@@ -228,19 +228,6 @@ AC_ARG_ENABLE(

 )

 AC_ARG_WITH(

-	[ssl-headers],

-	[AS_HELP_STRING([--with-ssl-headers=DIR], [Crypto/SSL Include files location])],

-	[CS_HDR_DIR="$withval"]

-	[CPPFLAGS="$CPPFLAGS -I$withval"] 

-)

-

-AC_ARG_WITH(

-	[ssl-lib],

-	[AS_HELP_STRING([--with-ssl-lib=DIR], [Crypto/SSL Library location])],

-	[LDFLAGS="$LDFLAGS -L$withval"] 

-)

-

-AC_ARG_WITH(

 	[mem-check],

 	[AS_HELP_STRING([--with-mem-check=TYPE], [build with debug memory checking, TYPE=dmalloc|valgrind|ssl])],

 	[

@@ -253,15 +240,15 @@ AC_ARG_WITH(

 )

 AC_ARG_WITH(

-	[ssl-type],

-	[AS_HELP_STRING([--with-ssl-type=TYPE], [build with the given SSL library, TYPE = openssl or polarssl])],

+	[crypto-library],

+	[AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|polarssl @<:@default=openssl@:>@])],

 	[

 		case "${withval}" in 

 			openssl|polarssl) ;;

-			*) AC_MSG_ERROR([bad value ${withval} for --with-ssl-type]) ;;

+			*) AC_MSG_ERROR([bad value ${withval} for --with-crypto-library]) ;;

 		esac

 	],

-	[with_ssl_type="openssl"]

+	[with_crypto_library="openssl"]

 )

 AC_DEFINE_UNQUOTED(TARGET_ALIAS, "${host}", [A string representing our host])

@@ -651,6 +638,76 @@ case "${with_mem_check}" in

 		;;

 esac

+PKG_CHECK_MODULES(

+	[OPENSSL_CRYPTO],

+	[libcrypto >= 0.9.6],

+	[have_openssl_crypto="yes"],

+	[AC_CHECK_LIB(

+		[crypto],

+		[RSA_new],

+		[

+			have_openssl_crypto="yes"

+			OPENSSL_CRYPTO_LIBS="-lcrypto"

+		]

+	)]

+)

+

+PKG_CHECK_MODULES(

+	[OPENSSL_SSL],

+	[libssl >= 0.9.6],

+	[have_openssl_ssl="yes"],

+	[AC_CHECK_LIB(

+		[ssl],

+		[SSL_CTX_new],

+		[

+			have_openssl_ssl="yes"

+			OPENSSL_SSL_LIBS="-lssl"

+		]

+	)]

+)

+

+if test "${have_openssl_crypto}" = "yes"; then

+	saved_CFLAGS="${CFLAGS}"

+	saved_LIBS="${LIBS}"

+	CFLAGS="${CFLAGS} ${OPENSSL_CRYPTO_CFLAGS}"

+	LIBS="${LIBS} ${OPENSSL_CRYPTO_LIBS}"

+	AC_CHECK_FUNCS([EVP_CIPHER_CTX_set_key_length])

+	have_openssl_engine="yes"

+	AC_CHECK_FUNCS(

+		[ \

+			ENGINE_load_builtin_engines \

+			ENGINE_register_all_complete \

+			ENGINE_cleanup \

+		],

+		,

+		[have_openssl_engine="no"; break]

+	)

+

+	CFLAGS="${saved_CFLAGS}"

+	LIBS="${saved_LIBS}"

+fi

+

+AC_ARG_VAR([POLARSSL_CFLAGS], [C compiler flags for polarssl])

+AC_ARG_VAR([POLARSSL_LIBS], [linker flags for polarssl])

+have_polarssl_ssl="yes"

+have_polarssl_crypto="yes"

+if test -z "${POLARSSL_LIBS}"; then

+	AC_CHECK_LIB(

+		[polarssl],

+		[ssl_init],

+		[POLARSSL_LIBS="-lpolarssl"],

+		[

+			have_polarssl_ssl="no"

+			AC_CHECK_LIB(

+				[polarssl],

+				[aes_crypt_cbc],

+				,

+				[have_polarssl_crypto="no"]

+			)

+		]

+	)

+fi

+

 AC_ARG_VAR([LZO_CFLAGS], [C compiler flags for lzo])

 AC_ARG_VAR([LZO_LIBS], [linker flags for lzo])

 have_lzo="yes"

@@ -698,103 +755,6 @@ PKG_CHECK_MODULES(

 	[]

 )

-dnl

-dnl check for SSL-crypto library

-dnl

-if test "${enable_crypto}" = "yes"; then

-   if test "${with_ssl_type}" = "openssl"; then  

-       AC_CHECKING([for OpenSSL Crypto Library and Header files])

-       AC_CHECK_HEADER(openssl/evp.h,,

-	       [AC_MSG_ERROR([OpenSSL Crypto headers not found.])])

-

-       for lib in crypto eay32; do

-          AC_CHECK_LIB($lib, EVP_CIPHER_CTX_init,

-                [

-            		cryptofound=1

-			LIBS="${LIBS} -l$lib"

-    	        ]

-          )

-       done

-       test -n "$cryptofound" || AC_MSG_ERROR([OpenSSL Crypto library not found.])

-

-       AC_MSG_CHECKING([that OpenSSL Library is at least version 0.9.6])

-       AC_EGREP_CPP(yes,

-         [

-           #include <openssl/evp.h>

-           #if SSLEAY_VERSION_NUMBER >= 0x00906000L

-    	       yes

-           #endif

-         ],

-         [

-           AC_MSG_RESULT([yes])

-           AC_DEFINE(USE_CRYPTO, 1, [Use crypto library])

-           AC_DEFINE(USE_OPENSSL, 1, [Use OpenSSL library])

-           AC_CHECK_FUNCS(EVP_CIPHER_CTX_set_key_length)

-    

-           dnl check for OpenSSL crypto acceleration capability

-           AC_CHECK_HEADERS(openssl/engine.h)

-           AC_CHECK_FUNCS(ENGINE_load_builtin_engines)

-           AC_CHECK_FUNCS(ENGINE_register_all_complete)

-           AC_CHECK_FUNCS(ENGINE_cleanup)

-         ],

-         [AC_MSG_ERROR([OpenSSL crypto Library is too old.])]

-       )

-   fi

-   if test "${with_ssl_type}" = "polarssl"; then

-        AC_CHECKING([for PolarSSL Crypto Library and Header files])

-        AC_CHECK_HEADER(polarssl/aes.h,

-            [AC_CHECK_LIB(polarssl, aes_crypt_cbc,

-                [

-		    LIBS="${LIBS} -lpolarssl"

-                    AC_DEFINE(USE_CRYPTO, 1, [Use crypto library])

-                    AC_DEFINE(USE_POLARSSL, 1, [Use PolarSSL library])

-                ],

-                [AC_MSG_ERROR([PolarSSL Crypto library not found.])]

-            )],

-            [AC_MSG_ERROR([PolarSSL Crypto headers not found.])]

-        )

-    fi

-   dnl

-   dnl check for OpenSSL-SSL library

-   dnl

-

-   if test "${enable_ssl}" = "yes"; then

-      if test "${with_ssl_type}" = "openssl"; then  

-         AC_CHECKING([for OpenSSL SSL Library and Header files])

-         AC_CHECK_HEADER(openssl/ssl.h,,

-	      [AC_MSG_ERROR([OpenSSL SSL headers not found.])]

-         )

-

-         for lib in ssl ssl32; do

-	     AC_CHECK_LIB($lib, SSL_CTX_new,

-		   [

-			   sslfound=1

-			   LIBS="${LIBS} -l$lib"

-		   ]

-	     )

-         done

-

-         test -n "${sslfound}" || AC_MSG_ERROR([OpenSSL SSL library not found.])

-

-         AC_DEFINE(USE_SSL, 1, [Use OpenSSL SSL library])

-      fi

-      if test "${with_ssl_type}" = "polarssl"; then

-         AC_CHECKING([for PolarSSL SSL Library and Header files])

-         AC_CHECK_HEADER(polarssl/ssl.h,

-              [AC_CHECK_LIB(polarssl, ssl_init,

-              [

-		  LIBS="${LIBS} -lpolarssl"

-                  AC_DEFINE(USE_SSL, 1, [Use SSL library])

-                  AC_DEFINE(USE_POLARSSL, 1, [Use PolarSSL library])

-              ],

-              [AC_MSG_ERROR([PolarSSL SSL library not found.])]

-          )],

-              [AC_MSG_ERROR([PolarSSL SSL headers not found.])]

-          )

-       fi

-   fi

-fi

-

 if test -n "${SP_PLATFORM_WINDOWS}"; then

 	AC_DEFINE_UNQUOTED([PATH_SEPARATOR], ['\\\\'], [Path separator]) #"

 	AC_DEFINE_UNQUOTED([PATH_SEPARATOR_STR], ["\\\\"], [Path separator]) #"

@@ -805,7 +765,7 @@ fi

 dnl enable --x509-username-field feature if requested

 if test "${enable_x509_alt_username}" = "yes"; then

-	if test "${with_ssl_type}" = "polarssl" ; then

+	if test "${with_crypto_library}" = "polarssl" ; then

 		AC_MSG_ERROR([PolarSSL does not support the --x509-username-field feature])

 	fi

@@ -829,6 +789,41 @@ test "${enable_strict_options}" = "yes" && AC_DEFINE([ENABLE_STRICT_OPTIONS_CHEC

 test "${enable_password_save}" = "yes" && AC_DEFINE([ENABLE_PASSWORD_SAVE], [1], [Allow --askpass and --auth-user-pass passwords to be read from a file])

 test "${enable_systemd}" = "yes" && AC_DEFINE([ENABLE_SYSTEMD], [1], [Enable systemd support])

+case "${with_crypto_library}" in

+	openssl)

+		have_crypto_crypto="${have_openssl_crypto}"

+		have_crypto_ssl="${have_openssl_ssl}"

+		CRYPTO_CRYPTO_CFLAGS="${OPENSSL_CRYPTO_CFLAGS}"

+		CRYPTO_CRYPTO_LIBS="${OPENSSL_CRYPTO_LIBS}"

+		CRYPTO_SSL_CFLAGS="${OPENSSL_SSL_CFLAGS}"

+		CRYPTO_SSL_LIBS="${OPENSSL_SSL_LIBS}"

+		AC_DEFINE([ENABLE_CRYPTO_OPENSSL], [1], [Use OpenSSL library])

+		test "${have_openssl_engine}" = "yes" && AC_DEFINE([HAVE_OPENSSL_ENGINE], [1], [Use crypto library])

+		;;

+	polarssl)

+		have_crypto_crypto="${have_polarssl_crypto}"

+		have_crypto_ssl="${have_polarssl_ssl}"

+		CRYPTO_CRYPTO_CFLAGS="${POLARSSL_CRYPTO_CFLAGS}"

+		CRYPTO_CRYPTO_LIBS="${POLARSSL_LIBS}"

+		AC_DEFINE([ENABLE_CRYPTO_POLARSSL], [1], [Use PolarSSL library])

+		;;

+esac

+

+if test "${enable_ssl}" = "yes"; then

+	test "${enable_crypto}" != "yes" && AC_MSG_ERROR([crypto must be enabled for ssl])

+	test "${have_crypto_ssl}" != "yes" && AC_MSG_ERROR([${with_ssl_library} ssl is required but missing])

+	OPTIONAL_CRYPTO_CFLAGS="${OPTIONAL_CRYPTO_CFLAGS} ${CRYPTO_SSL_CFLAGS}"

+	OPTIONAL_CRYPTO_LIBS="${OPTIONAL_CRYPTO_LIBS} ${CRYPTO_SSL_LIBS}"

+	AC_DEFINE([ENABLE_SSL], [1], [Enable ssl library])

+fi

+

+if test "${enable_crypto}" = "yes"; then

+	test "${have_crypto_crypto}" != "yes" && AC_MSG_ERROR([${with_crypto_library} crytpo is required but missing])

+	OPTIONAL_CRYPTO_CFLAGS="${OPTIONAL_CRYPTO_CFLAGS} ${CRYPTO_CRYPTO_CFLAGS}"

+	OPTIONAL_CRYPTO_LIBS="${OPTIONAL_CRYPTO_LIBS} ${CRYPTO_CRYPTO_LIBS}"

+	AC_DEFINE([ENABLE_CRYPTO], [1], [Enable crypto library])

+fi

+

 if test "${enable_plugins}" = "yes"; then

 	test "${WIN32}" != "yes" -a -z "${DL_LIBS}" && AC_MSG_ERROR([libdl is required for plugins])

 	OPTIONAL_DL_LIBS="${DL_LIBS}"

@@ -899,6 +894,8 @@ AC_SUBST([TAP_WIN_MIN_MINOR])

 AC_SUBST([OPTIONAL_DL_LIBS])

 AC_SUBST([OPTIONAL_SELINUX_LIBS])

+AC_SUBST([OPTIONAL_CRYPTO_CFLAGS])

+AC_SUBST([OPTIONAL_CRYPTO_LIBS])

 AC_SUBST([OPTIONAL_LZO_CFLAGS])

 AC_SUBST([OPTIONAL_LZO_LIBS])

 AC_SUBST([OPTIONAL_PKCS11_HELPER_CFLAGS])

@@ -10,9 +10,6 @@

 #

 # Allow passwords to be read from files

 #   rpmbuild -tb [openvpn.x.tar.gz] --define 'with_password_save 1'

-#

-# Use this on RH9 and RHEL3

-#   rpmbuild -tb [openvpn.x.tar.gz] --define 'with_kerberos 1'

 Summary:	OpenVPN is a robust and highly flexible VPN daemon by James Yonan.

 Name:           @PACKAGE@

@@ -111,8 +108,7 @@ Development support for OpenVPN.

 	--docdir="%{_docdir}/%{name}-%{version}" \

 	%{?with_password_save:--enable-password-save} \

 	%{!?without_lzo:--enable-lzo} \

-	%{?with_pkcs11:--enable-pkcs11} \

-	%{?with_kerberos:--with-ssl-headers=/usr/kerberos/include}

+	%{?with_pkcs11:--enable-pkcs11}

 %__make

 # Build down-root plugin

@@ -60,7 +60,7 @@

  *

  * @par Settings that control this module's activity

  * Whether or not the Data Channel Crypto module is active depends on the

- * compile-time \c USE_CRYPTO and \c USE_SSL preprocessor macros.  How it

+ * compile-time \c ENABLE_CRYPTO and \c ENABLE_SSL preprocessor macros.  How it

  * processes packets received from the \link data_control Data Channel

  * Control module\endlink at runtime depends on the associated \c

  * crypto_options structure.  To perform cryptographic operations, the \c

@@ -24,16 +24,25 @@

 #ifndef OPENVPN_PLUGIN_H_

 #define OPENVPN_PLUGIN_H_

-#ifdef USE_SSL

-#  if defined(SSL_VERIFY_OPENSSL_H_) || defined(SSL_VERIFY_POLARSSL_H_)

-#    define ENABLE_SSL_PLUGIN

-#  else

-#    warning "Neither OpenSSL or PoLarSSL headers included, disabling plugin's SSL support"

-#  endif

-#endif /*USE_SSL*/

 #define OPENVPN_PLUGIN_VERSION 3

+#ifdef ENABLE_SSL

+#ifdef ENABLE_CRYPTO_POLARSSL

+#include <polarssl/x509.h>

+#ifndef __OPENVPN_X509_CERT_T_DECLARED

+#define __OPENVPN_X509_CERT_T_DECLARED

+typedef x509_cert openvpn_x509_cert_t;

+#endif

+#else

+#include <openssl/x509.h>

+#ifndef __OPENVPN_X509_CERT_T_DECLARED

+#define __OPENVPN_X509_CERT_T_DECLARED

+typedef X509 openvpn_x509_cert_t;

+#endif

+#endif

+#endif

+

 /*

  * Plug-in types.  These types correspond to the set of script callbacks

  * supported by OpenVPN.

@@ -268,9 +277,9 @@ struct openvpn_plugin_args_open_return

  * *per_client_context : the per-client context pointer which was returned by

  *        openvpn_plugin_client_constructor_v1, if defined.

  *

- * current_cert_depth : Certificate depth of the certificate being passed over (only if compiled with USE_SSL defined)

+ * current_cert_depth : Certificate depth of the certificate being passed over (only if compiled with ENABLE_SSL defined)

  *

- * *current_cert : X509 Certificate object received from the client (only if compiled with USE_SSL defined)

+ * *current_cert : X509 Certificate object received from the client (only if compiled with ENABLE_SSL defined)

  *

  */

 struct openvpn_plugin_args_func_in

@@ -280,9 +289,9 @@ struct openvpn_plugin_args_func_in

   const char ** const envp;

   openvpn_plugin_handle_t handle;

   void *per_client_context;

-#ifdef ENABLE_SSL_PLUGIN

+#ifdef ENABLE_SSL

   int current_cert_depth;

-  x509_cert_t *current_cert;

+  openvpn_x509_cert_t *current_cert;

 #else

   int __current_cert_depth_disabled; /* Unused, for compatibility purposes only */

   void *__current_cert_disabled; /* Unused, for compatibility purposes only */

@@ -17,6 +17,7 @@ MAINTAINERCLEANFILES = \

 INCLUDES = -I$(top_srcdir)/include

 AM_CFLAGS = \

+	$(OPTIONAL_CRYPTO_CFLAGS) \

 	$(OPTIONAL_LZO_CFLAGS) \

 	$(OPTIONAL_PKCS11_HELPER_CFLAGS)

@@ -103,6 +104,7 @@ openvpn_LDADD = \

 	$(SOCKETS_LIBS) \

 	$(OPTIONAL_LZO_LIBS) \

 	$(OPTIONAL_PKCS11_HELPER_LIBS) \

+	$(OPTIONAL_CRYPTO_LIBS) \

 	$(OPTIONAL_SELINUX_LIBS) \

 	$(OPTIONAL_DL_LIBS)

 if WIN32

@@ -25,7 +25,7 @@

 #include "syshead.h"

-#ifdef USE_CRYPTO

+#ifdef ENABLE_CRYPTO

 #include "crypto.h"

 #include "error.h"

@@ -712,7 +712,7 @@ test_crypto (const struct crypto_options *co, struct frame* frame)

   gc_free (&gc);

 }

-#ifdef USE_SSL

+#ifdef ENABLE_SSL

 void

 get_tls_handshake_key (const struct key_type *key_type,

@@ -1373,7 +1373,7 @@ get_random()

   return l;

 }

-#ifndef USE_SSL

+#ifndef ENABLE_SSL

 void

 init_ssl_lib (void)

@@ -1392,7 +1392,7 @@ free_ssl_lib (void)

   ERR_free_strings ();

 }

-#endif /* USE_SSL */

+#endif /* ENABLE_SSL */

 /*

  * md5 functions

@@ -1452,4 +1452,4 @@ md5_digest_equal (const struct md5_digest *d1, const struct md5_digest *d2)

   return memcmp(d1->digest, d2->digest, MD5_DIGEST_LENGTH) == 0;

 }

-#endif /* USE_CRYPTO */

+#endif /* ENABLE_CRYPTO */

@@ -30,7 +30,7 @@

 #ifndef CRYPTO_H

 #define CRYPTO_H

-#ifdef USE_CRYPTO

+#ifdef ENABLE_CRYPTO

 #define ALLOW_NON_CBC_CIPHERS

@@ -347,7 +347,7 @@ void key2_print (const struct key2* k,

 		 const char* prefix0,

 		 const char* prefix1);

-#ifdef USE_SSL

+#ifdef ENABLE_SSL

 #define GHK_INLINE  (1<<0)

 void get_tls_handshake_key (const struct key_type *key_type,

@@ -361,7 +361,7 @@ void get_tls_handshake_key (const struct key_type *key_type,

 void init_ssl_lib (void);

 void free_ssl_lib (void);

-#endif /* USE_SSL */

+#endif /* ENABLE_SSL */

 /*

  * md5 functions

@@ -394,5 +394,5 @@ key_ctx_bi_defined(const struct key_ctx_bi* key)

 }

-#endif /* USE_CRYPTO */

+#endif /* ENABLE_CRYPTO */

 #endif /* CRYPTO_H */

@@ -32,10 +32,10 @@

 #include "config.h"

-#ifdef USE_OPENSSL

+#ifdef ENABLE_CRYPTO_OPENSSL

 #include "crypto_openssl.h"

 #endif

-#ifdef USE_POLARSSL

+#ifdef ENABLE_CRYPTO_POLARSSL

 #include "crypto_polarssl.h"

 #endif

 #include "basic.h"

@@ -29,7 +29,7 @@

 #include "syshead.h"

-#if defined(USE_CRYPTO) && defined(USE_OPENSSL)

+#if defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL)

 #include "basic.h"

 #include "buffer.h"

@@ -104,19 +104,7 @@ cipher_ok (const char* name)

 #define EVP_MD_name(e)			OBJ_nid2sn(EVP_MD_type(e))

 #endif

-/*

- *

- * OpenSSL engine support. Allows loading/unloading of engines.

- *

- */

-

-#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_LOAD_BUILTIN_ENGINES) && defined(HAVE_ENGINE_REGISTER_ALL_COMPLETE) && defined(HAVE_ENGINE_CLEANUP)

-#define CRYPTO_ENGINE 1

-#else

-#define CRYPTO_ENGINE 0

-#endif

-

-#if CRYPTO_ENGINE

+#if HAVE_OPENSSL_ENGINE

 #include <openssl/engine.h>

 static bool engine_initialized = false; /* GLOBAL */

@@ -173,12 +161,12 @@ setup_engine (const char *engine)

   return e;

 }

-#endif /* CRYPTO_ENGINE */

+#endif /* HAVE_OPENSSL_ENGINE */

 void

 crypto_init_lib_engine (const char *engine_name)

 {

-#if CRYPTO_ENGINE

+#if HAVE_OPENSSL_ENGINE

   if (!engine_initialized)

     {

       ASSERT (engine_name);

@@ -220,7 +208,7 @@ crypto_uninit_lib (void)

   fclose (fp);

 #endif

-#if CRYPTO_ENGINE

+#if HAVE_OPENSSL_ENGINE

   if (engine_initialized)

     {

       ENGINE_cleanup ();

@@ -335,7 +323,7 @@ show_available_digests ()

 void

 show_available_engines ()

 {

-#if CRYPTO_ENGINE /* Only defined for OpenSSL */

+#if HAVE_OPENSSL_ENGINE /* Only defined for OpenSSL */

   ENGINE *e;

   printf ("OpenSSL Crypto Engines\n\n");

@@ -741,4 +729,4 @@ hmac_ctx_final (HMAC_CTX *ctx, uint8_t *dst)

   HMAC_Final (ctx, dst, &in_hmac_len);

 }

-#endif /* USE_CRYPTO && USE_OPENSSL */

+#endif /* ENABLE_CRYPTO && ENABLE_CRYPTO_OPENSSL */

@@ -29,7 +29,7 @@

 #include "syshead.h"

-#if defined(USE_CRYPTO) && defined(USE_POLARSSL)

+#if defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_POLARSSL)

 #include "errlevel.h"

 #include "basic.h"

@@ -557,4 +557,4 @@ hmac_ctx_final (md_context_t *ctx, uint8_t *dst)

   ASSERT(0 == md_hmac_finish(ctx, dst));

 }

-#endif /* USE_CRYPTO && USE_POLARSSL */

+#endif /* ENABLE_CRYPTO && ENABLE_CRYPTO_POLARSSL */

@@ -37,8 +37,8 @@

 #include "ps.h"

 #include "mstats.h"

-#ifdef USE_CRYPTO

-#ifdef USE_OPENSSL

+#ifdef ENABLE_CRYPTO

+#ifdef ENABLE_CRYPTO_OPENSSL

 #include <openssl/err.h>

 #endif

 #endif

@@ -246,8 +246,8 @@ void x_msg (const unsigned int flags, const char *format, ...)

       SWAP;

     }

-#ifdef USE_CRYPTO

-#ifdef USE_OPENSSL

+#ifdef ENABLE_CRYPTO

+#ifdef ENABLE_CRYPTO_OPENSSL

   if (flags & M_SSL)

     {

       int nerrs = 0;

@@ -96,7 +96,7 @@ extern int x_msg_line_num;

 #define M_ERRNO           (1<<8)	 /* show errno description */

 #define M_ERRNO_SOCK      (1<<9)	 /* show socket errno description */

-#ifdef USE_OPENSSL

+#ifdef ENABLE_CRYPTO_OPENSSL

 #  define M_SSL             (1<<10)	 /* show SSL error */

 #endif

@@ -35,7 +35,7 @@

 static inline void

 check_tls (struct context *c)

 {

-#if defined(USE_CRYPTO) && defined(USE_SSL)

+#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)

   void check_tls_dowork (struct context *c);

   if (c->c2.tls_multi)

     check_tls_dowork (c);

@@ -49,7 +49,7 @@ check_tls (struct context *c)

 static inline void

 check_tls_errors (struct context *c)

 {

-#if defined(USE_CRYPTO) && defined(USE_SSL)

+#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)

   void check_tls_errors_co (struct context *c);

   void check_tls_errors_nco (struct context *c);

   if (c->c2.tls_multi && c->c2.tls_exit_signal)

@@ -189,7 +189,7 @@ check_push_request (struct context *c)

 #endif

-#ifdef USE_CRYPTO

+#ifdef ENABLE_CRYPTO

 /*

  * Should we persist our anti-replay packet ID state to disk?

  */

@@ -81,7 +81,7 @@ show_wait_status (struct context *c)

  * traffic on the control-channel.

  *

  */

-#if defined(USE_CRYPTO) && defined(USE_SSL)

+#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)

 void

 check_tls_dowork (struct context *c)

 {

@@ -112,7 +112,7 @@ check_tls_dowork (struct context *c)

 }

 #endif

-#if defined(USE_CRYPTO) && defined(USE_SSL)

+#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)

 void

 check_tls_errors_co (struct context *c)

@@ -232,7 +232,7 @@ check_connection_established_dowork (struct context *c)

 bool

 send_control_channel_string (struct context *c, const char *str, int msglevel)

 {

-#if defined(USE_CRYPTO) && defined(USE_SSL)

+#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)

   if (c->c2.tls_multi) {

     struct gc_arena gc = gc_new ();

     bool stat;

@@ -449,8 +449,8 @@ encrypt_sign (struct context *c, bool comp_frag)

 #endif

     }

-#ifdef USE_CRYPTO

-#ifdef USE_SSL

+#ifdef ENABLE_CRYPTO

+#ifdef ENABLE_SSL

   /*

    * If TLS mode, get the key we will use to encrypt

    * the packet.

@@ -472,8 +472,8 @@ encrypt_sign (struct context *c, bool comp_frag)

    */

   link_socket_get_outgoing_addr (&c->c2.buf, get_link_socket_info (c),

 				 &c->c2.to_link_addr);

-#ifdef USE_CRYPTO

-#ifdef USE_SSL

+#ifdef ENABLE_CRYPTO

+#ifdef ENABLE_SSL

   /*

    * In TLS mode, prepend the appropriate one-byte opcode

    * to the packet which identifies it as a data channel

@@ -498,7 +498,7 @@ encrypt_sign (struct context *c, bool comp_frag)

 static void

 process_coarse_timers (struct context *c)

 {

-#ifdef USE_CRYPTO

+#ifdef ENABLE_CRYPTO

   /* flush current packet-id to file once per 60

      seconds if --replay-persist was specified */

   check_packet_id_persist_flush (c);

@@ -789,8 +789,8 @@ process_incoming_link (struct context *c)

       if (!link_socket_verify_incoming_addr (&c->c2.buf, lsi, &c->c2.from))

 	link_socket_bad_incoming_addr (&c->c2.buf, lsi, &c->c2.from);

-#ifdef USE_CRYPTO

-#ifdef USE_SSL

+#ifdef ENABLE_CRYPTO

+#ifdef ENABLE_SSL

       if (c->c2.tls_multi)

 	{

 	  /*

@@ -820,7 +820,7 @@ process_incoming_link (struct context *c)

       if (c->c2.context_auth != CAS_SUCCEEDED)

 	c->c2.buf.len = 0;

 #endif

-#endif /* USE_SSL */

+#endif /* ENABLE_SSL */

       /* authenticate and decrypt the incoming packet */

       decrypt_status = openvpn_decrypt (&c->c2.buf, c->c2.buffers->decrypt_buf, &c->c2.crypto_options, &c->c2.frame);

@@ -833,7 +833,7 @@ process_incoming_link (struct context *c)

 	  goto done;

 	}

-#endif /* USE_CRYPTO */

+#endif /* ENABLE_CRYPTO */

 #ifdef ENABLE_FRAGMENT

       if (c->c2.fragment)

@@ -428,7 +428,7 @@ next_connection_entry (struct context *c)

 static void

 init_query_passwords (struct context *c)

 {

-#if defined(USE_CRYPTO) && defined(USE_SSL)

+#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)

   /* Certificate password input */

   if (c->options.key_pass_file)

     pem_password_setup (c->options.key_pass_file);

@@ -629,7 +629,7 @@ init_static (void)

 {

   /* configure_path (); */

-#if defined(USE_CRYPTO) && defined(DMALLOC)

+#if defined(ENABLE_CRYPTO) && defined(DMALLOC)

   crypto_init_dmalloc();

 #endif

@@ -652,7 +652,7 @@ init_static (void)

   update_time ();

-#ifdef USE_CRYPTO

+#ifdef ENABLE_CRYPTO

   init_ssl_lib ();

   /* init PRNG used for IV generation */

@@ -838,7 +838,7 @@ init_static (void)

 void

 uninit_static (void)

 {

-#ifdef USE_CRYPTO

+#ifdef ENABLE_CRYPTO

   free_ssl_lib ();

 #endif

@@ -850,7 +850,7 @@ uninit_static (void)

   close_port_share ();

 #endif

-#if defined(MEASURE_TLS_HANDSHAKE_STATS) && defined(USE_CRYPTO) && defined(USE_SSL)

+#if defined(MEASURE_TLS_HANDSHAKE_STATS) && defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)

   show_tls_performance_stats ();

 #endif

 }

@@ -891,9 +891,9 @@ print_openssl_info (const struct options *options)

   /*

    * OpenSSL info print mode?

    */

-#ifdef USE_CRYPTO

+#ifdef ENABLE_CRYPTO

   if (options->show_ciphers || options->show_digests || options->show_engines

-#ifdef USE_SSL

+#ifdef ENABLE_SSL

       || options->show_tls_ciphers

 #endif

     )

@@ -904,7 +904,7 @@ print_openssl_info (const struct options *options)

 	show_available_digests ();

       if (options->show_engines)

 	show_available_engines ();

-#ifdef USE_SSL

+#ifdef ENABLE_SSL

       if (options->show_tls_ciphers)

 	show_available_tls_ciphers ();

 #endif

@@ -920,7 +920,7 @@ print_openssl_info (const struct options *options)

 bool

 do_genkey (const struct options * options)

 {

-#ifdef USE_CRYPTO

+#ifdef ENABLE_CRYPTO

   if (options->genkey)

     {

       int nbits_written;

@@ -955,9 +955,9 @@ do_persist_tuntap (const struct options *options)

       notnull (options->dev, "TUN/TAP device (--dev)");

       if (options->ce.remote || options->ifconfig_local

 	  || options->ifconfig_remote_netmask

-#ifdef USE_CRYPTO

+#ifdef ENABLE_CRYPTO

 	  || options->shared_secret_file

-#ifdef USE_SSL

+#ifdef ENABLE_SSL

 	  || options->tls_server || options->tls_client

 #endif

 #endif

@@ -1068,7 +1068,7 @@ const char *

 format_common_name (struct context *c, struct gc_arena *gc)

 {

   struct buffer out = alloc_buf_gc (256, gc);

-#if defined(USE_CRYPTO) && defined(USE_SSL)

+#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)

   if (c->c2.tls_multi)

     {

       buf_printf (&out, "[%s] ", tls_common_name (c->c2.tls_multi, false));

@@ -1155,12 +1155,12 @@ do_init_timers (struct context *c, bool deferred)

 #endif

       /* initialize packet_id persistence timer */

-#ifdef USE_CRYPTO

+#ifdef ENABLE_CRYPTO

       if (c->options.packet_id_file)

 	event_timeout_init (&c->c2.packet_id_persist_interval, 60, now);

 #endif

-#if defined(USE_CRYPTO) && defined(USE_SSL)

+#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)

       /* initialize tmp_int optimization that limits the number of times we call

 	 tls_multi_process in the main event loop */

       interval_init (&c->c2.tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH);

@@ -1967,20 +1967,20 @@ frame_finalize_options (struct context *c, const struct options *o)

 static void

 key_schedule_free (struct key_schedule *ks, bool free_ssl_ctx)

 {

-#ifdef USE_CRYPTO

+#ifdef ENABLE_CRYPTO

   free_key_ctx_bi (&ks->static_key);

-#ifdef USE_SSL

+#ifdef ENABLE_SSL

   if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)

     {

       tls_ctx_free (&ks->ssl_ctx);

       free_key_ctx_bi (&ks->tls_auth_key);

     }

-#endif /* USE_SSL */

-#endif /* USE_CRYPTO */

+#endif /* ENABLE_SSL */

+#endif /* ENABLE_CRYPTO */

   CLEAR (*ks);

 }

-#ifdef USE_CRYPTO

+#ifdef ENABLE_CRYPTO

 static void

 init_crypto_pre (struct context *c, const unsigned int flags)

@@ -2091,7 +2091,7 @@ do_init_crypto_static (struct context *c, const unsigned int flags)

 			       options->use_iv);

 }

-#ifdef USE_SSL

+#ifdef ENABLE_SSL

 /*

  * Initialize the persistent component of OpenVPN's TLS mode,

@@ -2332,10 +2332,10 @@ do_init_finalize_tls_frame (struct context *c)

     }

 }

-#endif /* USE_SSL */

-#endif /* USE_CRYPTO */

+#endif /* ENABLE_SSL */

+#endif /* ENABLE_CRYPTO */

-#ifdef USE_CRYPTO

+#ifdef ENABLE_CRYPTO

 /*

  * No encryption or authentication.

  */

@@ -2351,20 +2351,20 @@ do_init_crypto_none (const struct context *c)

 static void

 do_init_crypto (struct context *c, const unsigned int flags)

 {

-#ifdef USE_CRYPTO

+#ifdef ENABLE_CRYPTO

   if (c->options.shared_secret_file)

     do_init_crypto_static (c, flags);