It makes much more sense and is much more consistent with the rest of

OpenSSL to have to opt out hardware support instead of having to opt
it in.  And since the hardware support modules are self-contained and
actually check that the vendor stuff is loadable, it still works as
expected, or at least, so I think...

Configure

@@ -10,7 +10,7 @@ use strict;
 
 # see INSTALL for instructions.
 
-my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [hw-xxx] [rsaref] [no-threads] [no-asm] [no-dso] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] os/compiler[:flags]\n";
+my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx] [rsaref] [no-threads] [no-asm] [no-dso] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] os/compiler[:flags]\n";
 
 # Options:
 #
@@ -23,11 +23,10 @@ my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-
 #               default).  This needn't be set in advance, you can
 #               just as well use "make INSTALL_PREFIX=/whatever install".
 #
-# hw-xxx        compile support for specific crypto hardware. Generic
-#               OpenSSL-style methods relating to this support are
-#               always compiled but return NULL if the hardware support
-#               isn't compiled. Currently, hw-cswift is the only support
-#               of this form.
+# no-hw-xxx     do not compile support for specific crypto hardware.
+#               Generic OpenSSL-style methods relating to this support
+#               are always compiled but return NULL if the hardware
+#               support isn't compiled.
 # rsaref        use RSAref
 # [no-]threads  [don't] try to create a library that is suitable for
 #               multithreaded applications (default is "threads" if we
@@ -475,12 +474,12 @@ foreach (@ARGV)
 			$openssl_algorithm_defines .= "#define NO_MDC2\n";
 			}
 		}
-	elsif (/^hw-(.+)$/)
+	elsif (/^no-hw-(.+)$/)
 		{
 		my $hw=$1;
 		$hw =~ tr/[a-z]/[A-Z]/;
-		$flags .= "-DHW_$hw ";
-		$openssl_other_defines .= "#define HW_$hw\n";
+		$flags .= "-DNO_HW_$hw ";
+		$openssl_other_defines .= "#define NO_HW_$hw\n";
 		}
 	elsif (/^386$/)
 		{ $processor=386; }

crypto/engine/engine_int.h

@@ -130,21 +130,21 @@ typedef struct engine_st
 /* Returns a structure of software only methods (the default). */
 ENGINE *ENGINE_openssl();
 
-#ifdef HW_CSWIFT
+#ifndef NO_HW_CSWIFT
 /* Returns a structure of cswift methods ... NB: This can exist and be
  * "used" even on non-cswift systems because the "init" will fail if the
  * card/library are not found. */
 ENGINE *ENGINE_cswift();
-#endif /* HW_CSWIFT */
+#endif /* !NO_HW_CSWIFT */
 
-#ifdef HW_NCIPHER
+#ifndef NO_HW_NCIPHER
 ENGINE *ENGINE_ncipher();
-#endif /* HW_NCIPHER */
+#endif /* !NO_HW_NCIPHER */
 
-#ifdef HW_ATALLA
+#ifndef NO_HW_ATALLA
 /* Returns a structure of atalla methods. */
 ENGINE *ENGINE_atalla();
-#endif /* HW_ATALLA */
+#endif /* !NO_HW_ATALLA */
 
 #ifdef  __cplusplus
 }

crypto/engine/engine_list.c

@@ -185,18 +185,18 @@ static int engine_internal_check(void)
 	 * with our statically compiled-in engines. */
 	if(!engine_list_add(ENGINE_openssl()))
 		return 0;
-#ifdef HW_CSWIFT
+#ifndef NO_HW_CSWIFT
 	if(!engine_list_add(ENGINE_cswift()))
 		return 0;
-#endif /* HW_CSWIFT */
-#ifdef HW_NCIPHER
+#endif /* !NO_HW_CSWIFT */
+#ifndef NO_HW_NCIPHER
 	if(!engine_list_add(ENGINE_ncipher()))
 		return 0;
-#endif /* HW_CSWIFT */
-#ifdef HW_ATALLA
+#endif /* !NO_HW_NCIPHER */
+#ifndef NO_HW_ATALLA
 	if(!engine_list_add(ENGINE_atalla()))
 		return 0;
-#endif /* HW_CSWIFT */
+#endif /* !NO_HW_ATALLA */
 	engine_list_flag = 1;
 	return 1;
 	}

crypto/engine/hw_atalla.c

@@ -63,7 +63,7 @@
 #include "engine_int.h"
 #include <openssl/engine.h>
 
-#ifdef HW_ATALLA
+#ifndef NO_HW_ATALLA
 
 #include "vendor_defns/atalla.h"
 
@@ -153,6 +153,7 @@ static ENGINE engine_atalla =
 	NULL,
 	atalla_init,
 	atalla_finish,
+	NULL, /* no ctrl() */
 	0, /* no flags */
 	0, 0, /* no references */
 	NULL, NULL /* unlinked */
@@ -432,4 +433,4 @@ static int atalla_mod_exp_dh(DH *dh, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
 	return atalla_mod_exp(r, a, p, m, ctx);
 	}
 
-#endif /* HW_ATALLA */
+#endif /* !NO_HW_ATALLA */

crypto/engine/hw_cswift.c

@@ -63,7 +63,7 @@
 #include "engine_int.h"
 #include <openssl/engine.h>
 
-#ifdef HW_CSWIFT
+#ifndef NO_HW_CSWIFT
 
 /* Attribution notice: Rainbow have generously allowed me to reproduce
  * the necessary definitions here from their API. This means the support
@@ -729,5 +729,4 @@ static int cswift_mod_exp_dh(DH *dh, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
 	return cswift_mod_exp(r, a, p, m, ctx);
 	}
 
-#endif /* HW_CSWIFT */
-
+#endif /* !NO_HW_CSWIFT */

crypto/engine/hw_ncipher.c

@@ -64,7 +64,7 @@
 #include "engine_int.h"
 #include <openssl/engine.h>
 
-#ifdef HW_NCIPHER
+#ifndef NO_HW_NCIPHER
 
 /* Attribution notice: nCipher har said several times that it's OK for
  * us to implement a general interface to their boxes, and recently declared
@@ -471,15 +471,19 @@ static int hwcrhk_ctrl(int cmd, long i, void *p, void (*f)())
 	switch(cmd)
 		{
 	case ENGINE_CTRL_SET_LOGSTREAM:
+		{
+		BIO *bio = (BIO *)p;
+
 		if (logstream)
 			{
 			BIO_free(logstream);
 			logstream = NULL;
 			}
 		if (CRYPTO_add(&bio->references,1,CRYPTO_LOCK_BIO) > 1)
-			logstream = (BIO *)p;
+			logstream = bio;
 		else
 			ENGINEerr(ENGINE_F_HWCRHK_CTRL,ENGINE_R_BIO_WAS_FREED);
+		}
 		break;
 	default:
 		ENGINEerr(ENGINE_F_HWCRHK_CTRL,
@@ -768,5 +772,4 @@ static void log_message(void *logstream, const char *message)
 	CRYPTO_w_unlock(CRYPTO_LOCK_BIO);
 	}
 
-#endif /* HW_NCIPHER */
-
+#endif /* !NO_HW_NCIPHER */