- Support MSA 11 HMAC on s390x jsc#PED-10273

* Add openssl-3-disable-hmac-hw-acceleration-with-engine-digest.patch
  * Add openssl-3-fix-hmac-digest-detection-s390x.patch
  * Add openssl-3-fix-memleak-s390x_HMAC_CTX_copy.patch

- Add hardware acceleration for full AES-XTS  jsc#PED-10273
  * Add openssl-3-hw-acceleration-aes-xts-s390x.patch

- Support MSA 12 SHA3 on s390x jsc#PED-10280
  * Add openssl-3-add_EVP_DigestSqueeze_api.patch
  * Add openssl-3-support-multiple-sha3_squeeze_s390x.patch
  * Add openssl-3-add-xof-state-handling-s3_absorb.patch
  * Add openssl-3-fix-state-handling-sha3_absorb_s390x.patch
  * Add openssl-3-fix-state-handling-sha3_final_s390x.patch
  * Add openssl-3-fix-state-handling-shake_final_s390x.patch
  * Add openssl-3-fix-state-handling-keccak_final_s390x.patch
  * Add openssl-3-support-EVP_DigestSqueeze-in-digest-prov-s390x.patch
  * Add openssl-3-add-defines-CPACF-funcs.patch
  * Add openssl-3-add-hw-acceleration-hmac.patch
  * Add openssl-3-support-CPACF-sha3-shake-perf-improvement.patch
  * Add openssl-3-fix-s390x_sha3_absorb.patch
  * Add openssl-3-fix-s390x_shake_squeeze.patch

- Update to 3.2.3:
  * Changes between 3.2.2 and 3.2.3:
    - Fixed possible denial of service in X.509 name checks. [CVE-2024-6119]
    - Fixed possible buffer overread in SSL_select_next_proto(). [CVE-2024-5535]
  * Changes between 3.2.1 and 3.2.2:
    - Fixed potential use after free after SSL_free_buffers() is called. [CVE-2024-4741]
    - Fixed an issue where checking excessively long DSA keys or parameters may

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=121

openssl-3-fix-s390x_sha3_absorb.patch

@@ -0,0 +1,50 @@
+From 979dc530010e3c0f045edf6e38c7ab894ffba7f2 Mon Sep 17 00:00:00 2001
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+Date: Thu, 5 Sep 2024 08:45:29 +0200
+Subject: [PATCH] s390x: Fix s390x_sha3_absorb() when no data is processed by
+ KIMD
+
+If the data to absorb is less than a block, then the KIMD instruction is
+called with zero bytes. This is superfluous, and causes incorrect hash
+output later on if this is the very first absorb call, i.e. when the
+xof_state is still XOF_STATE_INIT and MSA 12 is available. In this case
+the NIP flag is set in the function code for KIMD, but KIMD ignores the
+NIP flag when it is called with zero bytes to process.
+
+Skip any KIMD calls for zero length data. Also do not set the xof_state
+to XOF_STATE_ABSORB until the first call to KIMD with data. That way,
+the next KIMD (with non-zero length data) or KLMD call will get the NIP
+flag set and will then honor it to produce correct output.
+
+Fixes: https://github.com/openssl/openssl/commit/25f5d7b85f6657cd2f9f1ab7ae87f319d9bafe54
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+
+Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/25388)
+---
+ providers/implementations/digests/sha3_prov.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c
+===================================================================
+--- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c
++++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c
+@@ -192,10 +192,12 @@ static size_t s390x_sha3_absorb(void *vc
+     if (!(ctx->xof_state == XOF_STATE_INIT ||
+           ctx->xof_state == XOF_STATE_ABSORB))
+         return 0;
+-    fc = ctx->pad;
+-    fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KIMD_NIP : 0;
+-    ctx->xof_state = XOF_STATE_ABSORB;
+-    s390x_kimd(inp, len - rem, fc, ctx->A);
++    if (len - rem > 0) {
++        fc = ctx->pad;
++        fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KIMD_NIP : 0;
++        ctx->xof_state = XOF_STATE_ABSORB;
++        s390x_kimd(inp, len - rem, fc, ctx->A);
++    }
+     return rem;
+ }
+