authorMike Belopuhov <mikeb@cvs.openbsd.org>2010-12-14 20:26:45 +0000
committerMike Belopuhov <mikeb@cvs.openbsd.org>2010-12-14 20:26:45 +0000
commitd976f152bf123c6fd9d30a4de2f815a40093eb54 (patch)
tree6abe5a0031626a7de388bed78ec244bfd92e71a9
parent19880e25c38df0d3f3eb20e536aa400d9b069601 (diff)
disable access to the crypto(4) device from userland; ok deraadt
-rw-r--r--sys/crypto/cryptodev.c6
-rw-r--r--sys/kern/kern_sysctl.c8
2 files changed, 10 insertions, 4 deletions
diff --git a/sys/crypto/cryptodev.c b/sys/crypto/cryptodev.c
index f94eff769b5..ca54d1df247 100644
--- a/sys/crypto/cryptodev.c
+++ b/sys/crypto/cryptodev.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cryptodev.c,v 1.74 2010/10/06 22:19:20 mikeb Exp $ */
+/* $OpenBSD: cryptodev.c,v 1.75 2010/12/14 20:26:44 mikeb Exp $ */
/*
* Copyright (c) 2001 Theo de Raadt
@@ -114,8 +114,8 @@ int cryptodev_dokey(struct crypt_kop *kop, struct crparam kvp[]);
int cryptodev_cb(struct cryptop *);
int cryptodevkey_cb(struct cryptkop *);
-int usercrypto = 1; /* userland may do crypto requests */
-int userasymcrypto = 1; /* userland may do asymmetric crypto reqs */
+int usercrypto = 0; /* userland may do crypto requests */
+int userasymcrypto = 0; /* userland may do asymmetric crypto reqs */
int cryptodevallowsoft = 0; /* only use hardware crypto */
/* ARGSUSED */
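Review bot: The trailing comments on the new `usercrypto` and `userasymcrypto` lines still read as if userland access were the normal state, although both now default to 0 and the kern_sysctl.c hunk in this same commit rejects writes to them. A reader of cryptodev.c alone cannot tell that these flags are no longer runtime-tunable, so the comment should say it, for example `int usercrypto = 0; /* userland crypto requests: disabled, not settable via sysctl */`, with the same wording on `userasymcrypto`. `cryptodevallowsoft` is unchanged here but gets the same write guard in kern_sysctl.c, so its comment deserves the same "not settable" remark.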
diff --git a/sys/kern/kern_sysctl.c b/sys/kern/kern_sysctl.c
index 0ebcf20cbeb..3d9e103cc8f 100644
--- a/sys/kern/kern_sysctl.c
+++ b/sys/kern/kern_sysctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_sysctl.c,v 1.195 2010/11/19 18:35:16 mikeb Exp $ */
+/* $OpenBSD: kern_sysctl.c,v 1.196 2010/12/14 20:26:44 mikeb Exp $ */
/* $NetBSD: kern_sysctl.c,v 1.17 1996/05/20 17:49:05 mrg Exp $ */
/*-
@@ -511,11 +511,17 @@ kern_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp,
#endif
#ifdef CRYPTO
case KERN_USERCRYPTO:
+ if (newp && newlen)
+ return (EINVAL);
return (sysctl_int(oldp, oldlenp, newp, newlen, &usercrypto));
case KERN_USERASYMCRYPTO:
+ if (newp && newlen)
+ return (EINVAL);
return (sysctl_int(oldp, oldlenp, newp, newlen,
&userasymcrypto));
case KERN_CRYPTODEVALLOWSOFT:
+ if (newp && newlen)
+ return (EINVAL);
return (sysctl_int(oldp, oldlenp, newp, newlen,
&cryptodevallowsoft));
#endif
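Review bot: The three added guards under KERN_USERCRYPTO, KERN_USERASYMCRYPTO and KERN_CRYPTODEVALLOWSOFT return EINVAL for any write, which tells the caller the value was malformed rather than that the knob is now read-only, and they only fire when both `newp` and `newlen` are non-zero, so a request with `newp` set and `newlen == 0` still reaches `sysctl_int()` and depends on that function's own length check, which is outside this hunk. Using the read-only helper closes that gap and removes the duplication: `return (sysctl_rdint(oldp, oldlenp, newp, usercrypto));`, and likewise for the other two cases. A one-line comment above the first case, such as `/* read-only: userland crypto stays disabled, see cryptodev.c */`, would keep a later change from dropping the guards as dead code. The body of kern_sysctl() starts and ends outside the hunk, so this assumes no earlier securelevel or privilege check already covers these names.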