Apply patch from Toomas Kiisk <vix@cyber.ee> and complete it.
[openssl.git] / crypto / engine / hw_ncipher.c
index 0057ca966c68958828a1a4930997169e1b10629b..8d86ce20bf34e40f51910d8ddc426f06e3594c25 100644 (file)
@@ -4,7 +4,7 @@
  * for the OpenSSL project 2000.
  */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  */
 
 #include <stdio.h>
+#include <string.h>
 #include <openssl/crypto.h>
 #include <openssl/pem.h>
 #include "cryptlib.h"
 #include <openssl/dso.h>
-#include "engine_int.h"
 #include <openssl/engine.h>
+#include <openssl/ui.h>
 
-#ifndef NO_HW
-#ifndef NO_HW_NCIPHER
+#ifndef OPENSSL_NO_HW
+#ifndef OPENSSL_NO_HW_NCIPHER
 
 /* Attribution notice: nCipher have said several times that it's OK for
  * us to implement a general interface to their boxes, and recently declared
 #include "vendor_defns/hwcryptohook.h"
 #endif
 
-static int hwcrhk_init(void);
-static int hwcrhk_finish(void);
-static int hwcrhk_ctrl(int cmd, long i, void *p, void (*f)()); 
+static int hwcrhk_destroy(ENGINE *e);
+static int hwcrhk_init(ENGINE *e);
+static int hwcrhk_finish(ENGINE *e);
+static int hwcrhk_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)()); 
 
 /* Functions to handle mutexes */
 static int hwcrhk_mutex_init(HWCryptoHook_Mutex*, HWCryptoHook_CallerContext*);
@@ -96,8 +98,10 @@ static void hwcrhk_mutex_destroy(HWCryptoHook_Mutex*);
 static int hwcrhk_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
                const BIGNUM *m, BN_CTX *ctx);
 
+#ifndef OPENSSL_NO_RSA
 /* RSA stuff */
 static int hwcrhk_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa);
+#endif
 /* This function is aliased to mod_exp (with the mont stuff dropped). */
 static int hwcrhk_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
                const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
@@ -113,20 +117,55 @@ static int hwcrhk_rand_bytes(unsigned char *buf, int num);
 static int hwcrhk_rand_status(void);
 
 /* KM stuff */
-static EVP_PKEY *hwcrhk_load_privkey(const char *key_id,
-       const char *passphrase);
-static EVP_PKEY *hwcrhk_load_pubkey(const char *key_id,
-       const char *passphrase);
+static EVP_PKEY *hwcrhk_load_privkey(ENGINE *eng, const char *key_id,
+       UI_METHOD *ui_method, void *callback_data);
+static EVP_PKEY *hwcrhk_load_pubkey(ENGINE *eng, const char *key_id,
+       UI_METHOD *ui_method, void *callback_data);
 static void hwcrhk_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad,
        int ind,long argl, void *argp);
 
 /* Interaction stuff */
+static int hwcrhk_insert_card(const char *prompt_info,
+       const char *wrong_info,
+       HWCryptoHook_PassphraseContext *ppctx,
+       HWCryptoHook_CallerContext *cactx);
 static int hwcrhk_get_pass(const char *prompt_info,
        int *len_io, char *buf,
        HWCryptoHook_PassphraseContext *ppctx,
        HWCryptoHook_CallerContext *cactx);
 static void hwcrhk_log_message(void *logstr, const char *message);
 
+/* The definitions for control commands specific to this engine */
+#define HWCRHK_CMD_SO_PATH             ENGINE_CMD_BASE
+#define HWCRHK_CMD_FORK_CHECK          (ENGINE_CMD_BASE + 1)
+#define HWCRHK_CMD_THREAD_LOCKING      (ENGINE_CMD_BASE + 2)
+#define HWCRHK_CMD_SET_USER_INTERFACE   (ENGINE_CMD_BASE + 3)
+#define HWCRHK_CMD_SET_CALLBACK_DATA    (ENGINE_CMD_BASE + 4)
+static const ENGINE_CMD_DEFN hwcrhk_cmd_defns[] = {
+       {HWCRHK_CMD_SO_PATH,
+               "SO_PATH",
+               "Specifies the path to the 'hwcrhk' shared library",
+               ENGINE_CMD_FLAG_STRING},
+       {HWCRHK_CMD_FORK_CHECK,
+               "FORK_CHECK",
+               "Turns fork() checking on or off (boolean)",
+               ENGINE_CMD_FLAG_NUMERIC},
+       {HWCRHK_CMD_THREAD_LOCKING,
+               "THREAD_LOCKING",
+               "Turns thread-safe locking on or off (boolean)",
+               ENGINE_CMD_FLAG_NUMERIC},
+       {HWCRHK_CMD_SET_USER_INTERFACE,
+               "SET_USER_INTERFACE",
+               "Set the global user interface (internal)",
+               ENGINE_CMD_FLAG_INTERNAL},
+       {HWCRHK_CMD_SET_CALLBACK_DATA,
+               "SET_CALLBACK_DATA",
+               "Set the global user interface extra data (internal)",
+               ENGINE_CMD_FLAG_INTERNAL},
+       {0, NULL, NULL, 0}
+       };
+
+#ifndef OPENSSL_NO_RSA
 /* Our internal RSA_METHOD that we provide pointers to */
 static RSA_METHOD hwcrhk_rsa =
        {
@@ -144,7 +183,9 @@ static RSA_METHOD hwcrhk_rsa =
        NULL,
        NULL
        };
+#endif
 
+#ifndef OPENSSL_NO_DH
 /* Our internal DH_METHOD that we provide pointers to */
 static DH_METHOD hwcrhk_dh =
        {
@@ -157,6 +198,7 @@ static DH_METHOD hwcrhk_dh =
        0,
        NULL
        };
+#endif
 
 static RAND_METHOD hwcrhk_rand =
        {
@@ -169,26 +211,94 @@ static RAND_METHOD hwcrhk_rand =
        hwcrhk_rand_status,
        };
 
-/* Our ENGINE structure. */
-static ENGINE engine_hwcrhk =
-        {
-       "chil",
-       "nCipher hardware engine support",
-       &hwcrhk_rsa,
-       NULL,
-       &hwcrhk_dh,
-       &hwcrhk_rand,
-       hwcrhk_mod_exp,
-       NULL,
-       hwcrhk_init,
-       hwcrhk_finish,
-       hwcrhk_ctrl,
-       hwcrhk_load_privkey,
-       hwcrhk_load_pubkey,
-       0, /* no flags */
-       0, 0, /* no references */
-       NULL, NULL /* unlinked */
-        };
+#ifndef OPENSSL_NO_ERR
+/* Error function codes for use in hwcrhk operation */
+#define HWCRHK_F_HWCRHK_INIT                   100
+#define HWCRHK_F_HWCRHK_FINISH                 101
+#define HWCRHK_F_HWCRHK_CTRL                   102
+#define HWCRHK_F_HWCRHK_LOAD_PRIVKEY           103
+#define HWCRHK_F_HWCRHK_LOAD_PUBKEY            104
+#define HWCRHK_F_HWCRHK_MOD_EXP                        105
+#define HWCRHK_F_HWCRHK_RSA_MOD_EXP            106
+#define HWCRHK_F_HWCRHK_RAND_BYTES             107
+#define HWCRHK_F_HWCRHK_GET_PASS               108
+#define HWCRHK_F_HWCRHK_INSERT_CARD            109
+/* Error reason codes */
+#define HWCRHK_R_ALREADY_LOADED                        110
+#define HWCRHK_R_DSO_FAILURE                   111
+#define HWCRHK_R_UNIT_FAILURE                  112
+#define HWCRHK_R_NOT_LOADED                    113
+#define HWCRHK_R_BIO_WAS_FREED                 114
+#define HWCRHK_R_CTRL_COMMAND_NOT_IMPLEMENTED  115
+#define HWCRHK_R_NOT_INITIALISED               116
+#define HWCRHK_R_CHIL_ERROR                    117
+#define HWCRHK_R_NO_KEY                                118
+#define HWCRHK_R_PRIVATE_KEY_ALGORITHMS_DISABLED 119
+#define HWCRHK_R_REQUEST_FALLBACK              120
+#define HWCRHK_R_REQUEST_FAILED                        121
+#define HWCRHK_R_MISSING_KEY_COMPONENTS                122
+#define HWCRHK_R_NO_CALLBACK                   123
+static ERR_STRING_DATA hwcrhk_str_functs[] =
+       {
+       /* This first element is changed to match the dynamic 'lib' number */
+{ERR_PACK(0,0,0),                              "hwcrhk engine code"},
+{ERR_PACK(0,HWCRHK_F_HWCRHK_INIT,0),           "hwcrhk_init"},
+{ERR_PACK(0,HWCRHK_F_HWCRHK_FINISH,0),                         ""},
+{ERR_PACK(0,HWCRHK_F_HWCRHK_CTRL,0),                           ""},
+{ERR_PACK(0,HWCRHK_F_HWCRHK_LOAD_PRIVKEY,0),                           ""},
+{ERR_PACK(0,HWCRHK_F_HWCRHK_LOAD_PUBKEY,0),                            ""},
+{ERR_PACK(0,HWCRHK_F_HWCRHK_MOD_EXP,0),                                ""},
+{ERR_PACK(0,HWCRHK_F_HWCRHK_RSA_MOD_EXP,0),                            ""},
+{ERR_PACK(0,HWCRHK_F_HWCRHK_RAND_BYTES,0),                             ""},
+{ERR_PACK(0,HWCRHK_F_HWCRHK_GET_PASS,0),                               ""},
+{ERR_PACK(0,HWCRHK_F_HWCRHK_INSERT_CARD,0),                            ""},
+/* Error reason codes */
+{HWCRHK_R_ALREADY_LOADED               ,"already loaded"},
+{HWCRHK_R_DSO_FAILURE                  ,"DSO failure"},
+{HWCRHK_R_UNIT_FAILURE                 ,"unit failure"},
+{HWCRHK_R_NOT_LOADED                   ,"not loaded"},
+{HWCRHK_R_BIO_WAS_FREED                        ,"BIO was freed"},
+{HWCRHK_R_CTRL_COMMAND_NOT_IMPLEMENTED ,"ctrl command not implemented"},
+{HWCRHK_R_NOT_INITIALISED              ,"not initialised"},
+{HWCRHK_R_CHIL_ERROR                   ,"'chil' error"},
+{HWCRHK_R_NO_KEY                       ,"no key"},
+{HWCRHK_R_PRIVATE_KEY_ALGORITHMS_DISABLED,"private key algorithms disabled"},
+{HWCRHK_R_REQUEST_FALLBACK             ,"request fallback"},
+{HWCRHK_R_REQUEST_FAILED               ,"request failed"},
+{HWCRHK_R_MISSING_KEY_COMPONENTS       ,"missing key components"},
+{HWCRHK_R_NO_CALLBACK                  ,"no callback"},
+{0,NULL}
+       };
+/* The library number we obtain dynamically from the ERR code */
+static int hwcrhk_err_lib = -1;
+#define HWCRHKerr(f,r) ERR_PUT_error(hwcrhk_err_lib,(f),(r),__FILE__,__LINE__)
+static void hwcrhk_load_error_strings(void)
+       {
+       if(hwcrhk_err_lib < 0)
+               {
+               if((hwcrhk_err_lib = ERR_get_next_error_library()) <= 0)
+                       return;
+               hwcrhk_str_functs[0].error = ERR_PACK(hwcrhk_err_lib,0,0);
+               ERR_load_strings(hwcrhk_err_lib, hwcrhk_str_functs);
+               }
+       }
+static void hwcrhk_unload_error_strings(void)
+       {
+       if(hwcrhk_err_lib >= 0)
+               {
+               ERR_unload_strings(hwcrhk_err_lib, hwcrhk_str_functs);
+               hwcrhk_err_lib = -1;
+               }
+       }
+#else
+#define HWCRHKerr(f,r)                                 /* NOP */
+static void hwcrhk_load_error_strings(void) { }                /* NOP */
+static void hwcrhk_unload_error_strings(void) { }      /* NOP */
+#endif
+
+/* Constants used when creating the ENGINE */
+static const char *engine_hwcrhk_id = "chil";
+static const char *engine_hwcrhk_name = "nCipher hardware engine support";
 
 /* Internal stuff for HWCryptoHook */
 
@@ -205,7 +315,8 @@ struct HWCryptoHook_MutexValue
    into HWCryptoHook_PassphraseContext */
 struct HWCryptoHook_PassphraseContextValue
        {
-       void *any;
+        UI_METHOD *ui_method;
+       void *callback_data;
        };
 
 /* hwcryptohook.h has some typedefs that turn
@@ -213,7 +324,10 @@ struct HWCryptoHook_PassphraseContextValue
    into HWCryptoHook_CallerContext */
 struct HWCryptoHook_CallerContextValue
        {
-       void *any;
+       pem_password_cb *password_callback; /* Deprecated!  Only present for
+                                               backward compatibility! */
+        UI_METHOD *ui_method;
+       void *callback_data;
        };
 
 /* The MPI structure in HWCryptoHook is pretty compatible with OpenSSL
@@ -223,31 +337,27 @@ struct HWCryptoHook_CallerContextValue
 #define MPI2BN(bn, mp) \
     {mp.size = bn->dmax * sizeof(BN_ULONG); mp.buf = (unsigned char *)bn->d;}
 
-#if 0 /* Card and password management is not yet supported */
-/* HWCryptoHook callbacks.  insert_card() and get_pass() are not yet
-   defined, because we haven't quite decided on the proper form yet.
-   log_message() just adds an entry in the error stack.  I don't know
-   if that's good or bad...  */
-static int insert_card(const char *prompt_info,
-       const char *wrong_info,
-       HWCryptoHook_PassphraseContext *ppctx,
-       HWCryptoHook_CallerContext *cactx);
-static int get_pass(const char *prompt_info,
-       int *len_io, char *buf,
-       HWCryptoHook_PassphraseContext *ppctx,
-       HWCryptoHook_CallerContext *cactx);
-#endif
-
 static BIO *logstream = NULL;
-static pem_password_cb *password_callback = NULL;
-#if 0
-static void *password_callback_userdata = NULL;
-#endif
 static int disable_mutex_callbacks = 0;
 
+/* One might wonder why these are needed, since one can pass down at least
+   a UI_METHOD and a pointer to callback data to the key-loading functions.
+   The thing is that the ModExp and RSAImmed functions can load keys as well,
+   if the data they get is in a special, nCipher-defined format (hint: if you
+   look at the private exponent of the RSA data as a string, you'll see this
+   string: "nCipher KM tool key id", followed by some bytes, followed a key
+   identity string, followed by more bytes.  This happens when you use "embed"
+   keys instead of "hwcrhk" keys).  Unfortunately, those functions do not take
+   any passphrase or caller context, and our functions can't really take any
+   callback data either.  Still, the "insert_card" and "get_passphrase"
+   callbacks may be called down the line, and will need to know what user
+   interface callbacks to call, and having callback data from the application
+   may be a nice thing as well, so we need to keep track of that globally. */
+static HWCryptoHook_CallerContext password_context = { NULL, NULL, NULL };
+
 /* Stuff to pass to the HWCryptoHook library */
 static HWCryptoHook_InitInfo hwcrhk_globals = {
-       0,                      /* Flags */
+       HWCryptoHook_InitFlags_SimpleForkCheck, /* Flags */
        &logstream,             /* logstream */
        sizeof(BN_ULONG),       /* limbsize */
        0,                      /* mslimb first: false for BNs */
@@ -281,20 +391,42 @@ static HWCryptoHook_InitInfo hwcrhk_globals = {
        0, /* hwcrhk_cv_destroy, */
 
        hwcrhk_get_pass,        /* pass phrase */
-       0, /* insert_card, */   /* insert a card */
+       hwcrhk_insert_card,     /* insert a card */
        hwcrhk_log_message      /* Log message */
 };
 
 
 /* Now, to our own code */
 
-/* As this is only ever called once, there's no need for locking
- * (indeed - the lock will already be held by our caller!!!) */
-ENGINE *ENGINE_ncipher()
+/* This internal function is used by ENGINE_ncipher() and possibly by the
+ * "dynamic" ENGINE support too */
+static int bind_helper(ENGINE *e)
        {
+#ifndef OPENSSL_NO_RSA
        const RSA_METHOD *meth1;
+#endif
+#ifndef OPENSSL_NO_DH
        const DH_METHOD *meth2;
+#endif
+       if(!ENGINE_set_id(e, engine_hwcrhk_id) ||
+                       !ENGINE_set_name(e, engine_hwcrhk_name) ||
+#ifndef OPENSSL_NO_RSA
+                       !ENGINE_set_RSA(e, &hwcrhk_rsa) ||
+#endif
+#ifndef OPENSSL_NO_DH
+                       !ENGINE_set_DH(e, &hwcrhk_dh) ||
+#endif
+                       !ENGINE_set_RAND(e, &hwcrhk_rand) ||
+                       !ENGINE_set_destroy_function(e, hwcrhk_destroy) ||
+                       !ENGINE_set_init_function(e, hwcrhk_init) ||
+                       !ENGINE_set_finish_function(e, hwcrhk_finish) ||
+                       !ENGINE_set_ctrl_function(e, hwcrhk_ctrl) ||
+                       !ENGINE_set_load_privkey_function(e, hwcrhk_load_privkey) ||
+                       !ENGINE_set_load_pubkey_function(e, hwcrhk_load_pubkey) ||
+                       !ENGINE_set_cmd_defns(e, hwcrhk_cmd_defns))
+               return 0;
 
+#ifndef OPENSSL_NO_RSA
        /* We know that the "PKCS1_SSLeay()" functions hook properly
         * to the cswift-specific mod_exp and mod_exp_crt so we use
         * those functions. NB: We don't use ENGINE_openssl() or
@@ -307,12 +439,41 @@ ENGINE *ENGINE_ncipher()
        hwcrhk_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
        hwcrhk_rsa.rsa_priv_enc = meth1->rsa_priv_enc;
        hwcrhk_rsa.rsa_priv_dec = meth1->rsa_priv_dec;
+#endif
 
+#ifndef OPENSSL_NO_DH
        /* Much the same for Diffie-Hellman */
        meth2 = DH_OpenSSL();
        hwcrhk_dh.generate_key = meth2->generate_key;
        hwcrhk_dh.compute_key = meth2->compute_key;
-       return &engine_hwcrhk;
+#endif
+
+       /* Ensure the hwcrhk error handling is set up */
+       hwcrhk_load_error_strings();
+       return 1;
+       }
+
+static ENGINE *engine_ncipher(void)
+       {
+       ENGINE *ret = ENGINE_new();
+       if(!ret)
+               return NULL;
+       if(!bind_helper(ret))
+               {
+               ENGINE_free(ret);
+               return NULL;
+               }
+       return ret;
+       }
+
+void ENGINE_load_chil(void)
+       {
+       /* Copied from eng_[openssl|dyn].c */
+       ENGINE *toadd = engine_ncipher();
+       if(!toadd) return;
+       ENGINE_add(toadd);
+       ENGINE_free(toadd);
+       ERR_clear_error();
        }
 
 /* This is a process-global DSO handle used for loading and unloading
@@ -322,30 +483,41 @@ ENGINE *ENGINE_ncipher()
  * implicitly. */
 static DSO *hwcrhk_dso = NULL;
 static HWCryptoHook_ContextHandle hwcrhk_context = 0;
-static int hndidx = -1;        /* Index for KM handle.  Not really used yet. */
+#ifndef OPENSSL_NO_RSA
+static int hndidx_rsa = -1;    /* Index for KM handle.  Not really used yet. */
+#endif
 
 /* These are the function pointers that are (un)set when the library has
  * successfully (un)loaded. */
 static HWCryptoHook_Init_t *p_hwcrhk_Init = NULL;
 static HWCryptoHook_Finish_t *p_hwcrhk_Finish = NULL;
 static HWCryptoHook_ModExp_t *p_hwcrhk_ModExp = NULL;
+#ifndef OPENSSL_NO_RSA
 static HWCryptoHook_RSA_t *p_hwcrhk_RSA = NULL;
+#endif
 static HWCryptoHook_RandomBytes_t *p_hwcrhk_RandomBytes = NULL;
+#ifndef OPENSSL_NO_RSA
 static HWCryptoHook_RSALoadKey_t *p_hwcrhk_RSALoadKey = NULL;
 static HWCryptoHook_RSAGetPublicKey_t *p_hwcrhk_RSAGetPublicKey = NULL;
 static HWCryptoHook_RSAUnloadKey_t *p_hwcrhk_RSAUnloadKey = NULL;
+#endif
 static HWCryptoHook_ModExpCRT_t *p_hwcrhk_ModExpCRT = NULL;
 
 /* Used in the DSO operations. */
-static const char *HWCRHK_LIBNAME = "nfhwcrhk";
+static const char def_HWCRHK_LIBNAME[] = "nfhwcrhk";
+static const char *HWCRHK_LIBNAME = def_HWCRHK_LIBNAME;
 static const char *n_hwcrhk_Init = "HWCryptoHook_Init";
 static const char *n_hwcrhk_Finish = "HWCryptoHook_Finish";
 static const char *n_hwcrhk_ModExp = "HWCryptoHook_ModExp";
+#ifndef OPENSSL_NO_RSA
 static const char *n_hwcrhk_RSA = "HWCryptoHook_RSA";
+#endif
 static const char *n_hwcrhk_RandomBytes = "HWCryptoHook_RandomBytes";
+#ifndef OPENSSL_NO_RSA
 static const char *n_hwcrhk_RSALoadKey = "HWCryptoHook_RSALoadKey";
 static const char *n_hwcrhk_RSAGetPublicKey = "HWCryptoHook_RSAGetPublicKey";
 static const char *n_hwcrhk_RSAUnloadKey = "HWCryptoHook_RSAUnloadKey";
+#endif
 static const char *n_hwcrhk_ModExpCRT = "HWCryptoHook_ModExpCRT";
 
 /* HWCryptoHook library functions and mechanics - these are used by the
@@ -354,16 +526,17 @@ static const char *n_hwcrhk_ModExpCRT = "HWCryptoHook_ModExpCRT";
  * called, the checking and error handling is probably down there. */
 
 /* utility function to obtain a context */
-static int get_context(HWCryptoHook_ContextHandle *hac)
+static int get_context(HWCryptoHook_ContextHandle *hac,
+        HWCryptoHook_CallerContext *cac)
        {
        char tempbuf[1024];
        HWCryptoHook_ErrMsgBuf rmsg;
 
        rmsg.buf = tempbuf;
-       rmsg.size = 1024;
+       rmsg.size = sizeof(tempbuf);
 
         *hac = p_hwcrhk_Init(&hwcrhk_globals, sizeof(hwcrhk_globals), &rmsg,
-               NULL);
+               cac);
        if (!*hac)
                 return 0;
         return 1;
@@ -375,29 +548,38 @@ static void release_context(HWCryptoHook_ContextHandle hac)
        p_hwcrhk_Finish(hac);
        }
 
+/* Destructor (complements the "ENGINE_ncipher()" constructor) */
+static int hwcrhk_destroy(ENGINE *e)
+       {
+       hwcrhk_unload_error_strings();
+       return 1;
+       }
+
 /* (de)initialisation functions. */
-static int hwcrhk_init(void)
+static int hwcrhk_init(ENGINE *e)
        {
        HWCryptoHook_Init_t *p1;
        HWCryptoHook_Finish_t *p2;
        HWCryptoHook_ModExp_t *p3;
+#ifndef OPENSSL_NO_RSA
        HWCryptoHook_RSA_t *p4;
        HWCryptoHook_RSALoadKey_t *p5;
        HWCryptoHook_RSAGetPublicKey_t *p6;
        HWCryptoHook_RSAUnloadKey_t *p7;
+#endif
        HWCryptoHook_RandomBytes_t *p8;
        HWCryptoHook_ModExpCRT_t *p9;
 
        if(hwcrhk_dso != NULL)
                {
-               ENGINEerr(ENGINE_F_HWCRHK_INIT,ENGINE_R_ALREADY_LOADED);
+               HWCRHKerr(HWCRHK_F_HWCRHK_INIT,HWCRHK_R_ALREADY_LOADED);
                goto err;
                }
        /* Attempt to load libnfhwcrhk.so/nfhwcrhk.dll/whatever. */
        hwcrhk_dso = DSO_load(NULL, HWCRHK_LIBNAME, NULL, 0);
        if(hwcrhk_dso == NULL)
                {
-               ENGINEerr(ENGINE_F_HWCRHK_INIT,ENGINE_R_DSO_FAILURE);
+               HWCRHKerr(HWCRHK_F_HWCRHK_INIT,HWCRHK_R_DSO_FAILURE);
                goto err;
                }
        if(!(p1 = (HWCryptoHook_Init_t *)
@@ -406,6 +588,7 @@ static int hwcrhk_init(void)
                        DSO_bind_func(hwcrhk_dso, n_hwcrhk_Finish)) ||
                !(p3 = (HWCryptoHook_ModExp_t *)
                        DSO_bind_func(hwcrhk_dso, n_hwcrhk_ModExp)) ||
+#ifndef OPENSSL_NO_RSA
                !(p4 = (HWCryptoHook_RSA_t *)
                        DSO_bind_func(hwcrhk_dso, n_hwcrhk_RSA)) ||
                !(p5 = (HWCryptoHook_RSALoadKey_t *)
@@ -414,22 +597,25 @@ static int hwcrhk_init(void)
                        DSO_bind_func(hwcrhk_dso, n_hwcrhk_RSAGetPublicKey)) ||
                !(p7 = (HWCryptoHook_RSAUnloadKey_t *)
                        DSO_bind_func(hwcrhk_dso, n_hwcrhk_RSAUnloadKey)) ||
+#endif
                !(p8 = (HWCryptoHook_RandomBytes_t *)
                        DSO_bind_func(hwcrhk_dso, n_hwcrhk_RandomBytes)) ||
                !(p9 = (HWCryptoHook_ModExpCRT_t *)
                        DSO_bind_func(hwcrhk_dso, n_hwcrhk_ModExpCRT)))
                {
-               ENGINEerr(ENGINE_F_HWCRHK_INIT,ENGINE_R_DSO_FAILURE);
+               HWCRHKerr(HWCRHK_F_HWCRHK_INIT,HWCRHK_R_DSO_FAILURE);
                goto err;
                }
        /* Copy the pointers */
        p_hwcrhk_Init = p1;
        p_hwcrhk_Finish = p2;
        p_hwcrhk_ModExp = p3;
+#ifndef OPENSSL_NO_RSA
        p_hwcrhk_RSA = p4;
        p_hwcrhk_RSALoadKey = p5;
        p_hwcrhk_RSAGetPublicKey = p6;
        p_hwcrhk_RSAUnloadKey = p7;
+#endif
        p_hwcrhk_RandomBytes = p8;
        p_hwcrhk_ModExpCRT = p9;
 
@@ -448,16 +634,18 @@ static int hwcrhk_init(void)
 
        /* Try and get a context - if not, we may have a DSO but no
         * accelerator! */
-       if(!get_context(&hwcrhk_context))
+       if(!get_context(&hwcrhk_context, &password_context))
                {
-               ENGINEerr(ENGINE_F_HWCRHK_INIT,ENGINE_R_UNIT_FAILURE);
+               HWCRHKerr(HWCRHK_F_HWCRHK_INIT,HWCRHK_R_UNIT_FAILURE);
                goto err;
                }
        /* Everything's fine. */
-       if (hndidx == -1)
-               hndidx = RSA_get_ex_new_index(0,
+#ifndef OPENSSL_NO_RSA
+       if (hndidx_rsa == -1)
+               hndidx_rsa = RSA_get_ex_new_index(0,
                        "nFast HWCryptoHook RSA key handle",
                        NULL, NULL, hwcrhk_ex_free);
+#endif
        return 1;
 err:
        if(hwcrhk_dso)
@@ -466,28 +654,30 @@ err:
        p_hwcrhk_Init = NULL;
        p_hwcrhk_Finish = NULL;
        p_hwcrhk_ModExp = NULL;
+#ifndef OPENSSL_NO_RSA
        p_hwcrhk_RSA = NULL;
        p_hwcrhk_RSALoadKey = NULL;
        p_hwcrhk_RSAGetPublicKey = NULL;
        p_hwcrhk_RSAUnloadKey = NULL;
+#endif
        p_hwcrhk_ModExpCRT = NULL;
        p_hwcrhk_RandomBytes = NULL;
        return 0;
        }
 
-static int hwcrhk_finish(void)
+static int hwcrhk_finish(ENGINE *e)
        {
        int to_return = 1;
        if(hwcrhk_dso == NULL)
                {
-               ENGINEerr(ENGINE_F_HWCRHK_FINISH,ENGINE_R_NOT_LOADED);
+               HWCRHKerr(HWCRHK_F_HWCRHK_FINISH,HWCRHK_R_NOT_LOADED);
                to_return = 0;
                goto err;
                }
        release_context(hwcrhk_context);
        if(!DSO_free(hwcrhk_dso))
                {
-               ENGINEerr(ENGINE_F_HWCRHK_FINISH,ENGINE_R_DSO_FAILURE);
+               HWCRHKerr(HWCRHK_F_HWCRHK_FINISH,HWCRHK_R_DSO_FAILURE);
                to_return = 0;
                goto err;
                }
@@ -498,21 +688,36 @@ static int hwcrhk_finish(void)
        p_hwcrhk_Init = NULL;
        p_hwcrhk_Finish = NULL;
        p_hwcrhk_ModExp = NULL;
+#ifndef OPENSSL_NO_RSA
        p_hwcrhk_RSA = NULL;
        p_hwcrhk_RSALoadKey = NULL;
        p_hwcrhk_RSAGetPublicKey = NULL;
        p_hwcrhk_RSAUnloadKey = NULL;
+#endif
        p_hwcrhk_ModExpCRT = NULL;
        p_hwcrhk_RandomBytes = NULL;
        return to_return;
        }
 
-static int hwcrhk_ctrl(int cmd, long i, void *p, void (*f)())
+static int hwcrhk_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)())
        {
        int to_return = 1;
 
        switch(cmd)
                {
+       case HWCRHK_CMD_SO_PATH:
+               if(hwcrhk_dso)
+                       {
+                       HWCRHKerr(HWCRHK_F_HWCRHK_CTRL,HWCRHK_R_ALREADY_LOADED);
+                       return 0;
+                       }
+               if(p == NULL)
+                       {
+                       HWCRHKerr(HWCRHK_F_HWCRHK_CTRL,ERR_R_PASSED_NULL_PARAMETER);
+                       return 0;
+                       }
+               HWCRHK_LIBNAME = (const char *)p;
+               return 1;
        case ENGINE_CTRL_SET_LOGSTREAM:
                {
                BIO *bio = (BIO *)p;
@@ -526,18 +731,31 @@ static int hwcrhk_ctrl(int cmd, long i, void *p, void (*f)())
                if (CRYPTO_add(&bio->references,1,CRYPTO_LOCK_BIO) > 1)
                        logstream = bio;
                else
-                       ENGINEerr(ENGINE_F_HWCRHK_CTRL,ENGINE_R_BIO_WAS_FREED);
+                       HWCRHKerr(HWCRHK_F_HWCRHK_CTRL,HWCRHK_R_BIO_WAS_FREED);
                }
                CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
                break;
        case ENGINE_CTRL_SET_PASSWORD_CALLBACK:
                CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
-               password_callback = (pem_password_cb *)f;
+               password_context.password_callback = (pem_password_cb *)f;
+               CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+               break;
+       case ENGINE_CTRL_SET_USER_INTERFACE:
+       case HWCRHK_CMD_SET_USER_INTERFACE:
+               CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+               password_context.ui_method = (UI_METHOD *)p;
+               CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+               break;
+       case ENGINE_CTRL_SET_CALLBACK_DATA:
+       case HWCRHK_CMD_SET_CALLBACK_DATA:
+               CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+               password_context.callback_data = p;
                CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
                break;
        /* this enables or disables the "SimpleForkCheck" flag used in the
         * initialisation structure. */
        case ENGINE_CTRL_CHIL_SET_FORKCHECK:
+       case HWCRHK_CMD_FORK_CHECK:
                CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
                if(i)
                        hwcrhk_globals.flags |=
@@ -557,11 +775,16 @@ static int hwcrhk_ctrl(int cmd, long i, void *p, void (*f)())
                disable_mutex_callbacks = 1;
                CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
                break;
+       case HWCRHK_CMD_THREAD_LOCKING:
+               CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+               disable_mutex_callbacks = ((i == 0) ? 0 : 1);
+               CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+               break;
 
        /* The command isn't understood by this engine */
        default:
-               ENGINEerr(ENGINE_F_HWCRHK_CTRL,
-                       ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED);
+               HWCRHKerr(HWCRHK_F_HWCRHK_CTRL,
+                       HWCRHK_R_CTRL_COMMAND_NOT_IMPLEMENTED);
                to_return = 0;
                break;
                }
@@ -569,44 +792,62 @@ static int hwcrhk_ctrl(int cmd, long i, void *p, void (*f)())
        return to_return;
        }
 
-static EVP_PKEY *hwcrhk_load_privkey(const char *key_id,
-       const char *passphrase)
+static EVP_PKEY *hwcrhk_load_privkey(ENGINE *eng, const char *key_id,
+       UI_METHOD *ui_method, void *callback_data)
        {
+#ifndef OPENSSL_NO_RSA
        RSA *rtmp = NULL;
+#endif
        EVP_PKEY *res = NULL;
+#ifndef OPENSSL_NO_RSA
        HWCryptoHook_MPI e, n;
        HWCryptoHook_RSAKeyHandle *hptr;
+#endif
+#if !defined(OPENSSL_NO_RSA)
+       char tempbuf[1024];
        HWCryptoHook_ErrMsgBuf rmsg;
+#endif
+       HWCryptoHook_PassphraseContext ppctx;
+
+#if !defined(OPENSSL_NO_RSA)
+       rmsg.buf = tempbuf;
+       rmsg.size = sizeof(tempbuf);
+#endif
 
        if(!hwcrhk_context)
                {
-               ENGINEerr(ENGINE_F_HWCRHK_LOAD_PRIVKEY,
-                       ENGINE_R_NOT_INITIALISED);
+               HWCRHKerr(HWCRHK_F_HWCRHK_LOAD_PRIVKEY,
+                       HWCRHK_R_NOT_INITIALISED);
                goto err;
                }
+#ifndef OPENSSL_NO_RSA
        hptr = OPENSSL_malloc(sizeof(HWCryptoHook_RSAKeyHandle));
        if (!hptr)
                {
-               ENGINEerr(ENGINE_F_HWCRHK_LOAD_PRIVKEY,
+               HWCRHKerr(HWCRHK_F_HWCRHK_LOAD_PRIVKEY,
                        ERR_R_MALLOC_FAILURE);
                goto err;
                }
+        ppctx.ui_method = ui_method;
+       ppctx.callback_data = callback_data;
        if (p_hwcrhk_RSALoadKey(hwcrhk_context, key_id, hptr,
-               &rmsg, NULL))
+               &rmsg, &ppctx))
                {
-               ENGINEerr(ENGINE_F_HWCRHK_LOAD_PRIVKEY,
-                       ENGINE_R_CHIL_ERROR);
+               HWCRHKerr(HWCRHK_F_HWCRHK_LOAD_PRIVKEY,
+                       HWCRHK_R_CHIL_ERROR);
                ERR_add_error_data(1,rmsg.buf);
                goto err;
                }
        if (!*hptr)
                {
-               ENGINEerr(ENGINE_F_HWCRHK_LOAD_PRIVKEY,
-                       ENGINE_R_NO_KEY);
+               HWCRHKerr(HWCRHK_F_HWCRHK_LOAD_PRIVKEY,
+                       HWCRHK_R_NO_KEY);
                goto err;
                }
-       rtmp = RSA_new_method(&engine_hwcrhk);
-       RSA_set_ex_data(rtmp, hndidx, (char *)hptr);
+#endif
+#ifndef OPENSSL_NO_RSA
+       rtmp = RSA_new_method(eng);
+       RSA_set_ex_data(rtmp, hndidx_rsa, (char *)hptr);
        rtmp->e = BN_new();
        rtmp->n = BN_new();
        rtmp->flags |= RSA_FLAG_EXT_PKEY;
@@ -615,11 +856,11 @@ static EVP_PKEY *hwcrhk_load_privkey(const char *key_id,
        if (p_hwcrhk_RSAGetPublicKey(*hptr, &n, &e, &rmsg)
                != HWCRYPTOHOOK_ERROR_MPISIZE)
                {
-               ENGINEerr(ENGINE_F_HWCRHK_LOAD_PUBKEY,ENGINE_R_CHIL_ERROR);
+               HWCRHKerr(HWCRHK_F_HWCRHK_LOAD_PUBKEY,HWCRHK_R_CHIL_ERROR);
                ERR_add_error_data(1,rmsg.buf);
                goto err;
                }
-                       
+
        bn_expand2(rtmp->e, e.size/sizeof(BN_ULONG));
        bn_expand2(rtmp->n, n.size/sizeof(BN_ULONG));
        MPI2BN(rtmp->e, e);
@@ -627,8 +868,8 @@ static EVP_PKEY *hwcrhk_load_privkey(const char *key_id,
 
        if (p_hwcrhk_RSAGetPublicKey(*hptr, &n, &e, &rmsg))
                {
-               ENGINEerr(ENGINE_F_HWCRHK_LOAD_PUBKEY,
-                       ENGINE_R_CHIL_ERROR);
+               HWCRHKerr(HWCRHK_F_HWCRHK_LOAD_PUBKEY,
+                       HWCRHK_R_CHIL_ERROR);
                ERR_add_error_data(1,rmsg.buf);
                goto err;
                }
@@ -639,23 +880,37 @@ static EVP_PKEY *hwcrhk_load_privkey(const char *key_id,
 
        res = EVP_PKEY_new();
        EVP_PKEY_assign_RSA(res, rtmp);
+#endif
+
+        if (!res)
+                HWCRHKerr(HWCRHK_F_HWCRHK_LOAD_PUBKEY,
+                        HWCRHK_R_PRIVATE_KEY_ALGORITHMS_DISABLED);
 
        return res;
  err:
        if (res)
                EVP_PKEY_free(res);
+#ifndef OPENSSL_NO_RSA
        if (rtmp)
                RSA_free(rtmp);
+#endif
        return NULL;
        }
 
-static EVP_PKEY *hwcrhk_load_pubkey(const char *key_id, const char *passphrase)
+static EVP_PKEY *hwcrhk_load_pubkey(ENGINE *eng, const char *key_id,
+       UI_METHOD *ui_method, void *callback_data)
        {
-       EVP_PKEY *res = hwcrhk_load_privkey(key_id, passphrase);
+       EVP_PKEY *res = NULL;
+
+#ifndef OPENSSL_NO_RSA
+        res = hwcrhk_load_privkey(eng, key_id,
+                ui_method, callback_data);
+#endif
 
        if (res)
                switch(res->type)
                        {
+#ifndef OPENSSL_NO_RSA
                case EVP_PKEY_RSA:
                        {
                        RSA *rsa = NULL;
@@ -665,12 +920,16 @@ static EVP_PKEY *hwcrhk_load_pubkey(const char *key_id, const char *passphrase)
                        res->pkey.rsa = RSA_new();
                        res->pkey.rsa->n = rsa->n;
                        res->pkey.rsa->e = rsa->e;
+                       rsa->n = NULL;
+                       rsa->e = NULL;
                        CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY);
                        RSA_free(rsa);
                        }
+                       break;
+#endif
                default:
-                       ENGINEerr(ENGINE_F_HWCRHK_LOAD_PUBKEY,
-                               ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED);
+                       HWCRHKerr(HWCRHK_F_HWCRHK_LOAD_PUBKEY,
+                               HWCRHK_R_CTRL_COMMAND_NOT_IMPLEMENTED);
                        goto err;
                        }
 
@@ -695,11 +954,11 @@ static int hwcrhk_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
  
        to_return = 0; /* expect failure */
        rmsg.buf = tempbuf;
-       rmsg.size = 1024;
+       rmsg.size = sizeof(tempbuf);
 
        if(!hwcrhk_context)
                {
-               ENGINEerr(ENGINE_F_HWCRHK_MOD_EXP,ENGINE_R_NOT_INITIALISED);
+               HWCRHKerr(HWCRHK_F_HWCRHK_MOD_EXP,HWCRHK_R_NOT_INITIALISED);
                goto err;
                }
        /* Prepare the params */
@@ -723,11 +982,11 @@ static int hwcrhk_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
                   might be a good thing. */
                if(ret == HWCRYPTOHOOK_ERROR_FALLBACK)
                        {
-                       ENGINEerr(ENGINE_F_HWCRHK_MOD_EXP,ENGINE_R_REQUEST_FALLBACK);
+                       HWCRHKerr(HWCRHK_F_HWCRHK_MOD_EXP,HWCRHK_R_REQUEST_FALLBACK);
                        }
                else
                        {
-                       ENGINEerr(ENGINE_F_HWCRHK_MOD_EXP,ENGINE_R_REQUEST_FAILED);
+                       HWCRHKerr(HWCRHK_F_HWCRHK_MOD_EXP,HWCRHK_R_REQUEST_FAILED);
                        }
                ERR_add_error_data(1,rmsg.buf);
                goto err;
@@ -737,7 +996,8 @@ static int hwcrhk_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 err:
        return to_return;
        }
+
+#ifndef OPENSSL_NO_RSA 
 static int hwcrhk_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa)
        {
        char tempbuf[1024];
@@ -745,30 +1005,30 @@ static int hwcrhk_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa)
        HWCryptoHook_RSAKeyHandle *hptr;
        int to_return = 0, ret;
 
+       rmsg.buf = tempbuf;
+       rmsg.size = sizeof(tempbuf);
+
        if(!hwcrhk_context)
                {
-               ENGINEerr(ENGINE_F_HWCRHK_MOD_EXP,ENGINE_R_NOT_INITIALISED);
+               HWCRHKerr(HWCRHK_F_HWCRHK_MOD_EXP,HWCRHK_R_NOT_INITIALISED);
                goto err;
                }
 
        /* This provides support for nForce keys.  Since that's opaque data
           all we do is provide a handle to the proper key and let HWCryptoHook
           take care of the rest. */
-       if ((hptr = (HWCryptoHook_RSAKeyHandle *) RSA_get_ex_data(rsa, hndidx))
+       if ((hptr = (HWCryptoHook_RSAKeyHandle *) RSA_get_ex_data(rsa, hndidx_rsa))
                != NULL)
                {
                HWCryptoHook_MPI m_a, m_r;
 
                if(!rsa->n)
                        {
-                       ENGINEerr(ENGINE_F_HWCRHK_RSA_MOD_EXP,
-                               ENGINE_R_MISSING_KEY_COMPONENTS);
+                       HWCRHKerr(HWCRHK_F_HWCRHK_RSA_MOD_EXP,
+                               HWCRHK_R_MISSING_KEY_COMPONENTS);
                        goto err;
                        }
 
-               rmsg.buf = tempbuf;
-               rmsg.size = 1024;
-
                /* Prepare the params */
                bn_expand2(r, rsa->n->top); /* Check for error !! */
                BN2MPI(m_a, I);
@@ -788,11 +1048,13 @@ static int hwcrhk_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa)
                           might be a good thing. */
                        if(ret == HWCRYPTOHOOK_ERROR_FALLBACK)
                                {
-                               ENGINEerr(ENGINE_F_HWCRHK_RSA_MOD_EXP,ENGINE_R_REQUEST_FALLBACK);
+                               HWCRHKerr(HWCRHK_F_HWCRHK_RSA_MOD_EXP,
+                                       HWCRHK_R_REQUEST_FALLBACK);
                                }
                        else
                                {
-                               ENGINEerr(ENGINE_F_HWCRHK_RSA_MOD_EXP,ENGINE_R_REQUEST_FAILED);
+                               HWCRHKerr(HWCRHK_F_HWCRHK_RSA_MOD_EXP,
+                                       HWCRHK_R_REQUEST_FAILED);
                                }
                        ERR_add_error_data(1,rmsg.buf);
                        goto err;
@@ -804,14 +1066,11 @@ static int hwcrhk_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa)
 
                if(!rsa->p || !rsa->q || !rsa->dmp1 || !rsa->dmq1 || !rsa->iqmp)
                        {
-                       ENGINEerr(ENGINE_F_HWCRHK_RSA_MOD_EXP,
-                               ENGINE_R_MISSING_KEY_COMPONENTS);
+                       HWCRHKerr(HWCRHK_F_HWCRHK_RSA_MOD_EXP,
+                               HWCRHK_R_MISSING_KEY_COMPONENTS);
                        goto err;
                        }
 
-               rmsg.buf = tempbuf;
-               rmsg.size = 1024;
-
                /* Prepare the params */
                bn_expand2(r, rsa->n->top); /* Check for error !! */
                BN2MPI(m_a, I);
@@ -837,11 +1096,13 @@ static int hwcrhk_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa)
                           might be a good thing. */
                        if(ret == HWCRYPTOHOOK_ERROR_FALLBACK)
                                {
-                               ENGINEerr(ENGINE_F_HWCRHK_RSA_MOD_EXP,ENGINE_R_REQUEST_FALLBACK);
+                               HWCRHKerr(HWCRHK_F_HWCRHK_RSA_MOD_EXP,
+                                       HWCRHK_R_REQUEST_FALLBACK);
                                }
                        else
                                {
-                               ENGINEerr(ENGINE_F_HWCRHK_RSA_MOD_EXP,ENGINE_R_REQUEST_FAILED);
+                               HWCRHKerr(HWCRHK_F_HWCRHK_RSA_MOD_EXP,
+                                       HWCRHK_R_REQUEST_FAILED);
                                }
                        ERR_add_error_data(1,rmsg.buf);
                        goto err;
@@ -852,6 +1113,7 @@ static int hwcrhk_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa)
 err:
        return to_return;
        }
+#endif
 
 /* This function is aliased to mod_exp (with the mont stuff dropped). */
 static int hwcrhk_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
@@ -877,11 +1139,11 @@ static int hwcrhk_rand_bytes(unsigned char *buf, int num)
        int ret;
 
        rmsg.buf = tempbuf;
-       rmsg.size = 1024;
+       rmsg.size = sizeof(tempbuf);
 
        if(!hwcrhk_context)
                {
-               ENGINEerr(ENGINE_F_HWCRHK_RAND_BYTES,ENGINE_R_NOT_INITIALISED);
+               HWCRHKerr(HWCRHK_F_HWCRHK_RAND_BYTES,HWCRHK_R_NOT_INITIALISED);
                goto err;
                }
 
@@ -893,11 +1155,13 @@ static int hwcrhk_rand_bytes(unsigned char *buf, int num)
                   might be a good thing. */
                if(ret == HWCRYPTOHOOK_ERROR_FALLBACK)
                        {
-                       ENGINEerr(ENGINE_F_HWCRHK_RAND_BYTES,ENGINE_R_REQUEST_FALLBACK);
+                       HWCRHKerr(HWCRHK_F_HWCRHK_RAND_BYTES,
+                               HWCRHK_R_REQUEST_FALLBACK);
                        }
                else
                        {
-                       ENGINEerr(ENGINE_F_HWCRHK_RAND_BYTES,ENGINE_R_REQUEST_FAILED);
+                       HWCRHKerr(HWCRHK_F_HWCRHK_RAND_BYTES,
+                               HWCRHK_R_REQUEST_FAILED);
                        }
                ERR_add_error_data(1,rmsg.buf);
                goto err;
@@ -919,16 +1183,24 @@ static void hwcrhk_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad,
 {
        char tempbuf[1024];
        HWCryptoHook_ErrMsgBuf rmsg;
+#ifndef OPENSSL_NO_RSA
        HWCryptoHook_RSAKeyHandle *hptr;
+#endif
+#if !defined(OPENSSL_NO_RSA)
        int ret;
+#endif
 
        rmsg.buf = tempbuf;
-       rmsg.size = 1024;
+       rmsg.size = sizeof(tempbuf);
 
+#ifndef OPENSSL_NO_RSA
        hptr = (HWCryptoHook_RSAKeyHandle *) item;
-       if(!hptr) return;
-       ret = p_hwcrhk_RSAUnloadKey(*hptr, NULL);
-       OPENSSL_free(hptr);
+       if(hptr)
+                {
+                ret = p_hwcrhk_RSAUnloadKey(*hptr, NULL);
+                OPENSSL_free(hptr);
+                }
+#endif
 }
 
 /* Mutex calls: since the HWCryptoHook model closely follows the POSIX model
@@ -940,14 +1212,14 @@ static int hwcrhk_mutex_init(HWCryptoHook_Mutex* mt,
        {
        mt->lockid = CRYPTO_get_new_dynlockid();
        if (mt->lockid == 0)
-               return 0;
-       return 1;
+               return 1; /* failure */
+       return 0; /* success */
        }
 
 static int hwcrhk_mutex_lock(HWCryptoHook_Mutex *mt)
        {
        CRYPTO_w_lock(mt->lockid);
-       return 1;
+       return 0;
        }
 
 void hwcrhk_mutex_unlock(HWCryptoHook_Mutex * mt)
@@ -965,43 +1237,139 @@ static int hwcrhk_get_pass(const char *prompt_info,
        HWCryptoHook_PassphraseContext *ppctx,
        HWCryptoHook_CallerContext *cactx)
        {
-       int l = 0;
-       char prompt[1024];
-
-       if (password_callback == NULL)
+       pem_password_cb *callback = NULL;
+       void *callback_data = NULL;
+        UI_METHOD *ui_method = NULL;
+
+        if (cactx)
+                {
+                if (cactx->ui_method)
+                        ui_method = cactx->ui_method;
+               if (cactx->password_callback)
+                       callback = cactx->password_callback;
+               if (cactx->callback_data)
+                       callback_data = cactx->callback_data;
+                }
+       if (ppctx)
                {
-               ENGINEerr(ENGINE_F_HWCRHK_GET_PASS,ENGINE_R_NO_CALLBACK);
-               return -1;
+                if (ppctx->ui_method)
+                        {
+                        ui_method = ppctx->ui_method;
+                        callback = NULL;
+                        }
+               if (ppctx->callback_data)
+                       callback_data = ppctx->callback_data;
                }
-       if (prompt_info)
+       if (callback == NULL && ui_method == NULL)
                {
-               strncpy(prompt, "Card: \"", sizeof(prompt));
-               l += 5;
-               strncpy(prompt + l, prompt_info, sizeof(prompt) - l);
-               l += strlen(prompt_info);
-               if (l + 2 < sizeof(prompt))
-                       {
-                       strncpy(prompt + l, "\"\n", sizeof(prompt) - l);
-                       l += 2;
-                       }
-               }
-       if (l < sizeof(prompt) - 1)
-               {
-               strncpy(prompt, "Enter Passphrase <enter to cancel>:",
-                       sizeof(prompt) - l);
-               l += 35;
+               HWCRHKerr(HWCRHK_F_HWCRHK_GET_PASS,HWCRHK_R_NO_CALLBACK);
+               return -1;
                }
-       prompt[l] = '\0';
 
-       /* I know, passing on the prompt instead of the user data *is*
-          a bad thing.  However, that's all we have right now.
-          --  Richard Levitte */
-       *len_io = password_callback(buf, *len_io, 0, prompt);
+        if (ui_method)
+                {
+                UI *ui = UI_new_method(ui_method);
+                if (ui)
+                        {
+                        int ok;
+                        char *prompt = UI_construct_prompt(ui,
+                                "pass phrase", prompt_info);
+
+                        ok = UI_add_input_string(ui,prompt,
+                                UI_INPUT_FLAG_DEFAULT_PWD,
+                               buf,0,(*len_io) - 1);
+                        UI_add_user_data(ui, callback_data);
+                       UI_ctrl(ui, UI_CTRL_PRINT_ERRORS, 1, 0, 0);
+
+                       if (ok >= 0)
+                               do
+                                       {
+                                       ok=UI_process(ui);
+                                       }
+                               while (ok < 0 && UI_ctrl(ui, UI_CTRL_IS_REDOABLE, 0, 0, 0));
+
+                        if (ok >= 0)
+                                *len_io = strlen(buf);
+
+                        UI_free(ui);
+                        OPENSSL_free(prompt);
+                        }
+                }
+        else
+                {
+                *len_io = callback(buf, *len_io, 0, callback_data);
+                }
        if(!*len_io)
                return -1;
        return 0;
        }
 
+static int hwcrhk_insert_card(const char *prompt_info,
+                     const char *wrong_info,
+                     HWCryptoHook_PassphraseContext *ppctx,
+                     HWCryptoHook_CallerContext *cactx)
+        {
+        int ok = -1;
+        UI *ui;
+       void *callback_data = NULL;
+        UI_METHOD *ui_method = NULL;
+
+        if (cactx)
+                {
+                if (cactx->ui_method)
+                        ui_method = cactx->ui_method;
+               if (cactx->callback_data)
+                       callback_data = cactx->callback_data;
+                }
+       if (ppctx)
+               {
+                if (ppctx->ui_method)
+                        ui_method = ppctx->ui_method;
+               if (ppctx->callback_data)
+                       callback_data = ppctx->callback_data;
+               }
+       if (ui_method == NULL)
+               {
+               HWCRHKerr(HWCRHK_F_HWCRHK_INSERT_CARD,
+                       HWCRHK_R_NO_CALLBACK);
+               return -1;
+               }
+
+       ui = UI_new_method(ui_method);
+
+       if (ui)
+               {
+               char answer;
+               char buf[BUFSIZ];
+
+               if (wrong_info)
+                       BIO_snprintf(buf, sizeof(buf)-1,
+                               "Current card: \"%s\"\n", wrong_info);
+               ok = UI_dup_info_string(ui, buf);
+               if (ok >= 0 && prompt_info)
+                       {
+                       BIO_snprintf(buf, sizeof(buf)-1,
+                               "Insert card \"%s\"", prompt_info);
+                       ok = UI_dup_input_boolean(ui, buf,
+                               "\n then hit <enter> or C<enter> to cancel\n",
+                               "\r\n", "Cc", UI_INPUT_FLAG_ECHO, &answer);
+                       }
+               UI_add_user_data(ui, callback_data);
+
+               if (ok >= 0)
+                       ok = UI_process(ui);
+               UI_free(ui);
+
+               if (ok == -2 || (ok >= 0 && answer == 'C'))
+                       ok = 1;
+               else if (ok < 0)
+                       ok = -1;
+               else
+                       ok = 0;
+               }
+       return ok;
+       }
+
 static void hwcrhk_log_message(void *logstr, const char *message)
        {
        BIO *lstream = NULL;
@@ -1016,5 +1384,20 @@ static void hwcrhk_log_message(void *logstr, const char *message)
        CRYPTO_w_unlock(CRYPTO_LOCK_BIO);
        }
 
-#endif /* !NO_HW_NCIPHER */
-#endif /* !NO_HW */
+/* This stuff is needed if this ENGINE is being compiled into a self-contained
+ * shared-library. */     
+#ifdef ENGINE_DYNAMIC_SUPPORT
+static int bind_fn(ENGINE *e, const char *id)
+       {
+       if(id && (strcmp(id, engine_hwcrhk_id) != 0))
+               return 0;
+       if(!bind_helper(e))
+               return 0;
+       return 1;
+       }       
+IMPLEMENT_DYNAMIC_CHECK_FN()
+IMPLEMENT_DYNAMIC_BIND_FN(bind_fn)
+#endif /* ENGINE_DYNAMIC_SUPPORT */
+
+#endif /* !OPENSSL_NO_HW_NCIPHER */
+#endif /* !OPENSSL_NO_HW */