mirror of https://github.com/OpenVPN/openvpn.git synced 2024-09-20 03:52:28 +02:00
openvpn/sample/sample-plugins
Gert Doering 452e016cba clean up / rewrite sample-plugins/defer/simple.c
If we ship something that we consider a form of documentation
"this is how to write an OpenVPN plugin" it should meet our standards
for secure and modern code.  This plugin did neither.

  - get rid of system() calls, especially those that enabled a
    remote-root exploit if this code was used "as is"

  - change logging from printf() to OpenVPN's plugin_log()

  - this requires changing to openvpn_plugin_open_v3() to get
    to the function pointers

  - change wacky "background and sleep in the shell call" to the
    double-fork/waitpid model we use in plugins/auth-pam
    (copy-paste code reuse)

  - OpenVPN 2.5 and later react badly to OPENVPN_PLUGIN_FUNC_ERROR
    returns to OPENVPN_PLUGIN_ENABLE_PF calls (SIGSEGV crash), so
    always return SUCCESS.  Only hook ENABLE_PF if that functionality
    is actually requested ("setenv test_packet_filter NN").

  - change deeply-nested functions auth_user_pass_verify() and
    tls_final() to use early-return style

  - actually make deferred PF setup *work* with recent OpenVPNs
    (pre-creating temp files broke this, so unlink() the pre-created
    file in the ENABLE_PF hook, and re-create asynchronously later)

  - add lots of comments explaining why we do things this way

Security issue reported by "oxr463" on HackerOne.

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210121172536.32500-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21466.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2021-01-23 14:28:43 +01:00
..
client-connect Remove NULL checks before calling free 2020-10-24 21:49:40 +02:00
defer clean up / rewrite sample-plugins/defer/simple.c 2021-01-23 14:28:43 +01:00
keying-material-exporter-demo sample-plugins: Partially autotoolize the sample-plugins build 2020-09-16 16:22:44 +02:00
log sample-plugins: Partially autotoolize the sample-plugins build 2020-09-16 16:22:44 +02:00
simple sample-plugins: Partially autotoolize the sample-plugins build 2020-09-16 16:22:44 +02:00
Makefile.am sample-plugins: Partially autotoolize the sample-plugins build 2020-09-16 16:22:44 +02:00
Makefile.plugins Add demo plugin that exercises "CLIENT_CONNECT" and "CLIENT_CONNECT_V2" paths 2020-09-18 07:54:10 +02:00
README Add demo plugin that exercises "CLIENT_CONNECT" and "CLIENT_CONNECT_V2" paths 2020-09-18 07:54:10 +02:00

OpenVPN plug-in examples.

Examples provided:

* authentication and logging
simple/simple.c -- using the --auth-user-pass-verify callback, verify
                   that the username/password is "foo"/"bar".
defer/simple.c  -- using the --auth-user-pass-verify callback,
                   test deferred authentication.
log/log.c       -- Extended variant of simple/simple.c which adds more
                   logging of what is happening inside the plug-in
log/log_v3.c    -- A variant of log/log.c, which makes use of the
                   OpenVPN plug-in v3 API.  This will also log even more
                   information related to certificates in use.

* client-connect (and logging)
client-connect/sample-client-connect -- demonstrate how to use the
                   CLIENT_CONNECT and CLIENT_CONNECT_V2 hooks to achieve
                   "per client configuration / logging / ..." actions,
                   both in synchronous and async/deferred mode

* cryptography related
simple/base64.c -- Example using the OpenVPN exported base64 encode/decode
                   functions
keying-material-exporter-demo/keyingmaterialexporter.c
                -- Example based on TLS Keying Material Exporters over HTTP [RFC-5705]
                   (openvpn/doc/keying-material-exporter.txt).  For more details, see
                   keying-material-exporter-demo/README


To build on *BSD/Linux platforms (requires GNU Make):

   gmake                   (builds a default set of plug-ins)
   gmake simple/simple.so

To build on Windows platform (MinGW):

   cd simple; ./winbuild simple.so

To use in OpenVPN, add to config file:

  plugin simple.so  (Linux/BSD/etc.)
  plugin simple.dll (Windows)
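
The double-fork/waitpid model that the commit message at the top of this page names as the replacement for system(), shown as an added example (not code from defer/simple.c or from the OpenVPN project). deferred_auth_verdict() is a hypothetical name; the sketch assumes the auth control file already exists and follows OpenVPN's deferred-auth convention of writing '1' to accept or '0' to reject.

```c
/* Added example; deferred_auth_verdict() is a hypothetical name. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Write verdict ('1' = accept, '0' = reject) to control_file after `delay`
 * seconds, without blocking the caller and without running a shell.
 * Returns 0 once the background worker is detached, -1 on error. */
int deferred_auth_verdict(const char *control_file, unsigned delay, char verdict)
{
    pid_t p1 = fork();
    if (p1 < 0)
        return -1;
    if (p1 > 0)
    {
        /* Caller: the first child exits at once, so this waitpid() returns
         * quickly and leaves no zombie behind. */
        int status;
        if (waitpid(p1, &status, 0) != p1)
            return -1;
        return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
    }

    /* First child: fork the worker and exit. The orphaned grandchild is
     * re-parented to init, which reaps it when it finishes. */
    pid_t p2 = fork();
    if (p2 != 0)
        _exit(p2 < 0 ? 1 : 0);

    /* Grandchild: the path reaches open() as plain data, so shell
     * metacharacters in it are never interpreted. */
    sleep(delay);
    int fd = open(control_file, O_WRONLY | O_TRUNC);
    if (fd < 0)
        _exit(1);
    ssize_t n = write(fd, &verdict, 1);
    close(fd);
    _exit(n == 1 ? 0 : 1);
}

int main(int argc, char **argv)
{
    /* Usage: ./a.out <existing control file>; accepts after 2 seconds. */
    if (argc != 2)
        return 2;
    return deferred_auth_verdict(argv[1], 2, '1') == 0 ? 0 : 1;
}
```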