summaryrefslogtreecommitdiff
path: root/src/libstrongswan/plugins/plugin_loader.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/libstrongswan/plugins/plugin_loader.c')
-rw-r--r--src/libstrongswan/plugins/plugin_loader.c27
1 files changed, 23 insertions, 4 deletions
diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c
index ad5a9e240..459ba9ba9 100644
--- a/src/libstrongswan/plugins/plugin_loader.c
+++ b/src/libstrongswan/plugins/plugin_loader.c
@@ -22,6 +22,7 @@
#include <stdio.h>
#include <debug.h>
+#include <integrity_checker.h>
#include <utils/linked_list.h>
#include <plugins/plugin.h>
@@ -61,27 +62,45 @@ static plugin_t* load_plugin(private_plugin_loader_t *this,
snprintf(file, sizeof(file), "%s/libstrongswan-%s.so", path, name);
+ if (lib->integrity)
+ {
+ if (!lib->integrity->check_file(lib->integrity, name, file))
+ {
+ DBG1("plugin '%s': failed file integrity test of '%s'", name, file);
+ return NULL;
+ }
+ }
handle = dlopen(file, RTLD_LAZY);
if (handle == NULL)
{
- DBG1("loading plugin '%s' failed: %s", name, dlerror());
+ DBG1("plugin '%s': failed to load '%s' - %s", name, file, dlerror());
return NULL;
}
constructor = dlsym(handle, "plugin_create");
if (constructor == NULL)
{
- DBG1("loading plugin '%s' failed: no plugin_create() function", name);
+ DBG1("plugin '%s': failed to load - no plugin_create() function", name);
dlclose(handle);
return NULL;
}
+ if (lib->integrity)
+ {
+ if (!lib->integrity->check_segment(lib->integrity, name, constructor))
+ {
+ DBG1("plugin '%s': failed segment integrity test", name);
+ dlclose(handle);
+ return NULL;
+ }
+ DBG1("plugin '%s': passed file and segment integrity tests", name);
+ }
plugin = constructor();
if (plugin == NULL)
{
- DBG1("loading plugin '%s' failed: plugin_create() returned NULL", name);
+ DBG1("plugin '%s': failed to load - plugin_create() returned NULL", name);
dlclose(handle);
return NULL;
}
- DBG2("plugin '%s' loaded successfully", name);
+ DBG2("plugin '%s': loaded successfully", name);
/* we do not store or free dlopen() handles, leak_detective requires
* the modules to keep loaded until leak report */