1 /* 2 * OpenVPN -- An application to securely tunnel IP networks 3 * over a single TCP/UDP port, with support for SSL/TLS-based 4 * session authentication and key exchange, 5 * packet encryption, packet authentication, and 6 * packet compression. 7 * 8 * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net> 9 * Copyright (C) 2010-2018 Fox Crypto B.V. <openvpn@fox-it.com> 10 * 11 * This program is free software; you can redistribute it and/or modify 12 * it under the terms of the GNU General Public License version 2 13 * as published by the Free Software Foundation. 14 * 15 * This program is distributed in the hope that it will be useful, 16 * but WITHOUT ANY WARRANTY; without even the implied warranty of 17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 * GNU General Public License for more details. 19 * 20 * You should have received a copy of the GNU General Public License along 21 * with this program; if not, write to the Free Software Foundation, Inc., 22 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 23 */ 24 25 /** 26 * @file Control Channel Verification Module OpenSSL backend 27 */ 28 29 30 #ifndef SSL_VERIFY_OPENSSL_H_ 31 #define SSL_VERIFY_OPENSSL_H_ 32 33 #include <openssl/x509.h> 34 35 #ifndef __OPENVPN_X509_CERT_T_DECLARED 36 #define __OPENVPN_X509_CERT_T_DECLARED 37 typedef X509 openvpn_x509_cert_t; 38 #endif 39 40 /** @name Function for authenticating a new connection from a remote OpenVPN peer 41 * @{ */ 42 43 /** 44 * Verify that the remote OpenVPN peer's certificate allows setting up a 45 * VPN tunnel. 46 * @ingroup control_tls 47 * 48 * This callback function is called every time a new TLS session is being 49 * setup to determine whether the remote OpenVPN peer's certificate is 50 * allowed to connect. It is called for once for every certificate in the chain. 51 * The callback functionality is configured in the \c init_ssl() function, which 52 * calls the OpenSSL library's \c SSL_CTX_set_verify() function with \c 53 * verify_callback() as its callback argument. 54 * 55 * It checks preverify_ok, and registers the certificate hash. If these steps 56 * succeed, it calls the \c verify_cert() function, which performs 57 * OpenVPN-specific verification. 58 * 59 * @param preverify_ok - Whether the remote OpenVPN peer's certificate 60 * past verification. A value of 1 means it 61 * verified successfully, 0 means it failed. 62 * @param ctx - The complete context used by the OpenSSL library 63 * to verify the certificate chain. 64 * 65 * @return The return value indicates whether the supplied certificate is 66 * allowed to set up a VPN tunnel. The following values can be 67 * returned: 68 * - \c 0: failure, this certificate is not allowed to connect. 69 * - \c 1: success, this certificate is allowed to connect. 70 */ 71 int verify_callback(int preverify_ok, X509_STORE_CTX *ctx); 72 73 /** @} name Function for authenticating a new connection from a remote OpenVPN peer */ 74 75 #endif /* SSL_VERIFY_OPENSSL_H_ */ 76