Index: security/Makefile
===================================================================
--- security/Makefile
+++ security/Makefile
@@ -449,6 +449,7 @@
     SUBDIR += openssh-askpass
     SUBDIR += openssh-portable
     SUBDIR += openssl
+    SUBDIR += openssl-chelsio
     SUBDIR += openssl-devel
     SUBDIR += openssl-unsafe
     SUBDIR += openssl_tpm_engine
Index: security/openssl-chelsio/Makefile
===================================================================
--- /dev/null
+++ security/openssl-chelsio/Makefile
@@ -0,0 +1,163 @@
+# Created by: Dirk Froemberg <dirk@FreeBSD.org>
+# $FreeBSD$
+
+PORTNAME=	openssl
+PORTVERSION=	1.0.2n
+CATEGORIES=	security devel
+MASTER_SITES=	http://www.openssl.org/source/ \
+		ftp://ftp.cert.dfn.de/pub/tools/net/openssl/source/
+PKGNAMESUFFIX=	-chelsio
+DIST_SUBDIR=	${PORTNAME}-${DISTVERSION:C/[a-z]$//}
+
+MAINTAINER=	jhb@FreeBSD.org
+COMMENT=	SSL and crypto library supporting Chelsio TLS offload
+
+LICENSE=	OpenSSL
+LICENSE_FILE=	${WRKSRC}/LICENSE
+
+OPTIONS_DEFINE=		PADLOCK RFC3779 THREADS ZLIB
+OPTIONS_DEFAULT=	ASM MD2 SCTP SSE2 SSL2 SSL3 THREADS
+OPTIONS_DEFINE_amd64=	EC
+OPTIONS_DEFAULT_amd64=	EC
+TARGET_ARCH?=	${MACHINE_ARCH}
+.if ${TARGET_ARCH} == "mips64el"
+OPTIONS_DEFINE_mips=	EC
+OPTIONS_DEFAULT_mips=	EC
+.endif
+OPTIONS_GROUP=	CIPHERS HASHES OPTIMIZE PROTOCOLS
+OPTIONS_GROUP_CIPHERS=	EXPCIPHERS RC5
+OPTIONS_GROUP_HASHES=	MD2
+OPTIONS_GROUP_OPTIMIZE=	ASM SSE2
+OPTIONS_GROUP_PROTOCOLS=	SCTP SSL2 SSL3
+.if ${TARGET_ARCH} == "i386"
+OPTIONS_GROUP_OPTIMIZE+=	I386
+.endif
+OPTIONS_SUB=	yes
+ASM_DESC=	Optimized Assembler code
+CIPHERS_DESC=	Cipher Suite support
+EC_DESC=	Optimize NIST elliptic curves
+EXPCIPHERS_DESC=	Include experimental ciphers
+HASHES_DESC=	Hash Function Support
+I386_DESC=	Optimize for i386 (instead of i486+)
+MD2_DESC=	MD2 hash (obsolete)
+OPTIMIZE_DESC=	Optimizations
+PADLOCK_DESC=	VIA Padlock support
+PROTOCOLS_DESC=	Protocol Support
+RC5_DESC=	RC5 cipher (patented)
+RFC3779_DESC=	RFC3779 support (BGP)
+SCTP_DESC=	SCTP protocol support
+SSE2_DESC=	Runtime SSE2 detection
+SSL2_DESC=	SSLv2 protocol support
+SSL3_DESC=	SSLv3 protocol support
+ZLIB_DESC=	zlib compression support
+
+USES=		compiler cpe perl5
+USE_PERL5=	build
+MAKE_ARGS+=	WHOLE_ARCHIVE_FLAG=--whole-archive
+MAKE_ENV+=	LIBRPATH="${PREFIX}/openssl-chelsio/lib" GREP_OPTIONS=
+MAKE_ENV+=	SHLIBVER=${OPENSSL_SHLIBVER}
+
+
+MAKE_JOBS_UNSAFE=	yes
+
+ASM_CONFIGURE_OFF=	no-asm
+EC_CONFIGURE_ON=	enable-ec_nistp_64_gcc_128
+EC_CONFIGURE_OFF=	no-ec_nistp_64_gcc_128
+I386_CONFIGURE_ON=	386
+MD2_CONFIGURE_ON=	enable-md2
+MD2_CONFIGURE_OFF=	no-md2
+PADLOCK_CFLAGS=		-Wno-unused-function
+PADLOCK_CONFIGURE_OFF=	no-padlock
+PADLOCK_PATCH_SITES=	http://git.alpinelinux.org/cgit/aports/plain/main/openssl/:padlock
+PADLOCK_PATCHFILES=	1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch:padlock \
+			1002-backport-changes-from-upstream-padlock-module.patch:padlock \
+			1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch:padlock \
+			1004-crypto-engine-autoload-padlock-dynamic-engine.patch:padlock
+PADLOCK_VARS=		PATCH_DIST_STRIP=-p1
+RC5_CONFIGURE_ON=	enable-rc5
+RC5_CONFIGURE_OFF=	no-rc5
+RFC3779_CONFIGURE_ON=	enable-rfc3779
+RFC3779_CONFIGURE_OFF=	no-rfc3779
+SCTP_CONFIGURE_ON=	sctp
+SCTP_CONFIGURE_OFF=	no-sctp
+SSE2_CONFIGURE_OFF=	no-sse2
+SSL2_CONFIGURE_ON=	enable-ssl2
+SSL2_CONFIGURE_OFF=	no-ssl2
+SSL3_CONFIGURE_ON=	enable-ssl3
+SSL3_CONFIGURE_OFF=	no-ssl3 no-ssl3-method
+SSL3_EXTRA_PATCHES_OFF=	${PATCHDIR}/extra-patch-test_testssl
+THREADS_CONFIGURE_ON=	threads
+THREADS_CONFIGURE_OFF=	no-threads
+ZLIB_CONFIGURE_ON=	zlib zlib-dynamic
+ZLIB_CONFIGURE_OFF=	no-zlib no-zlib-dynamic
+
+.include <bsd.port.pre.mk>
+
+OPENSSLDIR?=	${PREFIX}/openssl-chelsio/etc
+PLIST_SUB+=	OPENSSLDIR=${OPENSSLDIR:S=^${PREFIX}/==}
+PLIST_SUB+=	SHLIBVER=${OPENSSL_SHLIBVER}
+
+.if !exists(/usr/src/sys/dev/cxgbe/tom/t4_tls.h)
+BROKEN=		Requires kernel sources with Chelsio TLS offload driver \
+		(only in HEAD)
+.endif
+
+CFLAGS+=	-DCHSSL_OFFLOAD=yes -DCHSSL_TLS_RX=yes -I/usr/src/sys
+
+.include "version.mk"
+
+.if ${PORT_OPTIONS:MASM}
+BROKEN_sparc64=		option ASM generates illegal instructions
+.endif
+
+CONFIGURE_ARGS+=	no-gmp shared
+
+post-patch:
+	${REINPLACE_CMD} -e 's|m4 -B 8192|m4|g' \
+		${WRKSRC}/crypto/des/Makefile
+	${REINPLACE_CMD} -e 's|SHLIB_VERSION_NUMBER "1.0.0"|SHLIB_VERSION_NUMBER "${OPENSSL_SHLIBVER}"|' \
+		${WRKSRC}/crypto/opensslv.h
+	${REINPLACE_CMD} -e 's|ERR_R_MALLOC_ERROR|ERR_R_MALLOC_FAILURE|' \
+		${WRKSRC}/crypto/bio/bss_dgram.c
+.if ${PORT_OPTIONS:MEXPCIPHERS}
+	${REINPLACE_CMD} -e 's|TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES	0|TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES	1|' \
+		${WRKSRC}/ssl/tls1.h
+.endif
+	${GREP} -L openssl_manual_section ${WRKSRC}/doc/crypto/*.pod | ${XARGS} ${RM}
+	${RM} -r ${WRKSRC}/doc/ssl/*.pod
+	${REINPLACE_CMD} -e 's|pod doc/ssl/\*\.pod|pod|' ${WRKSRC}/Makefile.org
+	${PATCH} -d ${WRKSRC} -p3 -s < ${PATCHDIR}/extra-patch-chssl
+
+do-configure:
+	${REINPLACE_CMD} -e "s|options 386|options|" \
+		${WRKSRC}/config
+	cd ${WRKSRC} \
+	&& ${SETENV} CC="${CC}" FREEBSDCC="${CC}" CFLAGS="${CFLAGS}" PERL="${PERL}" \
+	./config --prefix=${PREFIX}/openssl-chelsio --openssldir=${OPENSSLDIR} \
+		--install_prefix=${STAGEDIR} \
+		-L${PREFIX}/openssl-chelsio/lib ${CONFIGURE_ARGS}
+
+post-configure:
+	${REINPLACE_CMD} \
+		-e 's|^MANDIR=.*$$|MANDIR=$$(PREFIX)/man|' \
+		-e 's|$$(LIBDIR)/pkgconfig|libdata/pkgconfig|g' \
+		-e 's|LIBVERSION=[^ ]* |LIBVERSION=${OPENSSL_SHLIBVER} |' \
+		${WRKSRC}/Makefile
+
+do-install:
+	${MKDIR} ${STAGEDIR}${PREFIX}/openssl-chelsio/lib/engines
+.for i in libcrypto libssl
+	${INSTALL_DATA} ${WRKSRC}/$i.so.${OPENSSL_SHLIBVER} ${STAGEDIR}${PREFIX}/openssl-chelsio/lib
+	${STRIP_CMD} ${STAGEDIR}${PREFIX}/openssl-chelsio/lib/$i.so.${OPENSSL_SHLIBVER}
+.endfor
+.for i in 4758cca aep atalla capi chil cswift gmp nuron padlock sureware ubsec
+	${INSTALL_DATA} ${WRKSRC}/engines/lib${i}.so ${STAGEDIR}/${PREFIX}/openssl-chelsio/lib/engines
+	${STRIP_CMD} ${STAGEDIR}${PREFIX}/openssl-chelsio/lib/engines/lib${i}.so
+.endfor
+
+test: build
+	cd ${WRKSRC} && ${MAKE} test
+
+regression-test:	test
+
+.include <bsd.port.post.mk>
Index: security/openssl-chelsio/distinfo
===================================================================
--- /dev/null
+++ security/openssl-chelsio/distinfo
@@ -0,0 +1,11 @@
+TIMESTAMP = 1512655797
+SHA256 (openssl-1.0.2/openssl-1.0.2n.tar.gz) = 370babb75f278c39e0c50e8c4e7493bc0f18db6867478341a832a982fd15a8fe
+SIZE (openssl-1.0.2/openssl-1.0.2n.tar.gz) = 5375802
+SHA256 (openssl-1.0.2/1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch) = 2eddcb7ab342285cb637ce6b6be143cca835f449f35dd9bb8c7b9167ba2117a7
+SIZE (openssl-1.0.2/1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch) = 3717
+SHA256 (openssl-1.0.2/1002-backport-changes-from-upstream-padlock-module.patch) = aee88a24622ce9d71e38deeb874e58435dcf8ff5690f56194f0e4a00fb09b260
+SIZE (openssl-1.0.2/1002-backport-changes-from-upstream-padlock-module.patch) = 5770
+SHA256 (openssl-1.0.2/1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch) = c10b8aaf56a4f4f79ca195fc587e0bb533f643e777d7a3e6fb0350399a6060ea
+SIZE (openssl-1.0.2/1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch) = 20935
+SHA256 (openssl-1.0.2/1004-crypto-engine-autoload-padlock-dynamic-engine.patch) = 97eb4411d0fc0890e94bc7c2d682f68b71135da782af769ca73914b37da2b1fd
+SIZE (openssl-1.0.2/1004-crypto-engine-autoload-padlock-dynamic-engine.patch) = 832
Index: security/openssl-chelsio/files/extra-patch-chssl
===================================================================
--- /dev/null
+++ security/openssl-chelsio/files/extra-patch-chssl
@@ -0,0 +1,2092 @@
+diff --git a/crypto/openssl/ssl/Makefile b/crypto/openssl/ssl/Makefile
+index 7866a3ccd77b..a4ce38b0d6c2 100644
+--- a/crypto/openssl/ssl/Makefile
++++ b/crypto/openssl/ssl/Makefile
+@@ -31,7 +31,8 @@ LIBSRC=	\
+ 	ssl_lib.c ssl_err2.c ssl_cert.c ssl_sess.c \
+ 	ssl_ciph.c ssl_stat.c ssl_rsa.c \
+ 	ssl_asn1.c ssl_txt.c ssl_algs.c ssl_conf.c \
+-	bio_ssl.c ssl_err.c kssl.c t1_reneg.c tls_srp.c t1_trce.c ssl_utst.c
++	bio_ssl.c ssl_err.c kssl.c t1_reneg.c tls_srp.c t1_trce.c ssl_utst.c \
++	ssl_tom.c
+ LIBOBJ= \
+ 	s2_meth.o  s2_srvr.o  s2_clnt.o  s2_lib.o  s2_enc.o s2_pkt.o \
+ 	s3_meth.o  s3_srvr.o  s3_clnt.o  s3_lib.o  s3_enc.o s3_pkt.o s3_both.o s3_cbc.o \
+@@ -42,7 +43,8 @@ LIBOBJ= \
+ 	ssl_lib.o ssl_err2.o ssl_cert.o ssl_sess.o \
+ 	ssl_ciph.o ssl_stat.o ssl_rsa.o \
+ 	ssl_asn1.o ssl_txt.o ssl_algs.o ssl_conf.o \
+-	bio_ssl.o ssl_err.o kssl.o t1_reneg.o tls_srp.o t1_trce.o ssl_utst.o
++	bio_ssl.o ssl_err.o kssl.o t1_reneg.o tls_srp.o t1_trce.o ssl_utst.o \
++	ssl_tom.o
+ 
+ SRC= $(LIBSRC)
+ 
+@@ -1122,3 +1124,4 @@ tls_srp.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+ tls_srp.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ tls_srp.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ tls_srp.o: ../include/openssl/x509_vfy.h ssl_locl.h tls_srp.c
++ssl_tom.o: ../include/openssl/x509_vfy.h ssl_tom.c
+diff --git a/crypto/openssl/ssl/d1_clnt.c b/crypto/openssl/ssl/d1_clnt.c
+index 76451a346d86..cd2b6759377e 100644
+--- a/crypto/openssl/ssl/d1_clnt.c
++++ b/crypto/openssl/ssl/d1_clnt.c
+@@ -127,6 +127,9 @@
+ #ifndef OPENSSL_NO_DH
+ # include <openssl/dh.h>
+ #endif
++#if defined(CHSSL_OFFLOAD) && defined(CHSSL_DTLS)
++#include "ssl_tom.h"
++#endif
+ 
+ static const SSL_METHOD *dtls1_get_client_method(int ver);
+ static int dtls1_get_hello_verify(SSL *s);
+@@ -615,6 +618,10 @@ int dtls1_connect(SSL *s)
+ 
+         case SSL3_ST_CW_FINISHED_A:
+         case SSL3_ST_CW_FINISHED_B:
++#if defined(CHSSL_OFFLOAD) && defined(CHSSL_DTLS)
++        if (SSL_ofld(s))
++                chssl_program_hwkey_context(s, KEY_WRITE_TX, SSL_ST_CONNECT);
++#endif
+             if (!s->hit)
+                 dtls1_start_timer(s);
+             ret = ssl3_send_finished(s,
+@@ -700,6 +707,10 @@ int dtls1_connect(SSL *s)
+                                     SSL3_ST_CR_FINISHED_B);
+             if (ret <= 0)
+                 goto end;
++#if defined(CHSSL_OFFLOAD) && defined(CHSSL_DTLS)
++            if (SSL_ofld_rx(s))
++                chssl_program_hwkey_context(s, KEY_WRITE_RX,SSL_ST_CONNECT);
++#endif
+             dtls1_stop_timer(s);
+ 
+             if (s->hit)
+diff --git a/crypto/openssl/ssl/d1_pkt.c b/crypto/openssl/ssl/d1_pkt.c
+index 10586fee5408..ee76f6020ca0 100644
+--- a/crypto/openssl/ssl/d1_pkt.c
++++ b/crypto/openssl/ssl/d1_pkt.c
+@@ -121,6 +121,9 @@
+ #include <openssl/buffer.h>
+ #include <openssl/pqueue.h>
+ #include <openssl/rand.h>
++#if defined(CHSSL_OFFLOAD) && defined(CHSSL_DTLS)
++#include "ssl_tom.h"
++#endif
+ 
+ /* mod 128 saturating subtract of two 64-bit values in big-endian order */
+ static int satsub64be(const unsigned char *v1, const unsigned char *v2)
+@@ -503,6 +506,10 @@ static int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
+     /* decrypt in place in 'rr->input' */
+     rr->data = rr->input;
+ 
++#if defined(CHSSL_OFFLOAD) && defined(CHSSL_DTLS)
++    if (!(SSL_enc_offload(s) && SSL_ofld_vers(s) && SSL_ofld_rx(s)))
++    {
++#endif
+     enc_err = s->method->ssl3_enc->enc(s, 0);
+     /*-
+      * enc_err is:
+@@ -516,6 +523,9 @@ static int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
+         s->packet_length = 0;
+         goto err;
+     }
++#if defined(CHSSL_OFFLOAD) && defined(CHSSL_DTLS)
++    }
++#endif
+ #ifdef TLS_DEBUG
+     printf("dec %d\n", rr->length);
+     {
+@@ -528,7 +538,11 @@ static int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
+ 
+     /* r->length is now the compressed data plus mac */
+     if ((sess != NULL) &&
+-        (s->enc_read_ctx != NULL) && (EVP_MD_CTX_md(s->read_hash) != NULL)) {
++        (s->enc_read_ctx != NULL) && (EVP_MD_CTX_md(s->read_hash) != NULL)
++#if defined(CHSSL_OFFLOAD) && defined(CHSSL_DTLS)
++        && !(SSL_mac_offload(s) && SSL_ofld_vers(s) && SSL_ofld_rx(s))
++#endif
++	) {
+         /* s->read_hash != NULL => mac_size != -1 */
+         unsigned char *mac = NULL;
+         unsigned char mac_tmp[EVP_MAX_MD_SIZE];
+@@ -684,6 +698,13 @@ int dtls1_get_record(SSL *s)
+             goto again;
+         }
+ 
++#if defined(CHSSL_OFFLOAD) && defined(CHSSL_DTLS)
++        #define SSL3_RT_CHERROR 127
++	if (SSL_ofld_vers(s) && SSL_ofld_rx(s) && (*(p) == SSL3_RT_CHERROR)) {
++		s->rstate = SSL_ST_READ_ERROR;
++	}
++	else
++#endif
+         s->rstate = SSL_ST_READ_BODY;
+ 
+         p = s->packet;
+@@ -733,11 +754,27 @@ int dtls1_get_record(SSL *s)
+         /* now s->rstate == SSL_ST_READ_BODY */
+     }
+ 
++#if defined(CHSSL_OFFLOAD) && defined(CHSSL_DTLS)
++    if (SSL_Chelsio_ofld(s) && SSL_ofld_rx(s)) {
++	    if (s->rstate == SSL_ST_READ_ERROR) {
++		    i = rr->length;
++		    n = ssl3_read_n(s, i, i, 1);
++		    s->rstate = SSL_ST_READ_HEADER;
++		    if (n<=0) return n;
++		    chssl_process_cherror(s);
++		    printf("%s rstate SSL_ST_READ_ERROR \n",__func__);
++		    goto again;
++	    }
++    }
++    /* this may not be required len in Hdr = '13bytes + decrypted payload' */
++#endif
++
+     /* s->rstate == SSL_ST_READ_BODY, get and decode the data */
+ 
+     if (rr->length > s->packet_length - DTLS1_RT_HEADER_LENGTH) {
+         /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */
+         i = rr->length;
++	printf("%s i:%d rrl:%d pl:%d\n",__func__,i,rr->length,s->packet_length);
+         n = ssl3_read_n(s, i, i, 1);
+         /* this packet contained a partial record, dump it */
+         if (n != i) {
+@@ -1680,7 +1717,11 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf,
+     p += 10;
+ 
+     /* Explicit IV length, block ciphers appropriate version flag */
+-    if (s->enc_write_ctx) {
++    if (s->enc_write_ctx
++#if defined(CHSSL_OFFLOAD) && defined(CHSSL_DTLS)
++	&& !(SSL_enc_offload(s) && SSL_ofld_vers(s) && SSL_Tx_keys(s))
++#endif
++	) {
+         int mode = EVP_CIPHER_CTX_mode(s->enc_write_ctx);
+         if (mode == EVP_CIPH_CBC_MODE) {
+             eivlen = EVP_CIPHER_CTX_iv_length(s->enc_write_ctx);
+@@ -1721,7 +1762,11 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf,
+      * wb->buf
+      */
+ 
+-    if (mac_size != 0) {
++    if (mac_size != 0
++#if defined(CHSSL_OFFLOAD) && defined(CHSSL_DTLS)
++	&& !(SSL_enc_offload(s) && SSL_ofld_vers(s) && SSL_Tx_keys(s))
++#endif
++	) {
+         if (s->method->ssl3_enc->mac(s, &(p[wr->length + eivlen]), 1) < 0)
+             goto err;
+         wr->length += mac_size;
+@@ -1734,8 +1779,14 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf,
+     if (eivlen)
+         wr->length += eivlen;
+ 
++#if defined(CHSSL_OFFLOAD) && defined(CHSSL_DTLS)
++    if (!(SSL_enc_offload(s) && SSL_ofld_vers(s) && SSL_Tx_keys(s))) {
++#endif
+     if (s->method->ssl3_enc->enc(s, 1) < 1)
+         goto err;
++#if defined(CHSSL_OFFLOAD) && defined(CHSSL_DTLS)
++    }
++#endif
+ 
+     /* record length after mac and block padding */
+     /*
+diff --git a/crypto/openssl/ssl/d1_srvr.c b/crypto/openssl/ssl/d1_srvr.c
+index 8502b242e51c..4f2f8d8b3bfa 100644
+--- a/crypto/openssl/ssl/d1_srvr.c
++++ b/crypto/openssl/ssl/d1_srvr.c
+@@ -125,6 +125,9 @@
+ #ifndef OPENSSL_NO_DH
+ # include <openssl/dh.h>
+ #endif
++#if defined(CHSSL_OFFLOAD) && defined(CHSSL_DTLS)
++#include "ssl_tom.h"
++#endif
+ 
+ static const SSL_METHOD *dtls1_get_server_method(int ver);
+ static int dtls1_send_hello_verify_request(SSL *s);
+@@ -752,6 +755,10 @@ int dtls1_accept(SSL *s)
+                                     SSL3_ST_SR_FINISHED_B);
+             if (ret <= 0)
+                 goto end;
++#if defined(CHSSL_OFFLOAD) && defined(CHSSL_DTLS)
++            if (SSL_ofld_rx(s))
++                chssl_program_hwkey_context(s, KEY_WRITE_RX, SSL_ST_ACCEPT);
++#endif
+             dtls1_stop_timer(s);
+             if (s->hit)
+                 s->state = SSL_ST_OK;
+@@ -812,8 +819,14 @@ int dtls1_accept(SSL *s)
+                          0, NULL);
+             }
+ #endif
+-
++#if defined(CHSSL_OFFLOAD) && defined(CHSSL_DTLS)
++            if (SSL_ofld(s)) {
++                s->s3->tmp.next_state = SSL3_ST_SW_FINISHED_A;
++                s->state = SSL3_ST_SW_FLUSH;
++            } else {
+             s->state = SSL3_ST_SW_FINISHED_A;
++            }
++#endif
+             s->init_num = 0;
+ 
+             if (!s->method->ssl3_enc->change_cipher_state(s,
+@@ -829,6 +842,10 @@ int dtls1_accept(SSL *s)
+ 
+         case SSL3_ST_SW_FINISHED_A:
+         case SSL3_ST_SW_FINISHED_B:
++#if defined(CHSSL_OFFLOAD) && defined(CHSSL_DTLS)
++        if (SSL_ofld(s))
++               chssl_program_hwkey_context(s, KEY_WRITE_TX, SSL_ST_ACCEPT);
++#endif
+             ret = ssl3_send_finished(s,
+                                      SSL3_ST_SW_FINISHED_A,
+                                      SSL3_ST_SW_FINISHED_B,
+diff --git a/crypto/openssl/ssl/s23_clnt.c b/crypto/openssl/ssl/s23_clnt.c
+index add8c9916c8f..53e13c6fe81d 100644
+--- a/crypto/openssl/ssl/s23_clnt.c
++++ b/crypto/openssl/ssl/s23_clnt.c
+@@ -115,6 +115,9 @@
+ #include <openssl/rand.h>
+ #include <openssl/objects.h>
+ #include <openssl/evp.h>
++#ifdef CHSSL_OFFLOAD
++#include "ssl_tom.h"
++#endif
+ 
+ static const SSL_METHOD *ssl23_get_client_method(int ver);
+ static int ssl23_client_hello(SSL *s);
+@@ -221,6 +224,10 @@ int ssl23_connect(SSL *s)
+             ret = ssl23_client_hello(s);
+             if (ret <= 0)
+                 goto end;
++#ifdef CHSSL_OFFLOAD
++            if (chssl_new(s))
++                ssl_tls_offload(s);
++#endif
+             s->state = SSL23_ST_CR_SRVR_HELLO_A;
+             s->init_num = 0;
+ 
+diff --git a/crypto/openssl/ssl/s23_srvr.c b/crypto/openssl/ssl/s23_srvr.c
+index d3f6db15ccee..15f4736277c2 100644
+--- a/crypto/openssl/ssl/s23_srvr.c
++++ b/crypto/openssl/ssl/s23_srvr.c
+@@ -118,6 +118,9 @@
+ #ifdef OPENSSL_FIPS
+ # include <openssl/fips.h>
+ #endif
++#ifdef CHSSL_OFFLOAD
++#include "ssl_tom.h"
++#endif
+ 
+ static const SSL_METHOD *ssl23_get_server_method(int ver);
+ int ssl23_get_client_hello(SSL *s);
+@@ -181,6 +184,10 @@ int ssl23_accept(SSL *s)
+ 
+             /* s->version=SSL3_VERSION; */
+             s->type = SSL_ST_ACCEPT;
++#ifdef CHSSL_OFFLOAD
++            if (chssl_new(s))
++                ssl_tls_offload(s);
++#endif
+ 
+             if (s->init_buf == NULL) {
+                 if ((buf = BUF_MEM_new()) == NULL) {
+diff --git a/crypto/openssl/ssl/s3_both.c b/crypto/openssl/ssl/s3_both.c
+index 054ded1c9903..24885ba86db1 100644
+--- a/crypto/openssl/ssl/s3_both.c
++++ b/crypto/openssl/ssl/s3_both.c
+@@ -123,6 +123,9 @@
+ #include <openssl/objects.h>
+ #include <openssl/evp.h>
+ #include <openssl/x509.h>
++#ifdef CHSSL_OFFLOAD
++#include "ssl_tom.h"
++#endif
+ 
+ /*
+  * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
+@@ -131,6 +134,9 @@
+ int ssl3_do_write(SSL *s, int type)
+ {
+     int ret;
++#ifdef TLS_DEBUG
++    printf("%s type:%d len:%d \n",__func__,type,s->init_num);
++#endif
+ 
+     ret = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off],
+                            s->init_num);
+@@ -161,6 +167,9 @@ int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen)
+     unsigned char *p;
+     int i;
+     unsigned long l;
++#ifdef TLS_DEBUG
++    printf("ssl3_send_finished: state:%x a:%x b%x slen:%d M:%x s:%p\n",s->state,a,b,slen,s->method->version,s);
++#endif
+ 
+     if (s->state == a) {
+         p = ssl_handshake_start(s);
+@@ -168,6 +177,9 @@ int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen)
+         i = s->method->ssl3_enc->final_finish_mac(s,
+                                                   sender, slen,
+                                                   s->s3->tmp.finish_md);
++#ifdef TLS_DEBUG
++        printf("ssl3_send_finished: i:%d slen:%d ver:%x s:%p\n",i,slen,s->method->version,s);
++#endif
+         if (i <= 0)
+             return 0;
+         s->s3->tmp.finish_md_len = i;
+@@ -244,10 +256,22 @@ int ssl3_get_finished(SSL *s, int a, int b)
+      * spec message and is in s->s3->tmp.peer_finish_md
+      */
+ #endif
++#ifdef TLS_DEBUG
++    printf("Enter %s \n",__func__);	
++#endif
+ 
+     /* 64 argument should actually be 36+4 :-) */
++#if defined(CHSSL_OFFLOAD) && defined(CHSSL_TLS_RX)
++    /* XXX: Why a smaller maximum message size? */
++    if (SSL_ofld_rx(s))
++	n = s->method->ssl_get_message(s, a, b, SSL3_MT_FINISHED, 16, &ok);
++    else
++#endif
+     n = s->method->ssl_get_message(s, a, b, SSL3_MT_FINISHED, 64, &ok);
+ 
++#ifdef TLS_DEBUG
++    printf("%s ok:%d n:%d \n",__func__,ok,n);
++#endif
+     if (!ok)
+         return ((int)n);
+ 
+@@ -346,6 +370,9 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
+     unsigned long l;
+     long n;
+     int i, al;
++#ifdef TLS_DEBUG
++    printf("ssl3_get_message st1:%d stn:%d mt:%d max:%d\n",st1,stn,mt,max);
++#endif
+ 
+     if (s->s3->tmp.reuse_message) {
+         s->s3->tmp.reuse_message = 0;
+diff --git a/crypto/openssl/ssl/s3_clnt.c b/crypto/openssl/ssl/s3_clnt.c
+index 5b8b2da59f54..e7b319ffe497 100644
+--- a/crypto/openssl/ssl/s3_clnt.c
++++ b/crypto/openssl/ssl/s3_clnt.c
+@@ -166,6 +166,9 @@
+ #ifndef OPENSSL_NO_ENGINE
+ # include <openssl/engine.h>
+ #endif
++#ifdef CHSSL_OFFLOAD
++#include "ssl_tom.h"
++#endif
+ 
+ static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b);
+ #ifndef OPENSSL_NO_TLSEXT
+@@ -299,12 +302,22 @@ int ssl3_connect(SSL *s)
+             ret = ssl3_client_hello(s);
+             if (ret <= 0)
+                 goto end;
++#ifdef CHSSL_OFFLOAD
++            if (chssl_new(s) || SSL_ofld_vers(s))
++                ssl_tls_offload(s);
++#endif
+             s->state = SSL3_ST_CR_SRVR_HELLO_A;
+             s->init_num = 0;
+ 
+             /* turn on buffering for the next lot of output */
++#ifdef CHSSL_OFFLOAD
++           if (!(SSL_ofld(s) && s->renegotiate)) {
++#endif
+             if (s->bbio != s->wbio)
+                 s->wbio = BIO_push(s->bbio, s->wbio);
++#ifdef CHSSL_OFFLOAD
++           }
++#endif
+ 
+             break;
+ 
+@@ -485,6 +498,14 @@ int ssl3_connect(SSL *s)
+             else
+                 s->state = SSL3_ST_CW_FINISHED_A;
+ #endif
++
++#ifdef CHSSL_OFFLOAD
++            //if (SSL_ofld(s)) {
++		s->s3->tmp.next_state = s->state;
++		s->state = SSL3_ST_CW_FLUSH;
++	    //}
++#endif
++
+             s->init_num = 0;
+ 
+             s->session->cipher = s->s3->tmp.new_cipher;
+@@ -509,7 +530,6 @@ int ssl3_connect(SSL *s)
+                 s->state = SSL_ST_ERR;
+                 goto end;
+             }
+-
+             break;
+ 
+ #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+@@ -524,6 +544,10 @@ int ssl3_connect(SSL *s)
+ 
+         case SSL3_ST_CW_FINISHED_A:
+         case SSL3_ST_CW_FINISHED_B:
++#ifdef CHSSL_OFFLOAD
++        if (SSL_ofld(s))
++               chssl_program_hwkey_context(s, KEY_WRITE_TX, SSL_ST_CONNECT);
++#endif
+             ret = ssl3_send_finished(s,
+                                      SSL3_ST_CW_FINISHED_A,
+                                      SSL3_ST_CW_FINISHED_B,
+@@ -553,7 +577,6 @@ int ssl3_connect(SSL *s)
+                     s->s3->tmp.next_state = SSL3_ST_CR_SESSION_TICKET_A;
+                 else
+ #endif
+-
+                     s->s3->tmp.next_state = SSL3_ST_CR_FINISHED_A;
+             }
+             s->init_num = 0;
+diff --git a/crypto/openssl/ssl/s3_pkt.c b/crypto/openssl/ssl/s3_pkt.c
+index b91456843041..233f73adca3a 100644
+--- a/crypto/openssl/ssl/s3_pkt.c
++++ b/crypto/openssl/ssl/s3_pkt.c
+@@ -112,11 +112,15 @@
+ #include <stdio.h>
+ #include <limits.h>
+ #include <errno.h>
++ #include <fcntl.h>
+ #define USE_SOCKETS
+ #include "ssl_locl.h"
+ #include <openssl/evp.h>
+ #include <openssl/buffer.h>
+ #include <openssl/rand.h>
++#ifdef CHSSL_OFFLOAD
++#include "ssl_tom.h"
++#endif
+ 
+ #ifndef  EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK
+ # define EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK 0
+@@ -152,6 +156,7 @@ int ssl3_read_n(SSL *s, int n, int max, int extend)
+     long align = 0;
+     unsigned char *pkt;
+     SSL3_BUFFER *rb;
++    //printf("%s n:%d \n",__func__,n);
+ 
+     if (n <= 0)
+         return n;
+@@ -161,6 +166,7 @@ int ssl3_read_n(SSL *s, int n, int max, int extend)
+         if (!ssl3_setup_read_buffer(s))
+             return -1;
+ 
++    //printf("%s left:%d \n",__func__,left);
+     left = rb->left;
+ #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
+     align = (long)rb->buf + SSL3_RT_HEADER_LENGTH;
+@@ -212,6 +218,7 @@ int ssl3_read_n(SSL *s, int n, int max, int extend)
+         s->packet_length += n;
+         rb->left = left - n;
+         rb->offset += n;
++        //printf("%s n:%d off:%d\n",__func__,n,rb->offset);
+         return (n);
+     }
+ 
+@@ -228,6 +235,7 @@ int ssl3_read_n(SSL *s, int n, int max, int extend)
+         s->packet = pkt;
+         rb->offset = len + align;
+     }
++    //printf("%s n:%d rb->len:%d off:%d\n",__func__,n,rb->len,rb->offset);
+ 
+     if (n > (int)(rb->len - rb->offset)) { /* does not happen */
+         SSLerr(SSL_F_SSL3_READ_N, ERR_R_INTERNAL_ERROR);
+@@ -244,6 +252,7 @@ int ssl3_read_n(SSL *s, int n, int max, int extend)
+         if (max > (int)(rb->len - rb->offset))
+             max = rb->len - rb->offset;
+     }
++    //printf("max:%d \n",max);
+ 
+     while (left < n) {
+         /*
+@@ -260,6 +269,7 @@ int ssl3_read_n(SSL *s, int n, int max, int extend)
+             SSLerr(SSL_F_SSL3_READ_N, SSL_R_READ_BIO_NOT_SET);
+             i = -1;
+         }
++        //printf("bio read:%d sf:%d\n",i,s->rbio->num);
+ 
+         if (i <= 0) {
+             rb->left = left;
+@@ -285,6 +295,7 @@ int ssl3_read_n(SSL *s, int n, int max, int extend)
+     rb->left = left - n;
+     s->packet_length += n;
+     s->rwstate = SSL_NOTHING;
++    //printf("%s Exit n:%d \n",__func__,n);
+     return (n);
+ }
+ 
+@@ -309,7 +320,7 @@ int ssl3_read_n(SSL *s, int n, int max, int extend)
+ static int ssl3_get_record(SSL *s)
+ {
+     int ssl_major, ssl_minor, al;
+-    int enc_err, n, i, ret = -1;
++    int enc_err = 0, n, i, ret = -1;
+     SSL3_RECORD *rr;
+     SSL_SESSION *sess;
+     unsigned char *p;
+@@ -340,12 +351,25 @@ static int ssl3_get_record(SSL *s)
+     if ((s->rstate != SSL_ST_READ_BODY) ||
+         (s->packet_length < SSL3_RT_HEADER_LENGTH)) {
+         n = ssl3_read_n(s, SSL3_RT_HEADER_LENGTH, s->s3->rbuf.len, 0);
+-        if (n <= 0)
++        if (n <= 0) {
+             return (n);         /* error or non-blocking */
+-        s->rstate = SSL_ST_READ_BODY;
+-
++	}
+         p = s->packet;
+-        if (s->msg_callback)
++
++#if defined(CHSSL_OFFLOAD) && defined(CHSSL_TLS_RX)
++    #define SSL3_RT_CHERROR 127
++    if (SSL_ofld_vers(s) && SSL_ofld_rx(s) && (*(p) == SSL3_RT_CHERROR)) {
++        s->rstate = SSL_ST_READ_ERROR;
++    } else
++#endif
++        s->rstate = SSL_ST_READ_BODY;
++
++	if (s->msg_callback
++#if defined(CHSSL_OFFLOAD) && defined(CHSSL_TLS_RX)
++            && (SSL_ofld_vers(s) && SSL_ofld_rx(s)
++		&& (s->rstate != SSL_ST_READ_ERROR))
++#endif
++        )
+             s->msg_callback(0, 0, SSL3_RT_HEADER, p, 5, s,
+                             s->msg_callback_arg);
+ 
+@@ -399,18 +423,40 @@ static int ssl3_get_record(SSL *s)
+         /* now s->rstate == SSL_ST_READ_BODY */
+     }
+ 
++#if defined(CHSSL_OFFLOAD) && defined(CHSSL_TLS_RX)
++    if (SSL_Chelsio_ofld(s) && SSL_ofld_rx(s)) {
++        if (s->rstate == SSL_ST_READ_ERROR) {
++            i = rr->length;
++            n = ssl3_read_n(s, i, i, 1);
++            s->rstate = SSL_ST_READ_HEADER;
++            if (n<=0)
++                return n;
++            al = chssl_process_cherror(s);
++            printf("%s rstate SSL_ST_READ_ERROR \n",__func__);
++            goto f_err;
++        }
++    }
++
++    /* this may not be required len in Hdr = '5bytes + decrypted payload' */
++#endif
++
+     /* s->rstate == SSL_ST_READ_BODY, get and decode the data */
+-
+     if (rr->length > s->packet_length - SSL3_RT_HEADER_LENGTH) {
+         /* now s->packet_length == SSL3_RT_HEADER_LENGTH */
+         i = rr->length;
+         n = ssl3_read_n(s, i, i, 1);
+-        if (n <= 0)
++        if (n <= 0) {
++	    //printf("%s n:%d \n",__func__,n);
+             return (n);         /* error or non-blocking io */
++	}
+         /*
+          * now n == rr->length, and s->packet_length == SSL3_RT_HEADER_LENGTH
+          * + rr->length
+          */
++#if 0
++	for(i=0;i<16;i++)
++	printf("%x ",s->packet[i]);
++#endif
+     }
+ 
+     s->rstate = SSL_ST_READ_HEADER; /* set state for later operations */
+@@ -437,12 +483,17 @@ static int ssl3_get_record(SSL *s)
+     if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH + extra) {
+         al = SSL_AD_RECORD_OVERFLOW;
+         SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
++	    printf("%s SSL_R_ENCRYPTED_LENGTH_TOO_LONG \n",__func__);
+         goto f_err;
+     }
+ 
+     /* decrypt in place in 'rr->input' */
+     rr->data = rr->input;
+ 
++#if defined(CHSSL_OFFLOAD) && defined(CHSSL_TLS_RX)
++    if (!(SSL_enc_offload(s) && SSL_ofld_vers(s) && SSL_ofld_rx(s)))
++#endif
++    {
+     enc_err = s->method->ssl3_enc->enc(s, 0);
+     /*-
+      * enc_err is:
+@@ -453,10 +504,17 @@ static int ssl3_get_record(SSL *s)
+     if (enc_err == 0) {
+         al = SSL_AD_DECRYPTION_FAILED;
+         SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
++		    printf("%s SSL_R_BLOCK_CIPHER_PAD_IS_WRONG \n",__func__);
+         goto f_err;
+     }
++    }
+ #ifdef TLS_DEBUG
+-    printf("dec %d\n", rr->length);
++#ifdef CHSSL_OFFLOAD
++    printf("\n dec %d host enc:%d mac:%d enc_err:%d\n",
++	   rr->length,SSL_enc_host(s),SSL_mac_host(s),enc_err);
++#else
++    printf("\n dec %d\n", rr->length);
++#endif
+     {
+         unsigned int z;
+         for (z = 0; z < rr->length; z++)
+@@ -467,7 +525,13 @@ static int ssl3_get_record(SSL *s)
+ 
+     /* r->length is now the compressed data plus mac */
+     if ((sess != NULL) &&
+-        (s->enc_read_ctx != NULL) && (EVP_MD_CTX_md(s->read_hash) != NULL)) {
++	(s->enc_read_ctx != NULL) &&
++	(EVP_MD_CTX_md(s->read_hash) != NULL)
++#if defined(CHSSL_OFFLOAD) && defined(CHSSL_TLS_RX)
++	&&
++	!(SSL_mac_offload(s) && SSL_ofld_vers(s) && SSL_ofld_rx(s))
++#endif
++       ) {
+         /* s->read_hash != NULL => mac_size != -1 */
+         unsigned char *mac = NULL;
+         unsigned char mac_tmp[EVP_MAX_MD_SIZE];
+@@ -491,6 +555,7 @@ static int ssl3_get_record(SSL *s)
+              orig_len < mac_size + 1)) {
+             al = SSL_AD_DECODE_ERROR;
+             SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT);
++	    printf("%s SSL_R_LENGTH_TOO_SHORT \n",__func__);
+             goto f_err;
+         }
+ 
+@@ -533,6 +598,7 @@ static int ssl3_get_record(SSL *s)
+         al = SSL_AD_BAD_RECORD_MAC;
+         SSLerr(SSL_F_SSL3_GET_RECORD,
+                SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
++	printf("%s SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC \n",__func__);
+         goto f_err;
+     }
+ 
+@@ -541,6 +607,7 @@ static int ssl3_get_record(SSL *s)
+         if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + extra) {
+             al = SSL_AD_RECORD_OVERFLOW;
+             SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_COMPRESSED_LENGTH_TOO_LONG);
++	    printf("%s SSL_R_COMPRESSED_LENGTH_TOO_LONG \n",__func__);
+             goto f_err;
+         }
+         if (!ssl3_do_uncompress(s)) {
+@@ -553,6 +620,7 @@ static int ssl3_get_record(SSL *s)
+     if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH + extra) {
+         al = SSL_AD_RECORD_OVERFLOW;
+         SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_DATA_LENGTH_TOO_LONG);
++	printf("%s rr->length :%d extra:%zu\n",__func__,rr->length,extra);
+         goto f_err;
+     }
+ 
+@@ -575,11 +643,13 @@ static int ssl3_get_record(SSL *s)
+         if (empty_record_count > MAX_EMPTY_RECORDS) {
+             al = SSL_AD_UNEXPECTED_MESSAGE;
+             SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_RECORD_TOO_SMALL);
++		printf("rr->length == 0 empty_record_count:%d\n",empty_record_count);
++	    printf("%s SSL_F_SSL3_GET_RECORD \n",__func__);
+             goto f_err;
+         }
+         goto again;
+     }
+-#if 0
++#ifdef TLS_DEBUG
+     fprintf(stderr, "Ultimate Record type=%d, Length=%d\n", rr->type,
+             rr->length);
+ #endif
+@@ -701,7 +771,11 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
+         SSL_USE_EXPLICIT_IV(s) &&
+         s->enc_write_ctx != NULL &&
+         EVP_CIPHER_flags(s->enc_write_ctx->cipher) &
+-        EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK) {
++        EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK
++#ifdef CHSSL_OFFLOAD
++	&& !SSL_ofld(s)
++#endif
++	) {
+         unsigned char aad[13];
+         EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM mb_param;
+         int packlen;
+@@ -986,7 +1060,11 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
+     plen = p;
+     p += 2;
+     /* Explicit IV length, block ciphers appropriate version flag */
+-    if (s->enc_write_ctx && SSL_USE_EXPLICIT_IV(s)) {
++    if (s->enc_write_ctx && SSL_USE_EXPLICIT_IV(s)
++#ifdef CHSSL_OFFLOAD
++	&& !(SSL_enc_offload(s) && SSL_ofld_vers(s))
++#endif
++	) {
+         int mode = EVP_CIPHER_CTX_mode(s->enc_write_ctx);
+         if (mode == EVP_CIPH_CBC_MODE) {
+             eivlen = EVP_CIPHER_CTX_iv_length(s->enc_write_ctx);
+@@ -1027,7 +1105,11 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
+      * wb->buf
+      */
+ 
+-    if (mac_size != 0) {
++    if (mac_size != 0
++#ifdef CHSSL_OFFLOAD
++	&& !(SSL_enc_offload(s) && SSL_ofld_vers(s))
++#endif
++	) {
+         if (s->method->ssl3_enc->mac(s, &(p[wr->length + eivlen]), 1) < 0)
+             goto err;
+         wr->length += mac_size;
+@@ -1043,8 +1125,14 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
+         wr->length += eivlen;
+     }
+ 
++#ifdef CHSSL_OFFLOAD
++    if (!(SSL_enc_offload(s) && SSL_ofld_vers(s))) {
++#endif
+     if (s->method->ssl3_enc->enc(s, 1) < 1)
+         goto err;
++#ifdef CHSSL_OFFLOAD
++    }
++#endif
+ 
+     /* record length after mac and block padding */
+     s2n(wr->length, plen);
+@@ -1172,8 +1260,10 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
+     void (*cb) (const SSL *ssl, int type2, int val) = NULL;
+ 
+     if (s->s3->rbuf.buf == NULL) /* Not initialized yet */
+-        if (!ssl3_setup_read_buffer(s))
++        if (!ssl3_setup_read_buffer(s)) {
++	    printf("%s ssl3_setup_read_buffer fail \n",__func__);
+             return (-1);
++	}
+ 
+     if ((type && (type != SSL3_RT_APPLICATION_DATA)
+          && (type != SSL3_RT_HANDSHAKE)) || (peek
+@@ -1232,9 +1322,10 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
+     /* get new packet if necessary */
+     if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY)) {
+         ret = ssl3_get_record(s);
+-        if (ret <= 0)
++        if (ret <= 0) {
+             return (ret);
+     }
++    }
+ 
+     /*
+      * Reset the count of consecutive warning alerts if we've got a non-empty
+@@ -1276,8 +1367,10 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
+             goto f_err;
+         }
+ 
+-        if (len <= 0)
++        if (len <= 0) {
++	    printf("%s len:%d \n",__func__,len);
+             return (len);
++	}
+ 
+         if ((unsigned int)len > rr->length)
+             n = rr->length;
+@@ -1296,6 +1389,9 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
+                     ssl3_release_read_buffer(s);
+             }
+         }
++#ifdef TLS_DEBUG
++   	printf("%s %d n:%d \n",__func__,__LINE__,n);
++#endif
+         return (n);
+     }
+ 
+@@ -1337,6 +1433,9 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
+             s->rwstate = SSL_READING;
+             BIO_clear_retry_flags(SSL_get_rbio(s));
+             BIO_set_retry_read(SSL_get_rbio(s));
++#ifdef TLS_DEBUG
++	    printf("%s TLS1_RT_HEARTBEAT \n",__func__);
++#endif
+             return (-1);
+         }
+ #endif
+@@ -1666,7 +1765,6 @@ int ssl3_do_change_cipher_spec(SSL *s)
+     int i;
+     const char *sender;
+     int slen;
+-
+     if (s->state & SSL_ST_ACCEPT)
+         i = SSL3_CHANGE_CIPHER_SERVER_READ;
+     else
+@@ -1677,25 +1775,39 @@ int ssl3_do_change_cipher_spec(SSL *s)
+             /* might happen if dtls1_read_bytes() calls this */
+             SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,
+                    SSL_R_CCS_RECEIVED_EARLY);
+-            return (0);
++            goto err;
+         }
+ 
+         s->session->cipher = s->s3->tmp.new_cipher;
+-        if (!s->method->ssl3_enc->setup_key_block(s))
+-            return (0);
++        if (!s->method->ssl3_enc->setup_key_block(s)) {
++            goto err;
++	}
+     }
+ 
+-    if (!s->method->ssl3_enc->change_cipher_state(s, i))
+-        return (0);
++    if (!s->method->ssl3_enc->change_cipher_state(s, i)){
++            printf("change_cipher_state error \n");
++        goto err;
++	}
+ 
+     /*
+      * we have to record the message digest at this point so we can get it
+      * before we read the finished message
+      */
+     if (s->state & SSL_ST_CONNECT) {
++#if defined(CHSSL_OFFLOAD) && defined(CHSSL_TLS_RX)
++	if (SSL_ofld_rx(s)) {
++            chssl_program_hwkey_context(s, KEY_WRITE_RX, SSL_ST_CONNECT);
++	    if (SSL_clr_quiesce(s))
++		chssl_clear_tom(s);
++	}
++#endif
+         sender = s->method->ssl3_enc->server_finished_label;
+         slen = s->method->ssl3_enc->server_finished_label_len;
+     } else {
++#if defined(CHSSL_OFFLOAD) && defined(CHSSL_TLS_RX)
++        if (SSL_ofld_rx(s))
++            chssl_program_hwkey_context(s, KEY_WRITE_RX, SSL_ST_ACCEPT);
++#endif
+         sender = s->method->ssl3_enc->client_finished_label;
+         slen = s->method->ssl3_enc->client_finished_label_len;
+     }
+@@ -1707,9 +1819,16 @@ int ssl3_do_change_cipher_spec(SSL *s)
+         SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
+         return 0;
+     }
++
+     s->s3->tmp.peer_finish_md_len = i;
+ 
+     return (1);
++err:
++#if defined(CHSSL_OFFLOAD) && defined(CHSSL_TLS_RX)
++    if (SSL_ofld_rx(s))
++        chssl_clear_quies(s);
++#endif
++    return (0);
+ }
+ 
+ int ssl3_send_alert(SSL *s, int level, int desc)
+diff --git a/crypto/openssl/ssl/s3_srvr.c b/crypto/openssl/ssl/s3_srvr.c
+index 0fb4845d44fa..74afc08f66b8 100644
+--- a/crypto/openssl/ssl/s3_srvr.c
++++ b/crypto/openssl/ssl/s3_srvr.c
+@@ -169,6 +169,9 @@
+ # include <openssl/krb5_asn.h>
+ #endif
+ #include <openssl/md5.h>
++#ifdef CHSSL_OFFLOAD
++#include "ssl_tom.h"
++#endif
+ 
+ #ifndef OPENSSL_NO_SSL3_METHOD
+ static const SSL_METHOD *ssl3_get_server_method(int ver);
+@@ -250,6 +253,9 @@ int ssl3_accept(SSL *s)
+     for (;;) {
+         state = s->state;
+ 
++#ifdef TLS_DEBUG
++	fprintf(stderr, "%s: state %d\n", __func__, state);
++#endif
+         switch (s->state) {
+         case SSL_ST_RENEGOTIATE:
+             s->renegotiate = 1;
+@@ -270,6 +276,10 @@ int ssl3_accept(SSL *s)
+                 return -1;
+             }
+             s->type = SSL_ST_ACCEPT;
++#ifdef CHSSL_OFFLOAD
++            if (chssl_new(s))
++                ssl_tls_offload(s);
++#endif
+ 
+             if (s->init_buf == NULL) {
+                 if ((buf = BUF_MEM_new()) == NULL) {
+@@ -423,6 +433,12 @@ int ssl3_accept(SSL *s)
+             else
+                 s->state = SSL3_ST_SW_CERT_A;
+             s->init_num = 0;
++#ifdef CHSSL_OFFLOAD
++            if (SSL_ofld(s) && s->new_session) {
++                s->s3->tmp.next_state = s->state;
++                s->state = SSL3_ST_SW_FLUSH;
++            }
++#endif
+             break;
+ 
+         case SSL3_ST_SW_CERT_A:
+@@ -453,6 +469,12 @@ int ssl3_accept(SSL *s)
+             s->state = SSL3_ST_SW_KEY_EXCH_A;
+ #endif
+             s->init_num = 0;
++#ifdef CHSSL_OFFLOAD
++            if (SSL_ofld(s) && s->new_session) {
++                s->s3->tmp.next_state = s->state;
++                s->state = SSL3_ST_SW_FLUSH;
++            }
++#endif
+             break;
+ 
+         case SSL3_ST_SW_KEY_EXCH_A:
+@@ -505,6 +527,12 @@ int ssl3_accept(SSL *s)
+ 
+             s->state = SSL3_ST_SW_CERT_REQ_A;
+             s->init_num = 0;
++#ifdef CHSSL_OFFLOAD
++            if (SSL_ofld(s) && s->new_session) {
++                s->s3->tmp.next_state = s->state;
++                s->state = SSL3_ST_SW_FLUSH;
++            }
++#endif
+             break;
+ 
+         case SSL3_ST_SW_CERT_REQ_A:
+@@ -765,6 +793,12 @@ int ssl3_accept(SSL *s)
+                 goto end;
+             s->state = SSL3_ST_SW_CHANGE_A;
+             s->init_num = 0;
++#ifdef CHSSL_OFFLOAD
++            if (SSL_ofld(s) && s->new_session) {
++                s->s3->tmp.next_state = s->state;
++                s->state = SSL3_ST_SW_FLUSH;
++            }
++#endif
+             break;
+ 
+         case SSL3_ST_SW_CERT_STATUS_A:
+@@ -774,6 +808,12 @@ int ssl3_accept(SSL *s)
+                 goto end;
+             s->state = SSL3_ST_SW_KEY_EXCH_A;
+             s->init_num = 0;
++#ifdef CHSSL_OFFLOAD
++            if (SSL_ofld(s) && s->new_session) {
++                s->s3->tmp.next_state = s->state;
++                s->state = SSL3_ST_SW_FLUSH;
++            }
++#endif
+             break;
+ 
+ #endif
+@@ -794,7 +834,17 @@ int ssl3_accept(SSL *s)
+ 
+             if (ret <= 0)
+                 goto end;
++
++#ifdef CHSSL_OFFLOAD 
++            if (SSL_ofld(s)) {
++                s->s3->tmp.next_state = SSL3_ST_SW_FINISHED_A;
++                s->state = SSL3_ST_SW_FLUSH;
++            } else {
+             s->state = SSL3_ST_SW_FINISHED_A;
++            }
++#else
++            s->state = SSL3_ST_SW_FINISHED_A;
++#endif
+             s->init_num = 0;
+ 
+             if (!s->method->ssl3_enc->change_cipher_state(s,
+@@ -804,11 +854,14 @@ int ssl3_accept(SSL *s)
+                 s->state = SSL_ST_ERR;
+                 goto end;
+             }
+-
+             break;
+ 
+         case SSL3_ST_SW_FINISHED_A:
+         case SSL3_ST_SW_FINISHED_B:
++#ifdef CHSSL_OFFLOAD
++            if (SSL_ofld(s))
++                chssl_program_hwkey_context(s, KEY_WRITE_TX, SSL_ST_ACCEPT);
++#endif
+             ret = ssl3_send_finished(s,
+                                      SSL3_ST_SW_FINISHED_A,
+                                      SSL3_ST_SW_FINISHED_B,
+@@ -831,6 +884,7 @@ int ssl3_accept(SSL *s)
+             } else
+                 s->s3->tmp.next_state = SSL_ST_OK;
+             s->init_num = 0;
++
+             break;
+ 
+         case SSL_ST_OK:
+diff --git a/crypto/openssl/ssl/ssl.h b/crypto/openssl/ssl/ssl.h
+index 3cf96a239bab..2ae116f78020 100644
+--- a/crypto/openssl/ssl/ssl.h
++++ b/crypto/openssl/ssl/ssl.h
+@@ -1408,11 +1408,47 @@ int SSL_extension_supported(unsigned int ext_type);
+ # define SSL_READING     3
+ # define SSL_X509_LOOKUP 4
+ 
++#ifdef CHSSL_OFFLOAD
++enum {
++        SSL_ENC_HOST = 0,
++        SSL_ENC_OFLD,
++};
++
++enum {
++        SSL_MAC_HOST = 0,
++        SSL_MAC_OFLD,
++};
++
++enum {
++        KEY_SPACE_AVAIL = 0,
++        KEY_SPACE_NOTAVL,
++};
++
++struct ch_ssl_st {
++    int  nl_fd;
++    int  sock_fd; 	
++    char ofld_tx_enable;
++    char ofld_rx_enable;
++    char ofld_enc;
++    char ofld_mac;
++    char key_state;
++    char rx_keys_copied;
++    char tx_keys_copied;
++    void *key_context;
++};
++#endif
++
+ /* These will only be used when doing non-blocking IO */
+ # define SSL_want_nothing(s)     (SSL_want(s) == SSL_NOTHING)
+ # define SSL_want_read(s)        (SSL_want(s) == SSL_READING)
+ # define SSL_want_write(s)       (SSL_want(s) == SSL_WRITING)
+ # define SSL_want_x509_lookup(s) (SSL_want(s) == SSL_X509_LOOKUP)
++#ifdef CHSSL_OFFLOAD
++# define SSL_enc_offload(s)      (SSL_enc(s)  == SSL_ENC_OFLD)
++# define SSL_enc_host(s)         (SSL_enc(s)  == SSL_ENC_HOST)
++# define SSL_mac_offload(s)      (SSL_mac(s)  == SSL_MAC_OFLD)
++# define SSL_mac_host(s)         (SSL_mac(s)  == SSL_MAC_HOST)
++#endif
+ 
+ # define SSL_MAC_FLAG_READ_MAC_STREAM 1
+ # define SSL_MAC_FLAG_WRITE_MAC_STREAM 2
+@@ -1447,6 +1483,7 @@ struct ssl_st {
+     char *wbio;
+     char *bbio;
+ #  endif
++
+     /*
+      * This holds a variable that indicates what we were doing when a 0 or -1
+      * is returned.  This is needed for non-blocking IO so we know what
+@@ -1568,6 +1605,9 @@ struct ssl_st {
+                                          unsigned int max_psk_len);
+ #  endif
+     SSL_CTX *ctx;
++#ifdef CHSSL_OFFLOAD
++    struct ch_ssl_st *chssl;
++#endif
+     /*
+      * set this flag to 1 and a sleep(1) is put into all SSL_read() and
+      * SSL_write() calls, good for nbio debuging :-)
+@@ -1758,6 +1798,9 @@ extern "C" {
+ # define SSL_ST_READ_HEADER                      0xF0
+ # define SSL_ST_READ_BODY                        0xF1
+ # define SSL_ST_READ_DONE                        0xF2
++#ifdef CHSSL_OFFLOAD
++# define SSL_ST_READ_ERROR                       0xF3
++#endif
+ 
+ /*-
+  * Obtain latest Finished message
+@@ -2136,6 +2179,23 @@ X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *);
+ void SSL_CTX_set_cert_store(SSL_CTX *, X509_STORE *);
+ int SSL_want(const SSL *s);
+ int SSL_clear(SSL *s);
++#ifdef CHSSL_OFFLOAD
++int SSL_enc(const SSL *s);
++int SSL_mac(const SSL *s);
++#ifdef CHSSL_TLS_RX
++int SSL_Rx_keys(const SSL *s);
++#endif
++int SSL_Tx_keys(const SSL *s);
++int SSL_ofld(const SSL *s);
++int SSL_compress(const SSL *s);
++int SSL_Chelsio_ofld(const SSL *s);
++#ifdef CHSSL_TLS_RX
++int chssl_clear_quies(const SSL *s);
++#endif
++int chssl_clear_tom(const SSL *s);
++int chssl_process_cherror(SSL *s);
++void chssl_program_hwkey_context(SSL *s, int rw, int state);
++#endif
+ 
+ void SSL_CTX_flush_sessions(SSL_CTX *ctx, long tm);
+ 
+diff --git a/crypto/openssl/ssl/ssl_lib.c b/crypto/openssl/ssl/ssl_lib.c
+index 3539f4b8d20a..2d0fee71d50d 100644
+--- a/crypto/openssl/ssl/ssl_lib.c
++++ b/crypto/openssl/ssl/ssl_lib.c
+@@ -159,6 +159,9 @@
+ #ifndef OPENSSL_NO_ENGINE
+ # include <openssl/engine.h>
+ #endif
++#ifdef CHSSL_OFFLOAD
++#include "ssl_tom.h"
++#endif
+ 
+ const char *SSL_version_str = OPENSSL_VERSION_TEXT;
+ 
+@@ -742,6 +745,7 @@ int SSL_set_fd(SSL *s, int fd)
+     }
+     BIO_set_fd(bio, fd, BIO_NOCLOSE);
+     SSL_set_bio(s, bio, bio);
++    //printf("SSL_set_fd: fd:%d bio_fd:%d BIO:%p:%p:%p\n",fd,bio->num,bio,s->wbio,s->rbio);	
+     ret = 1;
+  err:
+     return (ret);
+@@ -1068,6 +1072,11 @@ int SSL_shutdown(SSL *s)
+         SSLerr(SSL_F_SSL_SHUTDOWN, SSL_R_UNINITIALIZED);
+         return -1;
+     }
++#ifdef CHSSL_OFFLOAD
++    if (s->chssl) {
++        chssl_free(s);
++    }
++#endif
+ 
+     if (!SSL_in_init(s)) {
+         return s->method->ssl_shutdown(s);
+diff --git a/crypto/openssl/ssl/ssl_tom.c b/crypto/openssl/ssl/ssl_tom.c
+new file mode 100644
+index 000000000000..3fd915ac2c56
+--- /dev/null
++++ b/crypto/openssl/ssl/ssl_tom.c
+@@ -0,0 +1,724 @@
++/* ssl/ssl_tom.c */
++/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
++ * All rights reserved.
++ *
++ * This package is an SSL implementation written
++ * by Eric Young (eay@cryptsoft.com).
++ * The implementation was written so as to conform with Netscapes SSL.
++ *
++ * This library is free for commercial and non-commercial use as long as
++ * the following conditions are aheared to.  The following conditions
++ * apply to all code found in this distribution, be it the RC4, RSA,
++ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
++ * included with this distribution is covered by the same copyright terms
++ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
++ *
++ * Copyright remains Eric Young's, and as such any Copyright notices in
++ * the code are not to be removed.
++ * If this package is used in a product, Eric Young should be given attribution
++ * as the author of the parts of the library used.
++ * This can be in the form of a textual message at program startup or
++ * in documentation (online or textual) provided with the package.
++ * w
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the copyright
++ *    notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in the
++ *    documentation and/or other materials provided with the distribution.
++ * 3. All advertising materials mentioning features or use of this software
++ *    must display the following acknowledgement:
++ *    "This product includes cryptographic software written by
++ *     Eric Young (eay@cryptsoft.com)"
++ *    The word 'cryptographic' can be left out if the rouines from the library
++ *    being used are not cryptographic related :-).
++ * 4. If you include any Windows specific code (or a derivative thereof) from
++ *    the apps directory (application code) you must include an acknowledgement:
++ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGE.
++ *
++ * The licence and distribution terms for any publically available version or
++ * derivative of this code cannot be changed.  i.e. this code cannot simply be
++ * copied and put under another distribution licence
++ * [including the GNU Public Licence.]
++ */
++/* ====================================================================
++ * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ *
++ * This product includes cryptographic software written by Eric Young
++ * (eay@cryptsoft.com).  This product includes software written by Tim
++ * Hudson (tjh@cryptsoft.com).
++ * Chelsio Software written by Atul Gupta (atul.gupta@chelsio.com)
++ *
++ */
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <errno.h>
++#include <unistd.h>
++#include <poll.h>
++#include <string.h>
++#include <fcntl.h>
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <sys/socket.h>
++#include <sys/ioctl.h>
++#ifdef __linux__
++#include <linux/genetlink.h>
++#include <linux/types.h>
++#endif
++#ifdef __FreeBSD__
++#include <netinet/tcp.h>
++#include <sys/endian.h>
++#endif
++#include "ssl_locl.h"
++#include <openssl/ssl.h>
++#include <netinet/in.h>
++#include "ssl_tom.h"
++#include <sys/uio.h>
++#include <openssl/sha.h>
++
++#ifdef CHSSL_OFFLOAD
++int ssl_tls_offload(SSL *s)
++{
++#ifdef __FreeBSD__
++    socklen_t optlen;
++#endif
++    int ret, mode = 0;
++
++    if ((s->wbio == NULL) || (s->rbio == NULL)) {
++        SSLerr(SSL_R_BAD_STATE, SSL_R_BIO_NOT_SET);
++        return mode;
++    }
++    s->chssl->sock_fd = s->wbio->num = s->rbio->num;
++
++#ifdef __linux__
++    ret = ioctl(s->chssl->sock_fd, IOCTL_TLSOM_GET_TLS_TOM, &mode);
++    if (!ret && mode)
++        s->chssl->ofld_rx_enable = s->chssl->ofld_tx_enable = TLS_OFLD_TRUE;
++    else
++        s->chssl->ofld_rx_enable = s->chssl->ofld_tx_enable = TLS_OFLD_FALSE;
++#else
++    optlen = sizeof(mode);
++    ret = getsockopt(s->chssl->sock_fd, IPPROTO_TCP, TCP_TLSOM_GET_TLS_TOM,
++	&mode, &optlen);
++    s->chssl->ofld_rx_enable = s->chssl->ofld_tx_enable = TLS_OFLD_FALSE;
++    if (ret == 0) {
++        switch (mode) {
++        case TLS_TOM_BOTH:
++            s->chssl->ofld_rx_enable = TLS_OFLD_TRUE;
++            /* FALLTHROUGH */
++        case TLS_TOM_TXONLY:
++            s->chssl->ofld_tx_enable = TLS_OFLD_TRUE;
++            break;
++        }
++    }
++#endif
++
++    return mode;
++}
++
++int SSL_ofld_vers(const SSL *s)
++{
++    return (s->version == TLS1_1_VERSION || s->version == TLS1_2_VERSION
++            || s->version == DTLS1_2_VERSION);
++}
++
++int SSL_ofld(const SSL *s)
++{
++    return(SSL_ofld_vers(s) && s->chssl && s->chssl->ofld_tx_enable);
++}
++
++#ifdef CHSSL_TLS_RX
++int SSL_ofld_rx(const SSL *s)
++{
++    return(s->chssl && s->chssl->ofld_rx_enable);
++}
++#endif
++
++int SSL_compress(const SSL *s)
++{
++    return(s->compress != NULL);
++}
++
++#ifdef CHSSL_TLS_RX
++int SSL_Rx_keys(const SSL *s)
++{
++    return(s->chssl && s->chssl->rx_keys_copied);
++}
++#endif
++
++int SSL_Tx_keys(const SSL *s)
++{
++    return(s->chssl && s->chssl->tx_keys_copied);
++}
++
++int SSL_enc(const SSL *s)
++{
++    return(s->chssl && s->chssl->ofld_tx_enable && s->chssl->ofld_enc);
++}
++
++int SSL_mac(const SSL *s)
++{
++    return(s->chssl && s->chssl->ofld_tx_enable && s->chssl->ofld_mac);
++}
++
++int SSL_Chelsio_ofld(const SSL *s)
++{
++    return (SSL_ofld(s) && SSL_ofld_rx(s) && SSL_enc(s) && SSL_mac(s));
++}
++
++#ifdef CHSSL_TLS_RX
++int SSL_clr_quiesce(const SSL *s)
++{
++    return (SSL_ofld_rx(s) && (s->chssl->key_state == KEY_SPACE_NOTAVL));
++}
++#endif
++
++int CHSSL_EVP_Digest(const void *data,
++		     void *md, const EVP_MD *m)
++{
++    int ret = 1, i;
++
++   if (m->type == NID_sha1){
++	SHA_CTX sha1ctx;
++	unsigned int *temp = md;
++
++	SHA1_Init(&sha1ctx);
++	SHA1_Update(&sha1ctx, data, SHA_CBLOCK);
++	temp[0] = htonl(sha1ctx.h0);
++	temp[1] = htonl(sha1ctx.h1);
++	temp[2] = htonl(sha1ctx.h2);
++	temp[3] = htonl(sha1ctx.h3);
++	temp[4] = htonl(sha1ctx.h4);
++   } else if (m->type == NID_sha256) {
++	SHA256_CTX sha256ctx;
++	SHA256_Init(&sha256ctx);
++	SHA256_Update(&sha256ctx, data, SHA256_CBLOCK);
++
++	for (i = 0; i < SHA256_DIGEST_LENGTH / 4; i++)
++		*((unsigned int *)md + i) = htonl(sha256ctx.h[i]);
++   } else if (m->type == NID_sha384) {
++	   SHA512_CTX sha384ctx;
++
++	   SHA384_Init(&sha384ctx);
++	   SHA384_Update(&sha384ctx, data, SHA512_BLOCK);
++
++	   for (i = 0; i < SHA512_DIGEST_LENGTH / 8; i++)
++		*((unsigned long long *)md + i) =
++			   htobe64(sha384ctx.h[i]);
++
++   } else if (m->type == NID_sha512) {
++	   SHA512_CTX sha512ctx;
++
++	   SHA512_Init(&sha512ctx);
++	   SHA512_Update(&sha512ctx, data, SHA512_BLOCK);
++
++	   for (i = 0; i < SHA512_DIGEST_LENGTH / 8; i++)
++		*((unsigned long long *)md + i) =
++			   htobe64(sha512ctx.h[i]);
++   }
++
++    return ret;
++}
++
++/* 
++ * Determine HW capability for Digest and Cipher Offload 
++ */
++static int tls_ofld_enc_mac(SSL *s)
++{
++    const EVP_CIPHER *p;
++    const SSL_CIPHER *c;
++
++    c = s->s3->tmp.new_cipher;
++    p = s->s3->tmp.new_sym_enc;
++
++    switch(c->algorithm_enc) {
++    case SSL_AES128GCM:
++    case SSL_AES256GCM:
++        s->chssl->ofld_enc = SSL_ENC_OFLD;
++        s->chssl->ofld_mac = SSL_MAC_OFLD;
++        return TLS_OFLD_TRUE;
++
++    case SSL_AES128 :
++    case SSL_AES256 :
++        switch(EVP_CIPHER_mode(p)) {
++        case EVP_CIPH_CTR_MODE:
++        case EVP_CIPH_CBC_MODE:
++            s->chssl->ofld_enc  = SSL_ENC_OFLD;
++            break;
++        default:
++           chssl_print(cl,"No HW support\n");
++           return TLS_OFLD_FALSE;
++        }
++    break;
++
++    case SSL_eNULL:
++        s->chssl->ofld_enc = SSL_ENC_OFLD;
++        break;
++
++    default:
++        chssl_print(cl,"No HW support for ENC\n");
++                    s->chssl->ofld_enc = SSL_ENC_HOST;
++        return TLS_OFLD_FALSE;
++    }
++
++    switch(c->algorithm_mac) {
++    case SSL_SHA1:
++    case SSL_SHA256:
++    case SSL_SHA384:
++        s->chssl->ofld_mac= SSL_MAC_OFLD;
++        break;
++
++    default:
++        s->chssl->ofld_mac= SSL_MAC_HOST;
++	/* Revert enc mode to non-offload */
++        s->chssl->ofld_enc  = SSL_ENC_HOST;
++        chssl_print(cl,"No HW support for MAC\n");
++        return TLS_OFLD_FALSE;
++    }
++    return TLS_OFLD_TRUE;
++}
++
++/* 
++ * Authentication Mode expected by HW
++ */
++static unsigned char get_auth_mode(SSL *s)
++{
++    const SSL_CIPHER *c = s->s3->tmp.new_cipher;
++
++    if(c==NULL) return CHSSL_SHA_NOP;
++
++    switch(c->algorithm_mac) {
++    case SSL_SHA1:
++        return CHSSL_SHA1;
++    case SSL_SHA256:
++       return CHSSL_SHA256;
++    case SSL_SHA384:
++       return CHSSL_SHA512_384;
++    case SSL_AEAD:
++        return CHSSL_GHASH;
++    default:
++        return CHSSL_SHA_NOP;
++}
++}
++
++/* 
++ * Cipher Mode expected by HW
++ */
++static unsigned char get_cipher_mode(SSL *s)
++{
++    const EVP_CIPHER *c = s->s3->tmp.new_sym_enc;
++
++    switch(EVP_CIPHER_mode(c)) {
++    case EVP_CIPH_CBC_MODE:
++        return CHSSL_AES_CBC;
++    case EVP_CIPH_GCM_MODE:
++        return CHSSL_AES_GCM;
++    case EVP_CIPH_CTR_MODE:
++        return CHSSL_AES_CTR;
++    case EVP_CIPH_STREAM_CIPHER:
++        return CHSSL_CIPH_NOP;
++    default:
++        chssl_print(cl,"invalid cipher mode\n");
++        return CHSSL_CIPH_NOP;
++    }
++}
++
++static void chssl_compute_ipad_opad(unsigned char *key,
++				 unsigned char *ipad,
++				 unsigned char *opad,
++				 int k, const EVP_MD *m)
++{
++    int i, blksize;
++    char iblock[SHA512_BLOCK] = {0};
++    char oblock[SHA512_BLOCK] = {0};
++
++    blksize = m->block_size;
++    memset (iblock + k, 0x36, blksize - k);
++    memset (oblock + k, 0x5c, blksize - k);
++    for(i = 0; i < k; i++) {
++        iblock[i] = key[i] ^ 0x36;
++        oblock[i] = key[i] ^ 0x5c;
++    }
++    CHSSL_EVP_Digest(iblock, ipad, m);
++    CHSSL_EVP_Digest(oblock, opad, m);
++}
++
++static void chssl_compute_cipher_key(unsigned char *key,
++				     int key_len,
++				     unsigned char *ghash)
++{
++    int len,len1;
++    EVP_CIPHER_CTX ctx;
++    unsigned char plaintext[GHASH_SIZE] = {0};
++
++    EVP_CIPHER_CTX_init(&ctx);
++    if(key_len == 16)
++        EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key, NULL);
++    else
++        EVP_EncryptInit_ex(&ctx, EVP_aes_256_cbc(), NULL, key, NULL);
++    EVP_CIPHER_CTX_set_padding(&ctx, 0);
++    EVP_EncryptUpdate(&ctx, ghash, &len, plaintext, 16);
++    EVP_EncryptFinal_ex(&ctx, ghash+len, &len1);
++    EVP_CIPHER_CTX_cleanup(&ctx);
++}
++
++/*
++ * Create key Context for receive/transmit and program on HW
++ */
++static int ssl_key_context(SSL *s, int rw, int state)
++{
++    const EVP_CIPHER *c;
++    const EVP_MD *m;
++    unsigned int  mac_key_size = 0, cipher_key_size, iv_size;
++    unsigned char *key;
++    unsigned char s_ipad_hash[MAX_MAC_KSZ]= {0x0}; /* blk sz for hashing */
++    unsigned char s_opad_hash[MAX_MAC_KSZ]= {0x0}; /* blk sz for hashing */
++    unsigned char c_ipad_hash[MAX_MAC_KSZ]= {0x0}; /* blk sz for hashing */
++    unsigned char c_opad_hash[MAX_MAC_KSZ]= {0x0}; /* blk sz for hashing */
++
++    unsigned char s_mac_key[MAX_MAC_KSZ] = {0x0};
++    unsigned char c_mac_key[MAX_MAC_KSZ] = {0x0};
++    unsigned char s_key[MAX_CIPHER_KSZ] = {0x0};
++    unsigned char c_key[MAX_CIPHER_KSZ] = {0x0};
++    unsigned char s_iv[MAX_CIPHER_KSZ] = {0x0};
++    unsigned char c_iv[MAX_CIPHER_KSZ] = {0x0};
++    unsigned char ghash[GHASH_SIZE] = {0x0};
++    int pad = 12;
++    int index = 0;
++    int ret = 0;
++    struct tls_key_context *kctx = s->chssl->key_context;
++
++    if (!tls_ofld_enc_mac(s)) {
++        return ret;
++    }
++
++    c = s->s3->tmp.new_sym_enc;
++    m = s->s3->tmp.new_hash;
++    kctx->l_p_key = rw;
++
++    if (s->new_session)
++    kctx->l_p_key |= F_KEY_CLR_LOC;
++    key = s->s3->tmp.key_block;
++
++    if (s->version >= TLS1_VERSION)
++        mac_key_size = s->s3->tmp.new_mac_secret_size;
++    else
++        if (m) mac_key_size = m->md_size;
++    kctx->mac_secret_size = mac_key_size;
++
++    cipher_key_size = EVP_CIPHER_key_length(c);
++    kctx->cipher_secret_size = cipher_key_size;
++
++    iv_size = (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) ?
++    EVP_GCM_TLS_FIXED_IV_LEN:
++    EVP_CIPHER_iv_length(c);
++    kctx->iv_size = iv_size;
++    kctx->iv_ctrl = 1;
++    kctx->iv_algo = 0;
++
++    if ((mac_key_size == SHA256_DIGEST_LENGTH) ||
++        (mac_key_size == SHA384_DIGEST_LENGTH))
++        pad = 0;
++
++    if (mac_key_size) {
++        memcpy(c_mac_key, key, mac_key_size);
++        key += mac_key_size;
++        memcpy(s_mac_key, key, mac_key_size);
++        key += mac_key_size;
++    }
++    memcpy(c_key, key, cipher_key_size);
++    key += cipher_key_size;
++    memcpy(s_key, key, cipher_key_size);
++    key += cipher_key_size;
++
++    memcpy(c_iv, key, iv_size);
++    key += iv_size;
++    memcpy(s_iv, key, iv_size);
++
++    if (s->chssl->ofld_mac && (EVP_CIPHER_mode(c) != EVP_CIPH_GCM_MODE)) {
++        /* IPAD/OPAD for SHA384/512 calculated over 128B block */
++            chssl_compute_ipad_opad(c_mac_key, c_ipad_hash,
++                                    c_opad_hash, mac_key_size, m);
++            chssl_compute_ipad_opad(s_mac_key, s_ipad_hash,
++                                    s_opad_hash, mac_key_size, m);
++    }
++
++    if (state == SSL_ST_ACCEPT) {
++        memcpy(kctx->tx.key, s_key, cipher_key_size);
++        memcpy(kctx->rx.key, c_key, cipher_key_size);
++    } else {
++        memcpy(kctx->tx.key, c_key, cipher_key_size);
++        memcpy(kctx->rx.key, s_key, cipher_key_size);
++    }
++
++    if (mac_key_size == SHA384_DIGEST_LENGTH) mac_key_size = MAX_MAC_KSZ;
++    index = cipher_key_size;
++    if (s->chssl->ofld_mac) {
++        if (mac_key_size) {
++            if (state == SSL_ST_ACCEPT)
++                memcpy(kctx->tx.key+index, s_ipad_hash, mac_key_size);
++            else
++                memcpy(kctx->tx.key+index, c_ipad_hash, mac_key_size);
++
++            index += (mac_key_size + pad);
++            if (state == SSL_ST_ACCEPT)
++                memcpy(kctx->tx.key+index, s_opad_hash, mac_key_size);
++            else
++                memcpy(kctx->tx.key+index, c_opad_hash, mac_key_size);
++
++            index += (mac_key_size + pad);
++        } else {
++            if (state == SSL_ST_ACCEPT) {
++               chssl_compute_cipher_key(s_key, cipher_key_size, ghash);
++               memcpy(kctx->tx.key+index, ghash, GHASH_SIZE);
++            } else {
++               chssl_compute_cipher_key(c_key, cipher_key_size, ghash);
++               memcpy(kctx->tx.key+index, ghash, GHASH_SIZE);
++            }
++            index += GHASH_SIZE;
++        }
++    }
++    kctx->tx_key_info_size = TLS_TX_HDR_SZ + index;
++
++    index = cipher_key_size;
++    if (s->chssl->ofld_mac) {
++        if (mac_key_size) {
++            if (state == SSL_ST_ACCEPT)
++                memcpy(kctx->rx.key+index, c_ipad_hash, mac_key_size);
++            else
++                memcpy(kctx->rx.key+index, s_ipad_hash, mac_key_size);
++
++        index += (mac_key_size + pad);
++        if (state == SSL_ST_ACCEPT)
++            memcpy(kctx->rx.key+index, c_opad_hash, mac_key_size);
++        else
++            memcpy(kctx->rx.key+index, s_opad_hash, mac_key_size);
++
++        index += (mac_key_size + pad);
++        } else {
++            if (state == SSL_ST_ACCEPT)  {
++                chssl_compute_cipher_key(c_key, cipher_key_size, ghash);
++                memcpy(kctx->rx.key+index, ghash, GHASH_SIZE);
++            } else {
++                chssl_compute_cipher_key(s_key, cipher_key_size, ghash);
++                memcpy(kctx->rx.key+index, ghash, GHASH_SIZE);
++            }
++	index += GHASH_SIZE;
++        }
++    }
++
++    kctx->tx_key_info_size = TLS_RX_HDR_SZ + index;
++
++    if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) {
++        if (state == SSL_ST_ACCEPT)  {
++            memcpy(kctx->tx.salt, s_iv, SALT_SIZE);
++            memcpy(kctx->rx.salt, c_iv, SALT_SIZE);
++        } else {
++            memcpy(kctx->tx.salt, c_iv, SALT_SIZE);
++            memcpy(kctx->rx.salt, s_iv, SALT_SIZE);
++        }
++    }
++
++    kctx->proto_ver = s->version;
++    kctx->state.auth_mode = get_auth_mode(s);
++    kctx->state.enc_mode = get_cipher_mode(s);
++    if (s->version == DTLS1_2_VERSION)
++        kctx->dtls_epoch = s->d1->r_epoch;
++
++    if (s->max_send_fragment)
++        kctx->frag_size = s->max_send_fragment;
++    else
++        kctx->frag_size = SSL3_RT_MAX_PLAIN_LENGTH;
++
++    /* handle renegotiation here */
++    if(!s->chssl->tx_keys_copied)
++        kctx->tx_seq_no = 0;
++    else
++        kctx->tx_seq_no = 1;
++
++    if(!s->chssl->rx_keys_copied)
++        kctx->rx_seq_no = 0;
++    else
++        kctx->rx_seq_no = 1;
++
++    if(EVP_CIPHER_mode(c) != EVP_CIPH_GCM_MODE) {
++        if (!SSL_mac(s) && SSL_enc(s))
++            kctx->hmac_ctrl = 0;
++        else
++            kctx->hmac_ctrl = 1;
++    }
++    kctx->sock_fd = s->chssl->sock_fd;
++
++    return 1;
++}
++
++void chssl_program_hwkey_context(SSL *s, int rw, int state)
++{
++    int ret = 0;
++
++    if (!s->chssl->key_context) {
++        s->chssl->key_context = (struct tls_key_context *)
++        OPENSSL_malloc(sizeof(struct tls_key_context));
++        if (s->chssl->key_context == NULL)
++            return;
++    }
++
++    memset(s->chssl->key_context, 0, sizeof(struct tls_key_context));
++    if((ret = ssl_key_context(s, rw, state)) <=0) {
++#ifdef CHSSL_TLS_RX
++        /* Clear quiesce after CCS receive */
++        if (rw == KEY_WRITE_RX) {
++            ret = chssl_clear_tom(s);
++            s->chssl->ofld_rx_enable = TLS_OFLD_FALSE;
++            s->chssl->ofld_tx_enable = TLS_OFLD_FALSE;
++        }
++#endif
++	goto end;
++    }
++
++#ifdef __linux__
++    ret = ioctl(s->chssl->sock_fd, IOCTL_TLSOM_SET_TLS_CONTEXT,
++		s->chssl->key_context);
++#else
++    ret = setsockopt(s->chssl->sock_fd, IPPROTO_TCP, TCP_TLSOM_SET_TLS_CONTEXT,
++	s->chssl->key_context, sizeof(struct tls_key_context));
++#endif
++    if (!ret) {
++        if (rw & KEY_WRITE_TX)
++            s->chssl->tx_keys_copied = 1;
++        else
++            s->chssl->rx_keys_copied = 1;
++    } else {
++        s->chssl->ofld_rx_enable = TLS_OFLD_FALSE;
++        s->chssl->ofld_tx_enable = TLS_OFLD_FALSE;
++        s->chssl->key_state = KEY_SPACE_NOTAVL;
++    }
++
++end:
++    free(s->chssl->key_context);
++    s->chssl->key_context = NULL;
++    return;
++}
++
++#ifdef CHSSL_TLS_RX
++int chssl_clear_quies(const SSL *s)
++{
++#ifdef __linux__
++    return ioctl(s->chssl->sock_fd, IOCTL_TLSOM_CLR_QUIES);
++#else
++    return setsockopt(s->chssl->sock_fd, IPPROTO_TCP, TCP_TLSOM_CLR_QUIES,
++	NULL, 0);
++#endif
++}
++
++int chssl_clear_tom(const SSL *s)
++{
++#ifdef __linux__
++    return ioctl(s->chssl->sock_fd, IOCTL_TLSOM_CLR_TLS_TOM);
++#else
++    return setsockopt(s->chssl->sock_fd, IPPROTO_TCP, TCP_TLSOM_CLR_TLS_TOM,
++	NULL, 0);
++#endif
++}
++#endif
++
++int chssl_process_cherror(SSL *s)
++{
++    const char *buf = (const char *)&(s->s3->rbuf.buf[0]);
++    unsigned int err = atoi(buf);
++
++    switch (err) {
++    case 0:
++        return SSL_AD_BAD_RECORD_MAC;
++    case 1:
++    case 2:
++        return SSL_AD_ILLEGAL_PARAMETER;
++    case 3:
++        return SSL_AD_RECORD_OVERFLOW;
++    case 4:
++        return SSL_AD_INTERNAL_ERROR;
++    }
++    return 0;
++}
++
++struct ch_ssl_st *chssl_new(SSL *s)
++{
++    if (s->chssl)
++        return s->chssl;
++    s->chssl = OPENSSL_malloc(sizeof(struct ch_ssl_st));
++    if (s->chssl)
++        memset(s->chssl, 0, sizeof(struct ch_ssl_st));
++    return s->chssl;
++}
++
++struct ch_ssl_st *chssl_free(SSL *s)
++{
++    if (!s->chssl)
++        return NULL;
++
++    free(s->chssl);
++    s->chssl = NULL;
++    return NULL;
++}
++#endif
+diff --git a/crypto/openssl/ssl/ssl_tom.h b/crypto/openssl/ssl/ssl_tom.h
+new file mode 100644
+index 000000000000..a1ecf7e38ed7
+--- /dev/null
++++ b/crypto/openssl/ssl/ssl_tom.h
+@@ -0,0 +1,160 @@
++/*
++ * Common Header file TLSOM functionalities
++ *
++ * Copyright (C) 2011-2015 Chelsio Communications.  All rights reserved.
++ *
++ * Written by Atul Gupta
++ *
++ * This program is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE.  See the LICENSE file included in this
++ * release for licensing terms and conditions.
++ */
++#ifdef __linux__
++#include <linux/byteorder/little_endian.h>
++#endif
++#ifndef __TLSOM_CMN_H
++#define __TLSOM_CMN_H
++
++#define TLSOM_SUCCESS 0
++#define TLSOM_FAILURE -1
++
++#ifdef CHSSL_DEBUG
++        #define chssl_print(f,c) fprintf(f,c)
++#else
++        #define chssl_print(f,c) ;
++#endif
++
++#define MAX_MAC_KSZ		64	/*512 bits */
++#define SHA512_BLOCK		128	/* Block size for 512 */
++#define MAX_CIPHER_KSZ		32	/* 256 bits */
++#define CIPHER_BLOCK_SZ		16
++#define IV_SIZE			(4+8)	/*reserved 8 bytes */
++#define SALT_SIZE		4
++#define TLS_TX_HDR_SZ		16
++#define TLS_RX_HDR_SZ		16
++#define GHASH_SIZE		16
++#define MAX_TLS_KSZ	(2*MAX_MAC_KSZ + MAX_CIPHER_KSZ)
++
++#ifdef __FreeBSD__
++#include <dev/cxgbe/tom/t4_tls.h>
++#endif
++#ifdef __linux__
++/* XXX: TCP_TLSKEY is not used */
++#define TCP_TLSKEY 291 /* Program Key Context on HW */
++#define IOCTL_TLSOM_SET_TLS_CONTEXT 201 /* Program Key Context on HW */
++#define IOCTL_TLSOM_GET_TLS_TOM     202 /* Query the TLS offload mode */
++#define IOCTL_TLSOM_CLR_TLS_TOM     203	/* Clear the Key */
++#define IOCTL_TLSOM_CLR_QUIES     204	/* Clear the Quiesec */
++#endif
++
++enum {
++    TLS_OFLD_FALSE = 0,
++    TLS_OFLD_TRUE,
++};
++
++#ifdef __linux__
++/* Can accomodate 16, 11-15 are reserved */
++enum {
++    CHSSL_SHA_NOP,
++    CHSSL_SHA1,
++    CHSSL_SHA224,
++    CHSSL_SHA256,
++    CHSSL_GHASH,
++    CHSSL_SHA512_224,
++    CHSSL_SHA512_256,
++    CHSSL_SHA512_384,
++    CHSSL_SHA512_512,
++    CHSSL_CBCMAC,
++    CHSSL_CMAC,
++};
++
++/* Can accomodate 16, 8-15 are reserved */
++enum {
++    CHSSL_CIPH_NOP,
++    CHSSL_AES_CBC,
++    CHSSL_AES_GCM,
++    CHSSL_AES_CTR,
++    CHSSL_AES_GEN,
++    CHSSL_IPSEC_ESP,
++    CHSSL_AES_XTS,
++    CHSSL_AES_CCM,
++};
++
++#define KEY_WRITE_RX	0x1	/* Program Receive Key */
++#define KEY_WRITE_TX	0x2	/* Program Transmit Key */
++#define KEY_DELETE_RX	0x4	/* Delete Receive Key */
++#define KEY_DELETE_TX	0x8	/* Delete Transmit Key */
++
++#define S_KEY_CLR_LOC		4
++#define M_KEY_CLR_LOC		0xf
++#define V_KEY_CLR_LOC(x)	((x) << S_KEY_CLR_LOC)
++#define G_FW_WR_EQUIQ(s)	(((x) >> S_KEY_CLR_LOC) & M_KEY_CLR_LOC)
++#define F_KEY_CLR_LOC		V_KEY_CLR_LOC(1U)
++
++/* XXX: Not used. */
++#define S_KEY_GET_LOC           0
++#define M_KEY_GET_LOC           0xf
++#define V_KEY_GET_LOC(x)        ((x) << S_KEY_GET_LOC)
++#define G_KEY_GET_LOC(s)        (((x) >> S_KEY_GET_LOC) & M_KEY_GET_LOC)
++
++struct tls_ofld_state {
++    unsigned char enc_mode;
++    unsigned char mac_mode;
++    unsigned char key_loc;
++    unsigned char ofld_mode;
++    unsigned char auth_mode;
++    unsigned char resv[3];
++};
++
++struct tls_tx_ctxt {
++    unsigned char   salt[SALT_SIZE];
++    unsigned char key[MAX_CIPHER_KSZ];
++    unsigned char ipad[MAX_MAC_KSZ];
++    unsigned char opad[MAX_MAC_KSZ];
++};
++
++struct tls_rx_ctxt {
++    unsigned char   salt[SALT_SIZE];
++    unsigned char key[MAX_CIPHER_KSZ];
++    unsigned char ipad[MAX_MAC_KSZ];
++    unsigned char opad[MAX_MAC_KSZ];
++};
++
++struct tls_key_context {
++    struct tls_tx_ctxt tx;
++    struct tls_rx_ctxt rx;
++
++    unsigned char l_p_key;
++    unsigned char hmac_ctrl;
++    unsigned char mac_first;
++    unsigned char iv_size;
++    unsigned char iv_ctrl;
++    unsigned char iv_algo;
++    unsigned char tx_seq_no;
++    unsigned char rx_seq_no;
++
++    struct tls_ofld_state state;
++
++    unsigned int tx_key_info_size;
++    unsigned int rx_key_info_size;
++    unsigned int frag_size;
++    unsigned int mac_secret_size;
++    unsigned int cipher_secret_size;
++    int proto_ver;
++    unsigned int sock_fd;
++    unsigned short dtls_epoch;
++    unsigned short rsv;
++};
++#endif
++
++struct ch_ssl_st *chssl_new(SSL *s);
++struct ch_ssl_st *chssl_free(SSL *s);
++int ssl_tls_offload(SSL *s);
++int SSL_ofld_vers(const SSL *s);
++#ifdef CHSSL_TLS_RX
++int SSL_ofld_rx(const SSL *s);
++int SSL_clr_quiesce(const SSL *s);
++#endif
++#endif
++
+diff --git a/crypto/openssl/ssl/t1_lib.c b/crypto/openssl/ssl/t1_lib.c
+index 1a4387b78eb9..c0dbb8a9cebf 100644
+--- a/crypto/openssl/ssl/t1_lib.c
++++ b/crypto/openssl/ssl/t1_lib.c
+@@ -121,6 +121,9 @@
+ #include <openssl/ocsp.h>
+ #include <openssl/rand.h>
+ #include "ssl_locl.h"
++#if defined(CHSSL_OFFLOAD) && defined(CHSSL_TLS_RX)
++#include "ssl_tom.h"
++#endif
+ 
+ const char tls1_version_str[] = "TLSv1" OPENSSL_VERSION_PTEXT;
+ 
+@@ -4051,6 +4054,10 @@ int tls1_process_heartbeat(SSL *s)
+             s->tlsext_hb_pending = 0;
+         }
+     }
++#if defined(CHSSL_OFFLOAD) && defined(CHSSL_TLS_RX)
++    if (SSL_ofld_rx(s))
++	chssl_clear_quies(s);
++#endif
+ 
+     return 0;
+ }
Index: security/openssl-chelsio/files/extra-patch-test_testssl
===================================================================
--- /dev/null
+++ security/openssl-chelsio/files/extra-patch-test_testssl
@@ -0,0 +1,15 @@
+Disable SSLv3 test when built without SSL3 option disabled
+
+ - Test for weak DH fails when enabled
+
+--- test/testssl.orig	2017-04-27 12:23:44 UTC
++++ test/testssl
+@@ -160,7 +160,7 @@ test_cipher() {
+ }
+ set -x
+ echo "Testing ciphersuites"
+-for protocol in TLSv1.2 SSLv3; do
++for protocol in TLSv1.2; do
+   echo "Testing ciphersuites for $protocol"
+   for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "RSA+$protocol" | tr ':' ' '`; do
+     test_cipher $cipher $protocol
Index: security/openssl-chelsio/files/patch-Configure
===================================================================
--- /dev/null
+++ security/openssl-chelsio/files/patch-Configure
@@ -0,0 +1,45 @@
+--- Configure.orig	2015-06-11 15:50:11.000000000 +0200
++++ Configure	2015-06-12 16:20:39.000000000 +0200
+@@ -467,19 +467,20 @@
+ "android-mips","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ 
+ #### *BSD [do see comment about ${BSDthreads} above!]
+-"BSD-generic32","gcc:-O3 -fomit-frame-pointer -Wall::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"BSD-x86",	"gcc:-DL_ENDIAN -O3 -fomit-frame-pointer -Wall::${BSDthreads}:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out:dlfcn:bsd-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"BSD-x86-elf",	"gcc:-DL_ENDIAN -O3 -fomit-frame-pointer -Wall::${BSDthreads}:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"debug-BSD-x86-elf",	"gcc:-DL_ENDIAN -O3 -Wall -g::${BSDthreads}:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"BSD-sparcv8",	"gcc:-DB_ENDIAN -O3 -mcpu=v8 -Wall::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL:${sparcv8_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"BSD-generic32","$ENV{'FREEBSDCC'}:-O3 -fomit-frame-pointer -Wall $ENV{'CFLAGS'}::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIBVER)",
++"BSD-x86",	"$ENV{'FREEBSDCC'}:-DL_ENDIAN -O3 -fomit-frame-pointer -Wall $ENV{'CFLAGS'}::${BSDthreads}:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out:dlfcn:bsd-shared:-fPIC::.so.\$(SHLIBVER)",
++"BSD-x86-elf",	"$ENV{'FREEBSDCC'}:-DL_ENDIAN -O3 -fomit-frame-pointer -Wall $ENV{'CFLAGS'}::${BSDthreads}:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-shared:-fPIC::.so.\$(SHLIBVER)",
++"debug-BSD-x86-elf",	"$ENV{'FREEBSDCC'}:-DL_ENDIAN -O3 -Wall -g $ENV{'CFLAGS'}::${BSDthreads}:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-shared:-fPIC::.so.\$(SHLIBVER)",
++"BSD-sparcv8", "$ENV{'FREEBSDCC'}:-DB_ENDIAN -O3 -mcpu=v8 -Wall $ENV{'CFLAGS'}::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL:${sparcv8_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIBVER)",
+ 
+-"BSD-generic64","gcc:-O3 -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"BSD-generic64","$ENV{'FREEBSDCC'}:-O3 -Wall $ENV{'CFLAGS'}::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIBVER)",
+ # -DMD32_REG_T=int doesn't actually belong in sparc64 target, it
+ # simply *happens* to work around a compiler bug in gcc 3.3.3,
+ # triggered by RIPEMD160 code.
+-"BSD-sparc64",	"gcc:-DB_ENDIAN -O3 -DMD32_REG_T=int -Wall::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC2 BF_PTR:${sparcv9_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"BSD-ia64",	"gcc:-DL_ENDIAN -O3 -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"BSD-x86_64",	"cc:-DL_ENDIAN -O3 -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"BSD-sparc64",	"$ENV{'FREEBSDCC'}:-DB_ENDIAN -O3 -DMD32_REG_T=int -Wall $ENV{'CFLAGS'}::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC2 BF_PTR:${sparcv9_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIBVER)",
++"BSD-ia64",	"$ENV{'FREEBSDCC'}:-DL_ENDIAN -O3 -Wall $ENV{'CFLAGS'}::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIBVER)",
++"BSD-x86_64",	"$ENV{'FREEBSDCC'}:-DL_ENDIAN -O3 -Wall $ENV{'CFLAGS'}::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIBVER)",
++"BSD-alpha",	"$ENV{'FREEBSDCC'}:-DL_ENDIAN -O -Wall $ENV{'CFLAGS'}::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIBVER)",
+ 
+ "bsdi-elf-gcc",     "gcc:-DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall::(unknown)::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ 
+@@ -2019,10 +2020,12 @@
+ 	if ( $perl =~ m@^/@) {
+ 	    &dofile("tools/c_rehash",$perl,'^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";', '^my \$prefix;$', 'my $prefix = "' . $prefix . '";');
+ 	    &dofile("apps/CA.pl",$perl,'^#!/', '#!%s');
++	    &dofile("apps/tsget",$perl,'^#!/', '#!%s');
+ 	} else {
+ 	    # No path for Perl known ...
+ 	    &dofile("tools/c_rehash",'/usr/local/bin/perl','^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";',  '^my \$prefix;$', 'my $prefix = "' . $prefix . '";');
+ 	    &dofile("apps/CA.pl",'/usr/local/bin/perl','^#!/', '#!%s');
++	    &dofile("apps/tsget",'/usr/local/bin/perl',,'^#!/', '#!%s');
+ 	}
+ 	if ($depflags ne $default_depflags && !$make_depend) {
+ 		print <<EOF;
Index: security/openssl-chelsio/files/patch-Makefile
===================================================================
--- /dev/null
+++ security/openssl-chelsio/files/patch-Makefile
@@ -0,0 +1,11 @@
+--- apps/Makefile.orig	Tue Aug 10 11:09:07 2004
++++ apps/Makefile	Tue Oct 26 07:00:51 2004
+@@ -112,7 +112,7 @@
+ 	 done
+ 	@cp openssl.cnf $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new; \
+ 	chmod 644 $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new; \
+-	mv -f  $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf
++	mv -f  $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.sample
+ 
+ tags:
+ 	ctags $(SRC)
Index: security/openssl-chelsio/files/patch-RFC-5705
===================================================================
--- /dev/null
+++ security/openssl-chelsio/files/patch-RFC-5705
@@ -0,0 +1,38 @@
+--- ssl/ssl.h	6 Jan 2010 17:37:38 -0000	1.221.2.24
++++ ssl/ssl.h	17 Jun 2010 12:25:35 -0000
+@@ -1806,6 +1806,10 @@
+ /* Pre-shared secret session resumption functions */
+ int SSL_set_session_secret_cb(SSL *s, tls_session_secret_cb_fn tls_session_secret_cb, void *arg);
+ 
++void SSL_tls1_key_exporter(SSL *s, unsigned char *label, int label_len,
++                           unsigned char *context, int context_len,
++                           unsigned char *out, int olen);
++
+ /* BEGIN ERROR CODES */
+ /* The following lines are auto generated by the script mkerr.pl. Any changes
+  * made after this point may be overwritten when the script is next run.
+
+--- ssl/t1_enc.c.orig	2015-01-22 15:58:32.000000000 +0100
++++ ssl/t1_enc.c	2015-03-10 07:21:12.000000000 +0100
+@@ -1261,6 +1261,21 @@
+     return (rv);
+ }
+ 
++void SSL_tls1_key_exporter(SSL *s, unsigned char *label, int label_len,
++                           unsigned char *context, int context_len,
++                           unsigned char *out, int olen)
++	{
++	unsigned char tmp[olen];
++	
++	tls1_PRF(s->s3->tmp.new_cipher->algorithm2,
++			 label, label_len,
++			 s->s3->client_random,SSL3_RANDOM_SIZE,
++			 s->s3->server_random,SSL3_RANDOM_SIZE,
++			 context, context_len, NULL, 0,
++			 s->session->master_key, s->session->master_key_length,
++			 out, tmp, olen);
++	}
++
+ int tls1_alert_code(int code)
+ {
+     switch (code) {
Index: security/openssl-chelsio/files/patch-apps_s__client.c
===================================================================
--- /dev/null
+++ security/openssl-chelsio/files/patch-apps_s__client.c
@@ -0,0 +1,22 @@
+From 4e48c77572a9a96a301e362a3646cd3cc7eca0f9 Mon Sep 17 00:00:00 2001
+From: Carlos Alberto Lopez Perez <clopez@igalia.com>
+Date: Mon, 6 Aug 2012 01:45:51 +0200
+Subject: [PATCH] Fix XMPP code detection on s_client starttls xmpp
+
+ * Some XMPP Servers (OpenFire) use double quotes.
+ * This makes s_client starttls work with this servers.
+ * Tested with OpenFire servers from http://xmpp.net/ ::
+
+     openssl s_client -connect coderollers.com:5222 -starttls xmpp
+--- apps/s_client.c.orig	2017-05-25 12:54:38 UTC
++++ apps/s_client.c
+@@ -1663,7 +1663,8 @@ int MAIN(int argc, char **argv)
+         seen = BIO_read(sbio, mbuf, BUFSIZZ);
+         mbuf[seen] = 0;
+         while (!strstr
+-               (mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'")) {
++               (mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'") &&
++		!strstr(mbuf, "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\"")) {
+             if (strstr(mbuf, "/stream:features>"))
+                 goto shut;
+             seen = BIO_read(sbio, mbuf, BUFSIZZ);
Index: security/openssl-chelsio/files/patch-config
===================================================================
--- /dev/null
+++ security/openssl-chelsio/files/patch-config
@@ -0,0 +1,19 @@
+--- config.orig	2013-06-16 07:01:13.038797248 -0500
++++ config	2013-06-16 07:01:18.138794838 -0500
+@@ -734,14 +734,8 @@
+   sparc64-*-*bsd*)	OUT="BSD-sparc64" ;;
+   ia64-*-*bsd*)		OUT="BSD-ia64" ;;
+   amd64-*-*bsd*)	OUT="BSD-x86_64" ;;
+-  *86*-*-*bsd*)		# mimic ld behaviour when it's looking for libc...
+-			if [ -L /usr/lib/libc.so ]; then	# [Free|Net]BSD
+-			    libc=/usr/lib/libc.so
+-			else					# OpenBSD
+-			    # ld searches for highest libc.so.* and so do we
+-			    libc=`(ls /usr/lib/libc.so.* /lib/libc.so.* | tail -1) 2>/dev/null`
+-			fi
+-			case "`(file -L $libc) 2>/dev/null`" in
++  *86*-*-*bsd*)	
++			case "`(file -L /bin/sh) 2>/dev/null`" in
+ 			*ELF*)	OUT="BSD-x86-elf" ;;
+ 			*)	OUT="BSD-x86"; options="$options no-sse2" ;;
+ 			esac ;;
Index: security/openssl-chelsio/files/patch-ssl_fatalerrtest.c
===================================================================
--- /dev/null
+++ security/openssl-chelsio/files/patch-ssl_fatalerrtest.c
@@ -0,0 +1,48 @@
+From a4597f079bf2662e06d505538f83b6b610c41c7c Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Thu, 7 Dec 2017 14:40:49 +0000
+Subject: [PATCH] Fix initialisation in fatalerrtest
+
+---
+ ssl/fatalerrtest.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ssl/fatalerrtest.c b/ssl/fatalerrtest.c
+index 0288c33fa2e..749bc3697ea 100644
+--- ssl/fatalerrtest.c.orig
++++ ssl/fatalerrtest.c
+@@ -13,8 +13,8 @@
+ 
+ int main(int argc, char *argv[])
+ {
+-    SSL_CTX *sctx, *cctx;
+-    SSL *sssl, *cssl;
++    SSL_CTX *sctx = NULL, *cctx = NULL;
++    SSL *sssl = NULL, *cssl = NULL;
+     const char *msg = "Dummy";
+     BIO *err = NULL, *wbio = NULL;
+     int ret = 1, len;
+From b24e0573c6838e8d726fb16d558c562ce4e8f025 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Thu, 7 Dec 2017 14:41:21 +0000
+Subject: [PATCH] Fix the buffer sizing in the fatalerrtest
+
+Fixes #4865
+---
+ ssl/fatalerrtest.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ssl/fatalerrtest.c b/ssl/fatalerrtest.c
+index 749bc3697ea..f9d66e27b30 100644
+--- ssl/fatalerrtest.c.orig
++++ ssl/fatalerrtest.c
+@@ -76,7 +76,7 @@ int main(int argc, char *argv[])
+     }
+ 
+     /* SSL_read()/SSL_write should fail because of a previous fatal error */
+-    if ((len = SSL_read(sssl, buf, sizeof(buf - 1))) > 0) {
++    if ((len = SSL_read(sssl, buf, sizeof(buf) - 1)) > 0) {
+         buf[len] = '\0';
+         printf("Unexpected success reading data: %s\n", buf);
+         goto err;
+
Index: security/openssl-chelsio/pkg-descr
===================================================================
--- /dev/null
+++ security/openssl-chelsio/pkg-descr
@@ -0,0 +1,20 @@
+The OpenSSL Project is a collaborative effort to develop a robust,
+commercial-grade, full-featured, and Open Source toolkit implementing
+the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security
+(TLS v1) protocols with full-strength cryptography world-wide. The
+project is managed by a worldwide community of volunteers that use
+the Internet to communicate, plan, and develop the OpenSSL tookit
+and its related documentation.
+
+OpenSSL is based on the excellent SSLeay library developed by Eric
+A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under
+an Apache-style licence, which basically means that you are free
+to get and use it for commercial and non-commercial purposes subject
+to some simple license conditions.
+
+This version of OpenSSL includes additional patches to support the
+use of TLS offload for offloaded TCP connections on Chelsio T6
+network adapters.
+
+WWW: http://www.openssl.org/
+WWW: http://sctp.fh-muenster.de/dtls-patches.html
Index: security/openssl-chelsio/pkg-plist
===================================================================
--- /dev/null
+++ security/openssl-chelsio/pkg-plist
@@ -0,0 +1,16 @@
+openssl-chelsio/lib/engines/lib4758cca.so
+openssl-chelsio/lib/engines/libaep.so
+openssl-chelsio/lib/engines/libatalla.so
+openssl-chelsio/lib/engines/libcapi.so
+openssl-chelsio/lib/engines/libchil.so
+openssl-chelsio/lib/engines/libcswift.so
+openssl-chelsio/lib/engines/libgmp.so
+openssl-chelsio/lib/engines/libnuron.so
+openssl-chelsio/lib/engines/libpadlock.so
+openssl-chelsio/lib/engines/libsureware.so
+openssl-chelsio/lib/engines/libubsec.so
+openssl-chelsio/lib/libcrypto.so.%%SHLIBVER%%
+openssl-chelsio/lib/libssl.so.%%SHLIBVER%%
+@dir openssl-chelsio/lib/engines
+@dir openssl-chelsio/lib
+@dir openssl-chelsio
Index: security/openssl-chelsio/version.mk
===================================================================
--- /dev/null
+++ security/openssl-chelsio/version.mk
@@ -0,0 +1,2 @@
+# Match FreeBSD 12's base version
+OPENSSL_SHLIBVER?=	8