diff -cr stunnel-4.04/src/client.c stunnel-4.04.new/src/client.c *** stunnel-4.04/src/client.c Wed Jan 1 11:04:39 2003 --- stunnel-4.04.new/src/client.c Fri Mar 21 09:21:38 2003 *************** *** 234,239 **** --- 234,246 ---- sslerror("SSL_new"); return -1; } + + /* Set blinding iff it's not built into our OpenSSL version */ + #if SSLEAY_VERSION_NUMBER <= 0x0090701fL + set_rsa_blinding(c->ssl); + #endif + + #if SSLEAY_VERSION_NUMBER >= 0x0922 SSL_set_session_id_context(c->ssl, sid_ctx, strlen(sid_ctx)); #endif *************** *** 913,917 **** --- 920,957 ---- if(setsockopt(fd, SOL_SOCKET, SO_LINGER, (void *)&l, sizeof(l))) log_error(LOG_DEBUG, get_last_socket_error(), txt); } + + + int set_rsa_blinding(SSL *ssl) { + #ifndef NO_RSA + + /* Turn on blinding iff using RSA */ + + RSA *rsa; + EVP_PKEY *pkey; + + if ( (pkey = SSL_get_privatekey(ssl)) ) { + if ( (rsa = EVP_PKEY_get1_RSA(pkey)) ) { + if ( RSA_blinding_on(rsa,NULL) ) { + log(LOG_DEBUG, "RSA blinding enabled"); + } else { + log(LOG_ERR, "Unable to set RSA blinding"); + sslerror("RSA_blinding_on"); + exit(1); + } + /* EVP_PKEY_get1_RSA ups the count for rsa - free extra */ + RSA_free(rsa); + } else { + log(LOG_DEBUG, "Private key is not RSA, no blinding needed"); + } + } else { + log(LOG_ERR, "Unable to get access to the SSL private key."); + sslerror("SSL_get_privatekey"); + exit(1); + } + #endif + return(1); + } + /* End of client.c */ diff -cr stunnel-4.04/src/prototypes.h stunnel-4.04.new/src/prototypes.h *** stunnel-4.04/src/prototypes.h Thu Mar 20 11:55:05 2003 --- stunnel-4.04.new/src/prototypes.h Thu Mar 20 11:55:31 2003 *************** *** 242,247 **** --- 242,248 ---- void *alloc_client_session(LOCAL_OPTIONS *, int, int); void *client(void *); + int set_rsa_blinding(SSL *); /**************************************** Prototype for protocol.c */ diff -cr stunnel-4.04/src/ssl.c stunnel-4.04.new/src/ssl.c *** stunnel-4.04/src/ssl.c Wed Jan 1 06:07:08 2003 --- stunnel-4.04.new/src/ssl.c Fri Mar 21 09:18:28 2003 *************** *** 367,372 **** --- 367,378 ---- result=RSA_generate_key(keylen, RSA_F4, NULL); #endif log(LOG_DEBUG, "Temporary RSA key created"); + + /* Set blinding iff it's not built into our OpenSSL version */ + #if SSLEAY_VERSION_NUMBER <= 0x0090701fL + RSA_blinding_on(result,NULL); + #endif + return result; }