c29de1fbdc
Add million FIPS and s390 patches - Temporarily ignore broken OPENSSL_INIT_NO_ATEXIT due to our layered FIPS initialization * openssl-fips-ignore_broken_atexit_test.patch - Import FIPS patches from SLE-15 * openssl-fips-dont_run_FIPS_module_installed.patch * openssl-fips_mode.patch * openssl-ship_fips_standalone_hmac.patch * openssl-fips-clearerror.patch * openssl-fips-selftests_in_nonfips_mode.patch - Don't run FIPS power-up self-tests when the checksum files aren't installed (bsc#1042392) * add openssl-fips-run_selftests_only_when_module_is_complete.patch - Import FIPS patches from Fedora (bsc#1157702, jsc#SLE-9553) * openssl-1.1.1-fips-crng-test.patch * openssl-1.1.1-fips-post-rand.patch * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch * openssl-1.1.1-ssh-kdf.patch replaces openssl-jsc-SLE-8789-backport_KDF.patch - Support for CPACF enhancements - part 1 (crypto) [bsc#1152695, jsc#SLE-7861] - Add patches: * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch * openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch * openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch * openssl-s390xcpuid.pl-fix-comment.patch OBS-URL: https://build.opensuse.org/request/show/766865 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=51
395 lines
13 KiB
Diff
395 lines
13 KiB
Diff
From e382f507fb67863be02bfa69b08533cc55f0cd96 Mon Sep 17 00:00:00 2001
|
|
From: Patrick Steuer <patrick.steuer@de.ibm.com>
|
|
Date: Thu, 27 Jun 2019 01:07:54 +0200
|
|
Subject: [PATCH 08967/10000] s390x assembly pack: add support for pcc and kma
|
|
instructions
|
|
|
|
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
|
|
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
|
|
(Merged from https://github.com/openssl/openssl/pull/9258)
|
|
---
|
|
crypto/s390x_arch.h | 22 ++++++++
|
|
crypto/s390xcap.c | 119 +++++++++++++++++++++++++++++++++++++++++++
|
|
crypto/s390xcpuid.pl | 71 ++++++++++++++++++++++++++
|
|
3 files changed, 212 insertions(+)
|
|
|
|
Index: openssl-1.1.1d/crypto/s390x_arch.h
|
|
===================================================================
|
|
--- openssl-1.1.1d.orig/crypto/s390x_arch.h
|
|
+++ openssl-1.1.1d/crypto/s390x_arch.h
|
|
@@ -26,6 +26,9 @@ void s390x_kmf(const unsigned char *in,
|
|
unsigned int fc, void *param);
|
|
void s390x_kma(const unsigned char *aad, size_t alen, const unsigned char *in,
|
|
size_t len, unsigned char *out, unsigned int fc, void *param);
|
|
+int s390x_pcc(unsigned int fc, void *param);
|
|
+int s390x_kdsa(unsigned int fc, void *param, const unsigned char *in,
|
|
+ size_t len);
|
|
|
|
/*
|
|
* The field elements of OPENSSL_s390xcap_P are the 64-bit words returned by
|
|
@@ -45,6 +48,8 @@ struct OPENSSL_s390xcap_st {
|
|
unsigned long long kmf[2];
|
|
unsigned long long prno[2];
|
|
unsigned long long kma[2];
|
|
+ unsigned long long pcc[2];
|
|
+ unsigned long long kdsa[2];
|
|
};
|
|
|
|
extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P;
|
|
@@ -69,6 +74,8 @@ extern struct OPENSSL_s390xcap_st OPENSS
|
|
# define S390X_KMF 0x90
|
|
# define S390X_PRNO 0xa0
|
|
# define S390X_KMA 0xb0
|
|
+# define S390X_PCC 0xc0
|
|
+# define S390X_KDSA 0xd0
|
|
|
|
/* Facility Bit Numbers */
|
|
# define S390X_MSA 17 /* message-security-assist */
|
|
@@ -80,6 +87,7 @@ extern struct OPENSSL_s390xcap_st OPENSS
|
|
# define S390X_VXD 134 /* vector packed decimal */
|
|
# define S390X_VXE 135 /* vector enhancements 1 */
|
|
# define S390X_MSA8 146 /* message-security-assist-ext. 8 */
|
|
+# define S390X_MSA9 155 /* message-security-assist-ext. 9 */
|
|
|
|
/* Function Codes */
|
|
|
|
@@ -111,10 +119,24 @@ extern struct OPENSSL_s390xcap_st OPENSS
|
|
# define S390X_SHA_512_DRNG 3
|
|
# define S390X_TRNG 114
|
|
|
|
+/* pcc */
|
|
+# define S390X_SCALAR_MULTIPLY_P256 64
|
|
+# define S390X_SCALAR_MULTIPLY_P384 65
|
|
+# define S390X_SCALAR_MULTIPLY_P521 66
|
|
+
|
|
+/* kdsa */
|
|
+# define S390X_ECDSA_VERIFY_P256 1
|
|
+# define S390X_ECDSA_VERIFY_P384 2
|
|
+# define S390X_ECDSA_VERIFY_P521 3
|
|
+# define S390X_ECDSA_SIGN_P256 9
|
|
+# define S390X_ECDSA_SIGN_P384 10
|
|
+# define S390X_ECDSA_SIGN_P521 11
|
|
+
|
|
/* Register 0 Flags */
|
|
# define S390X_DECRYPT 0x80
|
|
# define S390X_KMA_LPC 0x100
|
|
# define S390X_KMA_LAAD 0x200
|
|
# define S390X_KMA_HS 0x400
|
|
+# define S390X_KDSA_D 0x80
|
|
|
|
#endif
|
|
Index: openssl-1.1.1d/crypto/s390xcap.c
|
|
===================================================================
|
|
--- openssl-1.1.1d.orig/crypto/s390xcap.c
|
|
+++ openssl-1.1.1d/crypto/s390xcap.c
|
|
@@ -137,6 +137,10 @@ void OPENSSL_cpuid_setup(void)
|
|
OPENSSL_s390xcap_P.prno[1] &= cap.prno[1];
|
|
OPENSSL_s390xcap_P.kma[0] &= cap.kma[0];
|
|
OPENSSL_s390xcap_P.kma[1] &= cap.kma[1];
|
|
+ OPENSSL_s390xcap_P.pcc[0] &= cap.pcc[0];
|
|
+ OPENSSL_s390xcap_P.pcc[1] &= cap.pcc[1];
|
|
+ OPENSSL_s390xcap_P.kdsa[0] &= cap.kdsa[0];
|
|
+ OPENSSL_s390xcap_P.kdsa[1] &= cap.kdsa[1];
|
|
}
|
|
}
|
|
|
|
@@ -163,6 +167,8 @@ static int parse_env(struct OPENSSL_s390
|
|
.kmf = {0ULL, 0ULL},
|
|
.prno = {0ULL, 0ULL},
|
|
.kma = {0ULL, 0ULL},
|
|
+ .pcc = {0ULL, 0ULL},
|
|
+ .kdsa = {0ULL, 0ULL},
|
|
};
|
|
|
|
/*-
|
|
@@ -189,6 +195,8 @@ static int parse_env(struct OPENSSL_s390
|
|
.kmf = {0ULL, 0ULL},
|
|
.prno = {0ULL, 0ULL},
|
|
.kma = {0ULL, 0ULL},
|
|
+ .pcc = {0ULL, 0ULL},
|
|
+ .kdsa = {0ULL, 0ULL},
|
|
};
|
|
|
|
/*-
|
|
@@ -220,6 +228,8 @@ static int parse_env(struct OPENSSL_s390
|
|
.kmf = {0ULL, 0ULL},
|
|
.prno = {0ULL, 0ULL},
|
|
.kma = {0ULL, 0ULL},
|
|
+ .pcc = {0ULL, 0ULL},
|
|
+ .kdsa = {0ULL, 0ULL},
|
|
};
|
|
|
|
/*-
|
|
@@ -257,6 +267,8 @@ static int parse_env(struct OPENSSL_s390
|
|
.kmf = {0ULL, 0ULL},
|
|
.prno = {0ULL, 0ULL},
|
|
.kma = {0ULL, 0ULL},
|
|
+ .pcc = {0ULL, 0ULL},
|
|
+ .kdsa = {0ULL, 0ULL},
|
|
};
|
|
|
|
/*-
|
|
@@ -313,6 +325,9 @@ static int parse_env(struct OPENSSL_s390
|
|
0ULL},
|
|
.prno = {0ULL, 0ULL},
|
|
.kma = {0ULL, 0ULL},
|
|
+ .pcc = {S390X_CAPBIT(S390X_QUERY),
|
|
+ 0ULL},
|
|
+ .kdsa = {0ULL, 0ULL},
|
|
};
|
|
|
|
/*-
|
|
@@ -369,6 +384,9 @@ static int parse_env(struct OPENSSL_s390
|
|
0ULL},
|
|
.prno = {0ULL, 0ULL},
|
|
.kma = {0ULL, 0ULL},
|
|
+ .pcc = {S390X_CAPBIT(S390X_QUERY),
|
|
+ 0ULL},
|
|
+ .kdsa = {0ULL, 0ULL},
|
|
};
|
|
|
|
/*-
|
|
@@ -429,6 +447,9 @@ static int parse_env(struct OPENSSL_s390
|
|
| S390X_CAPBIT(S390X_SHA_512_DRNG),
|
|
0ULL},
|
|
.kma = {0ULL, 0ULL},
|
|
+ .pcc = {S390X_CAPBIT(S390X_QUERY),
|
|
+ 0ULL},
|
|
+ .kdsa = {0ULL, 0ULL},
|
|
};
|
|
|
|
/*-
|
|
@@ -508,6 +529,101 @@ static int parse_env(struct OPENSSL_s390
|
|
| S390X_CAPBIT(S390X_AES_192)
|
|
| S390X_CAPBIT(S390X_AES_256),
|
|
0ULL},
|
|
+ .pcc = {S390X_CAPBIT(S390X_QUERY),
|
|
+ 0ULL},
|
|
+ .kdsa = {0ULL, 0ULL},
|
|
+ };
|
|
+
|
|
+ /*-
|
|
+ * z15 (2019) - z/Architecture POP SA22-7832-12
|
|
+ * Implements MSA and MSA1-9.
|
|
+ */
|
|
+ static const struct OPENSSL_s390xcap_st z15 = {
|
|
+ /*.stfle = */{S390X_CAPBIT(S390X_MSA)
|
|
+ | S390X_CAPBIT(S390X_STCKF)
|
|
+ | S390X_CAPBIT(S390X_MSA5),
|
|
+ S390X_CAPBIT(S390X_MSA3)
|
|
+ | S390X_CAPBIT(S390X_MSA4),
|
|
+ S390X_CAPBIT(S390X_VX)
|
|
+ | S390X_CAPBIT(S390X_VXD)
|
|
+ | S390X_CAPBIT(S390X_VXE)
|
|
+ | S390X_CAPBIT(S390X_MSA8),
|
|
+ 0ULL},
|
|
+ /*.kimd = */{S390X_CAPBIT(S390X_QUERY)
|
|
+ | S390X_CAPBIT(S390X_SHA_1)
|
|
+ | S390X_CAPBIT(S390X_SHA_256)
|
|
+ | S390X_CAPBIT(S390X_SHA_512)
|
|
+ | S390X_CAPBIT(S390X_SHA3_224)
|
|
+ | S390X_CAPBIT(S390X_SHA3_256)
|
|
+ | S390X_CAPBIT(S390X_SHA3_384)
|
|
+ | S390X_CAPBIT(S390X_SHA3_512)
|
|
+ | S390X_CAPBIT(S390X_SHAKE_128)
|
|
+ | S390X_CAPBIT(S390X_SHAKE_256),
|
|
+ S390X_CAPBIT(S390X_GHASH)},
|
|
+ /*.klmd = */{S390X_CAPBIT(S390X_QUERY)
|
|
+ | S390X_CAPBIT(S390X_SHA_1)
|
|
+ | S390X_CAPBIT(S390X_SHA_256)
|
|
+ | S390X_CAPBIT(S390X_SHA_512)
|
|
+ | S390X_CAPBIT(S390X_SHA3_224)
|
|
+ | S390X_CAPBIT(S390X_SHA3_256)
|
|
+ | S390X_CAPBIT(S390X_SHA3_384)
|
|
+ | S390X_CAPBIT(S390X_SHA3_512)
|
|
+ | S390X_CAPBIT(S390X_SHAKE_128)
|
|
+ | S390X_CAPBIT(S390X_SHAKE_256),
|
|
+ 0ULL},
|
|
+ /*.km = */{S390X_CAPBIT(S390X_QUERY)
|
|
+ | S390X_CAPBIT(S390X_AES_128)
|
|
+ | S390X_CAPBIT(S390X_AES_192)
|
|
+ | S390X_CAPBIT(S390X_AES_256)
|
|
+ | S390X_CAPBIT(S390X_XTS_AES_128)
|
|
+ | S390X_CAPBIT(S390X_XTS_AES_256),
|
|
+ 0ULL},
|
|
+ /*.kmc = */{S390X_CAPBIT(S390X_QUERY)
|
|
+ | S390X_CAPBIT(S390X_AES_128)
|
|
+ | S390X_CAPBIT(S390X_AES_192)
|
|
+ | S390X_CAPBIT(S390X_AES_256),
|
|
+ 0ULL},
|
|
+ /*.kmac = */{S390X_CAPBIT(S390X_QUERY)
|
|
+ | S390X_CAPBIT(S390X_AES_128)
|
|
+ | S390X_CAPBIT(S390X_AES_192)
|
|
+ | S390X_CAPBIT(S390X_AES_256),
|
|
+ 0ULL},
|
|
+ /*.kmctr = */{S390X_CAPBIT(S390X_QUERY)
|
|
+ | S390X_CAPBIT(S390X_AES_128)
|
|
+ | S390X_CAPBIT(S390X_AES_192)
|
|
+ | S390X_CAPBIT(S390X_AES_256),
|
|
+ 0ULL},
|
|
+ /*.kmo = */{S390X_CAPBIT(S390X_QUERY)
|
|
+ | S390X_CAPBIT(S390X_AES_128)
|
|
+ | S390X_CAPBIT(S390X_AES_192)
|
|
+ | S390X_CAPBIT(S390X_AES_256),
|
|
+ 0ULL},
|
|
+ /*.kmf = */{S390X_CAPBIT(S390X_QUERY)
|
|
+ | S390X_CAPBIT(S390X_AES_128)
|
|
+ | S390X_CAPBIT(S390X_AES_192)
|
|
+ | S390X_CAPBIT(S390X_AES_256),
|
|
+ 0ULL},
|
|
+ /*.prno = */{S390X_CAPBIT(S390X_QUERY)
|
|
+ | S390X_CAPBIT(S390X_SHA_512_DRNG),
|
|
+ S390X_CAPBIT(S390X_TRNG)},
|
|
+ /*.kma = */{S390X_CAPBIT(S390X_QUERY)
|
|
+ | S390X_CAPBIT(S390X_AES_128)
|
|
+ | S390X_CAPBIT(S390X_AES_192)
|
|
+ | S390X_CAPBIT(S390X_AES_256),
|
|
+ 0ULL},
|
|
+ /*.pcc = */{S390X_CAPBIT(S390X_QUERY)
|
|
+ | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P256)
|
|
+ | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P384)
|
|
+ | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P521),
|
|
+ 0ULL},
|
|
+ /*.kdsa = */{S390X_CAPBIT(S390X_QUERY)
|
|
+ | S390X_CAPBIT(S390X_ECDSA_VERIFY_P256)
|
|
+ | S390X_CAPBIT(S390X_ECDSA_VERIFY_P384)
|
|
+ | S390X_CAPBIT(S390X_ECDSA_VERIFY_P521)
|
|
+ | S390X_CAPBIT(S390X_ECDSA_SIGN_P256)
|
|
+ | S390X_CAPBIT(S390X_ECDSA_SIGN_P384)
|
|
+ | S390X_CAPBIT(S390X_ECDSA_SIGN_P521),
|
|
+ 0ULL},
|
|
};
|
|
|
|
char *tok_begin, *tok_end, *buff, tok[S390X_STFLE_MAX][LEN + 1];
|
|
@@ -551,6 +667,8 @@ static int parse_env(struct OPENSSL_s390
|
|
else if TOK_FUNC(kmf)
|
|
else if TOK_FUNC(prno)
|
|
else if TOK_FUNC(kma)
|
|
+ else if TOK_FUNC(pcc)
|
|
+ else if TOK_FUNC(kdsa)
|
|
|
|
/* CPU model tokens */
|
|
else if TOK_CPU(z900)
|
|
@@ -561,6 +679,7 @@ static int parse_env(struct OPENSSL_s390
|
|
else if TOK_CPU(zEC12)
|
|
else if TOK_CPU(z13)
|
|
else if TOK_CPU(z14)
|
|
+ else if TOK_CPU(z15)
|
|
|
|
/* whitespace(ignored) or invalid tokens */
|
|
else {
|
|
Index: openssl-1.1.1d/crypto/s390xcpuid.pl
|
|
===================================================================
|
|
--- openssl-1.1.1d.orig/crypto/s390xcpuid.pl
|
|
+++ openssl-1.1.1d/crypto/s390xcpuid.pl
|
|
@@ -77,8 +77,13 @@ OPENSSL_s390x_functions:
|
|
stg %r0,S390X_PRNO+8(%r4)
|
|
stg %r0,S390X_KMA(%r4)
|
|
stg %r0,S390X_KMA+8(%r4)
|
|
+ stg %r0,S390X_PCC(%r4)
|
|
+ stg %r0,S390X_PCC+8(%r4)
|
|
+ stg %r0,S390X_KDSA(%r4)
|
|
+ stg %r0,S390X_KDSA+8(%r4)
|
|
|
|
lmg %r2,%r3,S390X_STFLE(%r4)
|
|
+
|
|
tmhl %r2,0x4000 # check for message-security-assist
|
|
jz .Lret
|
|
|
|
@@ -102,6 +107,13 @@ OPENSSL_s390x_functions:
|
|
la %r1,S390X_KMAC(%r4)
|
|
.long 0xb91e0042 # kmac %r4,%r2
|
|
|
|
+ tmhh %r3,0x0003 # check for message-security-assist-3
|
|
+ jz .Lret
|
|
+
|
|
+ lghi %r0,S390X_QUERY # query pcc capability vector
|
|
+ la %r1,S390X_PCC(%r4)
|
|
+ .long 0xb92c0000 # pcc
|
|
+
|
|
tmhh %r3,0x0004 # check for message-security-assist-4
|
|
jz .Lret
|
|
|
|
@@ -125,6 +137,7 @@ OPENSSL_s390x_functions:
|
|
.long 0xb93c0042 # prno %r4,%r2
|
|
|
|
lg %r2,S390X_STFLE+16(%r4)
|
|
+
|
|
tmhl %r2,0x2000 # check for message-security-assist-8
|
|
jz .Lret
|
|
|
|
@@ -132,6 +145,13 @@ OPENSSL_s390x_functions:
|
|
la %r1,S390X_KMA(%r4)
|
|
.long 0xb9294022 # kma %r2,%r4,%r2
|
|
|
|
+ tmhl %r2,0x0010 # check for message-security-assist-9
|
|
+ jz .Lret
|
|
+
|
|
+ lghi %r0,S390X_QUERY # query kdsa capability vector
|
|
+ la %r1,S390X_KDSA(%r4)
|
|
+ .long 0xb93a0002 # kdsa %r0,%r2
|
|
+
|
|
.Lret:
|
|
br $ra
|
|
.size OPENSSL_s390x_functions,.-OPENSSL_s390x_functions
|
|
@@ -422,6 +442,57 @@ s390x_kma:
|
|
___
|
|
}
|
|
|
|
+################
|
|
+# void s390x_pcc(unsigned int fc, void *param)
|
|
+{
|
|
+my ($fc,$param) = map("%r$_",(2..3));
|
|
+$code.=<<___;
|
|
+.globl s390x_pcc
|
|
+.type s390x_pcc,\@function
|
|
+.align 16
|
|
+s390x_pcc:
|
|
+ lr %r0,$fc
|
|
+ l${g}r %r1,$param
|
|
+ lhi %r2,0
|
|
+
|
|
+ .long 0xb92c0000 # pcc
|
|
+ brc 1,.-4 # pay attention to "partial completion"
|
|
+ brc 7,.Lpcc_err # if CC==0 return 0, else return 1
|
|
+.Lpcc_out:
|
|
+ br $ra
|
|
+.Lpcc_err:
|
|
+ lhi %r2,1
|
|
+ j .Lpcc_out
|
|
+.size s390x_pcc,.-s390x_pcc
|
|
+___
|
|
+}
|
|
+
|
|
+################
|
|
+# void s390x_kdsa(unsigned int fc, void *param,
|
|
+# const unsigned char *in, size_t len)
|
|
+{
|
|
+my ($fc,$param,$in,$len) = map("%r$_",(2..5));
|
|
+$code.=<<___;
|
|
+.globl s390x_kdsa
|
|
+.type s390x_kdsa,\@function
|
|
+.align 16
|
|
+s390x_kdsa:
|
|
+ lr %r0,$fc
|
|
+ l${g}r %r1,$param
|
|
+ lhi %r2,0
|
|
+
|
|
+ .long 0xb93a0004 # kdsa %r0,$in
|
|
+ brc 1,.-4 # pay attention to "partial completion"
|
|
+ brc 7,.Lkdsa_err # if CC==0 return 0, else return 1
|
|
+.Lkdsa_out:
|
|
+ br $ra
|
|
+.Lkdsa_err:
|
|
+ lhi %r2,1
|
|
+ j .Lkdsa_out
|
|
+.size s390x_kdsa,.-s390x_kdsa
|
|
+___
|
|
+}
|
|
+
|
|
$code.=<<___;
|
|
.section .init
|
|
brasl $ra,OPENSSL_cpuid_setup
|