/*
 *  OpenVPN -- An application to securely tunnel IP networks
 *             over a single TCP/UDP port, with support for SSL/TLS-based
 *             session authentication and key exchange,
 *             packet encryption, packet authentication, and
 *             packet compression.
 *
 *  Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
 *  Copyright (C) 2010-2018 Fox Crypto B.V. <openvpn@fox-it.com>
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License version 2
 *  as published by the Free Software Foundation.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */

/**
 * @file Control Channel Verification Module mbed TLS backend
 *
 * Declares the mbed TLS-specific certificate verification hook that OpenVPN
 * installs on every TLS session.  The backend-neutral verification logic
 * lives in \c verify_cert(); this header only exposes the glue that mbed TLS
 * calls into.
 */

#ifndef SSL_VERIFY_MBEDTLS_H_
#define SSL_VERIFY_MBEDTLS_H_

#include "syshead.h"
#include <mbedtls/x509_crt.h>

/*
 * Backend-neutral alias for the certificate type, so callers that only hold
 * an opaque certificate handle do not need to include mbed TLS headers.
 *
 * NOTE(review): identifiers starting with a double underscore are reserved
 * for the implementation in C; a project-prefixed guard name (without the
 * leading underscores) would avoid that namespace.  Left unchanged here since
 * other backend headers may test the very same macro -- verify before renaming.
 */
#ifndef __OPENVPN_X509_CERT_T_DECLARED
#define __OPENVPN_X509_CERT_T_DECLARED
typedef mbedtls_x509_crt openvpn_x509_cert_t;
#endif

/** @name Function for authenticating a new connection from a remote OpenVPN peer
 *  @{ */

/**
 * Verify that the remote OpenVPN peer's certificate allows setting up a
 * VPN tunnel.
 * @ingroup control_tls
 *
 * This callback function is called when a new TLS session is being set up to
 * determine whether the remote OpenVPN peer's certificate is allowed to
 * connect.  It is called once for every certificate in the chain.  The
 * callback functionality is configured in the \c key_state_ssl_init() function,
 * which calls the mbed TLS library's \c mbedtls_ssl_conf_verify() function with
 * \c verify_callback() as its callback argument.
 *
 * It checks *flags and registers the certificate hash.  If these steps succeed,
 * it calls the \c verify_cert() function, which performs OpenVPN-specific
 * verification.
 *
 * Security note: \c flags is the authoritative verdict for this certificate.
 * The chain as a whole is only trusted if \c flags is 0 for every depth when
 * the callback returns; clearing a bit in \c flags that mbed TLS set (e.g. to
 * tolerate an expired or untrusted certificate) weakens the X.509 validation
 * that protects the control channel and must not be done here.
 *
 * @param session_obj - The OpenVPN \c tls_session associated with this object,
 *                      as set during SSL session setup.
 * @param cert        - The certificate used by mbed TLS.
 * @param cert_depth  - The depth of the current certificate in the chain, with
 *                      0 being the actual certificate.
 * @param flags       - In/out.  Whether the remote OpenVPN peer's certificate
 *                      passed verification.  A value of 0 means it
 *                      verified successfully, any other value means it
 *                      failed (mbed TLS reports the reason as a bitmask of
 *                      its \c MBEDTLS_X509_BADCERT_* / \c MBEDTLS_X509_BADCRL_*
 *                      values).  \c verify_callback() is considered to have
 *                      ok'ed this certificate if flags is 0 when it returns.
 *
 * @return The return value is 0 unless a fatal error occurred.  A non-zero
 *         return is presumably treated by mbed TLS as a hard handshake
 *         failure independent of \c flags -- confirm against the mbed TLS
 *         \c mbedtls_ssl_conf_verify() contract for the linked version.
 */
int verify_callback(void *session_obj, mbedtls_x509_crt *cert, int cert_depth,
                    uint32_t *flags);

/** @} name Function for authenticating a new connection from a remote OpenVPN peer */

#endif /* SSL_VERIFY_MBEDTLS_H_ */