Hello community,
here is the log from the commit of package openssl-1_1 for openSUSE:Factory
checked in at 2020-02-03 11:10:35
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssl-1_1 (Old)
and /work/SRC/openSUSE:Factory/.openssl-1_1.new.26092 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssl-1_1"
Mon Feb 3 11:10:35 2020 rev:12 rq:768078 version:1.1.1d
Changes:
--------
--- /work/SRC/openSUSE:Factory/openssl-1_1/openssl-1_1.changes 2020-01-10
18:40:29.795493348 +0100
+++ /work/SRC/openSUSE:Factory/.openssl-1_1.new.26092/openssl-1_1.changes
2020-02-03 11:10:36.765762884 +0100
@@ -1,0 +2,64 @@
+Tue Jan 28 12:14:59 UTC 2020 - Pedro Monreal Gonzalez
<pmonrealgonza...@suse.com>
+
+- Support for CPACF enhancements - part 2 (crypto) [jsc#SLE-7575]
+- Add patches:
+ * openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch
+ * openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch
+
+-------------------------------------------------------------------
+Thu Jan 23 14:32:28 UTC 2020 - Vítězslav Čížek <vci...@suse.com>
+
+- Temporarily ignore broken OPENSSL_INIT_NO_ATEXIT due to our
+ layered FIPS initialization (bsc#1161789)
+ * openssl-fips-ignore_broken_atexit_test.patch
+
+-------------------------------------------------------------------
+Wed Jan 22 13:59:15 UTC 2020 - Vítězslav Čížek <vci...@suse.com>
+
+- Import FIPS patches from SLE-15
+ * openssl-fips-dont_run_FIPS_module_installed.patch
+ * openssl-fips_mode.patch
+ * openssl-ship_fips_standalone_hmac.patch
+ * openssl-fips-clearerror.patch
+ * openssl-fips-selftests_in_nonfips_mode.patch
+
+-------------------------------------------------------------------
+Tue Jan 21 16:08:21 UTC 2020 - Vítězslav Čížek <vci...@suse.com>
+
+- Don't run FIPS power-up self-tests when the checksum files aren't
+ installed (bsc#1042392)
+ * add openssl-fips-run_selftests_only_when_module_is_complete.patch
+
+-------------------------------------------------------------------
+Tue Jan 21 11:10:42 UTC 2020 - Vítězslav Čížek <vci...@suse.com>
+
+- Import FIPS patches from Fedora (bsc#1157702, jsc#SLE-9553)
+ * openssl-1.1.1-fips-crng-test.patch
+ * openssl-1.1.1-fips-post-rand.patch
+ * openssl-1.1.1-fips.patch
+ * openssl-1.1.0-issuer-hash.patch
+ * openssl-1.1.1-evp-kdf.patch
+ * openssl-1.1.1-ssh-kdf.patch replaces
openssl-jsc-SLE-8789-backport_KDF.patch
+- keep EVP_KDF functions at version 1.1.1d for backward compatibility
+ * add openssl-keep_EVP_KDF_functions_version.patch
+
+-------------------------------------------------------------------
+Fri Dec 20 13:44:06 UTC 2019 - Pedro Monreal Gonzalez
<pmonrealgonza...@suse.com>
+
+- Support for CPACF enhancements - part 1 (crypto) [bsc#1152695, jsc#SLE-7861]
+- Add patches:
+ * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch
+ * openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch
+ * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch
+ * openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch
+ * openssl-s390xcpuid.pl-fix-comment.patch
+ * openssl-assembly-pack-accelerate-scalar-multiplication.patch
+ * openssl-Enable-curve-spefific-ECDSA-implementations-via-EC_M.patch
+ * openssl-s390x-assembly-pack-accelerate-ECDSA.patch
+ * openssl-OPENSSL_s390xcap.pod-list-msa9-facility-bit-155.patch
+ * openssl-s390x-assembly-pack-cleanse-only-sensitive-fields.patch
+ * openssl-s390x-assembly-pack-fix-OPENSSL_s390xcap-z15-cpu-mas.patch
+ * openssl-s390x-assembly-pack-fix-msa3-stfle-bit-detection.patch
+ * openssl-Fix-9bf682f-which-broke-nistp224_method.patch
+
+-------------------------------------------------------------------
Old:
----
openssl-jsc-SLE-8789-backport_KDF.patch
New:
----
openssl-1.1.0-issuer-hash.patch
openssl-1.1.1-evp-kdf.patch
openssl-1.1.1-fips-crng-test.patch
openssl-1.1.1-fips-post-rand.patch
openssl-1.1.1-fips.patch
openssl-1.1.1-ssh-kdf.patch
openssl-Enable-curve-spefific-ECDSA-implementations-via-EC_M.patch
openssl-Fix-9bf682f-which-broke-nistp224_method.patch
openssl-OPENSSL_s390xcap.pod-list-msa9-facility-bit-155.patch
openssl-assembly-pack-accelerate-scalar-multiplication.patch
openssl-fips-clearerror.patch
openssl-fips-dont_run_FIPS_module_installed.patch
openssl-fips-ignore_broken_atexit_test.patch
openssl-fips-run_selftests_only_when_module_is_complete.patch
openssl-fips-selftests_in_nonfips_mode.patch
openssl-fips_mode.patch
openssl-keep_EVP_KDF_functions_version.patch
openssl-s390x-assembly-pack-accelerate-ECDSA.patch
openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch
openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch
openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch
openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch
openssl-s390x-assembly-pack-cleanse-only-sensitive-fields.patch
openssl-s390x-assembly-pack-fix-OPENSSL_s390xcap-z15-cpu-mas.patch
openssl-s390x-assembly-pack-fix-msa3-stfle-bit-detection.patch
openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch
openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch
openssl-s390xcpuid.pl-fix-comment.patch
openssl-ship_fips_standalone_hmac.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openssl-1_1.spec ++++++
--- /var/tmp/diff_new_pack.K3DPf4/_old 2020-02-03 11:10:39.369764200 +0100
+++ /var/tmp/diff_new_pack.K3DPf4/_new 2020-02-03 11:10:39.373764202 +0100
@@ -50,10 +50,41 @@
Patch11: 0004-s390x-assembly-pack-fix-formal-interface-bug-in-chac.patch
Patch12: 0005-s390x-assembly-pack-import-chacha-from-cryptogams-re.patch
Patch13: 0006-s390x-assembly-pack-import-poly-from-cryptogams-repo.patch
-Patch14: openssl-jsc-SLE-8789-backport_KDF.patch
# OpenSSL Security Advisory [6 December 2019] bsc#1158809 CVE-2019-1551
# PATCH-FIX-UPSTREAM Integer overflow in RSAZ modular exponentiation on x86_64
Patch15: openssl-1_1-CVE-2019-1551.patch
+# PATCH-FIX-UPSTREAM bsc#1152695 jsc#SLE-7861 Support for CPACF enhancements -
part 1 (crypto)
+Patch16:
openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch
+Patch17:
openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch
+Patch18: openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch
+Patch19: openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch
+Patch20: openssl-s390xcpuid.pl-fix-comment.patch
+Patch21: openssl-assembly-pack-accelerate-scalar-multiplication.patch
+Patch22:
openssl-Enable-curve-spefific-ECDSA-implementations-via-EC_M.patch
+Patch23: openssl-s390x-assembly-pack-accelerate-ECDSA.patch
+Patch24: openssl-OPENSSL_s390xcap.pod-list-msa9-facility-bit-155.patch
+Patch25: openssl-s390x-assembly-pack-cleanse-only-sensitive-fields.patch
+Patch26:
openssl-s390x-assembly-pack-fix-OPENSSL_s390xcap-z15-cpu-mas.patch
+Patch27: openssl-s390x-assembly-pack-fix-msa3-stfle-bit-detection.patch
+Patch28: openssl-Fix-9bf682f-which-broke-nistp224_method.patch
+# FIPS patches
+Patch30: openssl-1.1.1-fips.patch
+Patch31: openssl-1.1.1-fips-post-rand.patch
+Patch32: openssl-1.1.1-fips-crng-test.patch
+Patch33: openssl-1.1.0-issuer-hash.patch
+Patch34: openssl-fips-run_selftests_only_when_module_is_complete.patch
+Patch35: openssl-ship_fips_standalone_hmac.patch
+Patch36: openssl-fips_mode.patch
+Patch37: openssl-1.1.1-evp-kdf.patch
+Patch38: openssl-1.1.1-ssh-kdf.patch
+Patch39: openssl-fips-dont_run_FIPS_module_installed.patch
+Patch40: openssl-fips-selftests_in_nonfips_mode.patch
+Patch41: openssl-fips-clearerror.patch
+Patch42: openssl-fips-ignore_broken_atexit_test.patch
+Patch43: openssl-keep_EVP_KDF_functions_version.patch
+# PATCH-FIX-UPSTREAM jsc#SLE-7575 Support for CPACF enhancements - part 2
(crypto)
+Patch44:
openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch
+Patch45:
openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch
BuildRequires: pkgconfig
Conflicts: ssl
Provides: ssl
@@ -71,8 +102,11 @@
%package -n libopenssl1_1
Summary: Secure Sockets and Transport Layer Security
+License: OpenSSL
Group: Productivity/Networking/Security
Recommends: ca-certificates-mozilla
+# install libopenssl and libopenssl-hmac close together (bsc#1090765)
+Suggests: libopenssl1_1-hmac = %{version}-%{release}
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
Obsoletes: libopenssl1_1_0
@@ -84,6 +118,7 @@
%package -n libopenssl-1_1-devel
Summary: Development files for OpenSSL
+License: OpenSSL
Group: Development/Libraries/C and C++
Requires: libopenssl1_1 = %{version}
Recommends: %{name} = %{version}
@@ -101,8 +136,23 @@
This subpackage contains header files for developing applications
that want to make use of the OpenSSL C API.
+%package -n libopenssl1_1-hmac
+Summary: HMAC files for FIPS-140-2 integrity checking of the openssl
shared libraries
+License: BSD-3-Clause
+Group: Productivity/Networking/Security
+Requires: libopenssl1_1 = %{version}-%{release}
+# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
+Obsoletes: libopenssl1_1_0-hmac
+# Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499
+Obsoletes: libopenssl-1_0_0-hmac
+
+%description -n libopenssl1_1-hmac
+The FIPS compliant operation of the openssl shared libraries is NOT
+possible without the HMAC hashes contained in this package!
+
%package doc
Summary: Additional Package Documentation
+License: OpenSSL
Group: Productivity/Networking/Security
Conflicts: openssl-doc
Provides: openssl-doc = %{version}
@@ -175,7 +225,6 @@
# avoid file conflicts with man pages from other packages
#
-set +x
pushd %{buildroot}/%{_mandir}
# some man pages now contain spaces. This makes several scripts go havoc,
among them /usr/sbin/Check.
# replace spaces by underscores
@@ -199,7 +248,6 @@
esac
done
popd
-set -x
# Do not install demo scripts executable under /usr/share/doc
find demos -type f -perm /111 -exec chmod 644 {} \;
@@ -207,6 +255,29 @@
# Place showciphers.c for %%doc macro
cp %{SOURCE5} .
+# the hmac hashes:
+#
+# this is a hack that re-defines the __os_install_post macro
+# for a simple reason: the macro strips the binaries and thereby
+# invalidates a HMAC that may have been created earlier.
+# solution: create the hashes _after_ the macro runs.
+#
+# this shows up earlier because otherwise the %expand of
+# the macro is too late.
+# remark: This is the same as running
+# openssl dgst -sha256 -hmac 'ppaksykemnsecgtsttplmamstKMEs'
+%{expand:%%global __os_install_post {%__os_install_post
+
+%{buildroot}%{_bindir}/fips_standalone_hmac \
+ %{buildroot}%{_libdir}/libssl.so.%{maj_min} > \
+ %{buildroot}%{_libdir}/.libssl.so.%{maj_min}.hmac
+
+%{buildroot}%{_bindir}/fips_standalone_hmac \
+ %{buildroot}%{_libdir}/libcrypto.so.%{maj_min} > \
+ %{buildroot}%{_libdir}/.libcrypto.so.%{maj_min}.hmac
+
+}}
+
%post -n libopenssl1_1 -p /sbin/ldconfig
%postun -n libopenssl1_1 -p /sbin/ldconfig
@@ -216,6 +287,10 @@
%{_libdir}/libcrypto.so.%{maj_min}
%{_libdir}/engines-%{maj_min}
+%files -n libopenssl1_1-hmac
+%{_libdir}/.libssl.so.%{maj_min}.hmac
+%{_libdir}/.libcrypto.so.%{maj_min}.hmac
+
%files -n libopenssl-1_1-devel
%{_includedir}/%{_rname}/
%{_includedir}/ssl
@@ -240,6 +315,7 @@
%dir %{_datadir}/ssl
%{_datadir}/ssl/misc
%{_bindir}/c_rehash
+%{_bindir}/fips_standalone_hmac
%{_bindir}/%{_rname}
%changelog
++++++ openssl-1.1.0-issuer-hash.patch ++++++
Index: openssl-1.1.1d/crypto/x509/x509_cmp.c
===================================================================
--- openssl-1.1.1d.orig/crypto/x509/x509_cmp.c 2019-09-10 15:13:07.000000000
+0200
+++ openssl-1.1.1d/crypto/x509/x509_cmp.c 2020-01-23 13:45:11.404634047
+0100
@@ -38,6 +38,7 @@ unsigned long X509_issuer_and_serial_has
if (ctx == NULL)
goto err;
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
f = X509_NAME_oneline(a->cert_info.issuer, NULL, 0);
if (!EVP_DigestInit_ex(ctx, EVP_md5(), NULL))
goto err;
++++++ openssl-1.1.1-evp-kdf.patch ++++++
++++ 5279 lines (skipped)
++++++ openssl-1.1.1-fips-crng-test.patch ++++++
Index: openssl-1.1.1d/crypto/include/internal/rand_int.h
===================================================================
--- openssl-1.1.1d.orig/crypto/include/internal/rand_int.h 2020-01-23
13:45:11.368633835 +0100
+++ openssl-1.1.1d/crypto/include/internal/rand_int.h 2020-01-23
13:45:11.384633930 +0100
@@ -49,6 +49,14 @@ size_t rand_drbg_get_additional_data(RAN
void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out);
+/* CRNG test entropy filter callbacks. */
+size_t rand_crngt_get_entropy(RAND_DRBG *drbg,
+ unsigned char **pout,
+ int entropy, size_t min_len, size_t max_len,
+ int prediction_resistance);
+void rand_crngt_cleanup_entropy(RAND_DRBG *drbg,
+ unsigned char *out, size_t outlen);
+
/*
* RAND_POOL functions
*/
Index: openssl-1.1.1d/crypto/rand/build.info
===================================================================
--- openssl-1.1.1d.orig/crypto/rand/build.info 2019-09-10 15:13:07.000000000
+0200
+++ openssl-1.1.1d/crypto/rand/build.info 2020-01-23 13:45:11.384633930
+0100
@@ -1,4 +1,4 @@
LIBS=../../libcrypto
SOURCE[../../libcrypto]=\
- randfile.c rand_lib.c rand_err.c rand_egd.c \
+ randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \
rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c
Index: openssl-1.1.1d/crypto/rand/drbg_lib.c
===================================================================
--- openssl-1.1.1d.orig/crypto/rand/drbg_lib.c 2020-01-23 13:45:11.368633835
+0100
+++ openssl-1.1.1d/crypto/rand/drbg_lib.c 2020-01-23 13:45:11.384633930
+0100
@@ -67,7 +67,7 @@ static CRYPTO_THREAD_LOCAL private_drbg;
/* NIST SP 800-90A DRBG recommends the use of a personalization string. */
-static const char ossl_pers_string[] = "OpenSSL NIST SP 800-90A DRBG";
+static const char ossl_pers_string[] = DRBG_DEFAULT_PERS_STRING;
static CRYPTO_ONCE rand_drbg_init = CRYPTO_ONCE_STATIC_INIT;
@@ -201,8 +201,13 @@ static RAND_DRBG *rand_drbg_new(int secu
drbg->parent = parent;
if (parent == NULL) {
+#ifdef OPENSSL_FIPS
+ drbg->get_entropy = rand_crngt_get_entropy;
+ drbg->cleanup_entropy = rand_crngt_cleanup_entropy;
+#else
drbg->get_entropy = rand_drbg_get_entropy;
drbg->cleanup_entropy = rand_drbg_cleanup_entropy;
+#endif
#ifndef RAND_DRBG_GET_RANDOM_NONCE
drbg->get_nonce = rand_drbg_get_nonce;
drbg->cleanup_nonce = rand_drbg_cleanup_nonce;
Index: openssl-1.1.1d/crypto/rand/rand_crng_test.c
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.1.1d/crypto/rand/rand_crng_test.c 2020-01-23 13:45:11.384633930
+0100
@@ -0,0 +1,118 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * Implementation of the FIPS 140-2 section 4.9.2 Conditional Tests.
+ */
+
+#include <string.h>
+#include <openssl/evp.h>
+#include "internal/rand_int.h"
+#include "internal/thread_once.h"
+#include "rand_lcl.h"
+
+static RAND_POOL *crngt_pool;
+static unsigned char crngt_prev[EVP_MAX_MD_SIZE];
+
+int (*crngt_get_entropy)(unsigned char *, unsigned char *, unsigned int *)
+ = &rand_crngt_get_entropy_cb;
+
+int rand_crngt_get_entropy_cb(unsigned char *buf, unsigned char *md,
+ unsigned int *md_size)
+{
+ int r;
+ size_t n;
+ unsigned char *p;
+
+ n = rand_pool_acquire_entropy(crngt_pool);
+ if (n >= CRNGT_BUFSIZ) {
+ p = rand_pool_detach(crngt_pool);
+ r = EVP_Digest(p, CRNGT_BUFSIZ, md, md_size, EVP_sha256(), NULL);
+ if (r != 0)
+ memcpy(buf, p, CRNGT_BUFSIZ);
+ rand_pool_reattach(crngt_pool, p);
+ return r;
+ }
+ return 0;
+}
+
+void rand_crngt_cleanup(void)
+{
+ rand_pool_free(crngt_pool);
+ crngt_pool = NULL;
+}
+
+int rand_crngt_init(void)
+{
+ unsigned char buf[CRNGT_BUFSIZ];
+
+ if ((crngt_pool = rand_pool_new(0, 1, CRNGT_BUFSIZ, CRNGT_BUFSIZ)) == NULL)
+ return 0;
+ if (crngt_get_entropy(buf, crngt_prev, NULL)) {
+ OPENSSL_cleanse(buf, sizeof(buf));
+ return 1;
+ }
+ rand_crngt_cleanup();
+ return 0;
+}
+
+static CRYPTO_ONCE rand_crngt_init_flag = CRYPTO_ONCE_STATIC_INIT;
+DEFINE_RUN_ONCE_STATIC(do_rand_crngt_init)
+{
+ return OPENSSL_init_crypto(0, NULL)
+ && rand_crngt_init()
+ && OPENSSL_atexit(&rand_crngt_cleanup);
+}
+
+int rand_crngt_single_init(void)
+{
+ return RUN_ONCE(&rand_crngt_init_flag, do_rand_crngt_init);
+}
+
+size_t rand_crngt_get_entropy(RAND_DRBG *drbg,
+ unsigned char **pout,
+ int entropy, size_t min_len, size_t max_len,
+ int prediction_resistance)
+{
+ unsigned char buf[CRNGT_BUFSIZ], md[EVP_MAX_MD_SIZE];
+ unsigned int sz;
+ RAND_POOL *pool;
+ size_t q, r = 0, s, t = 0;
+ int attempts = 3;
+
+ if (!RUN_ONCE(&rand_crngt_init_flag, do_rand_crngt_init))
+ return 0;
+
+ if ((pool = rand_pool_new(entropy, 1, min_len, max_len)) == NULL)
+ return 0;
+
+ while ((q = rand_pool_bytes_needed(pool, 1)) > 0 && attempts-- > 0) {
+ s = q > sizeof(buf) ? sizeof(buf) : q;
+ if (!crngt_get_entropy(buf, md, &sz)
+ || memcmp(crngt_prev, md, sz) == 0
+ || !rand_pool_add(pool, buf, s, s * 8))
+ goto err;
+ memcpy(crngt_prev, md, sz);
+ t += s;
+ attempts++;
+ }
+ r = t;
+ *pout = rand_pool_detach(pool);
+err:
+ OPENSSL_cleanse(buf, sizeof(buf));
+ rand_pool_free(pool);
+ return r;
+}
+
+void rand_crngt_cleanup_entropy(RAND_DRBG *drbg,
+ unsigned char *out, size_t outlen)
+{
+ OPENSSL_secure_clear_free(out, outlen);
+}
Index: openssl-1.1.1d/crypto/rand/rand_lcl.h
===================================================================
--- openssl-1.1.1d.orig/crypto/rand/rand_lcl.h 2019-09-10 15:13:07.000000000
+0200
+++ openssl-1.1.1d/crypto/rand/rand_lcl.h 2020-01-23 13:45:11.384633930
+0100
@@ -33,7 +33,15 @@
# define MASTER_RESEED_TIME_INTERVAL (60*60) /* 1 hour */
# define SLAVE_RESEED_TIME_INTERVAL (7*60) /* 7 minutes */
-
+/*
+ * The number of bytes that constitutes an atomic lump of entropy with respect
+ * to the FIPS 140-2 section 4.9.2 Conditional Tests. The size is somewhat
+ * arbitrary, the smaller the value, the less entropy is consumed on first
+ * read but the higher the probability of the test failing by accident.
+ *
+ * The value is in bytes.
+ */
+#define CRNGT_BUFSIZ 16
/*
* Maximum input size for the DRBG (entropy, nonce, personalization string)
@@ -44,6 +52,8 @@
*/
# define DRBG_MAX_LENGTH INT32_MAX
+/* The default nonce */
+# define DRBG_DEFAULT_PERS_STRING "OpenSSL NIST SP 800-90A DRBG"
/*
* Maximum allocation size for RANDOM_POOL buffers
@@ -296,4 +306,22 @@ int rand_drbg_enable_locking(RAND_DRBG *
/* initializes the AES-CTR DRBG implementation */
int drbg_ctr_init(RAND_DRBG *drbg);
+/*
+ * Entropy call back for the FIPS 140-2 section 4.9.2 Conditional Tests.
+ * These need to be exposed for the unit tests.
+ */
+int rand_crngt_get_entropy_cb(unsigned char *buf, unsigned char *md,
+ unsigned int *md_size);
+extern int (*crngt_get_entropy)(unsigned char *buf, unsigned char *md,
+ unsigned int *md_size);
+int rand_crngt_init(void);
+void rand_crngt_cleanup(void);
+
+/*
+ * Expose the run once initialisation function for the unit tests because.
+ * they need to restart from scratch to validate the first block is skipped
+ * properly.
+ */
+int rand_crngt_single_init(void);
+
#endif
Index: openssl-1.1.1d/test/drbgtest.c
===================================================================
--- openssl-1.1.1d.orig/test/drbgtest.c 2019-09-10 15:13:07.000000000 +0200
+++ openssl-1.1.1d/test/drbgtest.c 2020-01-23 13:45:11.384633930 +0100
@@ -150,6 +150,31 @@ static size_t kat_nonce(RAND_DRBG *drbg,
return t->noncelen;
}
+ /*
+ * Disable CRNG testing if it is enabled.
+ * If the DRBG is ready or in an error state, this means an instantiate cycle
+ * for which the default personalisation string is used.
+ */
+static int disable_crngt(RAND_DRBG *drbg)
+{
+ static const char pers[] = DRBG_DEFAULT_PERS_STRING;
+ const int instantiate = drbg->state != DRBG_UNINITIALISED;
+
+ if (drbg->get_entropy != rand_crngt_get_entropy)
+ return 1;
+
+ if ((instantiate && !RAND_DRBG_uninstantiate(drbg))
+ || !TEST_true(RAND_DRBG_set_callbacks(drbg, &rand_drbg_get_entropy,
+ &rand_drbg_cleanup_entropy,
+ &rand_drbg_get_nonce,
+ &rand_drbg_cleanup_nonce))
+ || (instantiate
+ && !RAND_DRBG_instantiate(drbg, (const unsigned char *)pers,
+ sizeof(pers) - 1)))
+ return 0;
+ return 1;
+}
+
static int uninstantiate(RAND_DRBG *drbg)
{
int ret = drbg == NULL ? 1 : RAND_DRBG_uninstantiate(drbg);
@@ -175,7 +200,8 @@ static int single_kat(DRBG_SELFTEST_DATA
if (!TEST_ptr(drbg = RAND_DRBG_new(td->nid, td->flags, NULL)))
return 0;
if (!TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
- kat_nonce, NULL))) {
+ kat_nonce, NULL))
+ || !TEST_true(disable_crngt(drbg))) {
failures++;
goto err;
}
@@ -293,7 +319,8 @@ static int error_check(DRBG_SELFTEST_DAT
unsigned int reseed_counter_tmp;
int ret = 0;
- if (!TEST_ptr(drbg = RAND_DRBG_new(0, 0, NULL)))
+ if (!TEST_ptr(drbg = RAND_DRBG_new(0, 0, NULL))
+ || !TEST_true(disable_crngt(drbg)))
goto err;
/*
@@ -740,6 +767,10 @@ static int test_rand_drbg_reseed(void)
|| !TEST_ptr_eq(private->parent, master))
return 0;
+ /* Disable CRNG testing for the master DRBG */
+ if (!TEST_true(disable_crngt(master)))
+ return 0;
+
/* uninstantiate the three global DRBGs */
RAND_DRBG_uninstantiate(private);
RAND_DRBG_uninstantiate(public);
@@ -964,7 +995,8 @@ static int test_rand_seed(void)
size_t rand_buflen;
size_t required_seed_buflen = 0;
- if (!TEST_ptr(master = RAND_DRBG_get0_master()))
+ if (!TEST_ptr(master = RAND_DRBG_get0_master())
+ || !TEST_true(disable_crngt(master)))
return 0;
#ifdef OPENSSL_RAND_SEED_NONE
@@ -1013,6 +1045,95 @@ static int test_rand_add(void)
return 1;
}
+/*
+ * A list of the FIPS DRGB types.
+ */
+static const struct s_drgb_types {
+ int nid;
+ int flags;
+} drgb_types[] = {
+ { NID_aes_128_ctr, 0 },
+ { NID_aes_192_ctr, 0 },
+ { NID_aes_256_ctr, 0 },
+};
+
+/* Six cases for each covers seed sizes up to 32 bytes */
+static const size_t crngt_num_cases = 6;
+
+static size_t crngt_case, crngt_idx;
+
+static int crngt_entropy_cb(unsigned char *buf, unsigned char *md,
+ unsigned int *md_size)
+{
+ size_t i, z;
+
+ if (!TEST_int_lt(crngt_idx, crngt_num_cases))
+ return 0;
+ /* Generate a block of unique data unless this is the duplication point */
+ z = crngt_idx++;
+ if (z > 0 && crngt_case == z)
+ z--;
+ for (i = 0; i < CRNGT_BUFSIZ; i++)
+ buf[i] = (unsigned char)(i + 'A' + z);
+ return EVP_Digest(buf, CRNGT_BUFSIZ, md, md_size, EVP_sha256(), NULL);
+}
+
+static int test_crngt(int n)
+{
+ const struct s_drgb_types *dt = drgb_types + n / crngt_num_cases;
+ RAND_DRBG *drbg = NULL;
+ unsigned char buff[100];
+ size_t ent;
+ int res = 0;
+ int expect;
+
+ if (!TEST_true(rand_crngt_single_init()))
+ return 0;
+ rand_crngt_cleanup();
+
+ if (!TEST_ptr(drbg = RAND_DRBG_new(dt->nid, dt->flags, NULL)))
+ return 0;
+ ent = (drbg->min_entropylen + CRNGT_BUFSIZ - 1) / CRNGT_BUFSIZ;
+ crngt_case = n % crngt_num_cases;
+ crngt_idx = 0;
+ crngt_get_entropy = &crngt_entropy_cb;
+ if (!TEST_true(rand_crngt_init()))
+ goto err;
+#ifndef OPENSSL_FIPS
+ if (!TEST_true(RAND_DRBG_set_callbacks(drbg, &rand_crngt_get_entropy,
+ &rand_crngt_cleanup_entropy,
+ &rand_drbg_get_nonce,
+ &rand_drbg_cleanup_nonce)))
+ goto err;
+#endif
+ expect = crngt_case == 0 || crngt_case > ent;
+ if (!TEST_int_eq(RAND_DRBG_instantiate(drbg, NULL, 0), expect))
+ goto err;
+ if (!expect)
+ goto fin;
+ if (!TEST_true(RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0)))
+ goto err;
+
+ expect = crngt_case == 0 || crngt_case > 2 * ent;
+ if (!TEST_int_eq(RAND_DRBG_reseed(drbg, NULL, 0, 0), expect))
+ goto err;
+ if (!expect)
+ goto fin;
+ if (!TEST_true(RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0)))
+ goto err;
+
+fin:
+ res = 1;
+err:
+ if (!res)
+ TEST_note("DRBG %zd case %zd block %zd", n / crngt_num_cases,
+ crngt_case, crngt_idx);
+ uninstantiate(drbg);
+ RAND_DRBG_free(drbg);
+ crngt_get_entropy = &rand_crngt_get_entropy_cb;
+ return res;
+}
+
int setup_tests(void)
{
app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL);
@@ -1025,5 +1146,6 @@ int setup_tests(void)
#if defined(OPENSSL_THREADS)
ADD_TEST(test_multi_thread);
#endif
+ ADD_ALL_TESTS(test_crngt, crngt_num_cases * OSSL_NELEM(drgb_types));
return 1;
}
++++++ openssl-1.1.1-fips-post-rand.patch ++++++
Index: openssl-1.1.1d/crypto/fips/fips.c
===================================================================
--- openssl-1.1.1d.orig/crypto/fips/fips.c 2020-01-23 13:45:11.232633025
+0100
+++ openssl-1.1.1d/crypto/fips/fips.c 2020-01-23 13:45:48.216852822 +0100
@@ -68,6 +68,7 @@
# include <openssl/fips.h>
# include "internal/thread_once.h"
+# include "internal/rand_int.h"
# ifndef PATH_MAX
# define PATH_MAX 1024
@@ -76,6 +77,7 @@
static int fips_selftest_fail = 0;
static int fips_mode = 0;
static int fips_started = 0;
+static int fips_post = 0;
static int fips_is_owning_thread(void);
static int fips_set_owning_thread(void);
@@ -158,6 +160,11 @@ void fips_set_selftest_fail(void)
fips_selftest_fail = 1;
}
+int fips_in_post(void)
+{
+ return fips_post;
+}
+
/* we implement what libfipscheck does ourselves */
static int
@@ -445,6 +452,8 @@ int FIPS_module_mode_set(int onoff)
}
# endif
+ fips_post = 1;
+
if (!FIPS_selftest()) {
fips_selftest_fail = 1;
ret = 0;
@@ -459,7 +468,12 @@ int FIPS_module_mode_set(int onoff)
goto end;
}
+ fips_post = 0;
+
fips_set_mode(onoff);
+ /* force RNG reseed with entropy from getrandom() on next call */
+ rand_force_reseed();
+
ret = 1;
goto end;
}
Index: openssl-1.1.1d/crypto/include/internal/fips_int.h
===================================================================
--- openssl-1.1.1d.orig/crypto/include/internal/fips_int.h 2020-01-23
13:45:11.336633643 +0100
+++ openssl-1.1.1d/crypto/include/internal/fips_int.h 2020-01-23
13:45:11.368633835 +0100
@@ -77,6 +77,8 @@ int FIPS_selftest_hmac(void);
int FIPS_selftest_drbg(void);
int FIPS_selftest_cmac(void);
+int fips_in_post(void);
+
int fips_pkey_signature_test(EVP_PKEY *pkey,
const unsigned char *tbs, int tbslen,
const unsigned char *kat,
Index: openssl-1.1.1d/crypto/include/internal/rand_int.h
===================================================================
--- openssl-1.1.1d.orig/crypto/include/internal/rand_int.h 2019-09-10
15:13:07.000000000 +0200
+++ openssl-1.1.1d/crypto/include/internal/rand_int.h 2020-01-23
13:45:53.964886989 +0100
@@ -24,6 +24,7 @@
typedef struct rand_pool_st RAND_POOL;
void rand_cleanup_int(void);
+void rand_force_reseed(void);
void rand_drbg_cleanup_int(void);
void drbg_delete_thread_state(void);
Index: openssl-1.1.1d/crypto/rand/drbg_lib.c
===================================================================
--- openssl-1.1.1d.orig/crypto/rand/drbg_lib.c 2019-09-10 15:13:07.000000000
+0200
+++ openssl-1.1.1d/crypto/rand/drbg_lib.c 2020-01-23 13:45:53.964886989
+0100
@@ -1009,6 +1009,20 @@ size_t rand_drbg_seedlen(RAND_DRBG *drbg
return min_entropy > min_entropylen ? min_entropy : min_entropylen;
}
+void rand_force_reseed(void)
+{
+ RAND_DRBG *drbg;
+
+ drbg = RAND_DRBG_get0_master();
+ drbg->fork_id = 0;
+
+ drbg = RAND_DRBG_get0_private();
+ drbg->fork_id = 0;
+
+ drbg = RAND_DRBG_get0_public();
+ drbg->fork_id = 0;
+}
+
/* Implements the default OpenSSL RAND_add() method */
static int drbg_add(const void *buf, int num, double randomness)
{
Index: openssl-1.1.1d/crypto/rand/rand_unix.c
===================================================================
--- openssl-1.1.1d.orig/crypto/rand/rand_unix.c 2019-09-10 15:13:07.000000000
+0200
+++ openssl-1.1.1d/crypto/rand/rand_unix.c 2020-01-23 13:45:11.368633835
+0100
@@ -17,10 +17,12 @@
#include <openssl/crypto.h>
#include "rand_lcl.h"
#include "internal/rand_int.h"
+#include "internal/fips_int.h"
#include <stdio.h>
#include "internal/dso.h"
#ifdef __linux
# include <sys/syscall.h>
+# include <sys/random.h>
# ifdef DEVRANDOM_WAIT
# include <sys/shm.h>
# include <sys/utsname.h>
@@ -295,7 +297,7 @@ static ssize_t sysctl_random(char *buf,
* syscall_random(): Try to get random data using a system call
* returns the number of bytes returned in buf, or < 0 on error.
*/
-static ssize_t syscall_random(void *buf, size_t buflen)
+static ssize_t syscall_random(void *buf, size_t buflen, int nonblock)
{
/*
* Note: 'buflen' equals the size of the buffer which is used by the
@@ -317,6 +319,7 @@ static ssize_t syscall_random(void *buf,
* - Linux since 3.17 with glibc 2.25
* - FreeBSD since 12.0 (1200061)
*/
+# if 0
# if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux)
extern int getentropy(void *buffer, size_t length) __attribute__((weak));
@@ -338,10 +341,10 @@ static ssize_t syscall_random(void *buf,
if (p_getentropy.p != NULL)
return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1;
# endif
-
+# endif
/* Linux supports this since version 3.17 */
-# if defined(__linux) && defined(__NR_getrandom)
- return syscall(__NR_getrandom, buf, buflen, 0);
+# if defined(__linux) && defined(SYS_getrandom)
+ return syscall(SYS_getrandom, buf, buflen, nonblock?GRND_NONBLOCK:0);
# elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND)
return sysctl_random(buf, buflen);
# else
@@ -576,6 +579,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
size_t entropy_available;
# if defined(OPENSSL_RAND_SEED_GETRANDOM)
+ int in_post;
+
+ for (in_post = fips_in_post(); in_post >= 0; --in_post) {
{
size_t bytes_needed;
unsigned char *buffer;
@@ -586,7 +592,7 @@ size_t rand_pool_acquire_entropy(RAND_PO
bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
while (bytes_needed != 0 && attempts-- > 0) {
buffer = rand_pool_add_begin(pool, bytes_needed);
- bytes = syscall_random(buffer, bytes_needed);
+ bytes = syscall_random(buffer, bytes_needed, in_post);
if (bytes > 0) {
rand_pool_add_end(pool, bytes, 8 * bytes);
bytes_needed -= bytes;
@@ -621,8 +627,10 @@ size_t rand_pool_acquire_entropy(RAND_PO
int attempts = 3;
const int fd = get_random_device(i);
- if (fd == -1)
+ if (fd == -1) {
+ OPENSSL_showfatal("Random device %s cannot be opened.\n",
random_device_paths[i]);
continue;
+ }
while (bytes_needed != 0 && attempts-- > 0) {
buffer = rand_pool_add_begin(pool, bytes_needed);
@@ -685,7 +693,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
return entropy_available;
}
# endif
-
+# ifdef OPENSSL_RAND_SEED_GETRANDOM
+ }
+# endif
return rand_pool_entropy_available(pool);
# endif
}
++++++ openssl-1.1.1-fips.patch ++++++
++++ 11873 lines (skipped)
++++++ openssl-1.1.1-ssh-kdf.patch ++++++
++++ 5583 lines (skipped)
++++++ openssl-Enable-curve-spefific-ECDSA-implementations-via-EC_M.patch ++++++
>From 9bf682f62bd819d2fbceb95eeabd61dd4532240f Mon Sep 17 00:00:00 2001
From: Patrick Steuer <patrick.ste...@de.ibm.com>
Date: Thu, 11 Jul 2019 10:23:49 +0200
Subject: [PATCH 09205/10000] Enable curve-spefific ECDSA implementations via
EC_METHOD
which are already enabled for ECDH.
Signed-off-by: Patrick Steuer <patrick.ste...@de.ibm.com>
Reviewed-by: Richard Levitte <levi...@openssl.org>
Reviewed-by: Shane Lontis <shane.lon...@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9348)
---
crypto/ec/ec2_smpl.c | 3 +
crypto/ec/ec_lcl.h | 15 +++++
crypto/ec/ecdsa_ossl.c | 107 ++++++++++++++++++++++++------------
crypto/ec/ecp_mont.c | 3 +
crypto/ec/ecp_nist.c | 3 +
crypto/ec/ecp_nistp224.c | 3 +
crypto/ec/ecp_nistp256.c | 3 +
crypto/ec/ecp_nistp521.c | 3 +
crypto/ec/ecp_nistz256.c | 3 +
crypto/ec/ecp_s390x_nistp.c | 3 +
crypto/ec/ecp_smpl.c | 3 +
crypto/err/openssl.txt | 5 ++
include/openssl/ecerr.h | 1 +
13 files changed, 119 insertions(+), 36 deletions(-)
Index: openssl-1.1.1d/crypto/ec/ec2_smpl.c
===================================================================
--- openssl-1.1.1d.orig/crypto/ec/ec2_smpl.c
+++ openssl-1.1.1d/crypto/ec/ec2_smpl.c
@@ -956,6 +956,9 @@ const EC_METHOD *EC_GF2m_simple_method(v
0, /* keycopy */
0, /* keyfinish */
ecdh_simple_compute_key,
+ ecdsa_simple_sign_setup,
+ ecdsa_simple_sign_sig,
+ ecdsa_simple_verify_sig,
0, /* field_inverse_mod_ord */
0, /* blind_coordinates */
ec_GF2m_simple_ladder_pre,
Index: openssl-1.1.1d/crypto/ec/ec_lcl.h
===================================================================
--- openssl-1.1.1d.orig/crypto/ec/ec_lcl.h
+++ openssl-1.1.1d/crypto/ec/ec_lcl.h
@@ -179,6 +179,14 @@ struct ec_method_st {
/* custom ECDH operation */
int (*ecdh_compute_key)(unsigned char **pout, size_t *poutlen,
const EC_POINT *pub_key, const EC_KEY *ecdh);
+ /* custom ECDSA */
+ int (*ecdsa_sign_setup)(EC_KEY *eckey, BN_CTX *ctx, BIGNUM **kinvp,
+ BIGNUM **rp);
+ ECDSA_SIG *(*ecdsa_sign_sig)(const unsigned char *dgst, int dgstlen,
+ const BIGNUM *kinv, const BIGNUM *r,
+ EC_KEY *eckey);
+ int (*ecdsa_verify_sig)(const unsigned char *dgst, int dgstlen,
+ const ECDSA_SIG *sig, EC_KEY *eckey);
/* Inverse modulo order */
int (*field_inverse_mod_ord)(const EC_GROUP *, BIGNUM *r,
const BIGNUM *x, BN_CTX *);
@@ -656,6 +664,13 @@ int ossl_ecdsa_verify(int type, const un
const unsigned char *sigbuf, int sig_len, EC_KEY *eckey);
int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,
const ECDSA_SIG *sig, EC_KEY *eckey);
+int ecdsa_simple_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
+ BIGNUM **rp);
+ECDSA_SIG *ecdsa_simple_sign_sig(const unsigned char *dgst, int dgst_len,
+ const BIGNUM *in_kinv, const BIGNUM *in_r,
+ EC_KEY *eckey);
+int ecdsa_simple_verify_sig(const unsigned char *dgst, int dgst_len,
+ const ECDSA_SIG *sig, EC_KEY *eckey);
int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
const uint8_t public_key[32], const uint8_t private_key[32]);
Index: openssl-1.1.1d/crypto/ec/ecdsa_ossl.c
===================================================================
--- openssl-1.1.1d.orig/crypto/ec/ecdsa_ossl.c
+++ openssl-1.1.1d/crypto/ec/ecdsa_ossl.c
@@ -14,6 +14,41 @@
#include "internal/bn_int.h"
#include "ec_lcl.h"
+int ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
+ BIGNUM **rp)
+{
+ if (eckey->group->meth->ecdsa_sign_setup == NULL) {
+ ECerr(EC_F_OSSL_ECDSA_SIGN_SETUP, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA);
+ return 0;
+ }
+
+ return eckey->group->meth->ecdsa_sign_setup(eckey, ctx_in, kinvp, rp);
+}
+
+ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
+ const BIGNUM *in_kinv, const BIGNUM *in_r,
+ EC_KEY *eckey)
+{
+ if (eckey->group->meth->ecdsa_sign_sig == NULL) {
+ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA);
+ return NULL;
+ }
+
+ return eckey->group->meth->ecdsa_sign_sig(dgst, dgst_len,
+ in_kinv, in_r, eckey);
+}
+
+int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,
+ const ECDSA_SIG *sig, EC_KEY *eckey)
+{
+ if (eckey->group->meth->ecdsa_verify_sig == NULL) {
+ ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA);
+ return 0;
+ }
+
+ return eckey->group->meth->ecdsa_verify_sig(dgst, dgst_len, sig, eckey);
+}
+
int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen,
unsigned char *sig, unsigned int *siglen,
const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey)
@@ -145,15 +180,15 @@ static int ecdsa_sign_setup(EC_KEY *ecke
return ret;
}
-int ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
- BIGNUM **rp)
+int ecdsa_simple_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
+ BIGNUM **rp)
{
return ecdsa_sign_setup(eckey, ctx_in, kinvp, rp, NULL, 0);
}
-ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
- const BIGNUM *in_kinv, const BIGNUM *in_r,
- EC_KEY *eckey)
+ECDSA_SIG *ecdsa_simple_sign_sig(const unsigned char *dgst, int dgst_len,
+ const BIGNUM *in_kinv, const BIGNUM *in_r,
+ EC_KEY *eckey)
{
int ok = 0, i;
BIGNUM *kinv = NULL, *s, *m = NULL;
@@ -167,35 +202,35 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns
priv_key = EC_KEY_get0_private_key(eckey);
if (group == NULL) {
- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_PASSED_NULL_PARAMETER);
+ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_PASSED_NULL_PARAMETER);
return NULL;
}
if (priv_key == NULL) {
- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, EC_R_MISSING_PRIVATE_KEY);
+ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, EC_R_MISSING_PRIVATE_KEY);
return NULL;
}
if (!EC_KEY_can_sign(eckey)) {
- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING);
+ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING);
return NULL;
}
ret = ECDSA_SIG_new();
if (ret == NULL) {
- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE);
+ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_MALLOC_FAILURE);
return NULL;
}
ret->r = BN_new();
ret->s = BN_new();
if (ret->r == NULL || ret->s == NULL) {
- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE);
+ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_MALLOC_FAILURE);
goto err;
}
s = ret->s;
if ((ctx = BN_CTX_new()) == NULL
|| (m = BN_new()) == NULL) {
- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE);
+ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_MALLOC_FAILURE);
goto err;
}
@@ -207,25 +242,25 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns
if (8 * dgst_len > i)
dgst_len = (i + 7) / 8;
if (!BN_bin2bn(dgst, dgst_len, m)) {
- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
+ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_BN_LIB);
goto err;
}
/* If still too long, truncate remaining bits with a shift */
if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) {
- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
+ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_BN_LIB);
goto err;
}
do {
if (in_kinv == NULL || in_r == NULL) {
if (!ecdsa_sign_setup(eckey, ctx, &kinv, &ret->r, dgst, dgst_len))
{
- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_ECDSA_LIB);
+ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_ECDSA_LIB);
goto err;
}
ckinv = kinv;
} else {
ckinv = in_kinv;
if (BN_copy(ret->r, in_r) == NULL) {
- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE);
+ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_MALLOC_FAILURE);
goto err;
}
}
@@ -239,11 +274,11 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns
*/
if (!bn_to_mont_fixed_top(s, ret->r, group->mont_data, ctx)
|| !bn_mul_mont_fixed_top(s, s, priv_key, group->mont_data, ctx)) {
- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
+ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_BN_LIB);
goto err;
}
if (!bn_mod_add_fixed_top(s, s, m, order)) {
- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
+ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_BN_LIB);
goto err;
}
/*
@@ -252,7 +287,7 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns
*/
if (!bn_to_mont_fixed_top(s, s, group->mont_data, ctx)
|| !BN_mod_mul_montgomery(s, s, ckinv, group->mont_data, ctx)) {
- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
+ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_BN_LIB);
goto err;
}
@@ -262,7 +297,7 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns
* generate new kinv and r values
*/
if (in_kinv != NULL && in_r != NULL) {
- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, EC_R_NEED_NEW_SETUP_VALUES);
+ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, EC_R_NEED_NEW_SETUP_VALUES);
goto err;
}
} else {
@@ -314,8 +349,8 @@ int ossl_ecdsa_verify(int type, const un
return ret;
}
-int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,
- const ECDSA_SIG *sig, EC_KEY *eckey)
+int ecdsa_simple_verify_sig(const unsigned char *dgst, int dgst_len,
+ const ECDSA_SIG *sig, EC_KEY *eckey)
{
int ret = -1, i;
BN_CTX *ctx;
@@ -328,18 +363,18 @@ int ossl_ecdsa_verify_sig(const unsigned
/* check input values */
if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL ||
(pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) {
- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, EC_R_MISSING_PARAMETERS);
+ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, EC_R_MISSING_PARAMETERS);
return -1;
}
if (!EC_KEY_can_sign(eckey)) {
- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING);
+ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG,
EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING);
return -1;
}
ctx = BN_CTX_new();
if (ctx == NULL) {
- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_MALLOC_FAILURE);
+ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_MALLOC_FAILURE);
return -1;
}
BN_CTX_start(ctx);
@@ -348,26 +383,26 @@ int ossl_ecdsa_verify_sig(const unsigned
m = BN_CTX_get(ctx);
X = BN_CTX_get(ctx);
if (X == NULL) {
- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB);
+ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB);
goto err;
}
order = EC_GROUP_get0_order(group);
if (order == NULL) {
- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_EC_LIB);
+ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_EC_LIB);
goto err;
}
if (BN_is_zero(sig->r) || BN_is_negative(sig->r) ||
BN_ucmp(sig->r, order) >= 0 || BN_is_zero(sig->s) ||
BN_is_negative(sig->s) || BN_ucmp(sig->s, order) >= 0) {
- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, EC_R_BAD_SIGNATURE);
+ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, EC_R_BAD_SIGNATURE);
ret = 0; /* signature is invalid */
goto err;
}
/* calculate tmp1 = inv(S) mod order */
if (!ec_group_do_inverse_ord(group, u2, sig->s, ctx)) {
- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB);
+ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB);
goto err;
}
/* digest -> m */
@@ -378,41 +413,41 @@ int ossl_ecdsa_verify_sig(const unsigned
if (8 * dgst_len > i)
dgst_len = (i + 7) / 8;
if (!BN_bin2bn(dgst, dgst_len, m)) {
- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB);
+ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB);
goto err;
}
/* If still too long truncate remaining bits with a shift */
if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) {
- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB);
+ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB);
goto err;
}
/* u1 = m * tmp mod order */
if (!BN_mod_mul(u1, m, u2, order, ctx)) {
- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB);
+ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB);
goto err;
}
/* u2 = r * w mod q */
if (!BN_mod_mul(u2, sig->r, u2, order, ctx)) {
- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB);
+ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB);
goto err;
}
if ((point = EC_POINT_new(group)) == NULL) {
- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_MALLOC_FAILURE);
+ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_MALLOC_FAILURE);
goto err;
}
if (!EC_POINT_mul(group, point, u1, pub_key, u2, ctx)) {
- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_EC_LIB);
+ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_EC_LIB);
goto err;
}
if (!EC_POINT_get_affine_coordinates(group, point, X, NULL, ctx)) {
- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_EC_LIB);
+ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_EC_LIB);
goto err;
}
if (!BN_nnmod(u1, X, order, ctx)) {
- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB);
+ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB);
goto err;
}
/* if the signature is correct u1 is equal to sig->r */
Index: openssl-1.1.1d/crypto/ec/ecp_mont.c
===================================================================
--- openssl-1.1.1d.orig/crypto/ec/ecp_mont.c
+++ openssl-1.1.1d/crypto/ec/ecp_mont.c
@@ -63,6 +63,9 @@ const EC_METHOD *EC_GFp_mont_method(void
0, /* keycopy */
0, /* keyfinish */
ecdh_simple_compute_key,
+ ecdsa_simple_sign_setup,
+ ecdsa_simple_sign_sig,
+ ecdsa_simple_verify_sig,
0, /* field_inverse_mod_ord */
ec_GFp_simple_blind_coordinates,
ec_GFp_simple_ladder_pre,
Index: openssl-1.1.1d/crypto/ec/ecp_nist.c
===================================================================
--- openssl-1.1.1d.orig/crypto/ec/ecp_nist.c
+++ openssl-1.1.1d/crypto/ec/ecp_nist.c
@@ -65,6 +65,9 @@ const EC_METHOD *EC_GFp_nist_method(void
0, /* keycopy */
0, /* keyfinish */
ecdh_simple_compute_key,
+ ecdsa_simple_sign_setup,
+ ecdsa_simple_sign_sig,
+ ecdsa_simple_verify_sig,
0, /* field_inverse_mod_ord */
ec_GFp_simple_blind_coordinates,
ec_GFp_simple_ladder_pre,
Index: openssl-1.1.1d/crypto/ec/ecp_nistp224.c
===================================================================
--- openssl-1.1.1d.orig/crypto/ec/ecp_nistp224.c
+++ openssl-1.1.1d/crypto/ec/ecp_nistp224.c
@@ -291,6 +291,9 @@ const EC_METHOD *EC_GFp_nistp224_method(
ec_key_simple_generate_public_key,
0, /* keycopy */
0, /* keyfinish */
+ ecdsa_simple_sign_setup,
+ ecdsa_simple_sign_sig,
+ ecdsa_simple_verify_sig,
ecdh_simple_compute_key,
0, /* field_inverse_mod_ord */
0, /* blind_coordinates */
Index: openssl-1.1.1d/crypto/ec/ecp_nistp256.c
===================================================================
--- openssl-1.1.1d.orig/crypto/ec/ecp_nistp256.c
+++ openssl-1.1.1d/crypto/ec/ecp_nistp256.c
@@ -1809,6 +1809,9 @@ const EC_METHOD *EC_GFp_nistp256_method(
0, /* keycopy */
0, /* keyfinish */
ecdh_simple_compute_key,
+ ecdsa_simple_sign_setup,
+ ecdsa_simple_sign_sig,
+ ecdsa_simple_verify_sig,
0, /* field_inverse_mod_ord */
0, /* blind_coordinates */
0, /* ladder_pre */
Index: openssl-1.1.1d/crypto/ec/ecp_nistp521.c
===================================================================
--- openssl-1.1.1d.orig/crypto/ec/ecp_nistp521.c
+++ openssl-1.1.1d/crypto/ec/ecp_nistp521.c
@@ -1651,6 +1651,9 @@ const EC_METHOD *EC_GFp_nistp521_method(
0, /* keycopy */
0, /* keyfinish */
ecdh_simple_compute_key,
+ ecdsa_simple_sign_setup,
+ ecdsa_simple_sign_sig,
+ ecdsa_simple_verify_sig,
0, /* field_inverse_mod_ord */
0, /* blind_coordinates */
0, /* ladder_pre */
Index: openssl-1.1.1d/crypto/ec/ecp_nistz256.c
===================================================================
--- openssl-1.1.1d.orig/crypto/ec/ecp_nistz256.c
+++ openssl-1.1.1d/crypto/ec/ecp_nistz256.c
@@ -1689,6 +1689,9 @@ const EC_METHOD *EC_GFp_nistz256_method(
0, /* keycopy */
0, /* keyfinish */
ecdh_simple_compute_key,
+ ecdsa_simple_sign_setup,
+ ecdsa_simple_sign_sig,
+ ecdsa_simple_verify_sig,
ecp_nistz256_inv_mod_ord, /* can be #define-d NULL */
0, /* blind_coordinates */
0, /* ladder_pre */
Index: openssl-1.1.1d/crypto/ec/ecp_s390x_nistp.c
===================================================================
--- openssl-1.1.1d.orig/crypto/ec/ecp_s390x_nistp.c
+++ openssl-1.1.1d/crypto/ec/ecp_s390x_nistp.c
@@ -175,6 +175,9 @@ const EC_METHOD *EC_GFp_s390x_nistp##bit
NULL, /* keycopy */ \
NULL, /* keyfinish */ \
ecdh_simple_compute_key, \
+ ecdsa_simple_sign_setup, \
+ ecdsa_simple_sign_sig, \
+ ecdsa_simple_verify_sig, \
NULL, /* field_inverse_mod_ord */ \
ec_GFp_simple_blind_coordinates, \
ec_GFp_simple_ladder_pre, \
Index: openssl-1.1.1d/crypto/ec/ecp_smpl.c
===================================================================
--- openssl-1.1.1d.orig/crypto/ec/ecp_smpl.c
+++ openssl-1.1.1d/crypto/ec/ecp_smpl.c
@@ -64,6 +64,9 @@ const EC_METHOD *EC_GFp_simple_method(vo
0, /* keycopy */
0, /* keyfinish */
ecdh_simple_compute_key,
+ ecdsa_simple_sign_setup,
+ ecdsa_simple_sign_sig,
+ ecdsa_simple_verify_sig,
0, /* field_inverse_mod_ord */
ec_GFp_simple_blind_coordinates,
ec_GFp_simple_ladder_pre,
Index: openssl-1.1.1d/crypto/err/openssl.txt
===================================================================
--- openssl-1.1.1d.orig/crypto/err/openssl.txt
+++ openssl-1.1.1d/crypto/err/openssl.txt
@@ -496,6 +496,9 @@ EC_F_ECDSA_SIGN_EX:254:ECDSA_sign_ex
EC_F_ECDSA_SIGN_SETUP:248:ECDSA_sign_setup
EC_F_ECDSA_SIG_NEW:265:ECDSA_SIG_new
EC_F_ECDSA_VERIFY:253:ECDSA_verify
+EC_F_ECDSA_SIMPLE_SIGN_SETUP:310:ecdsa_simple_sign_setup
+EC_F_ECDSA_SIMPLE_SIGN_SIG:311:ecdsa_simple_sign_sig
+EC_F_ECDSA_SIMPLE_VERIFY_SIG:312:ecdsa_simple_verify_sig
EC_F_ECD_ITEM_VERIFY:270:ecd_item_verify
EC_F_ECKEY_PARAM2TYPE:223:eckey_param2type
EC_F_ECKEY_PARAM_DECODE:212:eckey_param_decode
@@ -657,6 +660,7 @@ EC_F_NISTP521_PRE_COMP_NEW:237:nistp521_
EC_F_O2I_ECPUBLICKEY:152:o2i_ECPublicKey
EC_F_OLD_EC_PRIV_DECODE:222:old_ec_priv_decode
EC_F_OSSL_ECDH_COMPUTE_KEY:247:ossl_ecdh_compute_key
+EC_F_OSSL_ECDSA_SIGN_SETUP:300:ossl_ecdsa_sign_setup
EC_F_OSSL_ECDSA_SIGN_SIG:249:ossl_ecdsa_sign_sig
EC_F_OSSL_ECDSA_VERIFY_SIG:250:ossl_ecdsa_verify_sig
EC_F_PKEY_ECD_CTRL:271:pkey_ecd_ctrl
@@ -2130,6 +2134,7 @@ EC_R_BUFFER_TOO_SMALL:100:buffer too sma
EC_R_CANNOT_INVERT:165:cannot invert
EC_R_COORDINATES_OUT_OF_RANGE:146:coordinates out of range
EC_R_CURVE_DOES_NOT_SUPPORT_ECDH:160:curve does not support ecdh
+EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA:170:curve does not support ecdsa
EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING:159:curve does not support signing
EC_R_D2I_ECPKPARAMETERS_FAILURE:117:d2i ecpkparameters failure
EC_R_DECODE_ERROR:142:decode error
Index: openssl-1.1.1d/include/openssl/ecerr.h
===================================================================
--- openssl-1.1.1d.orig/include/openssl/ecerr.h
+++ openssl-1.1.1d/include/openssl/ecerr.h
@@ -41,6 +41,9 @@ int ERR_load_EC_strings(void);
# define EC_F_ECDSA_SIGN_EX 254
# define EC_F_ECDSA_SIGN_SETUP 248
# define EC_F_ECDSA_SIG_NEW 265
+# define EC_F_ECDSA_SIMPLE_SIGN_SETUP 310
+# define EC_F_ECDSA_SIMPLE_SIGN_SIG 311
+# define EC_F_ECDSA_SIMPLE_VERIFY_SIG 312
# define EC_F_ECDSA_VERIFY 253
# define EC_F_ECD_ITEM_VERIFY 270
# define EC_F_ECKEY_PARAM2TYPE 223
@@ -185,6 +186,7 @@ int ERR_load_EC_strings(void);
# define EC_F_O2I_ECPUBLICKEY 152
# define EC_F_OLD_EC_PRIV_DECODE 222
# define EC_F_OSSL_ECDH_COMPUTE_KEY 247
+# define EC_F_OSSL_ECDSA_SIGN_SETUP 300
# define EC_F_OSSL_ECDSA_SIGN_SIG 249
# define EC_F_OSSL_ECDSA_VERIFY_SIG 250
# define EC_F_PKEY_ECD_CTRL 271
@@ -212,6 +214,7 @@ int ERR_load_EC_strings(void);
# define EC_R_CANNOT_INVERT 165
# define EC_R_COORDINATES_OUT_OF_RANGE 146
# define EC_R_CURVE_DOES_NOT_SUPPORT_ECDH 160
+# define EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA 170
# define EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING 159
# define EC_R_D2I_ECPKPARAMETERS_FAILURE 117
# define EC_R_DECODE_ERROR 142
++++++ openssl-Fix-9bf682f-which-broke-nistp224_method.patch ++++++
>From 653b883b97f72a15d35d21246696881aa65311e2 Mon Sep 17 00:00:00 2001
From: Patrick Steuer <patrick.ste...@de.ibm.com>
Date: Thu, 15 Aug 2019 22:51:57 +0200
Subject: [PATCH] Fix 9bf682f which broke nistp224_method
Signed-off-by: Patrick Steuer <patrick.ste...@de.ibm.com>
Reviewed-by: Richard Levitte <levi...@openssl.org>
Reviewed-by: Shane Lontis <shane.lon...@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9607)
---
crypto/ec/ecp_nistp224.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: openssl-1.1.1d/crypto/ec/ecp_nistp224.c
===================================================================
--- openssl-1.1.1d.orig/crypto/ec/ecp_nistp224.c 2020-01-23
13:45:11.104632265 +0100
+++ openssl-1.1.1d/crypto/ec/ecp_nistp224.c 2020-01-23 13:45:11.208632883
+0100
@@ -291,10 +291,10 @@ const EC_METHOD *EC_GFp_nistp224_method(
ec_key_simple_generate_public_key,
0, /* keycopy */
0, /* keyfinish */
+ ecdh_simple_compute_key,
ecdsa_simple_sign_setup,
ecdsa_simple_sign_sig,
ecdsa_simple_verify_sig,
- ecdh_simple_compute_key,
0, /* field_inverse_mod_ord */
0, /* blind_coordinates */
0, /* ladder_pre */
Index: openssl-1.1.1d/crypto/ec/build.info
===================================================================
--- openssl-1.1.1d.orig/crypto/ec/build.info 2019-09-10 15:13:07.000000000
+0200
+++ openssl-1.1.1d/crypto/ec/build.info 2020-01-23 13:45:11.208632883 +0100
@@ -20,6 +20,9 @@ GENERATE[ecp_nistz256-avx2.s]=asm/ecp_ni
GENERATE[ecp_nistz256-sparcv9.S]=asm/ecp_nistz256-sparcv9.pl $(PERLASM_SCHEME)
INCLUDE[ecp_nistz256-sparcv9.o]=..
+INCLUDE[ecp_s390x_nistp.o]=..
+INCLUDE[ecx_meth.o]=..
+
GENERATE[ecp_nistz256-armv4.S]=asm/ecp_nistz256-armv4.pl $(PERLASM_SCHEME)
INCLUDE[ecp_nistz256-armv4.o]=..
GENERATE[ecp_nistz256-armv8.S]=asm/ecp_nistz256-armv8.pl $(PERLASM_SCHEME)
Index: openssl-1.1.1d/include/openssl/ecerr.h
===================================================================
--- openssl-1.1.1d.orig/include/openssl/ecerr.h 2020-01-23 13:45:11.108632290
+0100
+++ openssl-1.1.1d/include/openssl/ecerr.h 2020-01-23 13:45:11.208632883
+0100
@@ -38,6 +38,8 @@ int ERR_load_EC_strings(void);
# define EC_F_ECDH_SIMPLE_COMPUTE_KEY 257
# define EC_F_ECDSA_DO_SIGN_EX 251
# define EC_F_ECDSA_DO_VERIFY 252
+# define EC_F_ECDSA_S390X_NISTP_SIGN_SIG 313
+# define EC_F_ECDSA_S390X_NISTP_VERIFY_SIG 314
# define EC_F_ECDSA_SIGN_EX 254
# define EC_F_ECDSA_SIGN_SETUP 248
# define EC_F_ECDSA_SIG_NEW 265
++++++ openssl-OPENSSL_s390xcap.pod-list-msa9-facility-bit-155.patch ++++++
>From 3ded2288a45d2cc3a27a1b08d29499cbcec52c0e Mon Sep 17 00:00:00 2001
From: Patrick Steuer <patrick.ste...@de.ibm.com>
Date: Fri, 12 Jul 2019 13:47:32 +0200
Subject: [PATCH 09207/10000] OPENSSL_s390xcap.pod: list msa9 facility bit
(155)
Signed-off-by: Patrick Steuer <patrick.ste...@de.ibm.com>
Reviewed-by: Richard Levitte <levi...@openssl.org>
Reviewed-by: Shane Lontis <shane.lon...@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9348)
---
doc/man3/OPENSSL_s390xcap.pod | 1 +
1 file changed, 1 insertion(+)
diff --git a/doc/man3/OPENSSL_s390xcap.pod b/doc/man3/OPENSSL_s390xcap.pod
index e45da4467f..1f4ee85fdf 100644
--- a/doc/man3/OPENSSL_s390xcap.pod
+++ b/doc/man3/OPENSSL_s390xcap.pod
@@ -72,6 +72,7 @@ the numbering is continuous across 64-bit mask boundaries.
#134 1<<57 vector packed decimal facility
#135 1<<56 vector enhancements facility 1
#146 1<<45 message-security assist extension 8
+ #155 1<<36 message-security assist extension 9
kimd :
# 1 1<<62 KIMD-SHA-1
--
2.24.0
++++++ openssl-assembly-pack-accelerate-scalar-multiplication.patch ++++++
>From 1461e66706f24da657d7322706d1165ae515533f Mon Sep 17 00:00:00 2001
From: Patrick Steuer <patrick.ste...@de.ibm.com>
Date: Tue, 9 Jul 2019 10:25:04 +0200
Subject: [PATCH 09204/10000] s390x assembly pack: accelerate scalar
multiplication
for NIST P-256, P-384 and P-521 using PCC instruction.
Signed-off-by: Patrick Steuer <patrick.ste...@de.ibm.com>
Reviewed-by: Richard Levitte <levi...@openssl.org>
Reviewed-by: Shane Lontis <shane.lon...@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9348)
---
crypto/ec/build.info | 3 +-
crypto/ec/ec_curve.c | 42 +++++---
crypto/ec/ec_lcl.h | 5 +
crypto/ec/ecp_s390x_nistp.c | 197 ++++++++++++++++++++++++++++++++++++
4 files changed, 234 insertions(+), 13 deletions(-)
create mode 100644 crypto/ec/ecp_s390x_nistp.c
Index: openssl-1.1.1d/crypto/ec/ec_curve.c
===================================================================
--- openssl-1.1.1d.orig/crypto/ec/ec_curve.c
+++ openssl-1.1.1d/crypto/ec/ec_curve.c
@@ -2829,16 +2829,25 @@ static const ec_list_element curve_list[
{NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0,
"SECG curve over a 256 bit prime field"},
/* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
- {NID_secp384r1, &_EC_NIST_PRIME_384.h, 0,
+ {NID_secp384r1, &_EC_NIST_PRIME_384.h,
+# if defined(S390X_NISTP_ASM)
+ EC_GFp_s390x_nistp384_method,
+# else
+ 0,
+# endif
"NIST/SECG curve over a 384 bit prime field"},
-#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
- {NID_secp521r1, &_EC_NIST_PRIME_521.h, EC_GFp_nistp521_method,
- "NIST/SECG curve over a 521 bit prime field"},
+
+ {NID_secp521r1, &_EC_NIST_PRIME_521.h,
+# if defined(S390X_NISTP_ASM)
+ EC_GFp_s390x_nistp521_method,
+# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
+ EC_GFp_nistp521_method,
#else
- {NID_secp521r1, &_EC_NIST_PRIME_521.h, 0,
- "NIST/SECG curve over a 521 bit prime field"},
+ 0,
#endif
- /* X9.62 curves */
+ "NIST/SECG curve over a 521 bit prime field"},
+
+ /* X9.62 curves */
{NID_X9_62_prime192v1, &_EC_NIST_PRIME_192.h, 0,
"NIST/X9.62/SECG curve over a 192 bit prime field"},
{NID_X9_62_prime192v2, &_EC_X9_62_PRIME_192V2.h, 0,
@@ -2854,6 +2863,8 @@ static const ec_list_element curve_list[
{NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
#if defined(ECP_NISTZ256_ASM)
EC_GFp_nistz256_method,
+# elif defined(S390X_NISTP_ASM)
+ EC_GFp_s390x_nistp256_method,
#elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
EC_GFp_nistp256_method,
#else
Index: openssl-1.1.1d/crypto/ec/ec_lcl.h
===================================================================
--- openssl-1.1.1d.orig/crypto/ec/ec_lcl.h
+++ openssl-1.1.1d/crypto/ec/ec_lcl.h
@@ -587,6 +587,11 @@ int ec_group_simple_order_bits(const EC_
*/
const EC_METHOD *EC_GFp_nistz256_method(void);
#endif
+#ifdef S390X_NISTP_ASM
+const EC_METHOD *EC_GFp_s390x_nistp256_method(void);
+const EC_METHOD *EC_GFp_s390x_nistp384_method(void);
+const EC_METHOD *EC_GFp_s390x_nistp521_method(void);
+#endif
size_t ec_key_simple_priv2oct(const EC_KEY *eckey,
unsigned char *buf, size_t len);
Index: openssl-1.1.1d/crypto/ec/ecp_s390x_nistp.c
===================================================================
--- /dev/null
+++ openssl-1.1.1d/crypto/ec/ecp_s390x_nistp.c
@@ -0,0 +1,197 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/err.h>
+#include "ec_lcl.h"
+#include "s390x_arch.h"
+
+/* Size of parameter blocks */
+#define S390X_SIZE_PARAM 4096
+
+/* Size of fields in parameter blocks */
+#define S390X_SIZE_P256 32
+#define S390X_SIZE_P384 48
+#define S390X_SIZE_P521 80
+
+/* Offsets of fields in PCC parameter blocks */
+#define S390X_OFF_RES_X(n) (0 * n)
+#define S390X_OFF_RES_Y(n) (1 * n)
+#define S390X_OFF_SRC_X(n) (2 * n)
+#define S390X_OFF_SRC_Y(n) (3 * n)
+#define S390X_OFF_SCALAR(n) (4 * n)
+
+static int ec_GFp_s390x_nistp_mul(const EC_GROUP *group, EC_POINT *r,
+ const BIGNUM *scalar,
+ size_t num, const EC_POINT *points[],
+ const BIGNUM *scalars[],
+ BN_CTX *ctx, unsigned int fc, int len)
+{
+ unsigned char param[S390X_SIZE_PARAM];
+ BIGNUM *x, *y;
+ const EC_POINT *point_ptr = NULL;
+ const BIGNUM *scalar_ptr = NULL;
+ BN_CTX *new_ctx = NULL;
+ int rc = -1;
+
+ if (ctx == NULL) {
+ ctx = new_ctx = BN_CTX_new();
+ if (ctx == NULL)
+ return 0;
+ }
+
+ BN_CTX_start(ctx);
+
+ x = BN_CTX_get(ctx);
+ y = BN_CTX_get(ctx);
+ if (x == NULL || y == NULL) {
+ rc = 0;
+ goto ret;
+ }
+
+ /*
+ * Use PCC for EC keygen and ECDH key derivation:
+ * scalar * generator and scalar * peer public key,
+ * scalar in [0,order).
+ */
+ if ((scalar != NULL && num == 0 && BN_is_negative(scalar) == 0)
+ || (scalar == NULL && num == 1 && BN_is_negative(scalars[0]) == 0)) {
+
+ if (num == 0) {
+ point_ptr = EC_GROUP_get0_generator(group);
+ scalar_ptr = scalar;
+ } else {
+ point_ptr = points[0];
+ scalar_ptr = scalars[0];
+ }
+
+ if (EC_POINT_is_at_infinity(group, point_ptr) == 1
+ || BN_is_zero(scalar_ptr)) {
+ rc = EC_POINT_set_to_infinity(group, r);
+ goto ret;
+ }
+
+ memset(¶m, 0, sizeof(param));
+
+ if (group->meth->point_get_affine_coordinates(group, point_ptr,
+ x, y, ctx) != 1
+ || BN_bn2binpad(x, param + S390X_OFF_SRC_X(len), len) == -1
+ || BN_bn2binpad(y, param + S390X_OFF_SRC_Y(len), len) == -1
+ || BN_bn2binpad(scalar_ptr,
+ param + S390X_OFF_SCALAR(len), len) == -1
+ || s390x_pcc(fc, param) != 0
+ || BN_bin2bn(param + S390X_OFF_RES_X(len), len, x) == NULL
+ || BN_bin2bn(param + S390X_OFF_RES_Y(len), len, y) == NULL
+ || group->meth->point_set_affine_coordinates(group, r,
+ x, y, ctx) != 1)
+ goto ret;
+
+ rc = 1;
+ }
+
+ret:
+ /* Otherwise use default. */
+ if (rc == -1)
+ rc = ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx);
+ OPENSSL_cleanse(param, sizeof(param));
+ BN_CTX_end(ctx);
+ BN_CTX_free(new_ctx);
+ return rc;
+}
+
+#define EC_GFP_S390X_NISTP_METHOD(bits) \
+ \
+static int ec_GFp_s390x_nistp##bits##_mul(const EC_GROUP *group, \
+ EC_POINT *r, \
+ const BIGNUM *scalar, \
+ size_t num, \
+ const EC_POINT *points[], \
+ const BIGNUM *scalars[], \
+ BN_CTX *ctx) \
+{ \
+ return ec_GFp_s390x_nistp_mul(group, r, scalar, num, points, \
+ scalars, ctx, \
+ S390X_SCALAR_MULTIPLY_P##bits, \
+ S390X_SIZE_P##bits); \
+} \
+ \
+const EC_METHOD *EC_GFp_s390x_nistp##bits##_method(void) \
+{ \
+ static const EC_METHOD EC_GFp_s390x_nistp##bits##_meth = { \
+ EC_FLAGS_DEFAULT_OCT, \
+ NID_X9_62_prime_field, \
+ ec_GFp_simple_group_init, \
+ ec_GFp_simple_group_finish, \
+ ec_GFp_simple_group_clear_finish, \
+ ec_GFp_simple_group_copy, \
+ ec_GFp_simple_group_set_curve, \
+ ec_GFp_simple_group_get_curve, \
+ ec_GFp_simple_group_get_degree, \
+ ec_group_simple_order_bits, \
+ ec_GFp_simple_group_check_discriminant, \
+ ec_GFp_simple_point_init, \
+ ec_GFp_simple_point_finish, \
+ ec_GFp_simple_point_clear_finish, \
+ ec_GFp_simple_point_copy, \
+ ec_GFp_simple_point_set_to_infinity, \
+ ec_GFp_simple_set_Jprojective_coordinates_GFp, \
+ ec_GFp_simple_get_Jprojective_coordinates_GFp, \
+ ec_GFp_simple_point_set_affine_coordinates, \
+ ec_GFp_simple_point_get_affine_coordinates, \
+ NULL, /* point_set_compressed_coordinates */ \
+ NULL, /* point2oct */ \
+ NULL, /* oct2point */ \
+ ec_GFp_simple_add, \
+ ec_GFp_simple_dbl, \
+ ec_GFp_simple_invert, \
+ ec_GFp_simple_is_at_infinity, \
+ ec_GFp_simple_is_on_curve, \
+ ec_GFp_simple_cmp, \
+ ec_GFp_simple_make_affine, \
+ ec_GFp_simple_points_make_affine, \
+ ec_GFp_s390x_nistp##bits##_mul, \
+ NULL, /* precompute_mult */ \
+ NULL, /* have_precompute_mult */ \
+ ec_GFp_simple_field_mul, \
+ ec_GFp_simple_field_sqr, \
+ NULL, /* field_div */ \
+ ec_GFp_simple_field_inv, \
+ NULL, /* field_encode */ \
+ NULL, /* field_decode */ \
+ NULL, /* field_set_to_one */ \
+ ec_key_simple_priv2oct, \
+ ec_key_simple_oct2priv, \
+ NULL, /* set_private */ \
+ ec_key_simple_generate_key, \
+ ec_key_simple_check_key, \
+ ec_key_simple_generate_public_key, \
+ NULL, /* keycopy */ \
+ NULL, /* keyfinish */ \
+ ecdh_simple_compute_key, \
+ NULL, /* field_inverse_mod_ord */ \
+ ec_GFp_simple_blind_coordinates, \
+ ec_GFp_simple_ladder_pre, \
+ ec_GFp_simple_ladder_step, \
+ ec_GFp_simple_ladder_post \
+ }; \
+ static const EC_METHOD *ret; \
+ \
+ if (OPENSSL_s390xcap_P.pcc[1] \
+ & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P##bits)) \
+ ret = &EC_GFp_s390x_nistp##bits##_meth; \
+ else \
+ ret = EC_GFp_mont_method(); \
+ \
+ return ret; \
+}
+
+EC_GFP_S390X_NISTP_METHOD(256)
+EC_GFP_S390X_NISTP_METHOD(384)
+EC_GFP_S390X_NISTP_METHOD(521)
Index: openssl-1.1.1d/Configurations/00-base-templates.conf
===================================================================
--- openssl-1.1.1d.orig/Configurations/00-base-templates.conf
+++ openssl-1.1.1d/Configurations/00-base-templates.conf
@@ -289,6 +289,7 @@ my %targets=(
template => 1,
cpuid_asm_src => "s390xcap.c s390xcpuid.S",
bn_asm_src => "asm/s390x.S s390x-mont.S s390x-gf2m.s",
+ ec_asm_src => "ecp_s390x_nistp.c",
aes_asm_src => "aes-s390x.S aes-ctr.fake aes-xts.fake",
sha1_asm_src => "sha1-s390x.S sha256-s390x.S sha512-s390x.S",
rc4_asm_src => "rc4-s390x.s",
Index: openssl-1.1.1d/Configure
===================================================================
--- openssl-1.1.1d.orig/Configure
+++ openssl-1.1.1d/Configure
@@ -1400,6 +1400,9 @@ unless ($disabled{asm}) {
if ($target{ec_asm_src} =~ /x25519/) {
push @{$config{lib_defines}}, "X25519_ASM";
}
+ if ($target{ec_asm_src} =~ /ecp_s390x_nistp/) {
+ push @{$config{lib_defines}}, "S390X_NISTP_ASM";
+ }
if ($target{padlock_asm_src} ne $table{DEFAULTS}->{padlock_asm_src}) {
push @{$config{dso_defines}}, "PADLOCK_ASM";
}
++++++ openssl-fips-clearerror.patch ++++++
Index: openssl-1.1.1d/crypto/o_init.c
===================================================================
--- openssl-1.1.1d.orig/crypto/o_init.c 2020-01-23 13:45:11.556634952 +0100
+++ openssl-1.1.1d/crypto/o_init.c 2020-01-23 13:45:11.572635047 +0100
@@ -49,6 +49,7 @@ static void init_fips_mode(void)
NONFIPS_selftest_check();
/* drop down to non-FIPS mode if it is not requested */
FIPS_mode_set(0);
+ ERR_clear_error();
} else {
/* abort if selftest failed */
FIPS_selftest_check();
++++++ openssl-fips-dont_run_FIPS_module_installed.patch ++++++
Index: openssl-1.1.1d/crypto/o_init.c
===================================================================
--- openssl-1.1.1d.orig/crypto/o_init.c 2020-01-23 13:45:11.336633643 +0100
+++ openssl-1.1.1d/crypto/o_init.c 2020-01-23 13:45:21.316692954 +0100
@@ -63,9 +63,6 @@ void __attribute__ ((constructor)) OPENS
if (done)
return;
done = 1;
- if (!FIPS_module_installed()) {
- return;
- }
init_fips_mode();
}
#endif
++++++ openssl-fips-ignore_broken_atexit_test.patch ++++++
Index: openssl-1.1.1d/test/recipes/90-test_shlibload.t
===================================================================
--- openssl-1.1.1d.orig/test/recipes/90-test_shlibload.t 2019-09-10
15:13:07.000000000 +0200
+++ openssl-1.1.1d/test/recipes/90-test_shlibload.t 2020-01-23
15:22:27.355814857 +0100
@@ -23,7 +23,7 @@ plan skip_all => "Test is disabled on AI
plan skip_all => "Test is disabled on VMS" if config('target') =~ m|^vms|;
plan skip_all => "Test only supported in a dso build" if disabled("dso");
-plan tests => 10;
+plan tests => 9;
# When libssl and libcrypto are compiled on Linux with "-rpath", but not
# "--enable-new-dtags", the RPATH takes precedence over LD_LIBRARY_PATH,
@@ -56,7 +56,7 @@ unlink $filename;
($fh, $filename) = tempfile();
ok(run(test(["shlibloadtest", "-no_atexit", $libcrypto, $libssl, $filename])),
"running shlibloadtest -no_atexit $filename");
-ok(!check_atexit($fh));
+#ok(!check_atexit($fh));
unlink $filename;
sub shlib {
++++++ openssl-fips-run_selftests_only_when_module_is_complete.patch ++++++
Index: openssl-1.1.1d/crypto/fips/fips.c
===================================================================
--- openssl-1.1.1d.orig/crypto/fips/fips.c 2020-01-23 13:45:11.368633835
+0100
+++ openssl-1.1.1d/crypto/fips/fips.c 2020-01-23 13:45:21.316692954 +0100
@@ -454,15 +454,15 @@ int FIPS_module_mode_set(int onoff)
fips_post = 1;
- if (!FIPS_selftest()) {
+ if (!verify_checksums()) {
+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
+ FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
fips_selftest_fail = 1;
ret = 0;
goto end;
}
- if (!verify_checksums()) {
- FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
- FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
+ if (!FIPS_selftest()) {
fips_selftest_fail = 1;
ret = 0;
goto end;
++++++ openssl-fips-selftests_in_nonfips_mode.patch ++++++
Index: openssl-1.1.1d/crypto/fips/fips.c
===================================================================
--- openssl-1.1.1d.orig/crypto/fips/fips.c 2020-01-23 13:45:11.416634119
+0100
+++ openssl-1.1.1d/crypto/fips/fips.c 2020-01-23 13:45:11.556634952 +0100
@@ -486,6 +486,44 @@ int FIPS_module_mode_set(int onoff)
return ret;
}
+/* In non-FIPS mode, the selftests must succeed if the
+ * checksum files are present
+ */
+void NONFIPS_selftest_check(void)
+{
+ int rv;
+ char *hmacpath;
+ char path[PATH_MAX+1];
+
+ if (fips_selftest_fail)
+ {
+ /* check if the checksum files are installed */
+ rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER,
"FIPS_mode_set", path, sizeof(path));
+ if (rv < 0)
+ OpenSSLDie(__FILE__,__LINE__, "FATAL FIPS SELFTEST
FAILURE");
+
+ hmacpath = make_hmac_path(path);
+ if (hmacpath == NULL)
+ OpenSSLDie(__FILE__,__LINE__, "FATAL FIPS SELFTEST
FAILURE");
+
+ if (access(hmacpath, F_OK))
+ {
+ /* no hmac file is present, ignore the failed
selftests */
+ if (errno == ENOENT)
+ {
+ free(hmacpath);
+ return;
+ }
+ /* we fail on any other error */
+ }
+ /* if the file exists, but the selftests failed
+ (eg wrong checksum), we fail too */
+ free(hmacpath);
+ OpenSSLDie(__FILE__,__LINE__, "FATAL FIPS SELFTEST FAILURE");
+ }
+ /* otherwise ok, selftests were successful */
+}
+
static CRYPTO_THREAD_ID fips_threadid;
static int fips_thread_set = 0;
Index: openssl-1.1.1d/crypto/o_init.c
===================================================================
--- openssl-1.1.1d.orig/crypto/o_init.c 2020-01-23 13:45:11.536634832 +0100
+++ openssl-1.1.1d/crypto/o_init.c 2020-01-23 13:45:17.000667299 +0100
@@ -45,6 +45,8 @@ static void init_fips_mode(void)
*/
if (buf[0] != '1') {
+ /* abort if selftest failed and the module is complete */
+ NONFIPS_selftest_check();
/* drop down to non-FIPS mode if it is not requested */
FIPS_mode_set(0);
} else {
Index: openssl-1.1.1d/include/openssl/fips.h
===================================================================
--- openssl-1.1.1d.orig/include/openssl/fips.h 2020-01-23 13:45:11.344633691
+0100
+++ openssl-1.1.1d/include/openssl/fips.h 2020-01-23 13:45:11.556634952
+0100
@@ -65,6 +65,7 @@ extern "C" {
int FIPS_selftest(void);
int FIPS_selftest_failed(void);
int FIPS_selftest_drbg_all(void);
+ void NONFIPS_selftest_check(void);
int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
const EVP_MD *evpmd, const unsigned char
*seed_in,
++++++ openssl-fips_mode.patch ++++++
Index: openssl-1.1.1d/apps/openssl.c
===================================================================
--- openssl-1.1.1d.orig/apps/openssl.c 2019-09-10 15:13:07.000000000 +0200
+++ openssl-1.1.1d/apps/openssl.c 2020-01-23 13:45:11.452634334 +0100
@@ -151,8 +151,15 @@ int main(int argc, char *argv[])
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
if (getenv("OPENSSL_FIPS")) {
+#ifdef OPENSSL_FIPS
+ if (!FIPS_mode_set(1)) {
+ ERR_print_errors(bio_err);
+ return 1;
+ }
+#else
BIO_printf(bio_err, "FIPS mode not supported.\n");
return 1;
+#endif
}
if (!apps_startup()) {
++++++ openssl-keep_EVP_KDF_functions_version.patch ++++++
Index: openssl-1.1.1d/util/libcrypto.num
===================================================================
--- openssl-1.1.1d.orig/util/libcrypto.num 2020-01-27 12:07:26.467151662
+0100
+++ openssl-1.1.1d/util/libcrypto.num 2020-01-27 13:18:44.456778054 +0100
@@ -4617,11 +4617,11 @@ FIPS_drbg_get_strength
FIPS_rand_strength 6380 1_1_0g EXIST::FUNCTION:
FIPS_drbg_get_blocklength 6381 1_1_0g EXIST::FUNCTION:
FIPS_drbg_init 6382 1_1_0g EXIST::FUNCTION:
-EVP_KDF_CTX_new_id 6590 1_1_1b EXIST::FUNCTION:
-EVP_KDF_CTX_free 6591 1_1_1b EXIST::FUNCTION:
-EVP_KDF_reset 6592 1_1_1b EXIST::FUNCTION:
-EVP_KDF_ctrl 6593 1_1_1b EXIST::FUNCTION:
-EVP_KDF_vctrl 6594 1_1_1b EXIST::FUNCTION:
-EVP_KDF_ctrl_str 6595 1_1_1b EXIST::FUNCTION:
-EVP_KDF_size 6596 1_1_1b EXIST::FUNCTION:
-EVP_KDF_derive 6597 1_1_1b EXIST::FUNCTION:
+EVP_KDF_CTX_new_id 6590 1_1_1d EXIST::FUNCTION:
+EVP_KDF_CTX_free 6591 1_1_1d EXIST::FUNCTION:
+EVP_KDF_reset 6592 1_1_1d EXIST::FUNCTION:
+EVP_KDF_ctrl 6593 1_1_1d EXIST::FUNCTION:
+EVP_KDF_vctrl 6594 1_1_1d EXIST::FUNCTION:
+EVP_KDF_ctrl_str 6595 1_1_1d EXIST::FUNCTION:
+EVP_KDF_size 6596 1_1_1d EXIST::FUNCTION:
+EVP_KDF_derive 6597 1_1_1d EXIST::FUNCTION:
++++++ openssl-s390x-assembly-pack-accelerate-ECDSA.patch ++++++
>From 58c35587eacba090414522a6506cb86f2d0e91af Mon Sep 17 00:00:00 2001
From: Patrick Steuer <patrick.ste...@de.ibm.com>
Date: Thu, 11 Jul 2019 10:38:18 +0200
Subject: [PATCH 09206/10000] s390x assembly pack: accelerate ECDSA
for NIST P-256, P-384 and P-521 using KDSA instruction.
Signed-off-by: Patrick Steuer <patrick.ste...@de.ibm.com>
Reviewed-by: Richard Levitte <levi...@openssl.org>
Reviewed-by: Shane Lontis <shane.lon...@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9348)
---
crypto/ec/ecp_s390x_nistp.c | 202 +++++++++++++++++++++++++++++++++++-
crypto/err/openssl.txt | 2 +
2 files changed, 200 insertions(+), 4 deletions(-)
diff --git a/crypto/ec/ecp_s390x_nistp.c b/crypto/ec/ecp_s390x_nistp.c
index 0b03d7fd04..be81f0b8f0 100644
--- a/crypto/ec/ecp_s390x_nistp.c
+++ b/crypto/ec/ecp_s390x_nistp.c
@@ -10,6 +10,7 @@
#include <stdlib.h>
#include <string.h>
#include <openssl/err.h>
+#include <openssl/rand.h>
#include "ec_lcl.h"
#include "s390x_arch.h"
@@ -28,6 +29,15 @@
#define S390X_OFF_SRC_Y(n) (3 * n)
#define S390X_OFF_SCALAR(n) (4 * n)
+/* Offsets of fields in KDSA parameter blocks */
+#define S390X_OFF_R(n) (0 * n)
+#define S390X_OFF_S(n) (1 * n)
+#define S390X_OFF_H(n) (2 * n)
+#define S390X_OFF_K(n) (3 * n)
+#define S390X_OFF_X(n) (3 * n)
+#define S390X_OFF_RN(n) (4 * n)
+#define S390X_OFF_Y(n) (4 * n)
+
static int ec_GFp_s390x_nistp_mul(const EC_GROUP *group, EC_POINT *r,
const BIGNUM *scalar,
size_t num, const EC_POINT *points[],
@@ -106,6 +116,163 @@ ret:
return rc;
}
+static ECDSA_SIG *ecdsa_s390x_nistp_sign_sig(const unsigned char *dgst,
+ int dgstlen,
+ const BIGNUM *kinv,
+ const BIGNUM *r,
+ EC_KEY *eckey,
+ unsigned int fc, int len)
+{
+ unsigned char param[S390X_SIZE_PARAM];
+ int ok = 0;
+ BIGNUM *k;
+ ECDSA_SIG *sig;
+ const EC_GROUP *group;
+ const BIGNUM *privkey;
+ int off;
+
+ group = EC_KEY_get0_group(eckey);
+ privkey = EC_KEY_get0_private_key(eckey);
+ if (group == NULL || privkey == NULL) {
+ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, EC_R_MISSING_PARAMETERS);
+ return NULL;
+ }
+
+ if (!EC_KEY_can_sign(eckey)) {
+ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG,
+ EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING);
+ return NULL;
+ }
+
+ k = BN_secure_new();
+ sig = ECDSA_SIG_new();
+ if (k == NULL || sig == NULL) {
+ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_MALLOC_FAILURE);
+ goto ret;
+ }
+
+ sig->r = BN_new();
+ sig->s = BN_new();
+ if (sig->r == NULL || sig->s == NULL) {
+ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_MALLOC_FAILURE);
+ goto ret;
+ }
+
+ memset(param, 0, sizeof(param));
+ off = len - (dgstlen > len ? len : dgstlen);
+ memcpy(param + S390X_OFF_H(len) + off, dgst, len - off);
+
+ if (BN_bn2binpad(privkey, param + S390X_OFF_K(len), len) == -1) {
+ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_BN_LIB);
+ goto ret;
+ }
+
+ if (r == NULL || kinv == NULL) {
+ /*
+ * Generate random k and copy to param param block. RAND_priv_bytes
+ * is used instead of BN_priv_rand_range or BN_generate_dsa_nonce
+ * because kdsa instruction constructs an in-range, invertible nonce
+ * internally implementing counter-measures for RNG weakness.
+ */
+ if (RAND_priv_bytes(param + S390X_OFF_RN(len), len) != 1) {
+ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG,
+ EC_R_RANDOM_NUMBER_GENERATION_FAILED);
+ goto ret;
+ }
+ } else {
+ /* Reconstruct k = (k^-1)^-1. */
+ if (ec_group_do_inverse_ord(group, k, kinv, NULL) == 0
+ || BN_bn2binpad(k, param + S390X_OFF_RN(len), len) == -1) {
+ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_BN_LIB);
+ goto ret;
+ }
+ /* Turns KDSA internal nonce-generation off. */
+ fc |= S390X_KDSA_D;
+ }
+
+ if (s390x_kdsa(fc, param, NULL, 0) != 0) {
+ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_ECDSA_LIB);
+ goto ret;
+ }
+
+ if (BN_bin2bn(param + S390X_OFF_R(len), len, sig->r) == NULL
+ || BN_bin2bn(param + S390X_OFF_S(len), len, sig->s) == NULL) {
+ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_BN_LIB);
+ goto ret;
+ }
+
+ ok = 1;
+ret:
+ OPENSSL_cleanse(param, sizeof(param));
+ if (ok != 1) {
+ ECDSA_SIG_free(sig);
+ sig = NULL;
+ }
+ BN_clear_free(k);
+ return sig;
+}
+
+static int ecdsa_s390x_nistp_verify_sig(const unsigned char *dgst, int dgstlen,
+ const ECDSA_SIG *sig, EC_KEY *eckey,
+ unsigned int fc, int len)
+{
+ unsigned char param[S390X_SIZE_PARAM];
+ int rc = -1;
+ BN_CTX *ctx;
+ BIGNUM *x, *y;
+ const EC_GROUP *group;
+ const EC_POINT *pubkey;
+ int off;
+
+ group = EC_KEY_get0_group(eckey);
+ pubkey = EC_KEY_get0_public_key(eckey);
+ if (eckey == NULL || group == NULL || pubkey == NULL || sig == NULL) {
+ ECerr(EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, EC_R_MISSING_PARAMETERS);
+ return -1;
+ }
+
+ if (!EC_KEY_can_sign(eckey)) {
+ ECerr(EC_F_ECDSA_S390X_NISTP_VERIFY_SIG,
+ EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING);
+ return -1;
+ }
+
+ ctx = BN_CTX_new();
+ if (ctx == NULL) {
+ ECerr(EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, ERR_R_MALLOC_FAILURE);
+ return -1;
+ }
+
+ BN_CTX_start(ctx);
+
+ x = BN_CTX_get(ctx);
+ y = BN_CTX_get(ctx);
+ if (x == NULL || y == NULL) {
+ ECerr(EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, ERR_R_MALLOC_FAILURE);
+ goto ret;
+ }
+
+ memset(param, 0, sizeof(param));
+ off = len - (dgstlen > len ? len : dgstlen);
+ memcpy(param + S390X_OFF_H(len) + off, dgst, len - off);
+
+ if (group->meth->point_get_affine_coordinates(group, pubkey,
+ x, y, ctx) != 1
+ || BN_bn2binpad(sig->r, param + S390X_OFF_R(len), len) == -1
+ || BN_bn2binpad(sig->s, param + S390X_OFF_S(len), len) == -1
+ || BN_bn2binpad(x, param + S390X_OFF_X(len), len) == -1
+ || BN_bn2binpad(y, param + S390X_OFF_Y(len), len) == -1) {
+ ECerr(EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, ERR_R_BN_LIB);
+ goto ret;
+ }
+
+ rc = s390x_kdsa(fc, param, NULL, 0) == 0 ? 1 : 0;
+ret:
+ BN_CTX_end(ctx);
+ BN_CTX_free(ctx);
+ return rc;
+}
+
#define EC_GFP_S390X_NISTP_METHOD(bits) \
\
static int ec_GFp_s390x_nistp##bits##_mul(const EC_GROUP *group, \
@@ -122,6 +289,29 @@ static int ec_GFp_s390x_nistp##bits##_mul(const EC_GROUP
*group, \
S390X_SIZE_P##bits); \
} \
\
+static ECDSA_SIG *ecdsa_s390x_nistp##bits##_sign_sig(const unsigned \
+ char *dgst, \
+ int dgstlen, \
+ const BIGNUM *kinv,\
+ const BIGNUM *r, \
+ EC_KEY *eckey) \
+{ \
+ return ecdsa_s390x_nistp_sign_sig(dgst, dgstlen, kinv, r, eckey, \
+ S390X_ECDSA_SIGN_P##bits, \
+ S390X_SIZE_P##bits); \
+} \
+ \
+static int ecdsa_s390x_nistp##bits##_verify_sig(const \
+ unsigned char *dgst, \
+ int dgstlen, \
+ const ECDSA_SIG *sig, \
+ EC_KEY *eckey) \
+{ \
+ return ecdsa_s390x_nistp_verify_sig(dgst, dgstlen, sig, eckey, \
+ S390X_ECDSA_VERIFY_P##bits, \
+ S390X_SIZE_P##bits); \
+} \
+ \
const EC_METHOD *EC_GFp_s390x_nistp##bits##_method(void) \
{ \
static const EC_METHOD EC_GFp_s390x_nistp##bits##_meth = { \
@@ -176,8 +366,8 @@ const EC_METHOD *EC_GFp_s390x_nistp##bits##_method(void)
\
NULL, /* keyfinish */ \
ecdh_simple_compute_key, \
ecdsa_simple_sign_setup, \
- ecdsa_simple_sign_sig, \
- ecdsa_simple_verify_sig, \
+ ecdsa_s390x_nistp##bits##_sign_sig, \
+ ecdsa_s390x_nistp##bits##_verify_sig, \
NULL, /* field_inverse_mod_ord */ \
ec_GFp_simple_blind_coordinates, \
ec_GFp_simple_ladder_pre, \
@@ -186,8 +376,12 @@ const EC_METHOD *EC_GFp_s390x_nistp##bits##_method(void)
\
}; \
static const EC_METHOD *ret; \
\
- if (OPENSSL_s390xcap_P.pcc[1] \
- & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P##bits)) \
+ if ((OPENSSL_s390xcap_P.pcc[1] \
+ & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P##bits)) \
+ && (OPENSSL_s390xcap_P.kdsa[0] \
+ & S390X_CAPBIT(S390X_ECDSA_VERIFY_P##bits)) \
+ && (OPENSSL_s390xcap_P.kdsa[0] \
+ & S390X_CAPBIT(S390X_ECDSA_SIGN_P##bits))) \
ret = &EC_GFp_s390x_nistp##bits##_meth; \
else \
ret = EC_GFp_mont_method(); \
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 035bd729f3..5d5981035c 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -554,6 +554,8 @@ EC_F_ECDSA_VERIFY:253:ECDSA_verify
EC_F_ECDSA_SIMPLE_SIGN_SETUP:310:ecdsa_simple_sign_setup
EC_F_ECDSA_SIMPLE_SIGN_SIG:311:ecdsa_simple_sign_sig
EC_F_ECDSA_SIMPLE_VERIFY_SIG:312:ecdsa_simple_verify_sig
+EC_F_ECDSA_S390X_NISTP_SIGN_SIG:313:ecdsa_s390x_nistp_sign_sig
+EC_F_ECDSA_S390X_NISTP_VERIFY_SIG:314:ecdsa_s390x_nistp_verify_sig
EC_F_ECD_ITEM_VERIFY:270:ecd_item_verify
EC_F_ECKEY_PARAM2TYPE:223:eckey_param2type
EC_F_ECKEY_PARAM_DECODE:212:eckey_param_decode
--
2.24.0
++++++
openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch
++++++
++++ 1467 lines (skipped)
++++++ openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch ++++++
++++ 694 lines (skipped)
++++++ openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch ++++++
>From d68af00685c4a76e9545882e350717ae5e4071df Mon Sep 17 00:00:00 2001
From: Patrick Steuer <patrick.ste...@de.ibm.com>
Date: Tue, 31 Jan 2017 12:43:35 +0100
Subject: [PATCH] s390x assembly pack: add OPENSSL_s390xcap man page.
Signed-off-by: Patrick Steuer <patrick.ste...@de.ibm.com>
Reviewed-by: Andy Polyakov <ap...@openssl.org>
Reviewed-by: Rich Salz <rs...@openssl.org>
Reviewed-by: Richard Levitte <levi...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6813)
---
doc/man3/OPENSSL_s390xcap.pod | 173 ++++++++++++++++++++++++++++++++++
util/private.num | 1 +
2 files changed, 174 insertions(+)
create mode 100644 doc/man3/OPENSSL_s390xcap.pod
diff --git a/doc/man3/OPENSSL_s390xcap.pod b/doc/man3/OPENSSL_s390xcap.pod
new file mode 100644
index 00000000000..550136a82b8
--- /dev/null
+++ b/doc/man3/OPENSSL_s390xcap.pod
@@ -0,0 +1,173 @@
+=pod
+
+=head1 NAME
+
+OPENSSL_s390xcap - the IBM z processor capabilities vector
+
+=head1 SYNOPSIS
+
+ env OPENSSL_s390xcap=... <application>
+
+=head1 DESCRIPTION
+
+libcrypto supports z/Architecture instruction set extensions. These
+extensions are denoted by individual bits in the capabilities vector.
+When libcrypto is initialized, the bits returned by the STFLE instruction
+and by the QUERY functions are stored in the vector.
+
+To change the set of instructions available to an application, you can
+set the OPENSSL_s390xcap environment variable before you start the
+application. After initialization, the capability vector is ANDed bitwise
+with a mask which is derived from the environment variable.
+
+The environment variable is a semicolon-separated list of tokens which is
+processed from left to right (whitespace is ignored):
+
+ OPENSSL_s390xcap="<tok1>;<tok2>;..."
+
+There are three types of tokens:
+
+=over 4
+
+=item <string>
+
+The name of a processor generation. A bit in the environment variable's
+mask is set to one if and only if the specified processor generation
+implements the corresponding instruction set extension. Possible values
+are z900, z990, z9, z10, z196, zEC12, z13 and z14.
+
+=item <string>:<mask>:<mask>
+
+The name of an instruction followed by two 64-bit masks. The part of the
+environment variable's mask corresponding to the specified instruction is
+set to the specified 128-bit mask. Possible values are kimd, klmd, km, kmc,
+kmac, kmctr, kmo, kmf, prno and kma.
+
+=item stfle:<mask>:<mask>:<mask>
+
+Store-facility-list-extended (stfle) followed by three 64-bit masks. The
+part of the environment variable's mask corresponding to the stfle
+instruction is set to the specified 192-bit mask.
+
+=back
+
+The 64-bit masks are specified in hexadecimal notation. The 0x prefix is
+optional. Prefix a mask with a tilde (~) to denote a bitwise NOT operation.
+
+The following is a list of significant bits for each instruction. Colon
+rows separate the individual 64-bit masks. The bit numbers in the first
+column are consistent with [1], that is, 0 denotes the leftmost bit and
+the numbering is continuous across 64-bit mask boundaries.
+
+ Bit Mask Facility/Function
+
+ stfle:
+ # 17 1<<46 message-security assist
+ # 25 1<<38 store-clock-fast facility
+ :
+ # 76 1<<51 message-security assist extension 3
+ # 77 1<<50 message-security assist extension 4
+ :
+ #129 1<<62 vector facility
+ #134 1<<57 vector packed decimal facility
+ #135 1<<56 vector enhancements facility 1
+ #146 1<<45 message-security assist extension 8
+
+ kimd :
+ # 1 1<<62 KIMD-SHA-1
+ # 2 1<<61 KIMD-SHA-256
+ # 3 1<<60 KIMD-SHA-512
+ # 32 1<<31 KIMD-SHA3-224
+ # 33 1<<30 KIMD-SHA3-256
+ # 34 1<<29 KIMD-SHA3-384
+ # 35 1<<28 KIMD-SHA3-512
+ # 36 1<<27 KIMD-SHAKE-128
+ # 37 1<<26 KIMD-SHAKE-256
+ :
+ # 65 1<<62 KIMD-GHASH
+
+ klmd :
+ # 32 1<<31 KLMD-SHA3-224
+ # 33 1<<30 KLMD-SHA3-256
+ # 34 1<<29 KLMD-SHA3-384
+ # 35 1<<28 KLMD-SHA3-512
+ # 36 1<<27 KLMD-SHAKE-128
+ # 37 1<<26 KLMD-SHAKE-256
+ :
+
+ km :
+ # 18 1<<45 KM-AES-128
+ # 19 1<<44 KM-AES-192
+ # 20 1<<43 KM-AES-256
+ # 50 1<<13 KM-XTS-AES-128
+ # 52 1<<11 KM-XTS-AES-256
+ :
+
+ kmc :
+ # 18 1<<45 KMC-AES-128
+ # 19 1<<44 KMC-AES-192
+ # 20 1<<43 KMC-AES-256
+ :
+
+ kmac :
+ # 18 1<<45 KMAC-AES-128
+ # 19 1<<44 KMAC-AES-192
+ # 20 1<<43 KMAC-AES-256
+ :
+
+ kmctr:
+ :
+
+ kmo :
+ # 18 1<<45 KMO-AES-128
+ # 19 1<<44 KMO-AES-192
+ # 20 1<<43 KMO-AES-256
+ :
+
+ kmf :
+ # 18 1<<45 KMF-AES-128
+ # 19 1<<44 KMF-AES-192
+ # 20 1<<43 KMF-AES-256
+ :
+
+ prno :
+ :
+
+ kma :
+ # 18 1<<45 KMA-GCM-AES-128
+ # 19 1<<44 KMA-GCM-AES-192
+ # 20 1<<43 KMA-GCM-AES-256
+ :
+
+=head1 EXAMPLES
+
+Disables all instruction set extensions which the z196 processor does not
implement:
+
+ OPENSSL_s390xcap="z196"
+
+Disables the vector facility:
+
+ OPENSSL_s390xcap="stfle:~0:~0:~0x4000000000000000"
+
+Disables the KM-XTS-AES and and the KIMD-SHAKE function codes:
+
+ OPENSSL_s390xcap="km:~0x2800:~0;kimd:~0xc000000:~0"
+
+=head1 RETURN VALUES
+
+Not available.
+
+=head1 SEE ALSO
+
+[1] z/Architecture Principles of Operation, SA22-7832-11
+
+=head1 COPYRIGHT
+
+Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the OpenSSL license (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/util/private.num b/util/private.num
index c456578c335..2bfe987b437 100644
--- a/util/private.num
+++ b/util/private.num
@@ -3,6 +3,7 @@
# assembly language, etc.
#
OPENSSL_ia32cap environment
+OPENSSL_s390xcap environment
OPENSSL_MALLOC_FD environment
OPENSSL_MALLOC_FAILURES environment
OPENSSL_instrument_bus assembler
++++++ openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch ++++++
>From e382f507fb67863be02bfa69b08533cc55f0cd96 Mon Sep 17 00:00:00 2001
From: Patrick Steuer <patrick.ste...@de.ibm.com>
Date: Thu, 27 Jun 2019 01:07:54 +0200
Subject: [PATCH 08967/10000] s390x assembly pack: add support for pcc and kma
instructions
Signed-off-by: Patrick Steuer <patrick.ste...@de.ibm.com>
Reviewed-by: Richard Levitte <levi...@openssl.org>
Reviewed-by: Shane Lontis <shane.lon...@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9258)
---
crypto/s390x_arch.h | 22 ++++++++
crypto/s390xcap.c | 119 +++++++++++++++++++++++++++++++++++++++++++
crypto/s390xcpuid.pl | 71 ++++++++++++++++++++++++++
3 files changed, 212 insertions(+)
Index: openssl-1.1.1d/crypto/s390x_arch.h
===================================================================
--- openssl-1.1.1d.orig/crypto/s390x_arch.h
+++ openssl-1.1.1d/crypto/s390x_arch.h
@@ -26,6 +26,9 @@ void s390x_kmf(const unsigned char *in,
unsigned int fc, void *param);
void s390x_kma(const unsigned char *aad, size_t alen, const unsigned char *in,
size_t len, unsigned char *out, unsigned int fc, void *param);
+int s390x_pcc(unsigned int fc, void *param);
+int s390x_kdsa(unsigned int fc, void *param, const unsigned char *in,
+ size_t len);
/*
* The field elements of OPENSSL_s390xcap_P are the 64-bit words returned by
@@ -45,6 +48,8 @@ struct OPENSSL_s390xcap_st {
unsigned long long kmf[2];
unsigned long long prno[2];
unsigned long long kma[2];
+ unsigned long long pcc[2];
+ unsigned long long kdsa[2];
};
extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P;
@@ -69,6 +74,8 @@ extern struct OPENSSL_s390xcap_st OPENSS
# define S390X_KMF 0x90
# define S390X_PRNO 0xa0
# define S390X_KMA 0xb0
+# define S390X_PCC 0xc0
+# define S390X_KDSA 0xd0
/* Facility Bit Numbers */
# define S390X_MSA 17 /* message-security-assist */
@@ -80,6 +87,7 @@ extern struct OPENSSL_s390xcap_st OPENSS
# define S390X_VXD 134 /* vector packed decimal */
# define S390X_VXE 135 /* vector enhancements 1 */
# define S390X_MSA8 146 /* message-security-assist-ext. 8 */
+# define S390X_MSA9 155 /* message-security-assist-ext. 9 */
/* Function Codes */
@@ -111,10 +119,24 @@ extern struct OPENSSL_s390xcap_st OPENSS
# define S390X_SHA_512_DRNG 3
# define S390X_TRNG 114
+/* pcc */
+# define S390X_SCALAR_MULTIPLY_P256 64
+# define S390X_SCALAR_MULTIPLY_P384 65
+# define S390X_SCALAR_MULTIPLY_P521 66
+
+/* kdsa */
+# define S390X_ECDSA_VERIFY_P256 1
+# define S390X_ECDSA_VERIFY_P384 2
+# define S390X_ECDSA_VERIFY_P521 3
+# define S390X_ECDSA_SIGN_P256 9
+# define S390X_ECDSA_SIGN_P384 10
+# define S390X_ECDSA_SIGN_P521 11
+
/* Register 0 Flags */
# define S390X_DECRYPT 0x80
# define S390X_KMA_LPC 0x100
# define S390X_KMA_LAAD 0x200
# define S390X_KMA_HS 0x400
+# define S390X_KDSA_D 0x80
#endif
Index: openssl-1.1.1d/crypto/s390xcap.c
===================================================================
--- openssl-1.1.1d.orig/crypto/s390xcap.c
+++ openssl-1.1.1d/crypto/s390xcap.c
@@ -137,6 +137,10 @@ void OPENSSL_cpuid_setup(void)
OPENSSL_s390xcap_P.prno[1] &= cap.prno[1];
OPENSSL_s390xcap_P.kma[0] &= cap.kma[0];
OPENSSL_s390xcap_P.kma[1] &= cap.kma[1];
+ OPENSSL_s390xcap_P.pcc[0] &= cap.pcc[0];
+ OPENSSL_s390xcap_P.pcc[1] &= cap.pcc[1];
+ OPENSSL_s390xcap_P.kdsa[0] &= cap.kdsa[0];
+ OPENSSL_s390xcap_P.kdsa[1] &= cap.kdsa[1];
}
}
@@ -163,6 +167,8 @@ static int parse_env(struct OPENSSL_s390
.kmf = {0ULL, 0ULL},
.prno = {0ULL, 0ULL},
.kma = {0ULL, 0ULL},
+ .pcc = {0ULL, 0ULL},
+ .kdsa = {0ULL, 0ULL},
};
/*-
@@ -189,6 +195,8 @@ static int parse_env(struct OPENSSL_s390
.kmf = {0ULL, 0ULL},
.prno = {0ULL, 0ULL},
.kma = {0ULL, 0ULL},
+ .pcc = {0ULL, 0ULL},
+ .kdsa = {0ULL, 0ULL},
};
/*-
@@ -220,6 +228,8 @@ static int parse_env(struct OPENSSL_s390
.kmf = {0ULL, 0ULL},
.prno = {0ULL, 0ULL},
.kma = {0ULL, 0ULL},
+ .pcc = {0ULL, 0ULL},
+ .kdsa = {0ULL, 0ULL},
};
/*-
@@ -257,6 +267,8 @@ static int parse_env(struct OPENSSL_s390
.kmf = {0ULL, 0ULL},
.prno = {0ULL, 0ULL},
.kma = {0ULL, 0ULL},
+ .pcc = {0ULL, 0ULL},
+ .kdsa = {0ULL, 0ULL},
};
/*-
@@ -313,6 +325,9 @@ static int parse_env(struct OPENSSL_s390
0ULL},
.prno = {0ULL, 0ULL},
.kma = {0ULL, 0ULL},
+ .pcc = {S390X_CAPBIT(S390X_QUERY),
+ 0ULL},
+ .kdsa = {0ULL, 0ULL},
};
/*-
@@ -369,6 +384,9 @@ static int parse_env(struct OPENSSL_s390
0ULL},
.prno = {0ULL, 0ULL},
.kma = {0ULL, 0ULL},
+ .pcc = {S390X_CAPBIT(S390X_QUERY),
+ 0ULL},
+ .kdsa = {0ULL, 0ULL},
};
/*-
@@ -429,6 +447,9 @@ static int parse_env(struct OPENSSL_s390
| S390X_CAPBIT(S390X_SHA_512_DRNG),
0ULL},
.kma = {0ULL, 0ULL},
+ .pcc = {S390X_CAPBIT(S390X_QUERY),
+ 0ULL},
+ .kdsa = {0ULL, 0ULL},
};
/*-
@@ -508,6 +529,101 @@ static int parse_env(struct OPENSSL_s390
| S390X_CAPBIT(S390X_AES_192)
| S390X_CAPBIT(S390X_AES_256),
0ULL},
+ .pcc = {S390X_CAPBIT(S390X_QUERY),
+ 0ULL},
+ .kdsa = {0ULL, 0ULL},
+ };
+
+ /*-
+ * z15 (2019) - z/Architecture POP SA22-7832-12
+ * Implements MSA and MSA1-9.
+ */
+ static const struct OPENSSL_s390xcap_st z15 = {
+ /*.stfle = */{S390X_CAPBIT(S390X_MSA)
+ | S390X_CAPBIT(S390X_STCKF)
+ | S390X_CAPBIT(S390X_MSA5),
+ S390X_CAPBIT(S390X_MSA3)
+ | S390X_CAPBIT(S390X_MSA4),
+ S390X_CAPBIT(S390X_VX)
+ | S390X_CAPBIT(S390X_VXD)
+ | S390X_CAPBIT(S390X_VXE)
+ | S390X_CAPBIT(S390X_MSA8),
+ 0ULL},
+ /*.kimd = */{S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_SHA_1)
+ | S390X_CAPBIT(S390X_SHA_256)
+ | S390X_CAPBIT(S390X_SHA_512)
+ | S390X_CAPBIT(S390X_SHA3_224)
+ | S390X_CAPBIT(S390X_SHA3_256)
+ | S390X_CAPBIT(S390X_SHA3_384)
+ | S390X_CAPBIT(S390X_SHA3_512)
+ | S390X_CAPBIT(S390X_SHAKE_128)
+ | S390X_CAPBIT(S390X_SHAKE_256),
+ S390X_CAPBIT(S390X_GHASH)},
+ /*.klmd = */{S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_SHA_1)
+ | S390X_CAPBIT(S390X_SHA_256)
+ | S390X_CAPBIT(S390X_SHA_512)
+ | S390X_CAPBIT(S390X_SHA3_224)
+ | S390X_CAPBIT(S390X_SHA3_256)
+ | S390X_CAPBIT(S390X_SHA3_384)
+ | S390X_CAPBIT(S390X_SHA3_512)
+ | S390X_CAPBIT(S390X_SHAKE_128)
+ | S390X_CAPBIT(S390X_SHAKE_256),
+ 0ULL},
+ /*.km = */{S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256)
+ | S390X_CAPBIT(S390X_XTS_AES_128)
+ | S390X_CAPBIT(S390X_XTS_AES_256),
+ 0ULL},
+ /*.kmc = */{S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256),
+ 0ULL},
+ /*.kmac = */{S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256),
+ 0ULL},
+ /*.kmctr = */{S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256),
+ 0ULL},
+ /*.kmo = */{S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256),
+ 0ULL},
+ /*.kmf = */{S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256),
+ 0ULL},
+ /*.prno = */{S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_SHA_512_DRNG),
+ S390X_CAPBIT(S390X_TRNG)},
+ /*.kma = */{S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256),
+ 0ULL},
+ /*.pcc = */{S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P256)
+ | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P384)
+ | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P521),
+ 0ULL},
+ /*.kdsa = */{S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_ECDSA_VERIFY_P256)
+ | S390X_CAPBIT(S390X_ECDSA_VERIFY_P384)
+ | S390X_CAPBIT(S390X_ECDSA_VERIFY_P521)
+ | S390X_CAPBIT(S390X_ECDSA_SIGN_P256)
+ | S390X_CAPBIT(S390X_ECDSA_SIGN_P384)
+ | S390X_CAPBIT(S390X_ECDSA_SIGN_P521),
+ 0ULL},
};
char *tok_begin, *tok_end, *buff, tok[S390X_STFLE_MAX][LEN + 1];
@@ -551,6 +667,8 @@ static int parse_env(struct OPENSSL_s390
else if TOK_FUNC(kmf)
else if TOK_FUNC(prno)
else if TOK_FUNC(kma)
+ else if TOK_FUNC(pcc)
+ else if TOK_FUNC(kdsa)
/* CPU model tokens */
else if TOK_CPU(z900)
@@ -561,6 +679,7 @@ static int parse_env(struct OPENSSL_s390
else if TOK_CPU(zEC12)
else if TOK_CPU(z13)
else if TOK_CPU(z14)
+ else if TOK_CPU(z15)
/* whitespace(ignored) or invalid tokens */
else {
Index: openssl-1.1.1d/crypto/s390xcpuid.pl
===================================================================
--- openssl-1.1.1d.orig/crypto/s390xcpuid.pl
+++ openssl-1.1.1d/crypto/s390xcpuid.pl
@@ -77,8 +77,13 @@ OPENSSL_s390x_functions:
stg %r0,S390X_PRNO+8(%r4)
stg %r0,S390X_KMA(%r4)
stg %r0,S390X_KMA+8(%r4)
+ stg %r0,S390X_PCC(%r4)
+ stg %r0,S390X_PCC+8(%r4)
+ stg %r0,S390X_KDSA(%r4)
+ stg %r0,S390X_KDSA+8(%r4)
lmg %r2,%r3,S390X_STFLE(%r4)
+
tmhl %r2,0x4000 # check for message-security-assist
jz .Lret
@@ -102,6 +107,13 @@ OPENSSL_s390x_functions:
la %r1,S390X_KMAC(%r4)
.long 0xb91e0042 # kmac %r4,%r2
+ tmhh %r3,0x0003 # check for message-security-assist-3
+ jz .Lret
+
+ lghi %r0,S390X_QUERY # query pcc capability vector
+ la %r1,S390X_PCC(%r4)
+ .long 0xb92c0000 # pcc
+
tmhh %r3,0x0004 # check for message-security-assist-4
jz .Lret
@@ -125,6 +137,7 @@ OPENSSL_s390x_functions:
.long 0xb93c0042 # prno %r4,%r2
lg %r2,S390X_STFLE+16(%r4)
+
tmhl %r2,0x2000 # check for message-security-assist-8
jz .Lret
@@ -132,6 +145,13 @@ OPENSSL_s390x_functions:
la %r1,S390X_KMA(%r4)
.long 0xb9294022 # kma %r2,%r4,%r2
+ tmhl %r2,0x0010 # check for message-security-assist-9
+ jz .Lret
+
+ lghi %r0,S390X_QUERY # query kdsa capability vector
+ la %r1,S390X_KDSA(%r4)
+ .long 0xb93a0002 # kdsa %r0,%r2
+
.Lret:
br $ra
.size OPENSSL_s390x_functions,.-OPENSSL_s390x_functions
@@ -422,6 +442,57 @@ s390x_kma:
___
}
+################
+# void s390x_pcc(unsigned int fc, void *param)
+{
+my ($fc,$param) = map("%r$_",(2..3));
+$code.=<<___;
+.globl s390x_pcc
+.type s390x_pcc,\@function
+.align 16
+s390x_pcc:
+ lr %r0,$fc
+ l${g}r %r1,$param
+ lhi %r2,0
+
+ .long 0xb92c0000 # pcc
+ brc 1,.-4 # pay attention to "partial completion"
+ brc 7,.Lpcc_err # if CC==0 return 0, else return 1
+.Lpcc_out:
+ br $ra
+.Lpcc_err:
+ lhi %r2,1
+ j .Lpcc_out
+.size s390x_pcc,.-s390x_pcc
+___
+}
+
+################
+# void s390x_kdsa(unsigned int fc, void *param,
+# const unsigned char *in, size_t len)
+{
+my ($fc,$param,$in,$len) = map("%r$_",(2..5));
+$code.=<<___;
+.globl s390x_kdsa
+.type s390x_kdsa,\@function
+.align 16
+s390x_kdsa:
+ lr %r0,$fc
+ l${g}r %r1,$param
+ lhi %r2,0
+
+ .long 0xb93a0004 # kdsa %r0,$in
+ brc 1,.-4 # pay attention to "partial completion"
+ brc 7,.Lkdsa_err # if CC==0 return 0, else return 1
+.Lkdsa_out:
+ br $ra
+.Lkdsa_err:
+ lhi %r2,1
+ j .Lkdsa_out
+.size s390x_kdsa,.-s390x_kdsa
+___
+}
+
$code.=<<___;
.section .init
brasl $ra,OPENSSL_cpuid_setup
++++++ openssl-s390x-assembly-pack-cleanse-only-sensitive-fields.patch ++++++
>From 2281be2ed4a7df462677661d30b13826ae6b3e26 Mon Sep 17 00:00:00 2001
From: Patrick Steuer <patrick.ste...@de.ibm.com>
Date: Tue, 24 Sep 2019 14:44:27 +0200
Subject: [PATCH 09530/10000] s390x assembly pack: cleanse only sensitive
fields
of instruction parameter blocks.
Signed-off-by: Patrick Steuer <patrick.ste...@de.ibm.com>
Reviewed-by: Richard Levitte <levi...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10004)
---
crypto/ec/ecp_s390x_nistp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/crypto/ec/ecp_s390x_nistp.c b/crypto/ec/ecp_s390x_nistp.c
index be81f0b8f0..9533698b0f 100644
--- a/crypto/ec/ecp_s390x_nistp.c
+++ b/crypto/ec/ecp_s390x_nistp.c
@@ -110,7 +110,7 @@ ret:
/* Otherwise use default. */
if (rc == -1)
rc = ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx);
- OPENSSL_cleanse(param, sizeof(param));
+ OPENSSL_cleanse(param + S390X_OFF_SCALAR(len), len);
BN_CTX_end(ctx);
BN_CTX_free(new_ctx);
return rc;
@@ -203,7 +203,7 @@ static ECDSA_SIG *ecdsa_s390x_nistp_sign_sig(const unsigned
char *dgst,
ok = 1;
ret:
- OPENSSL_cleanse(param, sizeof(param));
+ OPENSSL_cleanse(param + S390X_OFF_K(len), 2 * len);
if (ok != 1) {
ECDSA_SIG_free(sig);
sig = NULL;
--
2.24.0
++++++ openssl-s390x-assembly-pack-fix-OPENSSL_s390xcap-z15-cpu-mas.patch ++++++
>From ac037dc874a721ca81a33b4314e26cef4a7e8d48 Mon Sep 17 00:00:00 2001
From: Patrick Steuer <patrick.ste...@de.ibm.com>
Date: Tue, 24 Sep 2019 23:20:00 +0200
Subject: [PATCH 09529/10000] s390x assembly pack: fix OPENSSL_s390xcap z15 cpu
mask
Signed-off-by: Patrick Steuer <patrick.ste...@de.ibm.com>
Reviewed-by: Richard Levitte <levi...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10004)
---
crypto/s390xcap.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/crypto/s390xcap.c b/crypto/s390xcap.c
index 5123e14fa6..3e6aeae1df 100644
--- a/crypto/s390xcap.c
+++ b/crypto/s390xcap.c
@@ -578,7 +578,8 @@ static int parse_env(struct OPENSSL_s390xcap_st *cap)
S390X_CAPBIT(S390X_VX)
| S390X_CAPBIT(S390X_VXD)
| S390X_CAPBIT(S390X_VXE)
- | S390X_CAPBIT(S390X_MSA8),
+ | S390X_CAPBIT(S390X_MSA8)
+ | S390X_CAPBIT(S390X_MSA9),
0ULL},
/*.kimd = */{S390X_CAPBIT(S390X_QUERY)
| S390X_CAPBIT(S390X_SHA_1)
@@ -642,11 +643,10 @@ static int parse_env(struct OPENSSL_s390xcap_st *cap)
| S390X_CAPBIT(S390X_AES_192)
| S390X_CAPBIT(S390X_AES_256),
0ULL},
- /*.pcc = */{S390X_CAPBIT(S390X_QUERY)
- | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P256)
+ /*.pcc = */{S390X_CAPBIT(S390X_QUERY),
+ S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P256)
| S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P384)
- | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P521),
- 0ULL},
+ | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P521)},
/*.kdsa = */{S390X_CAPBIT(S390X_QUERY)
| S390X_CAPBIT(S390X_ECDSA_VERIFY_P256)
| S390X_CAPBIT(S390X_ECDSA_VERIFY_P384)
--
2.24.0
++++++ openssl-s390x-assembly-pack-fix-msa3-stfle-bit-detection.patch ++++++
>From b3681e2641999be6c1f70e66497fe384d683a07e Mon Sep 17 00:00:00 2001
From: Patrick Steuer <patrick.ste...@de.ibm.com>
Date: Tue, 24 Sep 2019 23:03:19 +0200
Subject: [PATCH 09528/10000] s390x assembly pack: fix msa3 stfle bit detection
Signed-off-by: Patrick Steuer <patrick.ste...@de.ibm.com>
Reviewed-by: Richard Levitte <levi...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10004)
---
crypto/s390xcpuid.pl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: openssl-1.1.1d/crypto/s390xcpuid.pl
===================================================================
--- openssl-1.1.1d.orig/crypto/s390xcpuid.pl 2020-01-23 13:45:11.064632028
+0100
+++ openssl-1.1.1d/crypto/s390xcpuid.pl 2020-01-23 13:45:11.188632764 +0100
@@ -107,7 +107,7 @@ OPENSSL_s390x_functions:
la %r1,S390X_KMAC(%r4)
.long 0xb91e0042 # kmac %r4,%r2
- tmhh %r3,0x0003 # check for message-security-assist-3
+ tmhh %r3,0x0008 # check for message-security-assist-3
jz .Lret
lghi %r0,S390X_QUERY # query pcc capability vector
++++++ openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch ++++++
>From da93b5cc2bc931b998f33ee432bc1ae2b38fccca Mon Sep 17 00:00:00 2001
From: Patrick Steuer <patrick.ste...@de.ibm.com>
Date: Wed, 26 Jun 2019 23:41:35 +0200
Subject: [PATCH 08968/10000] s390x assembly pack: update OPENSSL_s390xcap(3)
Add description of capability vector's pcc and kma parts.
Signed-off-by: Patrick Steuer <patrick.ste...@de.ibm.com>
Reviewed-by: Richard Levitte <levi...@openssl.org>
Reviewed-by: Shane Lontis <shane.lon...@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9258)
---
doc/man3/OPENSSL_s390xcap.pod | 21 ++++++++++++++++++---
1 file changed, 18 insertions(+), 3 deletions(-)
Index: openssl-1.1.1d/doc/man3/OPENSSL_s390xcap.pod
===================================================================
--- openssl-1.1.1d.orig/doc/man3/OPENSSL_s390xcap.pod
+++ openssl-1.1.1d/doc/man3/OPENSSL_s390xcap.pod
@@ -34,14 +34,14 @@ There are three types of tokens:
The name of a processor generation. A bit in the environment variable's
mask is set to one if and only if the specified processor generation
implements the corresponding instruction set extension. Possible values
-are z900, z990, z9, z10, z196, zEC12, z13 and z14.
+are z900, z990, z9, z10, z196, zEC12, z13, z14 and z15.
=item <string>:<mask>:<mask>
The name of an instruction followed by two 64-bit masks. The part of the
environment variable's mask corresponding to the specified instruction is
set to the specified 128-bit mask. Possible values are kimd, klmd, km, kmc,
-kmac, kmctr, kmo, kmf, prno and kma.
+kmac, kmctr, kmo, kmf, prno, kma, pcc and kdsa.
=item stfle:<mask>:<mask>:<mask>
@@ -153,13 +153,28 @@ Disables the KM-XTS-AES and and the KIMD
OPENSSL_s390xcap="km:~0x2800:~0;kimd:~0xc000000:~0"
+ pcc :
+ :
+ # 64 1<<63 PCC-Scalar-Multiply-P256
+ # 65 1<<62 PCC-Scalar-Multiply-P384
+ # 66 1<<61 PCC-Scalar-Multiply-P521
+
+ kdsa :
+ # 1 1<<62 KDSA-ECDSA-Verify-P256
+ # 2 1<<61 KDSA-ECDSA-Verify-P384
+ # 3 1<<60 KDSA-ECDSA-Verify-P521
+ # 9 1<<54 KDSA-ECDSA-Sign-P256
+ # 10 1<<53 KDSA-ECDSA-Sign-P384
+ # 11 1<<52 KDSA-ECDSA-Sign-P521
+ :
+
=head1 RETURN VALUES
Not available.
=head1 SEE ALSO
-[1] z/Architecture Principles of Operation, SA22-7832-11
+[1] z/Architecture Principles of Operation, SA22-7832-12
=head1 COPYRIGHT
++++++
openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch
++++++
Index: openssl-1.1.1d/crypto/ec/ecx_meth.c
===================================================================
--- openssl-1.1.1d.orig/crypto/ec/ecx_meth.c
+++ openssl-1.1.1d/crypto/ec/ecx_meth.c
@@ -842,6 +842,7 @@ static const EVP_PKEY_METHOD ed448_pkey_
#ifdef S390X_EC_ASM
# include "s390x_arch.h"
+# include "internal/constant_time_locl.h"
static void s390x_x25519_mod_p(unsigned char u[32])
{
@@ -855,16 +856,16 @@ static void s390x_x25519_mod_p(unsigned
u_red[31] = (unsigned char)c;
c >>= 8;
- for (i = 30; c > 0 && i >= 0; i--) {
+ for (i = 30; i >= 0; i--) {
c += (unsigned int)u_red[i];
u_red[i] = (unsigned char)c;
c >>= 8;
}
- if (u_red[0] & 0x80) {
- u_red[0] &= 0x7f;
- memcpy(u, u_red, sizeof(u_red));
- }
+ c = (u_red[0] & 0x80) >> 7;
+ u_red[0] &= 0x7f;
+ constant_time_cond_swap_buff(0 - (unsigned char)c,
+ u, u_red, sizeof(u_red));
}
static void s390x_x448_mod_p(unsigned char u[56])
@@ -889,16 +890,14 @@ static void s390x_x448_mod_p(unsigned ch
u_red[27] = (unsigned char)c;
c >>= 8;
- for (i = 26; c > 0 && i >= 0; i--) {
+ for (i = 26; i >= 0; i--) {
c += (unsigned int)u_red[i];
u_red[i] = (unsigned char)c;
c >>= 8;
}
- if (u_red[0] & 0x80) {
- u_red[0] &= 0x7f;
- memcpy(u, u_red, sizeof(u_red));
- }
+ constant_time_cond_swap_buff(0 - (unsigned char)c,
+ u, u_red, sizeof(u_red));
}
static int s390x_x25519_mul(unsigned char u_dst[32],
@@ -954,7 +953,7 @@ static int s390x_x448_mul(unsigned char
memcpy(param.x448.d_src, d_src, 56);
s390x_flip_endian64(param.x448.u_src, param.x448.u_src);
- s390x_x448_mod_p(param.x448.u_src);
+ s390x_x448_mod_p(param.x448.u_src + 8);
s390x_flip_endian64(param.x448.d_src, param.x448.d_src);
param.x448.d_src[63] &= 252;
Index: openssl-1.1.1d/include/internal/constant_time_locl.h
===================================================================
--- openssl-1.1.1d.orig/include/internal/constant_time_locl.h
+++ openssl-1.1.1d/include/internal/constant_time_locl.h
@@ -353,6 +353,34 @@ static ossl_inline void constant_time_co
}
/*
+ * mask must be 0xFF or 0x00.
+ * "constant time" is per len.
+ *
+ * if (mask) {
+ * unsigned char tmp[len];
+ *
+ * memcpy(tmp, a, len);
+ * memcpy(a, b);
+ * memcpy(b, tmp);
+ * }
+ */
+static ossl_inline void constant_time_cond_swap_buff(unsigned char mask,
+ unsigned char *a,
+ unsigned char *b,
+ size_t len)
+{
+ size_t i;
+ unsigned char tmp;
+
+ for (i = 0; i < len; i++) {
+ tmp = a[i] ^ b[i];
+ tmp &= mask;
+ a[i] ^= tmp;
+ b[i] ^= tmp;
+ }
+}
+
+/*
* table is a two dimensional array of bytes. Each row has rowsize elements.
* Copies row number idx into out. rowsize and numrows are not considered
* private.
Index: openssl-1.1.1d/test/recipes/30-test_evp_data/evppkey.txt
===================================================================
--- openssl-1.1.1d.orig/test/recipes/30-test_evp_data/evppkey.txt
+++ openssl-1.1.1d/test/recipes/30-test_evp_data/evppkey.txt
@@ -814,6 +814,8 @@ PublicKeyRaw=Bob-448-PUBLIC-Raw:X448:3eb
PrivPubKeyPair = Bob-448-Raw:Bob-448-PUBLIC-Raw
+PublicKeyRaw=Bob-448-PUBLIC-Raw-NonCanonical:X448:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+
Derive=Alice-448
PeerKey=Bob-448-PUBLIC
SharedSecret=07fff4181ac6cc95ec1c16a94a0f74d12da232ce40a77552281d282bb60c0b56fd2464c335543936521c24403085d59a449a5037514a879d
@@ -830,6 +832,11 @@ Derive=Bob-448-Raw
PeerKey=Alice-448-PUBLIC-Raw
SharedSecret=07fff4181ac6cc95ec1c16a94a0f74d12da232ce40a77552281d282bb60c0b56fd2464c335543936521c24403085d59a449a5037514a879d
+# Self-generated non-canonical
+Derive=Alice-448-Raw
+PeerKey=Bob-448-PUBLIC-Raw-NonCanonical
+SharedSecret=66e2e682b1f8e68c809f1bb3e406bd826921d9c1a5bfbfcbab7ae72feecee63660eabd54934f3382061d17607f581a90bdac917a064959fb
+
# Illegal sign/verify operations with X448 key
Sign=Alice-448
++++++ openssl-s390xcpuid.pl-fix-comment.patch ++++++
>From 9baa4d5f4c9f596faba2b3e219b367a09c472d1d Mon Sep 17 00:00:00 2001
From: Patrick Steuer <patrick.ste...@de.ibm.com>
Date: Wed, 3 Jul 2019 18:02:11 +0200
Subject: [PATCH 09203/10000] s390xcpuid.pl: fix comment
Signed-off-by: Patrick Steuer <patrick.ste...@de.ibm.com>
Reviewed-by: Richard Levitte <levi...@openssl.org>
Reviewed-by: Shane Lontis <shane.lon...@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9348)
---
crypto/s390xcpuid.pl | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
Index: openssl-1.1.1d/crypto/s390xcpuid.pl
===================================================================
--- openssl-1.1.1d.orig/crypto/s390xcpuid.pl
+++ openssl-1.1.1d/crypto/s390xcpuid.pl
@@ -431,7 +431,7 @@ ___
}
################
-# void s390x_pcc(unsigned int fc, void *param)
+# int s390x_pcc(unsigned int fc, void *param)
{
my ($fc,$param) = map("%r$_",(2..3));
$code.=<<___;
@@ -456,8 +456,8 @@ ___
}
################
-# void s390x_kdsa(unsigned int fc, void *param,
-# const unsigned char *in, size_t len)
+# int s390x_kdsa(unsigned int fc, void *param,
+# const unsigned char *in, size_t len)
{
my ($fc,$param,$in,$len) = map("%r$_",(2..5));
$code.=<<___;
++++++ openssl-ship_fips_standalone_hmac.patch ++++++
Index: openssl-1.1.1d/crypto/fips/build.info
===================================================================
--- openssl-1.1.1d.orig/crypto/fips/build.info 2020-01-23 13:45:11.232633025
+0100
+++ openssl-1.1.1d/crypto/fips/build.info 2020-01-23 13:45:11.432634214
+0100
@@ -7,7 +7,7 @@ SOURCE[../../libcrypto]=\
fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \
fips_dh_selftest.c fips_ers.c
-PROGRAMS_NO_INST=\
+PROGRAMS=\
fips_standalone_hmac
SOURCE[fips_standalone_hmac]=fips_standalone_hmac.c
