/*
 * OpenVPN -- An application to securely tunnel IP networks
 * over a single TCP/UDP port, with support for SSL/TLS-based
 * session authentication and key exchange,
 * packet encryption, packet authentication, and
 * packet compression.
 *
 * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
 * Copyright (C) 2010 Fox Crypto B.V. <openvpn@fox-it.com>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2
 * as published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program (see the file COPYING included with this
 * distribution); if not, write to the Free Software Foundation, Inc.,
 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */

/**
 * @file Control Channel Verification Module PolarSSL backend
 *
 * Declares the PolarSSL-specific entry point used to verify the remote
 * peer's certificate chain during the TLS handshake.
 */

#ifndef SSL_VERIFY_POLARSSL_H_
#define SSL_VERIFY_POLARSSL_H_

#include "syshead.h"
#include "misc.h"
#include "manage.h"
#include <polarssl/x509.h>

/*
 * Alias for the PolarSSL certificate type, presumably so that code that is
 * not specific to one SSL backend can name a certificate through the
 * openvpn_x509_cert_t type.  The guard allows more than one header to
 * provide this alias without a redefinition error.
 *
 * NOTE(review): identifiers beginning with "__" are reserved for the C
 * implementation; a project-prefixed guard name would avoid the clash risk.
 */
#ifndef __OPENVPN_X509_CERT_T_DECLARED
#define __OPENVPN_X509_CERT_T_DECLARED
typedef x509_cert openvpn_x509_cert_t;
#endif

/** @name Function for authenticating a new connection from a remote OpenVPN peer
 * @{ */

/**
 * Verify that the remote OpenVPN peer's certificate allows setting up a
 * VPN tunnel.
 * @ingroup control_tls
 *
 * This callback function is called when a new TLS session is being set up to
 * determine whether the remote OpenVPN peer's certificate is allowed to
 * connect.  It is called once for every certificate in the chain.  The
 * callback functionality is configured in the \c init_ssl() function, which
 * calls the PolarSSL library's \c ssl_set_verify_callback() function with \c
 * verify_callback() as its callback argument.
 *
 * It checks *flags and registers the certificate hash.  If these steps succeed,
 * it calls the \c verify_cert() function, which performs OpenVPN-specific
 * verification.
 *
 * Because a value of 0 in *flags on return is taken as acceptance of the
 * certificate, an implementation must preserve any non-zero verification
 * result PolarSSL passed in rather than clearing it; otherwise a certificate
 * that failed the library's own checks (signature, validity period, chain
 * building) would be treated as verified.
 *
 * @param session_obj - The OpenVPN \c tls_session associated with this object,
 *                      as set during SSL session setup.
 * @param cert        - The certificate used by PolarSSL.
 * @param cert_depth  - The depth of the current certificate in the chain, with
 *                      0 being the actual (peer) certificate.
 * @param flags       - Whether the remote OpenVPN peer's certificate
 *                      passed verification.  A value of 0 means it
 *                      verified successfully, any other value means it
 *                      failed.  \c verify_callback() is considered to have
 *                      ok'ed this certificate if flags is 0 when it returns.
 *
 * @return The return value is 0 unless a fatal error occurred.
 *         NOTE(review): a non-zero return presumably aborts the TLS handshake
 *         in the PolarSSL verify-callback API; confirm against the library
 *         version in use.
 */
int verify_callback (void *session_obj, x509_cert *cert, int cert_depth,
    int *flags);

/** @} name Function for authenticating a new connection from a remote OpenVPN peer */

#endif /* SSL_VERIFY_POLARSSL_H_ */