From patchwork Thu Jan 21 06:25:36 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gert Doering X-Patchwork-Id: 1565 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director8.mail.ord1d.rsapps.net ([172.31.255.6]) by backend30.mail.ord1d.rsapps.net with LMTP id UA+aFWa5CWBGIgAAIUCqbw (envelope-from ) for ; Thu, 21 Jan 2021 12:27:02 -0500 Received: from proxy11.mail.iad3b.rsapps.net ([172.31.255.6]) by director8.mail.ord1d.rsapps.net with LMTP id UOhhFWa5CWARVgAAfY0hYg (envelope-from ) for ; Thu, 21 Jan 2021 12:27:02 -0500 Received: from smtp13.gate.iad3b ([172.31.255.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy11.mail.iad3b.rsapps.net with LMTPS id UKAgDWa5CWDjYwAARNREpw (envelope-from ) for ; Thu, 21 Jan 2021 12:27:02 -0500 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp13.gate.iad3b.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=greenie.muc.de X-Suspicious-Flag: YES X-Classification-ID: deafca14-5c0d-11eb-a18c-5254001dfc40-1-1 Received: from [216.105.38.7] ([216.105.38.7:50390] helo=lists.sourceforge.net) by smtp13.gate.iad3b.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 15/27-17419-569B9006; Thu, 21 Jan 2021 12:27:01 -0500 Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1l2dib-0000xl-HI; Thu, 21 Jan 2021 17:26:01 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1l2diZ-0000xV-P6 for openvpn-devel@lists.sourceforge.net; Thu, 21 Jan 2021 17:25:59 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=T2dS2yikzODwKlI/HmqT7CysY57bIKk0MIkk+QS5qNo=; b=j4u1JcN9MvmVkyhfA3Hwp7DQGE nvXpnC5kVff0VasFy2G9Wd5c+oG8nJIEL9LQ8W6FZj5XtrjCmTNMqPttOMm0mS7XpjJiRaJmq2x0l LkFNUJB3uMnkqc8MKS/cMOKnb/596L9V89JO7TV5gNE+6+paZuJc54zTN+kKtYSupzDg=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:Message-Id:Date:Subject:To:From: Sender:Reply-To:Cc:Content-Type:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To: References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post: List-Owner:List-Archive; bh=T2dS2yikzODwKlI/HmqT7CysY57bIKk0MIkk+QS5qNo=; b=A apnTWQDl76eUj/bDtAxsUWI8PcK3Bqj/1Wjqr9SSxGJDlcDQUF3+ZtDnRNcSLAshFd+hkfLAKKRC8 xPRv5W3Eqydhohftz7KyN4MEL2/A0rPKnk/u/E5xle5dtdLNLvzBKL+36tlf4mU34iFxyh/JnvUV+ V0c6rlYBMrSohIwc=; Received: from vmail1.greenie.net ([195.30.8.66]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.2) id 1l2diQ-003YF7-57 for openvpn-devel@lists.sourceforge.net; Thu, 21 Jan 2021 17:25:59 +0000 Received: from gentoo.ov.greenie.net (gentoo.ov.greenie.net [IPv6:2001:608:0:814:0:0:f000:11]) by vmail1.greenie.net (8.16.1/8.12.11) with SMTP id 10LHPasE048411 for ; Thu, 21 Jan 2021 18:25:36 +0100 (CET) Received: (nullmailer pid 32546 invoked by uid 1000); Thu, 21 Jan 2021 17:25:36 -0000 From: Gert Doering To: openvpn-devel@lists.sourceforge.net Date: Thu, 21 Jan 2021 18:25:36 +0100 Message-Id: <20210121172536.32500-1-gert@greenie.muc.de> X-Mailer: git-send-email 2.26.2 MIME-Version: 1.0 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.6.2 (vmail1.greenie.net [IPv6:2001:608:1:995a:20c:29ff:feb8:10eb]); Thu, 21 Jan 2021 18:25:36 +0100 (CET) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: muc.de] 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record X-Headers-End: 1l2diQ-003YF7-57 Subject: [Openvpn-devel] [PATCH] clean up / rewrite sample-plugins/defer/simple.c X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox If we ship something that we consider a form of documentation "this is how to write an OpenVPN plugin" it should meet our standards for secure and modern code. This plugin did neither. - get rid of system() calls, especially those that enabled a remote-root exploit if this code was used "as is" - change logging from printf() to OpenVPN's plugin_log() - this requires changing to openvpn_plugin_open_v3() to get to the function pointers - change wacky "background and sleep in the shell call" to the double-fork/waitpid model we use in plugins/auth-pam (copy-paste code reuse) - OpenVPN 2.5 and later react badly to OPENVPN_PLUGIN_FUNC_ERROR returns to OPENVPN_PLUGIN_ENABLE_PF calls (SIGSEGV crash), so always return SUCCESS. Only hook ENABLE_PF if that functionality is actually requested ("setenv test_packet_filter NN"). - change deeply-nested functions auth_user_pass_verify() and tls_final() to use early-return style - actually make defered PF setup *work* with recent OpenVPNs (pre-creating temp files broke this, so unlink() the pre-created file in the ENABLE_PF hook, and re-create asyncronously later) - add lots of comments explaining why we do things this way Security issue reported by "oxr463" on HackerOne. Signed-off-by: Gert Doering Acked-By: Arne Schwabe --- sample/sample-plugins/defer/simple.c | 357 ++++++++++++++++++++------- 1 file changed, 265 insertions(+), 92 deletions(-) diff --git a/sample/sample-plugins/defer/simple.c b/sample/sample-plugins/defer/simple.c index 64338b4a..7be1c0a0 100644 --- a/sample/sample-plugins/defer/simple.c +++ b/sample/sample-plugins/defer/simple.c @@ -54,13 +54,16 @@ #include #include #include +#include +#include +#include +#include +#include #include "openvpn-plugin.h" -/* bool definitions */ -#define bool int -#define true 1 -#define false 0 +/* Pointers to functions exported from openvpn */ +static plugin_log_t plugin_log = NULL; /* * Our context, where we keep our state. @@ -76,6 +79,9 @@ struct plugin_per_client_context { bool generated_pf_file; }; +/* module name for plugin_log() */ +static char *MODULE = "defer/simple"; + /* * Given an environmental variable name, search * the envp array for its value, returning it @@ -130,33 +136,46 @@ atoi_null0(const char *str) } } -OPENVPN_EXPORT openvpn_plugin_handle_t -openvpn_plugin_open_v1(unsigned int *type_mask, const char *argv[], const char *envp[]) +/* use v3 functions so we can use openvpn's logging and base64 etc. */ +OPENVPN_EXPORT int +openvpn_plugin_open_v3(const int v3structver, + struct openvpn_plugin_args_open_in const *args, + struct openvpn_plugin_args_open_return *ret) { + const char **envp = args->envp; /* environment variables */ struct plugin_context *context; - printf("FUNC: openvpn_plugin_open_v1\n"); + /* Check API compatibility -- struct version 5 or higher needed */ + if (v3structver < 5) + { + fprintf(stderr, "sample-client-connect: this plugin is incompatible with the running version of OpenVPN\n"); + return OPENVPN_PLUGIN_FUNC_ERROR; + } + + /* Save global pointers to functions exported from openvpn */ + plugin_log = args->callbacks->plugin_log; + + plugin_log(PLOG_NOTE, MODULE, "FUNC: openvpn_plugin_open_v3"); /* * Allocate our context */ context = (struct plugin_context *) calloc(1, sizeof(struct plugin_context)); - if (context == NULL) + if (!context) { - printf("PLUGIN: allocating memory for context failed\n"); - return NULL; + goto error; } context->test_deferred_auth = atoi_null0(get_env("test_deferred_auth", envp)); - printf("TEST_DEFERRED_AUTH %d\n", context->test_deferred_auth); + plugin_log(PLOG_NOTE, MODULE, "TEST_DEFERRED_AUTH %d", context->test_deferred_auth); context->test_packet_filter = atoi_null0(get_env("test_packet_filter", envp)); - printf("TEST_PACKET_FILTER %d\n", context->test_packet_filter); + plugin_log(PLOG_NOTE, MODULE, "TEST_PACKET_FILTER %d", context->test_packet_filter); /* * Which callbacks to intercept. */ - *type_mask = + ret->type_mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_UP) |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_DOWN) |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_ROUTE_UP) @@ -166,90 +185,241 @@ openvpn_plugin_open_v1(unsigned int *type_mask, const char *argv[], const char * |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT_V2) |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_DISCONNECT) |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_LEARN_ADDRESS) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_FINAL) - |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_ENABLE_PF); + |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_FINAL); - return (openvpn_plugin_handle_t) context; + /* ENABLE_PF should only be called if we're actually willing to do PF */ + if (context->test_packet_filter) + { + ret->type_mask |= OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_ENABLE_PF); + } + + ret->handle = (openvpn_plugin_handle_t *) context; + plugin_log(PLOG_NOTE, MODULE, "initialization succeeded"); + return OPENVPN_PLUGIN_FUNC_SUCCESS; + +error: + if (context) + { + free(context); + } + plugin_log(PLOG_NOTE, MODULE, "initialization failed"); + return OPENVPN_PLUGIN_FUNC_ERROR; } static int -auth_user_pass_verify(struct plugin_context *context, struct plugin_per_client_context *pcc, const char *argv[], const char *envp[]) +auth_user_pass_verify(struct plugin_context *context, + struct plugin_per_client_context *pcc, + const char *argv[], const char *envp[]) { - if (context->test_deferred_auth) + if (!context->test_deferred_auth) { - /* get username/password from envp string array */ - const char *username = get_env("username", envp); - const char *password = get_env("password", envp); + return OPENVPN_PLUGIN_FUNC_SUCCESS; + } + + /* get username/password from envp string array */ + const char *username = get_env("username", envp); + const char *password = get_env("password", envp); - /* get auth_control_file filename from envp string array*/ - const char *auth_control_file = get_env("auth_control_file", envp); + /* get auth_control_file filename from envp string array*/ + const char *auth_control_file = get_env("auth_control_file", envp); - printf("DEFER u='%s' p='%s' acf='%s'\n", + plugin_log(PLOG_NOTE, MODULE, "DEFER u='%s' p='%s' acf='%s'", np(username), np(password), np(auth_control_file)); - /* Authenticate asynchronously in n seconds */ - if (auth_control_file) - { - char buf[256]; - int auth = 2; - sscanf(username, "%d", &auth); - snprintf(buf, sizeof(buf), "( sleep %d ; echo AUTH %s %d ; echo %d >%s ) &", - context->test_deferred_auth, - auth_control_file, - auth, - pcc->n_calls < auth, - auth_control_file); - printf("%s\n", buf); - system(buf); - pcc->n_calls++; - return OPENVPN_PLUGIN_FUNC_DEFERRED; - } - else - { - return OPENVPN_PLUGIN_FUNC_ERROR; - } + /* Authenticate asynchronously in n seconds */ + if (!auth_control_file) + { + return OPENVPN_PLUGIN_FUNC_ERROR; } - else + + /* we do not want to complicate our lives with having to wait() + * for child processes (so they are not zombiefied) *and* we MUST NOT + * fiddle with signal handlers (= shared with openvpn main), so + * we use double-fork() trick. + */ + + /* fork, sleep, succeed (no "real" auth done = always succeed) */ + pid_t p1 = fork(); + if (p1 < 0) /* Fork failed */ { - return OPENVPN_PLUGIN_FUNC_SUCCESS; + return OPENVPN_PLUGIN_FUNC_ERROR; + } + if (p1 > 0) /* parent process */ + { + waitpid(p1, NULL, 0); + return OPENVPN_PLUGIN_FUNC_DEFERRED; + } + + /* first gen child process, fork() again and exit() right away */ + pid_t p2 = fork(); + if (p2 < 0) + { + plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "BACKGROUND: fork(2) failed"); + exit(1); } + + if (p2 != 0) /* new parent: exit right away */ + { + exit(0); + } + + /* (grand-)child process + * - never call "return" now (would mess up openvpn) + * - return status is communicated by file + * - then exit() + */ + + /* do mighty complicated work that will really take time here... */ + plugin_log(PLOG_NOTE, MODULE, "in async/deferred handler, sleep(%d)", context->test_deferred_auth); + sleep(context->test_deferred_auth); + + /* now signal success state to openvpn */ + int fd = open(auth_control_file, O_WRONLY); + if (fd < 0) + { + plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "open('%s') failed", auth_control_file); + exit(1); + } + + plugin_log(PLOG_NOTE, MODULE, "auth_user_pass_verify: done" ); + + if (write(fd, "1", 1) != 1) + { + plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "write to '%s' failed", auth_control_file ); + } + close(fd); + + exit(0); } static int tls_final(struct plugin_context *context, struct plugin_per_client_context *pcc, const char *argv[], const char *envp[]) { - if (context->test_packet_filter) + if (!context->test_packet_filter) /* no PF testing, nothing to do */ + { + return OPENVPN_PLUGIN_FUNC_SUCCESS; + } + + if (pcc->generated_pf_file) /* we already have created a file */ + { + return OPENVPN_PLUGIN_FUNC_ERROR; + } + + const char *pff = get_env("pf_file", envp); + const char *cn = get_env("username", envp); + if (!pff || !cn) /* required vars missing */ + { + return OPENVPN_PLUGIN_FUNC_ERROR; + } + + pcc->generated_pf_file = true; + + /* the PF API is, basically + * - OpenVPN sends a filename (pf_file) to the plugin + * - OpenVPN main loop will check every second if that file shows up + * - when it does, it will be read & used for the pf config + * the pre-created file needs to be removed in ...ENABLE_PF + * to make deferred PF setup work + * + * the regular PF hook does not know the client username or CN, so + * this is deferred to the TLS_FINAL hook which knows these things + */ + + /* do the double fork dance (see above for more verbose comments) + */ + pid_t p1 = fork(); + if (p1 < 0) /* Fork failed */ + { + return OPENVPN_PLUGIN_FUNC_ERROR; + } + if (p1 > 0) /* parent process */ + { + waitpid(p1, NULL, 0); + return OPENVPN_PLUGIN_FUNC_SUCCESS; /* no _DEFERRED here! */ + } + + /* first gen child process, fork() again and exit() right away */ + pid_t p2 = fork(); + if (p2 < 0) + { + plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "BACKGROUND: fork(2) failed"); + exit(1); + } + + if (p2 != 0) /* new parent: exit right away */ + { + exit(0); + } + + /* (grand-)child process + * - never call "return" now (would mess up openvpn) + * - return status is communicated by file + * - then exit() + */ + + /* at this point, the plugin can take its time, because OpenVPN will + * no longer block waiting for the call to finish + * + * in this example, we build a PF file by copying over a file + * named ".pf" to the OpenVPN-provided pf file name + * + * a real example could do a LDAP lookup, a REST call, ... + */ + plugin_log(PLOG_NOTE, MODULE, "in async/deferred tls_final handler, sleep(%d)", context->test_packet_filter); + sleep(context->test_packet_filter); + + char buf[256]; + snprintf(buf, sizeof(buf), "%s.pf", cn ); + + /* there is a small race condition here - OpenVPN could detect our + * file while we have only written half of it. So "perfect" code + * needs to create this with a temp file name, and then rename() it + * after it has been written. But I am lazy. + */ + + int w_fd = open( pff, O_WRONLY|O_CREAT, 0600 ); + if (w_fd < 0) { - if (!pcc->generated_pf_file) + plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "can't write to '%s'", pff); + exit(0); + } + + int r_fd = open( buf, O_RDONLY ); + if (r_fd < 0 ) + { + plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "can't read '%s', creating empty pf file", buf); + close(w_fd); + exit(0); + } + + char data[1024]; + + int r; + do + { + r = read(r_fd, data, sizeof(data)); + if (r < 0) { - const char *pff = get_env("pf_file", envp); - const char *cn = get_env("username", envp); - if (pff && cn) - { - char buf[256]; - snprintf(buf, sizeof(buf), "( sleep %d ; echo PF %s/%s ; cp \"%s.pf\" \"%s\" ) &", - context->test_packet_filter, cn, pff, cn, pff); - printf("%s\n", buf); - system(buf); - pcc->generated_pf_file = true; - return OPENVPN_PLUGIN_FUNC_SUCCESS; - } - else - { - return OPENVPN_PLUGIN_FUNC_ERROR; - } + plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "error reading '%s'", buf); + close(r_fd); + close(w_fd); + exit(0); } - else + int w = write(w_fd, data, r); + if (w < 0 || w != r) { - return OPENVPN_PLUGIN_FUNC_ERROR; + plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "error writing %d bytes to '%s'", r, pff); + close(r_fd); + close(w_fd); + exit(0); } } - else - { - return OPENVPN_PLUGIN_FUNC_SUCCESS; - } + while( r>0 ); + + plugin_log(PLOG_NOTE, MODULE, "copied PF config from '%s' to '%s', job done", buf, pff); + exit(0); } OPENVPN_EXPORT int @@ -265,58 +435,61 @@ openvpn_plugin_func_v2(openvpn_plugin_handle_t handle, switch (type) { case OPENVPN_PLUGIN_UP: - printf("OPENVPN_PLUGIN_UP\n"); + plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_UP"); return OPENVPN_PLUGIN_FUNC_SUCCESS; case OPENVPN_PLUGIN_DOWN: - printf("OPENVPN_PLUGIN_DOWN\n"); + plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_DOWN"); return OPENVPN_PLUGIN_FUNC_SUCCESS; case OPENVPN_PLUGIN_ROUTE_UP: - printf("OPENVPN_PLUGIN_ROUTE_UP\n"); + plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_ROUTE_UP"); return OPENVPN_PLUGIN_FUNC_SUCCESS; case OPENVPN_PLUGIN_IPCHANGE: - printf("OPENVPN_PLUGIN_IPCHANGE\n"); + plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_IPCHANGE"); return OPENVPN_PLUGIN_FUNC_SUCCESS; case OPENVPN_PLUGIN_TLS_VERIFY: - printf("OPENVPN_PLUGIN_TLS_VERIFY\n"); + plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_TLS_VERIFY"); return OPENVPN_PLUGIN_FUNC_SUCCESS; case OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY: - printf("OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY\n"); + plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY"); return auth_user_pass_verify(context, pcc, argv, envp); case OPENVPN_PLUGIN_CLIENT_CONNECT_V2: - printf("OPENVPN_PLUGIN_CLIENT_CONNECT_V2\n"); + plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_CLIENT_CONNECT_V2"); return OPENVPN_PLUGIN_FUNC_SUCCESS; case OPENVPN_PLUGIN_CLIENT_DISCONNECT: - printf("OPENVPN_PLUGIN_CLIENT_DISCONNECT\n"); + plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_CLIENT_DISCONNECT"); return OPENVPN_PLUGIN_FUNC_SUCCESS; case OPENVPN_PLUGIN_LEARN_ADDRESS: - printf("OPENVPN_PLUGIN_LEARN_ADDRESS\n"); + plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_LEARN_ADDRESS"); return OPENVPN_PLUGIN_FUNC_SUCCESS; case OPENVPN_PLUGIN_TLS_FINAL: - printf("OPENVPN_PLUGIN_TLS_FINAL\n"); + plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_TLS_FINAL"); return tls_final(context, pcc, argv, envp); case OPENVPN_PLUGIN_ENABLE_PF: - printf("OPENVPN_PLUGIN_ENABLE_PF\n"); - if (context->test_packet_filter) - { - return OPENVPN_PLUGIN_FUNC_SUCCESS; - } - else + plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_ENABLE_PF"); + + /* OpenVPN pre-creates the file, which gets in the way of + * deferred pf setup - so remove it here, and re-create + * it in the background handler (in tls_final()) when ready + */ + const char *pff = get_env("pf_file", envp); + if (pff) { - return OPENVPN_PLUGIN_FUNC_ERROR; + (void) unlink(pff); } + return OPENVPN_PLUGIN_FUNC_SUCCESS; /* must succeed */ default: - printf("OPENVPN_PLUGIN_?\n"); + plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_?"); return OPENVPN_PLUGIN_FUNC_ERROR; } } @@ -324,14 +497,14 @@ openvpn_plugin_func_v2(openvpn_plugin_handle_t handle, OPENVPN_EXPORT void * openvpn_plugin_client_constructor_v1(openvpn_plugin_handle_t handle) { - printf("FUNC: openvpn_plugin_client_constructor_v1\n"); + plugin_log(PLOG_NOTE, MODULE, "FUNC: openvpn_plugin_client_constructor_v1"); return calloc(1, sizeof(struct plugin_per_client_context)); } OPENVPN_EXPORT void openvpn_plugin_client_destructor_v1(openvpn_plugin_handle_t handle, void *per_client_context) { - printf("FUNC: openvpn_plugin_client_destructor_v1\n"); + plugin_log(PLOG_NOTE, MODULE, "FUNC: openvpn_plugin_client_destructor_v1"); free(per_client_context); } @@ -339,6 +512,6 @@ OPENVPN_EXPORT void openvpn_plugin_close_v1(openvpn_plugin_handle_t handle) { struct plugin_context *context = (struct plugin_context *) handle; - printf("FUNC: openvpn_plugin_close_v1\n"); + plugin_log(PLOG_NOTE, MODULE, "FUNC: openvpn_plugin_close_v1"); free(context); }