#define ENABLE_PLUGIN 1
#define ENABLE_PORT_SHARE 1
#define ENABLE_SOCKS 1
-#define ENABLE_SSL 1
#define HAVE_ERRNO_H 1
#define HAVE_FCNTL_H 1
[enable_crypto_ofb_cfb="yes"]
)
-AC_ARG_ENABLE(
- [ssl],
- [AS_HELP_STRING([--disable-ssl], [disable SSL support for TLS-based key exchange @<:@default=yes@:>@])],
- ,
- [enable_ssl="yes"]
-)
-
AC_ARG_ENABLE(
[x509-alt-username],
[AS_HELP_STRING([--enable-x509-alt-username], [enable the --x509-username-field feature @<:@default=no@:>@])],
;;
esac
-if test "${enable_ssl}" = "yes"; then
- test "${enable_crypto}" != "yes" && AC_MSG_ERROR([crypto must be enabled for ssl])
- test "${have_crypto_ssl}" != "yes" && AC_MSG_ERROR([${with_ssl_library} ssl is required but missing])
- OPTIONAL_CRYPTO_CFLAGS="${OPTIONAL_CRYPTO_CFLAGS} ${CRYPTO_SSL_CFLAGS}"
- OPTIONAL_CRYPTO_LIBS="${OPTIONAL_CRYPTO_LIBS} ${CRYPTO_SSL_LIBS}"
- AC_DEFINE([ENABLE_SSL], [1], [Enable ssl library])
-fi
-
if test "${enable_crypto}" = "yes"; then
test "${have_crypto_crypto}" != "yes" && AC_MSG_ERROR([${with_crypto_library} crypto is required but missing])
test "${enable_crypto_ofb_cfb}" = "yes" && AC_DEFINE([ENABLE_OFB_CFB_MODE], [1], [Enable OFB and CFB cipher modes])
- OPTIONAL_CRYPTO_CFLAGS="${OPTIONAL_CRYPTO_CFLAGS} ${CRYPTO_CRYPTO_CFLAGS}"
- OPTIONAL_CRYPTO_LIBS="${OPTIONAL_CRYPTO_LIBS} ${CRYPTO_CRYPTO_LIBS}"
+ OPTIONAL_CRYPTO_CFLAGS="${OPTIONAL_CRYPTO_CFLAGS} ${CRYPTO_CRYPTO_CFLAGS} ${CRYPTO_SSL_CFLAGS}"
+ OPTIONAL_CRYPTO_LIBS="${OPTIONAL_CRYPTO_LIBS} ${CRYPTO_CRYPTO_LIBS} ${CRYPTO_SSL_LIBS}"
AC_DEFINE([ENABLE_CRYPTO], [1], [Enable crypto library])
fi
if test "${enable_pkcs11}" = "yes"; then
test "${have_pkcs11_helper}" != "yes" && AC_MSG_ERROR([PKCS11 enabled but libpkcs11-helper is missing])
- test "${enable_ssl}" != "yes" && AC_MSG_ERROR([PKCS11 can be enabled only if SSL is enabled])
+ test "${enable_crypto}" != "yes" && AC_MSG_ERROR([PKCS11 can be enabled only if crypto is enabled])
OPTIONAL_PKCS11_HELPER_CFLAGS="${PKCS11_HELPER_CFLAGS}"
OPTIONAL_PKCS11_HELPER_LIBS="${PKCS11_HELPER_LIBS}"
AC_DEFINE([ENABLE_PKCS11], [1], [Enable PKCS11])
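Review bot: The `have_crypto_ssl` guard is lost in this hunk: the removed ssl block (line 23) aborted configure when the SSL library was missing, but the crypto block that now unconditionally appends `${CRYPTO_SSL_CFLAGS}` and `${CRYPTO_SSL_LIBS}` (lines 34-35) only checks `have_crypto_crypto` (line 30), so a host with a crypto library but no usable SSL library presumably gets past configure with empty SSL flags and fails only at compile or link time. Carry the check over, e.g. after line 30 `test "${have_crypto_ssl}" != "yes" && AC_MSG_ERROR([${with_ssl_library} ssl is required but missing])`. Separately, the link order is now crypto-then-ssl, whereas before the ssl block ran first (lines 24-25 preceded 32-33); with static libraries and a single-pass linker libssl needs to precede libcrypto, so `${CRYPTO_SSL_LIBS} ${CRYPTO_CRYPTO_LIBS}` would be the safer order on line 35.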
*
* @par Settings that control this module's activity
* Whether or not the Data Channel Crypto module is active depends on the
- * compile-time \c ENABLE_CRYPTO and \c ENABLE_SSL preprocessor macros. How it
- * processes packets received from the \link data_control Data Channel
- * Control module\endlink at runtime depends on the associated \c
- * crypto_options structure. To perform cryptographic operations, the \c
- * crypto_options.key_ctx_bi must contain the correct cipher and HMAC
- * security parameters for the direction the packet is traveling in.
+ * compile-time \c ENABLE_CRYPTO preprocessor macro. How it processes packets
+ * received from the \link data_control Data Channel Control module\endlink at
+ * runtime depends on the associated \c crypto_options structure. To perform
+ * cryptographic operations, the \c crypto_options.key_ctx_bi must contain the
+ * correct cipher and HMAC security parameters for the direction the packet is
+ * traveling in.
*
* @par Crypto algorithms
* This module uses the crypto algorithm implementations of the external
SEARCH_INCLUDES = YES
INCLUDE_PATH =
INCLUDE_FILE_PATTERNS =
-PREDEFINED = WIN32 NTLM USE_LZO ENABLE_FRAGMENT P2MP P2MP_SERVER ENABLE_CRYPTO ENABLE_CRYPTO_OPENSSL ENABLE_SSL ENABLE_PLUGIN ENABLE_MANAGEMENT ENABLE_OCC HAVE_GETTIMEOFDAY
+PREDEFINED = WIN32 NTLM USE_LZO ENABLE_FRAGMENT P2MP P2MP_SERVER ENABLE_CRYPTO ENABLE_CRYPTO_OPENSSL ENABLE_PLUGIN ENABLE_MANAGEMENT ENABLE_OCC HAVE_GETTIMEOFDAY
EXPAND_AS_DEFINED =
SKIP_FUNCTION_MACROS = YES
#---------------------------------------------------------------------------
#define OPENVPN_PLUGIN_VERSION 3
-#ifdef ENABLE_SSL
+#ifdef ENABLE_CRYPTO
#ifdef ENABLE_CRYPTO_POLARSSL
#include <polarssl/x509_crt.h>
#ifndef __OPENVPN_X509_CERT_T_DECLARED
* *per_client_context : the per-client context pointer which was returned by
* openvpn_plugin_client_constructor_v1, if defined.
*
- * current_cert_depth : Certificate depth of the certificate being passed over (only if compiled with ENABLE_SSL defined)
+ * current_cert_depth : Certificate depth of the certificate being passed over (only if compiled with ENABLE_CRYPTO defined)
*
- * *current_cert : X509 Certificate object received from the client (only if compiled with ENABLE_SSL defined)
+ * *current_cert : X509 Certificate object received from the client (only if compiled with ENABLE_CRYPTO defined)
*
*/
struct openvpn_plugin_args_func_in
const char ** const envp;
openvpn_plugin_handle_t handle;
void *per_client_context;
-#ifdef ENABLE_SSL
+#ifdef ENABLE_CRYPTO
int current_cert_depth;
openvpn_x509_cert_t *current_cert;
#else
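Review bot: The layout of `struct openvpn_plugin_args_func_in` is now selected by `ENABLE_CRYPTO` instead of `ENABLE_SSL` (lines 91-92), and this header is the public plugin ABI, so an out-of-tree plugin still compiled with `-DENABLE_SSL` — the convention the sample plugin in this same diff used until now (line 98) — silently gets the `#else` layout and reads `current_cert_depth`/`current_cert` at the wrong offsets, which is a memory-safety problem rather than a compile error. The same macro switch in the include guard at lines 72-73 means such a plugin also loses the `openvpn_x509_cert_t` declaration. Whether this warrants bumping OPENVPN_PLUGIN_VERSION (line 71) is a judgement call, but the header should at least state the new requirement; suggest extending the field comments at lines 81 and 84 with `(plugins must define ENABLE_CRYPTO, formerly ENABLE_SSL, to match this layout)`. The struct definition continues outside the hunk.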
#include <string.h>
#include <stdlib.h>
-#define ENABLE_SSL
+#define ENABLE_CRYPTO
#include "openvpn-plugin.h"
gc_free (&gc);
}
-#ifdef ENABLE_SSL
-
void
get_tls_handshake_key (const struct key_type *key_type,
struct key_ctx_bi *ctx,
CLEAR (*ctx);
}
}
-#endif
/* header and footer for static key file */
static const char static_key_head[] = "-----BEGIN OpenVPN Static key V1-----";
return l;
}
-#ifndef ENABLE_SSL
-
-void
-init_ssl_lib (void)
-{
- crypto_init_lib ();
-}
-
-void
-free_ssl_lib (void)
-{
- crypto_uninit_lib ();
- prng_uninit();
-}
-
-#endif /* ENABLE_SSL */
-
/*
* md5 functions
*/
const char* prefix0,
const char* prefix1);
-#ifdef ENABLE_SSL
-
#define GHK_INLINE (1<<0)
void get_tls_handshake_key (const struct key_type *key_type,
struct key_ctx_bi *ctx,
const int key_direction,
const unsigned int flags);
-#else
-
-void init_ssl_lib (void);
-void free_ssl_lib (void);
-
-#endif /* ENABLE_SSL */
-
/*
* md5 functions
*/
void
crypto_init_lib (void)
{
-#ifndef ENABLE_SSL
- /* If SSL is enabled init is taken care of in ssl_openssl.c */
-#ifndef ENABLE_SMALL
- ERR_load_crypto_strings ();
-#endif
- OpenSSL_add_all_algorithms ();
-#endif
-
/*
* If you build the OpenSSL library and OpenVPN with
* CRYPTO_MDEBUG, you will get a listing of OpenSSL
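Review bot: With the `#ifndef ENABLE_SSL` block removed, `crypto_init_lib` no longer contains any library initialisation and the only hint about where `ERR_load_crypto_strings`/`OpenSSL_add_all_algorithms` now happen (the removed comment at line 159) is gone with it; a reader of this function will reasonably expect it to initialise OpenSSL. Keep a one-line pointer at the top of the body, e.g. `/* OpenSSL library init (error strings, algorithms) is done in ssl_openssl.c */`, and the mirror comment `/* OpenSSL library cleanup is done in ssl_openssl.c */` in `crypto_uninit_lib` at lines 169-179, whose removed block had the same role. Both function bodies continue outside their hunks.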
void
crypto_uninit_lib (void)
{
-#ifndef ENABLE_SSL
- /* If SSL is enabled cleanup is taken care of in ssl_openssl.c */
- EVP_cleanup ();
-#ifndef ENABLE_SMALL
- ERR_free_strings ();
-#endif
-#endif
-
#ifdef CRYPTO_MDEBUG
FILE* fp = fopen ("sdlog", "w");
ASSERT (fp);
static inline void
check_tls (struct context *c)
{
-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
+#if defined(ENABLE_CRYPTO)
void check_tls_dowork (struct context *c);
if (c->c2.tls_multi)
check_tls_dowork (c);
static inline void
check_tls_errors (struct context *c)
{
-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
+#if defined(ENABLE_CRYPTO)
void check_tls_errors_co (struct context *c);
void check_tls_errors_nco (struct context *c);
if (c->c2.tls_multi && c->c2.tls_exit_signal)
* traffic on the control-channel.
*
*/
-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
+#ifdef ENABLE_CRYPTO
void
check_tls_dowork (struct context *c)
{
if (wakeup)
context_reschedule_sec (c, wakeup);
}
-#endif
-
-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
void
check_tls_errors_co (struct context *c)
{
register_signal (c, c->c2.tls_exit_signal, "tls-error"); /* SOFT-SIGUSR1 -- TLS error */
}
-
-#endif
+#endif /* ENABLE_CRYPTO */
#if P2MP
bool
send_control_channel_string (struct context *c, const char *str, int msglevel)
{
-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
+#ifdef ENABLE_CRYPTO
if (c->c2.tls_multi) {
struct gc_arena gc = gc_new ();
bool stat;
gc_free (&gc);
return stat;
}
-#endif
+#endif /* ENABLE_CRYPTO */
return true;
}
}
#ifdef ENABLE_CRYPTO
-#ifdef ENABLE_SSL
/*
* If TLS mode, get the key we will use to encrypt
* the packet.
{
tls_pre_encrypt (c->c2.tls_multi, &c->c2.buf, &c->c2.crypto_options);
}
-#endif
/*
* Encrypt the packet and write an optional
link_socket_get_outgoing_addr (&c->c2.buf, get_link_socket_info (c),
&c->c2.to_link_addr);
#ifdef ENABLE_CRYPTO
-#ifdef ENABLE_SSL
/*
* In TLS mode, prepend the appropriate one-byte opcode
* to the packet which identifies it as a data channel
{
tls_post_encrypt (c->c2.tls_multi, &c->c2.buf);
}
-#endif
#endif
/* if null encryption, copy result to read_tun_buf */
link_socket_bad_incoming_addr (&c->c2.buf, lsi, &c->c2.from);
#ifdef ENABLE_CRYPTO
-#ifdef ENABLE_SSL
if (c->c2.tls_multi)
{
/*
if (c->c2.context_auth != CAS_SUCCEEDED)
c->c2.buf.len = 0;
#endif
-#endif /* ENABLE_SSL */
/* authenticate and decrypt the incoming packet */
decrypt_status = openvpn_decrypt (&c->c2.buf, c->c2.buffers->decrypt_buf, &c->c2.crypto_options, &c->c2.frame);
static void
init_query_passwords (struct context *c)
{
-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
+#ifdef ENABLE_CRYPTO
/* Certificate password input */
if (c->options.key_pass_file)
pem_password_setup (c->options.key_pass_file);
close_port_share ();
#endif
-#if defined(MEASURE_TLS_HANDSHAKE_STATS) && defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
+#if defined(MEASURE_TLS_HANDSHAKE_STATS) && defined(ENABLE_CRYPTO)
show_tls_performance_stats ();
#endif
}
*/
#ifdef ENABLE_CRYPTO
if (options->show_ciphers || options->show_digests || options->show_engines
-#ifdef ENABLE_SSL
- || options->show_tls_ciphers || options->show_curves
-#endif
- )
+ || options->show_tls_ciphers || options->show_curves)
{
if (options->show_ciphers)
show_available_ciphers ();
show_available_digests ();
if (options->show_engines)
show_available_engines ();
-#ifdef ENABLE_SSL
if (options->show_tls_ciphers)
show_available_tls_ciphers (options->cipher_list);
if (options->show_curves)
show_available_curves();
-#endif
return true;
}
#endif
|| options->ifconfig_remote_netmask
#ifdef ENABLE_CRYPTO
|| options->shared_secret_file
-#ifdef ENABLE_SSL
|| options->tls_server || options->tls_client
-#endif
#endif
)
msg (M_FATAL|M_OPTERR,
format_common_name (struct context *c, struct gc_arena *gc)
{
struct buffer out = alloc_buf_gc (256, gc);
-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
+#ifdef ENABLE_CRYPTO
if (c->c2.tls_multi)
{
buf_printf (&out, "[%s] ", tls_common_name (c->c2.tls_multi, false));
#ifdef ENABLE_CRYPTO
if (c->options.packet_id_file)
event_timeout_init (&c->c2.packet_id_persist_interval, 60, now);
-#endif
-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
/* initialize tmp_int optimization that limits the number of times we call
tls_multi_process in the main event loop */
interval_init (&c->c2.tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH);
if (found & OPT_P_SETENV)
msg (D_PUSH, "OPTIONS IMPORT: environment modified");
-#ifdef ENABLE_SSL
+#ifdef ENABLE_CRYPTO
if (found & OPT_P_PEER_ID)
{
msg (D_PUSH, "OPTIONS IMPORT: peer-id set");
{
#ifdef ENABLE_CRYPTO
free_key_ctx_bi (&ks->static_key);
-#ifdef ENABLE_SSL
if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)
{
tls_ctx_free (&ks->ssl_ctx);
free_key_ctx_bi (&ks->tls_auth_key);
}
-#endif /* ENABLE_SSL */
#endif /* ENABLE_CRYPTO */
CLEAR (*ks);
}
options->use_iv);
}
-#ifdef ENABLE_SSL
-
/*
* Initialize the persistent component of OpenVPN's TLS mode,
* which is preserved across SIGUSR1 resets.
}
}
-#endif /* ENABLE_SSL */
-#endif /* ENABLE_CRYPTO */
-
-#ifdef ENABLE_CRYPTO
/*
* No encryption or authentication.
*/
#ifdef ENABLE_CRYPTO
if (c->options.shared_secret_file)
do_init_crypto_static (c, flags);
-#ifdef ENABLE_SSL
else if (c->options.tls_server || c->options.tls_client)
do_init_crypto_tls (c, flags);
-#endif
else /* no encryption or authentication. */
do_init_crypto_none (c);
#else /* ENABLE_CRYPTO */
msg (M_WARN,
"******* WARNING *******: " PACKAGE_NAME
- " built without OpenSSL -- encryption and authentication features disabled -- all data will be tunnelled as cleartext");
+ " built without crypto library -- encryption and authentication features disabled -- all data will be tunnelled as cleartext");
#endif /* ENABLE_CRYPTO */
}
if (!o->use_iv)
msg (M_WARN, "WARNING: You have disabled Crypto IVs (--no-iv) which may make " PACKAGE_NAME " less secure");
-#ifdef ENABLE_SSL
if (o->tls_server)
warn_on_use_of_common_subnets ();
if (o->tls_client
&& !o->remote_cert_eku)
msg (M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
#endif
-#endif
#ifndef CONNECT_NONBLOCK
if (o->ce.connect_timeout_defined)
static void
do_init_frame_tls (struct context *c)
{
-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
+#ifdef ENABLE_CRYPTO
do_init_finalize_tls_frame (c);
#endif
}
options_string_version (c->c2.options_string_remote, &gc),
md5sum ((uint8_t*)c->c2.options_string_remote,
strlen (c->c2.options_string_remote), 9, &gc));
-#endif
-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
if (c->c2.tls_multi)
tls_multi_init_set_options (c->c2.tls_multi,
c->c2.options_string_local,
static void
do_close_tls (struct context *c)
{
-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
+#ifdef ENABLE_CRYPTO
if (c->c2.tls_multi)
{
tls_multi_free (c->c2.tls_multi, true);
static void
do_signal_on_tls_errors (struct context *c)
{
-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
+#ifdef ENABLE_CRYPTO
if (c->options.tls_exit)
c->c2.tls_exit_signal = SIGTERM;
else
#ifdef ENABLE_CRYPTO
dest->c1.ks.key_type = src->c1.ks.key_type;
-#ifdef ENABLE_SSL
/* inherit SSL context */
dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
dest->c1.ks.tls_auth_key = src->c1.ks.tls_auth_key;
-#endif
#endif
/* options */
/* detach plugins */
dest->plugins_owned = false;
-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
+#ifdef ENABLE_CRYPTO
dest->c2.tls_multi = NULL;
#endif
static void
man_forget_passwords (struct management *man)
{
-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
+#ifdef ENABLE_CRYPTO
ssl_purge_auth (false);
msg (M_CLIENT, "SUCCESS: Passwords were forgotten");
#endif
}
if (!exiting)
{
-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
+#ifdef ENABLE_CRYPTO
if (man->settings.flags & MF_FORGET_DISCONNECT)
ssl_purge_auth (false);
#endif
/* pre-shared static key, read from a file */
struct key_ctx_bi static_key;
-#ifdef ENABLE_SSL
/* our global SSL context */
struct tls_root_ctx ssl_ctx;
/* optional authentication HMAC key for TLS control channel */
struct key_ctx_bi tls_auth_key;
-
-#endif /* ENABLE_SSL */
#else /* ENABLE_CRYPTO */
int dummy;
#endif /* ENABLE_CRYPTO */
/*
* TLS-mode crypto objects.
*/
-#ifdef ENABLE_SSL
-
struct tls_multi *tls_multi; /**< TLS state structure for this VPN
* tunnel. */
/* throw this signal on TLS errors */
int tls_exit_signal;
-#endif /* ENABLE_SSL */
-
struct crypto_options crypto_options;
/**< Security parameters and crypto state
* used by the \link data_crypto Data
* have been compiled in.
*/
-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
+#ifdef ENABLE_CRYPTO
#define TLS_MODE(c) ((c)->c2.tls_multi != NULL)
#define PROTO_DUMP_FLAGS (check_debug_level (D_LINK_RW_VERBOSE) ? (PD_SHOW_DATA|PD_VERBOSE) : 0)
#define PROTO_DUMP(buf, gc) protocol_dump((buf), \
#endif
" " TARGET_ALIAS
#ifdef ENABLE_CRYPTO
-#ifdef ENABLE_SSL
#if defined(ENABLE_CRYPTO_POLARSSL)
" [SSL (PolarSSL)]"
#elif defined(ENABLE_CRYPTO_OPENSSL)
#else
" [SSL]"
#endif /* defined(ENABLE_CRYPTO_POLARSSL) */
-#else /* ! ENABLE_SSL */
-#if defined(ENABLE_CRYPTO_POLARSSL)
- " [CRYPTO (PolarSSL)]"
-#elif defined(ENABLE_CRYPTO_OPENSSL)
- " [CRYPTO (OpenSSL)]"
-#else
- " [CRYPTO]"
-#endif /* defined(ENABLE_CRYPTO_POLARSSL) */
-#endif /* ENABLE_SSL */
#endif /* ENABLE_CRYPTO */
#ifdef USE_COMP
#ifdef ENABLE_LZO
"--use-prediction-resistance: Enable prediction resistance on the random\n"
" number generator.\n"
#endif
-#ifdef ENABLE_SSL
"\n"
"TLS Key Negotiation Options:\n"
"(These options are meaningful only for TLS-mode)\n"
"--remote-cert-tls t: Require that peer certificate was signed with explicit\n"
" key usage and extended key usage based on RFC3280 TLS rules.\n"
" t = 'client' | 'server'.\n"
-#endif /* ENABLE_SSL */
#ifdef ENABLE_PKCS11
"\n"
"PKCS#11 Options:\n"
"--show-ciphers : Show cipher algorithms to use with --cipher option.\n"
"--show-digests : Show message digest algorithms to use with --auth option.\n"
"--show-engines : Show hardware crypto accelerator engines (if available).\n"
-#ifdef ENABLE_SSL
"--show-tls : Show all TLS ciphers (TLS used only as a control channel).\n"
-#endif
#ifdef WIN32
"\n"
"Windows Specific:\n"
#ifdef ENABLE_PREDICTION_RESISTANCE
o->use_prediction_resistance = false;
#endif
-#ifdef ENABLE_SSL
o->key_method = 2;
o->tls_timeout = 2;
o->renegotiate_seconds = 3600;
#ifdef ENABLE_X509ALTUSERNAME
o->x509_username_field = X509_USERNAME_FIELD_DEFAULT;
#endif
-#endif /* ENABLE_SSL */
#endif /* ENABLE_CRYPTO */
#ifdef ENABLE_PKCS11
o->pkcs11_pin_cache_period = -1;
return ret;
}
-#ifdef ENABLE_SSL
+#ifdef ENABLE_CRYPTO
static uint8_t *
parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_arena *gc)
{
SHOW_BOOL (show_digests);
SHOW_BOOL (show_engines);
SHOW_BOOL (genkey);
-#ifdef ENABLE_SSL
SHOW_STR (key_pass_file);
SHOW_BOOL (show_tls_ciphers);
-#endif
#endif
SHOW_INT (connect_retry_max);
SHOW_BOOL (use_prediction_resistance);
#endif
-#ifdef ENABLE_SSL
SHOW_BOOL (tls_server);
SHOW_BOOL (tls_client);
SHOW_INT (key_method);
SHOW_BOOL (tls_exit);
SHOW_STR (tls_auth_file);
-#endif
-#endif
+#endif /* ENABLE_CRYPTO */
#ifdef ENABLE_PKCS11
{
msg (M_USAGE, "--inetd nowait can only be used with --proto tcp-server");
if (options->inetd == INETD_NOWAIT
-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
+#ifdef ENABLE_CRYPTO
&& !(options->tls_server || options->tls_client)
#endif
)
/*
* SSL/TLS mode sanity checks.
*/
-
-#ifdef ENABLE_SSL
if (options->tls_server + options->tls_client +
(options->shared_secret_file != NULL) > 1)
msg (M_USAGE, "specify only one of --tls-server, --tls-client, or --secret");
}
#undef MUST_BE_UNDEF
#endif /* ENABLE_CRYPTO */
-#endif /* ENABLE_SSL */
#if P2MP
if (options->auth_user_pass_file && !options->pull)
{
bool errs = false;
+#ifdef ENABLE_CRYPTO
/* ** SSL/TLS/crypto related files ** */
-#ifdef ENABLE_SSL
errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->dh_file, R_OK, "--dh");
errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->ca_file, R_OK, "--ca");
errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE, options->ca_path, R_OK, "--capath");
errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->tls_auth_file, R_OK,
"--tls-auth");
-#endif /* ENABLE_SSL */
-#ifdef ENABLE_CRYPTO
errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->shared_secret_file, R_OK,
"--secret");
errs |= check_file_access (CHKACC_DIRPATH|CHKACC_FILEXSTWR,
options->packet_id_file, R_OK|W_OK, "--replay-persist");
-#endif /* ENABLE_CRYPTO */
-
/* ** Password files ** */
-#ifdef ENABLE_SSL
errs |= check_file_access (CHKACC_FILE, options->key_pass_file, R_OK,
"--askpass");
-#endif /* ENABLE_SSL */
+#endif /* ENABLE_CRYPTO */
#ifdef ENABLE_MANAGEMENT
errs |= check_file_access (CHKACC_FILE|CHKACC_ACPTSTDIN,
options->management_user_pass, R_OK,
R_OK|W_OK, "--status");
/* ** Config related ** */
-#ifdef ENABLE_SSL
+#ifdef ENABLE_CRYPTO
errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE, options->tls_export_cert,
R_OK|W_OK|X_OK, "--tls-export-cert");
-#endif /* ENABLE_SSL */
+#endif /* ENABLE_CRYPTO */
#if P2MP_SERVER
errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE, options->client_config_dir,
R_OK|X_OK, "--client-config-dir");
#ifdef ENABLE_CRYPTO
-#ifdef ENABLE_SSL
#define TLS_CLIENT (o->tls_client)
#define TLS_SERVER (o->tls_server)
-#else
-#define TLS_CLIENT (false)
-#define TLS_SERVER (false)
-#endif
/*
* Key direction
#endif
}
-#ifdef ENABLE_SSL
/*
* SSL Options
*/
buf_printf (&out, ",tls-server");
}
}
-#endif /* ENABLE_SSL */
#undef TLS_CLIENT
#undef TLS_SERVER
struct options o;
init_options (&o, true);
-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
+#ifdef ENABLE_CRYPTO
fprintf (fp, usage_message,
title_string,
o.ce.connect_retry_seconds,
o.replay_window, o.replay_time,
o.tls_timeout, o.renegotiate_seconds,
o.handshake_window, o.transition_window);
-#elif defined(ENABLE_CRYPTO)
- fprintf (fp, usage_message,
- title_string,
- o.ce.connect_retry_seconds,
- o.ce.local_port, o.ce.remote_port,
- TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT,
- o.verbosity,
- o.authname, o.ciphername,
- o.replay_window, o.replay_time);
#else
fprintf (fp, usage_message,
title_string,
void
show_library_versions(const unsigned int flags)
{
-#ifdef ENABLE_SSL
+#ifdef ENABLE_CRYPTO
#define SSL_LIB_VER_STR get_ssl_library_version()
#else
#define SSL_LIB_VER_STR ""
options->use_prediction_resistance = true;
}
#endif
-#ifdef ENABLE_SSL
else if (streq (p[0], "show-tls"))
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->x509_username_field = p[1];
}
#endif /* ENABLE_X509ALTUSERNAME */
-#endif /* ENABLE_SSL */
#endif /* ENABLE_CRYPTO */
#ifdef ENABLE_PKCS11
else if (streq (p[0], "show-pkcs11-ids"))
bool show_ciphers;
bool show_digests;
bool show_engines;
-#ifdef ENABLE_SSL
bool show_tls_ciphers;
bool show_curves;
-#endif
bool genkey;
#endif
bool use_prediction_resistance;
#endif
-#ifdef ENABLE_SSL
/* TLS (control channel) parms */
bool tls_server;
bool tls_client;
bool tls_exit;
-#endif /* ENABLE_SSL */
#endif /* ENABLE_CRYPTO */
#ifdef ENABLE_X509_TRACK
const struct argv *av,
struct openvpn_plugin_string_list **retlist,
const char **envp
-#ifdef ENABLE_SSL
+#ifdef ENABLE_CRYPTO
, int certdepth,
openvpn_x509_cert_t *current_cert
#endif
(const char ** const) envp,
p->plugin_handle,
per_client_context,
-#ifdef ENABLE_SSL
+#ifdef ENABLE_CRYPTO
(current_cert ? certdepth : -1),
current_cert
#else
const struct argv *av,
struct plugin_return *pr,
struct env_set *es
-#ifdef ENABLE_SSL
+#ifdef ENABLE_CRYPTO
, int certdepth,
openvpn_x509_cert_t *current_cert
#endif
av,
pr ? &pr->list[i] : NULL,
envp
-#ifdef ENABLE_SSL
+#ifdef ENABLE_CRYPTO
,certdepth,
current_cert
#endif
const struct argv *av,
struct plugin_return *pr,
struct env_set *es
-#ifdef ENABLE_SSL
+#ifdef ENABLE_CRYPTO
, int current_cert_depth,
openvpn_x509_cert_t *current_cert
#endif
const struct argv *av,
struct plugin_return *pr,
struct env_set *es
-#ifdef ENABLE_SSL
+#ifdef ENABLE_CRYPTO
, int current_cert_depth,
openvpn_x509_cert_t *current_cert
#endif
struct env_set *es)
{
return plugin_call_ssl(pl, type, av, pr, es
-#ifdef ENABLE_SSL
+#ifdef ENABLE_CRYPTO
, -1, NULL
#endif
);
#include "syshead.h"
-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
+#ifdef ENABLE_CRYPTO
#include "buffer.h"
#include "error.h"
#else
static void dummy(void) {}
-#endif /* ENABLE_CRYPTO && ENABLE_SSL*/
+#endif /* ENABLE_CRYPTO */
*/
-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
+#ifdef ENABLE_CRYPTO
#ifndef RELIABLE_H
#define RELIABLE_H
#endif /* RELIABLE_H */
-#endif /* ENABLE_CRYPTO && ENABLE_SSL */
+#endif /* ENABLE_CRYPTO */
#include "syshead.h"
-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
+#ifdef ENABLE_CRYPTO
#include "error.h"
#include "common.h"
#else
static void dummy(void) {}
-#endif /* ENABLE_CRYPTO && ENABLE_SSL*/
+#endif /* ENABLE_CRYPTO */
* negotiated).
*/
-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
+#ifdef ENABLE_CRYPTO
#ifndef SESSION_ID_H
#define SESSION_ID_H
const char *session_id_print (const struct session_id *sid, struct gc_arena *gc);
#endif /* SESSION_ID_H */
-#endif /* ENABLE_CRYPTO && ENABLE_SSL */
+#endif /* ENABLE_CRYPTO */
#include "syshead.h"
-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
+#if defined(ENABLE_CRYPTO)
#include "error.h"
#include "common.h"
#else
static void dummy(void) {}
-#endif /* ENABLE_CRYPTO && ENABLE_SSL*/
+#endif /* ENABLE_CRYPTO */
#ifndef OPENVPN_SSL_H
#define OPENVPN_SSL_H
-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
+#if defined(ENABLE_CRYPTO)
#include "basic.h"
#include "common.h"
/*#define EXTRACT_X509_FIELD_TEST*/
void extract_x509_field_test (void);
-#endif /* ENABLE_CRYPTO && ENABLE_SSL */
+#endif /* ENABLE_CRYPTO */
#endif
#include "syshead.h"
-#if defined(ENABLE_SSL) && defined(ENABLE_CRYPTO_OPENSSL)
+#if defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL)
#include "errlevel.h"
#include "buffer.h"
return SSLeay_version(SSLEAY_VERSION);
}
-#endif /* defined(ENABLE_SSL) && defined(ENABLE_CRYPTO_OPENSSL) */
+#endif /* defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL) */
#include "syshead.h"
-#if defined(ENABLE_SSL) && defined(ENABLE_CRYPTO_POLARSSL)
+#if defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_POLARSSL)
#include "errlevel.h"
#include "ssl_backend.h"
return polar_version;
}
-#endif /* defined(ENABLE_SSL) && defined(ENABLE_CRYPTO_POLARSSL) */
+#endif /* defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_POLARSSL) */
#include "syshead.h"
-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
+#ifdef ENABLE_CRYPTO
#include "misc.h"
#include "manage.h"
gc_free (&gc);
}
}
-#endif /* defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) */
+#endif /* ENABLE_CRYPTO */
#ifndef SSL_VERIFY_H_
#define SSL_VERIFY_H_
-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
+#ifdef ENABLE_CRYPTO
#include "syshead.h"
#include "misc.h"
#endif
}
-#endif /* defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) */
+#endif /* ENABLE_CRYPTO */
#endif /* SSL_VERIFY_H_ */
#include "syshead.h"
-#if defined(ENABLE_SSL) && defined(ENABLE_CRYPTO_OPENSSL)
+#if defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL)
#include "ssl_verify_openssl.h"
return retval;
}
-#endif /* defined(ENABLE_SSL) && defined(ENABLE_CRYPTO_OPENSSL) */
+#endif /* defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL) */
#include "syshead.h"
-#if defined(ENABLE_SSL) && defined(ENABLE_CRYPTO_POLARSSL)
+#if defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_POLARSSL)
#include "ssl_verify.h"
#include <polarssl/error.h>
return retval;
}
-#endif /* #if defined(ENABLE_SSL) && defined(ENABLE_CRYPTO_POLARSSL) */
+#endif /* #if defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_POLARSSL) */
* Do we have point-to-multipoint capability?
*/
-#if defined(ENABLE_CLIENT_SERVER) && defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) && defined(HAVE_GETTIMEOFDAY_NANOSECONDS)
+#if defined(ENABLE_CLIENT_SERVER) && defined(ENABLE_CRYPTO) && defined(HAVE_GETTIMEOFDAY_NANOSECONDS)
#define P2MP 1
#else
#define P2MP 0
/*
* Enable external private key
*/
-#if defined(ENABLE_MANAGEMENT) && defined(ENABLE_SSL)
+#if defined(ENABLE_MANAGEMENT) && defined(ENABLE_CRYPTO)
#define MANAGMENT_EXTERNAL_KEY
#endif
/*
* Do we have CryptoAPI capability?
*/
-#if defined(WIN32) && defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) && defined(ENABLE_CRYPTO_OPENSSL)
+#if defined(WIN32) && defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL)
#define ENABLE_CRYPTOAPI
#endif
/*
* Enable x509-track feature?
*/
-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) && defined (ENABLE_CRYPTO_OPENSSL)
+#if defined(ENABLE_CRYPTO) && defined (ENABLE_CRYPTO_OPENSSL)
#define ENABLE_X509_TRACK
#endif
/*
* Do we support pushing peer info?
*/
-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
+#if defined(ENABLE_CRYPTO)
#define ENABLE_PUSH_PEER_INFO
#endif