plugin: Extend the plug-in v3 API to identify the SSL implementation used
OpenVPN would segfault unexpectedly if it would be compiled against
PolarSSL
and the plug-in would expect OpenSSL, or vice-versa. This segfault would
not appear before the plug-in would try to access functions which would
be available if the plug-in and OpenVPN uses the same SSL implementation.
This patch adds a member to the plug-in initialisation function, which
identifies the SSL implementation.
The log_v3 plug-in is updated accordingly + a simple fix to make it
buildable again using the ./build script.
A minor documentation error in the openvpn-plugin.h was also
corrected, where it mentioned OPENVPN_PLUGIN_VERSION instead of
OPENVPN_PLUGINv3_STRUCTVER.
v2 - add const ovpnSSLAPI ssl_api at the end of
struct openvpn_plugin_args_open_in and not in the "middle"
v3 - fix bug in plug-in init, as the SSLAPI was located wrong in the
args struct sent to the openvpn_plugin_open_v3() function.
v4 - Ensure SSLAPI got a sane/known value if SSL is disabled or unknown
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1372879030-10576-1-git-send-email-dazo@users.sourceforge.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7754
Signed-off-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth authored on 2013/07/04 04:17:10Showing 5 changed files
- include/openvpn-plugin.h
- sample/sample-plugins/log/build
- sample/sample-plugins/log/log_v3.c
- src/openvpn/plugin.c
- src/openvpn/ssl_backend.h
| ... | ... |
@@ -201,10 +201,15 @@ struct openvpn_plugin_string_list |
| 201 | 201 |
* |
| 202 | 202 |
* Version Comment |
| 203 | 203 |
* 1 Initial plugin v3 structures providing the same API as |
| 204 |
- * the v2 plugin interface + X509 certificate information. |
|
| 204 |
+ * the v2 plugin interface, X509 certificate information + |
|
| 205 |
+ * a logging API for plug-ins. |
|
| 206 |
+ * |
|
| 207 |
+ * 2 Added ssl_api member in struct openvpn_plugin_args_open_in |
|
| 208 |
+ * which identifies the SSL implementation OpenVPN is compiled |
|
| 209 |
+ * against. |
|
| 205 | 210 |
* |
| 206 | 211 |
*/ |
| 207 |
-#define OPENVPN_PLUGINv3_STRUCTVER 1 |
|
| 212 |
+#define OPENVPN_PLUGINv3_STRUCTVER 2 |
|
| 208 | 213 |
|
| 209 | 214 |
/** |
| 210 | 215 |
* Definitions needed for the plug-in callback functions. |
| ... | ... |
@@ -260,6 +265,18 @@ struct openvpn_plugin_callbacks |
| 260 | 260 |
}; |
| 261 | 261 |
|
| 262 | 262 |
/** |
| 263 |
+ * Used by the openvpn_plugin_open_v3() function to indicate to the |
|
| 264 |
+ * plug-in what kind of SSL implementation OpenVPN uses. This is |
|
| 265 |
+ * to avoid SEGV issues when OpenVPN is complied against PolarSSL |
|
| 266 |
+ * and the plug-in against OpenSSL. |
|
| 267 |
+ */ |
|
| 268 |
+typedef enum {
|
|
| 269 |
+ SSLAPI_NONE, |
|
| 270 |
+ SSLAPI_OPENSSL, |
|
| 271 |
+ SSLAPI_POLARSSL |
|
| 272 |
+} ovpnSSLAPI; |
|
| 273 |
+ |
|
| 274 |
+/** |
|
| 263 | 275 |
* Arguments used to transport variables to the plug-in. |
| 264 | 276 |
* The struct openvpn_plugin_args_open_in is only used |
| 265 | 277 |
* by the openvpn_plugin_open_v3() function. |
| ... | ... |
@@ -286,6 +303,7 @@ struct openvpn_plugin_args_open_in |
| 286 | 286 |
const char ** const argv; |
| 287 | 287 |
const char ** const envp; |
| 288 | 288 |
struct openvpn_plugin_callbacks *callbacks; |
| 289 |
+ const ovpnSSLAPI ssl_api; |
|
| 289 | 290 |
}; |
| 290 | 291 |
|
| 291 | 292 |
|
| ... | ... |
@@ -557,7 +575,8 @@ OPENVPN_PLUGIN_DEF int OPENVPN_PLUGIN_FUNC(openvpn_plugin_func_v2) |
| 557 | 557 |
* ARGUMENTS |
| 558 | 558 |
* |
| 559 | 559 |
* version : fixed value, defines the API version of the OpenVPN plug-in API. The plug-in |
| 560 |
- * should validate that this value is matching the OPENVPN_PLUGIN_VERSION value. |
|
| 560 |
+ * should validate that this value is matching the OPENVPN_PLUGINv3_STRUCTVER |
|
| 561 |
+ * value. |
|
| 561 | 562 |
* |
| 562 | 563 |
* arguments : Structure with all arguments available to the plug-in. |
| 563 | 564 |
* |
| ... | ... |
@@ -85,6 +85,11 @@ openvpn_plugin_open_v3 (const int v3structver, |
| 85 | 85 |
return OPENVPN_PLUGIN_FUNC_ERROR; |
| 86 | 86 |
} |
| 87 | 87 |
|
| 88 |
+ if( args->ssl_api != SSLAPI_OPENSSL ) {
|
|
| 89 |
+ printf("This plug-in can only be used against OpenVPN with OpenSSL\n");
|
|
| 90 |
+ return OPENVPN_PLUGIN_FUNC_ERROR; |
|
| 91 |
+ } |
|
| 92 |
+ |
|
| 88 | 93 |
/* Which callbacks to intercept. */ |
| 89 | 94 |
ret->type_mask = |
| 90 | 95 |
OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_UP) | |
| ... | ... |
@@ -40,8 +40,8 @@ |
| 40 | 40 |
#include "error.h" |
| 41 | 41 |
#include "misc.h" |
| 42 | 42 |
#include "plugin.h" |
| 43 |
+#include "ssl_backend.h" |
|
| 43 | 44 |
#include "win32.h" |
| 44 |
- |
|
| 45 | 45 |
#include "memdbg.h" |
| 46 | 46 |
|
| 47 | 47 |
#define PLUGIN_SYMBOL_REQUIRED (1<<0) |
| ... | ... |
@@ -374,7 +374,8 @@ plugin_open_item (struct plugin *p, |
| 374 | 374 |
struct openvpn_plugin_args_open_in args = { p->plugin_type_mask,
|
| 375 | 375 |
(const char ** const) o->argv, |
| 376 | 376 |
(const char ** const) envp, |
| 377 |
- &callbacks }; |
|
| 377 |
+ &callbacks, |
|
| 378 |
+ SSLAPI }; |
|
| 378 | 379 |
struct openvpn_plugin_args_open_return retargs; |
| 379 | 380 |
|
| 380 | 381 |
CLEAR(retargs); |
| ... | ... |
@@ -36,10 +36,17 @@ |
| 36 | 36 |
#ifdef ENABLE_CRYPTO_OPENSSL |
| 37 | 37 |
#include "ssl_openssl.h" |
| 38 | 38 |
#include "ssl_verify_openssl.h" |
| 39 |
+#define SSLAPI SSLAPI_OPENSSL |
|
| 39 | 40 |
#endif |
| 40 | 41 |
#ifdef ENABLE_CRYPTO_POLARSSL |
| 41 | 42 |
#include "ssl_polarssl.h" |
| 42 | 43 |
#include "ssl_verify_polarssl.h" |
| 44 |
+#define SSLAPI SSLAPI_POLARSSL |
|
| 45 |
+#endif |
|
| 46 |
+ |
|
| 47 |
+/* Ensure that SSLAPI got a sane value if SSL is disabled or unknown */ |
|
| 48 |
+#ifndef SSLAPI |
|
| 49 |
+#define SSLAPI SSLAPI_NONE |
|
| 43 | 50 |
#endif |
| 44 | 51 |
|
| 45 | 52 |
/** |