@@ -58,13 +58,11 @@

  *     - \c openvpn_decrypt()

  *

  * @par Settings that control this module's activity

- * Whether or not the Data Channel Crypto module is active depends on the

- * compile-time \c ENABLE_CRYPTO preprocessor macro.  How it processes packets

- * received from the \link data_control Data Channel Control module\endlink at

- * runtime depends on the associated \c crypto_options structure.  To perform

- * cryptographic operations, the \c crypto_options.key_ctx_bi must contain the

- * correct cipher and HMAC security parameters for the direction the packet is

- * traveling in.

+ * How the data channel processes packets received from the \link data_control

+ * Data Channel Control module\endlink at runtime depends on the associated

+ * \c crypto_options structure.  To perform cryptographic operations, the

+ * \c crypto_options.key_ctx_bi must contain the correct cipher and HMAC

+ * security parameters for the direction the packet is traveling in.

  *

  * @par Crypto algorithms

  * This module uses the crypto algorithm implementations of the external

@@ -26,7 +26,6 @@

 #define OPENVPN_PLUGIN_VERSION 3

-#ifdef ENABLE_CRYPTO

 #ifdef ENABLE_CRYPTO_MBEDTLS

 #include <mbedtls/x509_crt.h>

 #ifndef __OPENVPN_X509_CERT_T_DECLARED

@@ -40,7 +39,6 @@ typedef mbedtls_x509_crt openvpn_x509_cert_t;

 typedef X509 openvpn_x509_cert_t;

 #endif

 #endif

-#endif

 #include <stdarg.h>

 #include <stddef.h>

@@ -391,9 +389,9 @@ struct openvpn_plugin_args_open_return

  * *per_client_context : the per-client context pointer which was returned by

  *        openvpn_plugin_client_constructor_v1, if defined.

  *

- * current_cert_depth : Certificate depth of the certificate being passed over (only if compiled with ENABLE_CRYPTO defined)

+ * current_cert_depth : Certificate depth of the certificate being passed over

  *

- * *current_cert : X509 Certificate object received from the client (only if compiled with ENABLE_CRYPTO defined)

+ * *current_cert : X509 Certificate object received from the client

  *

  */

 struct openvpn_plugin_args_func_in

@@ -403,13 +401,8 @@ struct openvpn_plugin_args_func_in

     const char **const envp;

     openvpn_plugin_handle_t handle;

     void *per_client_context;

-#ifdef ENABLE_CRYPTO

     int current_cert_depth;

     openvpn_x509_cert_t *current_cert;

-#else

-    int __current_cert_depth_disabled; /* Unused, for compatibility purposes only */

-    void *__current_cert_disabled; /* Unused, for compatibility purposes only */

-#endif

 };

@@ -30,8 +30,6 @@

 #include "syshead.h"

-#ifdef ENABLE_CRYPTO

-

 #include "crypto.h"

 #include "error.h"

 #include "integer.h"

@@ -1842,5 +1840,3 @@ translate_cipher_name_to_openvpn(const char *cipher_name)

     return pair->openvpn_name;

 }

-

-#endif /* ENABLE_CRYPTO */

@@ -122,8 +122,6 @@

 #ifndef CRYPTO_H

 #define CRYPTO_H

-#ifdef ENABLE_CRYPTO

-

 #include "crypto_backend.h"

 #include "basic.h"

 #include "buffer.h"

@@ -513,6 +511,4 @@ key_ctx_bi_defined(const struct key_ctx_bi *key)

     return key->encrypt.cipher || key->encrypt.hmac || key->decrypt.cipher || key->decrypt.hmac;

 }

-

-#endif /* ENABLE_CRYPTO */

 #endif /* CRYPTO_H */

@@ -34,7 +34,7 @@

 #include "syshead.h"

-#if defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_MBEDTLS)

+#if defined(ENABLE_CRYPTO_MBEDTLS)

 #include "errlevel.h"

 #include "basic.h"

@@ -903,4 +903,4 @@ hmac_ctx_final(mbedtls_md_context_t *ctx, uint8_t *dst)

     ASSERT(0 == mbedtls_md_hmac_finish(ctx, dst));

 }

-#endif /* ENABLE_CRYPTO && ENABLE_CRYPTO_MBEDTLS */

+#endif /* ENABLE_CRYPTO_MBEDTLS */

@@ -34,7 +34,7 @@

 #include "syshead.h"

-#if defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL)

+#if defined(ENABLE_CRYPTO_OPENSSL)

 #include "basic.h"

 #include "buffer.h"

@@ -969,4 +969,4 @@ hmac_ctx_final(HMAC_CTX *ctx, uint8_t *dst)

     HMAC_Final(ctx, dst, &in_hmac_len);

 }

-#endif /* ENABLE_CRYPTO && ENABLE_CRYPTO_OPENSSL */

+#endif /* ENABLE_CRYPTO_OPENSSL */

@@ -34,14 +34,12 @@

 static inline void

 check_tls(struct context *c)

 {

-#if defined(ENABLE_CRYPTO)

     void check_tls_dowork(struct context *c);

     if (c->c2.tls_multi)

     {

         check_tls_dowork(c);

     }

-#endif

 }

 /*

@@ -51,7 +49,6 @@ check_tls(struct context *c)

 static inline void

 check_tls_errors(struct context *c)

 {

-#if defined(ENABLE_CRYPTO)

     void check_tls_errors_co(struct context *c);

     void check_tls_errors_nco(struct context *c);

@@ -73,7 +70,6 @@ check_tls_errors(struct context *c)

             }

         }

     }

-#endif /* if defined(ENABLE_CRYPTO) */

 }

 /*

@@ -220,7 +216,6 @@ check_push_request(struct context *c)

 #endif

-#ifdef ENABLE_CRYPTO

 /*

  * Should we persist our anti-replay packet ID state to disk?

  */

@@ -233,7 +228,6 @@ check_packet_id_persist_flush(struct context *c)

         packet_id_persist_save(&c->c1.pid_persist);

     }

 }

-#endif

 /*

  * Set our wakeup to 0 seconds, so we will be rescheduled

@@ -87,7 +87,6 @@ show_wait_status(struct context *c)

  * traffic on the control-channel.

  *

  */

-#ifdef ENABLE_CRYPTO

 void

 check_tls_dowork(struct context *c)

 {

@@ -131,7 +130,6 @@ check_tls_errors_nco(struct context *c)

 {

     register_signal(c, c->c2.tls_exit_signal, "tls-error"); /* SOFT-SIGUSR1 -- TLS error */

 }

-#endif /* ENABLE_CRYPTO */

 #if P2MP

@@ -248,7 +246,6 @@ check_connection_established_dowork(struct context *c)

 bool

 send_control_channel_string(struct context *c, const char *str, int msglevel)

 {

-#ifdef ENABLE_CRYPTO

     if (c->c2.tls_multi)

     {

         struct gc_arena gc = gc_new();

@@ -274,7 +271,6 @@ send_control_channel_string(struct context *c, const char *str, int msglevel)

         gc_free(&gc);

         return stat;

     }

-#endif /* ENABLE_CRYPTO */

     return true;

 }

@@ -485,7 +481,6 @@ encrypt_sign(struct context *c, bool comp_frag)

 #endif

     }

-#ifdef ENABLE_CRYPTO

     /* initialize work buffer with FRAME_HEADROOM bytes of prepend capacity */

     ASSERT(buf_init(&b->encrypt_buf, FRAME_HEADROOM(&c->c2.frame)));

@@ -518,7 +513,6 @@ encrypt_sign(struct context *c, bool comp_frag)

         }

         tls_post_encrypt(c->c2.tls_multi, &c->c2.buf);

     }

-#endif /* ifdef ENABLE_CRYPTO */

     /*

      * Get the address we will be sending the packet to.

@@ -536,11 +530,9 @@ encrypt_sign(struct context *c, bool comp_frag)

 static void

 process_coarse_timers(struct context *c)

 {

-#ifdef ENABLE_CRYPTO

     /* flush current packet-id to file once per 60

      * seconds if --replay-persist was specified */

     check_packet_id_persist_flush(c);

-#endif

     /* should we update status file? */

     check_status_file(c);

@@ -852,7 +844,6 @@ process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, boo

             link_socket_bad_incoming_addr(&c->c2.buf, lsi, &c->c2.from);

         }

-#ifdef ENABLE_CRYPTO

         if (c->c2.tls_multi)

         {

             /*

@@ -909,9 +900,6 @@ process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, boo

             register_signal(c, SIGUSR1, "decryption-error"); /* SOFT-SIGUSR1 -- decryption error in TCP mode */

             msg(D_STREAM_ERRORS, "Fatal decryption error (process_incoming_link), restarting");

         }

-#else /* ENABLE_CRYPTO */

-        decrypt_status = true;

-#endif /* ENABLE_CRYPTO */

     }

     else

     {

@@ -1426,8 +1414,6 @@ process_outgoing_link(struct context *c)

             register_activity(c, size);

         }

-

-#ifdef ENABLE_CRYPTO

         /* for unreachable network and "connecting" state switch to the next host */

         if (size < 0 && ENETUNREACH == error_code && c->c2.tls_multi

             && !tls_initial_packet_received(c->c2.tls_multi) && c->options.mode == MODE_POINT_TO_POINT)

@@ -1435,7 +1421,6 @@ process_outgoing_link(struct context *c)

             msg(M_INFO, "Network unreachable, restarting");

             register_signal(c, SIGUSR1, "network-unreachable");

         }

-#endif

     }

     else

     {

@@ -529,13 +529,11 @@ next_connection_entry(struct context *c)

 void

 init_query_passwords(const struct context *c)

 {

-#ifdef ENABLE_CRYPTO

     /* Certificate password input */

     if (c->options.key_pass_file)

     {

         pem_password_setup(c->options.key_pass_file);

     }

-#endif

 #if P2MP

     /* Auth user/pass input */

@@ -704,7 +702,7 @@ init_static(void)

 {

     /* configure_path (); */

-#if defined(ENABLE_CRYPTO) && defined(DMALLOC)

+#if defined(DMALLOC)

     crypto_init_dmalloc();

 #endif

@@ -741,14 +739,12 @@ init_static(void)

     update_time();

-#ifdef ENABLE_CRYPTO

     init_ssl_lib();

     /* init PRNG used for IV generation */

     /* When forking, copy this to more places in the code to avoid fork

      * random-state predictability */

     prng_init(NULL, 0);

-#endif

 #ifdef PID_TEST

     packet_id_interactive_test();       /* test the sequence number code */

@@ -942,9 +938,7 @@ init_static(void)

 void

 uninit_static(void)

 {

-#ifdef ENABLE_CRYPTO

     free_ssl_lib();

-#endif

 #ifdef ENABLE_PKCS11

     pkcs11_terminate();

@@ -954,7 +948,7 @@ uninit_static(void)

     close_port_share();

 #endif

-#if defined(MEASURE_TLS_HANDSHAKE_STATS) && defined(ENABLE_CRYPTO)

+#if defined(MEASURE_TLS_HANDSHAKE_STATS)

     show_tls_performance_stats();

 #endif

 }

@@ -998,7 +992,6 @@ print_openssl_info(const struct options *options)

     /*

      * OpenSSL info print mode?

      */

-#ifdef ENABLE_CRYPTO

     if (options->show_ciphers || options->show_digests || options->show_engines

         || options->show_tls_ciphers || options->show_curves)

     {

@@ -1025,7 +1018,6 @@ print_openssl_info(const struct options *options)

         }

         return true;

     }

-#endif /* ifdef ENABLE_CRYPTO */

     return false;

 }

@@ -1035,7 +1027,6 @@ print_openssl_info(const struct options *options)

 bool

 do_genkey(const struct options *options)

 {

-#ifdef ENABLE_CRYPTO

     if (options->genkey)

     {

         int nbits_written;

@@ -1055,7 +1046,6 @@ do_genkey(const struct options *options)

             options->shared_secret_file);

         return true;

     }

-#endif

     return false;

 }

@@ -1071,10 +1061,8 @@ do_persist_tuntap(const struct options *options)

         notnull(options->dev, "TUN/TAP device (--dev)");

         if (options->ce.remote || options->ifconfig_local

             || options->ifconfig_remote_netmask

-#ifdef ENABLE_CRYPTO

             || options->shared_secret_file

             || options->tls_server || options->tls_client

-#endif

             )

         {

             msg(M_FATAL|M_OPTERR,

@@ -1226,12 +1214,10 @@ const char *

 format_common_name(struct context *c, struct gc_arena *gc)

 {

     struct buffer out = alloc_buf_gc(256, gc);

-#ifdef ENABLE_CRYPTO

     if (c->c2.tls_multi)

     {

         buf_printf(&out, "[%s] ", tls_common_name(c->c2.tls_multi, false));

     }

-#endif

     return BSTR(&out);

 }

@@ -1333,7 +1319,6 @@ do_init_timers(struct context *c, bool deferred)

 #endif

         /* initialize packet_id persistence timer */

-#ifdef ENABLE_CRYPTO

         if (c->options.packet_id_file)

         {

             event_timeout_init(&c->c2.packet_id_persist_interval, 60, now);

@@ -1342,7 +1327,6 @@ do_init_timers(struct context *c, bool deferred)

         /* initialize tmp_int optimization that limits the number of times we call

          * tls_multi_process in the main event loop */

         interval_init(&c->c2.tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH);

-#endif

     }

 }

@@ -1485,7 +1469,6 @@ initialization_sequence_completed(struct context *c, const unsigned int flags)

     do_uid_gid_chroot(c, true);

-#ifdef ENABLE_CRYPTO

     /*

      * In some cases (i.e. when receiving auth-token via

      * push-reply) the auth-nocache option configured on the

@@ -1497,7 +1480,6 @@ initialization_sequence_completed(struct context *c, const unsigned int flags)

     {

         delayed_auth_pass_purge();

     }

-#endif /* ENABLE_CRYPTO */

     /* Test if errors */

     if (flags & ISC_ERRORS)

@@ -2136,12 +2118,10 @@ pull_permission_mask(const struct context *c)

         flags |= (OPT_P_ROUTE | OPT_P_IPWIN32);

     }

-#ifdef ENABLE_CRYPTO

     if (c->options.ncp_enabled)

     {

         flags |= OPT_P_NCP;

     }

-#endif

     return flags;

 }

@@ -2230,7 +2210,6 @@ do_deferred_options(struct context *c, const unsigned int found)

         msg(D_PUSH, "OPTIONS IMPORT: environment modified");

     }

-#ifdef ENABLE_CRYPTO

     if (found & OPT_P_PEER_ID)

     {

         msg(D_PUSH, "OPTIONS IMPORT: peer-id set");

@@ -2271,7 +2250,7 @@ do_deferred_options(struct context *c, const unsigned int found)

             return false;

         }

     }

-#endif /* ifdef ENABLE_CRYPTO */

+

     return true;

 }

@@ -2423,19 +2402,15 @@ frame_finalize_options(struct context *c, const struct options *o)

 static void

 key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)

 {

-#ifdef ENABLE_CRYPTO

     free_key_ctx_bi(&ks->static_key);

     if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)

     {

         tls_ctx_free(&ks->ssl_ctx);

         free_key_ctx_bi(&ks->tls_wrap_key);

     }

-#endif /* ENABLE_CRYPTO */

     CLEAR(*ks);

 }

-#ifdef ENABLE_CRYPTO

-

 static void

 init_crypto_pre(struct context *c, const unsigned int flags)

 {

@@ -2880,12 +2855,10 @@ do_init_crypto_none(const struct context *c)

         "protected against man-in-the-middle changes. "

         "PLEASE DO RECONSIDER THIS CONFIGURATION!");

 }

-#endif /* ifdef ENABLE_CRYPTO */

 static void

 do_init_crypto(struct context *c, const unsigned int flags)

 {

-#ifdef ENABLE_CRYPTO

     if (c->options.shared_secret_file)

     {

         do_init_crypto_static(c, flags);

@@ -2898,11 +2871,6 @@ do_init_crypto(struct context *c, const unsigned int flags)

     {

         do_init_crypto_none(c);

     }

-#else /* ENABLE_CRYPTO */

-    msg(M_WARN,

-        "******* WARNING *******: " PACKAGE_NAME

-        " built without crypto library -- encryption and authentication features disabled -- all data will be tunnelled as cleartext");

-#endif /* ENABLE_CRYPTO */

 }

 static void

@@ -3101,7 +3069,6 @@ do_option_warnings(struct context *c)

 #endif /* if P2MP_SERVER */

 #endif /* if P2MP */

-#ifdef ENABLE_CRYPTO

     if (!o->replay)

     {

         msg(M_WARN, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure");

@@ -3123,7 +3090,6 @@ do_option_warnings(struct context *c)

     {

         msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.");

     }

-#endif /* ifdef ENABLE_CRYPTO */

     /* If a script is used, print appropiate warnings */

     if (o->user_script_used)

@@ -3146,9 +3112,7 @@ do_option_warnings(struct context *c)

 static void

 do_init_frame_tls(struct context *c)

 {

-#ifdef ENABLE_CRYPTO

     do_init_finalize_tls_frame(c);

-#endif

 }

 struct context_buffers *

@@ -3163,10 +3127,8 @@ init_context_buffers(const struct frame *frame)

     b->aux_buf = alloc_buf(BUF_SIZE(frame));

-#ifdef ENABLE_CRYPTO

     b->encrypt_buf = alloc_buf(BUF_SIZE(frame));

     b->decrypt_buf = alloc_buf(BUF_SIZE(frame));

-#endif

 #ifdef USE_COMP

     b->compress_buf = alloc_buf(BUF_SIZE(frame));

@@ -3190,10 +3152,8 @@ free_context_buffers(struct context_buffers *b)

         free_buf(&b->decompress_buf);

 #endif

-#ifdef ENABLE_CRYPTO

         free_buf(&b->encrypt_buf);

         free_buf(&b->decrypt_buf);

-#endif

         free(b);

     }

@@ -3329,14 +3289,12 @@ do_compute_occ_strings(struct context *c)

         options_string_version(c->c2.options_string_remote, &gc),

         c->c2.options_string_remote);

-#ifdef ENABLE_CRYPTO

     if (c->c2.tls_multi)

     {

         tls_multi_init_set_options(c->c2.tls_multi,

                                    c->c2.options_string_local,

                                    c->c2.options_string_remote);

     }

-#endif

     gc_free(&gc);

 }

@@ -3410,7 +3368,6 @@ do_close_free_buf(struct context *c)

 static void

 do_close_tls(struct context *c)

 {

-#ifdef ENABLE_CRYPTO

     if (c->c2.tls_multi)

     {

         tls_multi_free(c->c2.tls_multi, true);

@@ -3429,7 +3386,6 @@ do_close_tls(struct context *c)

     }

     c->c2.options_string_local = c->c2.options_string_remote = NULL;

 #endif

-#endif

 }

 /*

@@ -3494,14 +3450,12 @@ do_close_link_socket(struct context *c)

 static void

 do_close_packet_id(struct context *c)

 {

-#ifdef ENABLE_CRYPTO

     packet_id_free(&c->c2.crypto_options.packet_id);

     packet_id_persist_save(&c->c1.pid_persist);

     if (!(c->sig->signal_received == SIGUSR1))

     {

         packet_id_persist_close(&c->c1.pid_persist);

     }

-#endif

 }

 #ifdef ENABLE_FRAGMENT

@@ -3680,7 +3634,6 @@ do_setup_fast_io(struct context *c)

 static void

 do_signal_on_tls_errors(struct context *c)

 {

-#ifdef ENABLE_CRYPTO

     if (c->options.tls_exit)

     {

         c->c2.tls_exit_signal = SIGTERM;

@@ -3689,7 +3642,6 @@ do_signal_on_tls_errors(struct context *c)

     {

         c->c2.tls_exit_signal = SIGUSR1;

     }

-#endif

 }

 #ifdef ENABLE_PLUGIN

@@ -4369,7 +4321,6 @@ inherit_context_child(struct context *dest,

     /* c1 init */

     packet_id_persist_init(&dest->c1.pid_persist);

-#ifdef ENABLE_CRYPTO

     dest->c1.ks.key_type = src->c1.ks.key_type;

     /* inherit SSL context */

     dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;

@@ -4379,7 +4330,6 @@ inherit_context_child(struct context *dest,

     dest->c1.ciphername = src->c1.ciphername;

     dest->c1.authname = src->c1.authname;

     dest->c1.keysize = src->c1.keysize;

-#endif

     /* options */

     dest->options = src->options;

@@ -4453,9 +4403,7 @@ inherit_context_top(struct context *dest,

     /* detach plugins */

     dest->plugins_owned = false;

-#ifdef ENABLE_CRYPTO

     dest->c2.tls_multi = NULL;

-#endif

     /* detach c1 ownership */

     dest->c1.tuntap_owned = false;

@@ -4513,8 +4461,6 @@ close_context(struct context *c, int sig, unsigned int flags)

     }

 }

-#ifdef ENABLE_CRYPTO

-

 /*

  * Do a loopback test

  * on the crypto subsystem.

@@ -4542,12 +4488,9 @@ test_crypto_thread(void *arg)

     return NULL;

 }

-#endif /* ENABLE_CRYPTO */

-

 bool

 do_test_crypto(const struct options *o)

 {

-#ifdef ENABLE_CRYPTO

     if (o->test_crypto)

     {

         struct context c;

@@ -4562,6 +4505,5 @@ do_test_crypto(const struct options *o)

         test_crypto_thread((void *) &c);

         return true;

     }

-#endif

     return false;

 }

@@ -762,10 +762,8 @@ man_query_need_str(struct management *man, const char *type, const char *action)

 static void

 man_forget_passwords(struct management *man)

 {

-#ifdef ENABLE_CRYPTO

     ssl_purge_auth(false);

     msg(M_CLIENT, "SUCCESS: Passwords were forgotten");

-#endif

 }

 static void

@@ -1918,12 +1916,11 @@ man_reset_client_socket(struct management *man, const bool exiting)

     }

     if (!exiting)

     {

-#ifdef ENABLE_CRYPTO

         if (man->settings.flags & MF_FORGET_DISCONNECT)

         {

             ssl_purge_auth(false);

         }

-#endif

+

         if (man->settings.flags & MF_SIGNAL)

         {

             int mysig = man_mod_signal(man, SIGUSR1);

@@ -770,8 +770,6 @@ create_temp_file(const char *directory, const char *prefix, struct gc_arena *gc)

     return NULL;

 }

-#ifdef ENABLE_CRYPTO

-

 /*

  * Prepend a random string to hostname to prevent DNS caching.

  * For example, foo.bar.gov would be modified to <random-chars>.foo.bar.gov.

@@ -793,17 +791,6 @@ hostname_randomize(const char *hostname, struct gc_arena *gc)

 #undef n_rnd_bytes

 }

-#else  /* ifdef ENABLE_CRYPTO */

-

-const char *

-hostname_randomize(const char *hostname, struct gc_arena *gc)

-{

-    msg(M_WARN, "WARNING: hostname randomization disabled when crypto support is not compiled");

-    return hostname;

-}

-

-#endif /* ifdef ENABLE_CRYPTO */

-

 /*

  * Put a directory and filename together.

  */

@@ -143,13 +143,8 @@ const char **make_arg_array(const char *first, const char *parms, struct gc_aren

 const char **make_extended_arg_array(char **p, struct gc_arena *gc);

 /* an analogue to the random() function, but use OpenSSL functions if available */

-#ifdef ENABLE_CRYPTO

 long int get_random(void);

-#else

-#define get_random random

-#endif

-

 /* return true if filename can be opened for read */

 bool test_file(const char *filename);

@@ -162,7 +157,7 @@ const char *gen_path(const char *directory, const char *filename, struct gc_aren

 /* return true if pathname is absolute */

 bool absolute_pathname(const char *pathname);

-/* prepend a random prefix to hostname (need ENABLE_CRYPTO) */

+/* prepend a random prefix to hostname */

 const char *hostname_randomize(const char *hostname, struct gc_arena *gc);

 /*

@@ -54,7 +54,6 @@

 struct key_schedule

 {

-#ifdef ENABLE_CRYPTO

     /* which cipher, HMAC digest, and key sizes are we using? */

     struct key_type key_type;

@@ -67,9 +66,6 @@ struct key_schedule

     /* optional TLS control channel wrapping */

     struct key_type tls_auth_key_type;

     struct key_ctx_bi tls_wrap_key;

-#else                           /* ENABLE_CRYPTO */

-    int dummy;

-#endif                          /* ENABLE_CRYPTO */

 };

 /*

@@ -96,10 +92,8 @@ struct context_buffers

     struct buffer aux_buf;

     /* workspace buffers used by crypto routines */

-#ifdef ENABLE_CRYPTO

     struct buffer encrypt_buf;

     struct buffer decrypt_buf;

-#endif

     /* workspace buffers for compression */

 #ifdef USE_COMP

@@ -334,8 +328,6 @@ struct context_2

     int occ_mtu_load_n_tries;

 #endif

-#ifdef ENABLE_CRYPTO

-

     /*

      * TLS-mode crypto objects.

      */

@@ -367,8 +359,6 @@ struct context_2

     struct event_timeout packet_id_persist_interval;

-#endif /* ENABLE_CRYPTO */

-

 #ifdef USE_COMP

     struct compress_context *comp_context;

     /**< Compression context used by the

@@ -566,7 +556,6 @@ struct context

  * have been compiled in.

  */

-#ifdef ENABLE_CRYPTO

 #define TLS_MODE(c) ((c)->c2.tls_multi != NULL)

 #define PROTO_DUMP_FLAGS (check_debug_level(D_LINK_RW_VERBOSE) ? (PD_SHOW_DATA|PD_VERBOSE) : 0)

 #define PROTO_DUMP(buf, gc) protocol_dump((buf), \

@@ -574,22 +563,9 @@ struct context

                                           |(c->c2.tls_multi ? PD_TLS : 0)   \

                                           |(c->options.tls_auth_file ? c->c1.ks.key_type.hmac_length : 0), \

                                           gc)

-#else  /* ifdef ENABLE_CRYPTO */

-#define TLS_MODE(c) (false)

-#define PROTO_DUMP(buf, gc) format_hex(BPTR(buf), BLEN(buf), 80, gc)

-#endif

-

-#ifdef ENABLE_CRYPTO

 #define MD5SUM(buf, len, gc) md5sum((buf), (len), 0, (gc))

-#else

-#define MD5SUM(buf, len, gc) "[unavailable]"

-#endif

-#ifdef ENABLE_CRYPTO

 #define CIPHER_ENABLED(c) (c->c1.ks.key_type.cipher != NULL)

-#else

-#define CIPHER_ENABLED(c) (false)

-#endif

 /* this represents "disabled peer-id" */

 #define MAX_PEER_ID 0xFFFFFF

@@ -67,7 +67,6 @@ const char title_string[] =

     " [git:" CONFIGURE_GIT_REVISION CONFIGURE_GIT_FLAGS "]"

 #endif

     " " TARGET_ALIAS

-#ifdef ENABLE_CRYPTO

 #if defined(ENABLE_CRYPTO_MBEDTLS)

     " [SSL (mbed TLS)]"

 #elif defined(ENABLE_CRYPTO_OPENSSL)

@@ -75,7 +74,6 @@ const char title_string[] =

 #else

     " [SSL]"

 #endif /* defined(ENABLE_CRYPTO_MBEDTLS) */

-#endif /* ENABLE_CRYPTO */

 #ifdef USE_COMP

 #ifdef ENABLE_LZO

     " [LZO]"

@@ -518,7 +516,6 @@ static const char usage_message[] =

     "--explicit-exit-notify [n] : On exit/restart, send exit signal to\n"

     "                  server/remote. n = # of retries, default=1.\n"

 #endif

-#ifdef ENABLE_CRYPTO

     "\n"

     "Data Channel Encryption Options (must be compatible between peers):\n"

     "(These options are meaningful for both Static Key & TLS-mode)\n"

@@ -748,7 +745,6 @@ static const char usage_message[] =

     "--genkey        : Generate a random key to be used as a shared secret,\n"

     "                  for use with the --secret option.\n"

     "--secret file   : Write key to file.\n"

-#endif                          /* ENABLE_CRYPTO */

 #ifdef ENABLE_FEATURE_TUN_PERSIST

     "\n"

     "Tun/tap config mode (available with linux 2.4+):\n"

@@ -852,7 +848,6 @@ init_options(struct options *o, const bool init_gc)

 #if P2MP

     o->scheduled_exit_interval = 5;

 #endif

-#ifdef ENABLE_CRYPTO

     o->ciphername = "BF-CBC";

 #ifdef HAVE_AEAD_CIPHER_MODES /* IV_NCP=2 requires GCM support */

     o->ncp_enabled = true;

@@ -882,7 +877,6 @@ init_options(struct options *o, const bool init_gc)

 #ifdef ENABLE_X509ALTUSERNAME

     o->x509_username_field = X509_USERNAME_FIELD_DEFAULT;

 #endif

-#endif /* ENABLE_CRYPTO */

 #ifdef ENABLE_PKCS11

     o->pkcs11_pin_cache_period = -1;

 #endif                  /* ENABLE_PKCS11 */

@@ -1146,7 +1140,6 @@ string_substitute(const char *src, int from, int to, struct gc_arena *gc)

     return ret;

 }

-#ifdef ENABLE_CRYPTO

 static uint8_t *

 parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_arena *gc)

 {

@@ -1188,7 +1181,6 @@ parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_aren

     }

     return ret;

 }

-#endif /* ifdef ENABLE_CRYPTO */

 #ifdef _WIN32

@@ -1560,14 +1552,12 @@ show_settings(const struct options *o)

     SHOW_INT(persist_mode);

 #endif

-#ifdef ENABLE_CRYPTO

     SHOW_BOOL(show_ciphers);

     SHOW_BOOL(show_digests);

     SHOW_BOOL(show_engines);

     SHOW_BOOL(genkey);

     SHOW_STR(key_pass_file);

     SHOW_BOOL(show_tls_ciphers);

-#endif

     SHOW_INT(connect_retry_max);

     show_connection_entries(o);

@@ -1702,7 +1692,6 @@ show_settings(const struct options *o)

     }

 #endif