pool/openssl-1_1
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
b303f421d6
openssl-1_1/openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch

674 lines
24 KiB
Diff
Raw Normal View History

Accepting request 980599 from home:jsikes:branches:security:tls Fixed CVE-2022-1292 and updated expired certificates. Enjoy! OBS-URL: https://build.opensuse.org/request/show/980599 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=111
2022-06-07 08:28:40 +02:00
diff --git a/crypto/s390x_arch.h b/crypto/s390x_arch.h
index 64e7ebb..34e04b4 100644
--- a/crypto/s390x_arch.h
+++ b/crypto/s390x_arch.h
@@ -52,6 +52,9 @@ __attribute__ ((visibility("hidden")))
#endif
Accepting request 766865 from home:vitezslav_cizek:branches:security:tls Add million FIPS and s390 patches - Temporarily ignore broken OPENSSL_INIT_NO_ATEXIT due to our layered FIPS initialization * openssl-fips-ignore_broken_atexit_test.patch - Import FIPS patches from SLE-15 * openssl-fips-dont_run_FIPS_module_installed.patch * openssl-fips_mode.patch * openssl-ship_fips_standalone_hmac.patch * openssl-fips-clearerror.patch * openssl-fips-selftests_in_nonfips_mode.patch - Don't run FIPS power-up self-tests when the checksum files aren't installed (bsc#1042392) * add openssl-fips-run_selftests_only_when_module_is_complete.patch - Import FIPS patches from Fedora (bsc#1157702, jsc#SLE-9553) * openssl-1.1.1-fips-crng-test.patch * openssl-1.1.1-fips-post-rand.patch * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch * openssl-1.1.1-ssh-kdf.patch replaces openssl-jsc-SLE-8789-backport_KDF.patch - Support for CPACF enhancements - part 1 (crypto) [bsc#1152695, jsc#SLE-7861] - Add patches: * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch * openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch * openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch * openssl-s390xcpuid.pl-fix-comment.patch OBS-URL: https://build.opensuse.org/request/show/766865 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=51
2020-01-24 12:52:58 +01:00
extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P;
+/* Max number of 64-bit words currently returned by STFLE */
+# define S390X_STFLE_MAX 3
+
/* convert facility bit number or function code to bit mask */
# define S390X_CAPBIT(i) (1ULL << (63 - (i) % 64))
Accepting request 980599 from home:jsikes:branches:security:tls Fixed CVE-2022-1292 and updated expired certificates. Enjoy! OBS-URL: https://build.opensuse.org/request/show/980599 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=111
2022-06-07 08:28:40 +02:00
@@ -71,9 +74,15 @@ extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P;
Accepting request 766865 from home:vitezslav_cizek:branches:security:tls Add million FIPS and s390 patches - Temporarily ignore broken OPENSSL_INIT_NO_ATEXIT due to our layered FIPS initialization * openssl-fips-ignore_broken_atexit_test.patch - Import FIPS patches from SLE-15 * openssl-fips-dont_run_FIPS_module_installed.patch * openssl-fips_mode.patch * openssl-ship_fips_standalone_hmac.patch * openssl-fips-clearerror.patch * openssl-fips-selftests_in_nonfips_mode.patch - Don't run FIPS power-up self-tests when the checksum files aren't installed (bsc#1042392) * add openssl-fips-run_selftests_only_when_module_is_complete.patch - Import FIPS patches from Fedora (bsc#1157702, jsc#SLE-9553) * openssl-1.1.1-fips-crng-test.patch * openssl-1.1.1-fips-post-rand.patch * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch * openssl-1.1.1-ssh-kdf.patch replaces openssl-jsc-SLE-8789-backport_KDF.patch - Support for CPACF enhancements - part 1 (crypto) [bsc#1152695, jsc#SLE-7861] - Add patches: * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch * openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch * openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch * openssl-s390xcpuid.pl-fix-comment.patch OBS-URL: https://build.opensuse.org/request/show/766865 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=51
2020-01-24 12:52:58 +01:00
# define S390X_KMA 0xb0
/* Facility Bit Numbers */
-# define S390X_VX 129
-# define S390X_VXD 134
-# define S390X_VXE 135
+# define S390X_MSA 17 /* message-security-assist */
+# define S390X_STCKF 25 /* store-clock-fast */
+# define S390X_MSA5 57 /* message-security-assist-ext. 5 */
+# define S390X_MSA3 76 /* message-security-assist-ext. 3 */
+# define S390X_MSA4 77 /* message-security-assist-ext. 4 */
+# define S390X_VX 129 /* vector */
+# define S390X_VXD 134 /* vector packed decimal */
+# define S390X_VXE 135 /* vector enhancements 1 */
+# define S390X_MSA8 146 /* message-security-assist-ext. 8 */
/* Function Codes */
Accepting request 980599 from home:jsikes:branches:security:tls Fixed CVE-2022-1292 and updated expired certificates. Enjoy! OBS-URL: https://build.opensuse.org/request/show/980599 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=111
2022-06-07 08:28:40 +02:00
@@ -81,6 +90,9 @@ extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P;
Accepting request 766865 from home:vitezslav_cizek:branches:security:tls Add million FIPS and s390 patches - Temporarily ignore broken OPENSSL_INIT_NO_ATEXIT due to our layered FIPS initialization * openssl-fips-ignore_broken_atexit_test.patch - Import FIPS patches from SLE-15 * openssl-fips-dont_run_FIPS_module_installed.patch * openssl-fips_mode.patch * openssl-ship_fips_standalone_hmac.patch * openssl-fips-clearerror.patch * openssl-fips-selftests_in_nonfips_mode.patch - Don't run FIPS power-up self-tests when the checksum files aren't installed (bsc#1042392) * add openssl-fips-run_selftests_only_when_module_is_complete.patch - Import FIPS patches from Fedora (bsc#1157702, jsc#SLE-9553) * openssl-1.1.1-fips-crng-test.patch * openssl-1.1.1-fips-post-rand.patch * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch * openssl-1.1.1-ssh-kdf.patch replaces openssl-jsc-SLE-8789-backport_KDF.patch - Support for CPACF enhancements - part 1 (crypto) [bsc#1152695, jsc#SLE-7861] - Add patches: * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch * openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch * openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch * openssl-s390xcpuid.pl-fix-comment.patch OBS-URL: https://build.opensuse.org/request/show/766865 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=51
2020-01-24 12:52:58 +01:00
# define S390X_QUERY 0
/* kimd/klmd */
+# define S390X_SHA_1 1
+# define S390X_SHA_256 2
+# define S390X_SHA_512 3
# define S390X_SHA3_224 32
# define S390X_SHA3_256 33
# define S390X_SHA3_384 34
Accepting request 980599 from home:jsikes:branches:security:tls Fixed CVE-2022-1292 and updated expired certificates. Enjoy! OBS-URL: https://build.opensuse.org/request/show/980599 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=111
2022-06-07 08:28:40 +02:00
@@ -94,7 +106,12 @@ extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P;
Accepting request 766865 from home:vitezslav_cizek:branches:security:tls Add million FIPS and s390 patches - Temporarily ignore broken OPENSSL_INIT_NO_ATEXIT due to our layered FIPS initialization * openssl-fips-ignore_broken_atexit_test.patch - Import FIPS patches from SLE-15 * openssl-fips-dont_run_FIPS_module_installed.patch * openssl-fips_mode.patch * openssl-ship_fips_standalone_hmac.patch * openssl-fips-clearerror.patch * openssl-fips-selftests_in_nonfips_mode.patch - Don't run FIPS power-up self-tests when the checksum files aren't installed (bsc#1042392) * add openssl-fips-run_selftests_only_when_module_is_complete.patch - Import FIPS patches from Fedora (bsc#1157702, jsc#SLE-9553) * openssl-1.1.1-fips-crng-test.patch * openssl-1.1.1-fips-post-rand.patch * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch * openssl-1.1.1-ssh-kdf.patch replaces openssl-jsc-SLE-8789-backport_KDF.patch - Support for CPACF enhancements - part 1 (crypto) [bsc#1152695, jsc#SLE-7861] - Add patches: * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch * openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch * openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch * openssl-s390xcpuid.pl-fix-comment.patch OBS-URL: https://build.opensuse.org/request/show/766865 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=51
2020-01-24 12:52:58 +01:00
# define S390X_AES_192 19
# define S390X_AES_256 20
+/* km */
+# define S390X_XTS_AES_128 50
+# define S390X_XTS_AES_256 52
+
/* prno */
+# define S390X_SHA_512_DRNG 3
# define S390X_TRNG 114
/* Register 0 Flags */
Accepting request 980599 from home:jsikes:branches:security:tls Fixed CVE-2022-1292 and updated expired certificates. Enjoy! OBS-URL: https://build.opensuse.org/request/show/980599 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=111
2022-06-07 08:28:40 +02:00
diff --git a/crypto/s390xcap.c b/crypto/s390xcap.c
index 1097c70..da6af34 100644
--- a/crypto/s390xcap.c
+++ b/crypto/s390xcap.c
Accepting request 766865 from home:vitezslav_cizek:branches:security:tls Add million FIPS and s390 patches - Temporarily ignore broken OPENSSL_INIT_NO_ATEXIT due to our layered FIPS initialization * openssl-fips-ignore_broken_atexit_test.patch - Import FIPS patches from SLE-15 * openssl-fips-dont_run_FIPS_module_installed.patch * openssl-fips_mode.patch * openssl-ship_fips_standalone_hmac.patch * openssl-fips-clearerror.patch * openssl-fips-selftests_in_nonfips_mode.patch - Don't run FIPS power-up self-tests when the checksum files aren't installed (bsc#1042392) * add openssl-fips-run_selftests_only_when_module_is_complete.patch - Import FIPS patches from Fedora (bsc#1157702, jsc#SLE-9553) * openssl-1.1.1-fips-crng-test.patch * openssl-1.1.1-fips-post-rand.patch * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch * openssl-1.1.1-ssh-kdf.patch replaces openssl-jsc-SLE-8789-backport_KDF.patch - Support for CPACF enhancements - part 1 (crypto) [bsc#1152695, jsc#SLE-7861] - Add patches: * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch * openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch * openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch * openssl-s390xcpuid.pl-fix-comment.patch OBS-URL: https://build.opensuse.org/request/show/766865 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=51
2020-01-24 12:52:58 +01:00
@@ -13,15 +13,51 @@
#include <setjmp.h>
#include <signal.h>
#include "internal/cryptlib.h"
Accepting request 786956 from home:vitezslav_cizek:branches:security:tls - Update to 1.1.1e * Properly detect EOF while reading in libssl. Previously if we hit an EOF while reading in libssl then we would report an error back to the application (SSL_ERROR_SYSCALL) but errno would be 0. We now add an error to the stack (which means we instead return SSL_ERROR_SSL) and therefore give a hint as to what went wrong. * Check that ed25519 and ed448 are allowed by the security level. Previously signature algorithms not using an MD were not being checked that they were allowed by the security level. * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername() was not quite right. The behaviour was not consistent between resumption and normal handshakes, and also not quite consistent with historical behaviour. The behaviour in various scenarios has been clarified and it has been updated to make it match historical behaviour as closely as possible. * Corrected the documentation of the return values from the EVP_DigestSign* set of functions. The documentation mentioned negative values for some errors, but this was never the case, so the mention of negative values was removed. * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. The presence of this system service is determined at run-time. * Added newline escaping functionality to a filename when using openssl dgst. This output format is to replicate the output format found in the '*sum' checksum programs. This aims to preserve backward compatibility. * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just the first value. - Update bunch of patches as the internal crypto headers got reorganized - drop openssl-1_1-CVE-2019-1551.patch (upstream) - openssl dgst: default to SHA256 only when called without a digest, OBS-URL: https://build.opensuse.org/request/show/786956 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=65
2020-03-20 18:43:35 +01:00
+#include "crypto/ctype.h"
Accepting request 766865 from home:vitezslav_cizek:branches:security:tls Add million FIPS and s390 patches - Temporarily ignore broken OPENSSL_INIT_NO_ATEXIT due to our layered FIPS initialization * openssl-fips-ignore_broken_atexit_test.patch - Import FIPS patches from SLE-15 * openssl-fips-dont_run_FIPS_module_installed.patch * openssl-fips_mode.patch * openssl-ship_fips_standalone_hmac.patch * openssl-fips-clearerror.patch * openssl-fips-selftests_in_nonfips_mode.patch - Don't run FIPS power-up self-tests when the checksum files aren't installed (bsc#1042392) * add openssl-fips-run_selftests_only_when_module_is_complete.patch - Import FIPS patches from Fedora (bsc#1157702, jsc#SLE-9553) * openssl-1.1.1-fips-crng-test.patch * openssl-1.1.1-fips-post-rand.patch * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch * openssl-1.1.1-ssh-kdf.patch replaces openssl-jsc-SLE-8789-backport_KDF.patch - Support for CPACF enhancements - part 1 (crypto) [bsc#1152695, jsc#SLE-7861] - Add patches: * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch * openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch * openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch * openssl-s390xcpuid.pl-fix-comment.patch OBS-URL: https://build.opensuse.org/request/show/766865 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=51
2020-01-24 12:52:58 +01:00
#include "s390x_arch.h"
+#define LEN 128
+#define STR_(S) #S
+#define STR(S) STR_(S)
+
+#define TOK_FUNC(NAME) \
+ (sscanf(tok_begin, \
+ " " STR(NAME) " : %" STR(LEN) "[^:] : " \
+ "%" STR(LEN) "s %" STR(LEN) "s ", \
+ tok[0], tok[1], tok[2]) == 2) { \
+ \
+ off = (tok[0][0] == '~') ? 1 : 0; \
+ if (sscanf(tok[0] + off, "%llx", &cap->NAME[0]) != 1) \
+ goto ret; \
+ if (off) \
+ cap->NAME[0] = ~cap->NAME[0]; \
+ \
+ off = (tok[1][0] == '~') ? 1 : 0; \
+ if (sscanf(tok[1] + off, "%llx", &cap->NAME[1]) != 1) \
+ goto ret; \
+ if (off) \
+ cap->NAME[1] = ~cap->NAME[1]; \
+ }
+
+#define TOK_CPU(NAME) \
+ (sscanf(tok_begin, \
+ " %" STR(LEN) "s %" STR(LEN) "s ", \
+ tok[0], tok[1]) == 1 \
+ && !strcmp(tok[0], #NAME)) { \
+ memcpy(cap, &NAME, sizeof(*cap)); \
+ }
+
static sigjmp_buf ill_jmp;
static void ill_handler(int sig)
{
siglongjmp(ill_jmp, sig);
}
+static const char *env;
+static int parse_env(struct OPENSSL_s390xcap_st *cap);
+
void OPENSSL_s390x_facilities(void);
+void OPENSSL_s390x_functions(void);
void OPENSSL_vx_probe(void);
struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P;
Accepting request 980599 from home:jsikes:branches:security:tls Fixed CVE-2022-1292 and updated expired certificates. Enjoy! OBS-URL: https://build.opensuse.org/request/show/980599 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=111
2022-06-07 08:28:40 +02:00
@@ -33,6 +69,7 @@ void OPENSSL_cpuid_setup(void)
Accepting request 766865 from home:vitezslav_cizek:branches:security:tls Add million FIPS and s390 patches - Temporarily ignore broken OPENSSL_INIT_NO_ATEXIT due to our layered FIPS initialization * openssl-fips-ignore_broken_atexit_test.patch - Import FIPS patches from SLE-15 * openssl-fips-dont_run_FIPS_module_installed.patch * openssl-fips_mode.patch * openssl-ship_fips_standalone_hmac.patch * openssl-fips-clearerror.patch * openssl-fips-selftests_in_nonfips_mode.patch - Don't run FIPS power-up self-tests when the checksum files aren't installed (bsc#1042392) * add openssl-fips-run_selftests_only_when_module_is_complete.patch - Import FIPS patches from Fedora (bsc#1157702, jsc#SLE-9553) * openssl-1.1.1-fips-crng-test.patch * openssl-1.1.1-fips-post-rand.patch * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch * openssl-1.1.1-ssh-kdf.patch replaces openssl-jsc-SLE-8789-backport_KDF.patch - Support for CPACF enhancements - part 1 (crypto) [bsc#1152695, jsc#SLE-7861] - Add patches: * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch * openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch * openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch * openssl-s390xcpuid.pl-fix-comment.patch OBS-URL: https://build.opensuse.org/request/show/766865 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=51
2020-01-24 12:52:58 +01:00
{
sigset_t oset;
struct sigaction ill_act, oact_ill, oact_fpe;
+ struct OPENSSL_s390xcap_st cap;
if (OPENSSL_s390xcap_P.stfle[0])
return;
Accepting request 980599 from home:jsikes:branches:security:tls Fixed CVE-2022-1292 and updated expired certificates. Enjoy! OBS-URL: https://build.opensuse.org/request/show/980599 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=111
2022-06-07 08:28:40 +02:00
@@ -40,6 +77,12 @@ void OPENSSL_cpuid_setup(void)
Accepting request 766865 from home:vitezslav_cizek:branches:security:tls Add million FIPS and s390 patches - Temporarily ignore broken OPENSSL_INIT_NO_ATEXIT due to our layered FIPS initialization * openssl-fips-ignore_broken_atexit_test.patch - Import FIPS patches from SLE-15 * openssl-fips-dont_run_FIPS_module_installed.patch * openssl-fips_mode.patch * openssl-ship_fips_standalone_hmac.patch * openssl-fips-clearerror.patch * openssl-fips-selftests_in_nonfips_mode.patch - Don't run FIPS power-up self-tests when the checksum files aren't installed (bsc#1042392) * add openssl-fips-run_selftests_only_when_module_is_complete.patch - Import FIPS patches from Fedora (bsc#1157702, jsc#SLE-9553) * openssl-1.1.1-fips-crng-test.patch * openssl-1.1.1-fips-post-rand.patch * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch * openssl-1.1.1-ssh-kdf.patch replaces openssl-jsc-SLE-8789-backport_KDF.patch - Support for CPACF enhancements - part 1 (crypto) [bsc#1152695, jsc#SLE-7861] - Add patches: * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch * openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch * openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch * openssl-s390xcpuid.pl-fix-comment.patch OBS-URL: https://build.opensuse.org/request/show/766865 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=51
2020-01-24 12:52:58 +01:00
/* set a bit that will not be tested later */
OPENSSL_s390xcap_P.stfle[0] |= S390X_CAPBIT(0);
+ env = getenv("OPENSSL_s390xcap");
+ if (env != NULL) {
+ if (!parse_env(&cap))
+ env = NULL;
+ }
+
memset(&ill_act, 0, sizeof(ill_act));
ill_act.sa_handler = ill_handler;
sigfillset(&ill_act.sa_mask);
Accepting request 980599 from home:jsikes:branches:security:tls Fixed CVE-2022-1292 and updated expired certificates. Enjoy! OBS-URL: https://build.opensuse.org/request/show/980599 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=111
2022-06-07 08:28:40 +02:00
@@ -54,6 +97,12 @@ void OPENSSL_cpuid_setup(void)
Accepting request 766865 from home:vitezslav_cizek:branches:security:tls Add million FIPS and s390 patches - Temporarily ignore broken OPENSSL_INIT_NO_ATEXIT due to our layered FIPS initialization * openssl-fips-ignore_broken_atexit_test.patch - Import FIPS patches from SLE-15 * openssl-fips-dont_run_FIPS_module_installed.patch * openssl-fips_mode.patch * openssl-ship_fips_standalone_hmac.patch * openssl-fips-clearerror.patch * openssl-fips-selftests_in_nonfips_mode.patch - Don't run FIPS power-up self-tests when the checksum files aren't installed (bsc#1042392) * add openssl-fips-run_selftests_only_when_module_is_complete.patch - Import FIPS patches from Fedora (bsc#1157702, jsc#SLE-9553) * openssl-1.1.1-fips-crng-test.patch * openssl-1.1.1-fips-post-rand.patch * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch * openssl-1.1.1-ssh-kdf.patch replaces openssl-jsc-SLE-8789-backport_KDF.patch - Support for CPACF enhancements - part 1 (crypto) [bsc#1152695, jsc#SLE-7861] - Add patches: * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch * openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch * openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch * openssl-s390xcpuid.pl-fix-comment.patch OBS-URL: https://build.opensuse.org/request/show/766865 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=51
2020-01-24 12:52:58 +01:00
if (sigsetjmp(ill_jmp, 1) == 0)
OPENSSL_s390x_facilities();
+ if (env != NULL) {
+ OPENSSL_s390xcap_P.stfle[0] &= cap.stfle[0];
+ OPENSSL_s390xcap_P.stfle[1] &= cap.stfle[1];
+ OPENSSL_s390xcap_P.stfle[2] &= cap.stfle[2];
+ }
+
/* protection against disabled vector facility */
if ((OPENSSL_s390xcap_P.stfle[2] & S390X_CAPBIT(S390X_VX))
&& (sigsetjmp(ill_jmp, 1) == 0)) {
Accepting request 980599 from home:jsikes:branches:security:tls Fixed CVE-2022-1292 and updated expired certificates. Enjoy! OBS-URL: https://build.opensuse.org/request/show/980599 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=111
2022-06-07 08:28:40 +02:00
@@ -67,4 +116,470 @@ void OPENSSL_cpuid_setup(void)
Accepting request 766865 from home:vitezslav_cizek:branches:security:tls Add million FIPS and s390 patches - Temporarily ignore broken OPENSSL_INIT_NO_ATEXIT due to our layered FIPS initialization * openssl-fips-ignore_broken_atexit_test.patch - Import FIPS patches from SLE-15 * openssl-fips-dont_run_FIPS_module_installed.patch * openssl-fips_mode.patch * openssl-ship_fips_standalone_hmac.patch * openssl-fips-clearerror.patch * openssl-fips-selftests_in_nonfips_mode.patch - Don't run FIPS power-up self-tests when the checksum files aren't installed (bsc#1042392) * add openssl-fips-run_selftests_only_when_module_is_complete.patch - Import FIPS patches from Fedora (bsc#1157702, jsc#SLE-9553) * openssl-1.1.1-fips-crng-test.patch * openssl-1.1.1-fips-post-rand.patch * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch * openssl-1.1.1-ssh-kdf.patch replaces openssl-jsc-SLE-8789-backport_KDF.patch - Support for CPACF enhancements - part 1 (crypto) [bsc#1152695, jsc#SLE-7861] - Add patches: * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch * openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch * openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch * openssl-s390xcpuid.pl-fix-comment.patch OBS-URL: https://build.opensuse.org/request/show/766865 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=51
2020-01-24 12:52:58 +01:00
sigaction(SIGFPE, &oact_fpe, NULL);
sigaction(SIGILL, &oact_ill, NULL);
sigprocmask(SIG_SETMASK, &oset, NULL);
+
+ OPENSSL_s390x_functions();
+
+ if (env != NULL) {
+ OPENSSL_s390xcap_P.kimd[0] &= cap.kimd[0];
+ OPENSSL_s390xcap_P.kimd[1] &= cap.kimd[1];
+ OPENSSL_s390xcap_P.klmd[0] &= cap.klmd[0];
+ OPENSSL_s390xcap_P.klmd[1] &= cap.klmd[1];
+ OPENSSL_s390xcap_P.km[0] &= cap.km[0];
+ OPENSSL_s390xcap_P.km[1] &= cap.km[1];
+ OPENSSL_s390xcap_P.kmc[0] &= cap.kmc[0];
+ OPENSSL_s390xcap_P.kmc[1] &= cap.kmc[1];
+ OPENSSL_s390xcap_P.kmac[0] &= cap.kmac[0];
+ OPENSSL_s390xcap_P.kmac[1] &= cap.kmac[1];
+ OPENSSL_s390xcap_P.kmctr[0] &= cap.kmctr[0];
+ OPENSSL_s390xcap_P.kmctr[1] &= cap.kmctr[1];
+ OPENSSL_s390xcap_P.kmo[0] &= cap.kmo[0];
+ OPENSSL_s390xcap_P.kmo[1] &= cap.kmo[1];
+ OPENSSL_s390xcap_P.kmf[0] &= cap.kmf[0];
+ OPENSSL_s390xcap_P.kmf[1] &= cap.kmf[1];
+ OPENSSL_s390xcap_P.prno[0] &= cap.prno[0];
+ OPENSSL_s390xcap_P.prno[1] &= cap.prno[1];
+ OPENSSL_s390xcap_P.kma[0] &= cap.kma[0];
+ OPENSSL_s390xcap_P.kma[1] &= cap.kma[1];
+ }
+}
+
+static int parse_env(struct OPENSSL_s390xcap_st *cap)
+{
+ /*-
+ * CPU model data
+ * (only the STFLE- and QUERY-bits relevant to libcrypto are set)
+ */
+
+ /*-
+ * z900 (2000) - z/Architecture POP SA22-7832-00
+ * Facility detection would fail on real hw (no STFLE).
+ */
+ static const struct OPENSSL_s390xcap_st z900 = {
+ .stfle = {0ULL, 0ULL, 0ULL, 0ULL},
+ .kimd = {0ULL, 0ULL},
+ .klmd = {0ULL, 0ULL},
+ .km = {0ULL, 0ULL},
+ .kmc = {0ULL, 0ULL},
+ .kmac = {0ULL, 0ULL},
+ .kmctr = {0ULL, 0ULL},
+ .kmo = {0ULL, 0ULL},
+ .kmf = {0ULL, 0ULL},
+ .prno = {0ULL, 0ULL},
+ .kma = {0ULL, 0ULL},
+ };
+
+ /*-
+ * z990 (2003) - z/Architecture POP SA22-7832-02
+ * Implements MSA. Facility detection would fail on real hw (no STFLE).
+ */
+ static const struct OPENSSL_s390xcap_st z990 = {
+ .stfle = {S390X_CAPBIT(S390X_MSA),
+ 0ULL, 0ULL, 0ULL},
+ .kimd = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_SHA_1),
+ 0ULL},
+ .klmd = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_SHA_1),
+ 0ULL},
+ .km = {S390X_CAPBIT(S390X_QUERY),
+ 0ULL},
+ .kmc = {S390X_CAPBIT(S390X_QUERY),
+ 0ULL},
+ .kmac = {S390X_CAPBIT(S390X_QUERY),
+ 0ULL},
+ .kmctr = {0ULL, 0ULL},
+ .kmo = {0ULL, 0ULL},
+ .kmf = {0ULL, 0ULL},
+ .prno = {0ULL, 0ULL},
+ .kma = {0ULL, 0ULL},
+ };
+
+ /*-
+ * z9 (2005) - z/Architecture POP SA22-7832-04
+ * Implements MSA and MSA1.
+ */
+ static const struct OPENSSL_s390xcap_st z9 = {
+ .stfle = {S390X_CAPBIT(S390X_MSA)
+ | S390X_CAPBIT(S390X_STCKF),
+ 0ULL, 0ULL, 0ULL},
+ .kimd = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_SHA_1)
+ | S390X_CAPBIT(S390X_SHA_256),
+ 0ULL},
+ .klmd = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_SHA_1)
+ | S390X_CAPBIT(S390X_SHA_256),
+ 0ULL},
+ .km = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128),
+ 0ULL},
+ .kmc = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128),
+ 0ULL},
+ .kmac = {S390X_CAPBIT(S390X_QUERY),
+ 0ULL},
+ .kmctr = {0ULL, 0ULL},
+ .kmo = {0ULL, 0ULL},
+ .kmf = {0ULL, 0ULL},
+ .prno = {0ULL, 0ULL},
+ .kma = {0ULL, 0ULL},
+ };
+
+ /*-
+ * z10 (2008) - z/Architecture POP SA22-7832-06
+ * Implements MSA and MSA1-2.
+ */
+ static const struct OPENSSL_s390xcap_st z10 = {
+ .stfle = {S390X_CAPBIT(S390X_MSA)
+ | S390X_CAPBIT(S390X_STCKF),
+ 0ULL, 0ULL, 0ULL},
+ .kimd = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_SHA_1)
+ | S390X_CAPBIT(S390X_SHA_256)
+ | S390X_CAPBIT(S390X_SHA_512),
+ 0ULL},
+ .klmd = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_SHA_1)
+ | S390X_CAPBIT(S390X_SHA_256)
+ | S390X_CAPBIT(S390X_SHA_512),
+ 0ULL},
+ .km = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256),
+ 0ULL},
+ .kmc = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256),
+ 0ULL},
+ .kmac = {S390X_CAPBIT(S390X_QUERY),
+ 0ULL},
+ .kmctr = {0ULL, 0ULL},
+ .kmo = {0ULL, 0ULL},
+ .kmf = {0ULL, 0ULL},
+ .prno = {0ULL, 0ULL},
+ .kma = {0ULL, 0ULL},
+ };
+
+ /*-
+ * z196 (2010) - z/Architecture POP SA22-7832-08
+ * Implements MSA and MSA1-4.
+ */
+ static const struct OPENSSL_s390xcap_st z196 = {
+ .stfle = {S390X_CAPBIT(S390X_MSA)
+ | S390X_CAPBIT(S390X_STCKF),
+ S390X_CAPBIT(S390X_MSA3)
+ | S390X_CAPBIT(S390X_MSA4),
+ 0ULL, 0ULL},
+ .kimd = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_SHA_1)
+ | S390X_CAPBIT(S390X_SHA_256)
+ | S390X_CAPBIT(S390X_SHA_512),
+ S390X_CAPBIT(S390X_GHASH)},
+ .klmd = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_SHA_1)
+ | S390X_CAPBIT(S390X_SHA_256)
+ | S390X_CAPBIT(S390X_SHA_512),
+ 0ULL},
+ .km = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256)
+ | S390X_CAPBIT(S390X_XTS_AES_128)
+ | S390X_CAPBIT(S390X_XTS_AES_256),
+ 0ULL},
+ .kmc = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256),
+ 0ULL},
+ .kmac = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256),
+ 0ULL},
+ .kmctr = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256),
+ 0ULL},
+ .kmo = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256),
+ 0ULL},
+ .kmf = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256),
+ 0ULL},
+ .prno = {0ULL, 0ULL},
+ .kma = {0ULL, 0ULL},
+ };
+
+ /*-
+ * zEC12 (2012) - z/Architecture POP SA22-7832-09
+ * Implements MSA and MSA1-4.
+ */
+ static const struct OPENSSL_s390xcap_st zEC12 = {
+ .stfle = {S390X_CAPBIT(S390X_MSA)
+ | S390X_CAPBIT(S390X_STCKF),
+ S390X_CAPBIT(S390X_MSA3)
+ | S390X_CAPBIT(S390X_MSA4),
+ 0ULL, 0ULL},
+ .kimd = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_SHA_1)
+ | S390X_CAPBIT(S390X_SHA_256)
+ | S390X_CAPBIT(S390X_SHA_512),
+ S390X_CAPBIT(S390X_GHASH)},
+ .klmd = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_SHA_1)
+ | S390X_CAPBIT(S390X_SHA_256)
+ | S390X_CAPBIT(S390X_SHA_512),
+ 0ULL},
+ .km = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256)
+ | S390X_CAPBIT(S390X_XTS_AES_128)
+ | S390X_CAPBIT(S390X_XTS_AES_256),
+ 0ULL},
+ .kmc = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256),
+ 0ULL},
+ .kmac = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256),
+ 0ULL},
+ .kmctr = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256),
+ 0ULL},
+ .kmo = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256),
+ 0ULL},
+ .kmf = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256),
+ 0ULL},
+ .prno = {0ULL, 0ULL},
+ .kma = {0ULL, 0ULL},
+ };
+
+ /*-
+ * z13 (2015) - z/Architecture POP SA22-7832-10
+ * Implements MSA and MSA1-5.
+ */
+ static const struct OPENSSL_s390xcap_st z13 = {
+ .stfle = {S390X_CAPBIT(S390X_MSA)
+ | S390X_CAPBIT(S390X_STCKF)
+ | S390X_CAPBIT(S390X_MSA5),
+ S390X_CAPBIT(S390X_MSA3)
+ | S390X_CAPBIT(S390X_MSA4),
+ S390X_CAPBIT(S390X_VX),
+ 0ULL},
+ .kimd = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_SHA_1)
+ | S390X_CAPBIT(S390X_SHA_256)
+ | S390X_CAPBIT(S390X_SHA_512),
+ S390X_CAPBIT(S390X_GHASH)},
+ .klmd = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_SHA_1)
+ | S390X_CAPBIT(S390X_SHA_256)
+ | S390X_CAPBIT(S390X_SHA_512),
+ 0ULL},
+ .km = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256)
+ | S390X_CAPBIT(S390X_XTS_AES_128)
+ | S390X_CAPBIT(S390X_XTS_AES_256),
+ 0ULL},
+ .kmc = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256),
+ 0ULL},
+ .kmac = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256),
+ 0ULL},
+ .kmctr = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256),
+ 0ULL},
+ .kmo = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256),
+ 0ULL},
+ .kmf = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256),
+ 0ULL},
+ .prno = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_SHA_512_DRNG),
+ 0ULL},
+ .kma = {0ULL, 0ULL},
+ };
+
+ /*-
+ * z14 (2017) - z/Architecture POP SA22-7832-11
+ * Implements MSA and MSA1-8.
+ */
+ static const struct OPENSSL_s390xcap_st z14 = {
+ .stfle = {S390X_CAPBIT(S390X_MSA)
+ | S390X_CAPBIT(S390X_STCKF)
+ | S390X_CAPBIT(S390X_MSA5),
+ S390X_CAPBIT(S390X_MSA3)
+ | S390X_CAPBIT(S390X_MSA4),
+ S390X_CAPBIT(S390X_VX)
+ | S390X_CAPBIT(S390X_VXD)
+ | S390X_CAPBIT(S390X_VXE)
+ | S390X_CAPBIT(S390X_MSA8),
+ 0ULL},
+ .kimd = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_SHA_1)
+ | S390X_CAPBIT(S390X_SHA_256)
+ | S390X_CAPBIT(S390X_SHA_512)
+ | S390X_CAPBIT(S390X_SHA3_224)
+ | S390X_CAPBIT(S390X_SHA3_256)
+ | S390X_CAPBIT(S390X_SHA3_384)
+ | S390X_CAPBIT(S390X_SHA3_512)
+ | S390X_CAPBIT(S390X_SHAKE_128)
+ | S390X_CAPBIT(S390X_SHAKE_256),
+ S390X_CAPBIT(S390X_GHASH)},
+ .klmd = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_SHA_1)
+ | S390X_CAPBIT(S390X_SHA_256)
+ | S390X_CAPBIT(S390X_SHA_512)
+ | S390X_CAPBIT(S390X_SHA3_224)
+ | S390X_CAPBIT(S390X_SHA3_256)
+ | S390X_CAPBIT(S390X_SHA3_384)
+ | S390X_CAPBIT(S390X_SHA3_512)
+ | S390X_CAPBIT(S390X_SHAKE_128)
+ | S390X_CAPBIT(S390X_SHAKE_256),
+ 0ULL},
+ .km = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256)
+ | S390X_CAPBIT(S390X_XTS_AES_128)
+ | S390X_CAPBIT(S390X_XTS_AES_256),
+ 0ULL},
+ .kmc = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256),
+ 0ULL},
+ .kmac = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256),
+ 0ULL},
+ .kmctr = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256),
+ 0ULL},
+ .kmo = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256),
+ 0ULL},
+ .kmf = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256),
+ 0ULL},
+ .prno = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_SHA_512_DRNG),
+ S390X_CAPBIT(S390X_TRNG)},
+ .kma = {S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256),
+ 0ULL},
+ };
+
+ char *tok_begin, *tok_end, *buff, tok[S390X_STFLE_MAX][LEN + 1];
+ int rc, off, i, n;
+
+ buff = malloc(strlen(env) + 1);
+ if (buff == NULL)
+ return 0;
+
+ rc = 0;
+ memset(cap, ~0, sizeof(*cap));
+ strcpy(buff, env);
+
+ tok_begin = buff + strspn(buff, ";");
+ strtok(tok_begin, ";");
+ tok_end = strtok(NULL, ";");
+
+ while (tok_begin != NULL) {
+ /* stfle token */
+ if ((n = sscanf(tok_begin,
+ " stfle : %" STR(LEN) "[^:] : "
+ "%" STR(LEN) "[^:] : %" STR(LEN) "s ",
+ tok[0], tok[1], tok[2]))) {
+ for (i = 0; i < n; i++) {
+ off = (tok[i][0] == '~') ? 1 : 0;
+ if (sscanf(tok[i] + off, "%llx", &cap->stfle[i]) != 1)
+ goto ret;
+ if (off)
+ cap->stfle[i] = ~cap->stfle[i];
+ }
+ }
+
+ /* query function tokens */
+ else if TOK_FUNC(kimd)
+ else if TOK_FUNC(klmd)
+ else if TOK_FUNC(km)
+ else if TOK_FUNC(kmc)
+ else if TOK_FUNC(kmac)
+ else if TOK_FUNC(kmctr)
+ else if TOK_FUNC(kmo)
+ else if TOK_FUNC(kmf)
+ else if TOK_FUNC(prno)
+ else if TOK_FUNC(kma)
+
+ /* CPU model tokens */
+ else if TOK_CPU(z900)
+ else if TOK_CPU(z990)
+ else if TOK_CPU(z9)
+ else if TOK_CPU(z10)
+ else if TOK_CPU(z196)
+ else if TOK_CPU(zEC12)
+ else if TOK_CPU(z13)
+ else if TOK_CPU(z14)
+
+ /* whitespace(ignored) or invalid tokens */
+ else {
+ while (*tok_begin != '\0') {
+ if (!ossl_isspace(*tok_begin))
+ goto ret;
+ tok_begin++;
+ }
+ }
+
+ tok_begin = tok_end;
+ tok_end = strtok(NULL, ";");
+ }
+
+ rc = 1;
+ret:
+ free(buff);
+ return rc;
}
Accepting request 980599 from home:jsikes:branches:security:tls Fixed CVE-2022-1292 and updated expired certificates. Enjoy! OBS-URL: https://build.opensuse.org/request/show/980599 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=111
2022-06-07 08:28:40 +02:00
diff --git a/crypto/s390xcpuid.pl b/crypto/s390xcpuid.pl
index 5cbb962..3602301 100755
--- a/crypto/s390xcpuid.pl
+++ b/crypto/s390xcpuid.pl
Accepting request 766865 from home:vitezslav_cizek:branches:security:tls Add million FIPS and s390 patches - Temporarily ignore broken OPENSSL_INIT_NO_ATEXIT due to our layered FIPS initialization * openssl-fips-ignore_broken_atexit_test.patch - Import FIPS patches from SLE-15 * openssl-fips-dont_run_FIPS_module_installed.patch * openssl-fips_mode.patch * openssl-ship_fips_standalone_hmac.patch * openssl-fips-clearerror.patch * openssl-fips-selftests_in_nonfips_mode.patch - Don't run FIPS power-up self-tests when the checksum files aren't installed (bsc#1042392) * add openssl-fips-run_selftests_only_when_module_is_complete.patch - Import FIPS patches from Fedora (bsc#1157702, jsc#SLE-9553) * openssl-1.1.1-fips-crng-test.patch * openssl-1.1.1-fips-post-rand.patch * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch * openssl-1.1.1-ssh-kdf.patch replaces openssl-jsc-SLE-8789-backport_KDF.patch - Support for CPACF enhancements - part 1 (crypto) [bsc#1152695, jsc#SLE-7861] - Add patches: * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch * openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch * openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch * openssl-s390xcpuid.pl-fix-comment.patch OBS-URL: https://build.opensuse.org/request/show/766865 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=51
2020-01-24 12:52:58 +01:00
@@ -38,7 +38,26 @@ OPENSSL_s390x_facilities:
stg %r0,S390X_STFLE+8(%r4) # wipe capability vectors
stg %r0,S390X_STFLE+16(%r4)
stg %r0,S390X_STFLE+24(%r4)
- stg %r0,S390X_KIMD(%r4)
+
+ .long 0xb2b04000 # stfle 0(%r4)
+ brc 8,.Ldone
+ lghi %r0,1
+ .long 0xb2b04000 # stfle 0(%r4)
+ brc 8,.Ldone
+ lghi %r0,2
+ .long 0xb2b04000 # stfle 0(%r4)
+.Ldone:
+ br $ra
+.size OPENSSL_s390x_facilities,.-OPENSSL_s390x_facilities
+
+.globl OPENSSL_s390x_functions
+.type OPENSSL_s390x_functions,\@function
+.align 16
+OPENSSL_s390x_functions:
+ lghi %r0,0
+ larl %r4,OPENSSL_s390xcap_P
+
+ stg %r0,S390X_KIMD(%r4) # wipe capability vectors
stg %r0,S390X_KIMD+8(%r4)
stg %r0,S390X_KLMD(%r4)
stg %r0,S390X_KLMD+8(%r4)
@@ -59,14 +78,6 @@ OPENSSL_s390x_facilities:
stg %r0,S390X_KMA(%r4)
stg %r0,S390X_KMA+8(%r4)
- .long 0xb2b04000 # stfle 0(%r4)
- brc 8,.Ldone
- lghi %r0,1
- .long 0xb2b04000 # stfle 0(%r4)
- brc 8,.Ldone
- lghi %r0,2
- .long 0xb2b04000 # stfle 0(%r4)
-.Ldone:
lmg %r2,%r3,S390X_STFLE(%r4)
tmhl %r2,0x4000 # check for message-security-assist
jz .Lret
@@ -123,7 +134,7 @@ OPENSSL_s390x_facilities:
.Lret:
br $ra
-.size OPENSSL_s390x_facilities,.-OPENSSL_s390x_facilities
+.size OPENSSL_s390x_functions,.-OPENSSL_s390x_functions
.globl OPENSSL_rdtsc
.type OPENSSL_rdtsc,\@function
Reference in New Issue Copy Permalink