Disable CryptoAPI when not using OpenSSL, and document that fact.

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: David Sommerseth <davids@redhat.com>

diff --git a/cryptoapi.c b/cryptoapi.c
index 3365cd7acad0d6fd35b39ca3fd4174174148be77..a82512617ee2b994dd9aa42e9f56dadfa8a0a925 100644 (file)
--- a/cryptoapi.c
+++ b/cryptoapi.c
@@ -30,7 +30,7 @@
 
 #include "syshead.h"
 
-#if defined(WIN32) && defined(USE_CRYPTO) && defined(USE_SSL)
+#ifdef ENABLE_CRYPTOAPI
 
 #include <openssl/ssl.h>
 #include <openssl/err.h>

diff --git a/openvpn.8 b/openvpn.8
index 4e3b87b272f0be66094f6c1d815ddcad18b1bc49..12547c4ff0290f98f3ab05e1620eeab1493585ac 100644 (file)
--- a/openvpn.8
+++ b/openvpn.8
@@ -4118,7 +4118,7 @@ Mode is encoded as hex number, and can be a mask one of the following:
 .TP
 .B \-\-cryptoapicert select-string
 Load the certificate and private key from the
-Windows Certificate System Store (Windows Only).
+Windows Certificate System Store (Windows/OpenSSL Only).
 
 Use this option instead of
 .B \-\-cert

diff --git a/options.c b/options.c
index 635cef22be106e90cf578a43350537a823c3aca0..8ee24a002e4118e38afd26db3acec8a42695f076 100644 (file)
--- a/options.c
+++ b/options.c
@@ -1562,7 +1562,7 @@ show_settings (const struct options *o)
   SHOW_STR (cert_file);
   SHOW_STR (priv_key_file);
   SHOW_STR (pkcs12_file);
-#ifdef WIN32
+#ifdef ENABLE_CRYPTOAPI
   SHOW_STR (cryptoapi_cert);
 #endif
   SHOW_STR (cipher_list);
@@ -2242,14 +2242,14 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
          msg(M_USAGE, "Parameter --key cannot be used when --pkcs11-provider is also specified.");
        if (options->pkcs12_file)
          msg(M_USAGE, "Parameter --pkcs12 cannot be used when --pkcs11-provider is also specified.");
-#ifdef WIN32
+#ifdef ENABLE_CRYPTOAPI
        if (options->cryptoapi_cert)
          msg(M_USAGE, "Parameter --cryptoapicert cannot be used when --pkcs11-provider is also specified.");
 #endif
        }
       else
 #endif
-#ifdef WIN32
+#ifdef ENABLE_CRYPTOAPI
       if (options->cryptoapi_cert)
        {
          if ((!(options->ca_file)) && (!(options->ca_path)))
@@ -6230,7 +6230,7 @@ add_option (struct options *options,
       VERIFY_PERMISSION (OPT_P_GENERAL);
       options->verify_hash = parse_hash_fingerprint(p[1], SHA_DIGEST_LENGTH, msglevel, &options->gc);
     }
-#ifdef WIN32
+#ifdef ENABLE_CRYPTOAPI
   else if (streq (p[0], "cryptoapicert") && p[1])
     {
       VERIFY_PERMISSION (OPT_P_GENERAL);

diff --git a/options.h b/options.h
index 8532402cd77a4c0ce91a10fba002d94957949d1f..abdddba37ae6f172fe62d0e32903f46309f61921 100644 (file)
--- a/options.h
+++ b/options.h
@@ -555,7 +555,7 @@ struct options
   bool pkcs11_id_management;
 #endif
 
-#ifdef WIN32
+#ifdef ENABLE_CRYPTOAPI
   const char *cryptoapi_cert;
 #endif
 

diff --git a/ssl.c b/ssl.c
index 16076300137f55b26975a839f93b146cd172a6be..e2f081079f03236aed95afef738d14f563643cb8 100644 (file)
--- a/ssl.c
+++ b/ssl.c
@@ -336,7 +336,7 @@ init_ssl (const struct options *options, struct tls_root_ctx *new_ctx)
        }
     }
 #endif
-#ifdef WIN32
+#ifdef ENABLE_CRYPTOAPI
   else if (options->cryptoapi_cert)
     {
       tls_ctx_load_cryptoapi(new_ctx, options->cryptoapi_cert);

diff --git a/ssl_backend.h b/ssl_backend.h
index 022e038a35f60a5d982d5546ad5262fde1172577..b67421c560b7ed40b6cd64e8741811c257344241 100644 (file)
--- a/ssl_backend.h
+++ b/ssl_backend.h
@@ -170,7 +170,7 @@ int tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file,
  * @param ctx                  TLS context to use
  * @param crypto_api_cert      String representing the certificate to load.
  */
-#ifdef WIN32
+#ifdef ENABLE_CRYPTOAPI
 void tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert);
 #endif /* WIN32 */
 

diff --git a/ssl_openssl.c b/ssl_openssl.c
index 35f9b14c0718b907a31e7a4905d7bbd01d45f22c..f36b31943d34b0a0799730300e3a2e0047196d3a 100644 (file)
--- a/ssl_openssl.c
+++ b/ssl_openssl.c
@@ -323,7 +323,7 @@ tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file,
   return 0;
 }
 
-#ifdef WIN32
+#ifdef ENABLE_CRYPTOAPI
 void
 tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert)
 {

diff --git a/ssl_polarssl.c b/ssl_polarssl.c
index d45156a7bbc5d4ed826d65f50d505274f911afdc..032a3569424c3a95888a8b0a2e5395fb676b2800 100644 (file)
--- a/ssl_polarssl.c
+++ b/ssl_polarssl.c
@@ -223,7 +223,7 @@ tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file,
   return 0;
 }
 
-#ifdef WIN32
+#ifdef ENABLE_CRYPTOAPI
 void
 tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert)
 {

diff --git a/syshead.h b/syshead.h
index 56bba0f97998facb960b4d4eca91433ea51db8d2..0addcd7fc63896e97b1c1838c557c46d418e5afe 100644 (file)
--- a/syshead.h
+++ b/syshead.h
@@ -617,6 +617,13 @@ socket_defined (const socket_descriptor_t sd)
 #define ENABLE_PKCS11
 #endif
 
+/*
+ * Do we have CryptoAPI capability?
+ */
+#if defined(WIN32) && defined(USE_CRYPTO) && defined(USE_SSL) && defined(USE_OPENSSL)
+#define ENABLE_CRYPTOAPI
+#endif
+
 /*
  * Enable x509-track feature?
  */