diff options
| author | CoprDistGit <infra@openeuler.org> | 2024-08-01 14:09:41 +0000 |
|---|---|---|
| committer | CoprDistGit <infra@openeuler.org> | 2024-08-01 14:09:41 +0000 |
| commit | d8253271bee23ac54145c0ba1d15f48e6620bb5e (patch) | |
| tree | 470a23e7c4bb3541b4ff08932ce1fbd46fe59c9c /openssl-1.1.1-s390x-ecc.patch | |
| parent | 17146a82118c2690c851cbb31077186594ba86d6 (diff) | |
automatic import of compat-openssl11openeuler24.03_LTSopeneuler23.09
Diffstat (limited to 'openssl-1.1.1-s390x-ecc.patch')
| -rw-r--r-- | openssl-1.1.1-s390x-ecc.patch | 2306 |
1 files changed, 2306 insertions, 0 deletions
diff --git a/openssl-1.1.1-s390x-ecc.patch b/openssl-1.1.1-s390x-ecc.patch new file mode 100644 index 0000000..6b5963f --- /dev/null +++ b/openssl-1.1.1-s390x-ecc.patch @@ -0,0 +1,2306 @@ +diff -up openssl-1.1.1g/Configurations/00-base-templates.conf.s390x-ecc openssl-1.1.1g/Configurations/00-base-templates.conf +--- openssl-1.1.1g/Configurations/00-base-templates.conf.s390x-ecc 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/Configurations/00-base-templates.conf 2020-05-18 12:45:40.855234262 +0200 +@@ -289,6 +289,7 @@ my %targets=( + template => 1, + cpuid_asm_src => "s390xcap.c s390xcpuid.S", + bn_asm_src => "asm/s390x.S s390x-mont.S s390x-gf2m.s", ++ ec_asm_src => "ecp_s390x_nistp.c", + aes_asm_src => "aes-s390x.S aes-ctr.fake aes-xts.fake", + sha1_asm_src => "sha1-s390x.S sha256-s390x.S sha512-s390x.S", + rc4_asm_src => "rc4-s390x.s", +diff -up openssl-1.1.1g/Configure.s390x-ecc openssl-1.1.1g/Configure +--- openssl-1.1.1g/Configure.s390x-ecc 2020-05-18 12:45:40.781233618 +0200 ++++ openssl-1.1.1g/Configure 2020-05-18 12:45:40.856234270 +0200 +@@ -1398,6 +1398,9 @@ unless ($disabled{asm}) { + if ($target{ec_asm_src} =~ /ecp_nistz256/) { + push @{$config{lib_defines}}, "ECP_NISTZ256_ASM"; + } ++ if ($target{ec_asm_src} =~ /ecp_s390x_nistp/) { ++ push @{$config{lib_defines}}, "S390X_EC_ASM"; ++ } + if ($target{ec_asm_src} =~ /x25519/) { + push @{$config{lib_defines}}, "X25519_ASM"; + } +diff -up openssl-1.1.1g/crypto/cmac/cm_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/cmac/cm_pmeth.c +--- openssl-1.1.1g/crypto/cmac/cm_pmeth.c.s390x-ecc 2020-05-18 12:45:40.782233627 +0200 ++++ openssl-1.1.1g/crypto/cmac/cm_pmeth.c 2020-05-18 12:45:42.661249957 +0200 +@@ -159,3 +159,8 @@ const EVP_PKEY_METHOD cmac_pkey_meth = { + pkey_cmac_ctrl, + pkey_cmac_ctrl_str + }; ++ ++const EVP_PKEY_METHOD *cmac_pkey_method(void) ++{ ++ return &cmac_pkey_meth; ++} +diff -up openssl-1.1.1g/crypto/dh/dh_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/dh/dh_pmeth.c +--- openssl-1.1.1g/crypto/dh/dh_pmeth.c.s390x-ecc 2020-05-18 12:45:40.782233627 +0200 ++++ openssl-1.1.1g/crypto/dh/dh_pmeth.c 2020-05-18 12:45:42.661249957 +0200 +@@ -512,6 +512,11 @@ const EVP_PKEY_METHOD dh_pkey_meth = { + pkey_dh_ctrl_str + }; + ++const EVP_PKEY_METHOD *dh_pkey_method(void) ++{ ++ return &dh_pkey_meth; ++} ++ + const EVP_PKEY_METHOD dhx_pkey_meth = { + EVP_PKEY_DHX, + EVP_PKEY_FLAG_FIPS, +@@ -545,3 +550,8 @@ const EVP_PKEY_METHOD dhx_pkey_meth = { + pkey_dh_ctrl, + pkey_dh_ctrl_str + }; ++ ++const EVP_PKEY_METHOD *dhx_pkey_method(void) ++{ ++ return &dhx_pkey_meth; ++} +diff -up openssl-1.1.1g/crypto/dsa/dsa_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/dsa/dsa_pmeth.c +--- openssl-1.1.1g/crypto/dsa/dsa_pmeth.c.s390x-ecc 2020-05-18 12:45:40.783233636 +0200 ++++ openssl-1.1.1g/crypto/dsa/dsa_pmeth.c 2020-05-18 12:45:42.662249966 +0200 +@@ -271,3 +271,8 @@ const EVP_PKEY_METHOD dsa_pkey_meth = { + pkey_dsa_ctrl, + pkey_dsa_ctrl_str + }; ++ ++const EVP_PKEY_METHOD *dsa_pkey_method(void) ++{ ++ return &dsa_pkey_meth; ++} +diff -up openssl-1.1.1g/crypto/ec/build.info.s390x-ecc openssl-1.1.1g/crypto/ec/build.info +--- openssl-1.1.1g/crypto/ec/build.info.s390x-ecc 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/crypto/ec/build.info 2020-05-18 12:45:42.662249966 +0200 +@@ -26,6 +26,9 @@ GENERATE[ecp_nistz256-armv8.S]=asm/ecp_n + INCLUDE[ecp_nistz256-armv8.o]=.. + GENERATE[ecp_nistz256-ppc64.s]=asm/ecp_nistz256-ppc64.pl $(PERLASM_SCHEME) + ++INCLUDE[ecp_s390x_nistp.o]=.. ++INCLUDE[ecx_meth.o]=.. ++ + GENERATE[x25519-x86_64.s]=asm/x25519-x86_64.pl $(PERLASM_SCHEME) + GENERATE[x25519-ppc64.s]=asm/x25519-ppc64.pl $(PERLASM_SCHEME) + +diff -up openssl-1.1.1g/crypto/ec/ec_curve.c.s390x-ecc openssl-1.1.1g/crypto/ec/ec_curve.c +--- openssl-1.1.1g/crypto/ec/ec_curve.c.s390x-ecc 2020-05-18 12:45:40.753233375 +0200 ++++ openssl-1.1.1g/crypto/ec/ec_curve.c 2020-05-18 12:45:42.663249975 +0200 +@@ -255,20 +255,29 @@ static const ec_list_element curve_list[ + {NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0, + "SECG curve over a 256 bit prime field"}, + /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */ +- {NID_secp384r1, &_EC_NIST_PRIME_384.h, 0, ++ {NID_secp384r1, &_EC_NIST_PRIME_384.h, ++# if defined(S390X_EC_ASM) ++ EC_GFp_s390x_nistp384_method, ++# else ++ 0, ++# endif + "NIST/SECG curve over a 384 bit prime field"}, +-#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 +- {NID_secp521r1, &_EC_NIST_PRIME_521.h, EC_GFp_nistp521_method, +- "NIST/SECG curve over a 521 bit prime field"}, +-#else +- {NID_secp521r1, &_EC_NIST_PRIME_521.h, 0, ++ {NID_secp521r1, &_EC_NIST_PRIME_521.h, ++# if defined(S390X_EC_ASM) ++ EC_GFp_s390x_nistp521_method, ++# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128) ++ EC_GFp_nistp521_method, ++# else ++ 0, ++# endif + "NIST/SECG curve over a 521 bit prime field"}, +-#endif + /* X9.62 curves */ + {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, + #if defined(ECP_NISTZ256_ASM) + EC_GFp_nistz256_method, +-#elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128) ++# elif defined(S390X_EC_ASM) ++ EC_GFp_s390x_nistp256_method, ++# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128) + EC_GFp_nistp256_method, + #else + 0, +diff -up openssl-1.1.1g/crypto/ec/ecdsa_ossl.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecdsa_ossl.c +--- openssl-1.1.1g/crypto/ec/ecdsa_ossl.c.s390x-ecc 2020-05-18 12:45:40.784233644 +0200 ++++ openssl-1.1.1g/crypto/ec/ecdsa_ossl.c 2020-05-18 12:45:42.664249983 +0200 +@@ -18,6 +18,41 @@ + # include <openssl/fips.h> + #endif + ++int ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, ++ BIGNUM **rp) ++{ ++ if (eckey->group->meth->ecdsa_sign_setup == NULL) { ++ ECerr(EC_F_OSSL_ECDSA_SIGN_SETUP, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA); ++ return 0; ++ } ++ ++ return eckey->group->meth->ecdsa_sign_setup(eckey, ctx_in, kinvp, rp); ++} ++ ++ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, ++ const BIGNUM *in_kinv, const BIGNUM *in_r, ++ EC_KEY *eckey) ++{ ++ if (eckey->group->meth->ecdsa_sign_sig == NULL) { ++ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA); ++ return NULL; ++ } ++ ++ return eckey->group->meth->ecdsa_sign_sig(dgst, dgst_len, ++ in_kinv, in_r, eckey); ++} ++ ++int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len, ++ const ECDSA_SIG *sig, EC_KEY *eckey) ++{ ++ if (eckey->group->meth->ecdsa_verify_sig == NULL) { ++ ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA); ++ return 0; ++ } ++ ++ return eckey->group->meth->ecdsa_verify_sig(dgst, dgst_len, sig, eckey); ++} ++ + int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen, + unsigned char *sig, unsigned int *siglen, + const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey) +@@ -149,15 +184,15 @@ static int ecdsa_sign_setup(EC_KEY *ecke + return ret; + } + +-int ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, +- BIGNUM **rp) ++int ecdsa_simple_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, ++ BIGNUM **rp) + { + return ecdsa_sign_setup(eckey, ctx_in, kinvp, rp, NULL, 0); + } + +-ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, +- const BIGNUM *in_kinv, const BIGNUM *in_r, +- EC_KEY *eckey) ++ECDSA_SIG *ecdsa_simple_sign_sig(const unsigned char *dgst, int dgst_len, ++ const BIGNUM *in_kinv, const BIGNUM *in_r, ++ EC_KEY *eckey) + { + int ok = 0, i; + BIGNUM *kinv = NULL, *s, *m = NULL; +@@ -218,25 +253,25 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns + if (8 * dgst_len > i) + dgst_len = (i + 7) / 8; + if (!BN_bin2bn(dgst, dgst_len, m)) { +- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_BN_LIB); + goto err; + } + /* If still too long, truncate remaining bits with a shift */ + if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) { +- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_BN_LIB); + goto err; + } + do { + if (in_kinv == NULL || in_r == NULL) { + if (!ecdsa_sign_setup(eckey, ctx, &kinv, &ret->r, dgst, dgst_len)) { +- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_ECDSA_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_ECDSA_LIB); + goto err; + } + ckinv = kinv; + } else { + ckinv = in_kinv; + if (BN_copy(ret->r, in_r) == NULL) { +- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE); ++ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_MALLOC_FAILURE); + goto err; + } + } +@@ -250,11 +285,11 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns + */ + if (!bn_to_mont_fixed_top(s, ret->r, group->mont_data, ctx) + || !bn_mul_mont_fixed_top(s, s, priv_key, group->mont_data, ctx)) { +- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_BN_LIB); + goto err; + } + if (!bn_mod_add_fixed_top(s, s, m, order)) { +- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_BN_LIB); + goto err; + } + /* +@@ -263,7 +298,7 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns + */ + if (!bn_to_mont_fixed_top(s, s, group->mont_data, ctx) + || !BN_mod_mul_montgomery(s, s, ckinv, group->mont_data, ctx)) { +- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_BN_LIB); + goto err; + } + +@@ -273,7 +308,7 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns + * generate new kinv and r values + */ + if (in_kinv != NULL && in_r != NULL) { +- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, EC_R_NEED_NEW_SETUP_VALUES); ++ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, EC_R_NEED_NEW_SETUP_VALUES); + goto err; + } + } else { +@@ -325,8 +360,8 @@ int ossl_ecdsa_verify(int type, const un + return ret; + } + +-int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len, +- const ECDSA_SIG *sig, EC_KEY *eckey) ++int ecdsa_simple_verify_sig(const unsigned char *dgst, int dgst_len, ++ const ECDSA_SIG *sig, EC_KEY *eckey) + { + int ret = -1, i; + BN_CTX *ctx; +@@ -346,18 +381,18 @@ int ossl_ecdsa_verify_sig(const unsigned + /* check input values */ + if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL || + (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, EC_R_MISSING_PARAMETERS); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, EC_R_MISSING_PARAMETERS); + return -1; + } + + if (!EC_KEY_can_sign(eckey)) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING); + return -1; + } + + ctx = BN_CTX_new(); + if (ctx == NULL) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_MALLOC_FAILURE); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_MALLOC_FAILURE); + return -1; + } + BN_CTX_start(ctx); +@@ -366,26 +401,26 @@ int ossl_ecdsa_verify_sig(const unsigned + m = BN_CTX_get(ctx); + X = BN_CTX_get(ctx); + if (X == NULL) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB); + goto err; + } + + order = EC_GROUP_get0_order(group); + if (order == NULL) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_EC_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_EC_LIB); + goto err; + } + + if (BN_is_zero(sig->r) || BN_is_negative(sig->r) || + BN_ucmp(sig->r, order) >= 0 || BN_is_zero(sig->s) || + BN_is_negative(sig->s) || BN_ucmp(sig->s, order) >= 0) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, EC_R_BAD_SIGNATURE); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, EC_R_BAD_SIGNATURE); + ret = 0; /* signature is invalid */ + goto err; + } + /* calculate tmp1 = inv(S) mod order */ + if (!ec_group_do_inverse_ord(group, u2, sig->s, ctx)) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB); + goto err; + } + /* digest -> m */ +@@ -396,41 +431,41 @@ int ossl_ecdsa_verify_sig(const unsigned + if (8 * dgst_len > i) + dgst_len = (i + 7) / 8; + if (!BN_bin2bn(dgst, dgst_len, m)) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB); + goto err; + } + /* If still too long truncate remaining bits with a shift */ + if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB); + goto err; + } + /* u1 = m * tmp mod order */ + if (!BN_mod_mul(u1, m, u2, order, ctx)) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB); + goto err; + } + /* u2 = r * w mod q */ + if (!BN_mod_mul(u2, sig->r, u2, order, ctx)) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB); + goto err; + } + + if ((point = EC_POINT_new(group)) == NULL) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_MALLOC_FAILURE); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_MALLOC_FAILURE); + goto err; + } + if (!EC_POINT_mul(group, point, u1, pub_key, u2, ctx)) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_EC_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_EC_LIB); + goto err; + } + + if (!EC_POINT_get_affine_coordinates(group, point, X, NULL, ctx)) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_EC_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_EC_LIB); + goto err; + } + + if (!BN_nnmod(u1, X, order, ctx)) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB); + goto err; + } + /* if the signature is correct u1 is equal to sig->r */ +diff -up openssl-1.1.1g/crypto/ec/ec_err.c.s390x-ecc openssl-1.1.1g/crypto/ec/ec_err.c +--- openssl-1.1.1g/crypto/ec/ec_err.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/crypto/ec/ec_err.c 2020-05-18 12:45:42.664249983 +0200 +@@ -31,6 +31,11 @@ static const ERR_STRING_DATA EC_str_func + {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIGN_SETUP, 0), "ECDSA_sign_setup"}, + {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIG_NEW, 0), "ECDSA_SIG_new"}, + {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_VERIFY, 0), "ECDSA_verify"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIMPLE_SIGN_SETUP, 0), "ecdsa_simple_sign_setup"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIMPLE_SIGN_SIG, 0), "ecdsa_simple_sign_sig"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIMPLE_VERIFY_SIG, 0), "ecdsa_simple_verify_sig"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_S390X_NISTP_SIGN_SIG, 0), "ecdsa_s390x_nistp_sign_sig"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, 0), "ecdsa_s390x_nistp_verify_sig"}, + {ERR_PACK(ERR_LIB_EC, EC_F_ECD_ITEM_VERIFY, 0), "ecd_item_verify"}, + {ERR_PACK(ERR_LIB_EC, EC_F_ECKEY_PARAM2TYPE, 0), "eckey_param2type"}, + {ERR_PACK(ERR_LIB_EC, EC_F_ECKEY_PARAM_DECODE, 0), "eckey_param_decode"}, +@@ -266,6 +271,7 @@ static const ERR_STRING_DATA EC_str_func + {ERR_PACK(ERR_LIB_EC, EC_F_OLD_EC_PRIV_DECODE, 0), "old_ec_priv_decode"}, + {ERR_PACK(ERR_LIB_EC, EC_F_OSSL_ECDH_COMPUTE_KEY, 0), + "ossl_ecdh_compute_key"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_OSSL_ECDSA_SIGN_SETUP, 0), "ossl_ecdsa_sign_setup"}, + {ERR_PACK(ERR_LIB_EC, EC_F_OSSL_ECDSA_SIGN_SIG, 0), "ossl_ecdsa_sign_sig"}, + {ERR_PACK(ERR_LIB_EC, EC_F_OSSL_ECDSA_VERIFY_SIG, 0), + "ossl_ecdsa_verify_sig"}, +@@ -284,6 +290,12 @@ static const ERR_STRING_DATA EC_str_func + {ERR_PACK(ERR_LIB_EC, EC_F_PKEY_EC_KEYGEN, 0), "pkey_ec_keygen"}, + {ERR_PACK(ERR_LIB_EC, EC_F_PKEY_EC_PARAMGEN, 0), "pkey_ec_paramgen"}, + {ERR_PACK(ERR_LIB_EC, EC_F_PKEY_EC_SIGN, 0), "pkey_ec_sign"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECD_DIGESTSIGN25519, 0), "s390x_pkey_ecd_digestsign25519"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECD_DIGESTSIGN448, 0), "s390x_pkey_ecd_digestsign448"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECD_KEYGEN25519, 0), "s390x_pkey_ecd_keygen25519"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECD_KEYGEN448, 0), "s390x_pkey_ecd_keygen448"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECX_KEYGEN25519, 0), "s390x_pkey_ecx_keygen25519"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECX_KEYGEN448, 0), "s390x_pkey_ecx_keygen448"}, + {ERR_PACK(ERR_LIB_EC, EC_F_VALIDATE_ECX_DERIVE, 0), "validate_ecx_derive"}, + {0, NULL} + }; +@@ -298,6 +310,8 @@ static const ERR_STRING_DATA EC_str_reas + "coordinates out of range"}, + {ERR_PACK(ERR_LIB_EC, 0, EC_R_CURVE_DOES_NOT_SUPPORT_ECDH), + "curve does not support ecdh"}, ++ {ERR_PACK(ERR_LIB_EC, 0, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA), ++ "curve does not support ecdsa"}, + {ERR_PACK(ERR_LIB_EC, 0, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING), + "curve does not support signing"}, + {ERR_PACK(ERR_LIB_EC, 0, EC_R_D2I_ECPKPARAMETERS_FAILURE), +diff -up openssl-1.1.1g/crypto/ec/ec_local.h.s390x-ecc openssl-1.1.1g/crypto/ec/ec_local.h +--- openssl-1.1.1g/crypto/ec/ec_local.h.s390x-ecc 2020-05-18 12:45:40.554231646 +0200 ++++ openssl-1.1.1g/crypto/ec/ec_local.h 2020-05-18 12:45:44.564266496 +0200 +@@ -179,6 +179,14 @@ struct ec_method_st { + /* custom ECDH operation */ + int (*ecdh_compute_key)(unsigned char **pout, size_t *poutlen, + const EC_POINT *pub_key, const EC_KEY *ecdh); ++ /* custom ECDSA */ ++ int (*ecdsa_sign_setup)(EC_KEY *eckey, BN_CTX *ctx, BIGNUM **kinvp, ++ BIGNUM **rp); ++ ECDSA_SIG *(*ecdsa_sign_sig)(const unsigned char *dgst, int dgstlen, ++ const BIGNUM *kinv, const BIGNUM *r, ++ EC_KEY *eckey); ++ int (*ecdsa_verify_sig)(const unsigned char *dgst, int dgstlen, ++ const ECDSA_SIG *sig, EC_KEY *eckey); + /* Inverse modulo order */ + int (*field_inverse_mod_ord)(const EC_GROUP *, BIGNUM *r, + const BIGNUM *x, BN_CTX *); +@@ -587,6 +595,11 @@ int ec_group_simple_order_bits(const EC_ + */ + const EC_METHOD *EC_GFp_nistz256_method(void); + #endif ++#ifdef S390X_EC_ASM ++const EC_METHOD *EC_GFp_s390x_nistp256_method(void); ++const EC_METHOD *EC_GFp_s390x_nistp384_method(void); ++const EC_METHOD *EC_GFp_s390x_nistp521_method(void); ++#endif + + size_t ec_key_simple_priv2oct(const EC_KEY *eckey, + unsigned char *buf, size_t len); +@@ -651,6 +664,13 @@ int ossl_ecdsa_verify(int type, const un + const unsigned char *sigbuf, int sig_len, EC_KEY *eckey); + int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len, + const ECDSA_SIG *sig, EC_KEY *eckey); ++int ecdsa_simple_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, ++ BIGNUM **rp); ++ECDSA_SIG *ecdsa_simple_sign_sig(const unsigned char *dgst, int dgst_len, ++ const BIGNUM *in_kinv, const BIGNUM *in_r, ++ EC_KEY *eckey); ++int ecdsa_simple_verify_sig(const unsigned char *dgst, int dgst_len, ++ const ECDSA_SIG *sig, EC_KEY *eckey); + + int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len, + const uint8_t public_key[32], const uint8_t private_key[32]); +diff -up openssl-1.1.1g/crypto/ec/ec_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/ec/ec_pmeth.c +--- openssl-1.1.1g/crypto/ec/ec_pmeth.c.s390x-ecc 2020-05-18 12:45:40.784233644 +0200 ++++ openssl-1.1.1g/crypto/ec/ec_pmeth.c 2020-05-18 12:45:44.565266505 +0200 +@@ -474,3 +474,8 @@ const EVP_PKEY_METHOD ec_pkey_meth = { + pkey_ec_ctrl, + pkey_ec_ctrl_str + }; ++ ++const EVP_PKEY_METHOD *ec_pkey_method(void) ++{ ++ return &ec_pkey_meth; ++} +diff -up openssl-1.1.1g/crypto/ec/ecp_mont.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecp_mont.c +--- openssl-1.1.1g/crypto/ec/ecp_mont.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/crypto/ec/ecp_mont.c 2020-05-18 12:45:44.567266523 +0200 +@@ -63,6 +63,9 @@ const EC_METHOD *EC_GFp_mont_method(void + 0, /* keycopy */ + 0, /* keyfinish */ + ecdh_simple_compute_key, ++ ecdsa_simple_sign_setup, ++ ecdsa_simple_sign_sig, ++ ecdsa_simple_verify_sig, + 0, /* field_inverse_mod_ord */ + ec_GFp_simple_blind_coordinates, + ec_GFp_simple_ladder_pre, +diff -up openssl-1.1.1g/crypto/ec/ecp_nist.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecp_nist.c +--- openssl-1.1.1g/crypto/ec/ecp_nist.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/crypto/ec/ecp_nist.c 2020-05-18 12:45:44.567266523 +0200 +@@ -65,6 +65,9 @@ const EC_METHOD *EC_GFp_nist_method(void + 0, /* keycopy */ + 0, /* keyfinish */ + ecdh_simple_compute_key, ++ ecdsa_simple_sign_setup, ++ ecdsa_simple_sign_sig, ++ ecdsa_simple_verify_sig, + 0, /* field_inverse_mod_ord */ + ec_GFp_simple_blind_coordinates, + ec_GFp_simple_ladder_pre, +diff -up openssl-1.1.1g/crypto/ec/ecp_nistp224.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecp_nistp224.c +--- openssl-1.1.1g/crypto/ec/ecp_nistp224.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/crypto/ec/ecp_nistp224.c 2020-05-18 12:45:44.568266531 +0200 +@@ -292,6 +292,9 @@ const EC_METHOD *EC_GFp_nistp224_method( + 0, /* keycopy */ + 0, /* keyfinish */ + ecdh_simple_compute_key, ++ ecdsa_simple_sign_setup, ++ ecdsa_simple_sign_sig, ++ ecdsa_simple_verify_sig, + 0, /* field_inverse_mod_ord */ + 0, /* blind_coordinates */ + 0, /* ladder_pre */ +diff -up openssl-1.1.1g/crypto/ec/ecp_nistp256.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecp_nistp256.c +--- openssl-1.1.1g/crypto/ec/ecp_nistp256.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/crypto/ec/ecp_nistp256.c 2020-05-18 12:45:44.568266531 +0200 +@@ -1829,6 +1829,9 @@ const EC_METHOD *EC_GFp_nistp256_method( + 0, /* keycopy */ + 0, /* keyfinish */ + ecdh_simple_compute_key, ++ ecdsa_simple_sign_setup, ++ ecdsa_simple_sign_sig, ++ ecdsa_simple_verify_sig, + 0, /* field_inverse_mod_ord */ + 0, /* blind_coordinates */ + 0, /* ladder_pre */ +diff -up openssl-1.1.1g/crypto/ec/ecp_nistp521.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecp_nistp521.c +--- openssl-1.1.1g/crypto/ec/ecp_nistp521.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/crypto/ec/ecp_nistp521.c 2020-05-18 12:45:44.569266540 +0200 +@@ -1669,6 +1669,9 @@ const EC_METHOD *EC_GFp_nistp521_method( + 0, /* keycopy */ + 0, /* keyfinish */ + ecdh_simple_compute_key, ++ ecdsa_simple_sign_setup, ++ ecdsa_simple_sign_sig, ++ ecdsa_simple_verify_sig, + 0, /* field_inverse_mod_ord */ + 0, /* blind_coordinates */ + 0, /* ladder_pre */ +diff -up openssl-1.1.1g/crypto/ec/ecp_nistz256.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecp_nistz256.c +--- openssl-1.1.1g/crypto/ec/ecp_nistz256.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/crypto/ec/ecp_nistz256.c 2020-05-18 12:45:44.570266549 +0200 +@@ -1720,6 +1720,9 @@ const EC_METHOD *EC_GFp_nistz256_method( + 0, /* keycopy */ + 0, /* keyfinish */ + ecdh_simple_compute_key, ++ ecdsa_simple_sign_setup, ++ ecdsa_simple_sign_sig, ++ ecdsa_simple_verify_sig, + ecp_nistz256_inv_mod_ord, /* can be #define-d NULL */ + 0, /* blind_coordinates */ + 0, /* ladder_pre */ +diff -up openssl-1.1.1g/crypto/ec/ecp_s390x_nistp.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecp_s390x_nistp.c +--- openssl-1.1.1g/crypto/ec/ecp_s390x_nistp.c.s390x-ecc 2020-05-18 12:45:44.571266557 +0200 ++++ openssl-1.1.1g/crypto/ec/ecp_s390x_nistp.c 2020-05-18 12:45:44.571266557 +0200 +@@ -0,0 +1,394 @@ ++/* ++ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the Apache License 2.0 (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#include <stdlib.h> ++#include <string.h> ++#include <openssl/err.h> ++#include <openssl/rand.h> ++#include "ec_local.h" ++#include "s390x_arch.h" ++ ++/* Size of parameter blocks */ ++#define S390X_SIZE_PARAM 4096 ++ ++/* Size of fields in parameter blocks */ ++#define S390X_SIZE_P256 32 ++#define S390X_SIZE_P384 48 ++#define S390X_SIZE_P521 80 ++ ++/* Offsets of fields in PCC parameter blocks */ ++#define S390X_OFF_RES_X(n) (0 * n) ++#define S390X_OFF_RES_Y(n) (1 * n) ++#define S390X_OFF_SRC_X(n) (2 * n) ++#define S390X_OFF_SRC_Y(n) (3 * n) ++#define S390X_OFF_SCALAR(n) (4 * n) ++ ++/* Offsets of fields in KDSA parameter blocks */ ++#define S390X_OFF_R(n) (0 * n) ++#define S390X_OFF_S(n) (1 * n) ++#define S390X_OFF_H(n) (2 * n) ++#define S390X_OFF_K(n) (3 * n) ++#define S390X_OFF_X(n) (3 * n) ++#define S390X_OFF_RN(n) (4 * n) ++#define S390X_OFF_Y(n) (4 * n) ++ ++static int ec_GFp_s390x_nistp_mul(const EC_GROUP *group, EC_POINT *r, ++ const BIGNUM *scalar, ++ size_t num, const EC_POINT *points[], ++ const BIGNUM *scalars[], ++ BN_CTX *ctx, unsigned int fc, int len) ++{ ++ unsigned char param[S390X_SIZE_PARAM]; ++ BIGNUM *x, *y; ++ const EC_POINT *point_ptr = NULL; ++ const BIGNUM *scalar_ptr = NULL; ++ BN_CTX *new_ctx = NULL; ++ int rc = -1; ++ ++ if (ctx == NULL) { ++ ctx = new_ctx = BN_CTX_new(); ++ if (ctx == NULL) ++ return 0; ++ } ++ ++ BN_CTX_start(ctx); ++ ++ x = BN_CTX_get(ctx); ++ y = BN_CTX_get(ctx); ++ if (x == NULL || y == NULL) { ++ rc = 0; ++ goto ret; ++ } ++ ++ /* ++ * Use PCC for EC keygen and ECDH key derivation: ++ * scalar * generator and scalar * peer public key, ++ * scalar in [0,order). ++ */ ++ if ((scalar != NULL && num == 0 && BN_is_negative(scalar) == 0) ++ || (scalar == NULL && num == 1 && BN_is_negative(scalars[0]) == 0)) { ++ ++ if (num == 0) { ++ point_ptr = EC_GROUP_get0_generator(group); ++ scalar_ptr = scalar; ++ } else { ++ point_ptr = points[0]; ++ scalar_ptr = scalars[0]; ++ } ++ ++ if (EC_POINT_is_at_infinity(group, point_ptr) == 1 ++ || BN_is_zero(scalar_ptr)) { ++ rc = EC_POINT_set_to_infinity(group, r); ++ goto ret; ++ } ++ ++ memset(¶m, 0, sizeof(param)); ++ ++ if (group->meth->point_get_affine_coordinates(group, point_ptr, ++ x, y, ctx) != 1 ++ || BN_bn2binpad(x, param + S390X_OFF_SRC_X(len), len) == -1 ++ || BN_bn2binpad(y, param + S390X_OFF_SRC_Y(len), len) == -1 ++ || BN_bn2binpad(scalar_ptr, ++ param + S390X_OFF_SCALAR(len), len) == -1 ++ || s390x_pcc(fc, param) != 0 ++ || BN_bin2bn(param + S390X_OFF_RES_X(len), len, x) == NULL ++ || BN_bin2bn(param + S390X_OFF_RES_Y(len), len, y) == NULL ++ || group->meth->point_set_affine_coordinates(group, r, ++ x, y, ctx) != 1) ++ goto ret; ++ ++ rc = 1; ++ } ++ ++ret: ++ /* Otherwise use default. */ ++ if (rc == -1) ++ rc = ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx); ++ OPENSSL_cleanse(param + S390X_OFF_SCALAR(len), len); ++ BN_CTX_end(ctx); ++ BN_CTX_free(new_ctx); ++ return rc; ++} ++ ++static ECDSA_SIG *ecdsa_s390x_nistp_sign_sig(const unsigned char *dgst, ++ int dgstlen, ++ const BIGNUM *kinv, ++ const BIGNUM *r, ++ EC_KEY *eckey, ++ unsigned int fc, int len) ++{ ++ unsigned char param[S390X_SIZE_PARAM]; ++ int ok = 0; ++ BIGNUM *k; ++ ECDSA_SIG *sig; ++ const EC_GROUP *group; ++ const BIGNUM *privkey; ++ int off; ++ ++ group = EC_KEY_get0_group(eckey); ++ privkey = EC_KEY_get0_private_key(eckey); ++ if (group == NULL || privkey == NULL) { ++ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, EC_R_MISSING_PARAMETERS); ++ return NULL; ++ } ++ ++ if (!EC_KEY_can_sign(eckey)) { ++ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ++ EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING); ++ return NULL; ++ } ++ ++ k = BN_secure_new(); ++ sig = ECDSA_SIG_new(); ++ if (k == NULL || sig == NULL) { ++ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_MALLOC_FAILURE); ++ goto ret; ++ } ++ ++ sig->r = BN_new(); ++ sig->s = BN_new(); ++ if (sig->r == NULL || sig->s == NULL) { ++ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_MALLOC_FAILURE); ++ goto ret; ++ } ++ ++ memset(param, 0, sizeof(param)); ++ off = len - (dgstlen > len ? len : dgstlen); ++ memcpy(param + S390X_OFF_H(len) + off, dgst, len - off); ++ ++ if (BN_bn2binpad(privkey, param + S390X_OFF_K(len), len) == -1) { ++ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_BN_LIB); ++ goto ret; ++ } ++ ++ if (r == NULL || kinv == NULL) { ++ /* ++ * Generate random k and copy to param param block. RAND_priv_bytes ++ * is used instead of BN_priv_rand_range or BN_generate_dsa_nonce ++ * because kdsa instruction constructs an in-range, invertible nonce ++ * internally implementing counter-measures for RNG weakness. ++ */ ++ if (RAND_priv_bytes(param + S390X_OFF_RN(len), len) != 1) { ++ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ++ EC_R_RANDOM_NUMBER_GENERATION_FAILED); ++ goto ret; ++ } ++ } else { ++ /* Reconstruct k = (k^-1)^-1. */ ++ if (ec_group_do_inverse_ord(group, k, kinv, NULL) == 0 ++ || BN_bn2binpad(k, param + S390X_OFF_RN(len), len) == -1) { ++ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_BN_LIB); ++ goto ret; ++ } ++ /* Turns KDSA internal nonce-generation off. */ ++ fc |= S390X_KDSA_D; ++ } ++ ++ if (s390x_kdsa(fc, param, NULL, 0) != 0) { ++ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_ECDSA_LIB); ++ goto ret; ++ } ++ ++ if (BN_bin2bn(param + S390X_OFF_R(len), len, sig->r) == NULL ++ || BN_bin2bn(param + S390X_OFF_S(len), len, sig->s) == NULL) { ++ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_BN_LIB); ++ goto ret; ++ } ++ ++ ok = 1; ++ret: ++ OPENSSL_cleanse(param + S390X_OFF_K(len), 2 * len); ++ if (ok != 1) { ++ ECDSA_SIG_free(sig); ++ sig = NULL; ++ } ++ BN_clear_free(k); ++ return sig; ++} ++ ++static int ecdsa_s390x_nistp_verify_sig(const unsigned char *dgst, int dgstlen, ++ const ECDSA_SIG *sig, EC_KEY *eckey, ++ unsigned int fc, int len) ++{ ++ unsigned char param[S390X_SIZE_PARAM]; ++ int rc = -1; ++ BN_CTX *ctx; ++ BIGNUM *x, *y; ++ const EC_GROUP *group; ++ const EC_POINT *pubkey; ++ int off; ++ ++ group = EC_KEY_get0_group(eckey); ++ pubkey = EC_KEY_get0_public_key(eckey); ++ if (eckey == NULL || group == NULL || pubkey == NULL || sig == NULL) { ++ ECerr(EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, EC_R_MISSING_PARAMETERS); ++ return -1; ++ } ++ ++ if (!EC_KEY_can_sign(eckey)) { ++ ECerr(EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, ++ EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING); ++ return -1; ++ } ++ ++ ctx = BN_CTX_new(); ++ if (ctx == NULL) { ++ ECerr(EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, ERR_R_MALLOC_FAILURE); ++ return -1; ++ } ++ ++ BN_CTX_start(ctx); ++ ++ x = BN_CTX_get(ctx); ++ y = BN_CTX_get(ctx); ++ if (x == NULL || y == NULL) { ++ ECerr(EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, ERR_R_MALLOC_FAILURE); ++ goto ret; ++ } ++ ++ memset(param, 0, sizeof(param)); ++ off = len - (dgstlen > len ? len : dgstlen); ++ memcpy(param + S390X_OFF_H(len) + off, dgst, len - off); ++ ++ if (group->meth->point_get_affine_coordinates(group, pubkey, ++ x, y, ctx) != 1 ++ || BN_bn2binpad(sig->r, param + S390X_OFF_R(len), len) == -1 ++ || BN_bn2binpad(sig->s, param + S390X_OFF_S(len), len) == -1 ++ || BN_bn2binpad(x, param + S390X_OFF_X(len), len) == -1 ++ || BN_bn2binpad(y, param + S390X_OFF_Y(len), len) == -1) { ++ ECerr(EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, ERR_R_BN_LIB); ++ goto ret; ++ } ++ ++ rc = s390x_kdsa(fc, param, NULL, 0) == 0 ? 1 : 0; ++ret: ++ BN_CTX_end(ctx); ++ BN_CTX_free(ctx); ++ return rc; ++} ++ ++#define EC_GFP_S390X_NISTP_METHOD(bits) \ ++ \ ++static int ec_GFp_s390x_nistp##bits##_mul(const EC_GROUP *group, \ ++ EC_POINT *r, \ ++ const BIGNUM *scalar, \ ++ size_t num, \ ++ const EC_POINT *points[], \ ++ const BIGNUM *scalars[], \ ++ BN_CTX *ctx) \ ++{ \ ++ return ec_GFp_s390x_nistp_mul(group, r, scalar, num, points, \ ++ scalars, ctx, \ ++ S390X_SCALAR_MULTIPLY_P##bits, \ ++ S390X_SIZE_P##bits); \ ++} \ ++ \ ++static ECDSA_SIG *ecdsa_s390x_nistp##bits##_sign_sig(const unsigned \ ++ char *dgst, \ ++ int dgstlen, \ ++ const BIGNUM *kinv,\ ++ const BIGNUM *r, \ ++ EC_KEY *eckey) \ ++{ \ ++ return ecdsa_s390x_nistp_sign_sig(dgst, dgstlen, kinv, r, eckey, \ ++ S390X_ECDSA_SIGN_P##bits, \ ++ S390X_SIZE_P##bits); \ ++} \ ++ \ ++static int ecdsa_s390x_nistp##bits##_verify_sig(const \ ++ unsigned char *dgst, \ ++ int dgstlen, \ ++ const ECDSA_SIG *sig, \ ++ EC_KEY *eckey) \ ++{ \ ++ return ecdsa_s390x_nistp_verify_sig(dgst, dgstlen, sig, eckey, \ ++ S390X_ECDSA_VERIFY_P##bits, \ ++ S390X_SIZE_P##bits); \ ++} \ ++ \ ++const EC_METHOD *EC_GFp_s390x_nistp##bits##_method(void) \ ++{ \ ++ static const EC_METHOD EC_GFp_s390x_nistp##bits##_meth = { \ ++ EC_FLAGS_DEFAULT_OCT, \ ++ NID_X9_62_prime_field, \ ++ ec_GFp_simple_group_init, \ ++ ec_GFp_simple_group_finish, \ ++ ec_GFp_simple_group_clear_finish, \ ++ ec_GFp_simple_group_copy, \ ++ ec_GFp_simple_group_set_curve, \ ++ ec_GFp_simple_group_get_curve, \ ++ ec_GFp_simple_group_get_degree, \ ++ ec_group_simple_order_bits, \ ++ ec_GFp_simple_group_check_discriminant, \ ++ ec_GFp_simple_point_init, \ ++ ec_GFp_simple_point_finish, \ ++ ec_GFp_simple_point_clear_finish, \ ++ ec_GFp_simple_point_copy, \ ++ ec_GFp_simple_point_set_to_infinity, \ ++ ec_GFp_simple_set_Jprojective_coordinates_GFp, \ ++ ec_GFp_simple_get_Jprojective_coordinates_GFp, \ ++ ec_GFp_simple_point_set_affine_coordinates, \ ++ ec_GFp_simple_point_get_affine_coordinates, \ ++ NULL, /* point_set_compressed_coordinates */ \ ++ NULL, /* point2oct */ \ ++ NULL, /* oct2point */ \ ++ ec_GFp_simple_add, \ ++ ec_GFp_simple_dbl, \ ++ ec_GFp_simple_invert, \ ++ ec_GFp_simple_is_at_infinity, \ ++ ec_GFp_simple_is_on_curve, \ ++ ec_GFp_simple_cmp, \ ++ ec_GFp_simple_make_affine, \ ++ ec_GFp_simple_points_make_affine, \ ++ ec_GFp_s390x_nistp##bits##_mul, \ ++ NULL, /* precompute_mult */ \ ++ NULL, /* have_precompute_mult */ \ ++ ec_GFp_simple_field_mul, \ ++ ec_GFp_simple_field_sqr, \ ++ NULL, /* field_div */ \ ++ ec_GFp_simple_field_inv, \ ++ NULL, /* field_encode */ \ ++ NULL, /* field_decode */ \ ++ NULL, /* field_set_to_one */ \ ++ ec_key_simple_priv2oct, \ ++ ec_key_simple_oct2priv, \ ++ NULL, /* set_private */ \ ++ ec_key_simple_generate_key, \ ++ ec_key_simple_check_key, \ ++ ec_key_simple_generate_public_key, \ ++ NULL, /* keycopy */ \ ++ NULL, /* keyfinish */ \ ++ ecdh_simple_compute_key, \ ++ ecdsa_simple_sign_setup, \ ++ ecdsa_s390x_nistp##bits##_sign_sig, \ ++ ecdsa_s390x_nistp##bits##_verify_sig, \ ++ NULL, /* field_inverse_mod_ord */ \ ++ ec_GFp_simple_blind_coordinates, \ ++ ec_GFp_simple_ladder_pre, \ ++ ec_GFp_simple_ladder_step, \ ++ ec_GFp_simple_ladder_post \ ++ }; \ ++ static const EC_METHOD *ret; \ ++ \ ++ if ((OPENSSL_s390xcap_P.pcc[1] \ ++ & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P##bits)) \ ++ && (OPENSSL_s390xcap_P.kdsa[0] \ ++ & S390X_CAPBIT(S390X_ECDSA_VERIFY_P##bits)) \ ++ && (OPENSSL_s390xcap_P.kdsa[0] \ ++ & S390X_CAPBIT(S390X_ECDSA_SIGN_P##bits))) \ ++ ret = &EC_GFp_s390x_nistp##bits##_meth; \ ++ else \ ++ ret = EC_GFp_mont_method(); \ ++ \ ++ return ret; \ ++} ++ ++EC_GFP_S390X_NISTP_METHOD(256) ++EC_GFP_S390X_NISTP_METHOD(384) ++EC_GFP_S390X_NISTP_METHOD(521) +diff -up openssl-1.1.1g/crypto/ec/ecp_smpl.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecp_smpl.c +--- openssl-1.1.1g/crypto/ec/ecp_smpl.c.s390x-ecc 2020-05-18 12:45:40.769233514 +0200 ++++ openssl-1.1.1g/crypto/ec/ecp_smpl.c 2020-05-18 12:45:44.572266566 +0200 +@@ -64,6 +64,9 @@ const EC_METHOD *EC_GFp_simple_method(vo + 0, /* keycopy */ + 0, /* keyfinish */ + ecdh_simple_compute_key, ++ ecdsa_simple_sign_setup, ++ ecdsa_simple_sign_sig, ++ ecdsa_simple_verify_sig, + 0, /* field_inverse_mod_ord */ + ec_GFp_simple_blind_coordinates, + ec_GFp_simple_ladder_pre, +diff -up openssl-1.1.1g/crypto/ec/ecx_meth.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecx_meth.c +--- openssl-1.1.1g/crypto/ec/ecx_meth.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/crypto/ec/ecx_meth.c 2020-05-18 12:45:44.573266575 +0200 +@@ -20,6 +20,7 @@ + #define X25519_BITS 253 + #define X25519_SECURITY_BITS 128 + ++#define ED25519_KEYLEN 32 + #define ED25519_SIGSIZE 64 + + #define X448_BITS 448 +@@ -839,3 +840,666 @@ const EVP_PKEY_METHOD ed448_pkey_meth = + pkey_ecd_digestsign448, + pkey_ecd_digestverify448 + }; ++ ++#ifdef S390X_EC_ASM ++# include "s390x_arch.h" ++# include "internal/constant_time.h" ++ ++static void s390x_x25519_mod_p(unsigned char u[32]) ++{ ++ unsigned char u_red[32]; ++ unsigned int c = 0; ++ int i; ++ ++ memcpy(u_red, u, sizeof(u_red)); ++ ++ c += (unsigned int)u_red[31] + 19; ++ u_red[31] = (unsigned char)c; ++ c >>= 8; ++ ++ for (i = 30; i >= 0; i--) { ++ c += (unsigned int)u_red[i]; ++ u_red[i] = (unsigned char)c; ++ c >>= 8; ++ } ++ ++ c = (u_red[0] & 0x80) >> 7; ++ u_red[0] &= 0x7f; ++ constant_time_cond_swap_buff(0 - (unsigned char)c, ++ u, u_red, sizeof(u_red)); ++} ++ ++static void s390x_x448_mod_p(unsigned char u[56]) ++{ ++ unsigned char u_red[56]; ++ unsigned int c = 0; ++ int i; ++ ++ memcpy(u_red, u, sizeof(u_red)); ++ ++ c += (unsigned int)u_red[55] + 1; ++ u_red[55] = (unsigned char)c; ++ c >>= 8; ++ ++ for (i = 54; i >= 28; i--) { ++ c += (unsigned int)u_red[i]; ++ u_red[i] = (unsigned char)c; ++ c >>= 8; ++ } ++ ++ c += (unsigned int)u_red[27] + 1; ++ u_red[27] = (unsigned char)c; ++ c >>= 8; ++ ++ for (i = 26; i >= 0; i--) { ++ c += (unsigned int)u_red[i]; ++ u_red[i] = (unsigned char)c; ++ c >>= 8; ++ } ++ ++ constant_time_cond_swap_buff(0 - (unsigned char)c, ++ u, u_red, sizeof(u_red)); ++} ++ ++static int s390x_x25519_mul(unsigned char u_dst[32], ++ const unsigned char u_src[32], ++ const unsigned char d_src[32]) ++{ ++ union { ++ struct { ++ unsigned char u_dst[32]; ++ unsigned char u_src[32]; ++ unsigned char d_src[32]; ++ } x25519; ++ unsigned long long buff[512]; ++ } param; ++ int rc; ++ ++ memset(¶m, 0, sizeof(param)); ++ ++ s390x_flip_endian32(param.x25519.u_src, u_src); ++ param.x25519.u_src[0] &= 0x7f; ++ s390x_x25519_mod_p(param.x25519.u_src); ++ ++ s390x_flip_endian32(param.x25519.d_src, d_src); ++ param.x25519.d_src[31] &= 248; ++ param.x25519.d_src[0] &= 127; ++ param.x25519.d_src[0] |= 64; ++ ++ rc = s390x_pcc(S390X_SCALAR_MULTIPLY_X25519, ¶m.x25519) ? 0 : 1; ++ if (rc == 1) ++ s390x_flip_endian32(u_dst, param.x25519.u_dst); ++ ++ OPENSSL_cleanse(param.x25519.d_src, sizeof(param.x25519.d_src)); ++ return rc; ++} ++ ++static int s390x_x448_mul(unsigned char u_dst[56], ++ const unsigned char u_src[56], ++ const unsigned char d_src[56]) ++{ ++ union { ++ struct { ++ unsigned char u_dst[64]; ++ unsigned char u_src[64]; ++ unsigned char d_src[64]; ++ } x448; ++ unsigned long long buff[512]; ++ } param; ++ int rc; ++ ++ memset(¶m, 0, sizeof(param)); ++ ++ memcpy(param.x448.u_src, u_src, 56); ++ memcpy(param.x448.d_src, d_src, 56); ++ ++ s390x_flip_endian64(param.x448.u_src, param.x448.u_src); ++ s390x_x448_mod_p(param.x448.u_src + 8); ++ ++ s390x_flip_endian64(param.x448.d_src, param.x448.d_src); ++ param.x448.d_src[63] &= 252; ++ param.x448.d_src[8] |= 128; ++ ++ rc = s390x_pcc(S390X_SCALAR_MULTIPLY_X448, ¶m.x448) ? 0 : 1; ++ if (rc == 1) { ++ s390x_flip_endian64(param.x448.u_dst, param.x448.u_dst); ++ memcpy(u_dst, param.x448.u_dst, 56); ++ } ++ ++ OPENSSL_cleanse(param.x448.d_src, sizeof(param.x448.d_src)); ++ return rc; ++} ++ ++static int s390x_ed25519_mul(unsigned char x_dst[32], ++ unsigned char y_dst[32], ++ const unsigned char x_src[32], ++ const unsigned char y_src[32], ++ const unsigned char d_src[32]) ++{ ++ union { ++ struct { ++ unsigned char x_dst[32]; ++ unsigned char y_dst[32]; ++ unsigned char x_src[32]; ++ unsigned char y_src[32]; ++ unsigned char d_src[32]; ++ } ed25519; ++ unsigned long long buff[512]; ++ } param; ++ int rc; ++ ++ memset(¶m, 0, sizeof(param)); ++ ++ s390x_flip_endian32(param.ed25519.x_src, x_src); ++ s390x_flip_endian32(param.ed25519.y_src, y_src); ++ s390x_flip_endian32(param.ed25519.d_src, d_src); ++ ++ rc = s390x_pcc(S390X_SCALAR_MULTIPLY_ED25519, ¶m.ed25519) ? 0 : 1; ++ if (rc == 1) { ++ s390x_flip_endian32(x_dst, param.ed25519.x_dst); ++ s390x_flip_endian32(y_dst, param.ed25519.y_dst); ++ } ++ ++ OPENSSL_cleanse(param.ed25519.d_src, sizeof(param.ed25519.d_src)); ++ return rc; ++} ++ ++static int s390x_ed448_mul(unsigned char x_dst[57], ++ unsigned char y_dst[57], ++ const unsigned char x_src[57], ++ const unsigned char y_src[57], ++ const unsigned char d_src[57]) ++{ ++ union { ++ struct { ++ unsigned char x_dst[64]; ++ unsigned char y_dst[64]; ++ unsigned char x_src[64]; ++ unsigned char y_src[64]; ++ unsigned char d_src[64]; ++ } ed448; ++ unsigned long long buff[512]; ++ } param; ++ int rc; ++ ++ memset(¶m, 0, sizeof(param)); ++ ++ memcpy(param.ed448.x_src, x_src, 57); ++ memcpy(param.ed448.y_src, y_src, 57); ++ memcpy(param.ed448.d_src, d_src, 57); ++ s390x_flip_endian64(param.ed448.x_src, param.ed448.x_src); ++ s390x_flip_endian64(param.ed448.y_src, param.ed448.y_src); ++ s390x_flip_endian64(param.ed448.d_src, param.ed448.d_src); ++ ++ rc = s390x_pcc(S390X_SCALAR_MULTIPLY_ED448, ¶m.ed448) ? 0 : 1; ++ if (rc == 1) { ++ s390x_flip_endian64(param.ed448.x_dst, param.ed448.x_dst); ++ s390x_flip_endian64(param.ed448.y_dst, param.ed448.y_dst); ++ memcpy(x_dst, param.ed448.x_dst, 57); ++ memcpy(y_dst, param.ed448.y_dst, 57); ++ } ++ ++ OPENSSL_cleanse(param.ed448.d_src, sizeof(param.ed448.d_src)); ++ return rc; ++} ++ ++static int s390x_pkey_ecx_keygen25519(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) ++{ ++ static const unsigned char generator[] = { ++ 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ++ }; ++ ECX_KEY *key; ++ unsigned char *privkey = NULL, *pubkey; ++ ++ key = OPENSSL_zalloc(sizeof(*key)); ++ if (key == NULL) { ++ ECerr(EC_F_S390X_PKEY_ECX_KEYGEN25519, ERR_R_MALLOC_FAILURE); ++ goto err; ++ } ++ ++ pubkey = key->pubkey; ++ ++ privkey = key->privkey = OPENSSL_secure_malloc(X25519_KEYLEN); ++ if (privkey == NULL) { ++ ECerr(EC_F_S390X_PKEY_ECX_KEYGEN25519, ERR_R_MALLOC_FAILURE); ++ goto err; ++ } ++ ++ if (RAND_priv_bytes(privkey, X25519_KEYLEN) <= 0) ++ goto err; ++ ++ privkey[0] &= 248; ++ privkey[31] &= 127; ++ privkey[31] |= 64; ++ ++ if (s390x_x25519_mul(pubkey, generator, privkey) != 1) ++ goto err; ++ ++ EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, key); ++ return 1; ++ err: ++ OPENSSL_secure_clear_free(privkey, X25519_KEYLEN); ++ key->privkey = NULL; ++ OPENSSL_free(key); ++ return 0; ++} ++ ++static int s390x_pkey_ecx_keygen448(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) ++{ ++ static const unsigned char generator[] = { ++ 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ++ }; ++ ECX_KEY *key; ++ unsigned char *privkey = NULL, *pubkey; ++ ++ key = OPENSSL_zalloc(sizeof(*key)); ++ if (key == NULL) { ++ ECerr(EC_F_S390X_PKEY_ECX_KEYGEN448, ERR_R_MALLOC_FAILURE); ++ goto err; ++ } ++ ++ pubkey = key->pubkey; ++ ++ privkey = key->privkey = OPENSSL_secure_malloc(X448_KEYLEN); ++ if (privkey == NULL) { ++ ECerr(EC_F_S390X_PKEY_ECX_KEYGEN448, ERR_R_MALLOC_FAILURE); ++ goto err; ++ } ++ ++ if (RAND_priv_bytes(privkey, X448_KEYLEN) <= 0) ++ goto err; ++ ++ privkey[0] &= 252; ++ privkey[55] |= 128; ++ ++ if (s390x_x448_mul(pubkey, generator, privkey) != 1) ++ goto err; ++ ++ EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, key); ++ return 1; ++ err: ++ OPENSSL_secure_clear_free(privkey, X448_KEYLEN); ++ key->privkey = NULL; ++ OPENSSL_free(key); ++ return 0; ++} ++ ++static int s390x_pkey_ecd_keygen25519(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) ++{ ++ static const unsigned char generator_x[] = { ++ 0x1a, 0xd5, 0x25, 0x8f, 0x60, 0x2d, 0x56, 0xc9, 0xb2, 0xa7, 0x25, 0x95, ++ 0x60, 0xc7, 0x2c, 0x69, 0x5c, 0xdc, 0xd6, 0xfd, 0x31, 0xe2, 0xa4, 0xc0, ++ 0xfe, 0x53, 0x6e, 0xcd, 0xd3, 0x36, 0x69, 0x21 ++ }; ++ static const unsigned char generator_y[] = { ++ 0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, ++ 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, ++ 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, ++ }; ++ unsigned char x_dst[32], buff[SHA512_DIGEST_LENGTH]; ++ ECX_KEY *key; ++ unsigned char *privkey = NULL, *pubkey; ++ ++ key = OPENSSL_zalloc(sizeof(*key)); ++ if (key == NULL) { ++ ECerr(EC_F_S390X_PKEY_ECD_KEYGEN25519, ERR_R_MALLOC_FAILURE); ++ goto err; ++ } ++ ++ pubkey = key->pubkey; ++ ++ privkey = key->privkey = OPENSSL_secure_malloc(ED25519_KEYLEN); ++ if (privkey == NULL) { ++ ECerr(EC_F_S390X_PKEY_ECD_KEYGEN25519, ERR_R_MALLOC_FAILURE); ++ goto err; ++ } ++ ++ if (RAND_priv_bytes(privkey, ED25519_KEYLEN) <= 0) ++ goto err; ++ ++ SHA512(privkey, 32, buff); ++ buff[0] &= 248; ++ buff[31] &= 63; ++ buff[31] |= 64; ++ ++ if (s390x_ed25519_mul(x_dst, pubkey, ++ generator_x, generator_y, buff) != 1) ++ goto err; ++ ++ pubkey[31] |= ((x_dst[0] & 0x01) << 7); ++ ++ EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, key); ++ return 1; ++ err: ++ OPENSSL_secure_clear_free(privkey, ED25519_KEYLEN); ++ key->privkey = NULL; ++ OPENSSL_free(key); ++ return 0; ++} ++ ++static int s390x_pkey_ecd_keygen448(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) ++{ ++ static const unsigned char generator_x[] = { ++ 0x5e, 0xc0, 0x0c, 0xc7, 0x2b, 0xa8, 0x26, 0x26, 0x8e, 0x93, 0x00, 0x8b, ++ 0xe1, 0x80, 0x3b, 0x43, 0x11, 0x65, 0xb6, 0x2a, 0xf7, 0x1a, 0xae, 0x12, ++ 0x64, 0xa4, 0xd3, 0xa3, 0x24, 0xe3, 0x6d, 0xea, 0x67, 0x17, 0x0f, 0x47, ++ 0x70, 0x65, 0x14, 0x9e, 0xda, 0x36, 0xbf, 0x22, 0xa6, 0x15, 0x1d, 0x22, ++ 0xed, 0x0d, 0xed, 0x6b, 0xc6, 0x70, 0x19, 0x4f, 0x00 ++ }; ++ static const unsigned char generator_y[] = { ++ 0x14, 0xfa, 0x30, 0xf2, 0x5b, 0x79, 0x08, 0x98, 0xad, 0xc8, 0xd7, 0x4e, ++ 0x2c, 0x13, 0xbd, 0xfd, 0xc4, 0x39, 0x7c, 0xe6, 0x1c, 0xff, 0xd3, 0x3a, ++ 0xd7, 0xc2, 0xa0, 0x05, 0x1e, 0x9c, 0x78, 0x87, 0x40, 0x98, 0xa3, 0x6c, ++ 0x73, 0x73, 0xea, 0x4b, 0x62, 0xc7, 0xc9, 0x56, 0x37, 0x20, 0x76, 0x88, ++ 0x24, 0xbc, 0xb6, 0x6e, 0x71, 0x46, 0x3f, 0x69, 0x00 ++ }; ++ unsigned char x_dst[57], buff[114]; ++ ECX_KEY *key; ++ unsigned char *privkey = NULL, *pubkey; ++ EVP_MD_CTX *hashctx = NULL; ++ ++ key = OPENSSL_zalloc(sizeof(*key)); ++ if (key == NULL) { ++ ECerr(EC_F_S390X_PKEY_ECD_KEYGEN448, ERR_R_MALLOC_FAILURE); ++ goto err; ++ } ++ ++ pubkey = key->pubkey; ++ ++ privkey = key->privkey = OPENSSL_secure_malloc(ED448_KEYLEN); ++ if (privkey == NULL) { ++ ECerr(EC_F_S390X_PKEY_ECD_KEYGEN448, ERR_R_MALLOC_FAILURE); ++ goto err; ++ } ++ ++ if (RAND_priv_bytes(privkey, ED448_KEYLEN) <= 0) ++ goto err; ++ ++ hashctx = EVP_MD_CTX_new(); ++ if (hashctx == NULL) ++ goto err; ++ if (EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL) != 1) ++ goto err; ++ if (EVP_DigestUpdate(hashctx, privkey, 57) != 1) ++ goto err; ++ if (EVP_DigestFinalXOF(hashctx, buff, sizeof(buff)) != 1) ++ goto err; ++ ++ buff[0] &= -4; ++ buff[55] |= 0x80; ++ buff[56] = 0; ++ ++ if (s390x_ed448_mul(x_dst, pubkey, ++ generator_x, generator_y, buff) != 1) ++ goto err; ++ ++ pubkey[56] |= ((x_dst[0] & 0x01) << 7); ++ ++ EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, key); ++ EVP_MD_CTX_free(hashctx); ++ return 1; ++ err: ++ OPENSSL_secure_clear_free(privkey, ED448_KEYLEN); ++ key->privkey = NULL; ++ OPENSSL_free(key); ++ EVP_MD_CTX_free(hashctx); ++ return 0; ++} ++ ++static int s390x_pkey_ecx_derive25519(EVP_PKEY_CTX *ctx, unsigned char *key, ++ size_t *keylen) ++{ ++ const unsigned char *privkey, *pubkey; ++ ++ if (!validate_ecx_derive(ctx, key, keylen, &privkey, &pubkey)) ++ return 0; ++ ++ if (key != NULL) ++ return s390x_x25519_mul(key, pubkey, privkey); ++ ++ *keylen = X25519_KEYLEN; ++ return 1; ++} ++ ++static int s390x_pkey_ecx_derive448(EVP_PKEY_CTX *ctx, unsigned char *key, ++ size_t *keylen) ++{ ++ const unsigned char *privkey, *pubkey; ++ ++ if (!validate_ecx_derive(ctx, key, keylen, &privkey, &pubkey)) ++ return 0; ++ ++ if (key != NULL) ++ return s390x_x448_mul(key, pubkey, privkey); ++ ++ *keylen = X448_KEYLEN; ++ return 1; ++} ++ ++static int s390x_pkey_ecd_digestsign25519(EVP_MD_CTX *ctx, ++ unsigned char *sig, size_t *siglen, ++ const unsigned char *tbs, ++ size_t tbslen) ++{ ++ union { ++ struct { ++ unsigned char sig[64]; ++ unsigned char priv[32]; ++ } ed25519; ++ unsigned long long buff[512]; ++ } param; ++ const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx; ++ int rc; ++ ++ if (sig == NULL) { ++ *siglen = ED25519_SIGSIZE; ++ return 1; ++ } ++ ++ if (*siglen < ED25519_SIGSIZE) { ++ ECerr(EC_F_S390X_PKEY_ECD_DIGESTSIGN25519, EC_R_BUFFER_TOO_SMALL); ++ return 0; ++ } ++ ++ memset(¶m, 0, sizeof(param)); ++ memcpy(param.ed25519.priv, edkey->privkey, sizeof(param.ed25519.priv)); ++ ++ rc = s390x_kdsa(S390X_EDDSA_SIGN_ED25519, ¶m.ed25519, tbs, tbslen); ++ OPENSSL_cleanse(param.ed25519.priv, sizeof(param.ed25519.priv)); ++ if (rc != 0) ++ return 0; ++ ++ s390x_flip_endian32(sig, param.ed25519.sig); ++ s390x_flip_endian32(sig + 32, param.ed25519.sig + 32); ++ ++ *siglen = ED25519_SIGSIZE; ++ return 1; ++} ++ ++static int s390x_pkey_ecd_digestsign448(EVP_MD_CTX *ctx, ++ unsigned char *sig, size_t *siglen, ++ const unsigned char *tbs, ++ size_t tbslen) ++{ ++ union { ++ struct { ++ unsigned char sig[128]; ++ unsigned char priv[64]; ++ } ed448; ++ unsigned long long buff[512]; ++ } param; ++ const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx; ++ int rc; ++ ++ if (sig == NULL) { ++ *siglen = ED448_SIGSIZE; ++ return 1; ++ } ++ ++ if (*siglen < ED448_SIGSIZE) { ++ ECerr(EC_F_S390X_PKEY_ECD_DIGESTSIGN448, EC_R_BUFFER_TOO_SMALL); ++ return 0; ++ } ++ ++ memset(¶m, 0, sizeof(param)); ++ memcpy(param.ed448.priv + 64 - 57, edkey->privkey, 57); ++ ++ rc = s390x_kdsa(S390X_EDDSA_SIGN_ED448, ¶m.ed448, tbs, tbslen); ++ OPENSSL_cleanse(param.ed448.priv, sizeof(param.ed448.priv)); ++ if (rc != 0) ++ return 0; ++ ++ s390x_flip_endian64(param.ed448.sig, param.ed448.sig); ++ s390x_flip_endian64(param.ed448.sig + 64, param.ed448.sig + 64); ++ memcpy(sig, param.ed448.sig, 57); ++ memcpy(sig + 57, param.ed448.sig + 64, 57); ++ ++ *siglen = ED448_SIGSIZE; ++ return 1; ++} ++ ++static int s390x_pkey_ecd_digestverify25519(EVP_MD_CTX *ctx, ++ const unsigned char *sig, ++ size_t siglen, ++ const unsigned char *tbs, ++ size_t tbslen) ++{ ++ union { ++ struct { ++ unsigned char sig[64]; ++ unsigned char pub[32]; ++ } ed25519; ++ unsigned long long buff[512]; ++ } param; ++ const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx; ++ ++ if (siglen != ED25519_SIGSIZE) ++ return 0; ++ ++ memset(¶m, 0, sizeof(param)); ++ s390x_flip_endian32(param.ed25519.sig, sig); ++ s390x_flip_endian32(param.ed25519.sig + 32, sig + 32); ++ s390x_flip_endian32(param.ed25519.pub, edkey->pubkey); ++ ++ return s390x_kdsa(S390X_EDDSA_VERIFY_ED25519, ++ ¶m.ed25519, tbs, tbslen) == 0 ? 1 : 0; ++} ++ ++static int s390x_pkey_ecd_digestverify448(EVP_MD_CTX *ctx, ++ const unsigned char *sig, ++ size_t siglen, ++ const unsigned char *tbs, ++ size_t tbslen) ++{ ++ union { ++ struct { ++ unsigned char sig[128]; ++ unsigned char pub[64]; ++ } ed448; ++ unsigned long long buff[512]; ++ } param; ++ const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx; ++ ++ if (siglen != ED448_SIGSIZE) ++ return 0; ++ ++ memset(¶m, 0, sizeof(param)); ++ memcpy(param.ed448.sig, sig, 57); ++ s390x_flip_endian64(param.ed448.sig, param.ed448.sig); ++ memcpy(param.ed448.sig + 64, sig + 57, 57); ++ s390x_flip_endian64(param.ed448.sig + 64, param.ed448.sig + 64); ++ memcpy(param.ed448.pub, edkey->pubkey, 57); ++ s390x_flip_endian64(param.ed448.pub, param.ed448.pub); ++ ++ return s390x_kdsa(S390X_EDDSA_VERIFY_ED448, ++ ¶m.ed448, tbs, tbslen) == 0 ? 1 : 0; ++} ++ ++static const EVP_PKEY_METHOD ecx25519_s390x_pkey_meth = { ++ EVP_PKEY_X25519, ++ 0, 0, 0, 0, 0, 0, 0, ++ s390x_pkey_ecx_keygen25519, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ s390x_pkey_ecx_derive25519, ++ pkey_ecx_ctrl, ++ 0 ++}; ++ ++static const EVP_PKEY_METHOD ecx448_s390x_pkey_meth = { ++ EVP_PKEY_X448, ++ 0, 0, 0, 0, 0, 0, 0, ++ s390x_pkey_ecx_keygen448, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ s390x_pkey_ecx_derive448, ++ pkey_ecx_ctrl, ++ 0 ++}; ++static const EVP_PKEY_METHOD ed25519_s390x_pkey_meth = { ++ EVP_PKEY_ED25519, EVP_PKEY_FLAG_SIGCTX_CUSTOM, ++ 0, 0, 0, 0, 0, 0, ++ s390x_pkey_ecd_keygen25519, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ pkey_ecd_ctrl, ++ 0, ++ s390x_pkey_ecd_digestsign25519, ++ s390x_pkey_ecd_digestverify25519 ++}; ++ ++static const EVP_PKEY_METHOD ed448_s390x_pkey_meth = { ++ EVP_PKEY_ED448, EVP_PKEY_FLAG_SIGCTX_CUSTOM, ++ 0, 0, 0, 0, 0, 0, ++ s390x_pkey_ecd_keygen448, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ pkey_ecd_ctrl, ++ 0, ++ s390x_pkey_ecd_digestsign448, ++ s390x_pkey_ecd_digestverify448 ++}; ++#endif ++ ++const EVP_PKEY_METHOD *ecx25519_pkey_method(void) ++{ ++#ifdef S390X_EC_ASM ++ if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_X25519)) ++ return &ecx25519_s390x_pkey_meth; ++#endif ++ return &ecx25519_pkey_meth; ++} ++ ++const EVP_PKEY_METHOD *ecx448_pkey_method(void) ++{ ++#ifdef S390X_EC_ASM ++ if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_X448)) ++ return &ecx448_s390x_pkey_meth; ++#endif ++ return &ecx448_pkey_meth; ++} ++ ++const EVP_PKEY_METHOD *ed25519_pkey_method(void) ++{ ++#ifdef S390X_EC_ASM ++ if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_ED25519) ++ && OPENSSL_s390xcap_P.kdsa[0] & S390X_CAPBIT(S390X_EDDSA_SIGN_ED25519) ++ && OPENSSL_s390xcap_P.kdsa[0] ++ & S390X_CAPBIT(S390X_EDDSA_VERIFY_ED25519)) ++ return &ed25519_s390x_pkey_meth; ++#endif ++ return &ed25519_pkey_meth; ++} ++ ++const EVP_PKEY_METHOD *ed448_pkey_method(void) ++{ ++#ifdef S390X_EC_ASM ++ if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_ED448) ++ && OPENSSL_s390xcap_P.kdsa[0] & S390X_CAPBIT(S390X_EDDSA_SIGN_ED448) ++ && OPENSSL_s390xcap_P.kdsa[0] & S390X_CAPBIT(S390X_EDDSA_VERIFY_ED448)) ++ return &ed448_s390x_pkey_meth; ++#endif ++ return &ed448_pkey_meth; ++} +diff -up openssl-1.1.1g/crypto/err/openssl.txt.s390x-ecc openssl-1.1.1g/crypto/err/openssl.txt +--- openssl-1.1.1g/crypto/err/openssl.txt.s390x-ecc 2020-05-18 12:45:40.834234079 +0200 ++++ openssl-1.1.1g/crypto/err/openssl.txt 2020-05-18 12:45:44.575266592 +0200 +@@ -496,6 +496,11 @@ EC_F_ECDSA_SIGN_EX:254:ECDSA_sign_ex + EC_F_ECDSA_SIGN_SETUP:248:ECDSA_sign_setup + EC_F_ECDSA_SIG_NEW:265:ECDSA_SIG_new + EC_F_ECDSA_VERIFY:253:ECDSA_verify ++EC_F_ECDSA_SIMPLE_SIGN_SETUP:310:ecdsa_simple_sign_setup ++EC_F_ECDSA_SIMPLE_SIGN_SIG:311:ecdsa_simple_sign_sig ++EC_F_ECDSA_SIMPLE_VERIFY_SIG:312:ecdsa_simple_verify_sig ++EC_F_ECDSA_S390X_NISTP_SIGN_SIG:313:ecdsa_s390x_nistp_sign_sig ++EC_F_ECDSA_S390X_NISTP_VERIFY_SIG:314:ecdsa_s390x_nistp_verify_sig + EC_F_ECD_ITEM_VERIFY:270:ecd_item_verify + EC_F_ECKEY_PARAM2TYPE:223:eckey_param2type + EC_F_ECKEY_PARAM_DECODE:212:eckey_param_decode +@@ -657,6 +662,7 @@ EC_F_NISTP521_PRE_COMP_NEW:237:nistp521_ + EC_F_O2I_ECPUBLICKEY:152:o2i_ECPublicKey + EC_F_OLD_EC_PRIV_DECODE:222:old_ec_priv_decode + EC_F_OSSL_ECDH_COMPUTE_KEY:247:ossl_ecdh_compute_key ++EC_F_OSSL_ECDSA_SIGN_SETUP:300:ossl_ecdsa_sign_setup + EC_F_OSSL_ECDSA_SIGN_SIG:249:ossl_ecdsa_sign_sig + EC_F_OSSL_ECDSA_VERIFY_SIG:250:ossl_ecdsa_verify_sig + EC_F_PKEY_ECD_CTRL:271:pkey_ecd_ctrl +@@ -672,6 +678,12 @@ EC_F_PKEY_EC_KDF_DERIVE:283:pkey_ec_kdf_ + EC_F_PKEY_EC_KEYGEN:199:pkey_ec_keygen + EC_F_PKEY_EC_PARAMGEN:219:pkey_ec_paramgen + EC_F_PKEY_EC_SIGN:218:pkey_ec_sign ++EC_F_S390X_PKEY_ECD_DIGESTSIGN25519:303:s390x_pkey_ecd_digestsign25519 ++EC_F_S390X_PKEY_ECD_DIGESTSIGN448:304:s390x_pkey_ecd_digestsign448 ++EC_F_S390X_PKEY_ECD_KEYGEN25519:305:s390x_pkey_ecd_keygen25519 ++EC_F_S390X_PKEY_ECD_KEYGEN448:306:s390x_pkey_ecd_keygen448 ++EC_F_S390X_PKEY_ECX_KEYGEN25519:307:s390x_pkey_ecx_keygen25519 ++EC_F_S390X_PKEY_ECX_KEYGEN448:308:s390x_pkey_ecx_keygen448 + EC_F_VALIDATE_ECX_DERIVE:278:validate_ecx_derive + ENGINE_F_DIGEST_UPDATE:198:digest_update + ENGINE_F_DYNAMIC_CTRL:180:dynamic_ctrl +@@ -2160,6 +2172,7 @@ EC_R_BUFFER_TOO_SMALL:100:buffer too sma + EC_R_CANNOT_INVERT:165:cannot invert + EC_R_COORDINATES_OUT_OF_RANGE:146:coordinates out of range + EC_R_CURVE_DOES_NOT_SUPPORT_ECDH:160:curve does not support ecdh ++EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA:170:curve does not support ecdsa + EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING:159:curve does not support signing + EC_R_D2I_ECPKPARAMETERS_FAILURE:117:d2i ecpkparameters failure + EC_R_DECODE_ERROR:142:decode error +diff -up openssl-1.1.1g/crypto/evp/pmeth_lib.c.s390x-ecc openssl-1.1.1g/crypto/evp/pmeth_lib.c +--- openssl-1.1.1g/crypto/evp/pmeth_lib.c.s390x-ecc 2020-05-18 12:45:40.787233671 +0200 ++++ openssl-1.1.1g/crypto/evp/pmeth_lib.c 2020-05-18 12:45:44.576266601 +0200 +@@ -17,60 +17,67 @@ + #include "crypto/evp.h" + #include "internal/numbers.h" + ++typedef const EVP_PKEY_METHOD *(*pmeth_fn)(void); + typedef int sk_cmp_fn_type(const char *const *a, const char *const *b); + + static STACK_OF(EVP_PKEY_METHOD) *app_pkey_methods = NULL; + + /* This array needs to be in order of NIDs */ +-static const EVP_PKEY_METHOD *standard_methods[] = { ++static pmeth_fn standard_methods[] = { + #ifndef OPENSSL_NO_RSA +- &rsa_pkey_meth, ++ rsa_pkey_method, + #endif + #ifndef OPENSSL_NO_DH +- &dh_pkey_meth, ++ dh_pkey_method, + #endif + #ifndef OPENSSL_NO_DSA +- &dsa_pkey_meth, ++ dsa_pkey_method, + #endif + #ifndef OPENSSL_NO_EC +- &ec_pkey_meth, ++ ec_pkey_method, + #endif +- &hmac_pkey_meth, ++ hmac_pkey_method, + #ifndef OPENSSL_NO_CMAC +- &cmac_pkey_meth, ++ cmac_pkey_method, + #endif + #ifndef OPENSSL_NO_RSA +- &rsa_pss_pkey_meth, ++ rsa_pss_pkey_method, + #endif + #ifndef OPENSSL_NO_DH +- &dhx_pkey_meth, ++ dhx_pkey_method, + #endif + #ifndef OPENSSL_NO_SCRYPT +- &scrypt_pkey_meth, ++ scrypt_pkey_method, + #endif +- &tls1_prf_pkey_meth, ++ tls1_prf_pkey_method, + #ifndef OPENSSL_NO_EC +- &ecx25519_pkey_meth, +- &ecx448_pkey_meth, ++ ecx25519_pkey_method, ++ ecx448_pkey_method, + #endif +- &hkdf_pkey_meth, ++ hkdf_pkey_method, + #ifndef OPENSSL_NO_POLY1305 +- &poly1305_pkey_meth, ++ poly1305_pkey_method, + #endif + #ifndef OPENSSL_NO_SIPHASH +- &siphash_pkey_meth, ++ siphash_pkey_method, + #endif + #ifndef OPENSSL_NO_EC +- &ed25519_pkey_meth, +- &ed448_pkey_meth, ++ ed25519_pkey_method, ++ ed448_pkey_method, + #endif + #ifndef OPENSSL_NO_SM2 +- &sm2_pkey_meth, ++ sm2_pkey_method, + #endif + }; + +-DECLARE_OBJ_BSEARCH_CMP_FN(const EVP_PKEY_METHOD *, const EVP_PKEY_METHOD *, +- pmeth); ++DECLARE_OBJ_BSEARCH_CMP_FN(const EVP_PKEY_METHOD *, pmeth_fn, pmeth_func); ++ ++static int pmeth_func_cmp(const EVP_PKEY_METHOD *const *a, pmeth_fn const *b) ++{ ++ return ((*a)->pkey_id - ((**b)())->pkey_id); ++} ++ ++IMPLEMENT_OBJ_BSEARCH_CMP_FN(const EVP_PKEY_METHOD *, pmeth_fn, pmeth_func); + + static int pmeth_cmp(const EVP_PKEY_METHOD *const *a, + const EVP_PKEY_METHOD *const *b) +@@ -78,13 +85,11 @@ static int pmeth_cmp(const EVP_PKEY_METH + return ((*a)->pkey_id - (*b)->pkey_id); + } + +-IMPLEMENT_OBJ_BSEARCH_CMP_FN(const EVP_PKEY_METHOD *, const EVP_PKEY_METHOD *, +- pmeth); +- + const EVP_PKEY_METHOD *EVP_PKEY_meth_find(int type) + { ++ pmeth_fn *ret; + EVP_PKEY_METHOD tmp; +- const EVP_PKEY_METHOD *t = &tmp, **ret; ++ const EVP_PKEY_METHOD *t = &tmp; + tmp.pkey_id = type; + if (app_pkey_methods) { + int idx; +@@ -92,12 +97,12 @@ const EVP_PKEY_METHOD *EVP_PKEY_meth_fin + if (idx >= 0) + return sk_EVP_PKEY_METHOD_value(app_pkey_methods, idx); + } +- ret = OBJ_bsearch_pmeth(&t, standard_methods, +- sizeof(standard_methods) / +- sizeof(EVP_PKEY_METHOD *)); ++ ret = OBJ_bsearch_pmeth_func(&t, standard_methods, ++ sizeof(standard_methods) / ++ sizeof(pmeth_fn)); + if (!ret || !*ret) + return NULL; +- return *ret; ++ return (**ret)(); + } + + static EVP_PKEY_CTX *int_ctx_new(EVP_PKEY *pkey, ENGINE *e, int id) +@@ -348,7 +353,7 @@ size_t EVP_PKEY_meth_get_count(void) + const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx) + { + if (idx < OSSL_NELEM(standard_methods)) +- return standard_methods[idx]; ++ return (standard_methods[idx])(); + if (app_pkey_methods == NULL) + return NULL; + idx -= OSSL_NELEM(standard_methods); +diff -up openssl-1.1.1g/crypto/hmac/hm_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/hmac/hm_pmeth.c +--- openssl-1.1.1g/crypto/hmac/hm_pmeth.c.s390x-ecc 2020-05-18 12:45:40.796233749 +0200 ++++ openssl-1.1.1g/crypto/hmac/hm_pmeth.c 2020-05-18 12:45:44.576266601 +0200 +@@ -210,3 +210,8 @@ const EVP_PKEY_METHOD hmac_pkey_meth = { + pkey_hmac_ctrl, + pkey_hmac_ctrl_str + }; ++ ++const EVP_PKEY_METHOD *hmac_pkey_method(void) ++{ ++ return &hmac_pkey_meth; ++} +diff -up openssl-1.1.1g/crypto/kdf/hkdf.c.s390x-ecc openssl-1.1.1g/crypto/kdf/hkdf.c +--- openssl-1.1.1g/crypto/kdf/hkdf.c.s390x-ecc 2020-05-18 12:45:40.826234009 +0200 ++++ openssl-1.1.1g/crypto/kdf/hkdf.c 2020-05-18 12:45:44.577266609 +0200 +@@ -233,6 +233,11 @@ const EVP_KDF_METHOD hkdf_kdf_meth = { + kdf_hkdf_derive + }; + ++const EVP_PKEY_METHOD *hkdf_pkey_method(void) ++{ ++ return &hkdf_pkey_meth; ++} ++ + static int HKDF(const EVP_MD *evp_md, + const unsigned char *salt, size_t salt_len, + const unsigned char *key, size_t key_len, +diff -up openssl-1.1.1g/crypto/kdf/scrypt.c.s390x-ecc openssl-1.1.1g/crypto/kdf/scrypt.c +--- openssl-1.1.1g/crypto/kdf/scrypt.c.s390x-ecc 2020-05-18 12:45:40.827234018 +0200 ++++ openssl-1.1.1g/crypto/kdf/scrypt.c 2020-05-18 12:45:44.578266618 +0200 +@@ -504,4 +504,9 @@ static int scrypt_alg(const char *pass, + return rv; + } + ++const EVP_PKEY_METHOD *scrypt_pkey_method(void) ++{ ++ return &scrypt_pkey_meth; ++} ++ + #endif +diff -up openssl-1.1.1g/crypto/kdf/tls1_prf.c.s390x-ecc openssl-1.1.1g/crypto/kdf/tls1_prf.c +--- openssl-1.1.1g/crypto/kdf/tls1_prf.c.s390x-ecc 2020-05-18 12:45:40.828234027 +0200 ++++ openssl-1.1.1g/crypto/kdf/tls1_prf.c 2020-05-18 12:45:44.578266618 +0200 +@@ -168,6 +168,11 @@ const EVP_KDF_METHOD tls1_prf_kdf_meth = + kdf_tls1_prf_derive + }; + ++const EVP_PKEY_METHOD *tls1_prf_pkey_method(void) ++{ ++ return &tls1_prf_pkey_meth; ++} ++ + static int tls1_prf_P_hash(const EVP_MD *md, + const unsigned char *sec, size_t sec_len, + const unsigned char *seed, size_t seed_len, +diff -up openssl-1.1.1g/crypto/poly1305/poly1305_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/poly1305/poly1305_pmeth.c +--- openssl-1.1.1g/crypto/poly1305/poly1305_pmeth.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/crypto/poly1305/poly1305_pmeth.c 2020-05-18 12:45:44.579266627 +0200 +@@ -192,3 +192,8 @@ const EVP_PKEY_METHOD poly1305_pkey_meth + pkey_poly1305_ctrl, + pkey_poly1305_ctrl_str + }; ++ ++const EVP_PKEY_METHOD *poly1305_pkey_method(void) ++{ ++ return &poly1305_pkey_meth; ++} +diff -up openssl-1.1.1g/crypto/rsa/rsa_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/rsa/rsa_pmeth.c +--- openssl-1.1.1g/crypto/rsa/rsa_pmeth.c.s390x-ecc 2020-05-18 12:45:40.798233766 +0200 ++++ openssl-1.1.1g/crypto/rsa/rsa_pmeth.c 2020-05-18 12:45:44.580266635 +0200 +@@ -789,6 +789,11 @@ const EVP_PKEY_METHOD rsa_pkey_meth = { + pkey_rsa_ctrl_str + }; + ++const EVP_PKEY_METHOD *rsa_pkey_method(void) ++{ ++ return &rsa_pkey_meth; ++} ++ + /* + * Called for PSS sign or verify initialisation: checks PSS parameter + * sanity and sets any restrictions on key usage. +@@ -859,3 +864,8 @@ const EVP_PKEY_METHOD rsa_pss_pkey_meth + pkey_rsa_ctrl, + pkey_rsa_ctrl_str + }; ++ ++const EVP_PKEY_METHOD *rsa_pss_pkey_method(void) ++{ ++ return &rsa_pss_pkey_meth; ++} +diff -up openssl-1.1.1g/crypto/s390x_arch.h.s390x-ecc openssl-1.1.1g/crypto/s390x_arch.h +--- openssl-1.1.1g/crypto/s390x_arch.h.s390x-ecc 2020-05-18 12:45:40.603232072 +0200 ++++ openssl-1.1.1g/crypto/s390x_arch.h 2020-05-18 12:45:44.580266635 +0200 +@@ -26,6 +26,12 @@ void s390x_kmf(const unsigned char *in, + unsigned int fc, void *param); + void s390x_kma(const unsigned char *aad, size_t alen, const unsigned char *in, + size_t len, unsigned char *out, unsigned int fc, void *param); ++int s390x_pcc(unsigned int fc, void *param); ++int s390x_kdsa(unsigned int fc, void *param, const unsigned char *in, ++ size_t len); ++ ++void s390x_flip_endian32(unsigned char dst[32], const unsigned char src[32]); ++void s390x_flip_endian64(unsigned char dst[64], const unsigned char src[64]); + + /* + * The field elements of OPENSSL_s390xcap_P are the 64-bit words returned by +@@ -45,6 +51,8 @@ struct OPENSSL_s390xcap_st { + unsigned long long kmf[2]; + unsigned long long prno[2]; + unsigned long long kma[2]; ++ unsigned long long pcc[2]; ++ unsigned long long kdsa[2]; + }; + + extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P; +@@ -66,11 +74,14 @@ extern struct OPENSSL_s390xcap_st OPENSS + # define S390X_KMF 0x90 + # define S390X_PRNO 0xa0 + # define S390X_KMA 0xb0 ++# define S390X_PCC 0xc0 ++# define S390X_KDSA 0xd0 + + /* Facility Bit Numbers */ + # define S390X_VX 129 + # define S390X_VXD 134 + # define S390X_VXE 135 ++# define S390X_MSA9 155 /* message-security-assist-ext. 9 */ + + /* Function Codes */ + +@@ -94,10 +105,32 @@ extern struct OPENSSL_s390xcap_st OPENSS + /* prno */ + # define S390X_TRNG 114 + ++/* pcc */ ++# define S390X_SCALAR_MULTIPLY_P256 64 ++# define S390X_SCALAR_MULTIPLY_P384 65 ++# define S390X_SCALAR_MULTIPLY_P521 66 ++# define S390X_SCALAR_MULTIPLY_ED25519 72 ++# define S390X_SCALAR_MULTIPLY_ED448 73 ++# define S390X_SCALAR_MULTIPLY_X25519 80 ++# define S390X_SCALAR_MULTIPLY_X448 81 ++ ++/* kdsa */ ++# define S390X_ECDSA_VERIFY_P256 1 ++# define S390X_ECDSA_VERIFY_P384 2 ++# define S390X_ECDSA_VERIFY_P521 3 ++# define S390X_ECDSA_SIGN_P256 9 ++# define S390X_ECDSA_SIGN_P384 10 ++# define S390X_ECDSA_SIGN_P521 11 ++# define S390X_EDDSA_VERIFY_ED25519 32 ++# define S390X_EDDSA_VERIFY_ED448 36 ++# define S390X_EDDSA_SIGN_ED25519 40 ++# define S390X_EDDSA_SIGN_ED448 44 ++ + /* Register 0 Flags */ + # define S390X_DECRYPT 0x80 + # define S390X_KMA_LPC 0x100 + # define S390X_KMA_LAAD 0x200 + # define S390X_KMA_HS 0x400 ++# define S390X_KDSA_D 0x80 + + #endif +diff -up openssl-1.1.1g/crypto/s390xcpuid.pl.s390x-ecc openssl-1.1.1g/crypto/s390xcpuid.pl +--- openssl-1.1.1g/crypto/s390xcpuid.pl.s390x-ecc 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/crypto/s390xcpuid.pl 2020-05-18 12:45:44.581266644 +0200 +@@ -58,6 +58,10 @@ OPENSSL_s390x_facilities: + stg %r0,S390X_PRNO+8(%r4) + stg %r0,S390X_KMA(%r4) + stg %r0,S390X_KMA+8(%r4) ++ stg %r0,S390X_PCC(%r4) ++ stg %r0,S390X_PCC+8(%r4) ++ stg %r0,S390X_KDSA(%r4) ++ stg %r0,S390X_KDSA+8(%r4) + + .long 0xb2b04000 # stfle 0(%r4) + brc 8,.Ldone +@@ -68,6 +72,7 @@ OPENSSL_s390x_facilities: + .long 0xb2b04000 # stfle 0(%r4) + .Ldone: + lmg %r2,%r3,S390X_STFLE(%r4) ++ + tmhl %r2,0x4000 # check for message-security-assist + jz .Lret + +@@ -91,6 +96,13 @@ OPENSSL_s390x_facilities: + la %r1,S390X_KMAC(%r4) + .long 0xb91e0042 # kmac %r4,%r2 + ++ tmhh %r3,0x0008 # check for message-security-assist-3 ++ jz .Lret ++ ++ lghi %r0,S390X_QUERY # query pcc capability vector ++ la %r1,S390X_PCC(%r4) ++ .long 0xb92c0000 # pcc ++ + tmhh %r3,0x0004 # check for message-security-assist-4 + jz .Lret + +@@ -114,6 +126,7 @@ OPENSSL_s390x_facilities: + .long 0xb93c0042 # prno %r4,%r2 + + lg %r2,S390X_STFLE+16(%r4) ++ + tmhl %r2,0x2000 # check for message-security-assist-8 + jz .Lret + +@@ -121,6 +134,13 @@ OPENSSL_s390x_facilities: + la %r1,S390X_KMA(%r4) + .long 0xb9294022 # kma %r2,%r4,%r2 + ++ tmhl %r2,0x0010 # check for message-security-assist-9 ++ jz .Lret ++ ++ lghi %r0,S390X_QUERY # query kdsa capability vector ++ la %r1,S390X_KDSA(%r4) ++ .long 0xb93a0002 # kdsa %r0,%r2 ++ + .Lret: + br $ra + .size OPENSSL_s390x_facilities,.-OPENSSL_s390x_facilities +@@ -411,6 +431,113 @@ s390x_kma: + ___ + } + ++################ ++# int s390x_pcc(unsigned int fc, void *param) ++{ ++my ($fc,$param) = map("%r$_",(2..3)); ++$code.=<<___; ++.globl s390x_pcc ++.type s390x_pcc,\@function ++.align 16 ++s390x_pcc: ++ lr %r0,$fc ++ l${g}r %r1,$param ++ lhi %r2,0 ++ ++ .long 0xb92c0000 # pcc ++ brc 1,.-4 # pay attention to "partial completion" ++ brc 7,.Lpcc_err # if CC==0 return 0, else return 1 ++.Lpcc_out: ++ br $ra ++.Lpcc_err: ++ lhi %r2,1 ++ j .Lpcc_out ++.size s390x_pcc,.-s390x_pcc ++___ ++} ++ ++################ ++# int s390x_kdsa(unsigned int fc, void *param, ++# const unsigned char *in, size_t len) ++{ ++my ($fc,$param,$in,$len) = map("%r$_",(2..5)); ++$code.=<<___; ++.globl s390x_kdsa ++.type s390x_kdsa,\@function ++.align 16 ++s390x_kdsa: ++ lr %r0,$fc ++ l${g}r %r1,$param ++ lhi %r2,0 ++ ++ .long 0xb93a0004 # kdsa %r0,$in ++ brc 1,.-4 # pay attention to "partial completion" ++ brc 7,.Lkdsa_err # if CC==0 return 0, else return 1 ++.Lkdsa_out: ++ br $ra ++.Lkdsa_err: ++ lhi %r2,1 ++ j .Lkdsa_out ++.size s390x_kdsa,.-s390x_kdsa ++___ ++} ++ ++################ ++# void s390x_flip_endian32(unsigned char dst[32], const unsigned char src[32]) ++{ ++my ($dst,$src) = map("%r$_",(2..3)); ++$code.=<<___; ++.globl s390x_flip_endian32 ++.type s390x_flip_endian32,\@function ++.align 16 ++s390x_flip_endian32: ++ lrvg %r0,0(%r0,$src) ++ lrvg %r1,8(%r0,$src) ++ lrvg %r4,16(%r0,$src) ++ lrvg %r5,24(%r0,$src) ++ stg %r0,24(%r0,$dst) ++ stg %r1,16(%r0,$dst) ++ stg %r4,8(%r0,$dst) ++ stg %r5,0(%r0,$dst) ++ br $ra ++.size s390x_flip_endian32,.-s390x_flip_endian32 ++___ ++} ++ ++################ ++# void s390x_flip_endian64(unsigned char dst[64], const unsigned char src[64]) ++{ ++my ($dst,$src) = map("%r$_",(2..3)); ++$code.=<<___; ++.globl s390x_flip_endian64 ++.type s390x_flip_endian64,\@function ++.align 16 ++s390x_flip_endian64: ++ stmg %r6,%r9,6*$SIZE_T($sp) ++ ++ lrvg %r0,0(%r0,$src) ++ lrvg %r1,8(%r0,$src) ++ lrvg %r4,16(%r0,$src) ++ lrvg %r5,24(%r0,$src) ++ lrvg %r6,32(%r0,$src) ++ lrvg %r7,40(%r0,$src) ++ lrvg %r8,48(%r0,$src) ++ lrvg %r9,56(%r0,$src) ++ stg %r0,56(%r0,$dst) ++ stg %r1,48(%r0,$dst) ++ stg %r4,40(%r0,$dst) ++ stg %r5,32(%r0,$dst) ++ stg %r6,24(%r0,$dst) ++ stg %r7,16(%r0,$dst) ++ stg %r8,8(%r0,$dst) ++ stg %r9,0(%r0,$dst) ++ ++ lmg %r6,%r9,6*$SIZE_T($sp) ++ br $ra ++.size s390x_flip_endian64,.-s390x_flip_endian64 ++___ ++} ++ + $code.=<<___; + .section .init + brasl $ra,OPENSSL_cpuid_setup +diff -up openssl-1.1.1g/crypto/siphash/siphash_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/siphash/siphash_pmeth.c +--- openssl-1.1.1g/crypto/siphash/siphash_pmeth.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/crypto/siphash/siphash_pmeth.c 2020-05-18 12:45:44.581266644 +0200 +@@ -203,3 +203,8 @@ const EVP_PKEY_METHOD siphash_pkey_meth + pkey_siphash_ctrl, + pkey_siphash_ctrl_str + }; ++ ++const EVP_PKEY_METHOD *siphash_pkey_method(void) ++{ ++ return &siphash_pkey_meth; ++} +diff -up openssl-1.1.1g/crypto/sm2/sm2_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/sm2/sm2_pmeth.c +--- openssl-1.1.1g/crypto/sm2/sm2_pmeth.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/crypto/sm2/sm2_pmeth.c 2020-05-18 12:45:44.582266653 +0200 +@@ -327,3 +327,8 @@ const EVP_PKEY_METHOD sm2_pkey_meth = { + + pkey_sm2_digest_custom + }; ++ ++const EVP_PKEY_METHOD *sm2_pkey_method(void) ++{ ++ return &sm2_pkey_meth; ++} +diff -up openssl-1.1.1g/include/crypto/evp.h.s390x-ecc openssl-1.1.1g/include/crypto/evp.h +--- openssl-1.1.1g/include/crypto/evp.h.s390x-ecc 2020-05-18 12:45:40.834234079 +0200 ++++ openssl-1.1.1g/include/crypto/evp.h 2020-05-18 12:45:44.577266609 +0200 +@@ -459,3 +459,22 @@ void evp_encode_ctx_set_flags(EVP_ENCODE + #define EVP_ENCODE_CTX_NO_NEWLINES 1 + /* Use the SRP base64 alphabet instead of the standard one */ + #define EVP_ENCODE_CTX_USE_SRP_ALPHABET 2 ++ ++const EVP_PKEY_METHOD *cmac_pkey_method(void); ++const EVP_PKEY_METHOD *dh_pkey_method(void); ++const EVP_PKEY_METHOD *dhx_pkey_method(void); ++const EVP_PKEY_METHOD *dsa_pkey_method(void); ++const EVP_PKEY_METHOD *ec_pkey_method(void); ++const EVP_PKEY_METHOD *sm2_pkey_method(void); ++const EVP_PKEY_METHOD *ecx25519_pkey_method(void); ++const EVP_PKEY_METHOD *ecx448_pkey_method(void); ++const EVP_PKEY_METHOD *ed25519_pkey_method(void); ++const EVP_PKEY_METHOD *ed448_pkey_method(void); ++const EVP_PKEY_METHOD *hmac_pkey_method(void); ++const EVP_PKEY_METHOD *rsa_pkey_method(void); ++const EVP_PKEY_METHOD *rsa_pss_pkey_method(void); ++const EVP_PKEY_METHOD *scrypt_pkey_method(void); ++const EVP_PKEY_METHOD *tls1_prf_pkey_method(void); ++const EVP_PKEY_METHOD *hkdf_pkey_method(void); ++const EVP_PKEY_METHOD *poly1305_pkey_method(void); ++const EVP_PKEY_METHOD *siphash_pkey_method(void); +diff -up openssl-1.1.1g/include/internal/constant_time.h.s390x-ecc openssl-1.1.1g/include/internal/constant_time.h +--- openssl-1.1.1g/include/internal/constant_time.h.s390x-ecc 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/include/internal/constant_time.h 2020-05-18 12:45:44.582266653 +0200 +@@ -353,6 +353,34 @@ static ossl_inline void constant_time_co + } + + /* ++ * mask must be 0xFF or 0x00. ++ * "constant time" is per len. ++ * ++ * if (mask) { ++ * unsigned char tmp[len]; ++ * ++ * memcpy(tmp, a, len); ++ * memcpy(a, b); ++ * memcpy(b, tmp); ++ * } ++ */ ++static ossl_inline void constant_time_cond_swap_buff(unsigned char mask, ++ unsigned char *a, ++ unsigned char *b, ++ size_t len) ++{ ++ size_t i; ++ unsigned char tmp; ++ ++ for (i = 0; i < len; i++) { ++ tmp = a[i] ^ b[i]; ++ tmp &= mask; ++ a[i] ^= tmp; ++ b[i] ^= tmp; ++ } ++} ++ ++/* + * table is a two dimensional array of bytes. Each row has rowsize elements. + * Copies row number idx into out. rowsize and numrows are not considered + * private. +diff -up openssl-1.1.1g/include/openssl/ecerr.h.s390x-ecc openssl-1.1.1g/include/openssl/ecerr.h +--- openssl-1.1.1g/include/openssl/ecerr.h.s390x-ecc 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/include/openssl/ecerr.h 2020-05-18 12:45:44.583266662 +0200 +@@ -42,6 +42,11 @@ int ERR_load_EC_strings(void); + # define EC_F_ECDSA_SIGN_SETUP 248 + # define EC_F_ECDSA_SIG_NEW 265 + # define EC_F_ECDSA_VERIFY 253 ++# define EC_F_ECDSA_SIMPLE_SIGN_SETUP 310 ++# define EC_F_ECDSA_SIMPLE_SIGN_SIG 311 ++# define EC_F_ECDSA_SIMPLE_VERIFY_SIG 312 ++# define EC_F_ECDSA_S390X_NISTP_SIGN_SIG 313 ++# define EC_F_ECDSA_S390X_NISTP_VERIFY_SIG 314 + # define EC_F_ECD_ITEM_VERIFY 270 + # define EC_F_ECKEY_PARAM2TYPE 223 + # define EC_F_ECKEY_PARAM_DECODE 212 +@@ -185,6 +190,7 @@ int ERR_load_EC_strings(void); + # define EC_F_O2I_ECPUBLICKEY 152 + # define EC_F_OLD_EC_PRIV_DECODE 222 + # define EC_F_OSSL_ECDH_COMPUTE_KEY 247 ++# define EC_F_OSSL_ECDSA_SIGN_SETUP 300 + # define EC_F_OSSL_ECDSA_SIGN_SIG 249 + # define EC_F_OSSL_ECDSA_VERIFY_SIG 250 + # define EC_F_PKEY_ECD_CTRL 271 +@@ -200,6 +206,12 @@ int ERR_load_EC_strings(void); + # define EC_F_PKEY_EC_KEYGEN 199 + # define EC_F_PKEY_EC_PARAMGEN 219 + # define EC_F_PKEY_EC_SIGN 218 ++# define EC_F_S390X_PKEY_ECD_DIGESTSIGN25519 320 ++# define EC_F_S390X_PKEY_ECD_DIGESTSIGN448 321 ++# define EC_F_S390X_PKEY_ECD_KEYGEN25519 322 ++# define EC_F_S390X_PKEY_ECD_KEYGEN448 323 ++# define EC_F_S390X_PKEY_ECX_KEYGEN25519 324 ++# define EC_F_S390X_PKEY_ECX_KEYGEN448 325 + # define EC_F_VALIDATE_ECX_DERIVE 278 + + /* +@@ -212,6 +224,7 @@ int ERR_load_EC_strings(void); + # define EC_R_CANNOT_INVERT 165 + # define EC_R_COORDINATES_OUT_OF_RANGE 146 + # define EC_R_CURVE_DOES_NOT_SUPPORT_ECDH 160 ++# define EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA 170 + # define EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING 159 + # define EC_R_D2I_ECPKPARAMETERS_FAILURE 117 + # define EC_R_DECODE_ERROR 142 +diff -up openssl-1.1.1g/test/recipes/30-test_evp_data/evppkey.txt.s390x-ecc openssl-1.1.1g/test/recipes/30-test_evp_data/evppkey.txt +--- openssl-1.1.1g/test/recipes/30-test_evp_data/evppkey.txt.s390x-ecc 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/test/recipes/30-test_evp_data/evppkey.txt 2020-05-18 12:45:44.590266722 +0200 +@@ -814,6 +814,8 @@ PublicKeyRaw=Bob-448-PUBLIC-Raw:X448:3eb + + PrivPubKeyPair = Bob-448-Raw:Bob-448-PUBLIC-Raw + ++PublicKeyRaw=Bob-448-PUBLIC-Raw-NonCanonical:X448:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ++ + Derive=Alice-448 + PeerKey=Bob-448-PUBLIC + SharedSecret=07fff4181ac6cc95ec1c16a94a0f74d12da232ce40a77552281d282bb60c0b56fd2464c335543936521c24403085d59a449a5037514a879d +@@ -830,6 +832,11 @@ Derive=Bob-448-Raw + PeerKey=Alice-448-PUBLIC-Raw + SharedSecret=07fff4181ac6cc95ec1c16a94a0f74d12da232ce40a77552281d282bb60c0b56fd2464c335543936521c24403085d59a449a5037514a879d + ++# Self-generated non-canonical ++Derive=Alice-448-Raw ++PeerKey=Bob-448-PUBLIC-Raw-NonCanonical ++SharedSecret=66e2e682b1f8e68c809f1bb3e406bd826921d9c1a5bfbfcbab7ae72feecee63660eabd54934f3382061d17607f581a90bdac917a064959fb ++ + # Illegal sign/verify operations with X448 key + + Sign=Alice-448 |