@@ -18,7 +18,6 @@

 #define ENABLE_PLUGIN 1

 #define ENABLE_PORT_SHARE 1

 #define ENABLE_SOCKS 1

-#define ENABLE_SSL 1

 #define HAVE_ERRNO_H 1

 #define HAVE_FCNTL_H 1

@@ -79,13 +79,6 @@ AC_ARG_ENABLE(

 )

 AC_ARG_ENABLE(

-	[ssl],

-	[AS_HELP_STRING([--disable-ssl], [disable SSL support for TLS-based key exchange @<:@default=yes@:>@])],

-	,

-	[enable_ssl="yes"]

-)

-

-AC_ARG_ENABLE(

 	[x509-alt-username],

 	[AS_HELP_STRING([--enable-x509-alt-username], [enable the --x509-username-field feature @<:@default=no@:>@])],

 	,

@@ -1080,19 +1073,11 @@ case "${with_crypto_library}" in

 		;;

 esac

-if test "${enable_ssl}" = "yes"; then

-	test "${enable_crypto}" != "yes" && AC_MSG_ERROR([crypto must be enabled for ssl])

-	test "${have_crypto_ssl}" != "yes" && AC_MSG_ERROR([${with_ssl_library} ssl is required but missing])

-	OPTIONAL_CRYPTO_CFLAGS="${OPTIONAL_CRYPTO_CFLAGS} ${CRYPTO_SSL_CFLAGS}"

-	OPTIONAL_CRYPTO_LIBS="${OPTIONAL_CRYPTO_LIBS} ${CRYPTO_SSL_LIBS}"

-	AC_DEFINE([ENABLE_SSL], [1], [Enable ssl library])

-fi

-

 if test "${enable_crypto}" = "yes"; then

 	test "${have_crypto_crypto}" != "yes" && AC_MSG_ERROR([${with_crypto_library} crypto is required but missing])

 	test "${enable_crypto_ofb_cfb}" = "yes" && AC_DEFINE([ENABLE_OFB_CFB_MODE], [1], [Enable OFB and CFB cipher modes])

-	OPTIONAL_CRYPTO_CFLAGS="${OPTIONAL_CRYPTO_CFLAGS} ${CRYPTO_CRYPTO_CFLAGS}"

-	OPTIONAL_CRYPTO_LIBS="${OPTIONAL_CRYPTO_LIBS} ${CRYPTO_CRYPTO_LIBS}"

+	OPTIONAL_CRYPTO_CFLAGS="${OPTIONAL_CRYPTO_CFLAGS} ${CRYPTO_CRYPTO_CFLAGS} ${CRYPTO_SSL_CFLAGS}"

+	OPTIONAL_CRYPTO_LIBS="${OPTIONAL_CRYPTO_LIBS} ${CRYPTO_CRYPTO_LIBS} ${CRYPTO_SSL_LIBS}"

 	AC_DEFINE([ENABLE_CRYPTO], [1], [Enable crypto library])

 fi

@@ -1135,7 +1120,7 @@ fi

 if test "${enable_pkcs11}" = "yes"; then

 	test "${have_pkcs11_helper}" != "yes" && AC_MSG_ERROR([PKCS11 enabled but libpkcs11-helper is missing])

-	test "${enable_ssl}" != "yes" && AC_MSG_ERROR([PKCS11 can be enabled only if SSL is enabled])

+	test "${enable_crypto}" != "yes" && AC_MSG_ERROR([PKCS11 can be enabled only if crypto is enabled])

 	OPTIONAL_PKCS11_HELPER_CFLAGS="${PKCS11_HELPER_CFLAGS}"

 	OPTIONAL_PKCS11_HELPER_LIBS="${PKCS11_HELPER_LIBS}"

 	AC_DEFINE([ENABLE_PKCS11], [1], [Enable PKCS11])

@@ -60,12 +60,12 @@

  *

  * @par Settings that control this module's activity

  * Whether or not the Data Channel Crypto module is active depends on the

- * compile-time \c ENABLE_CRYPTO and \c ENABLE_SSL preprocessor macros.  How it

- * processes packets received from the \link data_control Data Channel

- * Control module\endlink at runtime depends on the associated \c

- * crypto_options structure.  To perform cryptographic operations, the \c

- * crypto_options.key_ctx_bi must contain the correct cipher and HMAC

- * security parameters for the direction the packet is traveling in.

+ * compile-time \c ENABLE_CRYPTO preprocessor macro.  How it processes packets

+ * received from the \link data_control Data Channel Control module\endlink at

+ * runtime depends on the associated \c crypto_options structure.  To perform

+ * cryptographic operations, the \c crypto_options.key_ctx_bi must contain the

+ * correct cipher and HMAC security parameters for the direction the packet is

+ * traveling in.

  *

  * @par Crypto algorithms

  * This module uses the crypto algorithm implementations of the external

@@ -235,7 +235,7 @@ EXPAND_ONLY_PREDEF     = NO

 SEARCH_INCLUDES        = YES

 INCLUDE_PATH           =

 INCLUDE_FILE_PATTERNS  =

-PREDEFINED             = WIN32 NTLM USE_LZO ENABLE_FRAGMENT P2MP P2MP_SERVER ENABLE_CRYPTO ENABLE_CRYPTO_OPENSSL ENABLE_SSL ENABLE_PLUGIN ENABLE_MANAGEMENT ENABLE_OCC HAVE_GETTIMEOFDAY

+PREDEFINED             = WIN32 NTLM USE_LZO ENABLE_FRAGMENT P2MP P2MP_SERVER ENABLE_CRYPTO ENABLE_CRYPTO_OPENSSL ENABLE_PLUGIN ENABLE_MANAGEMENT ENABLE_OCC HAVE_GETTIMEOFDAY

 EXPAND_AS_DEFINED      =

 SKIP_FUNCTION_MACROS   = YES

 #---------------------------------------------------------------------------

@@ -27,7 +27,7 @@

 #define OPENVPN_PLUGIN_VERSION 3

-#ifdef ENABLE_SSL

+#ifdef ENABLE_CRYPTO

 #ifdef ENABLE_CRYPTO_POLARSSL

 #include <polarssl/x509_crt.h>

 #ifndef __OPENVPN_X509_CERT_T_DECLARED

@@ -358,9 +358,9 @@ struct openvpn_plugin_args_open_return

  * *per_client_context : the per-client context pointer which was returned by

  *        openvpn_plugin_client_constructor_v1, if defined.

  *

- * current_cert_depth : Certificate depth of the certificate being passed over (only if compiled with ENABLE_SSL defined)

+ * current_cert_depth : Certificate depth of the certificate being passed over (only if compiled with ENABLE_CRYPTO defined)

  *

- * *current_cert : X509 Certificate object received from the client (only if compiled with ENABLE_SSL defined)

+ * *current_cert : X509 Certificate object received from the client (only if compiled with ENABLE_CRYPTO defined)

  *

  */

 struct openvpn_plugin_args_func_in

@@ -370,7 +370,7 @@ struct openvpn_plugin_args_func_in

   const char ** const envp;

   openvpn_plugin_handle_t handle;

   void *per_client_context;

-#ifdef ENABLE_SSL

+#ifdef ENABLE_CRYPTO

   int current_cert_depth;

   openvpn_x509_cert_t *current_cert;

 #else

@@ -36,7 +36,7 @@

 #include <string.h>

 #include <stdlib.h>

-#define ENABLE_SSL

+#define ENABLE_CRYPTO

 #include "openvpn-plugin.h"

@@ -726,8 +726,6 @@ test_crypto (const struct crypto_options *co, struct frame* frame)

   gc_free (&gc);

 }

-#ifdef ENABLE_SSL

-

 void

 get_tls_handshake_key (const struct key_type *key_type,

 		       struct key_ctx_bi *ctx,

@@ -799,7 +797,6 @@ get_tls_handshake_key (const struct key_type *key_type,

       CLEAR (*ctx);

     }

 }

-#endif

 /* header and footer for static key file */

 static const char static_key_head[] = "-----BEGIN OpenVPN Static key V1-----";

@@ -1322,23 +1319,6 @@ get_random()

   return l;

 }

-#ifndef ENABLE_SSL

-

-void

-init_ssl_lib (void)

-{

-  crypto_init_lib ();

-}

-

-void

-free_ssl_lib (void)

-{

-  crypto_uninit_lib ();

-  prng_uninit();

-}

-

-#endif /* ENABLE_SSL */

-

 /*

  * md5 functions

  */

@@ -413,8 +413,6 @@ void key2_print (const struct key2* k,

 		 const char* prefix0,

 		 const char* prefix1);

-#ifdef ENABLE_SSL

-

 #define GHK_INLINE  (1<<0)

 void get_tls_handshake_key (const struct key_type *key_type,

 			    struct key_ctx_bi *ctx,

@@ -422,13 +420,6 @@ void get_tls_handshake_key (const struct key_type *key_type,

 			    const int key_direction,

 			    const unsigned int flags);

-#else

-

-void init_ssl_lib (void);

-void free_ssl_lib (void);

-

-#endif /* ENABLE_SSL */

-

 /*

  * md5 functions

  */

@@ -145,14 +145,6 @@ crypto_init_lib_engine (const char *engine_name)

 void

 crypto_init_lib (void)

 {

-#ifndef ENABLE_SSL

-  /* If SSL is enabled init is taken care of in ssl_openssl.c */

-#ifndef ENABLE_SMALL

-  ERR_load_crypto_strings ();

-#endif

-  OpenSSL_add_all_algorithms ();

-#endif

-

   /*

    * If you build the OpenSSL library and OpenVPN with

    * CRYPTO_MDEBUG, you will get a listing of OpenSSL

@@ -167,14 +159,6 @@ crypto_init_lib (void)

 void

 crypto_uninit_lib (void)

 {

-#ifndef ENABLE_SSL

-  /* If SSL is enabled cleanup is taken care of in ssl_openssl.c */

-  EVP_cleanup ();

-#ifndef ENABLE_SMALL

-  ERR_free_strings ();

-#endif

-#endif

-

 #ifdef CRYPTO_MDEBUG

   FILE* fp = fopen ("sdlog", "w");

   ASSERT (fp);

@@ -35,7 +35,7 @@

 static inline void

 check_tls (struct context *c)

 {

-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)

+#if defined(ENABLE_CRYPTO)

   void check_tls_dowork (struct context *c);

   if (c->c2.tls_multi)

     check_tls_dowork (c);

@@ -49,7 +49,7 @@ check_tls (struct context *c)

 static inline void

 check_tls_errors (struct context *c)

 {

-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)

+#if defined(ENABLE_CRYPTO)

   void check_tls_errors_co (struct context *c);

   void check_tls_errors_nco (struct context *c);

   if (c->c2.tls_multi && c->c2.tls_exit_signal)

@@ -88,7 +88,7 @@ show_wait_status (struct context *c)

  * traffic on the control-channel.

  *

  */

-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)

+#ifdef ENABLE_CRYPTO

 void

 check_tls_dowork (struct context *c)

 {

@@ -117,9 +117,6 @@ check_tls_dowork (struct context *c)

   if (wakeup)

     context_reschedule_sec (c, wakeup);

 }

-#endif

-

-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)

 void

 check_tls_errors_co (struct context *c)

@@ -133,8 +130,7 @@ check_tls_errors_nco (struct context *c)

 {

   register_signal (c, c->c2.tls_exit_signal, "tls-error"); /* SOFT-SIGUSR1 -- TLS error */

 }

-

-#endif

+#endif /* ENABLE_CRYPTO */

 #if P2MP

@@ -239,7 +235,7 @@ check_connection_established_dowork (struct context *c)

 bool

 send_control_channel_string (struct context *c, const char *str, int msglevel)

 {

-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)

+#ifdef ENABLE_CRYPTO

   if (c->c2.tls_multi) {

     struct gc_arena gc = gc_new ();

     bool stat;

@@ -264,7 +260,7 @@ send_control_channel_string (struct context *c, const char *str, int msglevel)

     gc_free (&gc);

     return stat;

   }

-#endif

+#endif /* ENABLE_CRYPTO */

   return true;

 }

@@ -457,7 +453,6 @@ encrypt_sign (struct context *c, bool comp_frag)

     }

 #ifdef ENABLE_CRYPTO

-#ifdef ENABLE_SSL

   /*

    * If TLS mode, get the key we will use to encrypt

    * the packet.

@@ -466,7 +461,6 @@ encrypt_sign (struct context *c, bool comp_frag)

     {

       tls_pre_encrypt (c->c2.tls_multi, &c->c2.buf, &c->c2.crypto_options);

     }

-#endif

   /*

    * Encrypt the packet and write an optional

@@ -480,7 +474,6 @@ encrypt_sign (struct context *c, bool comp_frag)

   link_socket_get_outgoing_addr (&c->c2.buf, get_link_socket_info (c),

 				 &c->c2.to_link_addr);

 #ifdef ENABLE_CRYPTO

-#ifdef ENABLE_SSL

   /*

    * In TLS mode, prepend the appropriate one-byte opcode

    * to the packet which identifies it as a data channel

@@ -493,7 +486,6 @@ encrypt_sign (struct context *c, bool comp_frag)

       tls_post_encrypt (c->c2.tls_multi, &c->c2.buf);

     }

 #endif

-#endif

   /* if null encryption, copy result to read_tun_buf */

   buffer_turnover (orig_buf, &c->c2.to_link, &c->c2.buf, &b->read_tun_buf);

@@ -783,7 +775,6 @@ process_incoming_link_part1 (struct context *c, struct link_socket_info *lsi, bo

 	link_socket_bad_incoming_addr (&c->c2.buf, lsi, &c->c2.from);

 #ifdef ENABLE_CRYPTO

-#ifdef ENABLE_SSL

       if (c->c2.tls_multi)

 	{

 	  /*

@@ -813,7 +804,6 @@ process_incoming_link_part1 (struct context *c, struct link_socket_info *lsi, bo

       if (c->c2.context_auth != CAS_SUCCEEDED)

 	c->c2.buf.len = 0;

 #endif

-#endif /* ENABLE_SSL */

       /* authenticate and decrypt the incoming packet */

       decrypt_status = openvpn_decrypt (&c->c2.buf, c->c2.buffers->decrypt_buf, &c->c2.crypto_options, &c->c2.frame);

@@ -410,7 +410,7 @@ next_connection_entry (struct context *c)

 static void

 init_query_passwords (struct context *c)

 {

-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)

+#ifdef ENABLE_CRYPTO

   /* Certificate password input */

   if (c->options.key_pass_file)

     pem_password_setup (c->options.key_pass_file);

@@ -792,7 +792,7 @@ uninit_static (void)

   close_port_share ();

 #endif

-#if defined(MEASURE_TLS_HANDSHAKE_STATS) && defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)

+#if defined(MEASURE_TLS_HANDSHAKE_STATS) && defined(ENABLE_CRYPTO)

   show_tls_performance_stats ();

 #endif

 }

@@ -835,10 +835,7 @@ print_openssl_info (const struct options *options)

    */

 #ifdef ENABLE_CRYPTO

   if (options->show_ciphers || options->show_digests || options->show_engines

-#ifdef ENABLE_SSL

-      || options->show_tls_ciphers || options->show_curves

-#endif

-    )

+      || options->show_tls_ciphers || options->show_curves)

     {

       if (options->show_ciphers)

 	show_available_ciphers ();

@@ -846,12 +843,10 @@ print_openssl_info (const struct options *options)

 	show_available_digests ();

       if (options->show_engines)

 	show_available_engines ();

-#ifdef ENABLE_SSL

       if (options->show_tls_ciphers)

 	show_available_tls_ciphers (options->cipher_list);

       if (options->show_curves)

 	show_available_curves();

-#endif

       return true;

     }

 #endif

@@ -901,10 +896,8 @@ do_persist_tuntap (const struct options *options)

 	  || options->ifconfig_remote_netmask

 #ifdef ENABLE_CRYPTO

 	  || options->shared_secret_file

-#ifdef ENABLE_SSL

 	  || options->tls_server || options->tls_client

 #endif

-#endif

 	)

 	msg (M_FATAL|M_OPTERR,

 	     "options --mktun or --rmtun should only be used together with --dev");

@@ -1012,7 +1005,7 @@ const char *

 format_common_name (struct context *c, struct gc_arena *gc)

 {

   struct buffer out = alloc_buf_gc (256, gc);

-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)

+#ifdef ENABLE_CRYPTO

   if (c->c2.tls_multi)

     {

       buf_printf (&out, "[%s] ", tls_common_name (c->c2.tls_multi, false));

@@ -1102,9 +1095,7 @@ do_init_timers (struct context *c, bool deferred)

 #ifdef ENABLE_CRYPTO

       if (c->options.packet_id_file)

 	event_timeout_init (&c->c2.packet_id_persist_interval, 60, now);

-#endif

-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)

       /* initialize tmp_int optimization that limits the number of times we call

 	 tls_multi_process in the main event loop */

       interval_init (&c->c2.tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH);

@@ -1797,7 +1788,7 @@ do_deferred_options (struct context *c, const unsigned int found)

   if (found & OPT_P_SETENV)

     msg (D_PUSH, "OPTIONS IMPORT: environment modified");

-#ifdef ENABLE_SSL

+#ifdef ENABLE_CRYPTO

   if (found & OPT_P_PEER_ID)

     {

       msg (D_PUSH, "OPTIONS IMPORT: peer-id set");

@@ -1928,13 +1919,11 @@ key_schedule_free (struct key_schedule *ks, bool free_ssl_ctx)

 {

 #ifdef ENABLE_CRYPTO

   free_key_ctx_bi (&ks->static_key);

-#ifdef ENABLE_SSL

   if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)

     {

       tls_ctx_free (&ks->ssl_ctx);

       free_key_ctx_bi (&ks->tls_auth_key);

     }

-#endif /* ENABLE_SSL */

 #endif /* ENABLE_CRYPTO */

   CLEAR (*ks);

 }

@@ -2054,8 +2043,6 @@ do_init_crypto_static (struct context *c, const unsigned int flags)

 			       options->use_iv);

 }

-#ifdef ENABLE_SSL

-

 /*

  * Initialize the persistent component of OpenVPN's TLS mode,

  * which is preserved across SIGUSR1 resets.

@@ -2303,10 +2290,6 @@ do_init_finalize_tls_frame (struct context *c)

     }

 }

-#endif /* ENABLE_SSL */

-#endif /* ENABLE_CRYPTO */

-

-#ifdef ENABLE_CRYPTO

 /*

  * No encryption or authentication.

  */

@@ -2325,16 +2308,14 @@ do_init_crypto (struct context *c, const unsigned int flags)

 #ifdef ENABLE_CRYPTO

   if (c->options.shared_secret_file)

     do_init_crypto_static (c, flags);

-#ifdef ENABLE_SSL

   else if (c->options.tls_server || c->options.tls_client)

     do_init_crypto_tls (c, flags);

-#endif

   else				/* no encryption or authentication. */

     do_init_crypto_none (c);

 #else /* ENABLE_CRYPTO */

   msg (M_WARN,

        "******* WARNING *******: " PACKAGE_NAME

-       " built without OpenSSL -- encryption and authentication features disabled -- all data will be tunnelled as cleartext");

+       " built without crypto library -- encryption and authentication features disabled -- all data will be tunnelled as cleartext");

 #endif /* ENABLE_CRYPTO */

 }

@@ -2503,7 +2484,6 @@ do_option_warnings (struct context *c)

   if (!o->use_iv)

     msg (M_WARN, "WARNING: You have disabled Crypto IVs (--no-iv) which may make " PACKAGE_NAME " less secure");

-#ifdef ENABLE_SSL

   if (o->tls_server)

     warn_on_use_of_common_subnets ();

   if (o->tls_client

@@ -2513,7 +2493,6 @@ do_option_warnings (struct context *c)

       && !o->remote_cert_eku)

     msg (M_WARN, "WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.");

 #endif

-#endif

 #ifndef CONNECT_NONBLOCK

   if (o->ce.connect_timeout_defined)

@@ -2535,7 +2514,7 @@ do_option_warnings (struct context *c)

 static void

 do_init_frame_tls (struct context *c)

 {

-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)

+#ifdef ENABLE_CRYPTO

   do_init_finalize_tls_frame (c);

 #endif

 }

@@ -2733,9 +2712,7 @@ do_compute_occ_strings (struct context *c)

        options_string_version (c->c2.options_string_remote, &gc),

        md5sum ((uint8_t*)c->c2.options_string_remote,

 	       strlen (c->c2.options_string_remote), 9, &gc));

-#endif

-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)

   if (c->c2.tls_multi)

     tls_multi_init_set_options (c->c2.tls_multi,

 				c->c2.options_string_local,

@@ -2821,7 +2798,7 @@ do_close_free_buf (struct context *c)

 static void

 do_close_tls (struct context *c)

 {

-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)

+#ifdef ENABLE_CRYPTO

   if (c->c2.tls_multi)

     {

       tls_multi_free (c->c2.tls_multi, true);

@@ -3072,7 +3049,7 @@ do_setup_fast_io (struct context *c)

 static void

 do_signal_on_tls_errors (struct context *c)

 {

-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)

+#ifdef ENABLE_CRYPTO

   if (c->options.tls_exit)

     c->c2.tls_exit_signal = SIGTERM;

   else

@@ -3624,12 +3601,10 @@ inherit_context_child (struct context *dest,

 #ifdef ENABLE_CRYPTO

   dest->c1.ks.key_type = src->c1.ks.key_type;

-#ifdef ENABLE_SSL

   /* inherit SSL context */

   dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;

   dest->c1.ks.tls_auth_key = src->c1.ks.tls_auth_key;

 #endif

-#endif

   /* options */

   dest->options = src->options;

@@ -3701,7 +3676,7 @@ inherit_context_top (struct context *dest,

   /* detach plugins */

   dest->plugins_owned = false;

-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)

+#ifdef ENABLE_CRYPTO

   dest->c2.tls_multi = NULL;

 #endif

@@ -701,7 +701,7 @@ man_query_need_str (struct management *man, const char *type, const char *action

 static void

 man_forget_passwords (struct management *man)

 {

-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)

+#ifdef ENABLE_CRYPTO

   ssl_purge_auth (false);

   msg (M_CLIENT, "SUCCESS: Passwords were forgotten");

 #endif

@@ -1695,7 +1695,7 @@ man_reset_client_socket (struct management *man, const bool exiting)

     }

   if (!exiting)

     {

-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)

+#ifdef ENABLE_CRYPTO

       if (man->settings.flags & MF_FORGET_DISCONNECT)

 	ssl_purge_auth (false);

 #endif

@@ -62,14 +62,11 @@ struct key_schedule

   /* pre-shared static key, read from a file */

   struct key_ctx_bi static_key;

-#ifdef ENABLE_SSL

   /* our global SSL context */

   struct tls_root_ctx ssl_ctx;

   /* optional authentication HMAC key for TLS control channel */

   struct key_ctx_bi tls_auth_key;

-

-#endif				/* ENABLE_SSL */

 #else				/* ENABLE_CRYPTO */

   int dummy;

 #endif				/* ENABLE_CRYPTO */

@@ -335,8 +332,6 @@ struct context_2

   /*

    * TLS-mode crypto objects.

    */

-#ifdef ENABLE_SSL

-

   struct tls_multi *tls_multi;  /**< TLS state structure for this VPN

                                  *   tunnel. */

@@ -357,8 +352,6 @@ struct context_2

   /* throw this signal on TLS errors */

   int tls_exit_signal;

-#endif /* ENABLE_SSL */

-

   struct crypto_options crypto_options;

                                 /**< Security parameters and crypto state

                                  *   used by the \link data_crypto Data

@@ -566,7 +559,7 @@ struct context

  * have been compiled in.

  */

-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)

+#ifdef ENABLE_CRYPTO

 #define TLS_MODE(c) ((c)->c2.tls_multi != NULL)

 #define PROTO_DUMP_FLAGS (check_debug_level (D_LINK_RW_VERBOSE) ? (PD_SHOW_DATA|PD_VERBOSE) : 0)

 #define PROTO_DUMP(buf, gc) protocol_dump((buf), \

@@ -68,7 +68,6 @@ const char title_string[] =

 #endif

   " " TARGET_ALIAS

 #ifdef ENABLE_CRYPTO

-#ifdef ENABLE_SSL

 #if defined(ENABLE_CRYPTO_POLARSSL)

   " [SSL (PolarSSL)]"

 #elif defined(ENABLE_CRYPTO_OPENSSL)

@@ -76,15 +75,6 @@ const char title_string[] =

 #else

   " [SSL]"

 #endif /* defined(ENABLE_CRYPTO_POLARSSL) */

-#else /* ! ENABLE_SSL */

-#if defined(ENABLE_CRYPTO_POLARSSL)

-  " [CRYPTO (PolarSSL)]"

-#elif defined(ENABLE_CRYPTO_OPENSSL)

-  " [CRYPTO (OpenSSL)]"

-#else

-  " [CRYPTO]"

-#endif /* defined(ENABLE_CRYPTO_POLARSSL) */

-#endif /* ENABLE_SSL */

 #endif /* ENABLE_CRYPTO */

 #ifdef USE_COMP

 #ifdef ENABLE_LZO

@@ -548,7 +538,6 @@ static const char usage_message[] =

   "--use-prediction-resistance: Enable prediction resistance on the random\n"

   "                             number generator.\n"

 #endif

-#ifdef ENABLE_SSL

   "\n"

   "TLS Key Negotiation Options:\n"

   "(These options are meaningful only for TLS-mode)\n"

@@ -633,7 +622,6 @@ static const char usage_message[] =

   "--remote-cert-tls t: Require that peer certificate was signed with explicit\n"

   "                  key usage and extended key usage based on RFC3280 TLS rules.\n"

   "                  t = 'client' | 'server'.\n"

-#endif				/* ENABLE_SSL */

 #ifdef ENABLE_PKCS11

   "\n"

   "PKCS#11 Options:\n"

@@ -658,9 +646,7 @@ static const char usage_message[] =

   "--show-ciphers  : Show cipher algorithms to use with --cipher option.\n"

   "--show-digests  : Show message digest algorithms to use with --auth option.\n"

   "--show-engines  : Show hardware crypto accelerator engines (if available).\n"

-#ifdef ENABLE_SSL

   "--show-tls      : Show all TLS ciphers (TLS used only as a control channel).\n"

-#endif

 #ifdef WIN32

   "\n"

   "Windows Specific:\n"

@@ -846,7 +832,6 @@ init_options (struct options *o, const bool init_gc)

 #ifdef ENABLE_PREDICTION_RESISTANCE

   o->use_prediction_resistance = false;

 #endif

-#ifdef ENABLE_SSL

   o->key_method = 2;

   o->tls_timeout = 2;

   o->renegotiate_seconds = 3600;

@@ -856,7 +841,6 @@ init_options (struct options *o, const bool init_gc)

 #ifdef ENABLE_X509ALTUSERNAME

   o->x509_username_field = X509_USERNAME_FIELD_DEFAULT;

 #endif

-#endif /* ENABLE_SSL */

 #endif /* ENABLE_CRYPTO */

 #ifdef ENABLE_PKCS11

   o->pkcs11_pin_cache_period = -1;

@@ -1047,7 +1031,7 @@ string_substitute (const char *src, int from, int to, struct gc_arena *gc)

   return ret;

 }

-#ifdef ENABLE_SSL

+#ifdef ENABLE_CRYPTO

 static uint8_t *

 parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_arena *gc)

 {

@@ -1430,11 +1414,9 @@ show_settings (const struct options *o)

   SHOW_BOOL (show_digests);

   SHOW_BOOL (show_engines);

   SHOW_BOOL (genkey);

-#ifdef ENABLE_SSL

   SHOW_STR (key_pass_file);

   SHOW_BOOL (show_tls_ciphers);

 #endif

-#endif

   SHOW_INT (connect_retry_max);

   show_connection_entries (o);

@@ -1588,7 +1570,6 @@ show_settings (const struct options *o)

   SHOW_BOOL (use_prediction_resistance);

 #endif

-#ifdef ENABLE_SSL

   SHOW_BOOL (tls_server);

   SHOW_BOOL (tls_client);

   SHOW_INT (key_method);

@@ -1640,8 +1621,7 @@ show_settings (const struct options *o)

   SHOW_BOOL (tls_exit);

   SHOW_STR (tls_auth_file);

-#endif

-#endif

+#endif /* ENABLE_CRYPTO */

 #ifdef ENABLE_PKCS11

   {

@@ -1857,7 +1837,7 @@ options_postprocess_verify_ce (const struct options *options, const struct conne

     msg (M_USAGE, "--inetd nowait can only be used with --proto tcp-server");

   if (options->inetd == INETD_NOWAIT

-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)

+#ifdef ENABLE_CRYPTO

       && !(options->tls_server || options->tls_client)

 #endif

       )

@@ -2150,8 +2130,6 @@ options_postprocess_verify_ce (const struct options *options, const struct conne

   /*

    * SSL/TLS mode sanity checks.

    */

-

-#ifdef ENABLE_SSL

   if (options->tls_server + options->tls_client +

       (options->shared_secret_file != NULL) > 1)

     msg (M_USAGE, "specify only one of --tls-server, --tls-client, or --secret");

@@ -2328,7 +2306,6 @@ options_postprocess_verify_ce (const struct options *options, const struct conne

     }

 #undef MUST_BE_UNDEF

 #endif /* ENABLE_CRYPTO */

-#endif /* ENABLE_SSL */

 #if P2MP

   if (options->auth_user_pass_file && !options->pull)

@@ -2707,8 +2684,8 @@ options_postprocess_filechecks (struct options *options)

 {

   bool errs = false;

+#ifdef ENABLE_CRYPTO

   /* ** SSL/TLS/crypto related files ** */

-#ifdef ENABLE_SSL

   errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->dh_file, R_OK, "--dh");

   errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->ca_file, R_OK, "--ca");

   errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE, options->ca_path, R_OK, "--capath");

@@ -2732,20 +2709,15 @@ options_postprocess_filechecks (struct options *options)

   errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->tls_auth_file, R_OK,

                              "--tls-auth");

-#endif /* ENABLE_SSL */

-#ifdef ENABLE_CRYPTO

   errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->shared_secret_file, R_OK,

                              "--secret");

   errs |= check_file_access (CHKACC_DIRPATH|CHKACC_FILEXSTWR,

                              options->packet_id_file, R_OK|W_OK, "--replay-persist");

-#endif /* ENABLE_CRYPTO */

-

   /* ** Password files ** */

-#ifdef ENABLE_SSL

   errs |= check_file_access (CHKACC_FILE, options->key_pass_file, R_OK,

                              "--askpass");

-#endif /* ENABLE_SSL */

+#endif /* ENABLE_CRYPTO */

 #ifdef ENABLE_MANAGEMENT

   errs |= check_file_access (CHKACC_FILE|CHKACC_ACPTSTDIN,

                              options->management_user_pass, R_OK,

@@ -2768,10 +2740,10 @@ options_postprocess_filechecks (struct options *options)

                              R_OK|W_OK, "--status");

   /* ** Config related ** */

-#ifdef ENABLE_SSL

+#ifdef ENABLE_CRYPTO

   errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE, options->tls_export_cert,

                              R_OK|W_OK|X_OK, "--tls-export-cert");

-#endif /* ENABLE_SSL */

+#endif /* ENABLE_CRYPTO */

 #if P2MP_SERVER

   errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE, options->client_config_dir,

                              R_OK|X_OK, "--client-config-dir");

@@ -3000,13 +2972,8 @@ options_string (const struct options *o,

 #ifdef ENABLE_CRYPTO

-#ifdef ENABLE_SSL

 #define TLS_CLIENT (o->tls_client)

 #define TLS_SERVER (o->tls_server)

-#else

-#define TLS_CLIENT (false)

-#define TLS_SERVER (false)

-#endif

   /*

    * Key direction

@@ -3049,7 +3016,6 @@ options_string (const struct options *o,

 #endif

       }

-#ifdef ENABLE_SSL

   /*

    * SSL Options

    */

@@ -3078,7 +3044,6 @@ options_string (const struct options *o,

 	  buf_printf (&out, ",tls-server");

       }

   }

-#endif /* ENABLE_SSL */

 #undef TLS_CLIENT

 #undef TLS_SERVER

@@ -3401,7 +3366,7 @@ usage (void)

   struct options o;

   init_options (&o, true);

-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)

+#ifdef ENABLE_CRYPTO

   fprintf (fp, usage_message,

 	   title_string,

 	   o.ce.connect_retry_seconds,

@@ -3412,15 +3377,6 @@ usage (void)

            o.replay_window, o.replay_time,

 	   o.tls_timeout, o.renegotiate_seconds,

 	   o.handshake_window, o.transition_window);

-#elif defined(ENABLE_CRYPTO)

-  fprintf (fp, usage_message,

-	   title_string,

-	   o.ce.connect_retry_seconds,

-	   o.ce.local_port, o.ce.remote_port,

-	   TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT,

-	   o.verbosity,

-	   o.authname, o.ciphername,

-           o.replay_window, o.replay_time);

 #else

   fprintf (fp, usage_message,

 	   title_string,

@@ -3446,7 +3402,7 @@ usage_small (void)

 void

 show_library_versions(const unsigned int flags)

 {

-#ifdef ENABLE_SSL

+#ifdef ENABLE_CRYPTO

 #define SSL_LIB_VER_STR get_ssl_library_version()

 #else

 #define SSL_LIB_VER_STR ""

@@ -6517,7 +6473,6 @@ add_option (struct options *options,

       options->use_prediction_resistance = true;

     }

 #endif

-#ifdef ENABLE_SSL

   else if (streq (p[0], "show-tls"))

     {

       VERIFY_PERMISSION (OPT_P_GENERAL);

@@ -6954,7 +6909,6 @@ add_option (struct options *options,

       options->x509_username_field = p[1];

     }

 #endif /* ENABLE_X509ALTUSERNAME */

-#endif /* ENABLE_SSL */

 #endif /* ENABLE_CRYPTO */

 #ifdef ENABLE_PKCS11

   else if (streq (p[0], "show-pkcs11-ids"))

@@ -195,10 +195,8 @@ struct options

   bool show_ciphers;

   bool show_digests;

   bool show_engines;

-#ifdef ENABLE_SSL

   bool show_tls_ciphers;

   bool show_curves;

-#endif

   bool genkey;

 #endif

@@ -500,7 +498,6 @@ struct options

   bool use_prediction_resistance;

 #endif

-#ifdef ENABLE_SSL

   /* TLS (control channel) parms */

   bool tls_server;

   bool tls_client;

@@ -582,7 +579,6 @@ struct options

   bool tls_exit;

-#endif /* ENABLE_SSL */

 #endif /* ENABLE_CRYPTO */

 #ifdef ENABLE_X509_TRACK

@@ -420,7 +420,7 @@ plugin_call_item (const struct plugin *p,

 		  const struct argv *av,