* - \c openvpn_decrypt()
*
* @par Settings that control this module's activity
- * Whether or not the Data Channel Crypto module is active depends on the
- * compile-time \c ENABLE_CRYPTO preprocessor macro. How it processes packets
- * received from the \link data_control Data Channel Control module\endlink at
- * runtime depends on the associated \c crypto_options structure. To perform
- * cryptographic operations, the \c crypto_options.key_ctx_bi must contain the
- * correct cipher and HMAC security parameters for the direction the packet is
- * traveling in.
+ * How the data channel processes packets received from the \link data_control
+ * Data Channel Control module\endlink at runtime depends on the associated
+ * \c crypto_options structure. To perform cryptographic operations, the
+ * \c crypto_options.key_ctx_bi must contain the correct cipher and HMAC
+ * security parameters for the direction the packet is traveling in.
*
* @par Crypto algorithms
* This module uses the crypto algorithm implementations of the external
#define OPENVPN_PLUGIN_VERSION 3
-#ifdef ENABLE_CRYPTO
#ifdef ENABLE_CRYPTO_MBEDTLS
#include <mbedtls/x509_crt.h>
#ifndef __OPENVPN_X509_CERT_T_DECLARED
typedef X509 openvpn_x509_cert_t;
#endif
#endif
-#endif
#include <stdarg.h>
#include <stddef.h>
* *per_client_context : the per-client context pointer which was returned by
* openvpn_plugin_client_constructor_v1, if defined.
*
- * current_cert_depth : Certificate depth of the certificate being passed over (only if compiled with ENABLE_CRYPTO defined)
+ * current_cert_depth : Certificate depth of the certificate being passed over
*
- * *current_cert : X509 Certificate object received from the client (only if compiled with ENABLE_CRYPTO defined)
+ * *current_cert : X509 Certificate object received from the client
*
*/
struct openvpn_plugin_args_func_in
const char **const envp;
openvpn_plugin_handle_t handle;
void *per_client_context;
-#ifdef ENABLE_CRYPTO
int current_cert_depth;
openvpn_x509_cert_t *current_cert;
-#else
- int __current_cert_depth_disabled; /* Unused, for compatibility purposes only */
- void *__current_cert_disabled; /* Unused, for compatibility purposes only */
-#endif
};
#include "syshead.h"
-#ifdef ENABLE_CRYPTO
-
#include "crypto.h"
#include "error.h"
#include "integer.h"
return pair->openvpn_name;
}
-
-#endif /* ENABLE_CRYPTO */
#ifndef CRYPTO_H
#define CRYPTO_H
-#ifdef ENABLE_CRYPTO
-
#include "crypto_backend.h"
#include "basic.h"
#include "buffer.h"
return key->encrypt.cipher || key->encrypt.hmac || key->decrypt.cipher || key->decrypt.hmac;
}
-
-#endif /* ENABLE_CRYPTO */
#endif /* CRYPTO_H */
#include "syshead.h"
-#if defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_MBEDTLS)
+#if defined(ENABLE_CRYPTO_MBEDTLS)
#include "errlevel.h"
#include "basic.h"
ASSERT(0 == mbedtls_md_hmac_finish(ctx, dst));
}
-#endif /* ENABLE_CRYPTO && ENABLE_CRYPTO_MBEDTLS */
+#endif /* ENABLE_CRYPTO_MBEDTLS */
#include "syshead.h"
-#if defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL)
+#if defined(ENABLE_CRYPTO_OPENSSL)
#include "basic.h"
#include "buffer.h"
HMAC_Final(ctx, dst, &in_hmac_len);
}
-#endif /* ENABLE_CRYPTO && ENABLE_CRYPTO_OPENSSL */
+#endif /* ENABLE_CRYPTO_OPENSSL */
static inline void
check_tls(struct context *c)
{
-#if defined(ENABLE_CRYPTO)
void check_tls_dowork(struct context *c);
if (c->c2.tls_multi)
{
check_tls_dowork(c);
}
-#endif
}
/*
static inline void
check_tls_errors(struct context *c)
{
-#if defined(ENABLE_CRYPTO)
void check_tls_errors_co(struct context *c);
void check_tls_errors_nco(struct context *c);
}
}
}
-#endif /* if defined(ENABLE_CRYPTO) */
}
/*
#endif
-#ifdef ENABLE_CRYPTO
/*
* Should we persist our anti-replay packet ID state to disk?
*/
packet_id_persist_save(&c->c1.pid_persist);
}
}
-#endif
/*
* Set our wakeup to 0 seconds, so we will be rescheduled
* traffic on the control-channel.
*
*/
-#ifdef ENABLE_CRYPTO
void
check_tls_dowork(struct context *c)
{
{
register_signal(c, c->c2.tls_exit_signal, "tls-error"); /* SOFT-SIGUSR1 -- TLS error */
}
-#endif /* ENABLE_CRYPTO */
#if P2MP
bool
send_control_channel_string(struct context *c, const char *str, int msglevel)
{
-#ifdef ENABLE_CRYPTO
if (c->c2.tls_multi)
{
struct gc_arena gc = gc_new();
gc_free(&gc);
return stat;
}
-#endif /* ENABLE_CRYPTO */
return true;
}
#endif
}
-#ifdef ENABLE_CRYPTO
/* initialize work buffer with FRAME_HEADROOM bytes of prepend capacity */
ASSERT(buf_init(&b->encrypt_buf, FRAME_HEADROOM(&c->c2.frame)));
}
tls_post_encrypt(c->c2.tls_multi, &c->c2.buf);
}
-#endif /* ifdef ENABLE_CRYPTO */
/*
* Get the address we will be sending the packet to.
static void
process_coarse_timers(struct context *c)
{
-#ifdef ENABLE_CRYPTO
/* flush current packet-id to file once per 60
* seconds if --replay-persist was specified */
check_packet_id_persist_flush(c);
-#endif
/* should we update status file? */
check_status_file(c);
link_socket_bad_incoming_addr(&c->c2.buf, lsi, &c->c2.from);
}
-#ifdef ENABLE_CRYPTO
if (c->c2.tls_multi)
{
/*
register_signal(c, SIGUSR1, "decryption-error"); /* SOFT-SIGUSR1 -- decryption error in TCP mode */
msg(D_STREAM_ERRORS, "Fatal decryption error (process_incoming_link), restarting");
}
-#else /* ENABLE_CRYPTO */
- decrypt_status = true;
-#endif /* ENABLE_CRYPTO */
}
else
{
register_activity(c, size);
}
-
-#ifdef ENABLE_CRYPTO
/* for unreachable network and "connecting" state switch to the next host */
if (size < 0 && ENETUNREACH == error_code && c->c2.tls_multi
&& !tls_initial_packet_received(c->c2.tls_multi) && c->options.mode == MODE_POINT_TO_POINT)
msg(M_INFO, "Network unreachable, restarting");
register_signal(c, SIGUSR1, "network-unreachable");
}
-#endif
}
else
{
void
init_query_passwords(const struct context *c)
{
-#ifdef ENABLE_CRYPTO
/* Certificate password input */
if (c->options.key_pass_file)
{
pem_password_setup(c->options.key_pass_file);
}
-#endif
#if P2MP
/* Auth user/pass input */
{
/* configure_path (); */
-#if defined(ENABLE_CRYPTO) && defined(DMALLOC)
+#if defined(DMALLOC)
crypto_init_dmalloc();
#endif
update_time();
-#ifdef ENABLE_CRYPTO
init_ssl_lib();
/* init PRNG used for IV generation */
/* When forking, copy this to more places in the code to avoid fork
* random-state predictability */
prng_init(NULL, 0);
-#endif
#ifdef PID_TEST
packet_id_interactive_test(); /* test the sequence number code */
void
uninit_static(void)
{
-#ifdef ENABLE_CRYPTO
free_ssl_lib();
-#endif
#ifdef ENABLE_PKCS11
pkcs11_terminate();
close_port_share();
#endif
-#if defined(MEASURE_TLS_HANDSHAKE_STATS) && defined(ENABLE_CRYPTO)
+#if defined(MEASURE_TLS_HANDSHAKE_STATS)
show_tls_performance_stats();
#endif
}
/*
* OpenSSL info print mode?
*/
-#ifdef ENABLE_CRYPTO
if (options->show_ciphers || options->show_digests || options->show_engines
|| options->show_tls_ciphers || options->show_curves)
{
}
return true;
}
-#endif /* ifdef ENABLE_CRYPTO */
return false;
}
bool
do_genkey(const struct options *options)
{
-#ifdef ENABLE_CRYPTO
if (options->genkey)
{
int nbits_written;
options->shared_secret_file);
return true;
}
-#endif
return false;
}
notnull(options->dev, "TUN/TAP device (--dev)");
if (options->ce.remote || options->ifconfig_local
|| options->ifconfig_remote_netmask
-#ifdef ENABLE_CRYPTO
|| options->shared_secret_file
|| options->tls_server || options->tls_client
-#endif
)
{
msg(M_FATAL|M_OPTERR,
format_common_name(struct context *c, struct gc_arena *gc)
{
struct buffer out = alloc_buf_gc(256, gc);
-#ifdef ENABLE_CRYPTO
if (c->c2.tls_multi)
{
buf_printf(&out, "[%s] ", tls_common_name(c->c2.tls_multi, false));
}
-#endif
return BSTR(&out);
}
#endif
/* initialize packet_id persistence timer */
-#ifdef ENABLE_CRYPTO
if (c->options.packet_id_file)
{
event_timeout_init(&c->c2.packet_id_persist_interval, 60, now);
/* initialize tmp_int optimization that limits the number of times we call
* tls_multi_process in the main event loop */
interval_init(&c->c2.tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH);
-#endif
}
}
do_uid_gid_chroot(c, true);
-#ifdef ENABLE_CRYPTO
/*
* In some cases (i.e. when receiving auth-token via
* push-reply) the auth-nocache option configured on the
{
delayed_auth_pass_purge();
}
-#endif /* ENABLE_CRYPTO */
/* Test if errors */
if (flags & ISC_ERRORS)
flags |= (OPT_P_ROUTE | OPT_P_IPWIN32);
}
-#ifdef ENABLE_CRYPTO
if (c->options.ncp_enabled)
{
flags |= OPT_P_NCP;
}
-#endif
return flags;
}
msg(D_PUSH, "OPTIONS IMPORT: environment modified");
}
-#ifdef ENABLE_CRYPTO
if (found & OPT_P_PEER_ID)
{
msg(D_PUSH, "OPTIONS IMPORT: peer-id set");
return false;
}
}
-#endif /* ifdef ENABLE_CRYPTO */
+
return true;
}
static void
key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
{
-#ifdef ENABLE_CRYPTO
free_key_ctx_bi(&ks->static_key);
if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)
{
tls_ctx_free(&ks->ssl_ctx);
free_key_ctx_bi(&ks->tls_wrap_key);
}
-#endif /* ENABLE_CRYPTO */
CLEAR(*ks);
}
-#ifdef ENABLE_CRYPTO
-
static void
init_crypto_pre(struct context *c, const unsigned int flags)
{
"protected against man-in-the-middle changes. "
"PLEASE DO RECONSIDER THIS CONFIGURATION!");
}
-#endif /* ifdef ENABLE_CRYPTO */
static void
do_init_crypto(struct context *c, const unsigned int flags)
{
-#ifdef ENABLE_CRYPTO
if (c->options.shared_secret_file)
{
do_init_crypto_static(c, flags);
{
do_init_crypto_none(c);
}
-#else /* ENABLE_CRYPTO */
- msg(M_WARN,
- "******* WARNING *******: " PACKAGE_NAME
- " built without crypto library -- encryption and authentication features disabled -- all data will be tunnelled as cleartext");
-#endif /* ENABLE_CRYPTO */
}
static void
#endif /* if P2MP_SERVER */
#endif /* if P2MP */
-#ifdef ENABLE_CRYPTO
if (!o->replay)
{
msg(M_WARN, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure");
{
msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
}
-#endif /* ifdef ENABLE_CRYPTO */
/* If a script is used, print appropiate warnings */
if (o->user_script_used)
static void
do_init_frame_tls(struct context *c)
{
-#ifdef ENABLE_CRYPTO
do_init_finalize_tls_frame(c);
-#endif
}
struct context_buffers *
b->aux_buf = alloc_buf(BUF_SIZE(frame));
-#ifdef ENABLE_CRYPTO
b->encrypt_buf = alloc_buf(BUF_SIZE(frame));
b->decrypt_buf = alloc_buf(BUF_SIZE(frame));
-#endif
#ifdef USE_COMP
b->compress_buf = alloc_buf(BUF_SIZE(frame));
free_buf(&b->decompress_buf);
#endif
-#ifdef ENABLE_CRYPTO
free_buf(&b->encrypt_buf);
free_buf(&b->decrypt_buf);
-#endif
free(b);
}
options_string_version(c->c2.options_string_remote, &gc),
c->c2.options_string_remote);
-#ifdef ENABLE_CRYPTO
if (c->c2.tls_multi)
{
tls_multi_init_set_options(c->c2.tls_multi,
c->c2.options_string_local,
c->c2.options_string_remote);
}
-#endif
gc_free(&gc);
}
static void
do_close_tls(struct context *c)
{
-#ifdef ENABLE_CRYPTO
if (c->c2.tls_multi)
{
tls_multi_free(c->c2.tls_multi, true);
}
c->c2.options_string_local = c->c2.options_string_remote = NULL;
#endif
-#endif
}
/*
static void
do_close_packet_id(struct context *c)
{
-#ifdef ENABLE_CRYPTO
packet_id_free(&c->c2.crypto_options.packet_id);
packet_id_persist_save(&c->c1.pid_persist);
if (!(c->sig->signal_received == SIGUSR1))
{
packet_id_persist_close(&c->c1.pid_persist);
}
-#endif
}
#ifdef ENABLE_FRAGMENT
static void
do_signal_on_tls_errors(struct context *c)
{
-#ifdef ENABLE_CRYPTO
if (c->options.tls_exit)
{
c->c2.tls_exit_signal = SIGTERM;
{
c->c2.tls_exit_signal = SIGUSR1;
}
-#endif
}
#ifdef ENABLE_PLUGIN
/* c1 init */
packet_id_persist_init(&dest->c1.pid_persist);
-#ifdef ENABLE_CRYPTO
dest->c1.ks.key_type = src->c1.ks.key_type;
/* inherit SSL context */
dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
dest->c1.ciphername = src->c1.ciphername;
dest->c1.authname = src->c1.authname;
dest->c1.keysize = src->c1.keysize;
-#endif
/* options */
dest->options = src->options;
/* detach plugins */
dest->plugins_owned = false;
-#ifdef ENABLE_CRYPTO
dest->c2.tls_multi = NULL;
-#endif
/* detach c1 ownership */
dest->c1.tuntap_owned = false;
}
}
-#ifdef ENABLE_CRYPTO
-
/*
* Do a loopback test
* on the crypto subsystem.
return NULL;
}
-#endif /* ENABLE_CRYPTO */
-
bool
do_test_crypto(const struct options *o)
{
-#ifdef ENABLE_CRYPTO
if (o->test_crypto)
{
struct context c;
test_crypto_thread((void *) &c);
return true;
}
-#endif
return false;
}
static void
man_forget_passwords(struct management *man)
{
-#ifdef ENABLE_CRYPTO
ssl_purge_auth(false);
msg(M_CLIENT, "SUCCESS: Passwords were forgotten");
-#endif
}
static void
}
if (!exiting)
{
-#ifdef ENABLE_CRYPTO
if (man->settings.flags & MF_FORGET_DISCONNECT)
{
ssl_purge_auth(false);
}
-#endif
+
if (man->settings.flags & MF_SIGNAL)
{
int mysig = man_mod_signal(man, SIGUSR1);
return NULL;
}
-#ifdef ENABLE_CRYPTO
-
/*
* Prepend a random string to hostname to prevent DNS caching.
* For example, foo.bar.gov would be modified to <random-chars>.foo.bar.gov.
#undef n_rnd_bytes
}
-#else /* ifdef ENABLE_CRYPTO */
-
-const char *
-hostname_randomize(const char *hostname, struct gc_arena *gc)
-{
- msg(M_WARN, "WARNING: hostname randomization disabled when crypto support is not compiled");
- return hostname;
-}
-
-#endif /* ifdef ENABLE_CRYPTO */
-
/*
* Put a directory and filename together.
*/
const char **make_extended_arg_array(char **p, struct gc_arena *gc);
/* an analogue to the random() function, but use OpenSSL functions if available */
-#ifdef ENABLE_CRYPTO
long int get_random(void);
-#else
-#define get_random random
-#endif
-
/* return true if filename can be opened for read */
bool test_file(const char *filename);
/* return true if pathname is absolute */
bool absolute_pathname(const char *pathname);
-/* prepend a random prefix to hostname (need ENABLE_CRYPTO) */
+/* prepend a random prefix to hostname */
const char *hostname_randomize(const char *hostname, struct gc_arena *gc);
/*
struct key_schedule
{
-#ifdef ENABLE_CRYPTO
/* which cipher, HMAC digest, and key sizes are we using? */
struct key_type key_type;
/* optional TLS control channel wrapping */
struct key_type tls_auth_key_type;
struct key_ctx_bi tls_wrap_key;
-#else /* ENABLE_CRYPTO */
- int dummy;
-#endif /* ENABLE_CRYPTO */
};
/*
struct buffer aux_buf;
/* workspace buffers used by crypto routines */
-#ifdef ENABLE_CRYPTO
struct buffer encrypt_buf;
struct buffer decrypt_buf;
-#endif
/* workspace buffers for compression */
#ifdef USE_COMP
int occ_mtu_load_n_tries;
#endif
-#ifdef ENABLE_CRYPTO
-
/*
* TLS-mode crypto objects.
*/
struct event_timeout packet_id_persist_interval;
-#endif /* ENABLE_CRYPTO */
-
#ifdef USE_COMP
struct compress_context *comp_context;
/**< Compression context used by the
* have been compiled in.
*/
-#ifdef ENABLE_CRYPTO
#define TLS_MODE(c) ((c)->c2.tls_multi != NULL)
#define PROTO_DUMP_FLAGS (check_debug_level(D_LINK_RW_VERBOSE) ? (PD_SHOW_DATA|PD_VERBOSE) : 0)
#define PROTO_DUMP(buf, gc) protocol_dump((buf), \
|(c->c2.tls_multi ? PD_TLS : 0) \
|(c->options.tls_auth_file ? c->c1.ks.key_type.hmac_length : 0), \
gc)
-#else /* ifdef ENABLE_CRYPTO */
-#define TLS_MODE(c) (false)
-#define PROTO_DUMP(buf, gc) format_hex(BPTR(buf), BLEN(buf), 80, gc)
-#endif
-
-#ifdef ENABLE_CRYPTO
#define MD5SUM(buf, len, gc) md5sum((buf), (len), 0, (gc))
-#else
-#define MD5SUM(buf, len, gc) "[unavailable]"
-#endif
-#ifdef ENABLE_CRYPTO
#define CIPHER_ENABLED(c) (c->c1.ks.key_type.cipher != NULL)
-#else
-#define CIPHER_ENABLED(c) (false)
-#endif
/* this represents "disabled peer-id" */
#define MAX_PEER_ID 0xFFFFFF
" [git:" CONFIGURE_GIT_REVISION CONFIGURE_GIT_FLAGS "]"
#endif
" " TARGET_ALIAS
-#ifdef ENABLE_CRYPTO
#if defined(ENABLE_CRYPTO_MBEDTLS)
" [SSL (mbed TLS)]"
#elif defined(ENABLE_CRYPTO_OPENSSL)
#else
" [SSL]"
#endif /* defined(ENABLE_CRYPTO_MBEDTLS) */
-#endif /* ENABLE_CRYPTO */
#ifdef USE_COMP
#ifdef ENABLE_LZO
" [LZO]"
"--explicit-exit-notify [n] : On exit/restart, send exit signal to\n"
" server/remote. n = # of retries, default=1.\n"
#endif
-#ifdef ENABLE_CRYPTO
"\n"
"Data Channel Encryption Options (must be compatible between peers):\n"
"(These options are meaningful for both Static Key & TLS-mode)\n"
"--genkey : Generate a random key to be used as a shared secret,\n"
" for use with the --secret option.\n"
"--secret file : Write key to file.\n"
-#endif /* ENABLE_CRYPTO */
#ifdef ENABLE_FEATURE_TUN_PERSIST
"\n"
"Tun/tap config mode (available with linux 2.4+):\n"
#if P2MP
o->scheduled_exit_interval = 5;
#endif
-#ifdef ENABLE_CRYPTO
o->ciphername = "BF-CBC";
#ifdef HAVE_AEAD_CIPHER_MODES /* IV_NCP=2 requires GCM support */
o->ncp_enabled = true;
#ifdef ENABLE_X509ALTUSERNAME
o->x509_username_field = X509_USERNAME_FIELD_DEFAULT;
#endif
-#endif /* ENABLE_CRYPTO */
#ifdef ENABLE_PKCS11
o->pkcs11_pin_cache_period = -1;
#endif /* ENABLE_PKCS11 */
return ret;
}
-#ifdef ENABLE_CRYPTO
static uint8_t *
parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_arena *gc)
{
}
return ret;
}
-#endif /* ifdef ENABLE_CRYPTO */
#ifdef _WIN32
SHOW_INT(persist_mode);
#endif
-#ifdef ENABLE_CRYPTO
SHOW_BOOL(show_ciphers);
SHOW_BOOL(show_digests);
SHOW_BOOL(show_engines);
SHOW_BOOL(genkey);
SHOW_STR(key_pass_file);
SHOW_BOOL(show_tls_ciphers);
-#endif
SHOW_INT(connect_retry_max);
show_connection_entries(o);
}
#endif
-#ifdef ENABLE_CRYPTO
SHOW_STR(shared_secret_file);
SHOW_INT(key_direction);
SHOW_STR(ciphername);
SHOW_STR(tls_auth_file);
SHOW_STR(tls_crypt_file);
-#endif /* ENABLE_CRYPTO */
#ifdef ENABLE_PKCS11
{
init_options(&defaults, true);
-#ifdef ENABLE_CRYPTO
if (options->test_crypto)
{
notnull(options->shared_secret_file, "key file (--secret)");
}
else
-#endif
- notnull(options->dev, "TUN/TAP device (--dev)");
+ {
+ notnull(options->dev, "TUN/TAP device (--dev)");
+ }
/*
* Get tun/tap/null device type
}
if (options->inetd == INETD_NOWAIT
-#ifdef ENABLE_CRYPTO
- && !(options->tls_server || options->tls_client)
-#endif
- )
+ && !(options->tls_server || options->tls_client))
{
msg(M_USAGE, "--inetd nowait can only be used in TLS mode");
}
}
#endif /* P2MP_SERVER */
-#ifdef ENABLE_CRYPTO
-
if (options->ncp_enabled && !tls_check_ncp_cipher_list(options->ncp_ciphers))
{
msg(M_USAGE, "NCP cipher list contains unsupported ciphers.");
}
}
#undef MUST_BE_UNDEF
-#endif /* ENABLE_CRYPTO */
#if P2MP
if (options->auth_user_pass_file && !options->pull)
options_postprocess_mutate_ce(o, o->connection_list->array[i]);
}
-#ifdef ENABLE_CRYPTO
if (o->tls_server)
{
/* Check that DH file is specified, or explicitly disabled */
"in P2MP client or server mode" );
o->ncp_enabled = false;
}
-#endif
#if ENABLE_MANAGEMENT
if (o->http_proxy_override)
{
bool errs = false;
-#ifdef ENABLE_CRYPTO
/* ** SSL/TLS/crypto related files ** */
errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE, options->dh_file, R_OK, "--dh");
errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE, options->ca_file, R_OK, "--ca");
/* ** Password files ** */
errs |= check_file_access(CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
options->key_pass_file, R_OK, "--askpass");
-#endif /* ENABLE_CRYPTO */
#ifdef ENABLE_MANAGEMENT
errs |= check_file_access(CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
options->management_user_pass, R_OK,
R_OK|W_OK, "--status");
/* ** Config related ** */
-#ifdef ENABLE_CRYPTO
errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tls_export_cert,
R_OK|W_OK|X_OK, "--tls-export-cert");
-#endif /* ENABLE_CRYPTO */
#if P2MP_SERVER
errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->client_config_dir,
R_OK|X_OK, "--client-config-dir");
calc_options_string_link_mtu(const struct options *o, const struct frame *frame)
{
size_t link_mtu = EXPANDED_SIZE(frame);
-#ifdef ENABLE_CRYPTO
+
if (o->pull || o->mode == MODE_SERVER)
{
struct frame fake_frame = *frame;
EXPANDED_SIZE(&fake_frame));
link_mtu = EXPANDED_SIZE(&fake_frame);
}
-#endif
return link_mtu;
}
}
#endif
-#ifdef ENABLE_CRYPTO
-
#define TLS_CLIENT (o->tls_client)
#define TLS_SERVER (o->tls_server)
#undef TLS_CLIENT
#undef TLS_SERVER
-#endif /* ENABLE_CRYPTO */
-
return BSTR(&out);
}
struct options o;
init_options(&o, true);
-#ifdef ENABLE_CRYPTO
fprintf(fp, usage_message,
title_string,
o.ce.connect_retry_seconds,
o.replay_window, o.replay_time,
o.tls_timeout, o.renegotiate_seconds,
o.handshake_window, o.transition_window);
-#else /* ifdef ENABLE_CRYPTO */
- fprintf(fp, usage_message,
- title_string,
- o.ce.connect_retry_seconds,
- o.ce.connect_retry_seconds_max,
- o.ce.local_port, o.ce.remote_port,
- TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT,
- o.verbosity);
-#endif
fflush(fp);
#endif /* ENABLE_SMALL */
void
show_library_versions(const unsigned int flags)
{
-#ifdef ENABLE_CRYPTO
#define SSL_LIB_VER_STR get_ssl_library_version()
-#else
-#define SSL_LIB_VER_STR ""
-#endif
#ifdef ENABLE_LZO
#define LZO_LIB_VER_STR ", LZO ", lzo_version_string()
#else
}
}
#endif /* USE_COMP */
-#ifdef ENABLE_CRYPTO
else if (streq(p[0], "show-ciphers") && !p[1])
{
VERIFY_PERMISSION(OPT_P_GENERAL);
options->x509_username_field = p[1];
}
#endif /* ENABLE_X509ALTUSERNAME */
-#endif /* ENABLE_CRYPTO */
#ifdef ENABLE_PKCS11
else if (streq(p[0], "show-pkcs11-ids") && !p[3])
{
#include "comp.h"
#include "pushlist.h"
#include "clinat.h"
-#ifdef ENABLE_CRYPTO
#include "crypto_backend.h"
-#endif
/*
};
#endif
-#if defined(ENABLE_CRYPTO) && !defined(ENABLE_CRYPTO_OPENSSL) && !defined(ENABLE_CRYPTO_MBEDTLS)
+#if !defined(ENABLE_CRYPTO_OPENSSL) && !defined(ENABLE_CRYPTO_MBEDTLS)
#error "At least one of OpenSSL or mbed TLS needs to be defined."
#endif
bool persist_config;
int persist_mode;
-#ifdef ENABLE_CRYPTO
const char *key_pass_file;
bool show_ciphers;
bool show_digests;
bool show_tls_ciphers;
bool show_curves;
bool genkey;
-#endif
/* Networking parms */
int connect_retry_max;
#endif
#endif /* if P2MP */
-#ifdef ENABLE_CRYPTO
/* Cipher parms */
const char *shared_secret_file;
const char *shared_secret_file_inline;
bool tls_exit;
-#endif /* ENABLE_CRYPTO */
-
const struct x509_track *x509_track;
/* special state parms */
#include "syshead.h"
-#ifdef ENABLE_CRYPTO
-
#include "packet_id.h"
#include "misc.h"
#include "integer.h"
packet_id_free(&pid);
}
#endif /* ifdef PID_TEST */
-
-#endif /* ENABLE_CRYPTO */
* attempts to replay them back later.
*/
-#ifdef ENABLE_CRYPTO
-
#ifndef PACKET_ID_H
#define PACKET_ID_H
}
#endif /* PACKET_ID_H */
-#endif /* ENABLE_CRYPTO */
const int type,
const struct argv *av,
struct openvpn_plugin_string_list **retlist,
- const char **envp
-#ifdef ENABLE_CRYPTO
- , int certdepth,
+ const char **envp,
+ int certdepth,
openvpn_x509_cert_t *current_cert
-#endif
)
{
int status = OPENVPN_PLUGIN_FUNC_SUCCESS;
(const char **const) envp,
p->plugin_handle,
per_client_context,
-#ifdef ENABLE_CRYPTO
(current_cert ? certdepth : -1),
current_cert
-#else
- -1,
- NULL
-#endif
};
struct openvpn_plugin_args_func_return retargs;
const int type,
const struct argv *av,
struct plugin_return *pr,
- struct env_set *es
-#ifdef ENABLE_CRYPTO
- , int certdepth,
+ struct env_set *es,
+ int certdepth,
openvpn_x509_cert_t *current_cert
-#endif
)
{
if (pr)
type,
av,
pr ? &pr->list[i] : NULL,
- envp
-#ifdef ENABLE_CRYPTO
- ,certdepth,
+ envp,
+ certdepth,
current_cert
-#endif
);
switch (status)
{
const int type,
const struct argv *av,
struct plugin_return *pr,
- struct env_set *es
-#ifdef ENABLE_CRYPTO
- , int current_cert_depth,
+ struct env_set *es,
+ int current_cert_depth,
openvpn_x509_cert_t *current_cert
-#endif
);
void plugin_list_close(struct plugin_list *pl);
const int type,
const struct argv *av,
struct plugin_return *pr,
- struct env_set *es
-#ifdef ENABLE_CRYPTO
- , int current_cert_depth,
+ struct env_set *es,
+ int current_cert_depth,
openvpn_x509_cert_t *current_cert
-#endif
)
{
return 0;
struct plugin_return *pr,
struct env_set *es)
{
- return plugin_call_ssl(pl, type, av, pr, es
-#ifdef ENABLE_CRYPTO
- , -1, NULL
-#endif
- );
+ return plugin_call_ssl(pl, type, av, pr, es, -1, NULL);
}
#endif /* OPENVPN_PLUGIN_H */
#include "syshead.h"
-#ifdef ENABLE_CRYPTO
-
#include "buffer.h"
#include "error.h"
#include "common.h"
}
#endif /* if 0 */
-
-#else /* ifdef ENABLE_CRYPTO */
-static void
-dummy(void)
-{
-}
-#endif /* ENABLE_CRYPTO */
*/
-#ifdef ENABLE_CRYPTO
-
#ifndef RELIABLE_H
#define RELIABLE_H
#endif /* RELIABLE_H */
-#endif /* ENABLE_CRYPTO */
#include "syshead.h"
-#ifdef ENABLE_CRYPTO
-
#include "error.h"
#include "common.h"
#include "crypto.h"
{
return format_hex(sid->id, SID_SIZE, 0, gc);
}
-
-#else /* ifdef ENABLE_CRYPTO */
-static void
-dummy(void)
-{
-}
-#endif /* ENABLE_CRYPTO */
* negotiated).
*/
-#ifdef ENABLE_CRYPTO
-
#ifndef SESSION_ID_H
#define SESSION_ID_H
const char *session_id_print(const struct session_id *sid, struct gc_arena *gc);
#endif /* SESSION_ID_H */
-#endif /* ENABLE_CRYPTO */
#include "syshead.h"
#include "win32.h"
-#if defined(ENABLE_CRYPTO)
-
#include "error.h"
#include "common.h"
#include "socket.h"
auth_user_pass.wait_for_push = false;
purge_user_pass(&auth_user_pass, false);
}
-
-#else /* if defined(ENABLE_CRYPTO) */
-static void
-dummy(void)
-{
-}
-#endif /* ENABLE_CRYPTO */
#ifndef OPENVPN_SSL_H
#define OPENVPN_SSL_H
-#if defined(ENABLE_CRYPTO)
-
#include "basic.h"
#include "common.h"
#include "crypto.h"
void delayed_auth_pass_purge(void);
-#endif /* ENABLE_CRYPTO */
-
#endif /* ifndef OPENVPN_SSL_H */
*/
int tls_version_max(void);
-#ifdef ENABLE_CRYPTO
-
/**
* Initialise a library-specific TLS context for a server.
*
*/
const char *get_ssl_library_version(void);
-#endif /* ENABLE_CRYPTO */
#endif /* SSL_BACKEND_H_ */
#include "syshead.h"
-#if defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_MBEDTLS)
+#if defined(ENABLE_CRYPTO_MBEDTLS)
#include "errlevel.h"
#include "ssl_backend.h"
return mbedtls_version;
}
-#endif /* defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_MBEDTLS) */
+#endif /* defined(ENABLE_CRYPTO_MBEDTLS) */
#include "syshead.h"
-#if defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL)
+#if defined(ENABLE_CRYPTO_OPENSSL)
#include "errlevel.h"
#include "buffer.h"
return SSLeay_version(SSLEAY_VERSION);
}
-#endif /* defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL) */
+#endif /* defined(ENABLE_CRYPTO_OPENSSL) */
#include "syshead.h"
-#ifdef ENABLE_CRYPTO
-
#include "misc.h"
#include "manage.h"
#include "otime.h"
item = next;
}
}
-
-#endif /* ENABLE_CRYPTO */
#ifndef SSL_VERIFY_H_
#define SSL_VERIFY_H_
-#ifdef ENABLE_CRYPTO
-
#include "syshead.h"
#include "misc.h"
#include "ssl_common.h"
/** Remove any X509_ env variables from env_set es */
void tls_x509_clear_env(struct env_set *es);
-#endif /* ENABLE_CRYPTO */
-
#endif /* SSL_VERIFY_H_ */
#include "syshead.h"
-#if defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_MBEDTLS)
+#if defined(ENABLE_CRYPTO_MBEDTLS)
#include "crypto_mbedtls.h"
#include "ssl_verify.h"
return false;
}
-#endif /* #if defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_MBEDTLS) */
+#endif /* #if defined(ENABLE_CRYPTO_MBEDTLS) */
#include "syshead.h"
-#if defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL)
+#if defined(ENABLE_CRYPTO_OPENSSL)
#include "ssl_verify_openssl.h"
return true;
}
-#endif /* defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL) */
+#endif /* defined(ENABLE_CRYPTO_OPENSSL) */
* Do we have point-to-multipoint capability?
*/
-#if defined(ENABLE_CRYPTO) && defined(HAVE_GETTIMEOFDAY_NANOSECONDS)
+#if defined(HAVE_GETTIMEOFDAY_NANOSECONDS)
#define P2MP 1
#else
#define P2MP 0
/*
* Enable external private key
*/
-#if defined(ENABLE_MANAGEMENT) && defined(ENABLE_CRYPTO)
+#if defined(ENABLE_MANAGEMENT)
#define MANAGMENT_EXTERNAL_KEY
#endif
/*
* Should we include NTLM proxy functionality
*/
-#if defined(ENABLE_CRYPTO)
#define NTLM 1
-#else
-#define NTLM 0
-#endif
/*
* Should we include proxy digest auth functionality
*/
-#if defined(ENABLE_CRYPTO)
#define PROXY_DIGEST_AUTH 1
-#else
-#define PROXY_DIGEST_AUTH 0
-#endif
/*
* Do we have CryptoAPI capability?
*/
-#if defined(_WIN32) && defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL)
+#if defined(_WIN32) && defined(ENABLE_CRYPTO_OPENSSL)
#define ENABLE_CRYPTOAPI
#endif
/*
* Do we support pushing peer info?
*/
-#if defined(ENABLE_CRYPTO)
#define ENABLE_PUSH_PEER_INFO
-#endif
/*
* Compression support
#include "syshead.h"
-#ifdef ENABLE_CRYPTO
#include "crypto.h"
#include "session_id.h"
gc_free(&gc);
return false;
}
-
-#endif /* EMABLE_CRYPTO */
#ifndef TLSCRYPT_H
#define TLSCRYPT_H
-#ifdef ENABLE_CRYPTO
-
#include "buffer.h"
#include "crypto.h"
#include "session_id.h"
/** @} */
-#endif /* ENABLE_CRYPTO */
-
#endif /* TLSCRYPT_H */
check_PROGRAMS += argv_testdriver buffer_testdriver
endif
-if ENABLE_CRYPTO
check_PROGRAMS += packet_id_testdriver tls_crypt_testdriver
-endif
TESTS = $(check_PROGRAMS)
#include "config-msvc.h"
#endif
-#ifdef ENABLE_CRYPTO
-
#include "syshead.h"
#include <stdio.h>
return ret;
}
-
-#endif /* ENABLE_CRYPTO */
projects / thirdparty / openvpn.git / commitdiff
