On Sat, Jan 28, 2023 at 05:34:20PM -0500, selva.n...@gmail.com wrote: > From: Selva Nair <selva.n...@gmail.com> > > - Require xkey-provider (thus OpenSSL 3.01+) for --cryptoapicert > > Note: > Ideally we should also make ENABLE_CRYPTOAPI conditional > on HAVE_XKEY_PROVIDER but that looks hard unless we can agree > to move HAVE_XKEY_PROVIDER to configure/config.h. > Or move ENABLE_CRYPTOAPI out of syshead.h ? > > Signed-off-by: Selva Nair <selva.n...@gmail.com> > --- > src/openvpn/cryptoapi.c | 555 +--------------------------------------- > src/openvpn/options.c | 2 +- > 2 files changed, 11 insertions(+), 546 deletions(-) > > diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c > index e3c0bc99..6ff4fcb5 100644 > --- a/src/openvpn/cryptoapi.c > +++ b/src/openvpn/cryptoapi.c > @@ -55,17 +55,17 @@ > #include "xkey_common.h" > > #ifndef HAVE_XKEY_PROVIDER > -/* index for storing external data in EC_KEY: < 0 means uninitialized */ > -static int ec_data_idx = -1; > > -/* Global EVP_PKEY_METHOD used to override the sign operation */ > -static EVP_PKEY_METHOD *pmethod; > -static int (*default_pkey_sign_init) (EVP_PKEY_CTX *ctx); > -static int (*default_pkey_sign) (EVP_PKEY_CTX *ctx, unsigned char *sig, > - size_t *siglen, const unsigned char *tbs, > size_t tbslen); > -#else /* ifndef HAVE_XKEY_PROVIDER */ > +int > +SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop) > +{ > + msg(M_NONFATAL, "ERROR: cryptoapicert not supported in this version");
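Review bot: In the new `#ifndef HAVE_XKEY_PROVIDER` stub of `SSL_CTX_use_CryptoAPI_certificate()`, the `msg(M_NONFATAL, ...)` text does not say what the build is missing. The commit message states the actual requirement (xkey-provider, thus OpenSSL 3.01+), so the error could name it, for example "cryptoapicert requires a build with xkey provider support", which points the user at how the binary was built, not at the OpenVPN version. Because the message is logged as M_NONFATAL and the quoted hunk ends at the msg() call, it is also worth confirming that the stub returns failure, so that the caller does not continue without the certificate.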
"in this version" sounds wrong to me. That might indicate to the user that they need a newer or older version of OpenVPN. Maybe "this binary was compiled without cryptoapicert support"?

Regards,
--
Frank Lichtenheld