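/*
 *  OpenVPN -- An application to securely tunnel IP networks
 *             over a single TCP/UDP port, with support for SSL/TLS-based
 *             session authentication and key exchange,
 *             packet encryption, packet authentication, and
 *             packet compression.
 *
 *  Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
 *  Copyright (C) 2010 Fox Crypto B.V. <openvpn@fox-it.com>
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License version 2
 *  as published by the Free Software Foundation.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program (see the file COPYING included with this
 *  distribution); if not, write to the Free Software Foundation, Inc.,
 *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */

/**
 * @file Control Channel Verification Module OpenSSL backend
 */

#ifndef SSL_VERIFY_OPENSSL_H_
#define SSL_VERIFY_OPENSSL_H_

#include <openssl/x509.h>

/*
 * Backend-neutral alias for a peer certificate; for the OpenSSL backend it
 * is simply OpenSSL's X509.
 *
 * NOTE(review): the guard macro below begins with a double underscore, a
 * name space the C standard reserves for the implementation.  It is left
 * unchanged here because the other crypto backend header presumably tests
 * the same macro -- confirm before renaming it in both places.
 */
#ifndef __OPENVPN_X509_CERT_T_DECLARED
#define __OPENVPN_X509_CERT_T_DECLARED
typedef X509 openvpn_x509_cert_t;
#endif

/** @name Function for authenticating a new connection from a remote OpenVPN peer
 *  @{ */

/**
 * Verify that the remote OpenVPN peer's certificate allows setting up a
 * VPN tunnel.
 * @ingroup control_tls
 *
 * This callback function is called every time a new TLS session is being
 * set up to determine whether the remote OpenVPN peer's certificate is
 * allowed to connect.  It is called once for every certificate in the
 * chain, so a single handshake results in several invocations.  The
 * callback functionality is configured in the \c init_ssl() function, which
 * calls the OpenSSL library's \c SSL_CTX_set_verify() function with \c
 * verify_callback() as its callback argument.
 *
 * It checks preverify_ok, and registers the certificate hash.  If these
 * steps succeed, it calls the \c verify_cert() function, which performs
 * OpenVPN-specific verification.
 *
 * Security note: an OpenSSL verify callback can override the library's own
 * chain-validation verdict by returning 1 when \p preverify_ok is 0.  An
 * implementation of this function must never do so -- a certificate that
 * failed the library's signature, validity-period or trust-anchor checks
 * must be rejected before any OpenVPN-specific checks are considered.
 *
 * @param preverify_ok - Whether the remote OpenVPN peer's certificate
 *                       passed the OpenSSL library's own verification.  A
 *                       value of 1 means it verified successfully, 0 means
 *                       it failed.
 * @param ctx          - The complete context used by the OpenSSL library
 *                       to verify the certificate chain.
 *
 * @return The return value indicates whether the supplied certificate is
 *     allowed to set up a VPN tunnel.  The following values can be
 *     returned:
 *     - \c 0: failure, this certificate is not allowed to connect.
 *     - \c 1: success, this certificate is allowed to connect.
 */
int verify_callback (int preverify_ok, X509_STORE_CTX * ctx);

/** @} name Function for authenticating a new connection from a remote OpenVPN peer */

#endif /* SSL_VERIFY_OPENSSL_H_ */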