diff -cr stunnel-3.22/client.c stunnel-3.22.new/client.c *** stunnel-3.22/client.c Sun Dec 23 11:41:32 2001 --- stunnel-3.22.new/client.c Fri Mar 21 09:50:15 2003 *************** *** 252,257 **** --- 252,265 ---- c->error=1; return; } + /* Set blinding iff it's not built into our OpenSSL version */ + #if SSLEAY_VERSION_NUMBER <= 0x0090701fL + if (options.option&OPT_CERT) + set_rsa_blinding(c->ssl); + #else + log(LOG_DEBUG, "Relying on OpenSSL RSA Blinding."); + #endif + #if SSLEAY_VERSION_NUMBER >= 0x0922 SSL_set_session_id_context(c->ssl, sid_ctx, strlen(sid_ctx)); #endif *************** *** 939,943 **** --- 944,980 ---- if(setsockopt(fd, SOL_SOCKET, SO_LINGER, (void *)&l, sizeof(l))) log_error(LOG_DEBUG, get_last_socket_error(), txt); } + + int set_rsa_blinding(SSL *ssl) { + #ifndef NO_RSA + + /* Turn on blinding iff using RSA */ + + RSA *rsa; + EVP_PKEY *pkey; + + if ( (pkey = SSL_get_privatekey(ssl)) ) { + if ( (rsa = EVP_PKEY_get1_RSA(pkey)) ) { + if ( RSA_blinding_on(rsa,NULL) ) { + log(LOG_DEBUG, "RSA blinding enabled"); + } else { + log(LOG_ERR, "Unable to set RSA blinding"); + sslerror("RSA_blinding_on"); + exit(1); + } + /* EVP_PKEY_get1_RSA ups the count for rsa - free extra */ + RSA_free(rsa); + } else { + log(LOG_DEBUG, "Private key is not RSA, no blinding needed"); + } + } else { + log(LOG_ERR, "Unable to get access to the SSL private key."); + sslerror("SSL_get_privatekey"); + exit(1); + } + #endif + return(1); + } + /* End of client.c */ diff -cr stunnel-3.22/prototypes.h stunnel-3.22.new/prototypes.h *** stunnel-3.22/prototypes.h Sun Nov 11 11:16:01 2001 --- stunnel-3.22.new/prototypes.h Fri Mar 21 09:54:55 2003 *************** *** 43,48 **** --- 43,50 ---- /* descriptor versions of fprintf/fscanf */ int fdprintf(int, char *, ...); int fdscanf(int, char *, char *); + #include + int set_rsa_blinding(SSL *); /* Prototypes for log.c */ diff -cr stunnel-3.22/ssl.c stunnel-3.22.new/ssl.c *** stunnel-3.22/ssl.c Sun Dec 23 11:46:03 2001 --- stunnel-3.22.new/ssl.c Fri Mar 21 09:57:45 2003 *************** *** 65,71 **** #endif /* NO_RSA */ static void verify_init(); static int verify_callback(int, X509_STORE_CTX *); ! static void info_callback(SSL *, int, int); static void print_stats(); SSL_CTX *ctx; /* global SSL context */ --- 65,71 ---- #endif /* NO_RSA */ static void verify_init(); static int verify_callback(int, X509_STORE_CTX *); ! static void info_callback(const SSL *, int, int); static void print_stats(); SSL_CTX *ctx; /* global SSL context */ *************** *** 328,333 **** --- 328,334 ---- } retval=longkey; } + leave_critical_section(CRIT_KEYGEN); return retval; } *************** *** 342,347 **** --- 343,354 ---- result=RSA_generate_key(keylen, RSA_F4, NULL); #endif log(LOG_DEBUG, "Temporary RSA key created"); + + /* Set blinding iff it's not built into our OpenSSL version */ + #if SSLEAY_VERSION_NUMBER <= 0x0090701fL + RSA_blinding_on(result,NULL); + #endif + return result; } *************** *** 440,446 **** return 1; /* Accept connection */ } ! static void info_callback(SSL *s, int where, int ret) { if(where & SSL_CB_LOOP) log(LOG_DEBUG, "SSL state (%s): %s", where & SSL_ST_CONNECT ? "connect" : --- 447,453 ---- return 1; /* Accept connection */ } ! static void info_callback(const SSL *s, int where, int ret) { if(where & SSL_CB_LOOP) log(LOG_DEBUG, "SSL state (%s): %s", where & SSL_ST_CONNECT ? "connect" :