rpm/openssl-1_1
SHA256
1
0
Fork 0
forked from pool/openssl-1_1
Code Pull Requests Activity
863b688e84
openssl-1_1/openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch
Tomáš Chvátal c29de1fbdc Accepting request 766865 from home:vitezslav_cizek:branches:security:tls 
Add million FIPS and s390 patches

- Temporarily ignore broken OPENSSL_INIT_NO_ATEXIT due to our
  layered FIPS initialization
  * openssl-fips-ignore_broken_atexit_test.patch

- Import FIPS patches from SLE-15
  * openssl-fips-dont_run_FIPS_module_installed.patch
  * openssl-fips_mode.patch
  * openssl-ship_fips_standalone_hmac.patch
  * openssl-fips-clearerror.patch
  * openssl-fips-selftests_in_nonfips_mode.patch

- Don't run FIPS power-up self-tests when the checksum files aren't
  installed (bsc#1042392)
  * add openssl-fips-run_selftests_only_when_module_is_complete.patch

- Import FIPS patches from Fedora (bsc#1157702, jsc#SLE-9553)
  * openssl-1.1.1-fips-crng-test.patch
  * openssl-1.1.1-fips-post-rand.patch
  * openssl-1.1.1-fips.patch
  * openssl-1.1.0-issuer-hash.patch
  * openssl-1.1.1-evp-kdf.patch
  * openssl-1.1.1-ssh-kdf.patch replaces openssl-jsc-SLE-8789-backport_KDF.patch

- Support for CPACF enhancements - part 1 (crypto) [bsc#1152695, jsc#SLE-7861]
- Add patches:
  * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch
  * openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch
  * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch
  * openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch
  * openssl-s390xcpuid.pl-fix-comment.patch

OBS-URL: https://build.opensuse.org/request/show/766865
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=51
2020-01-24 11:52:58 +00:00

395 lines
13 KiB
Diff
Raw Blame History

From e382f507fb67863be02bfa69b08533cc55f0cd96 Mon Sep 17 00:00:00 2001
From: Patrick Steuer <patrick.steuer@de.ibm.com>
Date: Thu, 27 Jun 2019 01:07:54 +0200
Subject: [PATCH 08967/10000] s390x assembly pack: add support for pcc and kma
instructions
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9258)
---
crypto/s390x_arch.h | 22 ++++++++
crypto/s390xcap.c | 119 +++++++++++++++++++++++++++++++++++++++++++
crypto/s390xcpuid.pl | 71 ++++++++++++++++++++++++++
3 files changed, 212 insertions(+)
Index: openssl-1.1.1d/crypto/s390x_arch.h
===================================================================
--- openssl-1.1.1d.orig/crypto/s390x_arch.h
+++ openssl-1.1.1d/crypto/s390x_arch.h
@@ -26,6 +26,9 @@ void s390x_kmf(const unsigned char *in,
unsigned int fc, void *param);
void s390x_kma(const unsigned char *aad, size_t alen, const unsigned char *in,
size_t len, unsigned char *out, unsigned int fc, void *param);
+int s390x_pcc(unsigned int fc, void *param);
+int s390x_kdsa(unsigned int fc, void *param, const unsigned char *in,
+ size_t len);
/*
* The field elements of OPENSSL_s390xcap_P are the 64-bit words returned by
@@ -45,6 +48,8 @@ struct OPENSSL_s390xcap_st {
unsigned long long kmf[2];
unsigned long long prno[2];
unsigned long long kma[2];
+ unsigned long long pcc[2];
+ unsigned long long kdsa[2];
};
extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P;
@@ -69,6 +74,8 @@ extern struct OPENSSL_s390xcap_st OPENSS
# define S390X_KMF 0x90
# define S390X_PRNO 0xa0
# define S390X_KMA 0xb0
+# define S390X_PCC 0xc0
+# define S390X_KDSA 0xd0
/* Facility Bit Numbers */
# define S390X_MSA 17 /* message-security-assist */
@@ -80,6 +87,7 @@ extern struct OPENSSL_s390xcap_st OPENSS
# define S390X_VXD 134 /* vector packed decimal */
# define S390X_VXE 135 /* vector enhancements 1 */
# define S390X_MSA8 146 /* message-security-assist-ext. 8 */
+# define S390X_MSA9 155 /* message-security-assist-ext. 9 */
/* Function Codes */
@@ -111,10 +119,24 @@ extern struct OPENSSL_s390xcap_st OPENSS
# define S390X_SHA_512_DRNG 3
# define S390X_TRNG 114
+/* pcc */
+# define S390X_SCALAR_MULTIPLY_P256 64
+# define S390X_SCALAR_MULTIPLY_P384 65
+# define S390X_SCALAR_MULTIPLY_P521 66
+
+/* kdsa */
+# define S390X_ECDSA_VERIFY_P256 1
+# define S390X_ECDSA_VERIFY_P384 2
+# define S390X_ECDSA_VERIFY_P521 3
+# define S390X_ECDSA_SIGN_P256 9
+# define S390X_ECDSA_SIGN_P384 10
+# define S390X_ECDSA_SIGN_P521 11
+
/* Register 0 Flags */
# define S390X_DECRYPT 0x80
# define S390X_KMA_LPC 0x100
# define S390X_KMA_LAAD 0x200
# define S390X_KMA_HS 0x400
+# define S390X_KDSA_D 0x80
#endif
Index: openssl-1.1.1d/crypto/s390xcap.c
===================================================================
--- openssl-1.1.1d.orig/crypto/s390xcap.c
+++ openssl-1.1.1d/crypto/s390xcap.c
@@ -137,6 +137,10 @@ void OPENSSL_cpuid_setup(void)
OPENSSL_s390xcap_P.prno[1] &= cap.prno[1];
OPENSSL_s390xcap_P.kma[0] &= cap.kma[0];
OPENSSL_s390xcap_P.kma[1] &= cap.kma[1];
+ OPENSSL_s390xcap_P.pcc[0] &= cap.pcc[0];
+ OPENSSL_s390xcap_P.pcc[1] &= cap.pcc[1];
+ OPENSSL_s390xcap_P.kdsa[0] &= cap.kdsa[0];
+ OPENSSL_s390xcap_P.kdsa[1] &= cap.kdsa[1];
}
}
@@ -163,6 +167,8 @@ static int parse_env(struct OPENSSL_s390
.kmf = {0ULL, 0ULL},
.prno = {0ULL, 0ULL},
.kma = {0ULL, 0ULL},
+ .pcc = {0ULL, 0ULL},
+ .kdsa = {0ULL, 0ULL},
};
/*-
@@ -189,6 +195,8 @@ static int parse_env(struct OPENSSL_s390
.kmf = {0ULL, 0ULL},
.prno = {0ULL, 0ULL},
.kma = {0ULL, 0ULL},
+ .pcc = {0ULL, 0ULL},
+ .kdsa = {0ULL, 0ULL},
};
/*-
@@ -220,6 +228,8 @@ static int parse_env(struct OPENSSL_s390
.kmf = {0ULL, 0ULL},
.prno = {0ULL, 0ULL},
.kma = {0ULL, 0ULL},
+ .pcc = {0ULL, 0ULL},
+ .kdsa = {0ULL, 0ULL},
};
/*-
@@ -257,6 +267,8 @@ static int parse_env(struct OPENSSL_s390
.kmf = {0ULL, 0ULL},
.prno = {0ULL, 0ULL},
.kma = {0ULL, 0ULL},
+ .pcc = {0ULL, 0ULL},
+ .kdsa = {0ULL, 0ULL},
};
/*-
@@ -313,6 +325,9 @@ static int parse_env(struct OPENSSL_s390
0ULL},
.prno = {0ULL, 0ULL},
.kma = {0ULL, 0ULL},
+ .pcc = {S390X_CAPBIT(S390X_QUERY),
+ 0ULL},
+ .kdsa = {0ULL, 0ULL},
};
/*-
@@ -369,6 +384,9 @@ static int parse_env(struct OPENSSL_s390
0ULL},
.prno = {0ULL, 0ULL},
.kma = {0ULL, 0ULL},
+ .pcc = {S390X_CAPBIT(S390X_QUERY),
+ 0ULL},
+ .kdsa = {0ULL, 0ULL},
};
/*-
@@ -429,6 +447,9 @@ static int parse_env(struct OPENSSL_s390
| S390X_CAPBIT(S390X_SHA_512_DRNG),
0ULL},
.kma = {0ULL, 0ULL},
+ .pcc = {S390X_CAPBIT(S390X_QUERY),
+ 0ULL},
+ .kdsa = {0ULL, 0ULL},
};
/*-
@@ -508,6 +529,101 @@ static int parse_env(struct OPENSSL_s390
| S390X_CAPBIT(S390X_AES_192)
| S390X_CAPBIT(S390X_AES_256),
0ULL},
+ .pcc = {S390X_CAPBIT(S390X_QUERY),
+ 0ULL},
+ .kdsa = {0ULL, 0ULL},
+ };
+
+ /*-
+ * z15 (2019) - z/Architecture POP SA22-7832-12
+ * Implements MSA and MSA1-9.
+ */
+ static const struct OPENSSL_s390xcap_st z15 = {
+ /*.stfle = */{S390X_CAPBIT(S390X_MSA)
+ | S390X_CAPBIT(S390X_STCKF)
+ | S390X_CAPBIT(S390X_MSA5),
+ S390X_CAPBIT(S390X_MSA3)
+ | S390X_CAPBIT(S390X_MSA4),
+ S390X_CAPBIT(S390X_VX)
+ | S390X_CAPBIT(S390X_VXD)
+ | S390X_CAPBIT(S390X_VXE)
+ | S390X_CAPBIT(S390X_MSA8),
+ 0ULL},
+ /*.kimd = */{S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_SHA_1)
+ | S390X_CAPBIT(S390X_SHA_256)
+ | S390X_CAPBIT(S390X_SHA_512)
+ | S390X_CAPBIT(S390X_SHA3_224)
+ | S390X_CAPBIT(S390X_SHA3_256)
+ | S390X_CAPBIT(S390X_SHA3_384)
+ | S390X_CAPBIT(S390X_SHA3_512)
+ | S390X_CAPBIT(S390X_SHAKE_128)
+ | S390X_CAPBIT(S390X_SHAKE_256),
+ S390X_CAPBIT(S390X_GHASH)},
+ /*.klmd = */{S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_SHA_1)
+ | S390X_CAPBIT(S390X_SHA_256)
+ | S390X_CAPBIT(S390X_SHA_512)
+ | S390X_CAPBIT(S390X_SHA3_224)
+ | S390X_CAPBIT(S390X_SHA3_256)
+ | S390X_CAPBIT(S390X_SHA3_384)
+ | S390X_CAPBIT(S390X_SHA3_512)
+ | S390X_CAPBIT(S390X_SHAKE_128)
+ | S390X_CAPBIT(S390X_SHAKE_256),
+ 0ULL},
+ /*.km = */{S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256)
+ | S390X_CAPBIT(S390X_XTS_AES_128)
+ | S390X_CAPBIT(S390X_XTS_AES_256),
+ 0ULL},
+ /*.kmc = */{S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256),
+ 0ULL},
+ /*.kmac = */{S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256),
+ 0ULL},
+ /*.kmctr = */{S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256),
+ 0ULL},
+ /*.kmo = */{S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256),
+ 0ULL},
+ /*.kmf = */{S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256),
+ 0ULL},
+ /*.prno = */{S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_SHA_512_DRNG),
+ S390X_CAPBIT(S390X_TRNG)},
+ /*.kma = */{S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256),
+ 0ULL},
+ /*.pcc = */{S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P256)
+ | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P384)
+ | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P521),
+ 0ULL},
+ /*.kdsa = */{S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_ECDSA_VERIFY_P256)
+ | S390X_CAPBIT(S390X_ECDSA_VERIFY_P384)
+ | S390X_CAPBIT(S390X_ECDSA_VERIFY_P521)
+ | S390X_CAPBIT(S390X_ECDSA_SIGN_P256)
+ | S390X_CAPBIT(S390X_ECDSA_SIGN_P384)
+ | S390X_CAPBIT(S390X_ECDSA_SIGN_P521),
+ 0ULL},
};
char *tok_begin, *tok_end, *buff, tok[S390X_STFLE_MAX][LEN + 1];
@@ -551,6 +667,8 @@ static int parse_env(struct OPENSSL_s390
else if TOK_FUNC(kmf)
else if TOK_FUNC(prno)
else if TOK_FUNC(kma)
+ else if TOK_FUNC(pcc)
+ else if TOK_FUNC(kdsa)
/* CPU model tokens */
else if TOK_CPU(z900)
@@ -561,6 +679,7 @@ static int parse_env(struct OPENSSL_s390
else if TOK_CPU(zEC12)
else if TOK_CPU(z13)
else if TOK_CPU(z14)
+ else if TOK_CPU(z15)
/* whitespace(ignored) or invalid tokens */
else {
Index: openssl-1.1.1d/crypto/s390xcpuid.pl
===================================================================
--- openssl-1.1.1d.orig/crypto/s390xcpuid.pl
+++ openssl-1.1.1d/crypto/s390xcpuid.pl
@@ -77,8 +77,13 @@ OPENSSL_s390x_functions:
stg %r0,S390X_PRNO+8(%r4)
stg %r0,S390X_KMA(%r4)
stg %r0,S390X_KMA+8(%r4)
+ stg %r0,S390X_PCC(%r4)
+ stg %r0,S390X_PCC+8(%r4)
+ stg %r0,S390X_KDSA(%r4)
+ stg %r0,S390X_KDSA+8(%r4)
lmg %r2,%r3,S390X_STFLE(%r4)
+
tmhl %r2,0x4000 # check for message-security-assist
jz .Lret
@@ -102,6 +107,13 @@ OPENSSL_s390x_functions:
la %r1,S390X_KMAC(%r4)
.long 0xb91e0042 # kmac %r4,%r2
+ tmhh %r3,0x0003 # check for message-security-assist-3
+ jz .Lret
+
+ lghi %r0,S390X_QUERY # query pcc capability vector
+ la %r1,S390X_PCC(%r4)
+ .long 0xb92c0000 # pcc
+
tmhh %r3,0x0004 # check for message-security-assist-4
jz .Lret
@@ -125,6 +137,7 @@ OPENSSL_s390x_functions:
.long 0xb93c0042 # prno %r4,%r2
lg %r2,S390X_STFLE+16(%r4)
+
tmhl %r2,0x2000 # check for message-security-assist-8
jz .Lret
@@ -132,6 +145,13 @@ OPENSSL_s390x_functions:
la %r1,S390X_KMA(%r4)
.long 0xb9294022 # kma %r2,%r4,%r2
+ tmhl %r2,0x0010 # check for message-security-assist-9
+ jz .Lret
+
+ lghi %r0,S390X_QUERY # query kdsa capability vector
+ la %r1,S390X_KDSA(%r4)
+ .long 0xb93a0002 # kdsa %r0,%r2
+
.Lret:
br $ra
.size OPENSSL_s390x_functions,.-OPENSSL_s390x_functions
@@ -422,6 +442,57 @@ s390x_kma:
___
}
+################
+# void s390x_pcc(unsigned int fc, void *param)
+{
+my ($fc,$param) = map("%r$_",(2..3));
+$code.=<<___;
+.globl s390x_pcc
+.type s390x_pcc,\@function
+.align 16
+s390x_pcc:
+ lr %r0,$fc
+ l${g}r %r1,$param
+ lhi %r2,0
+
+ .long 0xb92c0000 # pcc
+ brc 1,.-4 # pay attention to "partial completion"
+ brc 7,.Lpcc_err # if CC==0 return 0, else return 1
+.Lpcc_out:
+ br $ra
+.Lpcc_err:
+ lhi %r2,1
+ j .Lpcc_out
+.size s390x_pcc,.-s390x_pcc
+___
+}
+
+################
+# void s390x_kdsa(unsigned int fc, void *param,
+# const unsigned char *in, size_t len)
+{
+my ($fc,$param,$in,$len) = map("%r$_",(2..5));
+$code.=<<___;
+.globl s390x_kdsa
+.type s390x_kdsa,\@function
+.align 16
+s390x_kdsa:
+ lr %r0,$fc
+ l${g}r %r1,$param
+ lhi %r2,0
+
+ .long 0xb93a0004 # kdsa %r0,$in
+ brc 1,.-4 # pay attention to "partial completion"
+ brc 7,.Lkdsa_err # if CC==0 return 0, else return 1
+.Lkdsa_out:
+ br $ra
+.Lkdsa_err:
+ lhi %r2,1
+ j .Lkdsa_out
+.size s390x_kdsa,.-s390x_kdsa
+___
+}
+
$code.=<<___;
.section .init
brasl $ra,OPENSSL_cpuid_setup
View Git Blame Copy Permalink