diff -rc stunnel-3.22/configure.ac stunnel-3.22.new/configure.ac *** stunnel-3.22/configure.ac Sun Dec 23 19:51:48 2001 --- stunnel-3.22.new/configure.ac Tue Apr 22 12:16:18 2003 *************** *** 108,113 **** --- 108,122 ---- AC_DEFINE_UNQUOTED(RANDOM_FILE, "$RANDOM_FILE") fi + dnl Use SSL Engine + AC_MSG_CHECKING([whether to build with OpenSSL engine capability]) + AC_ARG_ENABLE(ssl-engine, + [ --enable-ssl-engine Build with OpenSSL engine capability], + [ AC_MSG_RESULT([yes]); AC_DEFINE(SSL_ENGINE) ], + [ AC_MSG_RESULT([no]); ] + ) + + dnl Use SSL certificate defaults? AC_MSG_CHECKING([whether to enable SSL certificate defaults]) AC_ARG_ENABLE(ssllib-cs, diff -rc stunnel-3.22/options.c stunnel-3.22.new/options.c *** stunnel-3.22/options.c Sun Dec 23 20:08:51 2001 --- stunnel-3.22.new/options.c Fri Apr 18 14:23:21 2003 *************** *** 72,77 **** --- 72,80 ---- options.facility=LOG_DAEMON; #endif options.session_timeout=300; + #ifdef SSL_ENGINE + options.hw_engine=NULL; + #endif options.cipher_list=NULL; options.username=NULL; options.protocol=NULL; *************** *** 85,91 **** options.output_file=NULL; options.local_ip=NULL; opterr=0; ! while ((c = getopt(argc, argv, "A:a:cp:v:d:fTl:L:r:s:g:t:u:n:N:hC:D:O:E:R:WB:VP:S:o:I:")) != EOF) switch (c) { case 'A': safecopy(options.cert_file,optarg); --- 88,94 ---- options.output_file=NULL; options.local_ip=NULL; opterr=0; ! 
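Review bot: `--disable-ssl-engine` also defines SSL_ENGINE, because the third argument of AC_ARG_ENABLE runs whenever the option is given in either form and the added action never inspects `$enableval`. Make the action conditional, e.g. `[ if test "x$enableval" = xyes; then AC_MSG_RESULT([yes]); AC_DEFINE(SSL_ENGINE); else AC_MSG_RESULT([no]); fi ]`, so only an explicit enable turns the feature on while the existing action-if-not-given keeps reporting no. If autoheader is used, the three-argument form `AC_DEFINE(SSL_ENGINE, 1, [Build with OpenSSL ENGINE support])` avoids the missing-description warning.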
while ((c = getopt(argc, argv, "A:a:cp:v:d:fTl:L:r:s:g:t:u:n:N:H:hC:D:O:E:R:WB:VP:S:o:I:")) != EOF) switch (c) { case 'A': safecopy(options.cert_file,optarg); *************** *** 215,220 **** --- 218,230 ---- case 'N': servname_selected=optarg; break; + case 'H': + #ifdef SSL_ENGINE + options.hw_engine=optarg; + #else + log(LOG_ERR, "-H is only support when compiled with -DSSL_ENGINE"); + #endif + break; case 'C': options.cipher_list=optarg; break; *************** *** 323,328 **** --- 333,341 ---- "[-c | -T] " "[-D level] " "[-C cipherlist] " + #ifdef SSL_ENGINE + "[-H ssl_engine]" + #endif "[-p pemfile] " "\n\t" "[-v level] " *************** *** 391,396 **** --- 404,412 ---- "\n -P arg\tspecify pid file { dir/ | filename | none }" #endif "\n -C list\tset permitted SSL ciphers" + #ifdef SSL_ENGINE + "\n -H ssl_engine\tUse openssl engine ssl_engine" + #endif #if SSLEAY_VERSION_NUMBER >= 0x0090581fL "\n -E socket\tpath to Entropy Gathering Daemon socket" #ifdef EGD_SOCKET diff -rc stunnel-3.22/prototypes.h stunnel-3.22.new/prototypes.h *** stunnel-3.22/prototypes.h Sun Nov 11 19:16:01 2001 --- stunnel-3.22.new/prototypes.h Fri Apr 18 14:25:29 2003 *************** *** 98,103 **** --- 98,106 ---- int debug_level; /* debug level for syslog */ int facility; /* debug facility for syslog */ long session_timeout; + #ifdef SSL_ENGINE + char *hw_engine; + #endif char *cipher_list; char *username; char *protocol; diff -rc stunnel-3.22/ssl.c stunnel-3.22.new/ssl.c *** stunnel-3.22/ssl.c Sun Dec 23 19:46:03 2001 --- stunnel-3.22.new/ssl.c Fri Apr 18 14:25:03 2003 *************** *** 46,51 **** --- 46,54 ---- #include #include #include + #ifdef SSL_ENGINE + #include + #endif #else #include #include *************** *** 71,81 **** --- 74,106 ---- SSL_CTX *ctx; /* global SSL context */ void context_init() { /* init SSL */ + #ifdef SSL_ENGINE + ENGINE *e; + #endif if(!init_prng()) log(LOG_INFO, "PRNG seeded successfully"); SSLeay_add_ssl_algorithms(); SSL_load_error_strings(); + + 
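Review bot: In the `#else` branch of the new `case 'H'`, a build without engine support logs the error and then keeps running with the default software implementation, so an operator who asked for a hardware-backed engine gets a silently degraded setup. The ssl.c side of this patch exits on engine failures; if exiting during option parsing is acceptable in this function, do the same here, e.g. `log(LOG_ERR, "-H is only supported when compiled with --enable-ssl-engine"); exit(1);`, which also fixes the "only support" wording and points at the configure flag rather than `-DSSL_ENGINE`. The enclosing switch starts and ends outside the hunk.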
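Review bot: The added usage fragment `"[-H ssl_engine]"` lacks the trailing space every neighbouring fragment carries, so the concatenated synopsis prints `[-H ssl_engine][-p pemfile]`. Change it to `"[-H ssl_engine] "`.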
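Review bot: The new help line `"\n -H ssl_engine\tUse openssl engine ssl_engine"` opens with a capital and spells the library name in lower case, while the surrounding entries start with a lower-case verb (`set permitted SSL ciphers`, `path to Entropy Gathering Daemon socket`) and write `SSL` in upper case. `"\n -H ssl_engine\tuse OpenSSL engine ssl_engine"` keeps the help table uniform.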
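Review bot: The new member `char *hw_engine;` is the only field in this part of the struct without the trailing comment its neighbours carry, and nothing states its contract; the options.c hunk shows it is set from `optarg`, so it is not heap-owned. Suggest `char *hw_engine;  /* OpenSSL ENGINE id from -H, NULL if none; points into argv */`. Because the member is wrapped in `#ifdef SSL_ENGINE`, the struct layout depends on the macro, so every translation unit including this header must see the same definition, which presumably holds as long as each one pulls in the generated config header first. The struct definition starts and ends outside the hunk.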
#ifdef SSL_ENGINE + if(options.hw_engine){ + if((e = ENGINE_by_id(options.hw_engine)) == NULL){ + log(LOG_ERR, "Invalid SSL Hardware Engine: %s", options.hw_engine); + sslerror("Invalid Engine."); + exit(1); + } + + if(!ENGINE_set_default(e, ENGINE_METHOD_ALL)){ + log(LOG_ERR, "Problem using specified engine: %s", options.hw_engine); + sslerror("Error using engine."); + exit(1); + } + + log(LOG_INFO, "Using SSL Hardware engine: %s", options.hw_engine); + } + #endif + if(options.option&OPT_CLIENT) { ctx=SSL_CTX_new(SSLv3_client_method()); } else { /* Server mode */ diff -rc stunnel-3.22/stunnel.8 stunnel-3.22.new/stunnel.8 *** stunnel-3.22/stunnel.8 Sun Dec 23 20:11:45 2001 --- stunnel-3.22.new/stunnel.8 Tue Apr 22 15:48:21 2003 *************** *** 191,197 **** stunnel \- universal SSL tunnel .SH "SYNOPSIS" \fBstunnel\fR [\-c\ |\ \-T] [\-D\ [facility.]level] [\-O ! a|l|r:option=value[:value]] [\-o\ file] [\-C\ cipherlist] [\-p pemfile] [\-v\ level] [\-A\ certfile] [\-S\ sources] [\-a directory] [\-t\ timeout] [\-u\ ident_username] [\-s\ setuid_user] [\-g\ setgid_group] [\-n\ protocol] [\-P\ {\ dir/\ |\ filename\ |\ none\ } --- 191,197 ---- stunnel \- universal SSL tunnel .SH "SYNOPSIS" \fBstunnel\fR [\-c\ |\ \-T] [\-D\ [facility.]level] [\-O ! a|l|r:option=value[:value]] [\-o\ file] [\-C\ cipherlist] [\-H\ engine] [\-p pemfile] [\-v\ level] [\-A\ certfile] [\-S\ sources] [\-a directory] [\-t\ timeout] [\-u\ ident_username] [\-s\ setuid_user] [\-g\ setgid_group] [\-n\ protocol] [\-P\ {\ dir/\ |\ filename\ |\ none\ } *************** *** 261,266 **** --- 261,268 ---- .Sp A colon delimited list of the ciphers to allow in the \s-1SSL\s0 connection. For example \s-1DES\s0\-\s-1CBC3-SHA:IDEA\s0\-\s-1CBC\s0\-\s-1MD5\s0 + .Ip "\fB\-H\fR engine" 4 + Select OpenSSL engine. 
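Review bot: In the new `#ifdef SSL_ENGINE` block of context_init, `ENGINE_by_id` is called without any preceding `ENGINE_load_builtin_engines()`; unless that call happens elsewhere in this file, built-in engine ids may not resolve on OpenSSL versions of this era and every `-H` value would fail with "Invalid SSL Hardware Engine". The structural reference returned by `ENGINE_by_id` is also never released; `ENGINE_set_default` takes its own references, so add `ENGINE_free(e);` after the successful `ENGINE_set_default` call. The `exit(1)` on both failure paths is the right fail-closed behaviour and should stay. context_init continues past the end of the hunk.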
For example aep .Ip "\fB\-c\fR" 4 client mode (remote service uses \s-1SSL\s0) .Sp *************** *** 528,533 **** --- 530,537 ---- .IX Item "\fB\-C\fR cipherlist" + .IX Item "\fB\-H\fR engine" + .IX Item "\fB\-c\fR" .IX Item "\fB\-T\fR"