search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
dnsmasq: Update to v2.67test14.
[tomato.git] / release / src / router / vsftpd / ssl.c
blob4ee972b49290419b464d960c15f80040ff7b5647
1 /*
2 * Part of Very Secure FTPd
3 * Licence: GPL v2. Note that this code interfaces with with the OpenSSL
4 * libraries, so please read LICENSE where I give explicit permission to link
5 * against the OpenSSL libraries.
6 * Author: Chris Evans
7 * ssl.c
8 *
9 * Routines to handle a SSL/TLS-based implementation of RFC 2228, i.e.
10 * encryption.
11 */
12
13 #include "ssl.h"
14 #include "session.h"
15 #include "ftpcodes.h"
16 #include "ftpcmdio.h"
17 #include "defs.h"
18 #include "str.h"
19 #include "sysutil.h"
20 #include "tunables.h"
21 #include "utility.h"
22 #include "builddefs.h"
23 #include "logging.h"
24
25 #ifdef VSF_BUILD_SSL
26
27 #include <openssl/ssl.h>
28 #include <openssl/err.h>
29 #include <openssl/rand.h>
30 #include <openssl/bio.h>
31 #include <errno.h>
32 #include <limits.h>
33
34 static char* get_ssl_error();
35 static SSL* get_ssl(struct vsf_session* p_sess, int fd);
36 static int ssl_session_init(struct vsf_session* p_sess);
37 static void setup_bio_callbacks();
38 static long bio_callback(
39 BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long retval);
40 static int ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx);
41 static int ssl_cert_digest(
42 SSL* p_ssl, struct vsf_session* p_sess, struct mystr* p_str);
43 static void maybe_log_shutdown_state(struct vsf_session* p_sess);
44 static void maybe_log_ssl_error_state(struct vsf_session* p_sess, int ret);
45 static int ssl_read_common(struct vsf_session* p_sess,
46 SSL* p_ssl,
47 char* p_buf,
48 unsigned int len,
49 int (*p_ssl_func)(SSL*, void*, int));
50
51 static int ssl_inited;
52 static struct mystr debug_str;
53
54 void
55 ssl_init(struct vsf_session* p_sess)
56 {
57 if (!ssl_inited)
58 {
59 SSL_CTX* p_ctx;
60 long options;
61 int verify_option = 0;
62 SSL_library_init();
63 p_ctx = SSL_CTX_new(SSLv23_server_method());
64 if (p_ctx == NULL)
65 {
66 die("SSL: could not allocate SSL context");
67 }
68 options = SSL_OP_ALL;
69 if (!tunable_sslv2)
70 {
71 options |= SSL_OP_NO_SSLv2;
72 }
73 if (!tunable_sslv3)
74 {
75 options |= SSL_OP_NO_SSLv3;
76 }
77 if (!tunable_tlsv1)
78 {
79 options |= SSL_OP_NO_TLSv1;
80 }
81 SSL_CTX_set_options(p_ctx, options);
82 if (tunable_rsa_cert_file)
83 {
84 const char* p_key = tunable_rsa_private_key_file;
85 if (!p_key)
86 {
87 p_key = tunable_rsa_cert_file;
88 }
89 if (SSL_CTX_use_certificate_chain_file(p_ctx, tunable_rsa_cert_file) != 1)
90 {
91 die("SSL: cannot load RSA certificate");
92 }
93 if (SSL_CTX_use_PrivateKey_file(p_ctx, p_key, X509_FILETYPE_PEM) != 1)
94 {
95 die("SSL: cannot load RSA private key");
96 }
97 }
98 if (tunable_dsa_cert_file)
99 {
100 const char* p_key = tunable_dsa_private_key_file;
101 if (!p_key)
102 {
103 p_key = tunable_dsa_cert_file;
104 }
105 if (SSL_CTX_use_certificate_chain_file(p_ctx, tunable_dsa_cert_file) != 1)
106 {
107 die("SSL: cannot load DSA certificate");
108 }
109 if (SSL_CTX_use_PrivateKey_file(p_ctx, p_key, X509_FILETYPE_PEM) != 1)
110 {
111 die("SSL: cannot load DSA private key");
112 }
113 }
114 if (tunable_ssl_ciphers &&
115 SSL_CTX_set_cipher_list(p_ctx, tunable_ssl_ciphers) != 1)
116 {
117 die("SSL: could not set cipher list");
118 }
119 if (RAND_status() != 1)
120 {
121 die("SSL: RNG is not seeded");
122 }
123 if (tunable_ssl_request_cert)
124 {
125 verify_option |= SSL_VERIFY_PEER;
126 }
127 if (tunable_require_cert)
128 {
129 verify_option |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
130 }
131 if (verify_option)
132 {
133 SSL_CTX_set_verify(p_ctx, verify_option, ssl_verify_callback);
134 if (tunable_ca_certs_file)
135 {
136 STACK_OF(X509_NAME)* p_names;
137 if (!SSL_CTX_load_verify_locations(p_ctx, tunable_ca_certs_file, NULL))
138 {
139 die("SSL: could not load verify file");
140 }
141 p_names = SSL_load_client_CA_file(tunable_ca_certs_file);
142 if (!p_names)
143 {
144 die("SSL: could not load client certs file");
145 }
146 SSL_CTX_set_client_CA_list(p_ctx, p_names);
147 }
148 }
149 {
150 static const char* p_ctx_id = "vsftpd";
151 SSL_CTX_set_session_id_context(p_ctx, (void*) p_ctx_id,
152 vsf_sysutil_strlen(p_ctx_id));
153 }
154 if (tunable_require_ssl_reuse)
155 {
156 /* Ensure cached session doesn't expire */
157 SSL_CTX_set_timeout(p_ctx, INT_MAX);
158 }
159 p_sess->p_ssl_ctx = p_ctx;
160 ssl_inited = 1;
161 }
162 }
163
164 void
165 ssl_control_handshake(struct vsf_session* p_sess)
166 {
167 if (!ssl_session_init(p_sess))
168 {
169 struct mystr err_str = INIT_MYSTR;
170 str_alloc_text(&err_str, "Negotiation failed: ");
171 /* Technically, we shouldn't leak such detailed error messages. */
172 str_append_text(&err_str, get_ssl_error());
173 vsf_cmdio_write_str(p_sess, FTP_TLS_FAIL, &err_str);
174 vsf_sysutil_exit(0);
175 }
176 p_sess->control_use_ssl = 1;
177 }
178
179 void
180 handle_auth(struct vsf_session* p_sess)
181 {
182 str_upper(&p_sess->ftp_arg_str);
183 if (str_equal_text(&p_sess->ftp_arg_str, "TLS") ||
184 str_equal_text(&p_sess->ftp_arg_str, "TLS-C") ||
185 str_equal_text(&p_sess->ftp_arg_str, "SSL") ||
186 str_equal_text(&p_sess->ftp_arg_str, "TLS-P"))
187 {
188 vsf_cmdio_write(p_sess, FTP_AUTHOK, "Proceed with negotiation.");
189 ssl_control_handshake(p_sess);
190 if (str_equal_text(&p_sess->ftp_arg_str, "SSL") ||
191 str_equal_text(&p_sess->ftp_arg_str, "TLS-P"))
192 {
193 p_sess->data_use_ssl = 1;
194 }
195 }
196 else
197 {
198 vsf_cmdio_write(p_sess, FTP_BADAUTH, "Unknown AUTH type.");
199 }
200 }
201
202 void
203 handle_pbsz(struct vsf_session* p_sess)
204 {
205 if (!p_sess->control_use_ssl)
206 {
207 vsf_cmdio_write(p_sess, FTP_BADPBSZ, "PBSZ needs a secure connection.");
208 }
209 else
210 {
211 vsf_cmdio_write(p_sess, FTP_PBSZOK, "PBSZ set to 0.");
212 }
213 }
214
215 void
216 handle_prot(struct vsf_session* p_sess)
217 {
218 str_upper(&p_sess->ftp_arg_str);
219 if (!p_sess->control_use_ssl)
220 {
221 vsf_cmdio_write(p_sess, FTP_BADPROT, "PROT needs a secure connection.");
222 }
223 else if (str_equal_text(&p_sess->ftp_arg_str, "C"))
224 {
225 p_sess->data_use_ssl = 0;
226 vsf_cmdio_write(p_sess, FTP_PROTOK, "PROT now Clear.");
227 }
228 else if (str_equal_text(&p_sess->ftp_arg_str, "P"))
229 {
230 p_sess->data_use_ssl = 1;
231 vsf_cmdio_write(p_sess, FTP_PROTOK, "PROT now Private.");
232 }
233 else if (str_equal_text(&p_sess->ftp_arg_str, "S") ||
234 str_equal_text(&p_sess->ftp_arg_str, "E"))
235 {
236 vsf_cmdio_write(p_sess, FTP_NOHANDLEPROT, "PROT not supported.");
237 }
238 else
239 {
240 vsf_cmdio_write(p_sess, FTP_NOSUCHPROT, "PROT not recognized.");
241 }
242 }
243
244 int
245 ssl_read(struct vsf_session* p_sess, void* p_ssl, char* p_buf, unsigned int len)
246 {
247 return ssl_read_common(p_sess, (SSL*) p_ssl, p_buf, len, SSL_read);
248 }
249
250 int
251 ssl_peek(struct vsf_session* p_sess, void* p_ssl, char* p_buf, unsigned int len)
252 {
253 return ssl_read_common(p_sess, (SSL*) p_ssl, p_buf, len, SSL_peek);
254 }
255
256 static int
257 ssl_read_common(struct vsf_session* p_sess,
258 SSL* p_void_ssl,
259 char* p_buf,
260 unsigned int len,
261 int (*p_ssl_func)(SSL*, void*, int))
262 {
263 int retval;
264 int err;
265 SSL* p_ssl = (SSL*) p_void_ssl;
266 do
267 {
268 retval = (*p_ssl_func)(p_ssl, p_buf, len);
269 err = SSL_get_error(p_ssl, retval);
270 }
271 while (retval < 0 && (err == SSL_ERROR_WANT_READ ||
272 err == SSL_ERROR_WANT_WRITE));
273 /* If we hit an EOF, make sure it was from the peer, not injected by the
274 * attacker.
275 */
276 if (retval == 0 && SSL_get_shutdown(p_ssl) != SSL_RECEIVED_SHUTDOWN)
277 {
278 str_alloc_text(&debug_str, "Connection terminated without SSL shutdown "
279 "- buggy client?");
280 vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
281 if (tunable_strict_ssl_read_eof)
282 {
283 return -1;
284 }
285 }
286 return retval;
287 }
288
289 int
290 ssl_write(void* p_ssl, const char* p_buf, unsigned int len)
291 {
292 int retval;
293 int err;
294 do
295 {
296 retval = SSL_write((SSL*) p_ssl, p_buf, len);
297 err = SSL_get_error((SSL*) p_ssl, retval);
298 }
299 while (retval < 0 && (err == SSL_ERROR_WANT_READ ||
300 err == SSL_ERROR_WANT_WRITE));
301 return retval;
302 }
303
304 int
305 ssl_write_str(void* p_ssl, const struct mystr* p_str)
306 {
307 unsigned int len = str_getlen(p_str);
308 int ret = SSL_write((SSL*) p_ssl, str_getbuf(p_str), len);
309 if ((unsigned int) ret != len)
310 {
311 return -1;
312 }
313 return 0;
314 }
315
316 int
317 ssl_read_into_str(struct vsf_session* p_sess, void* p_ssl, struct mystr* p_str)
318 {
319 unsigned int len = str_getlen(p_str);
320 int ret = ssl_read(p_sess, p_ssl, (char*) str_getbuf(p_str), len);
321 if (ret >= 0)
322 {
323 str_trunc(p_str, (unsigned int) ret);
324 }
325 else
326 {
327 str_empty(p_str);
328 }
329 return ret;
330 }
331
332 static void
333 maybe_log_shutdown_state(struct vsf_session* p_sess)
334 {
335 if (tunable_debug_ssl)
336 {
337 int ret = SSL_get_shutdown(p_sess->p_data_ssl);
338 str_alloc_text(&debug_str, "SSL shutdown state is: ");
339 if (ret == 0)
340 {
341 str_append_text(&debug_str, "NONE");
342 }
343 else if (ret == SSL_SENT_SHUTDOWN)
344 {
345 str_append_text(&debug_str, "SSL_SENT_SHUTDOWN");
346 }
347 else if (ret == SSL_RECEIVED_SHUTDOWN)
348 {
349 str_append_text(&debug_str, "SSL_RECEIVED_SHUTDOWN");
350 }
351 else
352 {
353 str_append_ulong(&debug_str, ret);
354 }
355 vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
356 }
357 }
358
359 static void
360 maybe_log_ssl_error_state(struct vsf_session* p_sess, int ret)
361 {
362 if (tunable_debug_ssl)
363 {
364 str_alloc_text(&debug_str, "SSL ret: ");
365 str_append_ulong(&debug_str, ret);
366 str_append_text(&debug_str, ", SSL error: ");
367 str_append_text(&debug_str, get_ssl_error());
368 str_append_text(&debug_str, ", errno: ");
369 str_append_ulong(&debug_str, errno);
370 vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
371 }
372 }
373
374 int
375 ssl_data_close(struct vsf_session* p_sess)
376 {
377 int success = 1;
378 SSL* p_ssl = p_sess->p_data_ssl;
379 if (p_ssl)
380 {
381 int ret;
382 maybe_log_shutdown_state(p_sess);
383 /* This is a mess. Ideally, when we're the sender, we'd like to get to the
384 * SSL_RECEIVED_SHUTDOWN state to get a cryptographic guarantee that the
385 * peer received all the data and shut the connection down cleanly. It
386 * doesn't matter hugely apart from logging, but it's a nagging detail.
387 * Unfortunately, no FTP client I found was able to get sends into that
388 * state, so the best we can do is issue SSL_shutdown but not check the
389 * errors / returns. At least this enables the receiver to be sure of the
390 * integrity of the send in terms of unwanted truncation.
391 */
392 ret = SSL_shutdown(p_ssl);
393 maybe_log_shutdown_state(p_sess);
394 if (ret == 0)
395 {
396 ret = SSL_shutdown(p_ssl);
397 maybe_log_shutdown_state(p_sess);
398 if (ret != 1)
399 {
400 if (tunable_strict_ssl_write_shutdown)
401 {
402 success = 0;
403 }
404 maybe_log_shutdown_state(p_sess);
405 maybe_log_ssl_error_state(p_sess, ret);
406 }
407 }
408 else if (ret < 0)
409 {
410 if (tunable_strict_ssl_write_shutdown)
411 {
412 success = 0;
413 }
414 maybe_log_ssl_error_state(p_sess, ret);
415 }
416 SSL_free(p_ssl);
417 p_sess->p_data_ssl = NULL;
418 }
419 return success;
420 }
421
422 int
423 ssl_accept(struct vsf_session* p_sess, int fd)
424 {
425 /* SECURITY: data SSL connections don't have any auth on them as part of the
426 * protocol. If a client sends an unfortunately optional client cert then
427 * we can check for a match between the control and data connections.
428 */
429 SSL* p_ssl;
430 int reused;
431 if (p_sess->p_data_ssl != NULL)
432 {
433 die("p_data_ssl should be NULL.");
434 }
435 p_ssl = get_ssl(p_sess, fd);
436 if (p_ssl == NULL)
437 {
438 return 0;
439 }
440 p_sess->p_data_ssl = p_ssl;
441 setup_bio_callbacks(p_ssl);
442 reused = SSL_session_reused(p_ssl);
443 if (tunable_require_ssl_reuse && !reused)
444 {
445 str_alloc_text(&debug_str, "No SSL session reuse on data channel.");
446 vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
447 ssl_data_close(p_sess);
448 return 0;
449 }
450 if (str_getlen(&p_sess->control_cert_digest) > 0)
451 {
452 static struct mystr data_cert_digest;
453 if (!ssl_cert_digest(p_ssl, p_sess, &data_cert_digest))
454 {
455 str_alloc_text(&debug_str, "Missing cert on data channel.");
456 vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
457 ssl_data_close(p_sess);
458 return 0;
459 }
460 if (str_strcmp(&p_sess->control_cert_digest, &data_cert_digest))
461 {
462 str_alloc_text(&debug_str, "DIFFERENT cert on data channel.");
463 vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
464 ssl_data_close(p_sess);
465 return 0;
466 }
467 if (tunable_debug_ssl)
468 {
469 str_alloc_text(&debug_str, "Matching cert on data channel.");
470 vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
471 }
472 }
473 return 1;
474 }
475
476 void
477 ssl_comm_channel_init(struct vsf_session* p_sess)
478 {
479 if (p_sess->ssl_consumer_fd != -1)
480 {
481 bug("ssl_consumer_fd active");
482 }
483 if (p_sess->ssl_slave_fd != -1)
484 {
485 bug("ssl_slave_fd active");
486 }
487 const struct vsf_sysutil_socketpair_retval retval =
488 vsf_sysutil_unix_stream_socketpair();
489 p_sess->ssl_consumer_fd = retval.socket_one;
490 p_sess->ssl_slave_fd = retval.socket_two;
491 }
492
493 void
494 ssl_comm_channel_set_consumer_context(struct vsf_session* p_sess)
495 {
496 if (p_sess->ssl_slave_fd == -1)
497 {
498 bug("ssl_slave_fd already closed");
499 }
500 vsf_sysutil_close(p_sess->ssl_slave_fd);
501 p_sess->ssl_slave_fd = -1;
502 }
503
504 void
505 ssl_comm_channel_set_producer_context(struct vsf_session* p_sess)
506 {
507 if (p_sess->ssl_consumer_fd == -1)
508 {
509 bug("ssl_consumer_fd already closed");
510 }
511 vsf_sysutil_close(p_sess->ssl_consumer_fd);
512 p_sess->ssl_consumer_fd = -1;
513 }
514
515 static SSL*
516 get_ssl(struct vsf_session* p_sess, int fd)
517 {
518 SSL* p_ssl = SSL_new(p_sess->p_ssl_ctx);
519 if (p_ssl == NULL)
520 {
521 if (tunable_debug_ssl)
522 {
523 str_alloc_text(&debug_str, "SSL_new failed");
524 vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
525 }
526 return NULL;
527 }
528 if (!SSL_set_fd(p_ssl, fd))
529 {
530 if (tunable_debug_ssl)
531 {
532 str_alloc_text(&debug_str, "SSL_set_fd failed");
533 vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
534 }
535 SSL_free(p_ssl);
536 return NULL;
537 }
538 if (SSL_accept(p_ssl) != 1)
539 {
540 const char* p_err = get_ssl_error();
541 if (tunable_debug_ssl)
542 {
543 str_alloc_text(&debug_str, "SSL_accept failed: ");
544 str_append_text(&debug_str, p_err);
545 vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
546 }
547 /* The RFC is quite clear that we can just close the control channel
548 * here.
549 */
550 die(p_err);
551 }
552 if (tunable_debug_ssl)
553 {
554 const char* p_ssl_version = SSL_get_cipher_version(p_ssl);
555 SSL_CIPHER* p_ssl_cipher = SSL_get_current_cipher(p_ssl);
556 const char* p_cipher_name = SSL_CIPHER_get_name(p_ssl_cipher);
557 X509* p_ssl_cert = SSL_get_peer_certificate(p_ssl);
558 int reused = SSL_session_reused(p_ssl);
559 str_alloc_text(&debug_str, "SSL version: ");
560 str_append_text(&debug_str, p_ssl_version);
561 str_append_text(&debug_str, ", SSL cipher: ");
562 str_append_text(&debug_str, p_cipher_name);
563 if (reused)
564 {
565 str_append_text(&debug_str, ", reused");
566 }
567 else
568 {
569 str_append_text(&debug_str, ", not reused");
570 }
571 if (p_ssl_cert != NULL)
572 {
573 str_append_text(&debug_str, ", CERT PRESENTED");
574 X509_free(p_ssl_cert);
575 }
576 else
577 {
578 str_append_text(&debug_str, ", no cert");
579 }
580 vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
581 }
582 return p_ssl;
583 }
584
585 static int
586 ssl_session_init(struct vsf_session* p_sess)
587 {
588 SSL* p_ssl = get_ssl(p_sess, VSFTP_COMMAND_FD);
589 if (p_ssl == NULL)
590 {
591 return 0;
592 }
593 p_sess->p_control_ssl = p_ssl;
594 (void) ssl_cert_digest(p_ssl, p_sess, &p_sess->control_cert_digest);
595 setup_bio_callbacks(p_ssl);
596 return 1;
597 }
598
599 static int
600 ssl_cert_digest(SSL* p_ssl, struct vsf_session* p_sess, struct mystr* p_str)
601 {
602 X509* p_cert = SSL_get_peer_certificate(p_ssl);
603 unsigned int num_bytes = 0;
604 if (p_cert == NULL)
605 {
606 return 0;
607 }
608 str_reserve(p_str, EVP_MAX_MD_SIZE);
609 str_empty(p_str);
610 str_rpad(p_str, EVP_MAX_MD_SIZE);
611 if (!X509_digest(p_cert, EVP_sha256(), (unsigned char*) str_getbuf(p_str),
612 &num_bytes))
613 {
614 die("X509_digest failed");
615 }
616 X509_free(p_cert);
617 if (tunable_debug_ssl)
618 {
619 unsigned int i;
620 str_alloc_text(&debug_str, "Cert digest:");
621 for (i = 0; i < num_bytes; ++i)
622 {
623 str_append_char(&debug_str, ' ');
624 str_append_ulong(
625 &debug_str, (unsigned long) (unsigned char) str_get_char_at(p_str, i));
626 }
627 vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
628 }
629 str_trunc(p_str, num_bytes);
630 return 1;
631 }
632
633 static char*
634 get_ssl_error()
635 {
636 SSL_load_error_strings();
637 return ERR_error_string(ERR_get_error(), NULL);
638 }
639
640 static void setup_bio_callbacks(SSL* p_ssl)
641 {
642 BIO* p_bio = SSL_get_rbio(p_ssl);
643 BIO_set_callback(p_bio, bio_callback);
644 p_bio = SSL_get_wbio(p_ssl);
645 BIO_set_callback(p_bio, bio_callback);
646 }
647
648 static long
649 bio_callback(
650 BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long ret)
651 {
652 int retval = 0;
653 int fd = 0;
654 (void) p_arg;
655 (void) argi;
656 (void) argl;
657 if (oper == (BIO_CB_READ | BIO_CB_RETURN) ||
658 oper == (BIO_CB_WRITE | BIO_CB_RETURN))
659 {
660 retval = (int) ret;
661 fd = BIO_get_fd(p_bio, NULL);
662 }
663 vsf_sysutil_check_pending_actions(kVSFSysUtilIO, retval, fd);
664 return ret;
665 }
666
667 static int
668 ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx)
669 {
670 (void) p_ctx;
671 if (tunable_validate_cert)
672 {
673 return verify_ok;
674 }
675 return 1;
676 }
677
678 void
679 ssl_add_entropy(struct vsf_session* p_sess)
680 {
681 /* Although each child does seem to have its different pool of entropy, I
682 * don't trust the interaction of OpenSSL's opaque RAND API and fork(). So
683 * throw a bit more in (only works on systems with /dev/urandom for now).
684 */
685 int ret = RAND_load_file("/dev/urandom", 16);
686 if (ret != 16)
687 {
688 str_alloc_text(&debug_str, "Couldn't add extra OpenSSL entropy: ");
689 str_append_ulong(&debug_str, (unsigned long) ret);
690 vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
691 }
692 }
693
694 #else /* VSF_BUILD_SSL */
695
696 void
697 ssl_init(struct vsf_session* p_sess)
698 {
699 (void) p_sess;
700 die("SSL: ssl_enable is set but SSL support not compiled in");
701 }
702
703 void
704 ssl_control_handshake(struct vsf_session* p_sess)
705 {
706 (void) p_sess;
707 }
708
709 void
710 handle_auth(struct vsf_session* p_sess)
711 {
712 (void) p_sess;
713 }
714
715 void
716 handle_pbsz(struct vsf_session* p_sess)
717 {
718 (void) p_sess;
719 }
720
721 void
722 handle_prot(struct vsf_session* p_sess)
723 {
724 (void) p_sess;
725 }
726
727 int
728 ssl_read(struct vsf_session* p_sess, void* p_ssl, char* p_buf, unsigned int len)
729 {
730 (void) p_sess;
731 (void) p_ssl;
732 (void) p_buf;
733 (void) len;
734 return -1;
735 }
736
737 int
738 ssl_peek(struct vsf_session* p_sess, void* p_ssl, char* p_buf, unsigned int len)
739 {
740 (void) p_sess;
741 (void) p_ssl;
742 (void) p_buf;
743 (void) len;
744 return -1;
745 }
746
747 int
748 ssl_write(void* p_ssl, const char* p_buf, unsigned int len)
749 {
750 (void) p_ssl;
751 (void) p_buf;
752 (void) len;
753 return -1;
754 }
755
756 int
757 ssl_write_str(void* p_ssl, const struct mystr* p_str)
758 {
759 (void) p_ssl;
760 (void) p_str;
761 return -1;
762 }
763
764 int
765 ssl_accept(struct vsf_session* p_sess, int fd)
766 {
767 (void) p_sess;
768 (void) fd;
769 return -1;
770 }
771
772 int
773 ssl_data_close(struct vsf_session* p_sess)
774 {
775 (void) p_sess;
776 return 1;
777 }
778
779 void
780 ssl_comm_channel_init(struct vsf_session* p_sess)
781 {
782 (void) p_sess;
783 }
784
785 void
786 ssl_comm_channel_set_consumer_context(struct vsf_session* p_sess)
787 {
788 (void) p_sess;
789 }
790
791 void
792 ssl_comm_channel_set_producer_context(struct vsf_session* p_sess)
793 {
794 (void) p_sess;
795 }
796
797 void
798 ssl_add_entropy(struct vsf_session* p_sess)
799 {
800 (void) p_sess;
801 }
802
803 int
804 ssl_read_into_str(struct vsf_session* p_sess, void* p_ssl, struct mystr* p_str)
805 {
806 (void) p_sess;
807 (void) p_ssl;
808 (void) p_str;
809 return -1;
810 }
811
812 #endif /* VSF_BUILD_SSL */
813
Tomato firmware and modifications.