How to load a strongswan plugin at runtime


We've authored a plugin for libcharon that makes calls to our code. This is creating some unwanted coupling between our application and strongswan, since we're compiling strongswan with this plugin.

Let's call this plugin MyPlugin. It is configured as follows:

$ cat /etc/strongswan/strongswan.d/charon/myplugin.conf
myplugin {

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes

    proxy
    {
        # Should send to proxy
        send_to_proxy = yes
    }
    log
    {
        # Should save to file
        log_path = /var/log/myplugin.log
        log_ips = yes
    }
}

We would like to reverse this dependency, by compiling this plugin as a part of our application, implementing strongswan interfaces.

The question is, does strongswan support this? Can a plugin be deployed on a machine where strongswan is already running, and have strongswan load it and work with it? How?

We're running strongswan 5.1.5 on CentOS 6.

There is 1 best solution below

Yes, you can do this. However, there are some caveats:

  • strongSwan does not provide any stable APIs. So this only works safely if you compile your plugin against the headers of the strongSwan version that's eventually loading the plugin.
  • You will need config.h from the build you are compiling against (or of an equivalently configured build for the same platform). When compiling the plugin, you pass the path to it via -include.
  • Loading the plugin via config snippet requires an appropriate strongswan.conf file (i.e. enable modular plugin loading and include the config snippets in strongswan.d where you place a snippet for your plugin - the default should work fine).
  • There might be licensing issues with third-party plugins, whether out-of-tree or not (strongSwan is licensed under the GPLv2, however, a commercial license is available).

You can find an example of an out-of-tree plugin here.
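
One way to enforce the first two caveats before building, as an added example that is not part of the original answer or of strongSwan itself: it reads the version from the config.h you compile against, refuses to continue if that differs from the version of the daemon that will load the plugin, and prints a compile command that passes config.h via -include. The source-tree layout, the include directories, the function names and the way the running version is supplied are assumptions.

```shell
#!/bin/sh
# Added example: guard an out-of-tree plugin build against a header/daemon
# version mismatch. Assumes config.h is autoconf-generated and defines VERSION.

# Print the version string from a strongSwan build's config.h.
config_h_version() {
    sed -n 's/^#define[[:space:]]\{1,\}VERSION[[:space:]]\{1,\}"\(.*\)".*$/\1/p' "$1" | head -n 1
}

# check_build CONFIG_H RUNNING_VERSION
# Returns 0 if the headers match the daemon, 1 on mismatch,
# 2 if config.h is missing or carries no VERSION define.
check_build() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    built=$(config_h_version "$1")
    [ -n "$built" ] || { echo "no VERSION define in $1" >&2; return 2; }
    if [ "$built" != "$2" ]; then
        echo "config.h is for $built, daemon is $2: rebuild the plugin" >&2
        return 1
    fi
    return 0
}

# build_cmd SRC_TREE PLUGIN_NAME SOURCE_FILE
# Prints (does not run) a compile command. The -I paths are assumptions;
# adjust them to the headers your plugin actually includes.
build_cmd() {
    printf 'cc -shared -fPIC -include %s/config.h' "$1"
    printf ' -I%s/src/libstrongswan -I%s/src/libcharon' "$1" "$1"
    printf ' -o libstrongswan-%s.so %s\n' "$2" "$3"
}

# Typical use (paths and version are placeholders):
#   check_build /path/to/strongswan-src/config.h 5.1.5 &&
#       eval "$(build_cmd /path/to/strongswan-src myplugin myplugin_plugin.c)"
```

Run the check again whenever the strongSwan package on the target machine is updated, since a plugin built against the previous headers is no longer safe to load.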