index) is not shown in this rendering. free(NULL) is a no-op, so
 * an unchecked constructor result is safe to hand back here.
 */
596 OPENVPN_EXPORT void
598 {
599  printf("FUNC: openvpn_plugin_client_destructor_v1\n");
600  free(per_client_context);
601 }
602 
 /*
 * Plugin teardown: frees the struct plugin_context allocated in
 * openvpn_plugin_open_v3(). The signature line (604,
 * "openvpn_plugin_close_v1(openvpn_plugin_handle_t handle)" per the
 * symbol index) is not shown in this rendering.
 */
603 OPENVPN_EXPORT void
605 {
606  struct plugin_context *context = (struct plugin_context *) handle;
607  printf("FUNC: openvpn_plugin_close_v1\n");
608  free(context);
609 }