src - OpenBSD base system

diff options


context:
space:
mode:

author	Markus Friedl <markus@cvs.openbsd.org>	2003-05-11 21:37:00 +0000
committer	Markus Friedl <markus@cvs.openbsd.org>	2003-05-11 21:37:00 +0000
commit	f97744c656f2a5c7d4e42bcaba08dbe146a49425 (patch)
tree	f70a956124df18345d8c6371796ee2fb9c6de43b /lib/libcrypto/engine
parent	784692b39eef33d005d12f2f9e171a4a8a47480d (diff)

import 0.9.7b (without idea and rc5)

Diffstat (limited to 'lib/libcrypto/engine')

-rw-r--r--

lib/libcrypto/engine/hw_sureware.c

1039

-rw-r--r--

lib/libcrypto/engine/vendor_defns/hw_ubsec.h

100

-rw-r--r--

lib/libcrypto/engine/vendor_defns/hwcryptohook.h

486

-rw-r--r--

lib/libcrypto/engine/vendor_defns/sureware.h

239

4 files changed, 1864 insertions, 0 deletions

diff --git a/lib/libcrypto/engine/hw_sureware.c b/lib/libcrypto/engine/hw_sureware.c
new file mode 100644
index 00000000000..fca467e6901
--- /dev/null
+++ b/lib/libcrypto/engine/hw_sureware.c

@@ -0,0 +1,1039 @@

+/* Written by Corinne Dive-Reclus(cdive@baltimore.com)

+* Redistribution and use in source and binary forms, with or without

+* modification, are permitted provided that the following conditions

+* are met:

+* 1. Redistributions of source code must retain the above copyright

+* notice, this list of conditions and the following disclaimer.

+* 2. Redistributions in binary form must reproduce the above copyright

+* notice, this list of conditions and the following disclaimer in

+* the documentation and/or other materials provided with the

+* distribution.

+* 3. All advertising materials mentioning features or use of this

+* software must display the following acknowledgment:

+* "This product includes software developed by the OpenSSL Project

+* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"

+* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

+* endorse or promote products derived from this software without

+* prior written permission. For written permission, please contact

+* licensing@OpenSSL.org.

+* 5. Products derived from this software may not be called "OpenSSL"

+* nor may "OpenSSL" appear in their names without prior written

+* permission of the OpenSSL Project.

+* 6. Redistributions of any form whatsoever must retain the following

+* acknowledgment:

+* "This product includes software developed by the OpenSSL Project

+* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"

+* Written by Corinne Dive-Reclus(cdive@baltimore.com)

+* Copyright@2001 Baltimore Technologies Ltd.

+* *

+* THIS FILE IS PROVIDED BY BALTIMORE TECHNOLOGIES ``AS IS'' AND *

+* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE *

+* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE *

+* ARE DISCLAIMED. IN NO EVENT SHALL BALTIMORE TECHNOLOGIES BE LIABLE *

+* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL *

+* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS *

+* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) *

+* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT *

+* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY *

+* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF *

+* SUCH DAMAGE. *

+====================================================================*/

+#include <stdio.h>

+#include "cryptlib.h"

+#include <openssl/crypto.h>

+#include <openssl/pem.h>

+#include <openssl/dso.h>

+#include "eng_int.h"

+#include "engine.h"

+#include <openssl/engine.h>

+#ifndef OPENSSL_NO_HW

+#ifndef OPENSSL_NO_HW_SUREWARE

+#ifdef FLAT_INC

+#include "sureware.h"

+#else

+#include "vendor_defns/sureware.h"

+#endif

+#define SUREWARE_LIB_NAME "sureware engine"

+#include "hw_sureware_err.c"

+static int surewarehk_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)());

+static int surewarehk_destroy(ENGINE *e);

+static int surewarehk_init(ENGINE *e);

+static int surewarehk_finish(ENGINE *e);

+static int surewarehk_modexp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,

+ const BIGNUM *m, BN_CTX *ctx);

+/* RSA stuff */

+static int surewarehk_rsa_priv_dec(int flen,const unsigned char *from,unsigned char *to,

+ RSA *rsa,int padding);

+static int surewarehk_rsa_sign(int flen,const unsigned char *from,unsigned char *to,

+ RSA *rsa,int padding);

+/* RAND stuff */

+static int surewarehk_rand_bytes(unsigned char *buf, int num);

+static void surewarehk_rand_seed(const void *buf, int num);

+static void surewarehk_rand_add(const void *buf, int num, double entropy);

+/* KM stuff */

+static EVP_PKEY *surewarehk_load_privkey(ENGINE *e, const char *key_id,

+ UI_METHOD *ui_method, void *callback_data);

+static EVP_PKEY *surewarehk_load_pubkey(ENGINE *e, const char *key_id,

+ UI_METHOD *ui_method, void *callback_data);

+static void surewarehk_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad,

+ int idx,long argl, void *argp);

+#if 0

+static void surewarehk_dh_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad,

+ int idx,long argl, void *argp);

+#endif

+#ifndef OPENSSL_NO_RSA

+/* This function is aliased to mod_exp (with the mont stuff dropped). */

+static int surewarehk_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,

+ const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)

+ return surewarehk_modexp(r, a, p, m, ctx);

+/* Our internal RSA_METHOD that we provide pointers to */

+static RSA_METHOD surewarehk_rsa =

+ {

+ "SureWare RSA method",

+ NULL, /* pub_enc*/

+ NULL, /* pub_dec*/

+ surewarehk_rsa_sign, /* our rsa_sign is OpenSSL priv_enc*/

+ surewarehk_rsa_priv_dec, /* priv_dec*/

+ NULL, /*mod_exp*/

+ surewarehk_mod_exp_mont, /*mod_exp_mongomery*/

+ NULL, /* init*/

+ NULL, /* finish*/

+ 0, /* RSA flag*/

+ NULL,

+ NULL, /* OpenSSL sign*/

+ NULL /* OpenSSL verify*/

+ };

+#endif

+#ifndef OPENSSL_NO_DH

+/* Our internal DH_METHOD that we provide pointers to */

+/* This function is aliased to mod_exp (with the dh and mont dropped). */

+static int surewarehk_modexp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a,

+ const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)

+ return surewarehk_modexp(r, a, p, m, ctx);

+static DH_METHOD surewarehk_dh =

+ {

+ "SureWare DH method",

+ NULL,/*gen_key*/

+ NULL,/*agree,*/

+ surewarehk_modexp_dh, /*dh mod exp*/

+ NULL, /* init*/

+ NULL, /* finish*/

+ 0, /* flags*/

+ NULL

+ };

+#endif

+static RAND_METHOD surewarehk_rand =

+ {

+ /* "SureWare RAND method", */

+ surewarehk_rand_seed,

+ surewarehk_rand_bytes,

+ NULL,/*cleanup*/

+ surewarehk_rand_add,

+ surewarehk_rand_bytes,

+ NULL,/*rand_status*/

+ };

+#ifndef OPENSSL_NO_DSA

+/* DSA stuff */

+static DSA_SIG * surewarehk_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);

+static int surewarehk_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,

+ BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, BIGNUM *m,

+ BN_CTX *ctx, BN_MONT_CTX *in_mont)

+ BIGNUM t;

+ int to_return = 0;

+ BN_init(&t);

+ /* let rr = a1 ^ p1 mod m */

+ if (!surewarehk_modexp(rr,a1,p1,m,ctx)) goto end;

+ /* let t = a2 ^ p2 mod m */

+ if (!surewarehk_modexp(&t,a2,p2,m,ctx)) goto end;

+ /* let rr = rr * t mod m */

+ if (!BN_mod_mul(rr,rr,&t,m,ctx)) goto end;

+ to_return = 1;

+end:

+ BN_free(&t);

+ return to_return;

+static DSA_METHOD surewarehk_dsa =

+ {

+ "SureWare DSA method",

+ surewarehk_dsa_do_sign,

+ NULL,/*sign setup*/

+ NULL,/*verify,*/

+ surewarehk_dsa_mod_exp,/*mod exp*/

+ NULL,/*bn mod exp*/

+ NULL, /*init*/

+ NULL,/*finish*/

+ 0,

+ NULL,

+ };

+#endif

+static const char *engine_sureware_id = "sureware";

+static const char *engine_sureware_name = "SureWare hardware engine support";

+/* Now, to our own code */

+/* As this is only ever called once, there's no need for locking

+ * (indeed - the lock will already be held by our caller!!!) */

+static int bind_sureware(ENGINE *e)

+#ifndef OPENSSL_NO_RSA

+ const RSA_METHOD *meth1;

+#endif

+#ifndef OPENSSL_NO_DSA

+ const DSA_METHOD *meth2;

+#endif

+#ifndef OPENSSL_NO_DH

+ const DH_METHOD *meth3;

+#endif

+ if(!ENGINE_set_id(e, engine_sureware_id) ||

+ !ENGINE_set_name(e, engine_sureware_name) ||

+#ifndef OPENSSL_NO_RSA

+ !ENGINE_set_RSA(e, &surewarehk_rsa) ||

+#endif

+#ifndef OPENSSL_NO_DSA

+ !ENGINE_set_DSA(e, &surewarehk_dsa) ||

+#endif

+#ifndef OPENSSL_NO_DH

+ !ENGINE_set_DH(e, &surewarehk_dh) ||

+#endif

+ !ENGINE_set_RAND(e, &surewarehk_rand) ||

+ !ENGINE_set_destroy_function(e, surewarehk_destroy) ||

+ !ENGINE_set_init_function(e, surewarehk_init) ||

+ !ENGINE_set_finish_function(e, surewarehk_finish) ||

+ !ENGINE_set_ctrl_function(e, surewarehk_ctrl) ||

+ !ENGINE_set_load_privkey_function(e, surewarehk_load_privkey) ||

+ !ENGINE_set_load_pubkey_function(e, surewarehk_load_pubkey))

+ return 0;

+#ifndef OPENSSL_NO_RSA

+ /* We know that the "PKCS1_SSLeay()" functions hook properly

+ * to the cswift-specific mod_exp and mod_exp_crt so we use

+ * those functions. NB: We don't use ENGINE_openssl() or

+ * anything "more generic" because something like the RSAref

+ * code may not hook properly, and if you own one of these

+ * cards then you have the right to do RSA operations on it

+ * anyway! */

+ meth1 = RSA_PKCS1_SSLeay();

+ if (meth1)

+ {

+ surewarehk_rsa.rsa_pub_enc = meth1->rsa_pub_enc;

+ surewarehk_rsa.rsa_pub_dec = meth1->rsa_pub_dec;

+ }

+#endif

+#ifndef OPENSSL_NO_DSA

+ /* Use the DSA_OpenSSL() method and just hook the mod_exp-ish

+ * bits. */

+ meth2 = DSA_OpenSSL();

+ if (meth2)

+ {

+ surewarehk_dsa.dsa_do_verify = meth2->dsa_do_verify;

+ }

+#endif

+#ifndef OPENSSL_NO_DH

+ /* Much the same for Diffie-Hellman */

+ meth3 = DH_OpenSSL();

+ if (meth3)

+ {

+ surewarehk_dh.generate_key = meth3->generate_key;

+ surewarehk_dh.compute_key = meth3->compute_key;

+ }

+#endif

+ /* Ensure the sureware error handling is set up */

+ ERR_load_SUREWARE_strings();

+ return 1;

+#ifdef ENGINE_DYNAMIC_SUPPORT

+static int bind_helper(ENGINE *e, const char *id)

+ {

+ if(id && (strcmp(id, engine_sureware_id) != 0))

+ return 0;

+ if(!bind_sureware(e))

+ return 0;

+ return 1;

+ }

+IMPLEMENT_DYNAMIC_CHECK_FN()

+IMPLEMENT_DYNAMIC_BIND_FN(bind_helper)

+#else

+static ENGINE *engine_sureware(void)

+ {

+ ENGINE *ret = ENGINE_new();

+ if(!ret)

+ return NULL;

+ if(!bind_sureware(ret))

+ {

+ ENGINE_free(ret);

+ return NULL;

+ }

+ return ret;

+ }

+void ENGINE_load_sureware(void)

+ {

+ /* Copied from eng_[openssl|dyn].c */

+ ENGINE *toadd = engine_sureware();

+ if(!toadd) return;

+ ENGINE_add(toadd);

+ ENGINE_free(toadd);

+ ERR_clear_error();

+ }

+#endif

+/* This is a process-global DSO handle used for loading and unloading

+ * the SureWareHook library. NB: This is only set (or unset) during an

+ * init() or finish() call (reference counts permitting) and they're

+ * operating with global locks, so this should be thread-safe

+ * implicitly. */

+static DSO *surewarehk_dso = NULL;

+#ifndef OPENSSL_NO_RSA

+static int rsaHndidx = -1; /* Index for KM handle. Not really used yet. */

+#endif

+#ifndef OPENSSL_NO_DSA

+static int dsaHndidx = -1; /* Index for KM handle. Not really used yet. */

+#endif

+/* These are the function pointers that are (un)set when the library has

+ * successfully (un)loaded. */

+static SureWareHook_Init_t *p_surewarehk_Init = NULL;

+static SureWareHook_Finish_t *p_surewarehk_Finish = NULL;

+static SureWareHook_Rand_Bytes_t *p_surewarehk_Rand_Bytes = NULL;

+static SureWareHook_Rand_Seed_t *p_surewarehk_Rand_Seed = NULL;

+static SureWareHook_Load_Privkey_t *p_surewarehk_Load_Privkey = NULL;

+static SureWareHook_Info_Pubkey_t *p_surewarehk_Info_Pubkey = NULL;

+static SureWareHook_Load_Rsa_Pubkey_t *p_surewarehk_Load_Rsa_Pubkey = NULL;

+static SureWareHook_Load_Dsa_Pubkey_t *p_surewarehk_Load_Dsa_Pubkey = NULL;

+static SureWareHook_Free_t *p_surewarehk_Free=NULL;

+static SureWareHook_Rsa_Priv_Dec_t *p_surewarehk_Rsa_Priv_Dec=NULL;

+static SureWareHook_Rsa_Sign_t *p_surewarehk_Rsa_Sign=NULL;

+static SureWareHook_Dsa_Sign_t *p_surewarehk_Dsa_Sign=NULL;

+static SureWareHook_Mod_Exp_t *p_surewarehk_Mod_Exp=NULL;

+/* Used in the DSO operations. */

+static const char *surewarehk_LIBNAME = "SureWareHook";

+static const char *n_surewarehk_Init = "SureWareHook_Init";

+static const char *n_surewarehk_Finish = "SureWareHook_Finish";

+static const char *n_surewarehk_Rand_Bytes="SureWareHook_Rand_Bytes";

+static const char *n_surewarehk_Rand_Seed="SureWareHook_Rand_Seed";

+static const char *n_surewarehk_Load_Privkey="SureWareHook_Load_Privkey";

+static const char *n_surewarehk_Info_Pubkey="SureWareHook_Info_Pubkey";

+static const char *n_surewarehk_Load_Rsa_Pubkey="SureWareHook_Load_Rsa_Pubkey";

+static const char *n_surewarehk_Load_Dsa_Pubkey="SureWareHook_Load_Dsa_Pubkey";

+static const char *n_surewarehk_Free="SureWareHook_Free";

+static const char *n_surewarehk_Rsa_Priv_Dec="SureWareHook_Rsa_Priv_Dec";

+static const char *n_surewarehk_Rsa_Sign="SureWareHook_Rsa_Sign";

+static const char *n_surewarehk_Dsa_Sign="SureWareHook_Dsa_Sign";

+static const char *n_surewarehk_Mod_Exp="SureWareHook_Mod_Exp";

+static BIO *logstream = NULL;

+/* SureWareHook library functions and mechanics - these are used by the

+ * higher-level functions further down. NB: As and where there's no

+ * error checking, take a look lower down where these functions are

+ * called, the checking and error handling is probably down there.

+*/

+static int threadsafe=1;

+static int surewarehk_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)())

+ int to_return = 1;

+ switch(cmd)

+ {

+ case ENGINE_CTRL_SET_LOGSTREAM:

+ {

+ BIO *bio = (BIO *)p;

+ CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);

+ if (logstream)

+ {

+ BIO_free(logstream);

+ logstream = NULL;

+ }

+ if (CRYPTO_add(&bio->references,1,CRYPTO_LOCK_BIO) > 1)

+ logstream = bio;

+ else

+ SUREWAREerr(SUREWARE_F_SUREWAREHK_CTRL,SUREWARE_R_BIO_WAS_FREED);

+ }

+ CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);

+ break;

+ /* This will prevent the initialisation function from "installing"

+ * the mutex-handling callbacks, even if they are available from

+ * within the library (or were provided to the library from the

+ * calling application). This is to remove any baggage for

+ * applications not using multithreading. */

+ case ENGINE_CTRL_CHIL_NO_LOCKING:

+ CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);

+ threadsafe = 0;

+ CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);

+ break;

+ /* The command isn't understood by this engine */

+ default:

+ SUREWAREerr(SUREWARE_F_SUREWAREHK_CTRL,

+ ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED);

+ to_return = 0;

+ break;

+ }

+ return to_return;

+/* Destructor (complements the "ENGINE_surewarehk()" constructor) */

+static int surewarehk_destroy(ENGINE *e)

+ ERR_unload_SUREWARE_strings();

+ return 1;

+/* (de)initialisation functions. */

+static int surewarehk_init(ENGINE *e)

+ char msg[64]="ENGINE_init";

+ SureWareHook_Init_t *p1=NULL;

+ SureWareHook_Finish_t *p2=NULL;

+ SureWareHook_Rand_Bytes_t *p3=NULL;

+ SureWareHook_Rand_Seed_t *p4=NULL;

+ SureWareHook_Load_Privkey_t *p5=NULL;

+ SureWareHook_Load_Rsa_Pubkey_t *p6=NULL;

+ SureWareHook_Free_t *p7=NULL;

+ SureWareHook_Rsa_Priv_Dec_t *p8=NULL;

+ SureWareHook_Rsa_Sign_t *p9=NULL;

+ SureWareHook_Dsa_Sign_t *p12=NULL;

+ SureWareHook_Info_Pubkey_t *p13=NULL;

+ SureWareHook_Load_Dsa_Pubkey_t *p14=NULL;

+ SureWareHook_Mod_Exp_t *p15=NULL;

+ if(surewarehk_dso != NULL)

+ {

+ SUREWAREerr(SUREWARE_F_SUREWAREHK_INIT,ENGINE_R_ALREADY_LOADED);

+ goto err;

+ }

+ /* Attempt to load libsurewarehk.so/surewarehk.dll/whatever. */

+ surewarehk_dso = DSO_load(NULL, surewarehk_LIBNAME, NULL, 0);

+ if(surewarehk_dso == NULL)

+ {

+ SUREWAREerr(SUREWARE_F_SUREWAREHK_INIT,ENGINE_R_DSO_FAILURE);

+ goto err;

+ }

+ if(!(p1=(SureWareHook_Init_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Init)) ||

+ !(p2=(SureWareHook_Finish_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Finish)) ||

+ !(p3=(SureWareHook_Rand_Bytes_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Rand_Bytes)) ||

+ !(p4=(SureWareHook_Rand_Seed_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Rand_Seed)) ||

+ !(p5=(SureWareHook_Load_Privkey_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Load_Privkey)) ||

+ !(p6=(SureWareHook_Load_Rsa_Pubkey_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Load_Rsa_Pubkey)) ||

+ !(p7=(SureWareHook_Free_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Free)) ||

+ !(p8=(SureWareHook_Rsa_Priv_Dec_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Rsa_Priv_Dec)) ||

+ !(p9=(SureWareHook_Rsa_Sign_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Rsa_Sign)) ||

+ !(p12=(SureWareHook_Dsa_Sign_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Dsa_Sign)) ||

+ !(p13=(SureWareHook_Info_Pubkey_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Info_Pubkey)) ||

+ !(p14=(SureWareHook_Load_Dsa_Pubkey_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Load_Dsa_Pubkey)) ||

+ !(p15=(SureWareHook_Mod_Exp_t*)DSO_bind_func(surewarehk_dso, n_surewarehk_Mod_Exp)))

+ {

+ SUREWAREerr(SUREWARE_F_SUREWAREHK_INIT,ENGINE_R_DSO_FAILURE);

+ goto err;

+ }

+ /* Copy the pointers */

+ p_surewarehk_Init = p1;

+ p_surewarehk_Finish = p2;

+ p_surewarehk_Rand_Bytes = p3;

+ p_surewarehk_Rand_Seed = p4;

+ p_surewarehk_Load_Privkey = p5;

+ p_surewarehk_Load_Rsa_Pubkey = p6;

+ p_surewarehk_Free = p7;

+ p_surewarehk_Rsa_Priv_Dec = p8;

+ p_surewarehk_Rsa_Sign = p9;

+ p_surewarehk_Dsa_Sign = p12;

+ p_surewarehk_Info_Pubkey = p13;

+ p_surewarehk_Load_Dsa_Pubkey = p14;

+ p_surewarehk_Mod_Exp = p15;

+ /* Contact the hardware and initialises it. */

+ if(p_surewarehk_Init(msg,threadsafe)==SUREWAREHOOK_ERROR_UNIT_FAILURE)

+ {

+ SUREWAREerr(SUREWARE_F_SUREWAREHK_INIT,SUREWARE_R_UNIT_FAILURE);

+ goto err;

+ }

+ if(p_surewarehk_Init(msg,threadsafe)==SUREWAREHOOK_ERROR_UNIT_FAILURE)

+ {

+ SUREWAREerr(SUREWARE_F_SUREWAREHK_INIT,SUREWARE_R_UNIT_FAILURE);

+ goto err;

+ }

+ /* try to load the default private key, if failed does not return a failure but

+ wait for an explicit ENGINE_load_privakey */

+ surewarehk_load_privkey(e,NULL,NULL,NULL);

+ /* Everything's fine. */

+#ifndef OPENSSL_NO_RSA

+ if (rsaHndidx == -1)

+ rsaHndidx = RSA_get_ex_new_index(0,

+ "SureWareHook RSA key handle",

+ NULL, NULL, surewarehk_ex_free);

+#endif

+#ifndef OPENSSL_NO_DSA

+ if (dsaHndidx == -1)

+ dsaHndidx = DSA_get_ex_new_index(0,

+ "SureWareHook DSA key handle",

+ NULL, NULL, surewarehk_ex_free);

+#endif

+ return 1;

+err:

+ if(surewarehk_dso)

+ DSO_free(surewarehk_dso);

+ surewarehk_dso = NULL;

+ p_surewarehk_Init = NULL;

+ p_surewarehk_Finish = NULL;

+ p_surewarehk_Rand_Bytes = NULL;

+ p_surewarehk_Rand_Seed = NULL;

+ p_surewarehk_Load_Privkey = NULL;

+ p_surewarehk_Load_Rsa_Pubkey = NULL;

+ p_surewarehk_Free = NULL;

+ p_surewarehk_Rsa_Priv_Dec = NULL;

+ p_surewarehk_Rsa_Sign = NULL;

+ p_surewarehk_Dsa_Sign = NULL;

+ p_surewarehk_Info_Pubkey = NULL;

+ p_surewarehk_Load_Dsa_Pubkey = NULL;

+ p_surewarehk_Mod_Exp = NULL;

+ return 0;

+static int surewarehk_finish(ENGINE *e)

+ int to_return = 1;

+ if(surewarehk_dso == NULL)

+ {

+ SUREWAREerr(SUREWARE_F_SUREWAREHK_FINISH,ENGINE_R_NOT_LOADED);

+ to_return = 0;

+ goto err;

+ }

+ p_surewarehk_Finish();

+ if(!DSO_free(surewarehk_dso))

+ {

+ SUREWAREerr(SUREWARE_F_SUREWAREHK_FINISH,ENGINE_R_DSO_FAILURE);

+ to_return = 0;

+ goto err;

+ }

+ err:

+ if (logstream)

+ BIO_free(logstream);

+ surewarehk_dso = NULL;

+ p_surewarehk_Init = NULL;

+ p_surewarehk_Finish = NULL;

+ p_surewarehk_Rand_Bytes = NULL;

+ p_surewarehk_Rand_Seed = NULL;

+ p_surewarehk_Load_Privkey = NULL;

+ p_surewarehk_Load_Rsa_Pubkey = NULL;

+ p_surewarehk_Free = NULL;

+ p_surewarehk_Rsa_Priv_Dec = NULL;

+ p_surewarehk_Rsa_Sign = NULL;

+ p_surewarehk_Dsa_Sign = NULL;

+ p_surewarehk_Info_Pubkey = NULL;

+ p_surewarehk_Load_Dsa_Pubkey = NULL;

+ p_surewarehk_Mod_Exp = NULL;

+ return to_return;

+static void surewarehk_error_handling(char *const msg,int func,int ret)

+ switch (ret)

+ {

+ case SUREWAREHOOK_ERROR_UNIT_FAILURE:

+ ENGINEerr(func,SUREWARE_R_UNIT_FAILURE);

+ break;

+ case SUREWAREHOOK_ERROR_FALLBACK:

+ ENGINEerr(func,SUREWARE_R_REQUEST_FALLBACK);

+ break;

+ case SUREWAREHOOK_ERROR_DATA_SIZE:

+ ENGINEerr(func,SUREWARE_R_SIZE_TOO_LARGE_OR_TOO_SMALL);

+ break;

+ case SUREWAREHOOK_ERROR_INVALID_PAD:

+ ENGINEerr(func,RSA_R_PADDING_CHECK_FAILED);

+ break;

+ default:

+ ENGINEerr(func,SUREWARE_R_REQUEST_FAILED);

+ break;

+ case 1:/*nothing*/

+ msg[0]='\0';

+ }

+ if (*msg)

+ {

+ ERR_add_error_data(1,msg);

+ if (logstream)

+ {

+ CRYPTO_w_lock(CRYPTO_LOCK_BIO);

+ BIO_write(logstream, msg, strlen(msg));

+ CRYPTO_w_unlock(CRYPTO_LOCK_BIO);

+ }

+static int surewarehk_rand_bytes(unsigned char *buf, int num)

+ int ret=0;

+ char msg[64]="ENGINE_rand_bytes";

+ if(!p_surewarehk_Rand_Bytes)

+ {

+ SUREWAREerr(SUREWARE_F_SUREWAREHK_RAND_BYTES,ENGINE_R_NOT_INITIALISED);

+ }

+ else

+ {

+ ret = p_surewarehk_Rand_Bytes(msg,buf, num);

+ surewarehk_error_handling(msg,SUREWARE_F_SUREWAREHK_RAND_BYTES,ret);

+ }

+ return ret==1 ? 1 : 0;

+static void surewarehk_rand_seed(const void *buf, int num)

+ int ret=0;

+ char msg[64]="ENGINE_rand_seed";

+ if(!p_surewarehk_Rand_Seed)

+ {

+ SUREWAREerr(SUREWARE_F_SUREWAREHK_RAND_SEED,ENGINE_R_NOT_INITIALISED);

+ }

+ else

+ {

+ ret = p_surewarehk_Rand_Seed(msg,buf, num);

+ surewarehk_error_handling(msg,SUREWARE_F_SUREWAREHK_RAND_SEED,ret);

+ }

+static void surewarehk_rand_add(const void *buf, int num, double entropy)

+ surewarehk_rand_seed(buf,num);

+static EVP_PKEY* sureware_load_public(ENGINE *e,const char *key_id,char *hptr,unsigned long el,char keytype)

+ EVP_PKEY *res = NULL;

+#ifndef OPENSSL_NO_RSA

+ RSA *rsatmp = NULL;

+#endif

+#ifndef OPENSSL_NO_DSA

+ DSA *dsatmp=NULL;

+#endif

+ char msg[64]="sureware_load_public";

+ int ret=0;

+ if(!p_surewarehk_Load_Rsa_Pubkey || !p_surewarehk_Load_Dsa_Pubkey)

+ {

+ SUREWAREerr(SUREWARE_F_SUREWAREHK_LOAD_PUBLIC_KEY,ENGINE_R_NOT_INITIALISED);

+ goto err;

+ }

+ switch (keytype)

+ {

+#ifndef OPENSSL_NO_RSA

+ case 1: /*RSA*/

+ /* set private external reference */

+ rsatmp = RSA_new_method(e);

+ RSA_set_ex_data(rsatmp,rsaHndidx,hptr);

+ rsatmp->flags |= RSA_FLAG_EXT_PKEY;

+ /* set public big nums*/

+ rsatmp->e = BN_new();

+ rsatmp->n = BN_new();

+ bn_expand2(rsatmp->e, el/sizeof(BN_ULONG));

+ bn_expand2(rsatmp->n, el/sizeof(BN_ULONG));

+ if (!rsatmp->e || rsatmp->e->dmax!=(int)(el/sizeof(BN_ULONG))||

+ !rsatmp->n || rsatmp->n->dmax!=(int)(el/sizeof(BN_ULONG)))

+ goto err;

+ ret=p_surewarehk_Load_Rsa_Pubkey(msg,key_id,el,

+ (unsigned long *)rsatmp->n->d,

+ (unsigned long *)rsatmp->e->d);

+ surewarehk_error_handling(msg,SUREWARE_F_SUREWAREHK_LOAD_PUBLIC_KEY,ret);

+ if (ret!=1)

+ {

+ SUREWAREerr(SUREWARE_F_SUREWAREHK_LOAD_PRIVATE_KEY,ENGINE_R_FAILED_LOADING_PUBLIC_KEY);

+ goto err;

+ }

+ /* normalise pub e and pub n */

+ rsatmp->e->top=el/sizeof(BN_ULONG);

+ bn_fix_top(rsatmp->e);

+ rsatmp->n->top=el/sizeof(BN_ULONG);

+ bn_fix_top(rsatmp->n);

+ /* create an EVP object: engine + rsa key */

+ res = EVP_PKEY_new();

+ EVP_PKEY_assign_RSA(res, rsatmp);

+ break;

+#endif

+#ifndef OPENSSL_NO_DSA

+ case 2:/*DSA*/

+ /* set private/public external reference */

+ dsatmp = DSA_new_method(e);

+ DSA_set_ex_data(dsatmp,dsaHndidx,hptr);

+ /*dsatmp->flags |= DSA_FLAG_EXT_PKEY;*/

+ /* set public key*/

+ dsatmp->pub_key = BN_new();

+ dsatmp->p = BN_new();

+ dsatmp->q = BN_new();

+ dsatmp->g = BN_new();

+ bn_expand2(dsatmp->pub_key, el/sizeof(BN_ULONG));

+ bn_expand2(dsatmp->p, el/sizeof(BN_ULONG));

+ bn_expand2(dsatmp->q, 20/sizeof(BN_ULONG));

+ bn_expand2(dsatmp->g, el/sizeof(BN_ULONG));

+ if (!dsatmp->pub_key || dsatmp->pub_key->dmax!=(int)(el/sizeof(BN_ULONG))||

+ !dsatmp->p || dsatmp->p->dmax!=(int)(el/sizeof(BN_ULONG)) ||

+ !dsatmp->q || dsatmp->q->dmax!=20/sizeof(BN_ULONG) ||

+ !dsatmp->g || dsatmp->g->dmax!=(int)(el/sizeof(BN_ULONG)))

+ goto err;

+ ret=p_surewarehk_Load_Dsa_Pubkey(msg,key_id,el,

+ (unsigned long *)dsatmp->pub_key->d,

+ (unsigned long *)dsatmp->p->d,

+ (unsigned long *)dsatmp->q->d,

+ (unsigned long *)dsatmp->g->d);

+ surewarehk_error_handling(msg,SUREWARE_F_SUREWAREHK_LOAD_PUBLIC_KEY,ret);

+ if (ret!=1)

+ {

+ SUREWAREerr(SUREWARE_F_SUREWAREHK_LOAD_PRIVATE_KEY,ENGINE_R_FAILED_LOADING_PUBLIC_KEY);

+ goto err;

+ }

+ /* set parameters */

+ /* normalise pubkey and parameters in case of */

+ dsatmp->pub_key->top=el/sizeof(BN_ULONG);

+ bn_fix_top(dsatmp->pub_key);

+ dsatmp->p->top=el/sizeof(BN_ULONG);

+ bn_fix_top(dsatmp->p);

+ dsatmp->q->top=20/sizeof(BN_ULONG);

+ bn_fix_top(dsatmp->q);

+ dsatmp->g->top=el/sizeof(BN_ULONG);

+ bn_fix_top(dsatmp->g);

+ /* create an EVP object: engine + rsa key */

+ res = EVP_PKEY_new();

+ EVP_PKEY_assign_DSA(res, dsatmp);

+ break;

+#endif

+ default:

+ SUREWAREerr(SUREWARE_F_SUREWAREHK_LOAD_PRIVATE_KEY,ENGINE_R_FAILED_LOADING_PRIVATE_KEY);

+ goto err;

+ }

+ return res;

+ err:

+ if (res)

+ EVP_PKEY_free(res);

+#ifndef OPENSSL_NO_RSA

+ if (rsatmp)

+ RSA_free(rsatmp);

+#endif

+#ifndef OPENSSL_NO_DSA

+ if (dsatmp)

+ DSA_free(dsatmp);

+#endif

+ return NULL;

+static EVP_PKEY *surewarehk_load_privkey(ENGINE *e, const char *key_id,

+ UI_METHOD *ui_method, void *callback_data)

+ EVP_PKEY *res = NULL;

+ int ret=0;

+ unsigned long el=0;

+ char *hptr=NULL;

+ char keytype=0;

+ char msg[64]="ENGINE_load_privkey";

+ if(!p_surewarehk_Load_Privkey)

+ {

+ SUREWAREerr(SUREWARE_F_SUREWAREHK_LOAD_PRIVATE_KEY,ENGINE_R_NOT_INITIALISED);

+ }

+ else

+ {

+ ret=p_surewarehk_Load_Privkey(msg,key_id,&hptr,&el,&keytype);

+ if (ret!=1)

+ {

+ SUREWAREerr(SUREWARE_F_SUREWAREHK_LOAD_PRIVATE_KEY,ENGINE_R_FAILED_LOADING_PRIVATE_KEY);

+ ERR_add_error_data(1,msg);

+ }

+ else

+ res=sureware_load_public(e,key_id,hptr,el,keytype);

+ }

+ return res;

+static EVP_PKEY *surewarehk_load_pubkey(ENGINE *e, const char *key_id,

+ UI_METHOD *ui_method, void *callback_data)

+ EVP_PKEY *res = NULL;

+ int ret=0;

+ unsigned long el=0;

+ char *hptr=NULL;

+ char keytype=0;

+ char msg[64]="ENGINE_load_pubkey";

+ if(!p_surewarehk_Info_Pubkey)

+ {

+ SUREWAREerr(SUREWARE_F_SUREWAREHK_LOAD_PUBLIC_KEY,ENGINE_R_NOT_INITIALISED);

+ }

+ else

+ {

+ /* call once to identify if DSA or RSA */

+ ret=p_surewarehk_Info_Pubkey(msg,key_id,&el,&keytype);

+ if (ret!=1)

+ {

+ SUREWAREerr(SUREWARE_F_SUREWAREHK_LOAD_PUBLIC_KEY,ENGINE_R_FAILED_LOADING_PUBLIC_KEY);

+ ERR_add_error_data(1,msg);

+ }

+ else

+ res=sureware_load_public(e,key_id,hptr,el,keytype);

+ }

+ return res;

+/* This cleans up an RSA/DSA KM key(do not destroy the key into the hardware)

+, called when ex_data is freed */

+static void surewarehk_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad,

+ int idx,long argl, void *argp)

+ if(!p_surewarehk_Free)

+ {

+ SUREWAREerr(SUREWARE_F_SUREWAREHK_EX_FREE,ENGINE_R_NOT_INITIALISED);

+ }

+ else

+ p_surewarehk_Free((char *)item,0);

+#if 0

+/* This cleans up an DH KM key (destroys the key into hardware),

+called when ex_data is freed */

+static void surewarehk_dh_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad,

+ int idx,long argl, void *argp)

+ if(!p_surewarehk_Free)

+ {

+ SUREWAREerr(SUREWARE_F_SUREWAREHK_EX_FREE,ENGINE_R_NOT_INITIALISED);

+ }

+ else

+ p_surewarehk_Free((char *)item,1);

+#endif

+/*

+* return number of decrypted bytes

+*/

+#ifndef OPENSSL_NO_RSA

+static int surewarehk_rsa_priv_dec(int flen,const unsigned char *from,unsigned char *to,

+ RSA *rsa,int padding)

+ int ret=0,tlen;

+ char *buf=NULL,*hptr=NULL;

+ char msg[64]="ENGINE_rsa_priv_dec";

+ if (!p_surewarehk_Rsa_Priv_Dec)

+ {

+ SUREWAREerr(SUREWARE_F_SUREWAREHK_RSA_PRIV_DEC,ENGINE_R_NOT_INITIALISED);

+ }

+ /* extract ref to private key */

+ else if (!(hptr=RSA_get_ex_data(rsa, rsaHndidx)))

+ {

+ SUREWAREerr(SUREWARE_F_SUREWAREHK_RSA_PRIV_DEC,SUREWARE_R_MISSING_KEY_COMPONENTS);

+ goto err;

+ }

+ /* analyse what padding we can do into the hardware */

+ if (padding==RSA_PKCS1_PADDING)

+ {

+ /* do it one shot */

+ ret=p_surewarehk_Rsa_Priv_Dec(msg,flen,(unsigned char *)from,&tlen,to,hptr,SUREWARE_PKCS1_PAD);

+ surewarehk_error_handling(msg,SUREWARE_F_SUREWAREHK_RSA_PRIV_DEC,ret);

+ if (ret!=1)

+ goto err;

+ ret=tlen;

+ }

+ else /* do with no padding into hardware */

+ {

+ ret=p_surewarehk_Rsa_Priv_Dec(msg,flen,(unsigned char *)from,&tlen,to,hptr,SUREWARE_NO_PAD);

+ surewarehk_error_handling(msg,SUREWARE_F_SUREWAREHK_RSA_PRIV_DEC,ret);

+ if (ret!=1)

+ goto err;

+ /* intermediate buffer for padding */

+ if ((buf=OPENSSL_malloc(tlen)) == NULL)

+ {

+ RSAerr(SUREWARE_F_SUREWAREHK_RSA_PRIV_DEC,ERR_R_MALLOC_FAILURE);

+ goto err;

+ }

+ memcpy(buf,to,tlen);/* transfert to into buf */

+ switch (padding) /* check padding in software */

+ {

+#ifndef OPENSSL_NO_SHA

+ case RSA_PKCS1_OAEP_PADDING:

+ ret=RSA_padding_check_PKCS1_OAEP(to,tlen,(unsigned char *)buf,tlen,tlen,NULL,0);

+ break;

+#endif

+ case RSA_SSLV23_PADDING:

+ ret=RSA_padding_check_SSLv23(to,tlen,(unsigned char *)buf,flen,tlen);

+ break;

+ case RSA_NO_PADDING:

+ ret=RSA_padding_check_none(to,tlen,(unsigned char *)buf,flen,tlen);

+ break;

+ default:

+ RSAerr(SUREWARE_F_SUREWAREHK_RSA_PRIV_DEC,RSA_R_UNKNOWN_PADDING_TYPE);

+ goto err;

+ }

+ if (ret < 0)

+ RSAerr(SUREWARE_F_SUREWAREHK_RSA_PRIV_DEC,RSA_R_PADDING_CHECK_FAILED);

+ }

+err:

+ if (buf)

+ {

+ OPENSSL_cleanse(buf,tlen);

+ OPENSSL_free(buf);

+ }

+ return ret;

+/*

+* Does what OpenSSL rsa_priv_enc does.

+*/

+static int surewarehk_rsa_sign(int flen,const unsigned char *from,unsigned char *to,

+ RSA *rsa,int padding)

+ int ret=0,tlen;

+ char *hptr=NULL;

+ char msg[64]="ENGINE_rsa_sign";

+ if (!p_surewarehk_Rsa_Sign)

+ {

+ SUREWAREerr(SUREWARE_F_SUREWAREHK_RSA_PRIV_ENC,ENGINE_R_NOT_INITIALISED);

+ }

+ /* extract ref to private key */

+ else if (!(hptr=RSA_get_ex_data(rsa, rsaHndidx)))

+ {

+ SUREWAREerr(SUREWARE_F_SUREWAREHK_RSA_PRIV_ENC,SUREWARE_R_MISSING_KEY_COMPONENTS);

+ }

+ else

+ {

+ switch (padding)

+ {

+ case RSA_PKCS1_PADDING: /* do it in one shot */

+ ret=p_surewarehk_Rsa_Sign(msg,flen,(unsigned char *)from,&tlen,to,hptr,SUREWARE_PKCS1_PAD);

+ surewarehk_error_handling(msg,SUREWARE_F_SUREWAREHK_RSA_PRIV_ENC,ret);

+ break;

+ case RSA_NO_PADDING:

+ default:

+ RSAerr(SUREWARE_F_SUREWAREHK_RSA_PRIV_ENC,RSA_R_UNKNOWN_PADDING_TYPE);

+ }

+ return ret==1 ? tlen : ret;

+#endif

+#ifndef OPENSSL_NO_DSA

+/* DSA sign and verify */

+static DSA_SIG * surewarehk_dsa_do_sign(const unsigned char *from, int flen, DSA *dsa)

+ int ret=0;

+ char *hptr=NULL;

+ DSA_SIG *psign=NULL;

+ char msg[64]="ENGINE_dsa_do_sign";

+ if (!p_surewarehk_Dsa_Sign)

+ {

+ SUREWAREerr(SUREWARE_F_SUREWAREHK_DSA_DO_SIGN,ENGINE_R_NOT_INITIALISED);

+ }

+ /* extract ref to private key */

+ else if (!(hptr=DSA_get_ex_data(dsa, dsaHndidx)))

+ {

+ SUREWAREerr(SUREWARE_F_SUREWAREHK_DSA_DO_SIGN,SUREWARE_R_MISSING_KEY_COMPONENTS);

+ }

+ else

+ {

+ if((psign = DSA_SIG_new()) == NULL)

+ {

+ SUREWAREerr(SUREWARE_F_SUREWAREHK_DSA_DO_SIGN,ERR_R_MALLOC_FAILURE);

+ goto err;

+ }

+ psign->r=BN_new();

+ psign->s=BN_new();

+ bn_expand2(psign->r, 20/sizeof(BN_ULONG));

+ bn_expand2(psign->s, 20/sizeof(BN_ULONG));

+ if (!psign->r || psign->r->dmax!=20/sizeof(BN_ULONG) ||

+ !psign->s || psign->s->dmax!=20/sizeof(BN_ULONG))

+ goto err;

+ ret=p_surewarehk_Dsa_Sign(msg,flen,from,

+ (unsigned long *)psign->r->d,

+ (unsigned long *)psign->s->d,

+ hptr);

+ surewarehk_error_handling(msg,SUREWARE_F_SUREWAREHK_DSA_DO_SIGN,ret);

+ }

+ psign->r->top=20/sizeof(BN_ULONG);

+ bn_fix_top(psign->r);

+ psign->s->top=20/sizeof(BN_ULONG);

+ bn_fix_top(psign->s);

+err:

+ if (psign)

+ {

+ DSA_SIG_free(psign);

+ psign=NULL;

+ }

+ return psign;

+#endif

+static int surewarehk_modexp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,

+ const BIGNUM *m, BN_CTX *ctx)

+ int ret=0;

+ char msg[64]="ENGINE_modexp";

+ if (!p_surewarehk_Mod_Exp)

+ {

+ SUREWAREerr(SUREWARE_F_SUREWAREHK_MOD_EXP,ENGINE_R_NOT_INITIALISED);

+ }

+ else

+ {

+ bn_expand2(r,m->top);

+ if (r && r->dmax==m->top)

+ {

+ /* do it*/

+ ret=p_surewarehk_Mod_Exp(msg,

+ m->top*sizeof(BN_ULONG),

+ (unsigned long *)m->d,

+ p->top*sizeof(BN_ULONG),

+ (unsigned long *)p->d,

+ a->top*sizeof(BN_ULONG),

+ (unsigned long *)a->d,

+ (unsigned long *)r->d);

+ surewarehk_error_handling(msg,SUREWARE_F_SUREWAREHK_MOD_EXP,ret);

+ if (ret==1)

+ {

+ /* normalise result */

+ r->top=m->top;

+ bn_fix_top(r);

+ }

+ return ret;

+#endif /* !OPENSSL_NO_HW_SureWare */

+#endif /* !OPENSSL_NO_HW */

diff --git a/lib/libcrypto/engine/vendor_defns/hw_ubsec.h b/lib/libcrypto/engine/vendor_defns/hw_ubsec.h
new file mode 100644
index 00000000000..b6619d40f2f
--- /dev/null
+++ b/lib/libcrypto/engine/vendor_defns/hw_ubsec.h

@@ -0,0 +1,100 @@

+/******************************************************************************

+ *

+ * Broadcom Corporation

+ * 16215 Alton Parkway

+ * PO Box 57013

+ * Irvine CA 92619-7013

+ *

+ *****************************************************************************/

+/*

+ * Broadcom Corporation uBSec SDK

+ */

+/*

+ * Character device header file.

+ */

+/*

+ * Revision History:

+ *

+ * October 2000 JTT Created.

+ */

+#define MAX_PUBLIC_KEY_BITS (1024)

+#define MAX_PUBLIC_KEY_BYTES (1024/8)

+#define SHA_BIT_SIZE (160)

+#define MAX_CRYPTO_KEY_LENGTH 24

+#define MAX_MAC_KEY_LENGTH 64

+#define UBSEC_CRYPTO_DEVICE_NAME ((unsigned char *)"/dev/ubscrypt")

+#define UBSEC_KEY_DEVICE_NAME ((unsigned char *)"/dev/ubskey")

+/* Math command types. */

+#define UBSEC_MATH_MODADD 0x0001

+#define UBSEC_MATH_MODSUB 0x0002

+#define UBSEC_MATH_MODMUL 0x0004

+#define UBSEC_MATH_MODEXP 0x0008

+#define UBSEC_MATH_MODREM 0x0010

+#define UBSEC_MATH_MODINV 0x0020

+typedef long ubsec_MathCommand_t;

+typedef long ubsec_RNGCommand_t;

+typedef struct ubsec_crypto_context_s {

+ unsigned int flags;

+ unsigned char crypto[MAX_CRYPTO_KEY_LENGTH];

+ unsigned char auth[MAX_MAC_KEY_LENGTH];

+} ubsec_crypto_context_t, *ubsec_crypto_context_p;

+/*

+ * Predeclare the function pointer types that we dynamically load from the DSO.

+ */

+typedef int t_UBSEC_ubsec_bytes_to_bits(unsigned char *n, int bytes);

+typedef int t_UBSEC_ubsec_bits_to_bytes(int bits);

+typedef int t_UBSEC_ubsec_open(unsigned char *device);

+typedef int t_UBSEC_ubsec_close(int fd);

+typedef int t_UBSEC_diffie_hellman_generate_ioctl (int fd,

+ unsigned char *x, int *x_len, unsigned char *y, int *y_len,

+ unsigned char *g, int g_len, unsigned char *m, int m_len,

+ unsigned char *userX, int userX_len, int random_bits);

+typedef int t_UBSEC_diffie_hellman_agree_ioctl (int fd,

+ unsigned char *x, int x_len, unsigned char *y, int y_len,

+ unsigned char *m, int m_len, unsigned char *k, int *k_len);

+typedef int t_UBSEC_rsa_mod_exp_ioctl (int fd,

+ unsigned char *x, int x_len, unsigned char *m, int m_len,

+ unsigned char *e, int e_len, unsigned char *y, int *y_len);

+typedef int t_UBSEC_rsa_mod_exp_crt_ioctl (int fd,

+ unsigned char *x, int x_len, unsigned char *qinv, int qinv_len,

+ unsigned char *edq, int edq_len, unsigned char *q, int q_len,

+ unsigned char *edp, int edp_len, unsigned char *p, int p_len,

+ unsigned char *y, int *y_len);

+typedef int t_UBSEC_dsa_sign_ioctl (int fd,

+ int hash, unsigned char *data, int data_len,

+ unsigned char *rndom, int random_len,

+ unsigned char *p, int p_len, unsigned char *q, int q_len,

+ unsigned char *g, int g_len, unsigned char *key, int key_len,

+ unsigned char *r, int *r_len, unsigned char *s, int *s_len);

+typedef int t_UBSEC_dsa_verify_ioctl (int fd,

+ int hash, unsigned char *data, int data_len,

+ unsigned char *p, int p_len, unsigned char *q, int q_len,

+ unsigned char *g, int g_len, unsigned char *key, int key_len,

+ unsigned char *r, int r_len, unsigned char *s, int s_len,

+ unsigned char *v, int *v_len);

+typedef int t_UBSEC_math_accelerate_ioctl(int fd, ubsec_MathCommand_t command,

+ unsigned char *ModN, int *ModN_len, unsigned char *ExpE, int *ExpE_len,

+ unsigned char *ParamA, int *ParamA_len, unsigned char *ParamB, int *ParamB_len,

+ unsigned char *Result, int *Result_len);

+typedef int t_UBSEC_rng_ioctl(int fd, ubsec_RNGCommand_t command,

+ unsigned char *Result, int *Result_len);

+typedef int t_UBSEC_max_key_len_ioctl(int fd, int *max_key_len);

diff --git a/lib/libcrypto/engine/vendor_defns/hwcryptohook.h b/lib/libcrypto/engine/vendor_defns/hwcryptohook.h
new file mode 100644
index 00000000000..a7864894e2f
--- /dev/null
+++ b/lib/libcrypto/engine/vendor_defns/hwcryptohook.h

@@ -0,0 +1,486 @@

+/*

+ * ModExp / RSA (with/without KM) plugin API

+ *

+ * The application will load a dynamic library which

+ * exports entrypoint(s) defined in this file.

+ *

+ * This set of entrypoints provides only a multithreaded,

+ * synchronous-within-each-thread, facility.

+ *

+ * Redistribution and use in source and binary forms, with opr without

+ * modification, are permitted provided that the following conditions

+ * are met:

+ *

+ * 1. Redistributions of source code must retain the copyright notice,

+ * this list of conditions, and the following disclaimer.

+ *

+ * 2. Redistributions in binary form must reproduce the above

+ * copyright notice, this list of conditions, and the following

+ * disclaimer, in the documentation and/or other materials provided

+ * with the distribution

+ *

+ * IN NO EVENT SHALL NCIPHER CORPORATION LIMITED (`NCIPHER') AND/OR

+ * ANY OTHER AUTHORS OR DISTRIBUTORS OF THIS FILE BE LIABLE for any

+ * damages arising directly or indirectly from this file, its use or

+ * this licence. Without prejudice to the generality of the

+ * foregoing: all liability shall be excluded for direct, indirect,

+ * special, incidental, consequential or other damages or any loss of

+ * profits, business, revenue goodwill or anticipated savings;

+ * liability shall be excluded even if nCipher or anyone else has been

+ * advised of the possibility of damage. In any event, if the

+ * exclusion of liability is not effective, the liability of nCipher

+ * or any author or distributor shall be limited to the lesser of the

+ * price paid and 1,000 pounds sterling. This licence only fails to

+ * exclude or limit liability for death or personal injury arising out

+ * of negligence, and only to the extent that such an exclusion or

+ * limitation is not effective.

+ *

+ * NCIPHER AND THE AUTHORS AND DISTRIBUTORS SPECIFICALLY DISCLAIM ALL

+ * AND ANY WARRANTIES (WHETHER EXPRESS OR IMPLIED), including, but not

+ * limited to, any implied warranties of merchantability, fitness for

+ * a particular purpose, satisfactory quality, and/or non-infringement

+ * of any third party rights.

+ *

+ * US Government use: This software and documentation is Commercial

+ * Computer Software and Computer Software Documentation, as defined in

+ * sub-paragraphs (a)(1) and (a)(5) of DFAR 252.227-7014, "Rights in

+ * Noncommercial Computer Software and Noncommercial Computer Software

+ * Documentation." Use, duplication or disclosure by the Government is

+ * subject to the terms and conditions specified here.

+ *

+ * By using or distributing this file you will be accepting these

+ * terms and conditions, including the limitation of liability and

+ * lack of warranty. If you do not wish to accept these terms and

+ * conditions, DO NOT USE THE FILE.

+ *

+ * The actual dynamically loadable plugin, and the library files for

+ * static linking, which are also provided in some distributions, are

+ * not covered by the licence described above. You should have

+ * received a separate licence with terms and conditions for these

+ * library files; if you received the library files without a licence,

+ * please contact nCipher.

+ *

+ * $Id: hwcryptohook.h,v 1.1 2003/05/11 21:35:16 markus Exp $

+ */

+#ifndef HWCRYPTOHOOK_H

+#define HWCRYPTOHOOK_H

+#include <sys/types.h>

+#include <stdio.h>

+#ifndef HWCRYPTOHOOK_DECLARE_APPTYPES

+#define HWCRYPTOHOOK_DECLARE_APPTYPES 1

+#endif

+#define HWCRYPTOHOOK_ERROR_FAILED -1

+#define HWCRYPTOHOOK_ERROR_FALLBACK -2

+#define HWCRYPTOHOOK_ERROR_MPISIZE -3

+#if HWCRYPTOHOOK_DECLARE_APPTYPES

+/* These structs are defined by the application and opaque to the

+ * crypto plugin. The application may define these as it sees fit.

+ * Default declarations are provided here, but the application may

+ * #define HWCRYPTOHOOK_DECLARE_APPTYPES 0

+ * to prevent these declarations, and instead provide its own

+ * declarations of these types. (Pointers to them must still be

+ * ordinary pointers to structs or unions, or the resulting combined

+ * program will have a type inconsistency.)

+ */

+typedef struct HWCryptoHook_MutexValue HWCryptoHook_Mutex;

+typedef struct HWCryptoHook_CondVarValue HWCryptoHook_CondVar;

+typedef struct HWCryptoHook_PassphraseContextValue HWCryptoHook_PassphraseContext;

+typedef struct HWCryptoHook_CallerContextValue HWCryptoHook_CallerContext;

+#endif /* HWCRYPTOHOOK_DECLARE_APPTYPES */

+/* These next two structs are opaque to the application. The crypto

+ * plugin will return pointers to them; the caller simply manipulates

+ * the pointers.

+ */

+typedef struct HWCryptoHook_Context *HWCryptoHook_ContextHandle;

+typedef struct HWCryptoHook_RSAKey *HWCryptoHook_RSAKeyHandle;

+typedef struct {

+ char *buf;

+ size_t size;

+} HWCryptoHook_ErrMsgBuf;

+/* Used for error reporting. When a HWCryptoHook function fails it

+ * will return a sentinel value (0 for pointer-valued functions, or a

+ * negative number, usually HWCRYPTOHOOK_ERROR_FAILED, for

+ * integer-valued ones). It will, if an ErrMsgBuf is passed, also put

+ * an error message there.

+ *

+ * size is the size of the buffer, and will not be modified. If you

+ * pass 0 for size you must pass 0 for buf, and nothing will be

+ * recorded (just as if you passed 0 for the struct pointer).

+ * Messages written to the buffer will always be null-terminated, even

+ * when truncated to fit within size bytes.

+ *

+ * The contents of the buffer are not defined if there is no error.

+ */

+typedef struct HWCryptoHook_MPIStruct {

+ unsigned char *buf;

+ size_t size;

+} HWCryptoHook_MPI;

+/* When one of these is returned, a pointer is passed to the function.

+ * At call, size is the space available. Afterwards it is updated to

+ * be set to the actual length (which may be more than the space available,

+ * if there was not enough room and the result was truncated).

+ * buf (the pointer) is not updated.

+ *

+ * size is in bytes and may be zero at call or return, but must be a

+ * multiple of the limb size. Zero limbs at the MS end are not

+ * permitted.

+ */

+#define HWCryptoHook_InitFlags_FallbackModExp 0x0002UL

+#define HWCryptoHook_InitFlags_FallbackRSAImmed 0x0004UL

+/* Enable requesting fallback to software in case of problems with the

+ * hardware support. This indicates to the crypto provider that the

+ * application is prepared to fall back to software operation if the

+ * ModExp* or RSAImmed* functions return HWCRYPTOHOOK_ERROR_FALLBACK.

+ * Without this flag those calls will never return

+ * HWCRYPTOHOOK_ERROR_FALLBACK. The flag will also cause the crypto

+ * provider to avoid repeatedly attempting to contact dead hardware

+ * within a short interval, if appropriate.

+ */

+#define HWCryptoHook_InitFlags_SimpleForkCheck 0x0010UL

+/* Without _SimpleForkCheck the library is allowed to assume that the

+ * application will not fork and call the library in the child(ren).

+ *

+ * When it is specified, this is allowed. However, after a fork

+ * neither parent nor child may unload any loaded keys or call

+ * _Finish. Instead, they should call exit (or die with a signal)

+ * without calling _Finish. After all the children have died the

+ * parent may unload keys or call _Finish.

+ *

+ * This flag only has any effect on UN*X platforms.

+ */

+typedef struct {

+ unsigned long flags;

+ void *logstream; /* usually a FILE*. See below. */

+ size_t limbsize; /* bignum format - size of radix type, must be power of 2 */

+ int mslimbfirst; /* 0 or 1 */

+ int msbytefirst; /* 0 or 1; -1 = native */

+ /* All the callback functions should return 0 on success, or a

+ * nonzero integer (whose value will be visible in the error message

+ * put in the buffer passed to the call).

+ *

+ * If a callback is not available pass a null function pointer.

+ *

+ * The callbacks may not call down again into the crypto plugin.

+ */

+ /* For thread-safety. Set everything to 0 if you promise only to be

+ * singlethreaded. maxsimultaneous is the number of calls to

+ * ModExp[Crt]/RSAImmed{Priv,Pub}/RSA. If you don't know what to

+ * put there then say 0 and the hook library will use a default.

+ *

+ * maxmutexes is a small limit on the number of simultaneous mutexes

+ * which will be requested by the library. If there is no small

+ * limit, set it to 0. If the crypto plugin cannot create the

+ * advertised number of mutexes the calls to its functions may fail.

+ * If a low number of mutexes is advertised the plugin will try to

+ * do the best it can. Making larger numbers of mutexes available

+ * may improve performance and parallelism by reducing contention

+ * over critical sections. Unavailability of any mutexes, implying

+ * single-threaded operation, should be indicated by the setting

+ * mutex_init et al to 0.

+ */

+ int maxmutexes;

+ int maxsimultaneous;

+ size_t mutexsize;

+ int (*mutex_init)(HWCryptoHook_Mutex*, HWCryptoHook_CallerContext *cactx);

+ int (*mutex_acquire)(HWCryptoHook_Mutex*);

+ void (*mutex_release)(HWCryptoHook_Mutex*);

+ void (*mutex_destroy)(HWCryptoHook_Mutex*);

+ /* For greater efficiency, can use condition vars internally for

+ * synchronisation. In this case maxsimultaneous is ignored, but

+ * the other mutex stuff must be available. In singlethreaded

+ * programs, set everything to 0.

+ */

+ size_t condvarsize;

+ int (*condvar_init)(HWCryptoHook_CondVar*, HWCryptoHook_CallerContext *cactx);

+ int (*condvar_wait)(HWCryptoHook_CondVar*, HWCryptoHook_Mutex*);

+ void (*condvar_signal)(HWCryptoHook_CondVar*);

+ void (*condvar_broadcast)(HWCryptoHook_CondVar*);

+ void (*condvar_destroy)(HWCryptoHook_CondVar*);

+ /* The semantics of acquiring and releasing mutexes and broadcasting

+ * and waiting on condition variables are expected to be those from

+ * POSIX threads (pthreads). The mutexes may be (in pthread-speak)

+ * fast mutexes, recursive mutexes, or nonrecursive ones.

+ *

+ * The _release/_signal/_broadcast and _destroy functions must

+ * always succeed when given a valid argument; if they are given an

+ * invalid argument then the program (crypto plugin + application)

+ * has an internal error, and they should abort the program.

+ */

+ int (*getpassphrase)(const char *prompt_info,

+ int *len_io, char *buf,

+ HWCryptoHook_PassphraseContext *ppctx,

+ HWCryptoHook_CallerContext *cactx);

+ /* Passphrases and the prompt_info, if they contain high-bit-set

+ * characters, are UTF-8. The prompt_info may be a null pointer if

+ * no prompt information is available (it should not be an empty

+ * string). It will not contain text like `enter passphrase';

+ * instead it might say something like `Operator Card for John

+ * Smith' or `SmartCard in nFast Module #1, Slot #1'.

+ *

+ * buf points to a buffer in which to return the passphrase; on

+ * entry *len_io is the length of the buffer. It should be updated

+ * by the callback. The returned passphrase should not be

+ * null-terminated by the callback.

+ */

+ int (*getphystoken)(const char *prompt_info,

+ const char *wrong_info,

+ HWCryptoHook_PassphraseContext *ppctx,

+ HWCryptoHook_CallerContext *cactx);

+ /* Requests that the human user physically insert a different

+ * smartcard, DataKey, etc. The plugin should check whether the

+ * currently inserted token(s) are appropriate, and if they are it

+ * should not make this call.

+ *

+ * prompt_info is as before. wrong_info is a description of the

+ * currently inserted token(s) so that the user is told what

+ * something is. wrong_info, like prompt_info, may be null, but

+ * should not be an empty string. Its contents should be

+ * syntactically similar to that of prompt_info.

+ */

+ /* Note that a single LoadKey operation might cause several calls to

+ * getpassphrase and/or requestphystoken. If requestphystoken is

+ * not provided (ie, a null pointer is passed) then the plugin may

+ * not support loading keys for which authorisation by several cards

+ * is required. If getpassphrase is not provided then cards with

+ * passphrases may not be supported.

+ *

+ * getpassphrase and getphystoken do not need to check that the

+ * passphrase has been entered correctly or the correct token

+ * inserted; the crypto plugin will do that. If this is not the

+ * case then the crypto plugin is responsible for calling these

+ * routines again as appropriate until the correct token(s) and

+ * passphrase(s) are supplied as required, or until any retry limits

+ * implemented by the crypto plugin are reached.

+ *

+ * In either case, the application must allow the user to say `no'

+ * or `cancel' to indicate that they do not know the passphrase or

+ * have the appropriate token; this should cause the callback to

+ * return nonzero indicating error.

+ */

+ void (*logmessage)(void *logstream, const char *message);

+ /* A log message will be generated at least every time something goes

+ * wrong and an ErrMsgBuf is filled in (or would be if one was

+ * provided). Other diagnostic information may be written there too,

+ * including more detailed reasons for errors which are reported in an

+ * ErrMsgBuf.

+ *

+ * When a log message is generated, this callback is called. It

+ * should write a message to the relevant logging arrangements.

+ *

+ * The message string passed will be null-terminated and may be of arbitrary

+ * length. It will not be prefixed by the time and date, nor by the

+ * name of the library that is generating it - if this is required,

+ * the logmessage callback must do it. The message will not have a

+ * trailing newline (though it may contain internal newlines).

+ *

+ * If a null pointer is passed for logmessage a default function is

+ * used. The default function treats logstream as a FILE* which has

+ * been converted to a void*. If logstream is 0 it does nothing.

+ * Otherwise it prepends the date and time and library name and

+ * writes the message to logstream. Each line will be prefixed by a

+ * descriptive string containing the date, time and identity of the

+ * crypto plugin. Errors on the logstream are not reported

+ * anywhere, and the default function doesn't flush the stream, so

+ * the application must set the buffering how it wants it.

+ *

+ * The crypto plugin may also provide a facility to have copies of

+ * log messages sent elsewhere, and or for adjusting the verbosity

+ * of the log messages; any such facilities will be configured by

+ * external means.

+ */

+} HWCryptoHook_InitInfo;

+typedef

+HWCryptoHook_ContextHandle HWCryptoHook_Init_t(const HWCryptoHook_InitInfo *initinfo,

+ size_t initinfosize,

+ const HWCryptoHook_ErrMsgBuf *errors,

+ HWCryptoHook_CallerContext *cactx);

+extern HWCryptoHook_Init_t HWCryptoHook_Init;

+/* Caller should set initinfosize to the size of the HWCryptoHook struct,

+ * so it can be extended later.

+ *

+ * On success, a message for display or logging by the server,

+ * including the name and version number of the plugin, will be filled

+ * in into *errors; on failure *errors is used for error handling, as

+ * usual.

+ */

+/* All these functions return 0 on success, HWCRYPTOHOOK_ERROR_FAILED

+ * on most failures. HWCRYPTOHOOK_ERROR_MPISIZE means at least one of

+ * the output MPI buffer(s) was too small; the sizes of all have been

+ * set to the desired size (and for those where the buffer was large

+ * enough, the value may have been copied in), and no error message

+ * has been recorded.

+ *

+ * You may pass 0 for the errors struct. In any case, unless you set

+ * _NoStderr at init time then messages may be reported to stderr.

+ */

+/* The RSAImmed* functions (and key managed RSA) only work with

+ * modules which have an RSA patent licence - currently that means KM

+ * units; the ModExp* ones work with all modules, so you need a patent

+ * licence in the software in the US. They are otherwise identical.

+ */

+typedef

+void HWCryptoHook_Finish_t(HWCryptoHook_ContextHandle hwctx);

+extern HWCryptoHook_Finish_t HWCryptoHook_Finish;

+/* You must not have any calls going or keys loaded when you call this. */

+typedef

+int HWCryptoHook_RandomBytes_t(HWCryptoHook_ContextHandle hwctx,

+ unsigned char *buf, size_t len,

+ const HWCryptoHook_ErrMsgBuf *errors);

+extern HWCryptoHook_RandomBytes_t HWCryptoHook_RandomBytes;

+typedef

+int HWCryptoHook_ModExp_t(HWCryptoHook_ContextHandle hwctx,

+ HWCryptoHook_MPI a,

+ HWCryptoHook_MPI p,

+ HWCryptoHook_MPI n,

+ HWCryptoHook_MPI *r,

+ const HWCryptoHook_ErrMsgBuf *errors);

+extern HWCryptoHook_ModExp_t HWCryptoHook_ModExp;

+typedef

+int HWCryptoHook_RSAImmedPub_t(HWCryptoHook_ContextHandle hwctx,

+ HWCryptoHook_MPI m,

+ HWCryptoHook_MPI e,

+ HWCryptoHook_MPI n,

+ HWCryptoHook_MPI *r,

+ const HWCryptoHook_ErrMsgBuf *errors);

+extern HWCryptoHook_RSAImmedPub_t HWCryptoHook_RSAImmedPub;

+typedef

+int HWCryptoHook_ModExpCRT_t(HWCryptoHook_ContextHandle hwctx,

+ HWCryptoHook_MPI a,

+ HWCryptoHook_MPI p,

+ HWCryptoHook_MPI q,

+ HWCryptoHook_MPI dmp1,

+ HWCryptoHook_MPI dmq1,

+ HWCryptoHook_MPI iqmp,

+ HWCryptoHook_MPI *r,

+ const HWCryptoHook_ErrMsgBuf *errors);

+extern HWCryptoHook_ModExpCRT_t HWCryptoHook_ModExpCRT;

+typedef

+int HWCryptoHook_RSAImmedPriv_t(HWCryptoHook_ContextHandle hwctx,

+ HWCryptoHook_MPI m,

+ HWCryptoHook_MPI p,

+ HWCryptoHook_MPI q,

+ HWCryptoHook_MPI dmp1,

+ HWCryptoHook_MPI dmq1,

+ HWCryptoHook_MPI iqmp,

+ HWCryptoHook_MPI *r,

+ const HWCryptoHook_ErrMsgBuf *errors);

+extern HWCryptoHook_RSAImmedPriv_t HWCryptoHook_RSAImmedPriv;

+/* The RSAImmed* and ModExp* functions may return E_FAILED or

+ * E_FALLBACK for failure.

+ *

+ * E_FAILED means the failure is permanent and definite and there

+ * should be no attempt to fall back to software. (Eg, for some

+ * applications, which support only the acceleration-only

+ * functions, the `key material' may actually be an encoded key

+ * identifier, and doing the operation in software would give wrong

+ * answers.)

+ *

+ * E_FALLBACK means that doing the computation in software would seem

+ * reasonable. If an application pays attention to this and is

+ * able to fall back, it should also set the Fallback init flags.

+ */

+typedef

+int HWCryptoHook_RSALoadKey_t(HWCryptoHook_ContextHandle hwctx,

+ const char *key_ident,

+ HWCryptoHook_RSAKeyHandle *keyhandle_r,

+ const HWCryptoHook_ErrMsgBuf *errors,

+ HWCryptoHook_PassphraseContext *ppctx);

+extern HWCryptoHook_RSALoadKey_t HWCryptoHook_RSALoadKey;

+/* The key_ident is a null-terminated string configured by the

+ * user via the application's usual configuration mechanisms.

+ * It is provided to the user by the crypto provider's key management

+ * system. The user must be able to enter at least any string of between

+ * 1 and 1023 characters inclusive, consisting of printable 7-bit

+ * ASCII characters. The provider should avoid using

+ * any characters except alphanumerics and the punctuation

+ * characters _ - + . / @ ~ (the user is expected to be able

+ * to enter these without quoting). The string may be case-sensitive.

+ * The application may allow the user to enter other NULL-terminated strings,

+ * and the provider must cope (returning an error if the string is not

+ * valid).

+ *

+ * If the key does not exist, no error is recorded and 0 is returned;

+ * keyhandle_r will be set to 0 instead of to a key handle.

+ */

+typedef

+int HWCryptoHook_RSAGetPublicKey_t(HWCryptoHook_RSAKeyHandle k,

+ HWCryptoHook_MPI *n,

+ HWCryptoHook_MPI *e,

+ const HWCryptoHook_ErrMsgBuf *errors);

+extern HWCryptoHook_RSAGetPublicKey_t HWCryptoHook_RSAGetPublicKey;

+/* The crypto plugin will not store certificates.

+ *

+ * Although this function for acquiring the public key value is

+ * provided, it is not the purpose of this API to deal fully with the

+ * handling of the public key.

+ *

+ * It is expected that the crypto supplier's key generation program

+ * will provide general facilities for producing X.509

+ * self-certificates and certificate requests in PEM format. These

+ * will be given to the user so that they can configure them in the

+ * application, send them to CAs, or whatever.

+ *

+ * In case this kind of certificate handling is not appropriate, the

+ * crypto supplier's key generation program should be able to be

+ * configured not to generate such a self-certificate or certificate

+ * request. Then the application will need to do all of this, and

+ * will need to store and handle the public key and certificates

+ * itself.

+ */

+typedef

+int HWCryptoHook_RSAUnloadKey_t(HWCryptoHook_RSAKeyHandle k,

+ const HWCryptoHook_ErrMsgBuf *errors);

+extern HWCryptoHook_RSAUnloadKey_t HWCryptoHook_RSAUnloadKey;

+/* Might fail due to locking problems, or other serious internal problems. */

+typedef

+int HWCryptoHook_RSA_t(HWCryptoHook_MPI m,

+ HWCryptoHook_RSAKeyHandle k,

+ HWCryptoHook_MPI *r,

+ const HWCryptoHook_ErrMsgBuf *errors);

+extern HWCryptoHook_RSA_t HWCryptoHook_RSA;

+/* RSA private key operation (sign or decrypt) - raw, unpadded. */

+#endif /*HWCRYPTOHOOK_H*/

diff --git a/lib/libcrypto/engine/vendor_defns/sureware.h b/lib/libcrypto/engine/vendor_defns/sureware.h
new file mode 100644
index 00000000000..1d3789219df
--- /dev/null
+++ b/lib/libcrypto/engine/vendor_defns/sureware.h

@@ -0,0 +1,239 @@