crypto: New experimental api

The new files api_ng.h and api_ng.c implements an api using EVP.
The api is not by any mean new, except for the crypto application
in Erlang/OTP.

The aims at using the block api in a stream manor, that is
  1) call crypto_init/4
  2..N) call crypto_update/{2,3}

The purpose is to simplify and hopefully optimize the SSL and SSH
applications.

By keeping the crypto state in C in an enif_resource the costful state
copying in SSL and SSH is reduced with 1-2 per message sent or received.

Changes in other files are for adaptation like FIPS etc since many
functions uses the central get_cipher_type() function.

1 files changed, 5 insertions, 1 deletions

diff --git a/lib/crypto/c_src/cmac.c b/lib/crypto/c_src/cmac.c
index 196b7476e3..49e67ccf29 100644
--- a/lib/crypto/c_src/cmac.c
+++ b/lib/crypto/c_src/cmac.c
@@ -24,7 +24,7 @@
 ERL_NIF_TERM cmac_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[])
 {/* (Type, Key, Data) */
 #if defined(HAVE_CMAC)
-    struct cipher_type_t *cipherp = NULL;
+    const struct cipher_type_t *cipherp;
     const EVP_CIPHER     *cipher;
     CMAC_CTX             *ctx = NULL;
     ErlNifBinary         key;
@@ -40,9 +40,13 @@ ERL_NIF_TERM cmac_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[])
         goto bad_arg;
     if ((cipherp = get_cipher_type(argv[0], key.size)) == NULL)
         goto bad_arg;
+    if (cipherp->flags & (NON_EVP_CIPHER | AEAD_CIPHER))
+        goto bad_arg;
     if (!enif_inspect_iolist_as_binary(env, argv[2], &data))
         goto bad_arg;
 
+    if (FORBIDDEN_IN_FIPS(cipherp))
+        return enif_raise_exception(env, atom_notsup);
     if ((cipher = cipherp->cipher.p) == NULL)
         return enif_raise_exception(env, atom_notsup);