On Sat, Jan 28, 2023 at 05:34:20PM -0500, selva.n...@gmail.com wrote:
> From: Selva Nair <selva.n...@gmail.com>
>
> - Require xkey-provider (thus OpenSSL 3.01+) for --cryptoapicert
>
> Note:
> Ideally we should also make ENABLE_CRYPTOAPI conditional
> on HAVE_XKEY_PROVIDER but that looks hard unless we can agree
> to move HAVE_XKEY_PROVIDER to configure/config.h.
> Or move ENABLE_CRYPTOAPI out of syshead.h ?
>
> Signed-off-by: Selva Nair <selva.n...@gmail.com>
> ---
> src/openvpn/cryptoapi.c | 555 +---------------------------------------
> src/openvpn/options.c | 2 +-
> 2 files changed, 11 insertions(+), 546 deletions(-)
>
> diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c
> index e3c0bc99..6ff4fcb5 100644
> --- a/src/openvpn/cryptoapi.c
> +++ b/src/openvpn/cryptoapi.c
> @@ -55,17 +55,17 @@
> #include "xkey_common.h"
>
> #ifndef HAVE_XKEY_PROVIDER
> -/* index for storing external data in EC_KEY: < 0 means uninitialized */
> -static int ec_data_idx = -1;
>
> -/* Global EVP_PKEY_METHOD used to override the sign operation */
> -static EVP_PKEY_METHOD *pmethod;
> -static int (*default_pkey_sign_init) (EVP_PKEY_CTX *ctx);
> -static int (*default_pkey_sign) (EVP_PKEY_CTX *ctx, unsigned char *sig,
> - size_t *siglen, const unsigned char *tbs,
> size_t tbslen);
> -#else /* ifndef HAVE_XKEY_PROVIDER */
> +int
> +SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop)
> +{
> + msg(M_NONFATAL, "ERROR: cryptoapicert not supported in this version");
"in this version" sounds wrong to me. That might indicate to the user that
they need a newer or older version of OpenVPN. Maybe
"this binary was compiled without cryptoapicert support"?
Regards,
--
Frank Lichtenheld
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
