*
* @par
* The former role is described below. The latter is described in the
- * documentation for the \c verify_callback() function.
+ * documentation for the verify_callback() function.
*
* @par
* In other words, this module takes care of the confidentiality and
* Because of the one-to-one relationship between control channel TLS
* state and \c key_state structures, the initialization and cleanup of an
* instance of the Control Channel TLS module's state happens within the
- * \c key_state_init() and \c key_state_free() functions. In other words,
+ * key_state_init() and key_state_free() functions. In other words,
* each \c key_state object contains exactly one OpenSSL SSL-BIO object,
* which is initialized and cleaned up together with the rest of the \c
* key_state object.
* @par Packet processing functions
* This object behaves somewhat like a black box with a ciphertext and a
* plaintext I/O port. Its interaction with OpenVPN's control channel
- * during operation takes place within the \c tls_process() function of
+ * during operation takes place within the tls_process() function of
* the \link control_processor Control Channel Processor\endlink. The
* following functions are available for processing packets:
* - If ciphertext received from the remote peer is available in the \link
* reliable Reliability Layer\endlink:
* - Insert it into the ciphertext-side of the SSL-BIO.
- * - Use function: \c key_state_write_ciphertext()
+ * - Use function: key_state_write_ciphertext()
* - If ciphertext can be extracted from the ciphertext-side of the
* SSL-BIO:
* - Pass it to the \link reliable Reliability Layer\endlink for sending
* to the remote peer.
- * - Use function: \c key_state_read_ciphertext()
+ * - Use function: key_state_read_ciphertext()
* - If plaintext can be extracted from the plaintext-side of the SSL-BIO:
* - Pass it on to the \link control_processor Control Channel
* Processor\endlink for local processing.
- * - Use function: \c key_state_read_plaintext()
+ * - Use function: key_state_read_plaintext()
* - If plaintext from the \link control_processor Control Channel
* Processor\endlink is available to be sent to the remote peer:
* - Insert it into the plaintext-side of the SSL-BIO.
- * - Use function: \c key_state_write_plaintext() or \c
+ * - Use function: key_state_write_plaintext() or
* key_state_write_plaintext_const()
*
* @par Transport Layer Security protocol implementation
* @par
* For more information on the OpenSSL library's BIO objects, please see:
* - OpenSSL's generic BIO objects:
- * http://www.openssl.org/docs/crypto/bio.html
+ * https://docs.openssl.org/master/man7/bio/#bio
* - OpenSSL's SSL-BIO object:
- * http://www.openssl.org/docs/crypto/BIO_f_ssl.html
+ * https://docs.openssl.org/master/man3/BIO_f_ssl/#bio_f_ssl
*/
*/
/**
- * @defgroup tls_crypt Control channel encryption (--tls-crypt, --tls-crypt-v2)
+ * @defgroup tls_crypt Control channel encryption (tls-crypt, tls-crypt-v2)
* @ingroup control_tls
* @{
*
- * Control channel encryption uses a pre-shared static key (like the --tls-auth
+ * Control channel encryption uses a pre-shared static key (like the @c --tls-auth
* key) to encrypt control channel packets.
*
* Encrypting control channel packets has three main advantages:
* - It provides "poor-man's" post-quantum security, against attackers who
* will never know the pre-shared key (i.e. no forward secrecy).
*
- * --tls-crypt uses a tls-auth-style group key, where all servers and clients
- * share the same group key. --tls-crypt-v2 adds support for client-specific
+ * @c --tls-crypt uses a tls-auth-style group key, where all servers and clients
+ * share the same group key. @c --tls-crypt-v2 adds support for client-specific
* keys, where all servers share the same client-key encryption key, and each
* clients receives a unique client key, both in plaintext and in encrypted
* form. When connecting to a server, the client sends the encrypted key to
+ sizeof(uint16_t)))
/**
- * Initialize a key_ctx_bi structure for use with --tls-crypt.
+ * Initialize a key_ctx_bi structure for use with @c --tls-crypt.
*
* @param key The key context to initialize
* @param key_file The file to read the key from or the key itself if
* @param dst Any data present in this buffer is first authenticated, then
* the wrapped packet id and data from the src buffer are appended.
* Must have at least tls_crypt_buf_overhead()+BLEN(src) headroom.
- * @param opt The crypto state for this --tls-crypt instance.
+ * @param opt The crypto state for this @c --tls-crypt instance.
*
* @returns true iff wrapping succeeded.
*/
*
* @param src Data to decrypt and authenticate.
* @param dst Returns the decrypted data, if unwrapping was successful.
- * @param opt The crypto state for this --tls-crypt instance.
+ * @param opt The crypto state for this @c --tls-crypt instance.
*
* @returns true iff unwrapping succeeded (data authenticated correctly and was
* no replay).
projects / thirdparty / openvpn.git / commitdiff
