1/*
2 *  OpenVPN -- An application to securely tunnel IP networks
3 *             over a single TCP/UDP port, with support for SSL/TLS-based
4 *             session authentication and key exchange,
5 *             packet encryption, packet authentication, and
6 *             packet compression.
7 *
8 *  Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
9 *
10 *  This program is free software; you can redistribute it and/or modify
11 *  it under the terms of the GNU General Public License version 2
12 *  as published by the Free Software Foundation.
13 *
14 *  This program is distributed in the hope that it will be useful,
15 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
16 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17 *  GNU General Public License for more details.
18 *
19 *  You should have received a copy of the GNU General Public License
20 *  along with this program (see the file COPYING included with this
21 *  distribution); if not, write to the Free Software Foundation, Inc.,
22 *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
23 */
24
25
26/**
27 * @file
28 * Interface functions to the internal and external multiplexers.
29 */
30
31
32#ifndef FORWARD_H
33#define FORWARD_H
34
35#include "openvpn.h"
36#include "occ.h"
37#include "ping.h"
38
39#define TUN_OUT(c)      (BLEN(&(c)->c2.to_tun) > 0)
40#define LINK_OUT(c)     (BLEN(&(c)->c2.to_link) > 0)
41#define ANY_OUT(c)      (TUN_OUT(c) || LINK_OUT(c))
42
43#ifdef ENABLE_FRAGMENT
44#define TO_LINK_FRAG(c) ((c)->c2.fragment && fragment_outgoing_defined ((c)->c2.fragment))
45#else
46#define TO_LINK_FRAG(c) (false)
47#endif
48
49#define TO_LINK_DEF(c)  (LINK_OUT(c) || TO_LINK_FRAG(c))
50
51#define IOW_TO_TUN          (1<<0)
52#define IOW_TO_LINK         (1<<1)
53#define IOW_READ_TUN        (1<<2)
54#define IOW_READ_LINK       (1<<3)
55#define IOW_SHAPER          (1<<4)
56#define IOW_CHECK_RESIDUAL  (1<<5)
57#define IOW_FRAG            (1<<6)
58#define IOW_MBUF            (1<<7)
59#define IOW_READ_TUN_FORCE  (1<<8)
60#define IOW_WAIT_SIGNAL     (1<<9)
61
62#define IOW_READ            (IOW_READ_TUN|IOW_READ_LINK)
63
64
65void pre_select (struct context *c);
66void process_io (struct context *c);
67
68const char *wait_status_string (struct context *c, struct gc_arena *gc);
69void show_wait_status (struct context *c);
70
71
72/**********************************************************************/
73/**
74 * Process a data channel packet that will be sent through a VPN tunnel.
75 * @ingroup data_control
76 *
77 * This function controls the processing of a data channel packet which
78 * will be sent through a VPN tunnel to a remote OpenVPN peer.  It's
79 * general structure is as follows:
80 * - Check that the client authentication has succeeded; if not, drop the
81 *   packet.
82 * - If the \a comp_frag argument is true:
83 *   - Call \c lzo_compress() of the \link Data Channel Compression
84 *     module\endlink to (possibly) compress the packet.
85 *   - Call \c fragment_outgoing() of the \link Data Channel Fragmentation
86 *     module\endlink to (possibly) fragment the packet.
87 * - Activate the \link Data Channel Crypto module\endlink to perform
88 *   security operations on the packet.
89 *   - Call \c tls_pre_encrypt() to choose the appropriate security
90 *     parameters for this packet.
91 *   - Call \c openvpn_encrypt() to encrypt and HMAC signed the packet.
92 *   - Call \c tls_post_encrypt() to prepend the one-byte OpenVPN header
93 *     and do some TLS accounting.
94 * - Place the resulting packet in \c c->c2.to_link so that it can be sent
95 *   over the external network interface to its remote destination by the
96 *   \link external_multiplexer External Multiplexer\endlink.
97 *
98 * @param c - The context structure of the VPN tunnel associated with this
99 *     packet.
100 * @param comp_frag - Whether to do packet compression and fragmentation.
101 *     This flag is set to true the first time a packet is processed.  If
102 *     the packet then gets fragmented, this function will be called again
103 *     once for each remaining fragment with this parameter set to false.
104 */
105void encrypt_sign (struct context *c, bool comp_frag);
106
107
108/**********************************************************************/
109/**
110 * Read a packet from the external network interface.
111 * @ingroup external_multiplexer
112 *
113 * The packet read from the external network interface is stored in \c
114 * c->c2.buf and its source address in \c c->c2.from.  If an error
115 * occurred, the length of \c c->c2.buf will be 0.
116 *
117 * OpenVPN running as client or as UDP server only has a single external
118 * network socket, so this function can be called with the single (client
119 * mode) or top level (UDP server) context as its argument. OpenVPN
120 * running as TCP server, on the other hand, has a network socket for each
121 * active VPN tunnel.  In that case this function must be called with the
122 * context associated with the appropriate VPN tunnel for which data is
123 * available to be read.
124 *
125 * @param c - The context structure which contains the external
126 *     network socket from which to read incoming packets.
127 */
128void read_incoming_link (struct context *c);
129
130
131/**
132 * Process a packet read from the external network interface.
133 * @ingroup external_multiplexer
134 *
135 * This function controls the processing of a data channel packet which
136 * has come out of a VPN tunnel.  It's high-level structure is as follows:
137 * - Verify that a nonzero length packet has been received from a valid
138 *   source address for the given context \a c.
139 * - Call \c tls_pre_decrypt(), which splits data channel and control
140 *   channel packets:
141 *   - If a data channel packet, the appropriate security parameters are
142 *     loaded.
143 *   - If a control channel packet, this function process is it and
144 *     afterwards sets the packet's buffer length to 0, so that the data
145 *     channel processing steps below will ignore it.
146 * - Call \c openvpn_decrypt() of the \link data_crypto Data Channel
147 *   Crypto module\endlink to authenticate and decrypt the packet using
148 *   the security parameters loaded by \c tls_pre_decrypt() above.
149 * - Call \c fragment_incoming() of the \link fragmentation Data Channel
150 *   Fragmentation module\endlink to reassemble the packet if it's
151 *   fragmented.
152 * - Call \c lzo_decompress() of the \link compression Data Channel
153 *   Compression module\endlink to decompress the packet if it's
154 *   compressed.
155 * - Place the resulting packet in \c c->c2.to_tun so that it can be sent
156 *   over the virtual tun/tap network interface to its local destination
157 *   by the \link internal_multiplexer Internal Multiplexer\endlink.
158 *
159 * @param c - The context structure of the VPN tunnel associated with the
160 *     packet.
161 */
162void process_incoming_link (struct context *c);
163
164
165/**
166 * Write a packet to the external network interface.
167 * @ingroup external_multiplexer
168 *
169 * This function writes the packet stored in \c c->c2.to_link to the
170 * external network device contained within \c c->c1.link_socket.
171 *
172 * If an error occurs, it is logged and the packet is dropped.
173 *
174 * @param c - The context structure of the VPN tunnel associated with the
175 *     packet.
176 */
177void process_outgoing_link (struct context *c);
178
179
180/**************************************************************************/
181/**
182 * Read a packet from the virtual tun/tap network interface.
183 * @ingroup internal_multiplexer
184 *
185 * This function reads a packet from the virtual tun/tap network device \c
186 * c->c1.tuntap and stores it in \c c->c2.buf.
187 *
188 * If an error occurs, it is logged and the packet is dropped.
189 *
190 * @param c - The context structure in which to store the received
191 *     packet.
192 */
193void read_incoming_tun (struct context *c);
194
195
196/**
197 * Process a packet read from the virtual tun/tap network interface.
198 * @ingroup internal_multiplexer
199 *
200 * This function calls \c encrypt_sign() of the \link data_control Data
201 * Channel Control module\endlink to process the packet.
202 *
203 * If an error occurs, it is logged and the packet is dropped.
204 *
205 * @param c - The context structure of the VPN tunnel associated with the
206 *     packet.
207 */
208void process_incoming_tun (struct context *c);
209
210
211/**
212 * Write a packet to the virtual tun/tap network interface.
213 * @ingroup internal_multiplexer
214 *
215 * This function writes the packet stored in \c c->c2.to_tun to the
216 * virtual tun/tap network device \c c->c1.tuntap.
217 *
218 * If an error occurs, it is logged and the packet is dropped.
219 *
220 * @param c - The context structure of the VPN tunnel associated with
221 *     the packet.
222 */
223void process_outgoing_tun (struct context *c);
224
225
226/**************************************************************************/
227
228bool send_control_channel_string (struct context *c, const char *str, int msglevel);
229
230#define PIPV4_PASSTOS         (1<<0)
231#define PIP_MSSFIX            (1<<1)         /* v4 and v6 */
232#define PIPV4_OUTGOING        (1<<2)
233#define PIPV4_EXTRACT_DHCP_ROUTER (1<<3)
234#define PIPV4_CLIENT_NAT      (1<<4)
235
236void process_ip_header (struct context *c, unsigned int flags, struct buffer *buf);
237
238#if P2MP
239void schedule_exit (struct context *c, const int n_seconds, const int signal);
240#endif
241
242#endif /* FORWARD_H */
243