Diffstat (limited to 'Cryptlib/OpenSSL/crypto/engine')
-rwxr-xr-xCryptlib/OpenSSL/crypto/engine/eng_all.c2
-rwxr-xr-xCryptlib/OpenSSL/crypto/engine/eng_cnf.c17
-rwxr-xr-xCryptlib/OpenSSL/crypto/engine/eng_cryptodev.c57
-rwxr-xr-xCryptlib/OpenSSL/crypto/engine/eng_ctrl.c8
-rwxr-xr-xCryptlib/OpenSSL/crypto/engine/eng_err.c3
-rwxr-xr-xCryptlib/OpenSSL/crypto/engine/eng_list.c1
-rwxr-xr-xCryptlib/OpenSSL/crypto/engine/eng_table.c3
7 files changed, 64 insertions, 27 deletions
diff --git a/Cryptlib/OpenSSL/crypto/engine/eng_all.c b/Cryptlib/OpenSSL/crypto/engine/eng_all.c
index d29cd57d..f29c167c 100755
--- a/Cryptlib/OpenSSL/crypto/engine/eng_all.c
+++ b/Cryptlib/OpenSSL/crypto/engine/eng_all.c
@@ -104,7 +104,7 @@ void ENGINE_load_builtin_engines(void)
#endif
#endif
#ifndef OPENSSL_NO_HW
-#if defined(__OpenBSD__) || defined(__FreeBSD__)
+#if defined(__OpenBSD__) || defined(__FreeBSD__) || defined(HAVE_CRYPTODEV)
ENGINE_load_cryptodev();
#endif
#if defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_NO_CAPIENG)
diff --git a/Cryptlib/OpenSSL/crypto/engine/eng_cnf.c b/Cryptlib/OpenSSL/crypto/engine/eng_cnf.c
index 08066cea..95c40700 100755
--- a/Cryptlib/OpenSSL/crypto/engine/eng_cnf.c
+++ b/Cryptlib/OpenSSL/crypto/engine/eng_cnf.c
@@ -95,7 +95,7 @@ static int int_engine_configure(char *name, char *value, const CONF *cnf)
int ret = 0;
long do_init = -1;
STACK_OF(CONF_VALUE) *ecmds;
- CONF_VALUE *ecmd;
+ CONF_VALUE *ecmd = NULL;
char *ctrlname, *ctrlvalue;
ENGINE *e = NULL;
int soft = 0;
@@ -157,7 +157,7 @@ static int int_engine_configure(char *name, char *value, const CONF *cnf)
return 1;
}
if (!e)
- return 0;
+ goto err;
}
/* Allow "EMPTY" to mean no value: this allows a valid
* "value" to be passed to ctrls of type NO_INPUT
@@ -186,16 +186,27 @@ static int int_engine_configure(char *name, char *value, const CONF *cnf)
}
else if (!ENGINE_ctrl_cmd_string(e,
ctrlname, ctrlvalue, 0))
- return 0;
+ goto err;
}
}
if (e && (do_init == -1) && !int_engine_init(e))
+ {
+ ecmd = NULL;
goto err;
+ }
ret = 1;
err:
+ if (ret != 1)
+ {
+ ENGINEerr(ENGINE_F_INT_ENGINE_CONFIGURE, ENGINE_R_ENGINE_CONFIGURATION_ERROR);
+ if (ecmd)
+ ERR_add_error_data(6, "section=", ecmd->section,
+ ", name=", ecmd->name,
+ ", value=", ecmd->value);
+ }
if (e)
ENGINE_free(e);
return ret;
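Review bot: The new error path copies `ecmd->value` into the error queue through `ERR_add_error_data`, so the raw configuration value ends up wherever the application prints or logs its errors. Engine control commands can carry sensitive values (a token PIN is a typical case; whether any do in this tree is not visible here), so I would report only the section and name: `ERR_add_error_data(4, "section=", ecmd->section, ", name=", ecmd->name);`. The `ecmd = NULL;` before the init failure also deserves a short comment such as `/* init failure is not tied to one command */`. int_engine_configure begins outside this hunk, as does the loop that assigns ecmd.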
diff --git a/Cryptlib/OpenSSL/crypto/engine/eng_cryptodev.c b/Cryptlib/OpenSSL/crypto/engine/eng_cryptodev.c
index ab38cd52..eef1e2d8 100755
--- a/Cryptlib/OpenSSL/crypto/engine/eng_cryptodev.c
+++ b/Cryptlib/OpenSSL/crypto/engine/eng_cryptodev.c
@@ -30,9 +30,13 @@
#include <openssl/engine.h>
#include <openssl/evp.h>
#include <openssl/bn.h>
+#include <openssl/dsa.h>
+#include <openssl/rsa.h>
+#include <openssl/dh.h>
+#include <openssl/err.h>
#if (defined(__unix__) || defined(unix)) && !defined(USG) && \
- (defined(OpenBSD) || defined(__FreeBSD_version))
+ (defined(OpenBSD) || defined(__FreeBSD__))
#include <sys/param.h>
# if (OpenBSD >= 200112) || ((__FreeBSD_version >= 470101 && __FreeBSD_version < 500000) || __FreeBSD_version >= 500041)
# define HAVE_CRYPTODEV
@@ -79,7 +83,7 @@ static int cryptodev_max_iv(int cipher);
static int cryptodev_key_length_valid(int cipher, int len);
static int cipher_nid_to_cryptodev(int nid);
static int get_cryptodev_ciphers(const int **cnids);
-static int get_cryptodev_digests(const int **cnids);
+/*static int get_cryptodev_digests(const int **cnids);*/
static int cryptodev_usable_ciphers(const int **nids);
static int cryptodev_usable_digests(const int **nids);
static int cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
@@ -100,7 +104,7 @@ static int cryptodev_asym(struct crypt_kop *kop, int rlen, BIGNUM *r,
static int cryptodev_bn_mod_exp(BIGNUM *r, const BIGNUM *a,
const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
static int cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I,
- RSA *rsa);
+ RSA *rsa, BN_CTX *ctx);
static int cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx);
static int cryptodev_dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a,
const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
@@ -139,6 +143,7 @@ static struct {
{ 0, NID_undef, 0, 0, },
};
+#if 0
static struct {
int id;
int nid;
@@ -151,6 +156,7 @@ static struct {
{ CRYPTO_SHA1, NID_undef, },
{ 0, NID_undef, },
};
+#endif
/*
* Return a fd if /dev/crypto seems usable, 0 otherwise.
@@ -285,6 +291,7 @@ get_cryptodev_ciphers(const int **cnids)
return (count);
}
+#if 0 /* unused */
/*
* Find out what digests /dev/crypto will let us have a session for.
* XXX note, that some of these openssl doesn't deal with yet!
@@ -321,6 +328,8 @@ get_cryptodev_digests(const int **cnids)
return (count);
}
+#endif
+
/*
* Find the useable ciphers|digests from dev/crypto - this is the first
* thing called by the engine init crud which determines what it
@@ -374,7 +383,7 @@ cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
struct crypt_op cryp;
struct dev_crypto_state *state = ctx->cipher_data;
struct session_op *sess = &state->d_sess;
- void *iiv;
+ const void *iiv;
unsigned char save_iv[EVP_MAX_IV_LENGTH];
if (state->d_fd < 0)
@@ -398,7 +407,7 @@ cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
if (ctx->cipher->iv_len) {
cryp.iv = (caddr_t) ctx->iv;
if (!ctx->encrypt) {
- iiv = (void *) in + inl - ctx->cipher->iv_len;
+ iiv = in + inl - ctx->cipher->iv_len;
memcpy(save_iv, iiv, ctx->cipher->iv_len);
}
} else
@@ -413,7 +422,7 @@ cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
if (ctx->cipher->iv_len) {
if (ctx->encrypt)
- iiv = (void *) out + inl - ctx->cipher->iv_len;
+ iiv = out + inl - ctx->cipher->iv_len;
else
iiv = save_iv;
memcpy(ctx->iv, iiv, ctx->cipher->iv_len);
@@ -443,7 +452,7 @@ cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
if ((state->d_fd = get_dev_crypto()) < 0)
return (0);
- sess->key = (unsigned char *)key;
+ sess->key = (char *)key;
sess->keylen = ctx->key_len;
sess->cipher = cipher;
@@ -625,7 +634,7 @@ static int
bn2crparam(const BIGNUM *a, struct crparam *crp)
{
int i, j, k;
- ssize_t words, bytes, bits;
+ ssize_t bytes, bits;
u_char *b;
crp->crp_p = NULL;
@@ -638,7 +647,7 @@ bn2crparam(const BIGNUM *a, struct crparam *crp)
if (b == NULL)
return (1);
- crp->crp_p = b;
+ crp->crp_p = (char *)b;
crp->crp_nbits = bits;
for (i = 0, j = 0; i < a->top; i++) {
@@ -746,24 +755,29 @@ cryptodev_bn_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
goto err;
kop.crk_iparams = 3;
- if (cryptodev_asym(&kop, BN_num_bytes(m), r, 0, NULL) == -1) {
+ if (cryptodev_asym(&kop, BN_num_bytes(m), r, 0, NULL)) {
+ const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
+ printf("OCF asym process failed, Running in software\n");
+ ret = meth->bn_mod_exp(r, a, p, m, ctx, in_mont);
+
+ } else if (ECANCELED == kop.crk_status) {
const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
+ printf("OCF hardware operation cancelled. Running in Software\n");
ret = meth->bn_mod_exp(r, a, p, m, ctx, in_mont);
}
+ /* else cryptodev operation worked ok ==> ret = 1*/
+
err:
zapparams(&kop);
return (ret);
}
static int
-cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
+cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
{
int r;
- BN_CTX *ctx;
- ctx = BN_CTX_new();
r = cryptodev_bn_mod_exp(r0, I, rsa->d, rsa->n, ctx, NULL);
- BN_CTX_free(ctx);
return (r);
}
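Review bot: In cryptodev_bn_mod_exp the software fallback runs when cryptodev_asym() returns non-zero or when `kop.crk_status` is ECANCELED, but any other non-zero status falls through to the "worked ok" comment and `ret` is returned unchanged with whatever is in `r`. Unless cryptodev_asym() (outside this hunk) already turns a non-zero status into an error return, a failed device operation would be reported as success. The DSA verify hunk further down treats every non-zero status as failure, and this branch should match it: `} else if (kop.crk_status != 0) {`. The same applies to cryptodev_rsa_mod_exp in the next hunk. Separately, the added `printf` calls write to stdout from library code; dropping them or using the ERR queue would keep the caller's output clean.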
@@ -795,10 +809,18 @@ cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
goto err;
kop.crk_iparams = 6;
- if (cryptodev_asym(&kop, BN_num_bytes(rsa->n), r0, 0, NULL) == -1) {
+ if (cryptodev_asym(&kop, BN_num_bytes(rsa->n), r0, 0, NULL)) {
const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
+ printf("OCF asym process failed, running in Software\n");
+ ret = (*meth->rsa_mod_exp)(r0, I, rsa, ctx);
+
+ } else if (ECANCELED == kop.crk_status) {
+ const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
+ printf("OCF hardware operation cancelled. Running in Software\n");
ret = (*meth->rsa_mod_exp)(r0, I, rsa, ctx);
}
+ /* else cryptodev operation worked ok ==> ret = 1*/
+
err:
zapparams(&kop);
return (ret);
@@ -934,7 +956,8 @@ cryptodev_dsa_verify(const unsigned char *dgst, int dlen,
kop.crk_iparams = 7;
if (cryptodev_asym(&kop, 0, NULL, 0, NULL) == 0) {
- dsaret = kop.crk_status;
+/*OCF success value is 0, if not zero, change dsaret to fail*/
+ if(0 != kop.crk_status) dsaret = 0;
} else {
const DSA_METHOD *meth = DSA_OpenSSL();
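Review bot: The new line only ever lowers `dsaret` to 0, so a "signature valid" result depends entirely on the value `dsaret` was initialised with outside this hunk. For a verify routine it is safer to assign both outcomes from the device status, `dsaret = (kop.crk_status == 0) ? 1 : 0;`. If the initial value is a success code, it should become a failure code so that an early exit cannot read as a good signature. The comment above the check should be indented with the code it describes. cryptodev_dsa_verify starts and ends outside the hunk.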
@@ -994,7 +1017,7 @@ cryptodev_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
goto err;
kop.crk_iparams = 3;
- kop.crk_param[3].crp_p = key;
+ kop.crk_param[3].crp_p = (char *)key;
kop.crk_param[3].crp_nbits = keylen * 8;
kop.crk_oparams = 1;
diff --git a/Cryptlib/OpenSSL/crypto/engine/eng_ctrl.c b/Cryptlib/OpenSSL/crypto/engine/eng_ctrl.c
index 95b6b455..5ce25d92 100755
--- a/Cryptlib/OpenSSL/crypto/engine/eng_ctrl.c
+++ b/Cryptlib/OpenSSL/crypto/engine/eng_ctrl.c
@@ -280,7 +280,7 @@ int ENGINE_ctrl_cmd(ENGINE *e, const char *cmd_name,
}
/* Force the result of the control command to 0 or 1, for the reasons
* mentioned before. */
- if (ENGINE_ctrl(e, num, i, p, f))
+ if (ENGINE_ctrl(e, num, i, p, f) > 0)
return 1;
return 0;
}
@@ -345,7 +345,7 @@ int ENGINE_ctrl_cmd_string(ENGINE *e, const char *cmd_name, const char *arg,
* usage of these commands is consistent across applications and
* that certain applications don't understand it one way, and
* others another. */
- if(ENGINE_ctrl(e, num, 0, (void *)arg, NULL))
+ if(ENGINE_ctrl(e, num, 0, (void *)arg, NULL) > 0)
return 1;
return 0;
}
@@ -360,7 +360,7 @@ int ENGINE_ctrl_cmd_string(ENGINE *e, const char *cmd_name, const char *arg,
if(flags & ENGINE_CMD_FLAG_STRING)
{
/* Same explanation as above */
- if(ENGINE_ctrl(e, num, 0, (void *)arg, NULL))
+ if(ENGINE_ctrl(e, num, 0, (void *)arg, NULL) > 0)
return 1;
return 0;
}
@@ -383,7 +383,7 @@ int ENGINE_ctrl_cmd_string(ENGINE *e, const char *cmd_name, const char *arg,
}
/* Force the result of the control command to 0 or 1, for the reasons
* mentioned before. */
- if(ENGINE_ctrl(e, num, l, NULL, NULL))
+ if(ENGINE_ctrl(e, num, l, NULL, NULL) > 0)
return 1;
return 0;
}
diff --git a/Cryptlib/OpenSSL/crypto/engine/eng_err.c b/Cryptlib/OpenSSL/crypto/engine/eng_err.c
index 574ffbb5..ac74dd12 100755
--- a/Cryptlib/OpenSSL/crypto/engine/eng_err.c
+++ b/Cryptlib/OpenSSL/crypto/engine/eng_err.c
@@ -1,6 +1,6 @@
/* crypto/engine/eng_err.c */
/* ====================================================================
- * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2010 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -124,6 +124,7 @@ static ERR_STRING_DATA ENGINE_str_reasons[]=
{ERR_REASON(ENGINE_R_DSO_FAILURE) ,"DSO failure"},
{ERR_REASON(ENGINE_R_DSO_NOT_FOUND) ,"dso not found"},
{ERR_REASON(ENGINE_R_ENGINES_SECTION_ERROR),"engines section error"},
+{ERR_REASON(ENGINE_R_ENGINE_CONFIGURATION_ERROR),"engine configuration error"},
{ERR_REASON(ENGINE_R_ENGINE_IS_NOT_IN_LIST),"engine is not in the list"},
{ERR_REASON(ENGINE_R_ENGINE_SECTION_ERROR),"engine section error"},
{ERR_REASON(ENGINE_R_FAILED_LOADING_PRIVATE_KEY),"failed loading private key"},
diff --git a/Cryptlib/OpenSSL/crypto/engine/eng_list.c b/Cryptlib/OpenSSL/crypto/engine/eng_list.c
index bd511944..fa2ab973 100755
--- a/Cryptlib/OpenSSL/crypto/engine/eng_list.c
+++ b/Cryptlib/OpenSSL/crypto/engine/eng_list.c
@@ -412,6 +412,7 @@ ENGINE *ENGINE_by_id(const char *id)
return iterator;
}
notfound:
+ ENGINE_free(iterator);
ENGINEerr(ENGINE_F_ENGINE_BY_ID,ENGINE_R_NO_SUCH_ENGINE);
ERR_add_error_data(2, "id=", id);
return NULL;
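Review bot: `ENGINE_free(iterator)` at `notfound:` is unconditional, and the jumps that reach the label are outside this hunk. If any of them arrives with `iterator == NULL` (for instance after a nested lookup that itself failed), the free is called on a null pointer. eng_cnf.c in this same commit guards its call, and the same guard fits here: `if (iterator) ENGINE_free(iterator);`. Depending on how ENGINE_free treats NULL in this tree, the unguarded call could also queue an extra error ahead of ENGINE_R_NO_SUCH_ENGINE.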
diff --git a/Cryptlib/OpenSSL/crypto/engine/eng_table.c b/Cryptlib/OpenSSL/crypto/engine/eng_table.c
index 8879a267..8fc47b33 100755
--- a/Cryptlib/OpenSSL/crypto/engine/eng_table.c
+++ b/Cryptlib/OpenSSL/crypto/engine/eng_table.c
@@ -237,6 +237,7 @@ ENGINE *engine_table_select_tmp(ENGINE_TABLE **table, int nid, const char *f, in
#endif
return NULL;
}
+ ERR_set_mark();
CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
/* Check again inside the lock otherwise we could race against cleanup
* operations. But don't worry about a fprintf(stderr). */
@@ -310,6 +311,6 @@ end:
CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
/* Whatever happened, any failed init()s are not failures in this
* context, so clear our error state. */
- ERR_clear_error();
+ ERR_pop_to_mark();
return ret;
}