1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
|
diff -cr stunnel-3.22/client.c stunnel-3.22.new/client.c
*** stunnel-3.22/client.c Sun Dec 23 11:41:32 2001
--- stunnel-3.22.new/client.c Fri Mar 21 09:50:15 2003
***************
*** 252,257 ****
--- 252,262 ----
c->error=1;
return;
}
+ /* Set blinding iff it's not built into our OpenSSL version */
+ #if SSLEAY_VERSION_NUMBER <= 0x0090701fL
+ set_rsa_blinding(c->ssl);
+ #endif
+
#if SSLEAY_VERSION_NUMBER >= 0x0922
SSL_set_session_id_context(c->ssl, sid_ctx, strlen(sid_ctx));
#endif
***************
*** 939,943 ****
--- 944,980 ----
if(setsockopt(fd, SOL_SOCKET, SO_LINGER, (void *)&l, sizeof(l)))
log_error(LOG_DEBUG, get_last_socket_error(), txt);
}
+
+ int set_rsa_blinding(SSL *ssl) {
+ #ifndef NO_RSA
+
+ /* Turn on blinding iff using RSA */
+
+ RSA *rsa;
+ EVP_PKEY *pkey;
+
+ if ( (pkey = SSL_get_privatekey(ssl)) ) {
+ if ( (rsa = EVP_PKEY_get1_RSA(pkey)) ) {
+ if ( RSA_blinding_on(rsa,NULL) ) {
+ log(LOG_DEBUG, "RSA blinding enabled");
+ } else {
+ log(LOG_ERR, "Unable to set RSA blinding");
+ sslerror("RSA_blinding_on");
+ exit(1);
+ }
+ /* EVP_PKEY_get1_RSA ups the count for rsa - free extra */
+ RSA_free(rsa);
+ } else {
+ log(LOG_DEBUG, "Private key is not RSA, no blinding needed");
+ }
+ } else {
+ log(LOG_ERR, "Unable to get access to the SSL private key.");
+ sslerror("SSL_get_privatekey");
+ exit(1);
+ }
+ #endif
+ return(1);
+ }
+
/* End of client.c */
diff -cr stunnel-3.22/prototypes.h stunnel-3.22.new/prototypes.h
*** stunnel-3.22/prototypes.h Sun Nov 11 11:16:01 2001
--- stunnel-3.22.new/prototypes.h Fri Mar 21 09:54:55 2003
***************
*** 43,48 ****
--- 43,50 ----
/* descriptor versions of fprintf/fscanf */
int fdprintf(int, char *, ...);
int fdscanf(int, char *, char *);
+ #include <openssl/ssl.h>
+ int set_rsa_blinding(SSL *);
/* Prototypes for log.c */
diff -cr stunnel-3.22/ssl.c stunnel-3.22.new/ssl.c
*** stunnel-3.22/ssl.c Sun Dec 23 11:46:03 2001
--- stunnel-3.22.new/ssl.c Fri Mar 21 09:57:45 2003
***************
*** 65,71 ****
#endif /* NO_RSA */
static void verify_init();
static int verify_callback(int, X509_STORE_CTX *);
! static void info_callback(SSL *, int, int);
static void print_stats();
SSL_CTX *ctx; /* global SSL context */
--- 65,71 ----
#endif /* NO_RSA */
static void verify_init();
static int verify_callback(int, X509_STORE_CTX *);
! static void info_callback(const SSL *, int, int);
static void print_stats();
SSL_CTX *ctx; /* global SSL context */
***************
*** 328,333 ****
--- 328,334 ----
}
retval=longkey;
}
+
leave_critical_section(CRIT_KEYGEN);
return retval;
}
***************
*** 342,347 ****
--- 343,354 ----
result=RSA_generate_key(keylen, RSA_F4, NULL);
#endif
log(LOG_DEBUG, "Temporary RSA key created");
+
+ /* Set blinding iff it's not built into our OpenSSL version */
+ #if SSLEAY_VERSION_NUMBER <= 0x0090701fL
+ RSA_blinding_on(result,NULL);
+ #endif
+
return result;
}
***************
*** 440,446 ****
return 1; /* Accept connection */
}
! static void info_callback(SSL *s, int where, int ret) {
if(where & SSL_CB_LOOP)
log(LOG_DEBUG, "SSL state (%s): %s",
where & SSL_ST_CONNECT ? "connect" :
--- 447,453 ----
return 1; /* Accept connection */
}
! static void info_callback(const SSL *s, int where, int ret) {
if(where & SSL_CB_LOOP)
log(LOG_DEBUG, "SSL state (%s): %s",
where & SSL_ST_CONNECT ? "connect" :
|
GitWeb