authorAdriaan de Jong <dejong@fox-it.com>2011-07-05 13:09:13 +0200
committerDavid Sommerseth <davids@redhat.com>2011-10-22 16:00:49 +0200
commit7dd8bbf574672b60d4776bee0ef9908cf1f49c2f (patch)
tree3f8dbf8d216011e7ad489a2e07333edc7dc273da
parent88203950ef5ce2f23325ceff5ad247033dfa0005 (diff)
Disabled X.509 track and username selection for PolarSSL
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <davids@redhat.com>
-rw-r--r--README.polarssl19
-rw-r--r--configure.ac4
-rw-r--r--openvpn.81
-rw-r--r--options.c2
-rw-r--r--syshead.h2
5 files changed, 20 insertions, 8 deletions
diff --git a/README.polarssl b/README.polarssl
index bd066e4..77a9575 100644
--- a/README.polarssl
+++ b/README.polarssl
@@ -7,17 +7,22 @@ To Build and Install,
make
make install
+This version depends on at least PolarSSL v0.99.
+
*************************************************************************
-The following features are missing in the PolarSSL version of OpenVPN:
+Due to limitations in the PolarSSL library, the following features are missing
+in the PolarSSL version of OpenVPN:
- * ca_path support - Loading certificate authorities from a directory
* PKCS#12 file support
+ * --capath support - Loading certificate authorities from a directory
* Windows CryptoAPI support
* Management external key support
- * X509 alternative username fields (must be "CN")
+ * X.509 alternative username fields (must be "CN")
+
+Plugin/Script features:
- TODO:
- * serial is in Hex
- * X509 certificate export
- * X.509 tracking
+ * X.509 Serial number is in hex, not decimal as with OpenSSL
+ * X.509 subject line has a different format than the OpenSSL subject line
+ * X.509 certificate export does not work
+ * X.509 certificate tracking
diff --git a/configure.ac b/configure.ac
index bbdd713..a6b3019 100644
--- a/configure.ac
+++ b/configure.ac
@@ -840,6 +840,10 @@ fi
dnl enable --x509-username-field feature if requested
if test "$X509ALTUSERNAME" = "yes"; then
+ if test "$SSL_LIB" = "polarssl" ; then
+ AC_MSG_ERROR([PolarSSL does not support the --x509-username-field feature])
+ fi
+
AC_DEFINE(ENABLE_X509ALTUSERNAME, 1, [Enable --x509-username-field feature])
fi
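Review bot: The new AC_MSG_ERROR tells the user that the combination is unsupported but not how to get out of it; since X509ALTUSERNAME is set by a configure switch declared above this hunk, naming that switch in the message would save a configure round-trip, e.g. `AC_MSG_ERROR([PolarSSL does not support the --x509-username-field feature; build without the configure option that enables it, or use OpenSSL])`. The check is also placed inside the `if test "$X509ALTUSERNAME" = "yes"` block, so a PolarSSL build with the feature left at its default is unaffected, which looks intended; the default value itself is outside the hunk.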
diff --git a/openvpn.8 b/openvpn.8
index 12547c4..b8594e1 100644
--- a/openvpn.8
+++ b/openvpn.8
@@ -4543,6 +4543,7 @@ to save values from full cert chain. Values will be encoded
as X509_<depth>_<attribute>=<value>. Multiple
.B \-\-x509-track
options can be defined to track multiple attributes.
+Not available with PolarSSL.
.\"*********************************************************
.TP
.B \-\-ns-cert-type client|server
diff --git a/options.c b/options.c
index bed6c4b..3985439 100644
--- a/options.c
+++ b/options.c
@@ -604,8 +604,10 @@ static const char usage_message[] =
" of verification.\n"
"--ns-cert-type t: Require that peer certificate was signed with an explicit\n"
" nsCertType designation t = 'client' | 'server'.\n"
+#ifdef ENABLE_X509_TRACK
"--x509-track x : Save peer X509 attribute x in environment for use by\n"
" plugins and management interface.\n"
+#endif
#if OPENSSL_VERSION_NUMBER >= 0x00907000L || USE_POLARSSL
"--remote-cert-ku v ... : Require that the peer certificate was signed with\n"
" explicit key usage, you can specify more than one value.\n"
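Review bot: Hiding the `--x509-track` usage text under ENABLE_X509_TRACK only removes the help entry; if the branch that parses `--x509-track` elsewhere in options.c is not under the same guard, a PolarSSL build will still accept the option and silently do nothing with it, which is worse than an "unrecognized option" error. That parsing code is outside this hunk, so confirm it is wrapped in the same `#ifdef ENABLE_X509_TRACK` / `#endif` pair, and consider a one-line comment next to the guard here such as `/* ENABLE_X509_TRACK is only defined for the OpenSSL backend (see syshead.h) */` so readers do not assume the help text was dropped by mistake. The `usage_message[]` initializer begins and ends outside the hunk.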
diff --git a/syshead.h b/syshead.h
index 0e8edf3..f3c0ac9 100644
--- a/syshead.h
+++ b/syshead.h
@@ -627,7 +627,7 @@ socket_defined (const socket_descriptor_t sd)
/*
* Enable x509-track feature?
*/
-#if defined(USE_CRYPTO) && defined(USE_SSL) && defined USE_OPENSSL
+#if defined(USE_CRYPTO) && defined(USE_SSL) && defined (USE_OPENSSL)
#define ENABLE_X509_TRACK
#endif