1 /*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, write to the Free Software Foundation, Inc.,
21 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 */
23
24
25 /**
26 * @file
27 * Interface functions to the internal and external multiplexers.
28 */
29
30
31 #ifndef FORWARD_H
32 #define FORWARD_H
33
34 /* the following macros must be defined before including any other header
35 * file
36 */
37
38 #define TUN_OUT(c) (BLEN(&(c)->c2.to_tun) > 0)
39 #define LINK_OUT(c) (BLEN(&(c)->c2.to_link) > 0)
40 #define ANY_OUT(c) (TUN_OUT(c) || LINK_OUT(c))
41
42 #ifdef ENABLE_FRAGMENT
43 #define TO_LINK_FRAG(c) ((c)->c2.fragment && fragment_outgoing_defined((c)->c2.fragment))
44 #else
45 #define TO_LINK_FRAG(c) (false)
46 #endif
47
48 #define TO_LINK_DEF(c) (LINK_OUT(c) || TO_LINK_FRAG(c))
49
50 #include "openvpn.h"
51 #include "occ.h"
52 #include "ping.h"
53
54 #define IOW_TO_TUN (1<<0)
55 #define IOW_TO_LINK (1<<1)
56 #define IOW_READ_TUN (1<<2)
57 #define IOW_READ_LINK (1<<3)
58 #define IOW_SHAPER (1<<4)
59 #define IOW_CHECK_RESIDUAL (1<<5)
60 #define IOW_FRAG (1<<6)
61 #define IOW_MBUF (1<<7)
62 #define IOW_READ_TUN_FORCE (1<<8)
63 #define IOW_WAIT_SIGNAL (1<<9)
64
65 #define IOW_READ (IOW_READ_TUN|IOW_READ_LINK)
66
67 extern counter_type link_read_bytes_global;
68
69 extern counter_type link_write_bytes_global;
70
71 void io_wait_dowork(struct context *c, const unsigned int flags);
72
73 void pre_select(struct context *c);
74
75 void process_io(struct context *c);
76
77 /**********************************************************************/
78 /**
79 * Process a data channel packet that will be sent through a VPN tunnel.
80 * @ingroup data_control
81 *
82 * This function controls the processing of a data channel packet which
83 * will be sent through a VPN tunnel to a remote OpenVPN peer. It's
84 * general structure is as follows:
85 * - Check that the client authentication has succeeded; if not, drop the
86 * packet.
87 * - If the \a comp_frag argument is true:
88 * - Call \c lzo_compress() of the \link Data Channel Compression
89 * module\endlink to (possibly) compress the packet.
90 * - Call \c fragment_outgoing() of the \link Data Channel Fragmentation
91 * module\endlink to (possibly) fragment the packet.
92 * - Activate the \link Data Channel Crypto module\endlink to perform
93 * security operations on the packet.
94 * - Call \c tls_pre_encrypt() to choose the appropriate security
95 * parameters for this packet.
96 * - Call \c openvpn_encrypt() to encrypt and HMAC signed the packet.
97 * - Call \c tls_post_encrypt() to prepend the one-byte OpenVPN header
98 * and do some TLS accounting.
99 * - Place the resulting packet in \c c->c2.to_link so that it can be sent
100 * over the external network interface to its remote destination by the
101 * \link external_multiplexer External Multiplexer\endlink.
102 *
103 * @param c - The context structure of the VPN tunnel associated with this
104 * packet.
105 * @param comp_frag - Whether to do packet compression and fragmentation.
106 * This flag is set to true the first time a packet is processed. If
107 * the packet then gets fragmented, this function will be called again
108 * once for each remaining fragment with this parameter set to false.
109 */
110 void encrypt_sign(struct context *c, bool comp_frag);
111
112 int get_server_poll_remaining_time(struct event_timeout *server_poll_timeout);
113
114 /**********************************************************************/
115 /**
116 * Read a packet from the external network interface.
117 * @ingroup external_multiplexer
118 *
119 * The packet read from the external network interface is stored in \c
120 * c->c2.buf and its source address in \c c->c2.from. If an error
121 * occurred, the length of \c c->c2.buf will be 0.
122 *
123 * OpenVPN running as client or as UDP server only has a single external
124 * network socket, so this function can be called with the single (client
125 * mode) or top level (UDP server) context as its argument. OpenVPN
126 * running as TCP server, on the other hand, has a network socket for each
127 * active VPN tunnel. In that case this function must be called with the
128 * context associated with the appropriate VPN tunnel for which data is
129 * available to be read.
130 *
131 * @param c - The context structure which contains the external
132 * network socket from which to read incoming packets.
133 */
134 void read_incoming_link(struct context *c);
135
136 /**
137 * Starts processing a packet read from the external network interface.
138 * @ingroup external_multiplexer
139 *
140 * This function starts the processing of a data channel packet which
141 * has come out of a VPN tunnel. It's high-level structure is as follows:
142 * - Verify that a nonzero length packet has been received from a valid
143 * source address for the given context \a c.
144 * - Call \c tls_pre_decrypt(), which splits data channel and control
145 * channel packets:
146 * - If a data channel packet, the appropriate security parameters are
147 * loaded.
148 * - If a control channel packet, this function process is it and
149 * afterwards sets the packet's buffer length to 0, so that the data
150 * channel processing steps below will ignore it.
151 * - Call \c openvpn_decrypt() of the \link data_crypto Data Channel
152 * Crypto module\endlink to authenticate and decrypt the packet using
153 * the security parameters loaded by \c tls_pre_decrypt() above.
154 *
155 * @param c - The context structure of the VPN tunnel associated with the
156 * packet.
157 * @param lsi - link_socket_info obtained from context before processing.
158 * @param floated - Flag indicates that peer has floated.
159 *
160 * @return true if packet is authenticated, false otherwise.
161 */
162 bool process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, bool floated);
163
164 /**
165 * Continues processing a packet read from the external network interface.
166 * @ingroup external_multiplexer
167 *
168 * This function continues the processing of a data channel packet which
169 * has come out of a VPN tunnel. It must be called after
170 * \c process_incoming_link_part1() function.
171 *
172 * It's high-level structure is as follows:
173 * - Call \c fragment_incoming() of the \link fragmentation Data Channel
174 * Fragmentation module\endlink to reassemble the packet if it's
175 * fragmented.
176 * - Call \c lzo_decompress() of the \link compression Data Channel
177 * Compression module\endlink to decompress the packet if it's
178 * compressed.
179 * - Place the resulting packet in \c c->c2.to_tun so that it can be sent
180 * over the virtual tun/tap network interface to its local destination
181 * by the \link internal_multiplexer Internal Multiplexer\endlink.
182 *
183 * @param c - The context structure of the VPN tunnel associated with the
184 * packet.
185 * @param lsi - link_socket_info obtained from context before processing.
186 * @param orig_buf - Pointer to a buffer data.
187 *
188 */
189 void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf);
190
191 /**
192 * Write a packet to the external network interface.
193 * @ingroup external_multiplexer
194 *
195 * This function writes the packet stored in \c c->c2.to_link to the
196 * external network device contained within \c c->c1.link_socket.
197 *
198 * If an error occurs, it is logged and the packet is dropped.
199 *
200 * @param c - The context structure of the VPN tunnel associated with the
201 * packet.
202 */
203 void process_outgoing_link(struct context *c);
204
205
206 /**************************************************************************/
207 /**
208 * Read a packet from the virtual tun/tap network interface.
209 * @ingroup internal_multiplexer
210 *
211 * This function reads a packet from the virtual tun/tap network device \c
212 * c->c1.tuntap and stores it in \c c->c2.buf.
213 *
214 * If an error occurs, it is logged and the packet is dropped.
215 *
216 * @param c - The context structure in which to store the received
217 * packet.
218 */
219 void read_incoming_tun(struct context *c);
220
221
222 /**
223 * Process a packet read from the virtual tun/tap network interface.
224 * @ingroup internal_multiplexer
225 *
226 * This function calls \c encrypt_sign() of the \link data_control Data
227 * Channel Control module\endlink to process the packet.
228 *
229 * If an error occurs, it is logged and the packet is dropped.
230 *
231 * @param c - The context structure of the VPN tunnel associated with the
232 * packet.
233 */
234 void process_incoming_tun(struct context *c);
235
236
237 /**
238 * Write a packet to the virtual tun/tap network interface.
239 * @ingroup internal_multiplexer
240 *
241 * This function writes the packet stored in \c c->c2.to_tun to the
242 * virtual tun/tap network device \c c->c1.tuntap.
243 *
244 * If an error occurs, it is logged and the packet is dropped.
245 *
246 * @param c - The context structure of the VPN tunnel associated with
247 * the packet.
248 */
249 void process_outgoing_tun(struct context *c);
250
251
252 /**************************************************************************/
253
254 /*
255 * Send a string to remote over the TLS control channel.
256 * Used for push/pull messages, passing username/password,
257 * etc.
258 * @param c - The context structure of the VPN tunnel associated with
259 * the packet.
260 * @param str - The message to be sent
261 * @param msglevel - Message level to use for logging
262 */
263 bool
264 send_control_channel_string(struct context *c, const char *str, int msglevel);
265
266 /*
267 * Send a string to remote over the TLS control channel.
268 * Used for push/pull messages, passing username/password,
269 * etc.
270 *
271 * This variant does not schedule the actual sending of the message
272 * The caller needs to ensure that it is scheduled or call
273 * send_control_channel_string
274 *
275 * @param multi - The tls_multi structure of the VPN tunnel associated
276 * with the packet.
277 * @param str - The message to be sent
278 * @param msglevel - Message level to use for logging
279 */
280
281 bool
282 send_control_channel_string_dowork(struct tls_multi *multi,
283 const char *str, int msglevel);
284
285
286 /**
287 * Reschedule tls_multi_process.
288 * NOTE: in multi-client mode, usually calling the function is
289 * insufficient to reschedule the client instance object unless
290 * multi_schedule_context_wakeup(m, mi) is also called.
291 */
292 void reschedule_multi_process(struct context *c);
293
294 #define PIPV4_PASSTOS (1<<0)
295 #define PIP_MSSFIX (1<<1) /* v4 and v6 */
296 #define PIP_OUTGOING (1<<2)
297 #define PIPV4_EXTRACT_DHCP_ROUTER (1<<3)
298 #define PIPV4_CLIENT_NAT (1<<4)
299 #define PIPV6_IMCP_NOHOST_CLIENT (1<<5)
300 #define PIPV6_IMCP_NOHOST_SERVER (1<<6)
301
302 void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf);
303
304 void schedule_exit(struct context *c, const int n_seconds, const int signal);
305
306 static inline struct link_socket_info *
get_link_socket_info(struct context * c)307 get_link_socket_info(struct context *c)
308 {
309 if (c->c2.link_socket_info)
310 {
311 return c->c2.link_socket_info;
312 }
313 else
314 {
315 return &c->c2.link_socket->info;
316 }
317 }
318
319 static inline void
register_activity(struct context * c,const int size)320 register_activity(struct context *c, const int size)
321 {
322 if (c->options.inactivity_timeout)
323 {
324 c->c2.inactivity_bytes += size;
325 if (c->c2.inactivity_bytes >= c->options.inactivity_minimum_bytes)
326 {
327 c->c2.inactivity_bytes = 0;
328 event_timeout_reset(&c->c2.inactivity_interval);
329 }
330 }
331 }
332
333 /*
334 * Return the io_wait() flags appropriate for
335 * a point-to-point tunnel.
336 */
337 static inline unsigned int
p2p_iow_flags(const struct context * c)338 p2p_iow_flags(const struct context *c)
339 {
340 unsigned int flags = (IOW_SHAPER|IOW_CHECK_RESIDUAL|IOW_FRAG|IOW_READ|IOW_WAIT_SIGNAL);
341 if (c->c2.to_link.len > 0)
342 {
343 flags |= IOW_TO_LINK;
344 }
345 if (c->c2.to_tun.len > 0)
346 {
347 flags |= IOW_TO_TUN;
348 }
349 #ifdef _WIN32
350 if (tuntap_ring_empty(c->c1.tuntap))
351 {
352 flags &= ~IOW_READ_TUN;
353 }
354 #endif
355 return flags;
356 }
357
358 /*
359 * This is the core I/O wait function, used for all I/O waits except
360 * for TCP in server mode.
361 */
362 static inline void
io_wait(struct context * c,const unsigned int flags)363 io_wait(struct context *c, const unsigned int flags)
364 {
365 if (c->c2.fast_io && (flags & (IOW_TO_TUN|IOW_TO_LINK|IOW_MBUF)))
366 {
367 /* fast path -- only for TUN/TAP/UDP writes */
368 unsigned int ret = 0;
369 if (flags & IOW_TO_TUN)
370 {
371 ret |= TUN_WRITE;
372 }
373 if (flags & (IOW_TO_LINK|IOW_MBUF))
374 {
375 ret |= SOCKET_WRITE;
376 }
377 c->c2.event_set_status = ret;
378 }
379 else
380 {
381 #ifdef _WIN32
382 bool skip_iowait = flags & IOW_TO_TUN;
383 if (flags & IOW_READ_TUN)
384 {
385 /*
386 * don't read from tun if we have pending write to link,
387 * since every tun read overwrites to_link buffer filled
388 * by previous tun read
389 */
390 skip_iowait = !(flags & IOW_TO_LINK);
391 }
392 if (tuntap_is_wintun(c->c1.tuntap) && skip_iowait)
393 {
394 unsigned int ret = 0;
395 if (flags & IOW_TO_TUN)
396 {
397 ret |= TUN_WRITE;
398 }
399 if (flags & IOW_READ_TUN)
400 {
401 ret |= TUN_READ;
402 }
403 c->c2.event_set_status = ret;
404 }
405 else
406 #endif /* ifdef _WIN32 */
407 {
408 /* slow path */
409 io_wait_dowork(c, flags);
410 }
411 }
412 }
413
414 #define CONNECTION_ESTABLISHED(c) (get_link_socket_info(c)->connection_established)
415
416 #endif /* FORWARD_H */
417