@@ -194,6 +194,27 @@ AC_ARG_ENABLE(

 )

 AC_ARG_ENABLE(

+	[plugin-auth-pam],

+	[AS_HELP_STRING([--disable-plugin-auth-pam], [disable auth-pam plugin @<:@default=yes@:>@])],

+	,

+	[enable_plugin_auth_pam="yes"]

+)

+

+AC_ARG_ENABLE(

+	[plugin-down-root],

+	[AS_HELP_STRING([--disable-plugin-down-root], [disable down-root plugin @<:@default=yes@:>@])],

+	,

+	[enable_plugin_down_root="yes"]

+)

+

+AC_ARG_ENABLE(

+	[pam-dlopen],

+	[AS_HELP_STRING([--enable-pam-dlopen], [dlopen libpam @<:@default=no@:>@])],

+	,

+	[enable_pam_dlopen="no"]

+)

+

+AC_ARG_ENABLE(

 	[strict],

 	[AS_HELP_STRING([--enable-strict], [enable strict compiler warnings (debugging option) @<:@default=no@:>@])],

 	,

@@ -258,6 +279,14 @@ AC_ARG_WITH(

 	[with_crypto_library="openssl"]

 )

+AC_ARG_WITH(

+	[plugindir],

+	[AS_HELP_STRING([--with-plugindir], [plugin directory @<:@default=LIBDIR/openvpn@:>@])],

+	,

+	[with_plugindir="\$(libdir)/openvpn/plugins"]

+)

+

+

 AC_DEFINE_UNQUOTED([TARGET_ALIAS], ["${host}"], [A string representing our host])

 case "$host" in

 	*-*-linux*)

@@ -624,6 +653,16 @@ AC_CHECK_LIB(

 )

 AC_SUBST([SELINUX_LIBS])

+AC_ARG_VAR([LIBPAM_CFLAGS], [C compiler flags for libpam])

+AC_ARG_VAR([LIBPAM_LIBS], [linker flags for libpam])

+if test -z "${LIBPAM_LIBS}"; then

+	AC_CHECK_LIB(

+		[pam],

+		[pam_start],

+		[LIBPAM_LIBS="-lpam"]

+	)

+fi

+

 case "${with_mem_check}" in

 	valgrind)

 		AC_CHECK_HEADER(

@@ -894,6 +933,9 @@ if test "${enable_plugins}" = "yes"; then

 	OPTIONAL_DL_LIBS="${DL_LIBS}"

 	AC_DEFINE([ENABLE_PLUGIN], [1], [Enable systemd support])

 	test "${enable_eurephia}" = "yes" && AC_DEFINE([ENABLE_EUREPHIA], [1], [Enable support for the eurephia plug-in])

+else

+	enable_plugin_auth_pam="no"

+	enable_plugin_down_root="no"

 fi

 if test "${enable_iproute2}" = "yes"; then

@@ -945,6 +987,17 @@ if test "${WIN32}" = "yes"; then

 	test -z "${MAN2HTML}" && AC_MSG_ERROR([man2html is required for win32])

 fi

+if test "${enable_plugin_auth_pam}" = "yes"; then

+	PLUGIN_AUTH_PAM_CFLAGS="${LIBPAM_CFLAGS}"

+	if test "${enable_pam_dlopen}" = "yes"; then

+		AC_DEFINE([USE_PAM_DLOPEN], [1], [dlopen libpam])

+		PLUGIN_AUTH_PAM_LIBS="${DL_LIBS}"

+	else

+		test -z "${LIBPAM_LIBS}" && AC_MSG_ERROR([libpam required but missing])

+		PLUGIN_AUTH_PAM_LIBS="${LIBPAM_LIBS}"

+	fi

+fi

+

 CONFIGURE_DEFINES="`set | grep '^enable_.*=' ; set | grep '^with_.*='`"

 AC_DEFINE_UNQUOTED([CONFIGURE_DEFINES], ["`echo ${CONFIGURE_DEFINES}`"], [Configuration settings])

@@ -967,10 +1020,17 @@ AC_SUBST([OPTIONAL_LZO_LIBS])

 AC_SUBST([OPTIONAL_PKCS11_HELPER_CFLAGS])

 AC_SUBST([OPTIONAL_PKCS11_HELPER_LIBS])

+AC_SUBST([PLUGIN_AUTH_PAM_CFLAGS])

+AC_SUBST([PLUGIN_AUTH_PAM_LIBS])

+

 AM_CONDITIONAL([WIN32], [test "${WIN32}" = "yes"])

 AM_CONDITIONAL([GIT_CHECKOUT], [test "${GIT_CHECKOUT}" = "yes"])

+AM_CONDITIONAL([ENABLE_PLUGIN_AUTH_PAM], [test "${enable_plugin_auth_pam}" = "yes"])

+AM_CONDITIONAL([ENABLE_PLUGIN_DOWN_ROOT], [test "${enable_plugin_down_root}" = "yes"])

+plugindir="${with_plugindir}"

 sampledir="\$(docdir)/sample"

+AC_SUBST([plugindir])

 AC_SUBST([sampledir])

 AC_CONFIG_FILES([

@@ -987,6 +1047,9 @@ AC_CONFIG_FILES([

 	src/compat/Makefile

 	src/openvpn/Makefile

 	src/openvpnserv/Makefile

+	src/plugins/Makefile

+	src/plugins/auth-pam/Makefile

+	src/plugins/down-root/Makefile

 	tests/Makefile

 	sample/Makefile

 	doc/Makefile

@@ -83,13 +83,6 @@ Development support for OpenVPN.

 %endif

 #

-# Should we build the auth-pam module?

-#

-

-%define build_auth_pam 1

-%{?without_pam:%define build_auth_pam 0}

-

-#

 # Other definitions

 #

@@ -108,20 +101,9 @@ Development support for OpenVPN.

 	--docdir="%{_docdir}/%{name}-%{version}" \

 	%{?with_password_save:--enable-password-save} \

 	%{!?without_lzo:--enable-lzo} \

-	%{?with_pkcs11:--enable-pkcs11}

-%__make

-

-# Build down-root plugin

-pushd src/plugins/down-root

+	%{?with_pkcs11:--enable-pkcs11} \

+	%{?without_pam:--disable-plugin-auth-pam}

 %__make

-popd

-

-# Build auth-pam plugin

-%if %{build_auth_pam}

-pushd src/plugins/auth-pam

-%__make

-popd

-%endif

 #

 # Installation section

@@ -143,29 +125,8 @@ popd

 # Install /etc/openvpn

 %__install -c -d -m 755 "%{buildroot}/etc/%{name}"

-#

-# Build /usr/share/openvpn

-#

-

-%__mkdir_p %{buildroot}%{_datadir}/%{name}

-

-#

-# Install the plugins

-#

-

-%__mkdir_p "%{buildroot}%{_datadir}/%{name}/plugins/lib"

-

-for pi in auth-pam down-root; do

-  %__mv -f src/plugins/$pi/README src/plugins/README.$pi

-  if [ -e src/plugins/$pi/openvpn-$pi.so ]; then

-    %__install -c -m 755 src/plugins/$pi/openvpn-$pi.so "%{buildroot}%{_datadir}/openvpn/plugins/lib/openvpn-$pi.so"

-  fi

-done

-

-%__mv -f src/plugins/README src/plugins/README.plugins

-

 # Install extra %doc stuff

-cp -r AUTHORS ChangeLog NEWS contrib/ sample/ src/plugins/README.* \

+cp -r AUTHORS ChangeLog NEWS contrib/ sample/ \

 	"%{buildroot}/%{_docdir}/%{name}-%{version}"

 #

@@ -218,7 +179,7 @@ fi

 %defattr(-,root,root)

 %{_mandir}

 %{_sbindir}/%{name}

-%{_datadir}/%{name}

+%{_libdir}/%{name}

 %{_docdir}/%{name}-%{version}

 %dir /etc/%{name}

 %if "%{VENDOR}" == "SuSE"

@@ -17,8 +17,11 @@ CLEANFILES = openvpn.8.html

 dist_doc_DATA = \

 	management-notes.txt

+dist_noinst_DATA = \

+	README.plugins

+

 if WIN32

-dist_noinst_DATA = openvpn.8

+dist_noinst_DATA += openvpn.8

 nodist_html_DATA = openvpn.8.html

 openvpn.8.html: $(srcdir)/openvpn.8

 	$(MAN2HTML) < $(srcdir)/openvpn.8 > openvpn.8.html

new file mode 100644

@@ -0,0 +1,47 @@

+OpenVPN Plugins

+---------------

+

+Starting with OpenVPN 2.0-beta17, compiled plugin modules are

+supported on any *nix OS which includes libdl or on Windows.

+One or more modules may be loaded into OpenVPN using

+the --plugin directive, and each plugin module is capable of

+intercepting any of the script callbacks which OpenVPN supports:

+

+(1) up

+(2) down

+(3) route-up

+(4) ipchange

+(5) tls-verify

+(6) auth-user-pass-verify

+(7) client-connect

+(8) client-disconnect

+(9) learn-address

+

+See the openvpn-plugin.h file in the top-level directory of the

+OpenVPN source distribution for more detailed information

+on the plugin interface.

+

+Included Plugins

+----------------

+

+auth-pam -- Authenticate using PAM and a split privilege

+            execution model which functions even if

+            root privileges or the execution environment

+            have been altered with --user/--group/--chroot.

+            Tested on Linux only.

+

+down-root -- Enable the running of down scripts with root privileges

+             even if --user/--group/--chroot have been used

+             to drop root privileges or change the execution

+             environment.  Not applicable on Windows.

+

+examples -- A simple example that demonstrates a portable

+            plugin, i.e. one which can be built for *nix

+            or Windows from the same source.

+

+Building Plugins

+----------------

+

+cd to the top-level directory of a plugin, and use the

+"make" command to build it.  The examples plugin is

+built using a build script, not a makefile.

@@ -13,6 +13,7 @@ MAINTAINERCLEANFILES = \

 	$(srcdir)/Makefile.in

 EXTRA_DIST = \

+	sample-plugins \

 	sample-config-files \

 	sample-windows \

 	sample-keys \

new file mode 100644

@@ -0,0 +1,16 @@

+OpenVPN plugin examples.

+

+Examples provided:

+

+simple.c -- using the --auth-user-pass-verify callback,

+            test deferred authentication.

+

+To build:

+

+  ./build simple (Linux/BSD/etc.)

+  ./winbuild simple (MinGW on Windows)

+

+To use in OpenVPN, add to config file:

+

+  plugin simple.so (Linux/BSD/etc.)

+  plugin simple.dll (MinGW on Windows)

new file mode 100755

@@ -0,0 +1,15 @@

+#!/bin/sh

+

+#

+# Build an OpenVPN plugin module on *nix.  The argument should

+# be the base name of the C source file (without the .c).

+#

+

+# This directory is where we will look for openvpn-plugin.h

+CPPFLAGS="${CPPFLAGS:--I../../../include}"

+

+CC="${CC:-gcc}"

+CFLAGS="${CFLAGS:--O2 -Wall -g}"

+

+$CC $CPPFLAGS $CFLAGS -fPIC -c $1.c && \

+$CC $CFLAGS -fPIC -shared ${LDFLAS} -Wl,-soname,$1.so -o $1.so $1.o -lc

new file mode 100644

@@ -0,0 +1,305 @@

+/*

+ *  OpenVPN -- An application to securely tunnel IP networks

+ *             over a single TCP/UDP port, with support for SSL/TLS-based

+ *             session authentication and key exchange,

+ *             packet encryption, packet authentication, and

+ *             packet compression.

+ *

+ *  Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>

+ *

+ *  This program is free software; you can redistribute it and/or modify

+ *  it under the terms of the GNU General Public License version 2

+ *  as published by the Free Software Foundation.

+ *

+ *  This program is distributed in the hope that it will be useful,

+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of

+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ *  GNU General Public License for more details.

+ *

+ *  You should have received a copy of the GNU General Public License

+ *  along with this program (see the file COPYING included with this

+ *  distribution); if not, write to the Free Software Foundation, Inc.,

+ *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

+ */

+

+/*

+ * This file implements a simple OpenVPN plugin module which

+ * will test deferred authentication and packet filtering.

+ * 

+ * Will run on Windows or *nix.

+ *

+ * Sample usage:

+ *

+ * setenv test_deferred_auth 20

+ * setenv test_packet_filter 10

+ * plugin plugin/defer/simple.so

+ *

+ * This will enable deferred authentication to occur 20

+ * seconds after the normal TLS authentication process,

+ * and will cause a packet filter file to be generated 10

+ * seconds after the initial TLS negotiation, using

+ * {common-name}.pf as the source.

+ *

+ * Sample packet filter configuration:

+ *

+ * [CLIENTS DROP]

+ * +otherclient

+ * [SUBNETS DROP]

+ * +10.0.0.0/8

+ * -10.10.0.8

+ * [END]

+ *

+ * See the README file for build instructions.

+ */

+

+#include <stdio.h>

+#include <string.h>

+#include <stdlib.h>

+

+#include "openvpn-plugin.h"

+

+/* bool definitions */

+#define bool int

+#define true 1

+#define false 0

+

+/*

+ * Our context, where we keep our state.

+ */

+

+struct plugin_context {

+  int test_deferred_auth;

+  int test_packet_filter;

+};

+

+struct plugin_per_client_context {

+  int n_calls;

+  bool generated_pf_file;

+};

+

+/*

+ * Given an environmental variable name, search

+ * the envp array for its value, returning it

+ * if found or NULL otherwise.

+ */

+static const char *

+get_env (const char *name, const char *envp[])

+{

+  if (envp)

+    {

+      int i;

+      const int namelen = strlen (name);

+      for (i = 0; envp[i]; ++i)

+	{

+	  if (!strncmp (envp[i], name, namelen))

+	    {

+	      const char *cp = envp[i] + namelen;

+	      if (*cp == '=')

+		return cp + 1;

+	    }

+	}

+    }

+  return NULL;

+}

+

+/* used for safe printf of possible NULL strings */

+static const char *

+np (const char *str)

+{

+  if (str)

+    return str;

+  else

+    return "[NULL]";

+}

+

+static int

+atoi_null0 (const char *str)

+{

+  if (str)

+    return atoi (str);

+  else

+    return 0;

+}

+

+OPENVPN_EXPORT openvpn_plugin_handle_t

+openvpn_plugin_open_v1 (unsigned int *type_mask, const char *argv[], const char *envp[])

+{

+  struct plugin_context *context;

+

+  printf ("FUNC: openvpn_plugin_open_v1\n");

+

+  /*

+   * Allocate our context

+   */

+  context = (struct plugin_context *) calloc (1, sizeof (struct plugin_context));

+

+  context->test_deferred_auth = atoi_null0 (get_env ("test_deferred_auth", envp));

+  printf ("TEST_DEFERRED_AUTH %d\n", context->test_deferred_auth);

+

+  context->test_packet_filter = atoi_null0 (get_env ("test_packet_filter", envp));

+  printf ("TEST_PACKET_FILTER %d\n", context->test_packet_filter);

+

+  /*

+   * Which callbacks to intercept.

+   */

+  *type_mask =

+    OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_UP) |

+    OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_DOWN) |

+    OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_ROUTE_UP) |

+    OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_IPCHANGE) |

+    OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_TLS_VERIFY) |

+    OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) |

+    OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_CLIENT_CONNECT_V2) |

+    OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_CLIENT_DISCONNECT) |

+    OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_LEARN_ADDRESS) |

+    OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_TLS_FINAL) |

+    OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_ENABLE_PF);

+

+  return (openvpn_plugin_handle_t) context;

+}

+

+static int

+auth_user_pass_verify (struct plugin_context *context, struct plugin_per_client_context *pcc, const char *argv[], const char *envp[])

+{

+  if (context->test_deferred_auth)

+    {

+      /* get username/password from envp string array */

+      const char *username = get_env ("username", envp);

+      const char *password = get_env ("password", envp);

+

+      /* get auth_control_file filename from envp string array*/

+      const char *auth_control_file = get_env ("auth_control_file", envp);

+

+      printf ("DEFER u='%s' p='%s' acf='%s'\n",

+	      np(username),

+	      np(password),

+	      np(auth_control_file));

+

+      /* Authenticate asynchronously in n seconds */

+      if (auth_control_file)

+	{

+	  char buf[256];

+	  int auth = 2;

+	  sscanf (username, "%d", &auth);

+	  snprintf (buf, sizeof(buf), "( sleep %d ; echo AUTH %s %d ; echo %d >%s ) &",

+		    context->test_deferred_auth,

+		    auth_control_file,

+		    auth,

+		    pcc->n_calls < auth,

+		    auth_control_file);

+	  printf ("%s\n", buf);

+	  system (buf);

+	  pcc->n_calls++;

+	  return OPENVPN_PLUGIN_FUNC_DEFERRED;

+	}

+      else

+	return OPENVPN_PLUGIN_FUNC_ERROR;

+    }

+  else

+    return OPENVPN_PLUGIN_FUNC_SUCCESS;

+}

+

+static int

+tls_final (struct plugin_context *context, struct plugin_per_client_context *pcc, const char *argv[], const char *envp[])

+{

+  if (context->test_packet_filter)

+    {

+      if (!pcc->generated_pf_file)

+	{

+	  const char *pff = get_env ("pf_file", envp);

+	  const char *cn = get_env ("username", envp);

+	  if (pff && cn)

+	    {

+	      char buf[256];

+	      snprintf (buf, sizeof(buf), "( sleep %d ; echo PF %s/%s ; cp \"%s.pf\" \"%s\" ) &",

+			context->test_packet_filter, cn, pff, cn, pff);

+	      printf ("%s\n", buf);

+	      system (buf);

+	      pcc->generated_pf_file = true;

+	      return OPENVPN_PLUGIN_FUNC_SUCCESS;

+	    }

+	  else

+	    return OPENVPN_PLUGIN_FUNC_ERROR;

+	}

+      else

+	return OPENVPN_PLUGIN_FUNC_ERROR;

+    }

+  else

+    return OPENVPN_PLUGIN_FUNC_SUCCESS;

+}

+

+OPENVPN_EXPORT int

+openvpn_plugin_func_v2 (openvpn_plugin_handle_t handle,

+			const int type,

+			const char *argv[],

+			const char *envp[],

+			void *per_client_context,

+			struct openvpn_plugin_string_list **return_list)

+{

+  struct plugin_context *context = (struct plugin_context *) handle;

+  struct plugin_per_client_context *pcc = (struct plugin_per_client_context *) per_client_context;

+  switch (type)

+    {

+    case OPENVPN_PLUGIN_UP:

+      printf ("OPENVPN_PLUGIN_UP\n");

+      return OPENVPN_PLUGIN_FUNC_SUCCESS;

+    case OPENVPN_PLUGIN_DOWN:

+      printf ("OPENVPN_PLUGIN_DOWN\n");

+      return OPENVPN_PLUGIN_FUNC_SUCCESS;

+    case OPENVPN_PLUGIN_ROUTE_UP:

+      printf ("OPENVPN_PLUGIN_ROUTE_UP\n");

+      return OPENVPN_PLUGIN_FUNC_SUCCESS;

+    case OPENVPN_PLUGIN_IPCHANGE:

+      printf ("OPENVPN_PLUGIN_IPCHANGE\n");

+      return OPENVPN_PLUGIN_FUNC_SUCCESS;

+    case OPENVPN_PLUGIN_TLS_VERIFY:

+      printf ("OPENVPN_PLUGIN_TLS_VERIFY\n");

+      return OPENVPN_PLUGIN_FUNC_SUCCESS;

+    case OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY:

+      printf ("OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY\n");

+      return auth_user_pass_verify (context, pcc, argv, envp);

+    case OPENVPN_PLUGIN_CLIENT_CONNECT_V2:

+      printf ("OPENVPN_PLUGIN_CLIENT_CONNECT_V2\n");

+      return OPENVPN_PLUGIN_FUNC_SUCCESS;

+    case OPENVPN_PLUGIN_CLIENT_DISCONNECT:

+      printf ("OPENVPN_PLUGIN_CLIENT_DISCONNECT\n");

+      return OPENVPN_PLUGIN_FUNC_SUCCESS;

+    case OPENVPN_PLUGIN_LEARN_ADDRESS:

+      printf ("OPENVPN_PLUGIN_LEARN_ADDRESS\n");

+      return OPENVPN_PLUGIN_FUNC_SUCCESS;

+    case OPENVPN_PLUGIN_TLS_FINAL:

+      printf ("OPENVPN_PLUGIN_TLS_FINAL\n");

+      return tls_final (context, pcc, argv, envp);

+    case OPENVPN_PLUGIN_ENABLE_PF:

+      printf ("OPENVPN_PLUGIN_ENABLE_PF\n");

+      if (context->test_packet_filter)

+	return OPENVPN_PLUGIN_FUNC_SUCCESS;

+      else

+	return OPENVPN_PLUGIN_FUNC_ERROR;

+    default:

+      printf ("OPENVPN_PLUGIN_?\n");

+      return OPENVPN_PLUGIN_FUNC_ERROR;

+    }

+}

+

+OPENVPN_EXPORT void *

+openvpn_plugin_client_constructor_v1 (openvpn_plugin_handle_t handle)

+{

+  printf ("FUNC: openvpn_plugin_client_constructor_v1\n");

+  return calloc (1, sizeof (struct plugin_per_client_context));

+}

+

+OPENVPN_EXPORT void

+openvpn_plugin_client_destructor_v1 (openvpn_plugin_handle_t handle, void *per_client_context)

+{

+  printf ("FUNC: openvpn_plugin_client_destructor_v1\n");

+  free (per_client_context);

+}

+

+OPENVPN_EXPORT void

+openvpn_plugin_close_v1 (openvpn_plugin_handle_t handle)

+{

+  struct plugin_context *context = (struct plugin_context *) handle;

+  printf ("FUNC: openvpn_plugin_close_v1\n");

+  free (context);

+}

new file mode 100755

@@ -0,0 +1,6 @@

+LIBRARY   OpenVPN_PLUGIN_SAMPLE

+DESCRIPTION "Sample OpenVPN plug-in module."

+EXPORTS

+   openvpn_plugin_open_v1   @1

+   openvpn_plugin_func_v1   @2

+   openvpn_plugin_close_v1  @3

new file mode 100755

@@ -0,0 +1,18 @@

+#

+# Build an OpenVPN plugin module on Windows/MinGW.

+# The argument should be the base name of the C source file

+# (without the .c).

+#

+

+# This directory is where we will look for openvpn-plugin.h

+INCLUDE="-I../../../build"

+

+CC_FLAGS="-O2 -Wall"

+

+gcc -DBUILD_DLL $CC_FLAGS $INCLUDE -c $1.c

+gcc --disable-stdcall-fixup -mdll -DBUILD_DLL -o junk.tmp -Wl,--base-file,base.tmp $1.o

+rm junk.tmp

+dlltool --dllname $1.dll --base-file base.tmp --output-exp temp.exp --input-def $1.def

+rm base.tmp

+gcc --enable-stdcall-fixup -mdll -DBUILD_DLL -o $1.dll $1.o -Wl,temp.exp

+rm temp.exp

new file mode 100755

@@ -0,0 +1,15 @@

+#!/bin/sh

+

+#

+# Build an OpenVPN plugin module on *nix.  The argument should

+# be the base name of the C source file (without the .c).

+#

+

+# This directory is where we will look for openvpn-plugin.h

+CPPFLAGS="${CPPFLAGS:--I../../..}"

+

+CC="${CC:-gcc}"

+CFLAGS="${CFLAGS:--O2 -Wall -g}"

+

+$CC $CPPFLAGS $CFLAGS -fPIC -c $1.c && \

+$CC $CFLAGS -fPIC -shared $LDFLAGS -Wl,-soname,$1.so -o $1.so $1.o -lc

new file mode 100644

@@ -0,0 +1,184 @@

+/*

+ *  OpenVPN -- An application to securely tunnel IP networks

+ *             over a single TCP/UDP port, with support for SSL/TLS-based

+ *             session authentication and key exchange,

+ *             packet encryption, packet authentication, and

+ *             packet compression.

+ *

+ *  Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>

+ *

+ *  This program is free software; you can redistribute it and/or modify

+ *  it under the terms of the GNU General Public License version 2

+ *  as published by the Free Software Foundation.

+ *

+ *  This program is distributed in the hope that it will be useful,

+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of

+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ *  GNU General Public License for more details.

+ *

+ *  You should have received a copy of the GNU General Public License

+ *  along with this program (see the file COPYING included with this

+ *  distribution); if not, write to the Free Software Foundation, Inc.,

+ *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

+ */

+

+/*

+ * This plugin is similar to simple.c, except it also logs extra information

+ * to stdout for every plugin method called by OpenVPN.

+ *

+ * See the README file for build instructions.

+ */

+

+#include <stdio.h>

+#include <string.h>

+#include <stdlib.h>

+

+#include "openvpn-plugin.h"

+

+/*

+ * Our context, where we keep our state.

+ */

+struct plugin_context {

+  const char *username;

+  const char *password;

+};

+

+/*

+ * Given an environmental variable name, search

+ * the envp array for its value, returning it

+ * if found or NULL otherwise.

+ */

+static const char *

+get_env (const char *name, const char *envp[])

+{

+  if (envp)

+    {

+      int i;

+      const int namelen = strlen (name);

+      for (i = 0; envp[i]; ++i)

+	{

+	  if (!strncmp (envp[i], name, namelen))

+	    {

+	      const char *cp = envp[i] + namelen;

+	      if (*cp == '=')

+		return cp + 1;

+	    }

+	}

+    }

+  return NULL;

+}

+

+OPENVPN_EXPORT openvpn_plugin_handle_t

+openvpn_plugin_open_v1 (unsigned int *type_mask, const char *argv[], const char *envp[])

+{

+  struct plugin_context *context;

+

+  /*

+   * Allocate our context

+   */

+  context = (struct plugin_context *) calloc (1, sizeof (struct plugin_context));

+

+  /*

+   * Set the username/password we will require.

+   */

+  context->username = "foo";

+  context->password = "bar";

+

+  /*

+   * Which callbacks to intercept.

+   */

+  *type_mask =

+    OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_UP) |

+    OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_DOWN) |

+    OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_ROUTE_UP) |

+    OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_IPCHANGE) |

+    OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_TLS_VERIFY) |

+    OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) |

+    OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_CLIENT_CONNECT_V2) |

+    OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_CLIENT_DISCONNECT) |

+    OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_LEARN_ADDRESS) |

+    OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_TLS_FINAL);

+

+  return (openvpn_plugin_handle_t) context;

+}

+

+void

+show (const int type, const char *argv[], const char *envp[])

+{

+  size_t i;

+  switch (type)

+    {

+    case OPENVPN_PLUGIN_UP:

+      printf ("OPENVPN_PLUGIN_UP\n");

+      break;

+    case OPENVPN_PLUGIN_DOWN:

+      printf ("OPENVPN_PLUGIN_DOWN\n");

+      break;

+    case OPENVPN_PLUGIN_ROUTE_UP:

+      printf ("OPENVPN_PLUGIN_ROUTE_UP\n");

+      break;

+    case OPENVPN_PLUGIN_IPCHANGE:

+      printf ("OPENVPN_PLUGIN_IPCHANGE\n");

+      break;

+    case OPENVPN_PLUGIN_TLS_VERIFY:

+      printf ("OPENVPN_PLUGIN_TLS_VERIFY\n");

+      break;

+    case OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY:

+      printf ("OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY\n");

+      break;

+    case OPENVPN_PLUGIN_CLIENT_CONNECT_V2:

+      printf ("OPENVPN_PLUGIN_CLIENT_CONNECT_V2\n");

+      break;

+    case OPENVPN_PLUGIN_CLIENT_DISCONNECT:

+      printf ("OPENVPN_PLUGIN_CLIENT_DISCONNECT\n");

+      break;

+    case OPENVPN_PLUGIN_LEARN_ADDRESS:

+      printf ("OPENVPN_PLUGIN_LEARN_ADDRESS\n");

+      break;

+    case OPENVPN_PLUGIN_TLS_FINAL:

+      printf ("OPENVPN_PLUGIN_TLS_FINAL\n");

+      break;

+    default:

+      printf ("OPENVPN_PLUGIN_?\n");

+      break;

+    }

+

+  printf ("ARGV\n");

+  for (i = 0; argv[i] != NULL; ++i)

+    printf ("%d '%s'\n", (int)i, argv[i]);

+

+  printf ("ENVP\n");

+  for (i = 0; envp[i] != NULL; ++i)

+    printf ("%d '%s'\n", (int)i, envp[i]);

+}

+

+OPENVPN_EXPORT int

+openvpn_plugin_func_v1 (openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[])

+{

+  struct plugin_context *context = (struct plugin_context *) handle;

+

+  show (type, argv, envp);

+

+  /* check entered username/password against what we require */

+  if (type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)

+    {

+      /* get username/password from envp string array */

+      const char *username = get_env ("username", envp);

+      const char *password = get_env ("password", envp);

+

+      if (username && !strcmp (username, context->username)

+	  && password && !strcmp (password, context->password))

+	return OPENVPN_PLUGIN_FUNC_SUCCESS;

+      else

+	return OPENVPN_PLUGIN_FUNC_ERROR;

+    }

+  else

+    return OPENVPN_PLUGIN_FUNC_SUCCESS;

+}

+

+OPENVPN_EXPORT void

+openvpn_plugin_close_v1 (openvpn_plugin_handle_t handle)

+{

+  struct plugin_context *context = (struct plugin_context *) handle;

+  free (context);

+}

new file mode 100644

@@ -0,0 +1,247 @@

+/*

+ *  OpenVPN -- An application to securely tunnel IP networks

+ *             over a single TCP/UDP port, with support for SSL/TLS-based

+ *             session authentication and key exchange,

+ *             packet encryption, packet authentication, and

+ *             packet compression.

+ *

+ *  Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sales@openvpn.net>

+ *  Copyright (C) 2010 David Sommerseth <dazo@users.sourceforge.net>

+ *

+ *  This program is free software; you can redistribute it and/or modify

+ *  it under the terms of the GNU General Public License version 2

+ *  as published by the Free Software Foundation.

+ *