release/src/router/openvpn/src/openvpn/ssl_verify_polarssl.h

   1 /*
   2  *  OpenVPN -- An application to securely tunnel IP networks
   3  *             over a single TCP/UDP port, with support for SSL/TLS-based
   4  *             session authentication and key exchange,
   5  *             packet encryption, packet authentication, and
   6  *             packet compression.
   7  *
   8  *  Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
   9  *  Copyright (C) 2010 Fox Crypto B.V. <openvpn@fox-it.com>
  10  *
  11  *  This program is free software; you can redistribute it and/or modify
  12  *  it under the terms of the GNU General Public License version 2
  13  *  as published by the Free Software Foundation.
  14  *
  15  *  This program is distributed in the hope that it will be useful,
  16  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  17  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18  *  GNU General Public License for more details.
  19  *
  20  *  You should have received a copy of the GNU General Public License
  21  *  along with this program (see the file COPYING included with this
  22  *  distribution); if not, write to the Free Software Foundation, Inc.,
  23  *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  24  */
  25
  26 /**
  27  * @file Control Channel Verification Module PolarSSL backend
  28  */
  29
  30 #ifndef SSL_VERIFY_POLARSSL_H_
  31 #define SSL_VERIFY_POLARSSL_H_
  32
  33 #include "syshead.h"
  34 #include "misc.h"
  35 #include "manage.h"
  36 #include <polarssl/x509.h>
  37
  38 #ifndef __OPENVPN_X509_CERT_T_DECLARED
  39 #define __OPENVPN_X509_CERT_T_DECLARED
  40 typedef x509_cert openvpn_x509_cert_t;
  41 #endif
  42
  43 /** @name Function for authenticating a new connection from a remote OpenVPN peer
  44  *  @{ */
  45
  46 /**
  47  * Verify that the remote OpenVPN peer's certificate allows setting up a
  48  * VPN tunnel.
  49  * @ingroup control_tls
  50  *
  51  * This callback function is called when a new TLS session is being setup to
  52  * determine whether the remote OpenVPN peer's certificate is allowed to
  53  * connect. It is called for once for every certificate in the chain. The
  54  * callback functionality is configured in the \c init_ssl() function, which
  55  * calls the PolarSSL library's \c ssl_set_verify_callback() function with \c
  56  * verify_callback() as its callback argument.
  57  *
  58  * It checks *flags and registers the certificate hash. If these steps succeed,
  59  * it calls the \c verify_cert() function, which performs OpenVPN-specific
  60  * verification.
  61  *
  62  * @param session_obj  - The OpenVPN \c tls_session associated with this object,
  63  *                       as set during SSL session setup.
  64  * @param cert         - The certificate used by PolarSSL.
  65  * @param cert_depth   - The depth of the current certificate in the chain, with
  66  *                       0 being the actual certificate.
  67  * @param flags        - Whether the remote OpenVPN peer's certificate
  68  *                       passed verification.  A value of 0 means it
  69  *                       verified successfully, any other value means it
  70  *                       failed. \c verify_callback() is considered to have
  71  *                       ok'ed this certificate if flags is 0 when it returns.
  72  *
  73  * @return The return value is 0 unless a fatal error occurred.
  74  */
  75 int verify_callback (void *session_obj, x509_cert *cert, int cert_depth,
  76     int *flags);
  77
  78 /** @} name Function for authenticating a new connection from a remote OpenVPN peer */
  79
  80 #endif /* SSL_VERIFY_POLARSSL_H_ */