From 19bd1fa1ef17ff0ac071402cb6b002f1c29e37b9 Mon Sep 17 00:00:00 2001 From: Patrick Steuer Date: Thu, 19 Sep 2019 15:31:27 +0200 Subject: [PATCH] s390x assembly pack: accelerate X25519, X448, Ed25519 and Ed448 using PCC and KDSA instructions. Signed-off-by: Patrick Steuer Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/10004) --- CHANGES | 4 + crypto/dh/dh_pmeth.c | 14 +- crypto/dsa/dsa_pmeth.c | 7 +- crypto/ec/build.info | 2 +- crypto/ec/ec_curve.c | 12 +- crypto/ec/ec_local.h | 2 +- crypto/ec/ec_pmeth.c | 7 +- crypto/ec/ecx_meth.c | 672 +++++++++++++++++++++++++++++- crypto/err/openssl.txt | 6 + crypto/evp/pkey_kdf.c | 20 +- crypto/evp/pkey_mac.c | 28 +- crypto/evp/pmeth_lib.c | 65 +-- crypto/include/internal/evp_int.h | 37 +- crypto/rsa/rsa_pmeth.c | 14 +- crypto/s390x_arch.h | 11 + crypto/s390xcap.c | 12 +- crypto/s390xcpuid.pl | 56 +++ crypto/sm2/sm2_pmeth.c | 7 +- doc/man3/OPENSSL_s390xcap.pod | 8 + include/openssl/ecerr.h | 6 + 20 files changed, 914 insertions(+), 76 deletions(-) Index: openssl-1.1.1d/crypto/dh/dh_pmeth.c =================================================================== --- openssl-1.1.1d.orig/crypto/dh/dh_pmeth.c +++ openssl-1.1.1d/crypto/dh/dh_pmeth.c @@ -478,7 +478,7 @@ static int pkey_dh_derive(EVP_PKEY_CTX * return 0; } -const EVP_PKEY_METHOD dh_pkey_meth = { +static const EVP_PKEY_METHOD dh_pkey_meth = { EVP_PKEY_DH, EVP_PKEY_FLAG_FIPS, pkey_dh_init, @@ -512,7 +512,12 @@ const EVP_PKEY_METHOD dh_pkey_meth = { pkey_dh_ctrl_str }; -const EVP_PKEY_METHOD dhx_pkey_meth = { +const EVP_PKEY_METHOD *dh_pkey_method(void) +{ + return &dh_pkey_meth; +} + +static const EVP_PKEY_METHOD dhx_pkey_meth = { EVP_PKEY_DHX, EVP_PKEY_FLAG_FIPS, pkey_dh_init, @@ -545,3 +550,8 @@ const EVP_PKEY_METHOD dhx_pkey_meth = { pkey_dh_ctrl, pkey_dh_ctrl_str }; + +const EVP_PKEY_METHOD *dhx_pkey_method(void) +{ + return &dhx_pkey_meth; +} Index: openssl-1.1.1d/crypto/dsa/dsa_pmeth.c =================================================================== --- openssl-1.1.1d.orig/crypto/dsa/dsa_pmeth.c +++ openssl-1.1.1d/crypto/dsa/dsa_pmeth.c @@ -243,7 +243,7 @@ static int pkey_dsa_keygen(EVP_PKEY_CTX return DSA_generate_key(pkey->pkey.dsa); } -const EVP_PKEY_METHOD dsa_pkey_meth = { +static const EVP_PKEY_METHOD dsa_pkey_meth = { EVP_PKEY_DSA, EVP_PKEY_FLAG_AUTOARGLEN | EVP_PKEY_FLAG_FIPS, pkey_dsa_init, @@ -275,3 +275,8 @@ const EVP_PKEY_METHOD dsa_pkey_meth = { pkey_dsa_ctrl, pkey_dsa_ctrl_str }; + +const EVP_PKEY_METHOD *dsa_pkey_method(void) +{ + return &dsa_pkey_meth; +} Index: openssl-1.1.1d/crypto/ec/ec_curve.c =================================================================== --- openssl-1.1.1d.orig/crypto/ec/ec_curve.c +++ openssl-1.1.1d/crypto/ec/ec_curve.c @@ -2830,7 +2830,7 @@ static const ec_list_element curve_list[ "SECG curve over a 256 bit prime field"}, /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */ {NID_secp384r1, &_EC_NIST_PRIME_384.h, -# if defined(S390X_NISTP_ASM) +# if defined(S390X_EC_ASM) EC_GFp_s390x_nistp384_method, # else 0, @@ -2838,7 +2838,7 @@ static const ec_list_element curve_list[ "NIST/SECG curve over a 384 bit prime field"}, {NID_secp521r1, &_EC_NIST_PRIME_521.h, -# if defined(S390X_NISTP_ASM) +# if defined(S390X_EC_ASM) EC_GFp_s390x_nistp521_method, # elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128) EC_GFp_nistp521_method, @@ -2863,7 +2863,7 @@ static const ec_list_element curve_list[ {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, #if defined(ECP_NISTZ256_ASM) EC_GFp_nistz256_method, -# elif defined(S390X_NISTP_ASM) +# elif defined(S390X_EC_ASM) EC_GFp_s390x_nistp256_method, #elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128) EC_GFp_nistp256_method, Index: openssl-1.1.1d/crypto/ec/ec_local.h =================================================================== --- openssl-1.1.1d.orig/crypto/ec/ec_local.h +++ openssl-1.1.1d/crypto/ec/ec_local.h @@ -595,7 +595,7 @@ int ec_group_simple_order_bits(const EC_ */ const EC_METHOD *EC_GFp_nistz256_method(void); #endif -#ifdef S390X_NISTP_ASM +#ifdef S390X_EC_ASM const EC_METHOD *EC_GFp_s390x_nistp256_method(void); const EC_METHOD *EC_GFp_s390x_nistp384_method(void); const EC_METHOD *EC_GFp_s390x_nistp521_method(void); Index: openssl-1.1.1d/crypto/ec/ec_pmeth.c =================================================================== --- openssl-1.1.1d.orig/crypto/ec/ec_pmeth.c +++ openssl-1.1.1d/crypto/ec/ec_pmeth.c @@ -436,7 +436,7 @@ static int pkey_ec_keygen(EVP_PKEY_CTX * return ret ? EC_KEY_generate_key(ec) : 0; } -const EVP_PKEY_METHOD ec_pkey_meth = { +static const EVP_PKEY_METHOD ec_pkey_meth = { EVP_PKEY_EC, EVP_PKEY_FLAG_FIPS, pkey_ec_init, @@ -474,3 +474,8 @@ const EVP_PKEY_METHOD ec_pkey_meth = { pkey_ec_ctrl, pkey_ec_ctrl_str }; + +const EVP_PKEY_METHOD *ec_pkey_method(void) +{ + return &ec_pkey_meth; +} Index: openssl-1.1.1d/crypto/ec/ecx_meth.c =================================================================== --- openssl-1.1.1d.orig/crypto/ec/ecx_meth.c +++ openssl-1.1.1d/crypto/ec/ecx_meth.c @@ -715,7 +715,7 @@ static int pkey_ecx_ctrl(EVP_PKEY_CTX *c return -2; } -const EVP_PKEY_METHOD ecx25519_pkey_meth = { +static const EVP_PKEY_METHOD ecx25519_pkey_meth = { EVP_PKEY_X25519, 0, 0, 0, 0, 0, 0, 0, pkey_ecx_keygen, @@ -725,7 +725,7 @@ const EVP_PKEY_METHOD ecx25519_pkey_meth 0 }; -const EVP_PKEY_METHOD ecx448_pkey_meth = { +static const EVP_PKEY_METHOD ecx448_pkey_meth = { EVP_PKEY_X448, 0, 0, 0, 0, 0, 0, 0, pkey_ecx_keygen, @@ -818,7 +818,7 @@ static int pkey_ecd_ctrl(EVP_PKEY_CTX *c return -2; } -const EVP_PKEY_METHOD ed25519_pkey_meth = { +static const EVP_PKEY_METHOD ed25519_pkey_meth = { EVP_PKEY_ED25519, EVP_PKEY_FLAG_SIGCTX_CUSTOM, 0, 0, 0, 0, 0, 0, pkey_ecx_keygen, @@ -829,7 +829,7 @@ const EVP_PKEY_METHOD ed25519_pkey_meth pkey_ecd_digestverify25519 }; -const EVP_PKEY_METHOD ed448_pkey_meth = { +static const EVP_PKEY_METHOD ed448_pkey_meth = { EVP_PKEY_ED448, EVP_PKEY_FLAG_SIGCTX_CUSTOM, 0, 0, 0, 0, 0, 0, pkey_ecx_keygen, @@ -839,3 +839,667 @@ const EVP_PKEY_METHOD ed448_pkey_meth = pkey_ecd_digestsign448, pkey_ecd_digestverify448 }; + +#ifdef S390X_EC_ASM +# include "s390x_arch.h" + +static void s390x_x25519_mod_p(unsigned char u[32]) +{ + unsigned char u_red[32]; + unsigned int c = 0; + int i; + + memcpy(u_red, u, sizeof(u_red)); + + c += (unsigned int)u_red[31] + 19; + u_red[31] = (unsigned char)c; + c >>= 8; + + for (i = 30; c > 0 && i >= 0; i--) { + c += (unsigned int)u_red[i]; + u_red[i] = (unsigned char)c; + c >>= 8; + } + + if (u_red[0] & 0x80) { + u_red[0] &= 0x7f; + memcpy(u, u_red, sizeof(u_red)); + } +} + +static void s390x_x448_mod_p(unsigned char u[56]) +{ + unsigned char u_red[56]; + unsigned int c = 0; + int i; + + memcpy(u_red, u, sizeof(u_red)); + + c += (unsigned int)u_red[55] + 1; + u_red[55] = (unsigned char)c; + c >>= 8; + + for (i = 54; i >= 28; i--) { + c += (unsigned int)u_red[i]; + u_red[i] = (unsigned char)c; + c >>= 8; + } + + c += (unsigned int)u_red[27] + 1; + u_red[27] = (unsigned char)c; + c >>= 8; + + for (i = 26; c > 0 && i >= 0; i--) { + c += (unsigned int)u_red[i]; + u_red[i] = (unsigned char)c; + c >>= 8; + } + + if (u_red[0] & 0x80) { + u_red[0] &= 0x7f; + memcpy(u, u_red, sizeof(u_red)); + } +} + +static int s390x_x25519_mul(unsigned char u_dst[32], + const unsigned char u_src[32], + const unsigned char d_src[32]) +{ + union { + struct { + unsigned char u_dst[32]; + unsigned char u_src[32]; + unsigned char d_src[32]; + } x25519; + unsigned long long buff[512]; + } param; + int rc; + + memset(¶m, 0, sizeof(param)); + + s390x_flip_endian32(param.x25519.u_src, u_src); + param.x25519.u_src[0] &= 0x7f; + s390x_x25519_mod_p(param.x25519.u_src); + + s390x_flip_endian32(param.x25519.d_src, d_src); + param.x25519.d_src[31] &= 248; + param.x25519.d_src[0] &= 127; + param.x25519.d_src[0] |= 64; + + rc = s390x_pcc(S390X_SCALAR_MULTIPLY_X25519, ¶m.x25519) ? 0 : 1; + if (rc == 1) + s390x_flip_endian32(u_dst, param.x25519.u_dst); + + OPENSSL_cleanse(param.x25519.d_src, sizeof(param.x25519.d_src)); + return rc; +} + +static int s390x_x448_mul(unsigned char u_dst[56], + const unsigned char u_src[56], + const unsigned char d_src[56]) +{ + union { + struct { + unsigned char u_dst[64]; + unsigned char u_src[64]; + unsigned char d_src[64]; + } x448; + unsigned long long buff[512]; + } param; + int rc; + + memset(¶m, 0, sizeof(param)); + + memcpy(param.x448.u_src, u_src, 56); + memcpy(param.x448.d_src, d_src, 56); + + s390x_flip_endian64(param.x448.u_src, param.x448.u_src); + s390x_x448_mod_p(param.x448.u_src); + + s390x_flip_endian64(param.x448.d_src, param.x448.d_src); + param.x448.d_src[63] &= 252; + param.x448.d_src[8] |= 128; + + rc = s390x_pcc(S390X_SCALAR_MULTIPLY_X448, ¶m.x448) ? 0 : 1; + if (rc == 1) { + s390x_flip_endian64(param.x448.u_dst, param.x448.u_dst); + memcpy(u_dst, param.x448.u_dst, 56); + } + + OPENSSL_cleanse(param.x448.d_src, sizeof(param.x448.d_src)); + return rc; +} + +static int s390x_ed25519_mul(unsigned char x_dst[32], + unsigned char y_dst[32], + const unsigned char x_src[32], + const unsigned char y_src[32], + const unsigned char d_src[32]) +{ + union { + struct { + unsigned char x_dst[32]; + unsigned char y_dst[32]; + unsigned char x_src[32]; + unsigned char y_src[32]; + unsigned char d_src[32]; + } ed25519; + unsigned long long buff[512]; + } param; + int rc; + + memset(¶m, 0, sizeof(param)); + + s390x_flip_endian32(param.ed25519.x_src, x_src); + s390x_flip_endian32(param.ed25519.y_src, y_src); + s390x_flip_endian32(param.ed25519.d_src, d_src); + + rc = s390x_pcc(S390X_SCALAR_MULTIPLY_ED25519, ¶m.ed25519) ? 0 : 1; + if (rc == 1) { + s390x_flip_endian32(x_dst, param.ed25519.x_dst); + s390x_flip_endian32(y_dst, param.ed25519.y_dst); + } + + OPENSSL_cleanse(param.ed25519.d_src, sizeof(param.ed25519.d_src)); + return rc; +} + +static int s390x_ed448_mul(unsigned char x_dst[57], + unsigned char y_dst[57], + const unsigned char x_src[57], + const unsigned char y_src[57], + const unsigned char d_src[57]) +{ + union { + struct { + unsigned char x_dst[64]; + unsigned char y_dst[64]; + unsigned char x_src[64]; + unsigned char y_src[64]; + unsigned char d_src[64]; + } ed448; + unsigned long long buff[512]; + } param; + int rc; + + memset(¶m, 0, sizeof(param)); + + memcpy(param.ed448.x_src, x_src, 57); + memcpy(param.ed448.y_src, y_src, 57); + memcpy(param.ed448.d_src, d_src, 57); + s390x_flip_endian64(param.ed448.x_src, param.ed448.x_src); + s390x_flip_endian64(param.ed448.y_src, param.ed448.y_src); + s390x_flip_endian64(param.ed448.d_src, param.ed448.d_src); + + rc = s390x_pcc(S390X_SCALAR_MULTIPLY_ED448, ¶m.ed448) ? 0 : 1; + if (rc == 1) { + s390x_flip_endian64(param.ed448.x_dst, param.ed448.x_dst); + s390x_flip_endian64(param.ed448.y_dst, param.ed448.y_dst); + memcpy(x_dst, param.ed448.x_dst, 57); + memcpy(y_dst, param.ed448.y_dst, 57); + } + + OPENSSL_cleanse(param.ed448.d_src, sizeof(param.ed448.d_src)); + return rc; +} + +static int s390x_pkey_ecx_keygen25519(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) +{ + static const unsigned char generator[] = { + 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 + }; + ECX_KEY *key; + unsigned char *privkey = NULL, *pubkey; + + key = OPENSSL_zalloc(sizeof(*key)); + if (key == NULL) { + ECerr(EC_F_S390X_PKEY_ECX_KEYGEN25519, ERR_R_MALLOC_FAILURE); + goto err; + } + + pubkey = key->pubkey; + + privkey = key->privkey = OPENSSL_secure_malloc(X25519_KEYLEN); + if (privkey == NULL) { + ECerr(EC_F_S390X_PKEY_ECX_KEYGEN25519, ERR_R_MALLOC_FAILURE); + goto err; + } + + if (RAND_priv_bytes(privkey, X25519_KEYLEN) <= 0) + goto err; + + privkey[0] &= 248; + privkey[31] &= 127; + privkey[31] |= 64; + + if (s390x_x25519_mul(pubkey, generator, privkey) != 1) + goto err; + + EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, key); + return 1; + err: + OPENSSL_secure_clear_free(privkey, X25519_KEYLEN); + key->privkey = NULL; + OPENSSL_free(key); + return 0; +} + +static int s390x_pkey_ecx_keygen448(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) +{ + static const unsigned char generator[] = { + 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 + }; + ECX_KEY *key; + unsigned char *privkey = NULL, *pubkey; + + key = OPENSSL_zalloc(sizeof(*key)); + if (key == NULL) { + ECerr(EC_F_S390X_PKEY_ECX_KEYGEN448, ERR_R_MALLOC_FAILURE); + goto err; + } + + pubkey = key->pubkey; + + privkey = key->privkey = OPENSSL_secure_malloc(X448_KEYLEN); + if (privkey == NULL) { + ECerr(EC_F_S390X_PKEY_ECX_KEYGEN448, ERR_R_MALLOC_FAILURE); + goto err; + } + + if (RAND_priv_bytes(privkey, X448_KEYLEN) <= 0) + goto err; + + privkey[0] &= 252; + privkey[55] |= 128; + + if (s390x_x448_mul(pubkey, generator, privkey) != 1) + goto err; + + EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, key); + return 1; + err: + OPENSSL_secure_clear_free(privkey, X448_KEYLEN); + key->privkey = NULL; + OPENSSL_free(key); + return 0; +} + +static int s390x_pkey_ecd_keygen25519(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) +{ + static const unsigned char generator_x[] = { + 0x1a, 0xd5, 0x25, 0x8f, 0x60, 0x2d, 0x56, 0xc9, 0xb2, 0xa7, 0x25, 0x95, + 0x60, 0xc7, 0x2c, 0x69, 0x5c, 0xdc, 0xd6, 0xfd, 0x31, 0xe2, 0xa4, 0xc0, + 0xfe, 0x53, 0x6e, 0xcd, 0xd3, 0x36, 0x69, 0x21 + }; + static const unsigned char generator_y[] = { + 0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, + 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, + 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, + }; + unsigned char x_dst[32], buff[SHA512_DIGEST_LENGTH]; + ECX_KEY *key; + unsigned char *privkey = NULL, *pubkey; + + key = OPENSSL_zalloc(sizeof(*key)); + if (key == NULL) { + ECerr(EC_F_S390X_PKEY_ECD_KEYGEN25519, ERR_R_MALLOC_FAILURE); + goto err; + } + + pubkey = key->pubkey; + + privkey = key->privkey = OPENSSL_secure_malloc(ED25519_KEYLEN); + if (privkey == NULL) { + ECerr(EC_F_S390X_PKEY_ECD_KEYGEN25519, ERR_R_MALLOC_FAILURE); + goto err; + } + + if (RAND_priv_bytes(privkey, ED25519_KEYLEN) <= 0) + goto err; + + SHA512(privkey, 32, buff); + buff[0] &= 248; + buff[31] &= 63; + buff[31] |= 64; + + if (s390x_ed25519_mul(x_dst, pubkey, + generator_x, generator_y, buff) != 1) + goto err; + + pubkey[31] |= ((x_dst[0] & 0x01) << 7); + + EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, key); + return 1; + err: + OPENSSL_secure_clear_free(privkey, ED25519_KEYLEN); + key->privkey = NULL; + OPENSSL_free(key); + return 0; +} + +static int s390x_pkey_ecd_keygen448(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) +{ + static const unsigned char generator_x[] = { + 0x5e, 0xc0, 0x0c, 0xc7, 0x2b, 0xa8, 0x26, 0x26, 0x8e, 0x93, 0x00, 0x8b, + 0xe1, 0x80, 0x3b, 0x43, 0x11, 0x65, 0xb6, 0x2a, 0xf7, 0x1a, 0xae, 0x12, + 0x64, 0xa4, 0xd3, 0xa3, 0x24, 0xe3, 0x6d, 0xea, 0x67, 0x17, 0x0f, 0x47, + 0x70, 0x65, 0x14, 0x9e, 0xda, 0x36, 0xbf, 0x22, 0xa6, 0x15, 0x1d, 0x22, + 0xed, 0x0d, 0xed, 0x6b, 0xc6, 0x70, 0x19, 0x4f, 0x00 + }; + static const unsigned char generator_y[] = { + 0x14, 0xfa, 0x30, 0xf2, 0x5b, 0x79, 0x08, 0x98, 0xad, 0xc8, 0xd7, 0x4e, + 0x2c, 0x13, 0xbd, 0xfd, 0xc4, 0x39, 0x7c, 0xe6, 0x1c, 0xff, 0xd3, 0x3a, + 0xd7, 0xc2, 0xa0, 0x05, 0x1e, 0x9c, 0x78, 0x87, 0x40, 0x98, 0xa3, 0x6c, + 0x73, 0x73, 0xea, 0x4b, 0x62, 0xc7, 0xc9, 0x56, 0x37, 0x20, 0x76, 0x88, + 0x24, 0xbc, 0xb6, 0x6e, 0x71, 0x46, 0x3f, 0x69, 0x00 + }; + unsigned char x_dst[57], buff[114]; + ECX_KEY *key; + unsigned char *privkey = NULL, *pubkey; + EVP_MD_CTX *hashctx = NULL; + + key = OPENSSL_zalloc(sizeof(*key)); + if (key == NULL) { + ECerr(EC_F_S390X_PKEY_ECD_KEYGEN448, ERR_R_MALLOC_FAILURE); + goto err; + } + + pubkey = key->pubkey; + + privkey = key->privkey = OPENSSL_secure_malloc(ED448_KEYLEN); + if (privkey == NULL) { + ECerr(EC_F_S390X_PKEY_ECD_KEYGEN448, ERR_R_MALLOC_FAILURE); + goto err; + } + + if (RAND_priv_bytes(privkey, ED448_KEYLEN) <= 0) + goto err; + + hashctx = EVP_MD_CTX_new(); + if (hashctx == NULL) + goto err; + if (EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL) != 1) + goto err; + if (EVP_DigestUpdate(hashctx, privkey, 57) != 1) + goto err; + if (EVP_DigestFinalXOF(hashctx, buff, sizeof(buff)) != 1) + goto err; + + buff[0] &= -4; + buff[55] |= 0x80; + buff[56] = 0; + + if (s390x_ed448_mul(x_dst, pubkey, + generator_x, generator_y, buff) != 1) + goto err; + + pubkey[56] |= ((x_dst[0] & 0x01) << 7); + + EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, key); + EVP_MD_CTX_free(hashctx); + return 1; + err: + OPENSSL_secure_clear_free(privkey, ED448_KEYLEN); + key->privkey = NULL; + OPENSSL_free(key); + EVP_MD_CTX_free(hashctx); + return 0; +} + +static int s390x_pkey_ecx_derive25519(EVP_PKEY_CTX *ctx, unsigned char *key, + size_t *keylen) +{ + const unsigned char *privkey, *pubkey; + + if (!validate_ecx_derive(ctx, key, keylen, &privkey, &pubkey)) + return 0; + + if (key != NULL) + return s390x_x25519_mul(key, pubkey, privkey); + + *keylen = X25519_KEYLEN; + return 1; +} + +static int s390x_pkey_ecx_derive448(EVP_PKEY_CTX *ctx, unsigned char *key, + size_t *keylen) +{ + const unsigned char *privkey, *pubkey; + + if (!validate_ecx_derive(ctx, key, keylen, &privkey, &pubkey)) + return 0; + + if (key != NULL) + return s390x_x448_mul(key, pubkey, privkey); + + *keylen = X448_KEYLEN; + return 1; +} + +static int s390x_pkey_ecd_digestsign25519(EVP_MD_CTX *ctx, + unsigned char *sig, size_t *siglen, + const unsigned char *tbs, + size_t tbslen) +{ + union { + struct { + unsigned char sig[64]; + unsigned char priv[32]; + } ed25519; + unsigned long long buff[512]; + } param; + const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx; + int rc; + + if (sig == NULL) { + *siglen = ED25519_SIGSIZE; + return 1; + } + + if (*siglen < ED25519_SIGSIZE) { + ECerr(EC_F_S390X_PKEY_ECD_DIGESTSIGN25519, EC_R_BUFFER_TOO_SMALL); + return 0; + } + + memset(¶m, 0, sizeof(param)); + memcpy(param.ed25519.priv, edkey->privkey, sizeof(param.ed25519.priv)); + + rc = s390x_kdsa(S390X_EDDSA_SIGN_ED25519, ¶m.ed25519, tbs, tbslen); + OPENSSL_cleanse(param.ed25519.priv, sizeof(param.ed25519.priv)); + if (rc != 0) + return 0; + + s390x_flip_endian32(sig, param.ed25519.sig); + s390x_flip_endian32(sig + 32, param.ed25519.sig + 32); + + *siglen = ED25519_SIGSIZE; + return 1; +} + +static int s390x_pkey_ecd_digestsign448(EVP_MD_CTX *ctx, + unsigned char *sig, size_t *siglen, + const unsigned char *tbs, + size_t tbslen) +{ + union { + struct { + unsigned char sig[128]; + unsigned char priv[64]; + } ed448; + unsigned long long buff[512]; + } param; + const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx; + int rc; + + if (sig == NULL) { + *siglen = ED448_SIGSIZE; + return 1; + } + + if (*siglen < ED448_SIGSIZE) { + ECerr(EC_F_S390X_PKEY_ECD_DIGESTSIGN448, EC_R_BUFFER_TOO_SMALL); + return 0; + } + + memset(¶m, 0, sizeof(param)); + memcpy(param.ed448.priv + 64 - 57, edkey->privkey, 57); + + rc = s390x_kdsa(S390X_EDDSA_SIGN_ED448, ¶m.ed448, tbs, tbslen); + OPENSSL_cleanse(param.ed448.priv, sizeof(param.ed448.priv)); + if (rc != 0) + return 0; + + s390x_flip_endian64(param.ed448.sig, param.ed448.sig); + s390x_flip_endian64(param.ed448.sig + 64, param.ed448.sig + 64); + memcpy(sig, param.ed448.sig, 57); + memcpy(sig + 57, param.ed448.sig + 64, 57); + + *siglen = ED448_SIGSIZE; + return 1; +} + +static int s390x_pkey_ecd_digestverify25519(EVP_MD_CTX *ctx, + const unsigned char *sig, + size_t siglen, + const unsigned char *tbs, + size_t tbslen) +{ + union { + struct { + unsigned char sig[64]; + unsigned char pub[32]; + } ed25519; + unsigned long long buff[512]; + } param; + const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx; + + if (siglen != ED25519_SIGSIZE) + return 0; + + memset(¶m, 0, sizeof(param)); + s390x_flip_endian32(param.ed25519.sig, sig); + s390x_flip_endian32(param.ed25519.sig + 32, sig + 32); + s390x_flip_endian32(param.ed25519.pub, edkey->pubkey); + + return s390x_kdsa(S390X_EDDSA_VERIFY_ED25519, + ¶m.ed25519, tbs, tbslen) == 0 ? 1 : 0; +} + +static int s390x_pkey_ecd_digestverify448(EVP_MD_CTX *ctx, + const unsigned char *sig, + size_t siglen, + const unsigned char *tbs, + size_t tbslen) +{ + union { + struct { + unsigned char sig[128]; + unsigned char pub[64]; + } ed448; + unsigned long long buff[512]; + } param; + const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx; + + if (siglen != ED448_SIGSIZE) + return 0; + + memset(¶m, 0, sizeof(param)); + memcpy(param.ed448.sig, sig, 57); + s390x_flip_endian64(param.ed448.sig, param.ed448.sig); + memcpy(param.ed448.sig + 64, sig + 57, 57); + s390x_flip_endian64(param.ed448.sig + 64, param.ed448.sig + 64); + memcpy(param.ed448.pub, edkey->pubkey, 57); + s390x_flip_endian64(param.ed448.pub, param.ed448.pub); + + return s390x_kdsa(S390X_EDDSA_VERIFY_ED448, + ¶m.ed448, tbs, tbslen) == 0 ? 1 : 0; +} + +static const EVP_PKEY_METHOD ecx25519_s390x_pkey_meth = { + EVP_PKEY_X25519, + 0, 0, 0, 0, 0, 0, 0, + s390x_pkey_ecx_keygen25519, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + s390x_pkey_ecx_derive25519, + pkey_ecx_ctrl, + 0 +}; + +static const EVP_PKEY_METHOD ecx448_s390x_pkey_meth = { + EVP_PKEY_X448, + 0, 0, 0, 0, 0, 0, 0, + s390x_pkey_ecx_keygen448, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + s390x_pkey_ecx_derive448, + pkey_ecx_ctrl, + 0 +}; +static const EVP_PKEY_METHOD ed25519_s390x_pkey_meth = { + EVP_PKEY_ED25519, EVP_PKEY_FLAG_SIGCTX_CUSTOM, + 0, 0, 0, 0, 0, 0, + s390x_pkey_ecd_keygen25519, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + pkey_ecd_ctrl, + 0, + s390x_pkey_ecd_digestsign25519, + s390x_pkey_ecd_digestverify25519 +}; + +static const EVP_PKEY_METHOD ed448_s390x_pkey_meth = { + EVP_PKEY_ED448, EVP_PKEY_FLAG_SIGCTX_CUSTOM, + 0, 0, 0, 0, 0, 0, + s390x_pkey_ecd_keygen448, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + pkey_ecd_ctrl, + 0, + s390x_pkey_ecd_digestsign448, + s390x_pkey_ecd_digestverify448 +}; +#endif + +const EVP_PKEY_METHOD *ecx25519_pkey_method(void) +{ +#ifdef S390X_EC_ASM + if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_X25519)) + return &ecx25519_s390x_pkey_meth; +#endif + return &ecx25519_pkey_meth; +} + +const EVP_PKEY_METHOD *ecx448_pkey_method(void) +{ +#ifdef S390X_EC_ASM + if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_X448)) + return &ecx448_s390x_pkey_meth; +#endif + return &ecx448_pkey_meth; +} + +const EVP_PKEY_METHOD *ed25519_pkey_method(void) +{ +#ifdef S390X_EC_ASM + if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_ED25519) + && OPENSSL_s390xcap_P.kdsa[0] & S390X_CAPBIT(S390X_EDDSA_SIGN_ED25519) + && OPENSSL_s390xcap_P.kdsa[0] + & S390X_CAPBIT(S390X_EDDSA_VERIFY_ED25519)) + return &ed25519_s390x_pkey_meth; +#endif + return &ed25519_pkey_meth; +} + +const EVP_PKEY_METHOD *ed448_pkey_method(void) +{ +#ifdef S390X_EC_ASM + if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_ED448) + && OPENSSL_s390xcap_P.kdsa[0] & S390X_CAPBIT(S390X_EDDSA_SIGN_ED448) + && OPENSSL_s390xcap_P.kdsa[0] & S390X_CAPBIT(S390X_EDDSA_VERIFY_ED448)) + return &ed448_s390x_pkey_meth; +#endif + return &ed448_pkey_meth; +} Index: openssl-1.1.1d/crypto/err/openssl.txt =================================================================== --- openssl-1.1.1d.orig/crypto/err/openssl.txt +++ openssl-1.1.1d/crypto/err/openssl.txt @@ -678,6 +678,12 @@ EC_F_PKEY_EC_KDF_DERIVE:283:pkey_ec_kdf_ EC_F_PKEY_EC_KEYGEN:199:pkey_ec_keygen EC_F_PKEY_EC_PARAMGEN:219:pkey_ec_paramgen EC_F_PKEY_EC_SIGN:218:pkey_ec_sign +EC_F_S390X_PKEY_ECD_DIGESTSIGN25519:303:s390x_pkey_ecd_digestsign25519 +EC_F_S390X_PKEY_ECD_DIGESTSIGN448:304:s390x_pkey_ecd_digestsign448 +EC_F_S390X_PKEY_ECD_KEYGEN25519:305:s390x_pkey_ecd_keygen25519 +EC_F_S390X_PKEY_ECD_KEYGEN448:306:s390x_pkey_ecd_keygen448 +EC_F_S390X_PKEY_ECX_KEYGEN25519:307:s390x_pkey_ecx_keygen25519 +EC_F_S390X_PKEY_ECX_KEYGEN448:308:s390x_pkey_ecx_keygen448 EC_F_VALIDATE_ECX_DERIVE:278:validate_ecx_derive ENGINE_F_DIGEST_UPDATE:198:digest_update ENGINE_F_DYNAMIC_CTRL:180:dynamic_ctrl Index: openssl-1.1.1d/crypto/evp/pkey_kdf.c =================================================================== --- openssl-1.1.1d.orig/crypto/evp/pkey_kdf.c +++ openssl-1.1.1d/crypto/evp/pkey_kdf.c @@ -162,7 +162,7 @@ static int pkey_kdf_derive(EVP_PKEY_CTX } #ifndef OPENSSL_NO_SCRYPT -const EVP_PKEY_METHOD scrypt_pkey_meth = { +static const EVP_PKEY_METHOD scrypt_pkey_meth = { EVP_PKEY_SCRYPT, 0, pkey_kdf_init, @@ -191,9 +191,14 @@ const EVP_PKEY_METHOD scrypt_pkey_meth = pkey_kdf_ctrl, pkey_kdf_ctrl_str }; + +const EVP_PKEY_METHOD *scrypt_pkey_method(void) +{ + return &scrypt_pkey_meth; +} #endif -const EVP_PKEY_METHOD tls1_prf_pkey_meth = { +static const EVP_PKEY_METHOD tls1_prf_pkey_meth = { EVP_PKEY_TLS1_PRF, EVP_PKEY_FLAG_FIPS, pkey_kdf_init, @@ -223,7 +228,12 @@ const EVP_PKEY_METHOD tls1_prf_pkey_meth pkey_kdf_ctrl_str }; -const EVP_PKEY_METHOD hkdf_pkey_meth = { +const EVP_PKEY_METHOD *tls1_prf_pkey_method(void) +{ + return &tls1_prf_pkey_meth; +} + +static const EVP_PKEY_METHOD hkdf_pkey_meth = { EVP_PKEY_HKDF, EVP_PKEY_FLAG_FIPS, pkey_kdf_init, @@ -253,3 +263,7 @@ const EVP_PKEY_METHOD hkdf_pkey_meth = { pkey_kdf_ctrl_str }; +const EVP_PKEY_METHOD *hkdf_pkey_method(void) +{ + return &hkdf_pkey_meth; +} Index: openssl-1.1.1d/crypto/evp/pmeth_lib.c =================================================================== --- openssl-1.1.1d.orig/crypto/evp/pmeth_lib.c +++ openssl-1.1.1d/crypto/evp/pmeth_lib.c @@ -17,60 +17,67 @@ #include "crypto/evp.h" #include "internal/numbers.h" +typedef const EVP_PKEY_METHOD *(*pmeth_fn)(void); typedef int sk_cmp_fn_type(const char *const *a, const char *const *b); static STACK_OF(EVP_PKEY_METHOD) *app_pkey_methods = NULL; /* This array needs to be in order of NIDs */ -static const EVP_PKEY_METHOD *standard_methods[] = { +static pmeth_fn standard_methods[] = { #ifndef OPENSSL_NO_RSA - &rsa_pkey_meth, + rsa_pkey_method, #endif #ifndef OPENSSL_NO_DH - &dh_pkey_meth, + dh_pkey_method, #endif #ifndef OPENSSL_NO_DSA - &dsa_pkey_meth, + dsa_pkey_method, #endif #ifndef OPENSSL_NO_EC - &ec_pkey_meth, + ec_pkey_method, #endif - &hmac_pkey_meth, + hmac_pkey_method, #ifndef OPENSSL_NO_CMAC - &cmac_pkey_meth, + cmac_pkey_method, #endif #ifndef OPENSSL_NO_RSA - &rsa_pss_pkey_meth, + rsa_pss_pkey_method, #endif #ifndef OPENSSL_NO_DH - &dhx_pkey_meth, + dhx_pkey_method, #endif #ifndef OPENSSL_NO_SCRYPT - &scrypt_pkey_meth, + scrypt_pkey_method, #endif - &tls1_prf_pkey_meth, + tls1_prf_pkey_method, #ifndef OPENSSL_NO_EC - &ecx25519_pkey_meth, - &ecx448_pkey_meth, + ecx25519_pkey_method, + ecx448_pkey_method, #endif - &hkdf_pkey_meth, + hkdf_pkey_method, #ifndef OPENSSL_NO_POLY1305 - &poly1305_pkey_meth, + poly1305_pkey_method, #endif #ifndef OPENSSL_NO_SIPHASH - &siphash_pkey_meth, + siphash_pkey_method, #endif #ifndef OPENSSL_NO_EC - &ed25519_pkey_meth, - &ed448_pkey_meth, + ed25519_pkey_method, + ed448_pkey_method, #endif #ifndef OPENSSL_NO_SM2 - &sm2_pkey_meth, + sm2_pkey_method, #endif }; -DECLARE_OBJ_BSEARCH_CMP_FN(const EVP_PKEY_METHOD *, const EVP_PKEY_METHOD *, - pmeth); +DECLARE_OBJ_BSEARCH_CMP_FN(const EVP_PKEY_METHOD *, pmeth_fn, pmeth_func); + +static int pmeth_func_cmp(const EVP_PKEY_METHOD *const *a, pmeth_fn const *b) +{ + return ((*a)->pkey_id - ((**b)())->pkey_id); +} + +IMPLEMENT_OBJ_BSEARCH_CMP_FN(const EVP_PKEY_METHOD *, pmeth_fn, pmeth_func); static int pmeth_cmp(const EVP_PKEY_METHOD *const *a, const EVP_PKEY_METHOD *const *b) @@ -78,13 +85,11 @@ static int pmeth_cmp(const EVP_PKEY_METH return ((*a)->pkey_id - (*b)->pkey_id); } -IMPLEMENT_OBJ_BSEARCH_CMP_FN(const EVP_PKEY_METHOD *, const EVP_PKEY_METHOD *, - pmeth); - const EVP_PKEY_METHOD *EVP_PKEY_meth_find(int type) { + pmeth_fn *ret; EVP_PKEY_METHOD tmp; - const EVP_PKEY_METHOD *t = &tmp, **ret; + const EVP_PKEY_METHOD *t = &tmp; tmp.pkey_id = type; if (app_pkey_methods) { int idx; @@ -92,12 +97,12 @@ const EVP_PKEY_METHOD *EVP_PKEY_meth_fin if (idx >= 0) return sk_EVP_PKEY_METHOD_value(app_pkey_methods, idx); } - ret = OBJ_bsearch_pmeth(&t, standard_methods, - sizeof(standard_methods) / - sizeof(EVP_PKEY_METHOD *)); + ret = OBJ_bsearch_pmeth_func(&t, standard_methods, + sizeof(standard_methods) / + sizeof(pmeth_fn)); if (!ret || !*ret) return NULL; - return *ret; + return (**ret)(); } static EVP_PKEY_CTX *int_ctx_new(EVP_PKEY *pkey, ENGINE *e, int id) @@ -348,7 +353,7 @@ size_t EVP_PKEY_meth_get_count(void) const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx) { if (idx < OSSL_NELEM(standard_methods)) - return standard_methods[idx]; + return (standard_methods[idx])(); if (app_pkey_methods == NULL) return NULL; idx -= OSSL_NELEM(standard_methods); Index: openssl-1.1.1d/include/crypto/evp.h =================================================================== --- openssl-1.1.1d.orig/include/crypto/evp.h +++ openssl-1.1.1d/include/crypto/evp.h @@ -93,24 +93,24 @@ DEFINE_STACK_OF_CONST(EVP_PKEY_METHOD) void evp_pkey_set_cb_translate(BN_GENCB *cb, EVP_PKEY_CTX *ctx); -extern const EVP_PKEY_METHOD cmac_pkey_meth; -extern const EVP_PKEY_METHOD dh_pkey_meth; -extern const EVP_PKEY_METHOD dhx_pkey_meth; -extern const EVP_PKEY_METHOD dsa_pkey_meth; -extern const EVP_PKEY_METHOD ec_pkey_meth; -extern const EVP_PKEY_METHOD sm2_pkey_meth; -extern const EVP_PKEY_METHOD ecx25519_pkey_meth; -extern const EVP_PKEY_METHOD ecx448_pkey_meth; -extern const EVP_PKEY_METHOD ed25519_pkey_meth; -extern const EVP_PKEY_METHOD ed448_pkey_meth; -extern const EVP_PKEY_METHOD hmac_pkey_meth; -extern const EVP_PKEY_METHOD rsa_pkey_meth; -extern const EVP_PKEY_METHOD rsa_pss_pkey_meth; -extern const EVP_PKEY_METHOD scrypt_pkey_meth; -extern const EVP_PKEY_METHOD tls1_prf_pkey_meth; -extern const EVP_PKEY_METHOD hkdf_pkey_meth; -extern const EVP_PKEY_METHOD poly1305_pkey_meth; -extern const EVP_PKEY_METHOD siphash_pkey_meth; +const EVP_PKEY_METHOD *cmac_pkey_method(void); +const EVP_PKEY_METHOD *dh_pkey_method(void); +const EVP_PKEY_METHOD *dhx_pkey_method(void); +const EVP_PKEY_METHOD *dsa_pkey_method(void); +const EVP_PKEY_METHOD *ec_pkey_method(void); +const EVP_PKEY_METHOD *sm2_pkey_method(void); +const EVP_PKEY_METHOD *ecx25519_pkey_method(void); +const EVP_PKEY_METHOD *ecx448_pkey_method(void); +const EVP_PKEY_METHOD *ed25519_pkey_method(void); +const EVP_PKEY_METHOD *ed448_pkey_method(void); +const EVP_PKEY_METHOD *hmac_pkey_method(void); +const EVP_PKEY_METHOD *rsa_pkey_method(void); +const EVP_PKEY_METHOD *rsa_pss_pkey_method(void); +const EVP_PKEY_METHOD *scrypt_pkey_method(void); +const EVP_PKEY_METHOD *tls1_prf_pkey_method(void); +const EVP_PKEY_METHOD *hkdf_pkey_method(void); +const EVP_PKEY_METHOD *poly1305_pkey_method(void); +const EVP_PKEY_METHOD *siphash_pkey_method(void); /* struct evp_kdf_impl_st is defined by the implementation */ typedef struct evp_kdf_impl_st EVP_KDF_IMPL; @@ -396,6 +396,7 @@ const EVP_CIPHER *EVP_##cname##_ecb(void #define X25519_KEYLEN 32 #define X448_KEYLEN 56 +#define ED25519_KEYLEN 32 #define ED448_KEYLEN 57 #define MAX_KEYLEN ED448_KEYLEN Index: openssl-1.1.1d/crypto/rsa/rsa_pmeth.c =================================================================== --- openssl-1.1.1d.orig/crypto/rsa/rsa_pmeth.c +++ openssl-1.1.1d/crypto/rsa/rsa_pmeth.c @@ -754,7 +754,7 @@ static int pkey_rsa_keygen(EVP_PKEY_CTX return ret; } -const EVP_PKEY_METHOD rsa_pkey_meth = { +static const EVP_PKEY_METHOD rsa_pkey_meth = { EVP_PKEY_RSA, EVP_PKEY_FLAG_AUTOARGLEN | EVP_PKEY_FLAG_FIPS, pkey_rsa_init, @@ -789,6 +789,11 @@ const EVP_PKEY_METHOD rsa_pkey_meth = { pkey_rsa_ctrl_str }; +const EVP_PKEY_METHOD *rsa_pkey_method(void) +{ + return &rsa_pkey_meth; +} + /* * Called for PSS sign or verify initialisation: checks PSS parameter * sanity and sets any restrictions on key usage. @@ -836,7 +841,7 @@ static int pkey_pss_init(EVP_PKEY_CTX *c return 1; } -const EVP_PKEY_METHOD rsa_pss_pkey_meth = { +static const EVP_PKEY_METHOD rsa_pss_pkey_meth = { EVP_PKEY_RSA_PSS, EVP_PKEY_FLAG_AUTOARGLEN | EVP_PKEY_FLAG_FIPS, pkey_rsa_init, @@ -859,3 +864,8 @@ const EVP_PKEY_METHOD rsa_pss_pkey_meth pkey_rsa_ctrl, pkey_rsa_ctrl_str }; + +const EVP_PKEY_METHOD *rsa_pss_pkey_method(void) +{ + return &rsa_pss_pkey_meth; +} Index: openssl-1.1.1d/crypto/s390x_arch.h =================================================================== --- openssl-1.1.1d.orig/crypto/s390x_arch.h +++ openssl-1.1.1d/crypto/s390x_arch.h @@ -30,6 +30,9 @@ int s390x_pcc(unsigned int fc, void *par int s390x_kdsa(unsigned int fc, void *param, const unsigned char *in, size_t len); +void s390x_flip_endian32(unsigned char dst[32], const unsigned char src[32]); +void s390x_flip_endian64(unsigned char dst[64], const unsigned char src[64]); + /* * The field elements of OPENSSL_s390xcap_P are the 64-bit words returned by * the STFLE instruction followed by the 64-bit word pairs returned by @@ -123,6 +126,10 @@ extern struct OPENSSL_s390xcap_st OPENSS # define S390X_SCALAR_MULTIPLY_P256 64 # define S390X_SCALAR_MULTIPLY_P384 65 # define S390X_SCALAR_MULTIPLY_P521 66 +# define S390X_SCALAR_MULTIPLY_ED25519 72 +# define S390X_SCALAR_MULTIPLY_ED448 73 +# define S390X_SCALAR_MULTIPLY_X25519 80 +# define S390X_SCALAR_MULTIPLY_X448 81 /* kdsa */ # define S390X_ECDSA_VERIFY_P256 1 @@ -131,6 +138,10 @@ extern struct OPENSSL_s390xcap_st OPENSS # define S390X_ECDSA_SIGN_P256 9 # define S390X_ECDSA_SIGN_P384 10 # define S390X_ECDSA_SIGN_P521 11 +# define S390X_EDDSA_VERIFY_ED25519 32 +# define S390X_EDDSA_VERIFY_ED448 36 +# define S390X_EDDSA_SIGN_ED25519 40 +# define S390X_EDDSA_SIGN_ED448 44 /* Register 0 Flags */ # define S390X_DECRYPT 0x80 Index: openssl-1.1.1d/crypto/s390xcap.c =================================================================== --- openssl-1.1.1d.orig/crypto/s390xcap.c +++ openssl-1.1.1d/crypto/s390xcap.c @@ -615,14 +615,22 @@ static int parse_env(struct OPENSSL_s390 /*.pcc = */{S390X_CAPBIT(S390X_QUERY), S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P256) | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P384) - | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P521)}, + | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P521) + | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_ED25519) + | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_ED448) + | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_X25519) + | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_X448)}, /*.kdsa = */{S390X_CAPBIT(S390X_QUERY) | S390X_CAPBIT(S390X_ECDSA_VERIFY_P256) | S390X_CAPBIT(S390X_ECDSA_VERIFY_P384) | S390X_CAPBIT(S390X_ECDSA_VERIFY_P521) | S390X_CAPBIT(S390X_ECDSA_SIGN_P256) | S390X_CAPBIT(S390X_ECDSA_SIGN_P384) - | S390X_CAPBIT(S390X_ECDSA_SIGN_P521), + | S390X_CAPBIT(S390X_ECDSA_SIGN_P521) + | S390X_CAPBIT(S390X_EDDSA_VERIFY_ED25519) + | S390X_CAPBIT(S390X_EDDSA_VERIFY_ED448) + | S390X_CAPBIT(S390X_EDDSA_SIGN_ED25519) + | S390X_CAPBIT(S390X_EDDSA_SIGN_ED448), 0ULL}, }; Index: openssl-1.1.1d/crypto/s390xcpuid.pl =================================================================== --- openssl-1.1.1d.orig/crypto/s390xcpuid.pl +++ openssl-1.1.1d/crypto/s390xcpuid.pl @@ -493,6 +493,62 @@ s390x_kdsa: ___ } +################ +# void s390x_flip_endian32(unsigned char dst[32], const unsigned char src[32]) +{ +my ($dst,$src) = map("%r$_",(2..3)); +$code.=<<___; +.globl s390x_flip_endian32 +.type s390x_flip_endian32,\@function +.align 16 +s390x_flip_endian32: + lrvg %r0,0(%r0,$src) + lrvg %r1,8(%r0,$src) + lrvg %r4,16(%r0,$src) + lrvg %r5,24(%r0,$src) + stg %r0,24(%r0,$dst) + stg %r1,16(%r0,$dst) + stg %r4,8(%r0,$dst) + stg %r5,0(%r0,$dst) + br $ra +.size s390x_flip_endian32,.-s390x_flip_endian32 +___ +} + +################ +# void s390x_flip_endian64(unsigned char dst[64], const unsigned char src[64]) +{ +my ($dst,$src) = map("%r$_",(2..3)); +$code.=<<___; +.globl s390x_flip_endian64 +.type s390x_flip_endian64,\@function +.align 16 +s390x_flip_endian64: + stmg %r6,%r9,6*$SIZE_T($sp) + + lrvg %r0,0(%r0,$src) + lrvg %r1,8(%r0,$src) + lrvg %r4,16(%r0,$src) + lrvg %r5,24(%r0,$src) + lrvg %r6,32(%r0,$src) + lrvg %r7,40(%r0,$src) + lrvg %r8,48(%r0,$src) + lrvg %r9,56(%r0,$src) + stg %r0,56(%r0,$dst) + stg %r1,48(%r0,$dst) + stg %r4,40(%r0,$dst) + stg %r5,32(%r0,$dst) + stg %r6,24(%r0,$dst) + stg %r7,16(%r0,$dst) + stg %r8,8(%r0,$dst) + stg %r9,0(%r0,$dst) + + lmg %r6,%r9,6*$SIZE_T($sp) + br $ra +.size s390x_flip_endian64,.-s390x_flip_endian64 +___ +} + $code.=<<___; .section .init brasl $ra,OPENSSL_cpuid_setup Index: openssl-1.1.1d/crypto/sm2/sm2_pmeth.c =================================================================== --- openssl-1.1.1d.orig/crypto/sm2/sm2_pmeth.c +++ openssl-1.1.1d/crypto/sm2/sm2_pmeth.c @@ -283,7 +283,7 @@ static int pkey_sm2_digest_custom(EVP_PK return EVP_DigestUpdate(mctx, z, (size_t)mdlen); } -const EVP_PKEY_METHOD sm2_pkey_meth = { +static const EVP_PKEY_METHOD sm2_pkey_meth = { EVP_PKEY_SM2, 0, pkey_sm2_init, @@ -323,3 +323,8 @@ const EVP_PKEY_METHOD sm2_pkey_meth = { pkey_sm2_digest_custom }; + +const EVP_PKEY_METHOD *sm2_pkey_method(void) +{ + return &sm2_pkey_meth; +} Index: openssl-1.1.1d/doc/man3/OPENSSL_s390xcap.pod =================================================================== --- openssl-1.1.1d.orig/doc/man3/OPENSSL_s390xcap.pod +++ openssl-1.1.1d/doc/man3/OPENSSL_s390xcap.pod @@ -159,6 +159,10 @@ Disables the KM-XTS-AES and and the KIMD # 64 1<<63 PCC-Scalar-Multiply-P256 # 65 1<<62 PCC-Scalar-Multiply-P384 # 66 1<<61 PCC-Scalar-Multiply-P521 + # 72 1<<55 PCC-Scalar-Multiply-Ed25519 + # 73 1<<54 PCC-Scalar-Multiply-Ed448 + # 80 1<<47 PCC-Scalar-Multiply-X25519 + # 81 1<<46 PCC-Scalar-Multiply-X448 kdsa : # 1 1<<62 KDSA-ECDSA-Verify-P256 @@ -167,6 +171,10 @@ Disables the KM-XTS-AES and and the KIMD # 9 1<<54 KDSA-ECDSA-Sign-P256 # 10 1<<53 KDSA-ECDSA-Sign-P384 # 11 1<<52 KDSA-ECDSA-Sign-P521 + # 32 1<<31 KDSA-EdDSA-Verify-Ed25519 + # 36 1<<27 KDSA-EdDSA-Verify-Ed448 + # 40 1<<23 KDSA-EdDSA-Sign-Ed25519 + # 44 1<<19 KDSA-EdDSA-Sign-Ed448 : =head1 RETURN VALUES Index: openssl-1.1.1d/include/openssl/ecerr.h =================================================================== --- openssl-1.1.1d.orig/include/openssl/ecerr.h +++ openssl-1.1.1d/include/openssl/ecerr.h @@ -206,6 +206,12 @@ int ERR_load_EC_strings(void); # define EC_F_PKEY_EC_KEYGEN 199 # define EC_F_PKEY_EC_PARAMGEN 219 # define EC_F_PKEY_EC_SIGN 218 +# define EC_F_S390X_PKEY_ECD_DIGESTSIGN25519 303 +# define EC_F_S390X_PKEY_ECD_DIGESTSIGN448 304 +# define EC_F_S390X_PKEY_ECD_KEYGEN25519 305 +# define EC_F_S390X_PKEY_ECD_KEYGEN448 306 +# define EC_F_S390X_PKEY_ECX_KEYGEN25519 307 +# define EC_F_S390X_PKEY_ECX_KEYGEN448 308 # define EC_F_VALIDATE_ECX_DERIVE 278 /* Index: openssl-1.1.1d/Configure =================================================================== --- openssl-1.1.1d.orig/Configure +++ openssl-1.1.1d/Configure @@ -1401,7 +1401,7 @@ unless ($disabled{asm}) { push @{$config{lib_defines}}, "X25519_ASM"; } if ($target{ec_asm_src} =~ /ecp_s390x_nistp/) { - push @{$config{lib_defines}}, "S390X_NISTP_ASM"; + push @{$config{lib_defines}}, "S390X_EC_ASM"; } if ($target{padlock_asm_src} ne $table{DEFAULTS}->{padlock_asm_src}) { push @{$config{dso_defines}}, "PADLOCK_ASM"; Index: openssl-1.1.1d/crypto/cmac/cm_pmeth.c =================================================================== --- openssl-1.1.1d.orig/crypto/cmac/cm_pmeth.c +++ openssl-1.1.1d/crypto/cmac/cm_pmeth.c @@ -127,7 +127,7 @@ static int pkey_cmac_ctrl_str(EVP_PKEY_C return -2; } -const EVP_PKEY_METHOD cmac_pkey_meth = { +static const EVP_PKEY_METHOD cmac_pkey_meth = { EVP_PKEY_CMAC, EVP_PKEY_FLAG_SIGCTX_CUSTOM | EVP_PKEY_FLAG_FIPS, pkey_cmac_init, @@ -159,3 +159,8 @@ const EVP_PKEY_METHOD cmac_pkey_meth = { pkey_cmac_ctrl, pkey_cmac_ctrl_str }; + +const EVP_PKEY_METHOD *cmac_pkey_method(void) +{ + return &cmac_pkey_meth; +} Index: openssl-1.1.1d/crypto/hmac/hm_pmeth.c =================================================================== --- openssl-1.1.1d.orig/crypto/hmac/hm_pmeth.c +++ openssl-1.1.1d/crypto/hmac/hm_pmeth.c @@ -178,7 +178,7 @@ static int pkey_hmac_ctrl_str(EVP_PKEY_C return -2; } -const EVP_PKEY_METHOD hmac_pkey_meth = { +static const EVP_PKEY_METHOD hmac_pkey_meth = { EVP_PKEY_HMAC, EVP_PKEY_FLAG_FIPS, pkey_hmac_init, @@ -210,3 +210,9 @@ const EVP_PKEY_METHOD hmac_pkey_meth = { pkey_hmac_ctrl, pkey_hmac_ctrl_str }; + +const EVP_PKEY_METHOD *hmac_pkey_method(void) +{ + return &hmac_pkey_meth; +} + Index: openssl-1.1.1d/crypto/poly1305/poly1305_pmeth.c =================================================================== --- openssl-1.1.1d.orig/crypto/poly1305/poly1305_pmeth.c +++ openssl-1.1.1d/crypto/poly1305/poly1305_pmeth.c @@ -160,7 +160,7 @@ static int pkey_poly1305_ctrl_str(EVP_PK return -2; } -const EVP_PKEY_METHOD poly1305_pkey_meth = { +static const EVP_PKEY_METHOD poly1305_pkey_meth = { EVP_PKEY_POLY1305, EVP_PKEY_FLAG_SIGCTX_CUSTOM, /* we don't deal with a separate MD */ pkey_poly1305_init, @@ -192,3 +192,8 @@ const EVP_PKEY_METHOD poly1305_pkey_meth pkey_poly1305_ctrl, pkey_poly1305_ctrl_str }; + +const EVP_PKEY_METHOD *poly1305_pkey_method(void) +{ + return &poly1305_pkey_meth; +} Index: openssl-1.1.1d/crypto/siphash/siphash_pmeth.c =================================================================== --- openssl-1.1.1d.orig/crypto/siphash/siphash_pmeth.c +++ openssl-1.1.1d/crypto/siphash/siphash_pmeth.c @@ -171,7 +171,7 @@ static int pkey_siphash_ctrl_str(EVP_PKE return -2; } -const EVP_PKEY_METHOD siphash_pkey_meth = { +static const EVP_PKEY_METHOD siphash_pkey_meth = { EVP_PKEY_SIPHASH, EVP_PKEY_FLAG_SIGCTX_CUSTOM, /* we don't deal with a separate MD */ pkey_siphash_init, @@ -203,3 +203,8 @@ const EVP_PKEY_METHOD siphash_pkey_meth pkey_siphash_ctrl, pkey_siphash_ctrl_str }; + +const EVP_PKEY_METHOD *siphash_pkey_method(void) +{ + return &siphash_pkey_meth; +}