summaryrefslogtreecommitdiff
path: root/app/openvpn/doc/doxygen/doc_data_crypto.h
blob: ee72b8cdd8acbf24b9ef9a24a6483dbca96d95c5 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
/*
 *  OpenVPN -- An application to securely tunnel IP networks
 *             over a single TCP/UDP port, with support for SSL/TLS-based
 *             session authentication and key exchange,
 *             packet encryption, packet authentication, and
 *             packet compression.
 *
 *  Copyright (C) 2010 Fox Crypto B.V. <openvpn@fox-it.com>
 *
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License version 2
 *  as published by the Free Software Foundation.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program (see the file COPYING included with this
 *  distribution); if not, write to the Free Software Foundation, Inc.,
 *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */

/**
 * @file
 * Data Channel Crypto module documentation file.
 */

/**
 * @addtogroup data_crypto Data Channel Crypto module
 *
 * The Data Channel Crypto Module performs cryptographic operations on
 * data channel packets.
 *
 * @par Security parameters
 * This module is merely the user of a VPN tunnel's security parameters.
 * It does not perform the negotiation and setup of the security
 * parameters, nor the %key generation involved.  These actions are done
 * by the \link control_processor Control Channel Processor\endlink.  This
 * module receives the appropriate security parameters from that module in
 * the form of a \c crypto_options structure when they are necessary for
 * processing a packet.
 *
 * @par Packet processing functions
 * This module receives data channel packets from the \link data_control
 * Data Channel Control module\endlink and processes them according to the
 * security parameters of the packet's VPN tunnel.  The \link data_control
 * Data Channel Control module\endlink uses the following interface
 * functions:
 *  - For packets which will be sent to a remote OpenVPN peer:
 *     - \c tls_pre_encrypt()
 *     - \c openvpn_encrypt()
 *     - \c tls_post_encrypt()
 *  - For packets which have been received from a remote OpenVPN peer:
 *     - \c tls_pre_decrypt() (documented as part of the \link
 *       external_multiplexer External Multiplexer\endlink)
 *     - \c openvpn_decrypt()
 *
 * @par Settings that control this module's activity
 * Whether or not the Data Channel Crypto module is active depends on the
 * compile-time \c ENABLE_CRYPTO and \c ENABLE_SSL preprocessor macros.  How it
 * processes packets received from the \link data_control Data Channel
 * Control module\endlink at runtime depends on the associated \c
 * crypto_options structure.  To perform cryptographic operations, the \c
 * crypto_options.key_ctx_bi must contain the correct cipher and HMAC
 * security parameters for the direction the packet is traveling in.
 *
 * @par Crypto algorithms
 * This module uses the crypto algorithm implementations of the external
 * OpenSSL library.  More precisely, it uses the OpenSSL library's \c
 * EVP_Cipher* and \c HMAC_* set of functions to perform cryptographic
 * operations on data channel packets.
 */