2328 lines
87 KiB
Diff
2328 lines
87 KiB
Diff
diff -up openssl-1.1.1c/Configurations/00-base-templates.conf.s390x-ecc openssl-1.1.1c/Configurations/00-base-templates.conf
|
|
--- openssl-1.1.1c/Configurations/00-base-templates.conf.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
|
|
+++ openssl-1.1.1c/Configurations/00-base-templates.conf 2019-11-20 11:36:02.190860451 +0100
|
|
@@ -289,6 +289,7 @@ my %targets=(
|
|
template => 1,
|
|
cpuid_asm_src => "s390xcap.c s390xcpuid.S",
|
|
bn_asm_src => "asm/s390x.S s390x-mont.S s390x-gf2m.s",
|
|
+ ec_asm_src => "ecp_s390x_nistp.c",
|
|
aes_asm_src => "aes-s390x.S aes-ctr.fake aes-xts.fake",
|
|
sha1_asm_src => "sha1-s390x.S sha256-s390x.S sha512-s390x.S",
|
|
rc4_asm_src => "rc4-s390x.s",
|
|
diff -up openssl-1.1.1c/Configure.s390x-ecc openssl-1.1.1c/Configure
|
|
--- openssl-1.1.1c/Configure.s390x-ecc 2019-11-20 11:36:02.078862415 +0100
|
|
+++ openssl-1.1.1c/Configure 2019-11-20 11:36:02.191860433 +0100
|
|
@@ -1410,6 +1410,9 @@ unless ($disabled{asm}) {
|
|
if ($target{ec_asm_src} =~ /ecp_nistz256/) {
|
|
push @{$config{lib_defines}}, "ECP_NISTZ256_ASM";
|
|
}
|
|
+ if ($target{ec_asm_src} =~ /ecp_s390x_nistp/) {
|
|
+ push @{$config{lib_defines}}, "S390X_EC_ASM";
|
|
+ }
|
|
if ($target{ec_asm_src} =~ /x25519/) {
|
|
push @{$config{lib_defines}}, "X25519_ASM";
|
|
}
|
|
diff -up openssl-1.1.1c/crypto/bn/asm/s390x.S.s390x-ecc openssl-1.1.1c/crypto/bn/asm/s390x.S
|
|
--- openssl-1.1.1c/crypto/bn/asm/s390x.S.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
|
|
+++ openssl-1.1.1c/crypto/bn/asm/s390x.S 2019-11-20 11:36:02.191860433 +0100
|
|
@@ -511,7 +511,7 @@ bn_mul_comba4:
|
|
lghi zero,0
|
|
|
|
mul_add_c(0,0,c1,c2,c3);
|
|
- stg c1,0*8(%r3)
|
|
+ stg c1,0*8(%r2)
|
|
lghi c1,0
|
|
|
|
mul_add_c(0,1,c2,c3,c1);
|
|
diff -up openssl-1.1.1c/crypto/cmac/cm_pmeth.c.s390x-ecc openssl-1.1.1c/crypto/cmac/cm_pmeth.c
|
|
--- openssl-1.1.1c/crypto/cmac/cm_pmeth.c.s390x-ecc 2019-11-20 11:36:02.078862415 +0100
|
|
+++ openssl-1.1.1c/crypto/cmac/cm_pmeth.c 2019-11-20 11:36:02.191860433 +0100
|
|
@@ -159,3 +159,8 @@ const EVP_PKEY_METHOD cmac_pkey_meth = {
|
|
pkey_cmac_ctrl,
|
|
pkey_cmac_ctrl_str
|
|
};
|
|
+
|
|
+const EVP_PKEY_METHOD *cmac_pkey_method(void)
|
|
+{
|
|
+ return &cmac_pkey_meth;
|
|
+}
|
|
diff -up openssl-1.1.1c/crypto/dh/dh_pmeth.c.s390x-ecc openssl-1.1.1c/crypto/dh/dh_pmeth.c
|
|
--- openssl-1.1.1c/crypto/dh/dh_pmeth.c.s390x-ecc 2019-11-20 11:36:02.079862397 +0100
|
|
+++ openssl-1.1.1c/crypto/dh/dh_pmeth.c 2019-11-20 11:36:02.191860433 +0100
|
|
@@ -512,6 +512,11 @@ const EVP_PKEY_METHOD dh_pkey_meth = {
|
|
pkey_dh_ctrl_str
|
|
};
|
|
|
|
+const EVP_PKEY_METHOD *dh_pkey_method(void)
|
|
+{
|
|
+ return &dh_pkey_meth;
|
|
+}
|
|
+
|
|
const EVP_PKEY_METHOD dhx_pkey_meth = {
|
|
EVP_PKEY_DHX,
|
|
EVP_PKEY_FLAG_FIPS,
|
|
@@ -545,3 +550,8 @@ const EVP_PKEY_METHOD dhx_pkey_meth = {
|
|
pkey_dh_ctrl,
|
|
pkey_dh_ctrl_str
|
|
};
|
|
+
|
|
+const EVP_PKEY_METHOD *dhx_pkey_method(void)
|
|
+{
|
|
+ return &dhx_pkey_meth;
|
|
+}
|
|
diff -up openssl-1.1.1c/crypto/dsa/dsa_pmeth.c.s390x-ecc openssl-1.1.1c/crypto/dsa/dsa_pmeth.c
|
|
--- openssl-1.1.1c/crypto/dsa/dsa_pmeth.c.s390x-ecc 2019-11-20 11:36:02.100862029 +0100
|
|
+++ openssl-1.1.1c/crypto/dsa/dsa_pmeth.c 2019-11-20 11:36:02.191860433 +0100
|
|
@@ -275,3 +275,8 @@ const EVP_PKEY_METHOD dsa_pkey_meth = {
|
|
pkey_dsa_ctrl,
|
|
pkey_dsa_ctrl_str
|
|
};
|
|
+
|
|
+const EVP_PKEY_METHOD *dsa_pkey_method(void)
|
|
+{
|
|
+ return &dsa_pkey_meth;
|
|
+}
|
|
diff -up openssl-1.1.1c/crypto/ec/build.info.s390x-ecc openssl-1.1.1c/crypto/ec/build.info
|
|
--- openssl-1.1.1c/crypto/ec/build.info.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
|
|
+++ openssl-1.1.1c/crypto/ec/build.info 2019-11-20 11:36:02.192860416 +0100
|
|
@@ -26,6 +26,9 @@ GENERATE[ecp_nistz256-armv8.S]=asm/ecp_n
|
|
INCLUDE[ecp_nistz256-armv8.o]=..
|
|
GENERATE[ecp_nistz256-ppc64.s]=asm/ecp_nistz256-ppc64.pl $(PERLASM_SCHEME)
|
|
|
|
+INCLUDE[ecp_s390x_nistp.o]=..
|
|
+INCLUDE[ecx_meth.o]=..
|
|
+
|
|
GENERATE[x25519-x86_64.s]=asm/x25519-x86_64.pl $(PERLASM_SCHEME)
|
|
GENERATE[x25519-ppc64.s]=asm/x25519-ppc64.pl $(PERLASM_SCHEME)
|
|
|
|
diff -up openssl-1.1.1c/crypto/ec/ec_curve.c.s390x-ecc openssl-1.1.1c/crypto/ec/ec_curve.c
|
|
--- openssl-1.1.1c/crypto/ec/ec_curve.c.s390x-ecc 2019-11-20 11:36:02.043863029 +0100
|
|
+++ openssl-1.1.1c/crypto/ec/ec_curve.c 2019-11-20 11:36:02.192860416 +0100
|
|
@@ -255,20 +255,29 @@ static const ec_list_element curve_list[
|
|
{NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0,
|
|
"SECG curve over a 256 bit prime field"},
|
|
/* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
|
|
- {NID_secp384r1, &_EC_NIST_PRIME_384.h, 0,
|
|
+ {NID_secp384r1, &_EC_NIST_PRIME_384.h,
|
|
+# if defined(S390X_EC_ASM)
|
|
+ EC_GFp_s390x_nistp384_method,
|
|
+# else
|
|
+ 0,
|
|
+# endif
|
|
"NIST/SECG curve over a 384 bit prime field"},
|
|
-#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
|
|
- {NID_secp521r1, &_EC_NIST_PRIME_521.h, EC_GFp_nistp521_method,
|
|
- "NIST/SECG curve over a 521 bit prime field"},
|
|
-#else
|
|
- {NID_secp521r1, &_EC_NIST_PRIME_521.h, 0,
|
|
+ {NID_secp521r1, &_EC_NIST_PRIME_521.h,
|
|
+# if defined(S390X_EC_ASM)
|
|
+ EC_GFp_s390x_nistp521_method,
|
|
+# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
|
|
+ EC_GFp_nistp521_method,
|
|
+# else
|
|
+ 0,
|
|
+# endif
|
|
"NIST/SECG curve over a 521 bit prime field"},
|
|
-#endif
|
|
/* X9.62 curves */
|
|
{NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
|
|
#if defined(ECP_NISTZ256_ASM)
|
|
EC_GFp_nistz256_method,
|
|
-#elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
|
|
+# elif defined(S390X_EC_ASM)
|
|
+ EC_GFp_s390x_nistp256_method,
|
|
+# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
|
|
EC_GFp_nistp256_method,
|
|
#else
|
|
0,
|
|
diff -up openssl-1.1.1c/crypto/ec/ecdsa_ossl.c.s390x-ecc openssl-1.1.1c/crypto/ec/ecdsa_ossl.c
|
|
--- openssl-1.1.1c/crypto/ec/ecdsa_ossl.c.s390x-ecc 2019-11-20 11:36:02.100862029 +0100
|
|
+++ openssl-1.1.1c/crypto/ec/ecdsa_ossl.c 2019-11-20 11:36:02.192860416 +0100
|
|
@@ -18,6 +18,41 @@
|
|
# include <openssl/fips.h>
|
|
#endif
|
|
|
|
+int ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
|
|
+ BIGNUM **rp)
|
|
+{
|
|
+ if (eckey->group->meth->ecdsa_sign_setup == NULL) {
|
|
+ ECerr(EC_F_OSSL_ECDSA_SIGN_SETUP, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA);
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
+ return eckey->group->meth->ecdsa_sign_setup(eckey, ctx_in, kinvp, rp);
|
|
+}
|
|
+
|
|
+ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
|
|
+ const BIGNUM *in_kinv, const BIGNUM *in_r,
|
|
+ EC_KEY *eckey)
|
|
+{
|
|
+ if (eckey->group->meth->ecdsa_sign_sig == NULL) {
|
|
+ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA);
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
+ return eckey->group->meth->ecdsa_sign_sig(dgst, dgst_len,
|
|
+ in_kinv, in_r, eckey);
|
|
+}
|
|
+
|
|
+int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,
|
|
+ const ECDSA_SIG *sig, EC_KEY *eckey)
|
|
+{
|
|
+ if (eckey->group->meth->ecdsa_verify_sig == NULL) {
|
|
+ ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA);
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
+ return eckey->group->meth->ecdsa_verify_sig(dgst, dgst_len, sig, eckey);
|
|
+}
|
|
+
|
|
int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen,
|
|
unsigned char *sig, unsigned int *siglen,
|
|
const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey)
|
|
@@ -145,15 +180,15 @@ static int ecdsa_sign_setup(EC_KEY *ecke
|
|
return ret;
|
|
}
|
|
|
|
-int ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
|
|
- BIGNUM **rp)
|
|
+int ecdsa_simple_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
|
|
+ BIGNUM **rp)
|
|
{
|
|
return ecdsa_sign_setup(eckey, ctx_in, kinvp, rp, NULL, 0);
|
|
}
|
|
|
|
-ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
|
|
- const BIGNUM *in_kinv, const BIGNUM *in_r,
|
|
- EC_KEY *eckey)
|
|
+ECDSA_SIG *ecdsa_simple_sign_sig(const unsigned char *dgst, int dgst_len,
|
|
+ const BIGNUM *in_kinv, const BIGNUM *in_r,
|
|
+ EC_KEY *eckey)
|
|
{
|
|
int ok = 0, i;
|
|
BIGNUM *kinv = NULL, *s, *m = NULL;
|
|
@@ -210,25 +245,25 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns
|
|
if (8 * dgst_len > i)
|
|
dgst_len = (i + 7) / 8;
|
|
if (!BN_bin2bn(dgst, dgst_len, m)) {
|
|
- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
|
|
+ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_BN_LIB);
|
|
goto err;
|
|
}
|
|
/* If still too long, truncate remaining bits with a shift */
|
|
if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) {
|
|
- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
|
|
+ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_BN_LIB);
|
|
goto err;
|
|
}
|
|
do {
|
|
if (in_kinv == NULL || in_r == NULL) {
|
|
if (!ecdsa_sign_setup(eckey, ctx, &kinv, &ret->r, dgst, dgst_len)) {
|
|
- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_ECDSA_LIB);
|
|
+ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_ECDSA_LIB);
|
|
goto err;
|
|
}
|
|
ckinv = kinv;
|
|
} else {
|
|
ckinv = in_kinv;
|
|
if (BN_copy(ret->r, in_r) == NULL) {
|
|
- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE);
|
|
+ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_MALLOC_FAILURE);
|
|
goto err;
|
|
}
|
|
}
|
|
@@ -242,11 +277,11 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns
|
|
*/
|
|
if (!bn_to_mont_fixed_top(s, ret->r, group->mont_data, ctx)
|
|
|| !bn_mul_mont_fixed_top(s, s, priv_key, group->mont_data, ctx)) {
|
|
- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
|
|
+ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_BN_LIB);
|
|
goto err;
|
|
}
|
|
if (!bn_mod_add_fixed_top(s, s, m, order)) {
|
|
- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
|
|
+ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_BN_LIB);
|
|
goto err;
|
|
}
|
|
/*
|
|
@@ -255,7 +290,7 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns
|
|
*/
|
|
if (!bn_to_mont_fixed_top(s, s, group->mont_data, ctx)
|
|
|| !BN_mod_mul_montgomery(s, s, ckinv, group->mont_data, ctx)) {
|
|
- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
|
|
+ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_BN_LIB);
|
|
goto err;
|
|
}
|
|
|
|
@@ -265,7 +300,7 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns
|
|
* generate new kinv and r values
|
|
*/
|
|
if (in_kinv != NULL && in_r != NULL) {
|
|
- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, EC_R_NEED_NEW_SETUP_VALUES);
|
|
+ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, EC_R_NEED_NEW_SETUP_VALUES);
|
|
goto err;
|
|
}
|
|
} else {
|
|
@@ -317,8 +352,8 @@ int ossl_ecdsa_verify(int type, const un
|
|
return ret;
|
|
}
|
|
|
|
-int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,
|
|
- const ECDSA_SIG *sig, EC_KEY *eckey)
|
|
+int ecdsa_simple_verify_sig(const unsigned char *dgst, int dgst_len,
|
|
+ const ECDSA_SIG *sig, EC_KEY *eckey)
|
|
{
|
|
int ret = -1, i;
|
|
BN_CTX *ctx;
|
|
@@ -338,18 +373,18 @@ int ossl_ecdsa_verify_sig(const unsigned
|
|
/* check input values */
|
|
if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL ||
|
|
(pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) {
|
|
- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, EC_R_MISSING_PARAMETERS);
|
|
+ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, EC_R_MISSING_PARAMETERS);
|
|
return -1;
|
|
}
|
|
|
|
if (!EC_KEY_can_sign(eckey)) {
|
|
- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING);
|
|
+ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING);
|
|
return -1;
|
|
}
|
|
|
|
ctx = BN_CTX_new();
|
|
if (ctx == NULL) {
|
|
- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_MALLOC_FAILURE);
|
|
+ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_MALLOC_FAILURE);
|
|
return -1;
|
|
}
|
|
BN_CTX_start(ctx);
|
|
@@ -358,26 +393,26 @@ int ossl_ecdsa_verify_sig(const unsigned
|
|
m = BN_CTX_get(ctx);
|
|
X = BN_CTX_get(ctx);
|
|
if (X == NULL) {
|
|
- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB);
|
|
+ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB);
|
|
goto err;
|
|
}
|
|
|
|
order = EC_GROUP_get0_order(group);
|
|
if (order == NULL) {
|
|
- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_EC_LIB);
|
|
+ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_EC_LIB);
|
|
goto err;
|
|
}
|
|
|
|
if (BN_is_zero(sig->r) || BN_is_negative(sig->r) ||
|
|
BN_ucmp(sig->r, order) >= 0 || BN_is_zero(sig->s) ||
|
|
BN_is_negative(sig->s) || BN_ucmp(sig->s, order) >= 0) {
|
|
- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, EC_R_BAD_SIGNATURE);
|
|
+ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, EC_R_BAD_SIGNATURE);
|
|
ret = 0; /* signature is invalid */
|
|
goto err;
|
|
}
|
|
/* calculate tmp1 = inv(S) mod order */
|
|
if (!ec_group_do_inverse_ord(group, u2, sig->s, ctx)) {
|
|
- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB);
|
|
+ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB);
|
|
goto err;
|
|
}
|
|
/* digest -> m */
|
|
@@ -388,41 +423,41 @@ int ossl_ecdsa_verify_sig(const unsigned
|
|
if (8 * dgst_len > i)
|
|
dgst_len = (i + 7) / 8;
|
|
if (!BN_bin2bn(dgst, dgst_len, m)) {
|
|
- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB);
|
|
+ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB);
|
|
goto err;
|
|
}
|
|
/* If still too long truncate remaining bits with a shift */
|
|
if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) {
|
|
- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB);
|
|
+ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB);
|
|
goto err;
|
|
}
|
|
/* u1 = m * tmp mod order */
|
|
if (!BN_mod_mul(u1, m, u2, order, ctx)) {
|
|
- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB);
|
|
+ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB);
|
|
goto err;
|
|
}
|
|
/* u2 = r * w mod q */
|
|
if (!BN_mod_mul(u2, sig->r, u2, order, ctx)) {
|
|
- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB);
|
|
+ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB);
|
|
goto err;
|
|
}
|
|
|
|
if ((point = EC_POINT_new(group)) == NULL) {
|
|
- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_MALLOC_FAILURE);
|
|
+ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_MALLOC_FAILURE);
|
|
goto err;
|
|
}
|
|
if (!EC_POINT_mul(group, point, u1, pub_key, u2, ctx)) {
|
|
- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_EC_LIB);
|
|
+ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_EC_LIB);
|
|
goto err;
|
|
}
|
|
|
|
if (!EC_POINT_get_affine_coordinates(group, point, X, NULL, ctx)) {
|
|
- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_EC_LIB);
|
|
+ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_EC_LIB);
|
|
goto err;
|
|
}
|
|
|
|
if (!BN_nnmod(u1, X, order, ctx)) {
|
|
- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB);
|
|
+ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB);
|
|
goto err;
|
|
}
|
|
/* if the signature is correct u1 is equal to sig->r */
|
|
diff -up openssl-1.1.1c/crypto/ec/ec_err.c.s390x-ecc openssl-1.1.1c/crypto/ec/ec_err.c
|
|
--- openssl-1.1.1c/crypto/ec/ec_err.c.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
|
|
+++ openssl-1.1.1c/crypto/ec/ec_err.c 2019-11-20 11:36:02.192860416 +0100
|
|
@@ -31,6 +31,11 @@ static const ERR_STRING_DATA EC_str_func
|
|
{ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIGN_SETUP, 0), "ECDSA_sign_setup"},
|
|
{ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIG_NEW, 0), "ECDSA_SIG_new"},
|
|
{ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_VERIFY, 0), "ECDSA_verify"},
|
|
+ {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIMPLE_SIGN_SETUP, 0), "ecdsa_simple_sign_setup"},
|
|
+ {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIMPLE_SIGN_SIG, 0), "ecdsa_simple_sign_sig"},
|
|
+ {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIMPLE_VERIFY_SIG, 0), "ecdsa_simple_verify_sig"},
|
|
+ {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_S390X_NISTP_SIGN_SIG, 0), "ecdsa_s390x_nistp_sign_sig"},
|
|
+ {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, 0), "ecdsa_s390x_nistp_verify_sig"},
|
|
{ERR_PACK(ERR_LIB_EC, EC_F_ECD_ITEM_VERIFY, 0), "ecd_item_verify"},
|
|
{ERR_PACK(ERR_LIB_EC, EC_F_ECKEY_PARAM2TYPE, 0), "eckey_param2type"},
|
|
{ERR_PACK(ERR_LIB_EC, EC_F_ECKEY_PARAM_DECODE, 0), "eckey_param_decode"},
|
|
@@ -266,6 +271,7 @@ static const ERR_STRING_DATA EC_str_func
|
|
{ERR_PACK(ERR_LIB_EC, EC_F_OLD_EC_PRIV_DECODE, 0), "old_ec_priv_decode"},
|
|
{ERR_PACK(ERR_LIB_EC, EC_F_OSSL_ECDH_COMPUTE_KEY, 0),
|
|
"ossl_ecdh_compute_key"},
|
|
+ {ERR_PACK(ERR_LIB_EC, EC_F_OSSL_ECDSA_SIGN_SETUP, 0), "ossl_ecdsa_sign_setup"},
|
|
{ERR_PACK(ERR_LIB_EC, EC_F_OSSL_ECDSA_SIGN_SIG, 0), "ossl_ecdsa_sign_sig"},
|
|
{ERR_PACK(ERR_LIB_EC, EC_F_OSSL_ECDSA_VERIFY_SIG, 0),
|
|
"ossl_ecdsa_verify_sig"},
|
|
@@ -284,6 +290,12 @@ static const ERR_STRING_DATA EC_str_func
|
|
{ERR_PACK(ERR_LIB_EC, EC_F_PKEY_EC_KEYGEN, 0), "pkey_ec_keygen"},
|
|
{ERR_PACK(ERR_LIB_EC, EC_F_PKEY_EC_PARAMGEN, 0), "pkey_ec_paramgen"},
|
|
{ERR_PACK(ERR_LIB_EC, EC_F_PKEY_EC_SIGN, 0), "pkey_ec_sign"},
|
|
+ {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECD_DIGESTSIGN25519, 0), "s390x_pkey_ecd_digestsign25519"},
|
|
+ {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECD_DIGESTSIGN448, 0), "s390x_pkey_ecd_digestsign448"},
|
|
+ {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECD_KEYGEN25519, 0), "s390x_pkey_ecd_keygen25519"},
|
|
+ {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECD_KEYGEN448, 0), "s390x_pkey_ecd_keygen448"},
|
|
+ {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECX_KEYGEN25519, 0), "s390x_pkey_ecx_keygen25519"},
|
|
+ {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECX_KEYGEN448, 0), "s390x_pkey_ecx_keygen448"},
|
|
{ERR_PACK(ERR_LIB_EC, EC_F_VALIDATE_ECX_DERIVE, 0), "validate_ecx_derive"},
|
|
{0, NULL}
|
|
};
|
|
@@ -298,6 +310,8 @@ static const ERR_STRING_DATA EC_str_reas
|
|
"coordinates out of range"},
|
|
{ERR_PACK(ERR_LIB_EC, 0, EC_R_CURVE_DOES_NOT_SUPPORT_ECDH),
|
|
"curve does not support ecdh"},
|
|
+ {ERR_PACK(ERR_LIB_EC, 0, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA),
|
|
+ "curve does not support ecdsa"},
|
|
{ERR_PACK(ERR_LIB_EC, 0, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING),
|
|
"curve does not support signing"},
|
|
{ERR_PACK(ERR_LIB_EC, 0, EC_R_D2I_ECPKPARAMETERS_FAILURE),
|
|
diff -up openssl-1.1.1c/crypto/ec/ec_lcl.h.s390x-ecc openssl-1.1.1c/crypto/ec/ec_lcl.h
|
|
--- openssl-1.1.1c/crypto/ec/ec_lcl.h.s390x-ecc 2019-11-20 11:36:01.676869466 +0100
|
|
+++ openssl-1.1.1c/crypto/ec/ec_lcl.h 2019-11-20 11:36:02.192860416 +0100
|
|
@@ -154,7 +154,7 @@ struct ec_method_st {
|
|
int (*field_div) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
|
|
const BIGNUM *b, BN_CTX *);
|
|
/*-
|
|
- * 'field_inv' computes the multipicative inverse of a in the field,
|
|
+ * 'field_inv' computes the multiplicative inverse of a in the field,
|
|
* storing the result in r.
|
|
*
|
|
* If 'a' is zero (or equivalent), you'll get an EC_R_CANNOT_INVERT error.
|
|
@@ -179,6 +179,14 @@ struct ec_method_st {
|
|
/* custom ECDH operation */
|
|
int (*ecdh_compute_key)(unsigned char **pout, size_t *poutlen,
|
|
const EC_POINT *pub_key, const EC_KEY *ecdh);
|
|
+ /* custom ECDSA */
|
|
+ int (*ecdsa_sign_setup)(EC_KEY *eckey, BN_CTX *ctx, BIGNUM **kinvp,
|
|
+ BIGNUM **rp);
|
|
+ ECDSA_SIG *(*ecdsa_sign_sig)(const unsigned char *dgst, int dgstlen,
|
|
+ const BIGNUM *kinv, const BIGNUM *r,
|
|
+ EC_KEY *eckey);
|
|
+ int (*ecdsa_verify_sig)(const unsigned char *dgst, int dgstlen,
|
|
+ const ECDSA_SIG *sig, EC_KEY *eckey);
|
|
/* Inverse modulo order */
|
|
int (*field_inverse_mod_ord)(const EC_GROUP *, BIGNUM *r,
|
|
const BIGNUM *x, BN_CTX *);
|
|
@@ -587,6 +595,11 @@ int ec_group_simple_order_bits(const EC_
|
|
*/
|
|
const EC_METHOD *EC_GFp_nistz256_method(void);
|
|
#endif
|
|
+#ifdef S390X_EC_ASM
|
|
+const EC_METHOD *EC_GFp_s390x_nistp256_method(void);
|
|
+const EC_METHOD *EC_GFp_s390x_nistp384_method(void);
|
|
+const EC_METHOD *EC_GFp_s390x_nistp521_method(void);
|
|
+#endif
|
|
|
|
size_t ec_key_simple_priv2oct(const EC_KEY *eckey,
|
|
unsigned char *buf, size_t len);
|
|
@@ -649,6 +662,13 @@ int ossl_ecdsa_verify(int type, const un
|
|
const unsigned char *sigbuf, int sig_len, EC_KEY *eckey);
|
|
int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,
|
|
const ECDSA_SIG *sig, EC_KEY *eckey);
|
|
+int ecdsa_simple_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
|
|
+ BIGNUM **rp);
|
|
+ECDSA_SIG *ecdsa_simple_sign_sig(const unsigned char *dgst, int dgst_len,
|
|
+ const BIGNUM *in_kinv, const BIGNUM *in_r,
|
|
+ EC_KEY *eckey);
|
|
+int ecdsa_simple_verify_sig(const unsigned char *dgst, int dgst_len,
|
|
+ const ECDSA_SIG *sig, EC_KEY *eckey);
|
|
|
|
int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
|
|
const uint8_t public_key[32], const uint8_t private_key[32]);
|
|
diff -up openssl-1.1.1c/crypto/ec/ec_pmeth.c.s390x-ecc openssl-1.1.1c/crypto/ec/ec_pmeth.c
|
|
--- openssl-1.1.1c/crypto/ec/ec_pmeth.c.s390x-ecc 2019-11-20 11:36:02.101862012 +0100
|
|
+++ openssl-1.1.1c/crypto/ec/ec_pmeth.c 2019-11-20 11:36:02.193860398 +0100
|
|
@@ -474,3 +474,8 @@ const EVP_PKEY_METHOD ec_pkey_meth = {
|
|
pkey_ec_ctrl,
|
|
pkey_ec_ctrl_str
|
|
};
|
|
+
|
|
+const EVP_PKEY_METHOD *ec_pkey_method(void)
|
|
+{
|
|
+ return &ec_pkey_meth;
|
|
+}
|
|
diff -up openssl-1.1.1c/crypto/ec/ecp_mont.c.s390x-ecc openssl-1.1.1c/crypto/ec/ecp_mont.c
|
|
--- openssl-1.1.1c/crypto/ec/ecp_mont.c.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
|
|
+++ openssl-1.1.1c/crypto/ec/ecp_mont.c 2019-11-20 11:36:02.193860398 +0100
|
|
@@ -63,6 +63,9 @@ const EC_METHOD *EC_GFp_mont_method(void
|
|
0, /* keycopy */
|
|
0, /* keyfinish */
|
|
ecdh_simple_compute_key,
|
|
+ ecdsa_simple_sign_setup,
|
|
+ ecdsa_simple_sign_sig,
|
|
+ ecdsa_simple_verify_sig,
|
|
0, /* field_inverse_mod_ord */
|
|
ec_GFp_simple_blind_coordinates,
|
|
ec_GFp_simple_ladder_pre,
|
|
diff -up openssl-1.1.1c/crypto/ec/ecp_nist.c.s390x-ecc openssl-1.1.1c/crypto/ec/ecp_nist.c
|
|
--- openssl-1.1.1c/crypto/ec/ecp_nist.c.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
|
|
+++ openssl-1.1.1c/crypto/ec/ecp_nist.c 2019-11-20 11:36:02.193860398 +0100
|
|
@@ -65,6 +65,9 @@ const EC_METHOD *EC_GFp_nist_method(void
|
|
0, /* keycopy */
|
|
0, /* keyfinish */
|
|
ecdh_simple_compute_key,
|
|
+ ecdsa_simple_sign_setup,
|
|
+ ecdsa_simple_sign_sig,
|
|
+ ecdsa_simple_verify_sig,
|
|
0, /* field_inverse_mod_ord */
|
|
ec_GFp_simple_blind_coordinates,
|
|
ec_GFp_simple_ladder_pre,
|
|
diff -up openssl-1.1.1c/crypto/ec/ecp_nistp224.c.s390x-ecc openssl-1.1.1c/crypto/ec/ecp_nistp224.c
|
|
--- openssl-1.1.1c/crypto/ec/ecp_nistp224.c.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
|
|
+++ openssl-1.1.1c/crypto/ec/ecp_nistp224.c 2019-11-20 11:36:02.193860398 +0100
|
|
@@ -292,6 +292,9 @@ const EC_METHOD *EC_GFp_nistp224_method(
|
|
0, /* keycopy */
|
|
0, /* keyfinish */
|
|
ecdh_simple_compute_key,
|
|
+ ecdsa_simple_sign_setup,
|
|
+ ecdsa_simple_sign_sig,
|
|
+ ecdsa_simple_verify_sig,
|
|
0, /* field_inverse_mod_ord */
|
|
0, /* blind_coordinates */
|
|
0, /* ladder_pre */
|
|
diff -up openssl-1.1.1c/crypto/ec/ecp_nistp256.c.s390x-ecc openssl-1.1.1c/crypto/ec/ecp_nistp256.c
|
|
--- openssl-1.1.1c/crypto/ec/ecp_nistp256.c.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
|
|
+++ openssl-1.1.1c/crypto/ec/ecp_nistp256.c 2019-11-20 11:36:02.194860380 +0100
|
|
@@ -1823,6 +1823,9 @@ const EC_METHOD *EC_GFp_nistp256_method(
|
|
0, /* keycopy */
|
|
0, /* keyfinish */
|
|
ecdh_simple_compute_key,
|
|
+ ecdsa_simple_sign_setup,
|
|
+ ecdsa_simple_sign_sig,
|
|
+ ecdsa_simple_verify_sig,
|
|
0, /* field_inverse_mod_ord */
|
|
0, /* blind_coordinates */
|
|
0, /* ladder_pre */
|
|
diff -up openssl-1.1.1c/crypto/ec/ecp_nistp521.c.s390x-ecc openssl-1.1.1c/crypto/ec/ecp_nistp521.c
|
|
--- openssl-1.1.1c/crypto/ec/ecp_nistp521.c.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
|
|
+++ openssl-1.1.1c/crypto/ec/ecp_nistp521.c 2019-11-20 11:36:02.194860380 +0100
|
|
@@ -1665,6 +1665,9 @@ const EC_METHOD *EC_GFp_nistp521_method(
|
|
0, /* keycopy */
|
|
0, /* keyfinish */
|
|
ecdh_simple_compute_key,
|
|
+ ecdsa_simple_sign_setup,
|
|
+ ecdsa_simple_sign_sig,
|
|
+ ecdsa_simple_verify_sig,
|
|
0, /* field_inverse_mod_ord */
|
|
0, /* blind_coordinates */
|
|
0, /* ladder_pre */
|
|
diff -up openssl-1.1.1c/crypto/ec/ecp_nistz256.c.s390x-ecc openssl-1.1.1c/crypto/ec/ecp_nistz256.c
|
|
--- openssl-1.1.1c/crypto/ec/ecp_nistz256.c.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
|
|
+++ openssl-1.1.1c/crypto/ec/ecp_nistz256.c 2019-11-20 11:36:02.195860363 +0100
|
|
@@ -1689,6 +1689,9 @@ const EC_METHOD *EC_GFp_nistz256_method(
|
|
0, /* keycopy */
|
|
0, /* keyfinish */
|
|
ecdh_simple_compute_key,
|
|
+ ecdsa_simple_sign_setup,
|
|
+ ecdsa_simple_sign_sig,
|
|
+ ecdsa_simple_verify_sig,
|
|
ecp_nistz256_inv_mod_ord, /* can be #define-d NULL */
|
|
0, /* blind_coordinates */
|
|
0, /* ladder_pre */
|
|
diff -up openssl-1.1.1c/crypto/ec/ecp_s390x_nistp.c.s390x-ecc openssl-1.1.1c/crypto/ec/ecp_s390x_nistp.c
|
|
--- openssl-1.1.1c/crypto/ec/ecp_s390x_nistp.c.s390x-ecc 2019-11-20 11:36:02.195860363 +0100
|
|
+++ openssl-1.1.1c/crypto/ec/ecp_s390x_nistp.c 2019-11-20 11:36:02.195860363 +0100
|
|
@@ -0,0 +1,394 @@
|
|
+/*
|
|
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
|
|
+ *
|
|
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
+ * this file except in compliance with the License. You can obtain a copy
|
|
+ * in the file LICENSE in the source distribution or at
|
|
+ * https://www.openssl.org/source/license.html
|
|
+ */
|
|
+
|
|
+#include <stdlib.h>
|
|
+#include <string.h>
|
|
+#include <openssl/err.h>
|
|
+#include <openssl/rand.h>
|
|
+#include "ec_lcl.h"
|
|
+#include "s390x_arch.h"
|
|
+
|
|
+/* Size of parameter blocks */
|
|
+#define S390X_SIZE_PARAM 4096
|
|
+
|
|
+/* Size of fields in parameter blocks */
|
|
+#define S390X_SIZE_P256 32
|
|
+#define S390X_SIZE_P384 48
|
|
+#define S390X_SIZE_P521 80
|
|
+
|
|
+/* Offsets of fields in PCC parameter blocks */
|
|
+#define S390X_OFF_RES_X(n) (0 * n)
|
|
+#define S390X_OFF_RES_Y(n) (1 * n)
|
|
+#define S390X_OFF_SRC_X(n) (2 * n)
|
|
+#define S390X_OFF_SRC_Y(n) (3 * n)
|
|
+#define S390X_OFF_SCALAR(n) (4 * n)
|
|
+
|
|
+/* Offsets of fields in KDSA parameter blocks */
|
|
+#define S390X_OFF_R(n) (0 * n)
|
|
+#define S390X_OFF_S(n) (1 * n)
|
|
+#define S390X_OFF_H(n) (2 * n)
|
|
+#define S390X_OFF_K(n) (3 * n)
|
|
+#define S390X_OFF_X(n) (3 * n)
|
|
+#define S390X_OFF_RN(n) (4 * n)
|
|
+#define S390X_OFF_Y(n) (4 * n)
|
|
+
|
|
+static int ec_GFp_s390x_nistp_mul(const EC_GROUP *group, EC_POINT *r,
|
|
+ const BIGNUM *scalar,
|
|
+ size_t num, const EC_POINT *points[],
|
|
+ const BIGNUM *scalars[],
|
|
+ BN_CTX *ctx, unsigned int fc, int len)
|
|
+{
|
|
+ unsigned char param[S390X_SIZE_PARAM];
|
|
+ BIGNUM *x, *y;
|
|
+ const EC_POINT *point_ptr = NULL;
|
|
+ const BIGNUM *scalar_ptr = NULL;
|
|
+ BN_CTX *new_ctx = NULL;
|
|
+ int rc = -1;
|
|
+
|
|
+ if (ctx == NULL) {
|
|
+ ctx = new_ctx = BN_CTX_new();
|
|
+ if (ctx == NULL)
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
+ BN_CTX_start(ctx);
|
|
+
|
|
+ x = BN_CTX_get(ctx);
|
|
+ y = BN_CTX_get(ctx);
|
|
+ if (x == NULL || y == NULL) {
|
|
+ rc = 0;
|
|
+ goto ret;
|
|
+ }
|
|
+
|
|
+ /*
|
|
+ * Use PCC for EC keygen and ECDH key derivation:
|
|
+ * scalar * generator and scalar * peer public key,
|
|
+ * scalar in [0,order).
|
|
+ */
|
|
+ if ((scalar != NULL && num == 0 && BN_is_negative(scalar) == 0)
|
|
+ || (scalar == NULL && num == 1 && BN_is_negative(scalars[0]) == 0)) {
|
|
+
|
|
+ if (num == 0) {
|
|
+ point_ptr = EC_GROUP_get0_generator(group);
|
|
+ scalar_ptr = scalar;
|
|
+ } else {
|
|
+ point_ptr = points[0];
|
|
+ scalar_ptr = scalars[0];
|
|
+ }
|
|
+
|
|
+ if (EC_POINT_is_at_infinity(group, point_ptr) == 1
|
|
+ || BN_is_zero(scalar_ptr)) {
|
|
+ rc = EC_POINT_set_to_infinity(group, r);
|
|
+ goto ret;
|
|
+ }
|
|
+
|
|
+ memset(¶m, 0, sizeof(param));
|
|
+
|
|
+ if (group->meth->point_get_affine_coordinates(group, point_ptr,
|
|
+ x, y, ctx) != 1
|
|
+ || BN_bn2binpad(x, param + S390X_OFF_SRC_X(len), len) == -1
|
|
+ || BN_bn2binpad(y, param + S390X_OFF_SRC_Y(len), len) == -1
|
|
+ || BN_bn2binpad(scalar_ptr,
|
|
+ param + S390X_OFF_SCALAR(len), len) == -1
|
|
+ || s390x_pcc(fc, param) != 0
|
|
+ || BN_bin2bn(param + S390X_OFF_RES_X(len), len, x) == NULL
|
|
+ || BN_bin2bn(param + S390X_OFF_RES_Y(len), len, y) == NULL
|
|
+ || group->meth->point_set_affine_coordinates(group, r,
|
|
+ x, y, ctx) != 1)
|
|
+ goto ret;
|
|
+
|
|
+ rc = 1;
|
|
+ }
|
|
+
|
|
+ret:
|
|
+ /* Otherwise use default. */
|
|
+ if (rc == -1)
|
|
+ rc = ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx);
|
|
+ OPENSSL_cleanse(param + S390X_OFF_SCALAR(len), len);
|
|
+ BN_CTX_end(ctx);
|
|
+ BN_CTX_free(new_ctx);
|
|
+ return rc;
|
|
+}
|
|
+
|
|
+static ECDSA_SIG *ecdsa_s390x_nistp_sign_sig(const unsigned char *dgst,
|
|
+ int dgstlen,
|
|
+ const BIGNUM *kinv,
|
|
+ const BIGNUM *r,
|
|
+ EC_KEY *eckey,
|
|
+ unsigned int fc, int len)
|
|
+{
|
|
+ unsigned char param[S390X_SIZE_PARAM];
|
|
+ int ok = 0;
|
|
+ BIGNUM *k;
|
|
+ ECDSA_SIG *sig;
|
|
+ const EC_GROUP *group;
|
|
+ const BIGNUM *privkey;
|
|
+ int off;
|
|
+
|
|
+ group = EC_KEY_get0_group(eckey);
|
|
+ privkey = EC_KEY_get0_private_key(eckey);
|
|
+ if (group == NULL || privkey == NULL) {
|
|
+ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, EC_R_MISSING_PARAMETERS);
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
+ if (!EC_KEY_can_sign(eckey)) {
|
|
+ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG,
|
|
+ EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING);
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
+ k = BN_secure_new();
|
|
+ sig = ECDSA_SIG_new();
|
|
+ if (k == NULL || sig == NULL) {
|
|
+ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_MALLOC_FAILURE);
|
|
+ goto ret;
|
|
+ }
|
|
+
|
|
+ sig->r = BN_new();
|
|
+ sig->s = BN_new();
|
|
+ if (sig->r == NULL || sig->s == NULL) {
|
|
+ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_MALLOC_FAILURE);
|
|
+ goto ret;
|
|
+ }
|
|
+
|
|
+ memset(param, 0, sizeof(param));
|
|
+ off = len - (dgstlen > len ? len : dgstlen);
|
|
+ memcpy(param + S390X_OFF_H(len) + off, dgst, len - off);
|
|
+
|
|
+ if (BN_bn2binpad(privkey, param + S390X_OFF_K(len), len) == -1) {
|
|
+ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_BN_LIB);
|
|
+ goto ret;
|
|
+ }
|
|
+
|
|
+ if (r == NULL || kinv == NULL) {
|
|
+ /*
|
|
+ * Generate random k and copy to param param block. RAND_priv_bytes
|
|
+ * is used instead of BN_priv_rand_range or BN_generate_dsa_nonce
|
|
+ * because kdsa instruction constructs an in-range, invertible nonce
|
|
+ * internally implementing counter-measures for RNG weakness.
|
|
+ */
|
|
+ if (RAND_priv_bytes(param + S390X_OFF_RN(len), len) != 1) {
|
|
+ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG,
|
|
+ EC_R_RANDOM_NUMBER_GENERATION_FAILED);
|
|
+ goto ret;
|
|
+ }
|
|
+ } else {
|
|
+ /* Reconstruct k = (k^-1)^-1. */
|
|
+ if (ec_group_do_inverse_ord(group, k, kinv, NULL) == 0
|
|
+ || BN_bn2binpad(k, param + S390X_OFF_RN(len), len) == -1) {
|
|
+ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_BN_LIB);
|
|
+ goto ret;
|
|
+ }
|
|
+ /* Turns KDSA internal nonce-generation off. */
|
|
+ fc |= S390X_KDSA_D;
|
|
+ }
|
|
+
|
|
+ if (s390x_kdsa(fc, param, NULL, 0) != 0) {
|
|
+ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_ECDSA_LIB);
|
|
+ goto ret;
|
|
+ }
|
|
+
|
|
+ if (BN_bin2bn(param + S390X_OFF_R(len), len, sig->r) == NULL
|
|
+ || BN_bin2bn(param + S390X_OFF_S(len), len, sig->s) == NULL) {
|
|
+ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_BN_LIB);
|
|
+ goto ret;
|
|
+ }
|
|
+
|
|
+ ok = 1;
|
|
+ret:
|
|
+ OPENSSL_cleanse(param + S390X_OFF_K(len), 2 * len);
|
|
+ if (ok != 1) {
|
|
+ ECDSA_SIG_free(sig);
|
|
+ sig = NULL;
|
|
+ }
|
|
+ BN_clear_free(k);
|
|
+ return sig;
|
|
+}
|
|
+
|
|
+static int ecdsa_s390x_nistp_verify_sig(const unsigned char *dgst, int dgstlen,
|
|
+ const ECDSA_SIG *sig, EC_KEY *eckey,
|
|
+ unsigned int fc, int len)
|
|
+{
|
|
+ unsigned char param[S390X_SIZE_PARAM];
|
|
+ int rc = -1;
|
|
+ BN_CTX *ctx;
|
|
+ BIGNUM *x, *y;
|
|
+ const EC_GROUP *group;
|
|
+ const EC_POINT *pubkey;
|
|
+ int off;
|
|
+
|
|
+ group = EC_KEY_get0_group(eckey);
|
|
+ pubkey = EC_KEY_get0_public_key(eckey);
|
|
+ if (eckey == NULL || group == NULL || pubkey == NULL || sig == NULL) {
|
|
+ ECerr(EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, EC_R_MISSING_PARAMETERS);
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ if (!EC_KEY_can_sign(eckey)) {
|
|
+ ECerr(EC_F_ECDSA_S390X_NISTP_VERIFY_SIG,
|
|
+ EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING);
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ ctx = BN_CTX_new();
|
|
+ if (ctx == NULL) {
|
|
+ ECerr(EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, ERR_R_MALLOC_FAILURE);
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ BN_CTX_start(ctx);
|
|
+
|
|
+ x = BN_CTX_get(ctx);
|
|
+ y = BN_CTX_get(ctx);
|
|
+ if (x == NULL || y == NULL) {
|
|
+ ECerr(EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, ERR_R_MALLOC_FAILURE);
|
|
+ goto ret;
|
|
+ }
|
|
+
|
|
+ memset(param, 0, sizeof(param));
|
|
+ off = len - (dgstlen > len ? len : dgstlen);
|
|
+ memcpy(param + S390X_OFF_H(len) + off, dgst, len - off);
|
|
+
|
|
+ if (group->meth->point_get_affine_coordinates(group, pubkey,
|
|
+ x, y, ctx) != 1
|
|
+ || BN_bn2binpad(sig->r, param + S390X_OFF_R(len), len) == -1
|
|
+ || BN_bn2binpad(sig->s, param + S390X_OFF_S(len), len) == -1
|
|
+ || BN_bn2binpad(x, param + S390X_OFF_X(len), len) == -1
|
|
+ || BN_bn2binpad(y, param + S390X_OFF_Y(len), len) == -1) {
|
|
+ ECerr(EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, ERR_R_BN_LIB);
|
|
+ goto ret;
|
|
+ }
|
|
+
|
|
+ rc = s390x_kdsa(fc, param, NULL, 0) == 0 ? 1 : 0;
|
|
+ret:
|
|
+ BN_CTX_end(ctx);
|
|
+ BN_CTX_free(ctx);
|
|
+ return rc;
|
|
+}
|
|
+
|
|
+#define EC_GFP_S390X_NISTP_METHOD(bits) \
|
|
+ \
|
|
+static int ec_GFp_s390x_nistp##bits##_mul(const EC_GROUP *group, \
|
|
+ EC_POINT *r, \
|
|
+ const BIGNUM *scalar, \
|
|
+ size_t num, \
|
|
+ const EC_POINT *points[], \
|
|
+ const BIGNUM *scalars[], \
|
|
+ BN_CTX *ctx) \
|
|
+{ \
|
|
+ return ec_GFp_s390x_nistp_mul(group, r, scalar, num, points, \
|
|
+ scalars, ctx, \
|
|
+ S390X_SCALAR_MULTIPLY_P##bits, \
|
|
+ S390X_SIZE_P##bits); \
|
|
+} \
|
|
+ \
|
|
+static ECDSA_SIG *ecdsa_s390x_nistp##bits##_sign_sig(const unsigned \
|
|
+ char *dgst, \
|
|
+ int dgstlen, \
|
|
+ const BIGNUM *kinv,\
|
|
+ const BIGNUM *r, \
|
|
+ EC_KEY *eckey) \
|
|
+{ \
|
|
+ return ecdsa_s390x_nistp_sign_sig(dgst, dgstlen, kinv, r, eckey, \
|
|
+ S390X_ECDSA_SIGN_P##bits, \
|
|
+ S390X_SIZE_P##bits); \
|
|
+} \
|
|
+ \
|
|
+static int ecdsa_s390x_nistp##bits##_verify_sig(const \
|
|
+ unsigned char *dgst, \
|
|
+ int dgstlen, \
|
|
+ const ECDSA_SIG *sig, \
|
|
+ EC_KEY *eckey) \
|
|
+{ \
|
|
+ return ecdsa_s390x_nistp_verify_sig(dgst, dgstlen, sig, eckey, \
|
|
+ S390X_ECDSA_VERIFY_P##bits, \
|
|
+ S390X_SIZE_P##bits); \
|
|
+} \
|
|
+ \
|
|
+const EC_METHOD *EC_GFp_s390x_nistp##bits##_method(void) \
|
|
+{ \
|
|
+ static const EC_METHOD EC_GFp_s390x_nistp##bits##_meth = { \
|
|
+ EC_FLAGS_DEFAULT_OCT, \
|
|
+ NID_X9_62_prime_field, \
|
|
+ ec_GFp_simple_group_init, \
|
|
+ ec_GFp_simple_group_finish, \
|
|
+ ec_GFp_simple_group_clear_finish, \
|
|
+ ec_GFp_simple_group_copy, \
|
|
+ ec_GFp_simple_group_set_curve, \
|
|
+ ec_GFp_simple_group_get_curve, \
|
|
+ ec_GFp_simple_group_get_degree, \
|
|
+ ec_group_simple_order_bits, \
|
|
+ ec_GFp_simple_group_check_discriminant, \
|
|
+ ec_GFp_simple_point_init, \
|
|
+ ec_GFp_simple_point_finish, \
|
|
+ ec_GFp_simple_point_clear_finish, \
|
|
+ ec_GFp_simple_point_copy, \
|
|
+ ec_GFp_simple_point_set_to_infinity, \
|
|
+ ec_GFp_simple_set_Jprojective_coordinates_GFp, \
|
|
+ ec_GFp_simple_get_Jprojective_coordinates_GFp, \
|
|
+ ec_GFp_simple_point_set_affine_coordinates, \
|
|
+ ec_GFp_simple_point_get_affine_coordinates, \
|
|
+ NULL, /* point_set_compressed_coordinates */ \
|
|
+ NULL, /* point2oct */ \
|
|
+ NULL, /* oct2point */ \
|
|
+ ec_GFp_simple_add, \
|
|
+ ec_GFp_simple_dbl, \
|
|
+ ec_GFp_simple_invert, \
|
|
+ ec_GFp_simple_is_at_infinity, \
|
|
+ ec_GFp_simple_is_on_curve, \
|
|
+ ec_GFp_simple_cmp, \
|
|
+ ec_GFp_simple_make_affine, \
|
|
+ ec_GFp_simple_points_make_affine, \
|
|
+ ec_GFp_s390x_nistp##bits##_mul, \
|
|
+ NULL, /* precompute_mult */ \
|
|
+ NULL, /* have_precompute_mult */ \
|
|
+ ec_GFp_simple_field_mul, \
|
|
+ ec_GFp_simple_field_sqr, \
|
|
+ NULL, /* field_div */ \
|
|
+ ec_GFp_simple_field_inv, \
|
|
+ NULL, /* field_encode */ \
|
|
+ NULL, /* field_decode */ \
|
|
+ NULL, /* field_set_to_one */ \
|
|
+ ec_key_simple_priv2oct, \
|
|
+ ec_key_simple_oct2priv, \
|
|
+ NULL, /* set_private */ \
|
|
+ ec_key_simple_generate_key, \
|
|
+ ec_key_simple_check_key, \
|
|
+ ec_key_simple_generate_public_key, \
|
|
+ NULL, /* keycopy */ \
|
|
+ NULL, /* keyfinish */ \
|
|
+ ecdh_simple_compute_key, \
|
|
+ ecdsa_simple_sign_setup, \
|
|
+ ecdsa_s390x_nistp##bits##_sign_sig, \
|
|
+ ecdsa_s390x_nistp##bits##_verify_sig, \
|
|
+ NULL, /* field_inverse_mod_ord */ \
|
|
+ ec_GFp_simple_blind_coordinates, \
|
|
+ ec_GFp_simple_ladder_pre, \
|
|
+ ec_GFp_simple_ladder_step, \
|
|
+ ec_GFp_simple_ladder_post \
|
|
+ }; \
|
|
+ static const EC_METHOD *ret; \
|
|
+ \
|
|
+ if ((OPENSSL_s390xcap_P.pcc[1] \
|
|
+ & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P##bits)) \
|
|
+ && (OPENSSL_s390xcap_P.kdsa[0] \
|
|
+ & S390X_CAPBIT(S390X_ECDSA_VERIFY_P##bits)) \
|
|
+ && (OPENSSL_s390xcap_P.kdsa[0] \
|
|
+ & S390X_CAPBIT(S390X_ECDSA_SIGN_P##bits))) \
|
|
+ ret = &EC_GFp_s390x_nistp##bits##_meth; \
|
|
+ else \
|
|
+ ret = EC_GFp_mont_method(); \
|
|
+ \
|
|
+ return ret; \
|
|
+}
|
|
+
|
|
+EC_GFP_S390X_NISTP_METHOD(256)
|
|
+EC_GFP_S390X_NISTP_METHOD(384)
|
|
+EC_GFP_S390X_NISTP_METHOD(521)
|
|
diff -up openssl-1.1.1c/crypto/ec/ecp_smpl.c.s390x-ecc openssl-1.1.1c/crypto/ec/ecp_smpl.c
|
|
--- openssl-1.1.1c/crypto/ec/ecp_smpl.c.s390x-ecc 2019-11-20 11:36:02.066862626 +0100
|
|
+++ openssl-1.1.1c/crypto/ec/ecp_smpl.c 2019-11-20 11:36:02.195860363 +0100
|
|
@@ -64,6 +64,9 @@ const EC_METHOD *EC_GFp_simple_method(vo
|
|
0, /* keycopy */
|
|
0, /* keyfinish */
|
|
ecdh_simple_compute_key,
|
|
+ ecdsa_simple_sign_setup,
|
|
+ ecdsa_simple_sign_sig,
|
|
+ ecdsa_simple_verify_sig,
|
|
0, /* field_inverse_mod_ord */
|
|
ec_GFp_simple_blind_coordinates,
|
|
ec_GFp_simple_ladder_pre,
|
|
diff -up openssl-1.1.1c/crypto/ec/ecx_meth.c.s390x-ecc openssl-1.1.1c/crypto/ec/ecx_meth.c
|
|
--- openssl-1.1.1c/crypto/ec/ecx_meth.c.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
|
|
+++ openssl-1.1.1c/crypto/ec/ecx_meth.c 2019-11-20 11:36:02.196860345 +0100
|
|
@@ -20,6 +20,7 @@
|
|
#define X25519_BITS 253
|
|
#define X25519_SECURITY_BITS 128
|
|
|
|
+#define ED25519_KEYLEN 32
|
|
#define ED25519_SIGSIZE 64
|
|
|
|
#define X448_BITS 448
|
|
@@ -839,3 +840,666 @@ const EVP_PKEY_METHOD ed448_pkey_meth =
|
|
pkey_ecd_digestsign448,
|
|
pkey_ecd_digestverify448
|
|
};
|
|
+
|
|
+#ifdef S390X_EC_ASM
|
|
+# include "s390x_arch.h"
|
|
+# include "internal/constant_time_locl.h"
|
|
+
|
|
+static void s390x_x25519_mod_p(unsigned char u[32])
|
|
+{
|
|
+ unsigned char u_red[32];
|
|
+ unsigned int c = 0;
|
|
+ int i;
|
|
+
|
|
+ memcpy(u_red, u, sizeof(u_red));
|
|
+
|
|
+ c += (unsigned int)u_red[31] + 19;
|
|
+ u_red[31] = (unsigned char)c;
|
|
+ c >>= 8;
|
|
+
|
|
+ for (i = 30; i >= 0; i--) {
|
|
+ c += (unsigned int)u_red[i];
|
|
+ u_red[i] = (unsigned char)c;
|
|
+ c >>= 8;
|
|
+ }
|
|
+
|
|
+ c = (u_red[0] & 0x80) >> 7;
|
|
+ u_red[0] &= 0x7f;
|
|
+ constant_time_cond_swap_buff(0 - (unsigned char)c,
|
|
+ u, u_red, sizeof(u_red));
|
|
+}
|
|
+
|
|
+static void s390x_x448_mod_p(unsigned char u[56])
|
|
+{
|
|
+ unsigned char u_red[56];
|
|
+ unsigned int c = 0;
|
|
+ int i;
|
|
+
|
|
+ memcpy(u_red, u, sizeof(u_red));
|
|
+
|
|
+ c += (unsigned int)u_red[55] + 1;
|
|
+ u_red[55] = (unsigned char)c;
|
|
+ c >>= 8;
|
|
+
|
|
+ for (i = 54; i >= 28; i--) {
|
|
+ c += (unsigned int)u_red[i];
|
|
+ u_red[i] = (unsigned char)c;
|
|
+ c >>= 8;
|
|
+ }
|
|
+
|
|
+ c += (unsigned int)u_red[27] + 1;
|
|
+ u_red[27] = (unsigned char)c;
|
|
+ c >>= 8;
|
|
+
|
|
+ for (i = 26; i >= 0; i--) {
|
|
+ c += (unsigned int)u_red[i];
|
|
+ u_red[i] = (unsigned char)c;
|
|
+ c >>= 8;
|
|
+ }
|
|
+
|
|
+ constant_time_cond_swap_buff(0 - (unsigned char)c,
|
|
+ u, u_red, sizeof(u_red));
|
|
+}
|
|
+
|
|
+static int s390x_x25519_mul(unsigned char u_dst[32],
|
|
+ const unsigned char u_src[32],
|
|
+ const unsigned char d_src[32])
|
|
+{
|
|
+ union {
|
|
+ struct {
|
|
+ unsigned char u_dst[32];
|
|
+ unsigned char u_src[32];
|
|
+ unsigned char d_src[32];
|
|
+ } x25519;
|
|
+ unsigned long long buff[512];
|
|
+ } param;
|
|
+ int rc;
|
|
+
|
|
+ memset(¶m, 0, sizeof(param));
|
|
+
|
|
+ s390x_flip_endian32(param.x25519.u_src, u_src);
|
|
+ param.x25519.u_src[0] &= 0x7f;
|
|
+ s390x_x25519_mod_p(param.x25519.u_src);
|
|
+
|
|
+ s390x_flip_endian32(param.x25519.d_src, d_src);
|
|
+ param.x25519.d_src[31] &= 248;
|
|
+ param.x25519.d_src[0] &= 127;
|
|
+ param.x25519.d_src[0] |= 64;
|
|
+
|
|
+ rc = s390x_pcc(S390X_SCALAR_MULTIPLY_X25519, ¶m.x25519) ? 0 : 1;
|
|
+ if (rc == 1)
|
|
+ s390x_flip_endian32(u_dst, param.x25519.u_dst);
|
|
+
|
|
+ OPENSSL_cleanse(param.x25519.d_src, sizeof(param.x25519.d_src));
|
|
+ return rc;
|
|
+}
|
|
+
|
|
+static int s390x_x448_mul(unsigned char u_dst[56],
|
|
+ const unsigned char u_src[56],
|
|
+ const unsigned char d_src[56])
|
|
+{
|
|
+ union {
|
|
+ struct {
|
|
+ unsigned char u_dst[64];
|
|
+ unsigned char u_src[64];
|
|
+ unsigned char d_src[64];
|
|
+ } x448;
|
|
+ unsigned long long buff[512];
|
|
+ } param;
|
|
+ int rc;
|
|
+
|
|
+ memset(¶m, 0, sizeof(param));
|
|
+
|
|
+ memcpy(param.x448.u_src, u_src, 56);
|
|
+ memcpy(param.x448.d_src, d_src, 56);
|
|
+
|
|
+ s390x_flip_endian64(param.x448.u_src, param.x448.u_src);
|
|
+ s390x_x448_mod_p(param.x448.u_src + 8);
|
|
+
|
|
+ s390x_flip_endian64(param.x448.d_src, param.x448.d_src);
|
|
+ param.x448.d_src[63] &= 252;
|
|
+ param.x448.d_src[8] |= 128;
|
|
+
|
|
+ rc = s390x_pcc(S390X_SCALAR_MULTIPLY_X448, ¶m.x448) ? 0 : 1;
|
|
+ if (rc == 1) {
|
|
+ s390x_flip_endian64(param.x448.u_dst, param.x448.u_dst);
|
|
+ memcpy(u_dst, param.x448.u_dst, 56);
|
|
+ }
|
|
+
|
|
+ OPENSSL_cleanse(param.x448.d_src, sizeof(param.x448.d_src));
|
|
+ return rc;
|
|
+}
|
|
+
|
|
+static int s390x_ed25519_mul(unsigned char x_dst[32],
|
|
+ unsigned char y_dst[32],
|
|
+ const unsigned char x_src[32],
|
|
+ const unsigned char y_src[32],
|
|
+ const unsigned char d_src[32])
|
|
+{
|
|
+ union {
|
|
+ struct {
|
|
+ unsigned char x_dst[32];
|
|
+ unsigned char y_dst[32];
|
|
+ unsigned char x_src[32];
|
|
+ unsigned char y_src[32];
|
|
+ unsigned char d_src[32];
|
|
+ } ed25519;
|
|
+ unsigned long long buff[512];
|
|
+ } param;
|
|
+ int rc;
|
|
+
|
|
+ memset(¶m, 0, sizeof(param));
|
|
+
|
|
+ s390x_flip_endian32(param.ed25519.x_src, x_src);
|
|
+ s390x_flip_endian32(param.ed25519.y_src, y_src);
|
|
+ s390x_flip_endian32(param.ed25519.d_src, d_src);
|
|
+
|
|
+ rc = s390x_pcc(S390X_SCALAR_MULTIPLY_ED25519, ¶m.ed25519) ? 0 : 1;
|
|
+ if (rc == 1) {
|
|
+ s390x_flip_endian32(x_dst, param.ed25519.x_dst);
|
|
+ s390x_flip_endian32(y_dst, param.ed25519.y_dst);
|
|
+ }
|
|
+
|
|
+ OPENSSL_cleanse(param.ed25519.d_src, sizeof(param.ed25519.d_src));
|
|
+ return rc;
|
|
+}
|
|
+
|
|
+static int s390x_ed448_mul(unsigned char x_dst[57],
|
|
+ unsigned char y_dst[57],
|
|
+ const unsigned char x_src[57],
|
|
+ const unsigned char y_src[57],
|
|
+ const unsigned char d_src[57])
|
|
+{
|
|
+ union {
|
|
+ struct {
|
|
+ unsigned char x_dst[64];
|
|
+ unsigned char y_dst[64];
|
|
+ unsigned char x_src[64];
|
|
+ unsigned char y_src[64];
|
|
+ unsigned char d_src[64];
|
|
+ } ed448;
|
|
+ unsigned long long buff[512];
|
|
+ } param;
|
|
+ int rc;
|
|
+
|
|
+ memset(¶m, 0, sizeof(param));
|
|
+
|
|
+ memcpy(param.ed448.x_src, x_src, 57);
|
|
+ memcpy(param.ed448.y_src, y_src, 57);
|
|
+ memcpy(param.ed448.d_src, d_src, 57);
|
|
+ s390x_flip_endian64(param.ed448.x_src, param.ed448.x_src);
|
|
+ s390x_flip_endian64(param.ed448.y_src, param.ed448.y_src);
|
|
+ s390x_flip_endian64(param.ed448.d_src, param.ed448.d_src);
|
|
+
|
|
+ rc = s390x_pcc(S390X_SCALAR_MULTIPLY_ED448, ¶m.ed448) ? 0 : 1;
|
|
+ if (rc == 1) {
|
|
+ s390x_flip_endian64(param.ed448.x_dst, param.ed448.x_dst);
|
|
+ s390x_flip_endian64(param.ed448.y_dst, param.ed448.y_dst);
|
|
+ memcpy(x_dst, param.ed448.x_dst, 57);
|
|
+ memcpy(y_dst, param.ed448.y_dst, 57);
|
|
+ }
|
|
+
|
|
+ OPENSSL_cleanse(param.ed448.d_src, sizeof(param.ed448.d_src));
|
|
+ return rc;
|
|
+}
|
|
+
|
|
+static int s390x_pkey_ecx_keygen25519(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
|
|
+{
|
|
+ static const unsigned char generator[] = {
|
|
+ 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
|
|
+ };
|
|
+ ECX_KEY *key;
|
|
+ unsigned char *privkey = NULL, *pubkey;
|
|
+
|
|
+ key = OPENSSL_zalloc(sizeof(*key));
|
|
+ if (key == NULL) {
|
|
+ ECerr(EC_F_S390X_PKEY_ECX_KEYGEN25519, ERR_R_MALLOC_FAILURE);
|
|
+ goto err;
|
|
+ }
|
|
+
|
|
+ pubkey = key->pubkey;
|
|
+
|
|
+ privkey = key->privkey = OPENSSL_secure_malloc(X25519_KEYLEN);
|
|
+ if (privkey == NULL) {
|
|
+ ECerr(EC_F_S390X_PKEY_ECX_KEYGEN25519, ERR_R_MALLOC_FAILURE);
|
|
+ goto err;
|
|
+ }
|
|
+
|
|
+ if (RAND_priv_bytes(privkey, X25519_KEYLEN) <= 0)
|
|
+ goto err;
|
|
+
|
|
+ privkey[0] &= 248;
|
|
+ privkey[31] &= 127;
|
|
+ privkey[31] |= 64;
|
|
+
|
|
+ if (s390x_x25519_mul(pubkey, generator, privkey) != 1)
|
|
+ goto err;
|
|
+
|
|
+ EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, key);
|
|
+ return 1;
|
|
+ err:
|
|
+ OPENSSL_secure_clear_free(privkey, X25519_KEYLEN);
|
|
+ key->privkey = NULL;
|
|
+ OPENSSL_free(key);
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+static int s390x_pkey_ecx_keygen448(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
|
|
+{
|
|
+ static const unsigned char generator[] = {
|
|
+ 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
|
|
+ };
|
|
+ ECX_KEY *key;
|
|
+ unsigned char *privkey = NULL, *pubkey;
|
|
+
|
|
+ key = OPENSSL_zalloc(sizeof(*key));
|
|
+ if (key == NULL) {
|
|
+ ECerr(EC_F_S390X_PKEY_ECX_KEYGEN448, ERR_R_MALLOC_FAILURE);
|
|
+ goto err;
|
|
+ }
|
|
+
|
|
+ pubkey = key->pubkey;
|
|
+
|
|
+ privkey = key->privkey = OPENSSL_secure_malloc(X448_KEYLEN);
|
|
+ if (privkey == NULL) {
|
|
+ ECerr(EC_F_S390X_PKEY_ECX_KEYGEN448, ERR_R_MALLOC_FAILURE);
|
|
+ goto err;
|
|
+ }
|
|
+
|
|
+ if (RAND_priv_bytes(privkey, X448_KEYLEN) <= 0)
|
|
+ goto err;
|
|
+
|
|
+ privkey[0] &= 252;
|
|
+ privkey[55] |= 128;
|
|
+
|
|
+ if (s390x_x448_mul(pubkey, generator, privkey) != 1)
|
|
+ goto err;
|
|
+
|
|
+ EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, key);
|
|
+ return 1;
|
|
+ err:
|
|
+ OPENSSL_secure_clear_free(privkey, X448_KEYLEN);
|
|
+ key->privkey = NULL;
|
|
+ OPENSSL_free(key);
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+static int s390x_pkey_ecd_keygen25519(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
|
|
+{
|
|
+ static const unsigned char generator_x[] = {
|
|
+ 0x1a, 0xd5, 0x25, 0x8f, 0x60, 0x2d, 0x56, 0xc9, 0xb2, 0xa7, 0x25, 0x95,
|
|
+ 0x60, 0xc7, 0x2c, 0x69, 0x5c, 0xdc, 0xd6, 0xfd, 0x31, 0xe2, 0xa4, 0xc0,
|
|
+ 0xfe, 0x53, 0x6e, 0xcd, 0xd3, 0x36, 0x69, 0x21
|
|
+ };
|
|
+ static const unsigned char generator_y[] = {
|
|
+ 0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
|
|
+ 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
|
|
+ 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
|
|
+ };
|
|
+ unsigned char x_dst[32], buff[SHA512_DIGEST_LENGTH];
|
|
+ ECX_KEY *key;
|
|
+ unsigned char *privkey = NULL, *pubkey;
|
|
+
|
|
+ key = OPENSSL_zalloc(sizeof(*key));
|
|
+ if (key == NULL) {
|
|
+ ECerr(EC_F_S390X_PKEY_ECD_KEYGEN25519, ERR_R_MALLOC_FAILURE);
|
|
+ goto err;
|
|
+ }
|
|
+
|
|
+ pubkey = key->pubkey;
|
|
+
|
|
+ privkey = key->privkey = OPENSSL_secure_malloc(ED25519_KEYLEN);
|
|
+ if (privkey == NULL) {
|
|
+ ECerr(EC_F_S390X_PKEY_ECD_KEYGEN25519, ERR_R_MALLOC_FAILURE);
|
|
+ goto err;
|
|
+ }
|
|
+
|
|
+ if (RAND_priv_bytes(privkey, ED25519_KEYLEN) <= 0)
|
|
+ goto err;
|
|
+
|
|
+ SHA512(privkey, 32, buff);
|
|
+ buff[0] &= 248;
|
|
+ buff[31] &= 63;
|
|
+ buff[31] |= 64;
|
|
+
|
|
+ if (s390x_ed25519_mul(x_dst, pubkey,
|
|
+ generator_x, generator_y, buff) != 1)
|
|
+ goto err;
|
|
+
|
|
+ pubkey[31] |= ((x_dst[0] & 0x01) << 7);
|
|
+
|
|
+ EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, key);
|
|
+ return 1;
|
|
+ err:
|
|
+ OPENSSL_secure_clear_free(privkey, ED25519_KEYLEN);
|
|
+ key->privkey = NULL;
|
|
+ OPENSSL_free(key);
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+static int s390x_pkey_ecd_keygen448(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
|
|
+{
|
|
+ static const unsigned char generator_x[] = {
|
|
+ 0x5e, 0xc0, 0x0c, 0xc7, 0x2b, 0xa8, 0x26, 0x26, 0x8e, 0x93, 0x00, 0x8b,
|
|
+ 0xe1, 0x80, 0x3b, 0x43, 0x11, 0x65, 0xb6, 0x2a, 0xf7, 0x1a, 0xae, 0x12,
|
|
+ 0x64, 0xa4, 0xd3, 0xa3, 0x24, 0xe3, 0x6d, 0xea, 0x67, 0x17, 0x0f, 0x47,
|
|
+ 0x70, 0x65, 0x14, 0x9e, 0xda, 0x36, 0xbf, 0x22, 0xa6, 0x15, 0x1d, 0x22,
|
|
+ 0xed, 0x0d, 0xed, 0x6b, 0xc6, 0x70, 0x19, 0x4f, 0x00
|
|
+ };
|
|
+ static const unsigned char generator_y[] = {
|
|
+ 0x14, 0xfa, 0x30, 0xf2, 0x5b, 0x79, 0x08, 0x98, 0xad, 0xc8, 0xd7, 0x4e,
|
|
+ 0x2c, 0x13, 0xbd, 0xfd, 0xc4, 0x39, 0x7c, 0xe6, 0x1c, 0xff, 0xd3, 0x3a,
|
|
+ 0xd7, 0xc2, 0xa0, 0x05, 0x1e, 0x9c, 0x78, 0x87, 0x40, 0x98, 0xa3, 0x6c,
|
|
+ 0x73, 0x73, 0xea, 0x4b, 0x62, 0xc7, 0xc9, 0x56, 0x37, 0x20, 0x76, 0x88,
|
|
+ 0x24, 0xbc, 0xb6, 0x6e, 0x71, 0x46, 0x3f, 0x69, 0x00
|
|
+ };
|
|
+ unsigned char x_dst[57], buff[114];
|
|
+ ECX_KEY *key;
|
|
+ unsigned char *privkey = NULL, *pubkey;
|
|
+ EVP_MD_CTX *hashctx = NULL;
|
|
+
|
|
+ key = OPENSSL_zalloc(sizeof(*key));
|
|
+ if (key == NULL) {
|
|
+ ECerr(EC_F_S390X_PKEY_ECD_KEYGEN448, ERR_R_MALLOC_FAILURE);
|
|
+ goto err;
|
|
+ }
|
|
+
|
|
+ pubkey = key->pubkey;
|
|
+
|
|
+ privkey = key->privkey = OPENSSL_secure_malloc(ED448_KEYLEN);
|
|
+ if (privkey == NULL) {
|
|
+ ECerr(EC_F_S390X_PKEY_ECD_KEYGEN448, ERR_R_MALLOC_FAILURE);
|
|
+ goto err;
|
|
+ }
|
|
+
|
|
+ if (RAND_priv_bytes(privkey, ED448_KEYLEN) <= 0)
|
|
+ goto err;
|
|
+
|
|
+ hashctx = EVP_MD_CTX_new();
|
|
+ if (hashctx == NULL)
|
|
+ goto err;
|
|
+ if (EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL) != 1)
|
|
+ goto err;
|
|
+ if (EVP_DigestUpdate(hashctx, privkey, 57) != 1)
|
|
+ goto err;
|
|
+ if (EVP_DigestFinalXOF(hashctx, buff, sizeof(buff)) != 1)
|
|
+ goto err;
|
|
+
|
|
+ buff[0] &= -4;
|
|
+ buff[55] |= 0x80;
|
|
+ buff[56] = 0;
|
|
+
|
|
+ if (s390x_ed448_mul(x_dst, pubkey,
|
|
+ generator_x, generator_y, buff) != 1)
|
|
+ goto err;
|
|
+
|
|
+ pubkey[56] |= ((x_dst[0] & 0x01) << 7);
|
|
+
|
|
+ EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, key);
|
|
+ EVP_MD_CTX_free(hashctx);
|
|
+ return 1;
|
|
+ err:
|
|
+ OPENSSL_secure_clear_free(privkey, ED448_KEYLEN);
|
|
+ key->privkey = NULL;
|
|
+ OPENSSL_free(key);
|
|
+ EVP_MD_CTX_free(hashctx);
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+static int s390x_pkey_ecx_derive25519(EVP_PKEY_CTX *ctx, unsigned char *key,
|
|
+ size_t *keylen)
|
|
+{
|
|
+ const unsigned char *privkey, *pubkey;
|
|
+
|
|
+ if (!validate_ecx_derive(ctx, key, keylen, &privkey, &pubkey))
|
|
+ return 0;
|
|
+
|
|
+ if (key != NULL)
|
|
+ return s390x_x25519_mul(key, pubkey, privkey);
|
|
+
|
|
+ *keylen = X25519_KEYLEN;
|
|
+ return 1;
|
|
+}
|
|
+
|
|
+static int s390x_pkey_ecx_derive448(EVP_PKEY_CTX *ctx, unsigned char *key,
|
|
+ size_t *keylen)
|
|
+{
|
|
+ const unsigned char *privkey, *pubkey;
|
|
+
|
|
+ if (!validate_ecx_derive(ctx, key, keylen, &privkey, &pubkey))
|
|
+ return 0;
|
|
+
|
|
+ if (key != NULL)
|
|
+ return s390x_x448_mul(key, pubkey, privkey);
|
|
+
|
|
+ *keylen = X448_KEYLEN;
|
|
+ return 1;
|
|
+}
|
|
+
|
|
+static int s390x_pkey_ecd_digestsign25519(EVP_MD_CTX *ctx,
|
|
+ unsigned char *sig, size_t *siglen,
|
|
+ const unsigned char *tbs,
|
|
+ size_t tbslen)
|
|
+{
|
|
+ union {
|
|
+ struct {
|
|
+ unsigned char sig[64];
|
|
+ unsigned char priv[32];
|
|
+ } ed25519;
|
|
+ unsigned long long buff[512];
|
|
+ } param;
|
|
+ const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx;
|
|
+ int rc;
|
|
+
|
|
+ if (sig == NULL) {
|
|
+ *siglen = ED25519_SIGSIZE;
|
|
+ return 1;
|
|
+ }
|
|
+
|
|
+ if (*siglen < ED25519_SIGSIZE) {
|
|
+ ECerr(EC_F_S390X_PKEY_ECD_DIGESTSIGN25519, EC_R_BUFFER_TOO_SMALL);
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
+ memset(¶m, 0, sizeof(param));
|
|
+ memcpy(param.ed25519.priv, edkey->privkey, sizeof(param.ed25519.priv));
|
|
+
|
|
+ rc = s390x_kdsa(S390X_EDDSA_SIGN_ED25519, ¶m.ed25519, tbs, tbslen);
|
|
+ OPENSSL_cleanse(param.ed25519.priv, sizeof(param.ed25519.priv));
|
|
+ if (rc != 0)
|
|
+ return 0;
|
|
+
|
|
+ s390x_flip_endian32(sig, param.ed25519.sig);
|
|
+ s390x_flip_endian32(sig + 32, param.ed25519.sig + 32);
|
|
+
|
|
+ *siglen = ED25519_SIGSIZE;
|
|
+ return 1;
|
|
+}
|
|
+
|
|
+static int s390x_pkey_ecd_digestsign448(EVP_MD_CTX *ctx,
|
|
+ unsigned char *sig, size_t *siglen,
|
|
+ const unsigned char *tbs,
|
|
+ size_t tbslen)
|
|
+{
|
|
+ union {
|
|
+ struct {
|
|
+ unsigned char sig[128];
|
|
+ unsigned char priv[64];
|
|
+ } ed448;
|
|
+ unsigned long long buff[512];
|
|
+ } param;
|
|
+ const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx;
|
|
+ int rc;
|
|
+
|
|
+ if (sig == NULL) {
|
|
+ *siglen = ED448_SIGSIZE;
|
|
+ return 1;
|
|
+ }
|
|
+
|
|
+ if (*siglen < ED448_SIGSIZE) {
|
|
+ ECerr(EC_F_S390X_PKEY_ECD_DIGESTSIGN448, EC_R_BUFFER_TOO_SMALL);
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
+ memset(¶m, 0, sizeof(param));
|
|
+ memcpy(param.ed448.priv + 64 - 57, edkey->privkey, 57);
|
|
+
|
|
+ rc = s390x_kdsa(S390X_EDDSA_SIGN_ED448, ¶m.ed448, tbs, tbslen);
|
|
+ OPENSSL_cleanse(param.ed448.priv, sizeof(param.ed448.priv));
|
|
+ if (rc != 0)
|
|
+ return 0;
|
|
+
|
|
+ s390x_flip_endian64(param.ed448.sig, param.ed448.sig);
|
|
+ s390x_flip_endian64(param.ed448.sig + 64, param.ed448.sig + 64);
|
|
+ memcpy(sig, param.ed448.sig, 57);
|
|
+ memcpy(sig + 57, param.ed448.sig + 64, 57);
|
|
+
|
|
+ *siglen = ED448_SIGSIZE;
|
|
+ return 1;
|
|
+}
|
|
+
|
|
+static int s390x_pkey_ecd_digestverify25519(EVP_MD_CTX *ctx,
|
|
+ const unsigned char *sig,
|
|
+ size_t siglen,
|
|
+ const unsigned char *tbs,
|
|
+ size_t tbslen)
|
|
+{
|
|
+ union {
|
|
+ struct {
|
|
+ unsigned char sig[64];
|
|
+ unsigned char pub[32];
|
|
+ } ed25519;
|
|
+ unsigned long long buff[512];
|
|
+ } param;
|
|
+ const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx;
|
|
+
|
|
+ if (siglen != ED25519_SIGSIZE)
|
|
+ return 0;
|
|
+
|
|
+ memset(¶m, 0, sizeof(param));
|
|
+ s390x_flip_endian32(param.ed25519.sig, sig);
|
|
+ s390x_flip_endian32(param.ed25519.sig + 32, sig + 32);
|
|
+ s390x_flip_endian32(param.ed25519.pub, edkey->pubkey);
|
|
+
|
|
+ return s390x_kdsa(S390X_EDDSA_VERIFY_ED25519,
|
|
+ ¶m.ed25519, tbs, tbslen) == 0 ? 1 : 0;
|
|
+}
|
|
+
|
|
+static int s390x_pkey_ecd_digestverify448(EVP_MD_CTX *ctx,
|
|
+ const unsigned char *sig,
|
|
+ size_t siglen,
|
|
+ const unsigned char *tbs,
|
|
+ size_t tbslen)
|
|
+{
|
|
+ union {
|
|
+ struct {
|
|
+ unsigned char sig[128];
|
|
+ unsigned char pub[64];
|
|
+ } ed448;
|
|
+ unsigned long long buff[512];
|
|
+ } param;
|
|
+ const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx;
|
|
+
|
|
+ if (siglen != ED448_SIGSIZE)
|
|
+ return 0;
|
|
+
|
|
+ memset(¶m, 0, sizeof(param));
|
|
+ memcpy(param.ed448.sig, sig, 57);
|
|
+ s390x_flip_endian64(param.ed448.sig, param.ed448.sig);
|
|
+ memcpy(param.ed448.sig + 64, sig + 57, 57);
|
|
+ s390x_flip_endian64(param.ed448.sig + 64, param.ed448.sig + 64);
|
|
+ memcpy(param.ed448.pub, edkey->pubkey, 57);
|
|
+ s390x_flip_endian64(param.ed448.pub, param.ed448.pub);
|
|
+
|
|
+ return s390x_kdsa(S390X_EDDSA_VERIFY_ED448,
|
|
+ ¶m.ed448, tbs, tbslen) == 0 ? 1 : 0;
|
|
+}
|
|
+
|
|
+static const EVP_PKEY_METHOD ecx25519_s390x_pkey_meth = {
|
|
+ EVP_PKEY_X25519,
|
|
+ 0, 0, 0, 0, 0, 0, 0,
|
|
+ s390x_pkey_ecx_keygen25519,
|
|
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
|
|
+ s390x_pkey_ecx_derive25519,
|
|
+ pkey_ecx_ctrl,
|
|
+ 0
|
|
+};
|
|
+
|
|
+static const EVP_PKEY_METHOD ecx448_s390x_pkey_meth = {
|
|
+ EVP_PKEY_X448,
|
|
+ 0, 0, 0, 0, 0, 0, 0,
|
|
+ s390x_pkey_ecx_keygen448,
|
|
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
|
|
+ s390x_pkey_ecx_derive448,
|
|
+ pkey_ecx_ctrl,
|
|
+ 0
|
|
+};
|
|
+static const EVP_PKEY_METHOD ed25519_s390x_pkey_meth = {
|
|
+ EVP_PKEY_ED25519, EVP_PKEY_FLAG_SIGCTX_CUSTOM,
|
|
+ 0, 0, 0, 0, 0, 0,
|
|
+ s390x_pkey_ecd_keygen25519,
|
|
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
|
|
+ pkey_ecd_ctrl,
|
|
+ 0,
|
|
+ s390x_pkey_ecd_digestsign25519,
|
|
+ s390x_pkey_ecd_digestverify25519
|
|
+};
|
|
+
|
|
+static const EVP_PKEY_METHOD ed448_s390x_pkey_meth = {
|
|
+ EVP_PKEY_ED448, EVP_PKEY_FLAG_SIGCTX_CUSTOM,
|
|
+ 0, 0, 0, 0, 0, 0,
|
|
+ s390x_pkey_ecd_keygen448,
|
|
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
|
|
+ pkey_ecd_ctrl,
|
|
+ 0,
|
|
+ s390x_pkey_ecd_digestsign448,
|
|
+ s390x_pkey_ecd_digestverify448
|
|
+};
|
|
+#endif
|
|
+
|
|
+const EVP_PKEY_METHOD *ecx25519_pkey_method(void)
|
|
+{
|
|
+#ifdef S390X_EC_ASM
|
|
+ if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_X25519))
|
|
+ return &ecx25519_s390x_pkey_meth;
|
|
+#endif
|
|
+ return &ecx25519_pkey_meth;
|
|
+}
|
|
+
|
|
+const EVP_PKEY_METHOD *ecx448_pkey_method(void)
|
|
+{
|
|
+#ifdef S390X_EC_ASM
|
|
+ if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_X448))
|
|
+ return &ecx448_s390x_pkey_meth;
|
|
+#endif
|
|
+ return &ecx448_pkey_meth;
|
|
+}
|
|
+
|
|
+const EVP_PKEY_METHOD *ed25519_pkey_method(void)
|
|
+{
|
|
+#ifdef S390X_EC_ASM
|
|
+ if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_ED25519)
|
|
+ && OPENSSL_s390xcap_P.kdsa[0] & S390X_CAPBIT(S390X_EDDSA_SIGN_ED25519)
|
|
+ && OPENSSL_s390xcap_P.kdsa[0]
|
|
+ & S390X_CAPBIT(S390X_EDDSA_VERIFY_ED25519))
|
|
+ return &ed25519_s390x_pkey_meth;
|
|
+#endif
|
|
+ return &ed25519_pkey_meth;
|
|
+}
|
|
+
|
|
+const EVP_PKEY_METHOD *ed448_pkey_method(void)
|
|
+{
|
|
+#ifdef S390X_EC_ASM
|
|
+ if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_ED448)
|
|
+ && OPENSSL_s390xcap_P.kdsa[0] & S390X_CAPBIT(S390X_EDDSA_SIGN_ED448)
|
|
+ && OPENSSL_s390xcap_P.kdsa[0] & S390X_CAPBIT(S390X_EDDSA_VERIFY_ED448))
|
|
+ return &ed448_s390x_pkey_meth;
|
|
+#endif
|
|
+ return &ed448_pkey_meth;
|
|
+}
|
|
diff -up openssl-1.1.1c/crypto/err/openssl.txt.s390x-ecc openssl-1.1.1c/crypto/err/openssl.txt
|
|
--- openssl-1.1.1c/crypto/err/openssl.txt.s390x-ecc 2019-11-20 11:36:02.158861012 +0100
|
|
+++ openssl-1.1.1c/crypto/err/openssl.txt 2019-11-20 11:36:02.196860345 +0100
|
|
@@ -495,6 +495,11 @@ EC_F_ECDSA_SIGN_EX:254:ECDSA_sign_ex
|
|
EC_F_ECDSA_SIGN_SETUP:248:ECDSA_sign_setup
|
|
EC_F_ECDSA_SIG_NEW:265:ECDSA_SIG_new
|
|
EC_F_ECDSA_VERIFY:253:ECDSA_verify
|
|
+EC_F_ECDSA_SIMPLE_SIGN_SETUP:310:ecdsa_simple_sign_setup
|
|
+EC_F_ECDSA_SIMPLE_SIGN_SIG:311:ecdsa_simple_sign_sig
|
|
+EC_F_ECDSA_SIMPLE_VERIFY_SIG:312:ecdsa_simple_verify_sig
|
|
+EC_F_ECDSA_S390X_NISTP_SIGN_SIG:313:ecdsa_s390x_nistp_sign_sig
|
|
+EC_F_ECDSA_S390X_NISTP_VERIFY_SIG:314:ecdsa_s390x_nistp_verify_sig
|
|
EC_F_ECD_ITEM_VERIFY:270:ecd_item_verify
|
|
EC_F_ECKEY_PARAM2TYPE:223:eckey_param2type
|
|
EC_F_ECKEY_PARAM_DECODE:212:eckey_param_decode
|
|
@@ -656,6 +661,7 @@ EC_F_NISTP521_PRE_COMP_NEW:237:nistp521_
|
|
EC_F_O2I_ECPUBLICKEY:152:o2i_ECPublicKey
|
|
EC_F_OLD_EC_PRIV_DECODE:222:old_ec_priv_decode
|
|
EC_F_OSSL_ECDH_COMPUTE_KEY:247:ossl_ecdh_compute_key
|
|
+EC_F_OSSL_ECDSA_SIGN_SETUP:300:ossl_ecdsa_sign_setup
|
|
EC_F_OSSL_ECDSA_SIGN_SIG:249:ossl_ecdsa_sign_sig
|
|
EC_F_OSSL_ECDSA_VERIFY_SIG:250:ossl_ecdsa_verify_sig
|
|
EC_F_PKEY_ECD_CTRL:271:pkey_ecd_ctrl
|
|
@@ -671,6 +677,12 @@ EC_F_PKEY_EC_KDF_DERIVE:283:pkey_ec_kdf_
|
|
EC_F_PKEY_EC_KEYGEN:199:pkey_ec_keygen
|
|
EC_F_PKEY_EC_PARAMGEN:219:pkey_ec_paramgen
|
|
EC_F_PKEY_EC_SIGN:218:pkey_ec_sign
|
|
+EC_F_S390X_PKEY_ECD_DIGESTSIGN25519:303:s390x_pkey_ecd_digestsign25519
|
|
+EC_F_S390X_PKEY_ECD_DIGESTSIGN448:304:s390x_pkey_ecd_digestsign448
|
|
+EC_F_S390X_PKEY_ECD_KEYGEN25519:305:s390x_pkey_ecd_keygen25519
|
|
+EC_F_S390X_PKEY_ECD_KEYGEN448:306:s390x_pkey_ecd_keygen448
|
|
+EC_F_S390X_PKEY_ECX_KEYGEN25519:307:s390x_pkey_ecx_keygen25519
|
|
+EC_F_S390X_PKEY_ECX_KEYGEN448:308:s390x_pkey_ecx_keygen448
|
|
EC_F_VALIDATE_ECX_DERIVE:278:validate_ecx_derive
|
|
ENGINE_F_DIGEST_UPDATE:198:digest_update
|
|
ENGINE_F_DYNAMIC_CTRL:180:dynamic_ctrl
|
|
@@ -2149,6 +2161,7 @@ EC_R_BUFFER_TOO_SMALL:100:buffer too sma
|
|
EC_R_CANNOT_INVERT:165:cannot invert
|
|
EC_R_COORDINATES_OUT_OF_RANGE:146:coordinates out of range
|
|
EC_R_CURVE_DOES_NOT_SUPPORT_ECDH:160:curve does not support ecdh
|
|
+EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA:170:curve does not support ecdsa
|
|
EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING:159:curve does not support signing
|
|
EC_R_D2I_ECPKPARAMETERS_FAILURE:117:d2i ecpkparameters failure
|
|
EC_R_DECODE_ERROR:142:decode error
|
|
diff -up openssl-1.1.1c/crypto/evp/pmeth_lib.c.s390x-ecc openssl-1.1.1c/crypto/evp/pmeth_lib.c
|
|
--- openssl-1.1.1c/crypto/evp/pmeth_lib.c.s390x-ecc 2019-11-20 11:36:02.105861942 +0100
|
|
+++ openssl-1.1.1c/crypto/evp/pmeth_lib.c 2019-11-20 11:36:02.197860328 +0100
|
|
@@ -17,60 +17,67 @@
|
|
#include "internal/evp_int.h"
|
|
#include "internal/numbers.h"
|
|
|
|
+typedef const EVP_PKEY_METHOD *(*pmeth_fn)(void);
|
|
typedef int sk_cmp_fn_type(const char *const *a, const char *const *b);
|
|
|
|
static STACK_OF(EVP_PKEY_METHOD) *app_pkey_methods = NULL;
|
|
|
|
/* This array needs to be in order of NIDs */
|
|
-static const EVP_PKEY_METHOD *standard_methods[] = {
|
|
+static pmeth_fn standard_methods[] = {
|
|
#ifndef OPENSSL_NO_RSA
|
|
- &rsa_pkey_meth,
|
|
+ rsa_pkey_method,
|
|
#endif
|
|
#ifndef OPENSSL_NO_DH
|
|
- &dh_pkey_meth,
|
|
+ dh_pkey_method,
|
|
#endif
|
|
#ifndef OPENSSL_NO_DSA
|
|
- &dsa_pkey_meth,
|
|
+ dsa_pkey_method,
|
|
#endif
|
|
#ifndef OPENSSL_NO_EC
|
|
- &ec_pkey_meth,
|
|
+ ec_pkey_method,
|
|
#endif
|
|
- &hmac_pkey_meth,
|
|
+ hmac_pkey_method,
|
|
#ifndef OPENSSL_NO_CMAC
|
|
- &cmac_pkey_meth,
|
|
+ cmac_pkey_method,
|
|
#endif
|
|
#ifndef OPENSSL_NO_RSA
|
|
- &rsa_pss_pkey_meth,
|
|
+ rsa_pss_pkey_method,
|
|
#endif
|
|
#ifndef OPENSSL_NO_DH
|
|
- &dhx_pkey_meth,
|
|
+ dhx_pkey_method,
|
|
#endif
|
|
#ifndef OPENSSL_NO_SCRYPT
|
|
- &scrypt_pkey_meth,
|
|
+ scrypt_pkey_method,
|
|
#endif
|
|
- &tls1_prf_pkey_meth,
|
|
+ tls1_prf_pkey_method,
|
|
#ifndef OPENSSL_NO_EC
|
|
- &ecx25519_pkey_meth,
|
|
- &ecx448_pkey_meth,
|
|
+ ecx25519_pkey_method,
|
|
+ ecx448_pkey_method,
|
|
#endif
|
|
- &hkdf_pkey_meth,
|
|
+ hkdf_pkey_method,
|
|
#ifndef OPENSSL_NO_POLY1305
|
|
- &poly1305_pkey_meth,
|
|
+ poly1305_pkey_method,
|
|
#endif
|
|
#ifndef OPENSSL_NO_SIPHASH
|
|
- &siphash_pkey_meth,
|
|
+ siphash_pkey_method,
|
|
#endif
|
|
#ifndef OPENSSL_NO_EC
|
|
- &ed25519_pkey_meth,
|
|
- &ed448_pkey_meth,
|
|
+ ed25519_pkey_method,
|
|
+ ed448_pkey_method,
|
|
#endif
|
|
#ifndef OPENSSL_NO_SM2
|
|
- &sm2_pkey_meth,
|
|
+ sm2_pkey_method,
|
|
#endif
|
|
};
|
|
|
|
-DECLARE_OBJ_BSEARCH_CMP_FN(const EVP_PKEY_METHOD *, const EVP_PKEY_METHOD *,
|
|
- pmeth);
|
|
+DECLARE_OBJ_BSEARCH_CMP_FN(const EVP_PKEY_METHOD *, pmeth_fn, pmeth_func);
|
|
+
|
|
+static int pmeth_func_cmp(const EVP_PKEY_METHOD *const *a, pmeth_fn const *b)
|
|
+{
|
|
+ return ((*a)->pkey_id - ((**b)())->pkey_id);
|
|
+}
|
|
+
|
|
+IMPLEMENT_OBJ_BSEARCH_CMP_FN(const EVP_PKEY_METHOD *, pmeth_fn, pmeth_func);
|
|
|
|
static int pmeth_cmp(const EVP_PKEY_METHOD *const *a,
|
|
const EVP_PKEY_METHOD *const *b)
|
|
@@ -78,13 +85,11 @@ static int pmeth_cmp(const EVP_PKEY_METH
|
|
return ((*a)->pkey_id - (*b)->pkey_id);
|
|
}
|
|
|
|
-IMPLEMENT_OBJ_BSEARCH_CMP_FN(const EVP_PKEY_METHOD *, const EVP_PKEY_METHOD *,
|
|
- pmeth);
|
|
-
|
|
const EVP_PKEY_METHOD *EVP_PKEY_meth_find(int type)
|
|
{
|
|
+ pmeth_fn *ret;
|
|
EVP_PKEY_METHOD tmp;
|
|
- const EVP_PKEY_METHOD *t = &tmp, **ret;
|
|
+ const EVP_PKEY_METHOD *t = &tmp;
|
|
tmp.pkey_id = type;
|
|
if (app_pkey_methods) {
|
|
int idx;
|
|
@@ -92,12 +97,12 @@ const EVP_PKEY_METHOD *EVP_PKEY_meth_fin
|
|
if (idx >= 0)
|
|
return sk_EVP_PKEY_METHOD_value(app_pkey_methods, idx);
|
|
}
|
|
- ret = OBJ_bsearch_pmeth(&t, standard_methods,
|
|
- sizeof(standard_methods) /
|
|
- sizeof(EVP_PKEY_METHOD *));
|
|
+ ret = OBJ_bsearch_pmeth_func(&t, standard_methods,
|
|
+ sizeof(standard_methods) /
|
|
+ sizeof(pmeth_fn));
|
|
if (!ret || !*ret)
|
|
return NULL;
|
|
- return *ret;
|
|
+ return (**ret)();
|
|
}
|
|
|
|
static EVP_PKEY_CTX *int_ctx_new(EVP_PKEY *pkey, ENGINE *e, int id)
|
|
@@ -348,7 +353,7 @@ size_t EVP_PKEY_meth_get_count(void)
|
|
const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx)
|
|
{
|
|
if (idx < OSSL_NELEM(standard_methods))
|
|
- return standard_methods[idx];
|
|
+ return (standard_methods[idx])();
|
|
if (app_pkey_methods == NULL)
|
|
return NULL;
|
|
idx -= OSSL_NELEM(standard_methods);
|
|
diff -up openssl-1.1.1c/crypto/hmac/hm_pmeth.c.s390x-ecc openssl-1.1.1c/crypto/hmac/hm_pmeth.c
|
|
--- openssl-1.1.1c/crypto/hmac/hm_pmeth.c.s390x-ecc 2019-11-20 11:36:02.115861766 +0100
|
|
+++ openssl-1.1.1c/crypto/hmac/hm_pmeth.c 2019-11-20 11:36:02.197860328 +0100
|
|
@@ -210,3 +210,8 @@ const EVP_PKEY_METHOD hmac_pkey_meth = {
|
|
pkey_hmac_ctrl,
|
|
pkey_hmac_ctrl_str
|
|
};
|
|
+
|
|
+const EVP_PKEY_METHOD *hmac_pkey_method(void)
|
|
+{
|
|
+ return &hmac_pkey_meth;
|
|
+}
|
|
diff -up openssl-1.1.1c/crypto/include/internal/evp_int.h.s390x-ecc openssl-1.1.1c/crypto/include/internal/evp_int.h
|
|
--- openssl-1.1.1c/crypto/include/internal/evp_int.h.s390x-ecc 2019-11-20 11:36:02.158861012 +0100
|
|
+++ openssl-1.1.1c/crypto/include/internal/evp_int.h 2019-11-20 11:36:02.197860328 +0100
|
|
@@ -459,3 +459,22 @@ void evp_encode_ctx_set_flags(EVP_ENCODE
|
|
#define EVP_ENCODE_CTX_NO_NEWLINES 1
|
|
/* Use the SRP base64 alphabet instead of the standard one */
|
|
#define EVP_ENCODE_CTX_USE_SRP_ALPHABET 2
|
|
+
|
|
+const EVP_PKEY_METHOD *cmac_pkey_method(void);
|
|
+const EVP_PKEY_METHOD *dh_pkey_method(void);
|
|
+const EVP_PKEY_METHOD *dhx_pkey_method(void);
|
|
+const EVP_PKEY_METHOD *dsa_pkey_method(void);
|
|
+const EVP_PKEY_METHOD *ec_pkey_method(void);
|
|
+const EVP_PKEY_METHOD *sm2_pkey_method(void);
|
|
+const EVP_PKEY_METHOD *ecx25519_pkey_method(void);
|
|
+const EVP_PKEY_METHOD *ecx448_pkey_method(void);
|
|
+const EVP_PKEY_METHOD *ed25519_pkey_method(void);
|
|
+const EVP_PKEY_METHOD *ed448_pkey_method(void);
|
|
+const EVP_PKEY_METHOD *hmac_pkey_method(void);
|
|
+const EVP_PKEY_METHOD *rsa_pkey_method(void);
|
|
+const EVP_PKEY_METHOD *rsa_pss_pkey_method(void);
|
|
+const EVP_PKEY_METHOD *scrypt_pkey_method(void);
|
|
+const EVP_PKEY_METHOD *tls1_prf_pkey_method(void);
|
|
+const EVP_PKEY_METHOD *hkdf_pkey_method(void);
|
|
+const EVP_PKEY_METHOD *poly1305_pkey_method(void);
|
|
+const EVP_PKEY_METHOD *siphash_pkey_method(void);
|
|
diff -up openssl-1.1.1c/crypto/kdf/hkdf.c.s390x-ecc openssl-1.1.1c/crypto/kdf/hkdf.c
|
|
--- openssl-1.1.1c/crypto/kdf/hkdf.c.s390x-ecc 2019-11-20 11:36:02.148861187 +0100
|
|
+++ openssl-1.1.1c/crypto/kdf/hkdf.c 2019-11-20 11:36:02.198860310 +0100
|
|
@@ -233,6 +233,11 @@ const EVP_KDF_METHOD hkdf_kdf_meth = {
|
|
kdf_hkdf_derive
|
|
};
|
|
|
|
+const EVP_PKEY_METHOD *hkdf_pkey_method(void)
|
|
+{
|
|
+ return &hkdf_pkey_meth;
|
|
+}
|
|
+
|
|
static int HKDF(const EVP_MD *evp_md,
|
|
const unsigned char *salt, size_t salt_len,
|
|
const unsigned char *key, size_t key_len,
|
|
diff -up openssl-1.1.1c/crypto/kdf/scrypt.c.s390x-ecc openssl-1.1.1c/crypto/kdf/scrypt.c
|
|
--- openssl-1.1.1c/crypto/kdf/scrypt.c.s390x-ecc 2019-11-20 11:36:02.149861170 +0100
|
|
+++ openssl-1.1.1c/crypto/kdf/scrypt.c 2019-11-20 11:36:02.198860310 +0100
|
|
@@ -503,4 +503,9 @@ static int scrypt_alg(const char *pass,
|
|
return rv;
|
|
}
|
|
|
|
+const EVP_PKEY_METHOD *scrypt_pkey_method(void)
|
|
+{
|
|
+ return &scrypt_pkey_meth;
|
|
+}
|
|
+
|
|
#endif
|
|
diff -up openssl-1.1.1c/crypto/kdf/tls1_prf.c.s390x-ecc openssl-1.1.1c/crypto/kdf/tls1_prf.c
|
|
--- openssl-1.1.1c/crypto/kdf/tls1_prf.c.s390x-ecc 2019-11-20 11:36:02.149861170 +0100
|
|
+++ openssl-1.1.1c/crypto/kdf/tls1_prf.c 2019-11-20 11:36:02.198860310 +0100
|
|
@@ -168,6 +168,11 @@ const EVP_KDF_METHOD tls1_prf_kdf_meth =
|
|
kdf_tls1_prf_derive
|
|
};
|
|
|
|
+const EVP_PKEY_METHOD *tls1_prf_pkey_method(void)
|
|
+{
|
|
+ return &tls1_prf_pkey_meth;
|
|
+}
|
|
+
|
|
static int tls1_prf_P_hash(const EVP_MD *md,
|
|
const unsigned char *sec, size_t sec_len,
|
|
const unsigned char *seed, size_t seed_len,
|
|
diff -up openssl-1.1.1c/crypto/poly1305/poly1305_pmeth.c.s390x-ecc openssl-1.1.1c/crypto/poly1305/poly1305_pmeth.c
|
|
--- openssl-1.1.1c/crypto/poly1305/poly1305_pmeth.c.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
|
|
+++ openssl-1.1.1c/crypto/poly1305/poly1305_pmeth.c 2019-11-20 11:36:02.199860293 +0100
|
|
@@ -192,3 +192,8 @@ const EVP_PKEY_METHOD poly1305_pkey_meth
|
|
pkey_poly1305_ctrl,
|
|
pkey_poly1305_ctrl_str
|
|
};
|
|
+
|
|
+const EVP_PKEY_METHOD *poly1305_pkey_method(void)
|
|
+{
|
|
+ return &poly1305_pkey_meth;
|
|
+}
|
|
diff -up openssl-1.1.1c/crypto/rsa/rsa_pmeth.c.s390x-ecc openssl-1.1.1c/crypto/rsa/rsa_pmeth.c
|
|
--- openssl-1.1.1c/crypto/rsa/rsa_pmeth.c.s390x-ecc 2019-11-20 11:36:02.117861731 +0100
|
|
+++ openssl-1.1.1c/crypto/rsa/rsa_pmeth.c 2019-11-20 11:36:02.199860293 +0100
|
|
@@ -789,6 +789,11 @@ const EVP_PKEY_METHOD rsa_pkey_meth = {
|
|
pkey_rsa_ctrl_str
|
|
};
|
|
|
|
+const EVP_PKEY_METHOD *rsa_pkey_method(void)
|
|
+{
|
|
+ return &rsa_pkey_meth;
|
|
+}
|
|
+
|
|
/*
|
|
* Called for PSS sign or verify initialisation: checks PSS parameter
|
|
* sanity and sets any restrictions on key usage.
|
|
@@ -859,3 +864,8 @@ const EVP_PKEY_METHOD rsa_pss_pkey_meth
|
|
pkey_rsa_ctrl,
|
|
pkey_rsa_ctrl_str
|
|
};
|
|
+
|
|
+const EVP_PKEY_METHOD *rsa_pss_pkey_method(void)
|
|
+{
|
|
+ return &rsa_pss_pkey_meth;
|
|
+}
|
|
diff -up openssl-1.1.1c/crypto/s390x_arch.h.s390x-ecc openssl-1.1.1c/crypto/s390x_arch.h
|
|
--- openssl-1.1.1c/crypto/s390x_arch.h.s390x-ecc 2019-11-20 11:36:01.867866116 +0100
|
|
+++ openssl-1.1.1c/crypto/s390x_arch.h 2019-11-20 11:36:02.199860293 +0100
|
|
@@ -26,6 +26,12 @@ void s390x_kmf(const unsigned char *in,
|
|
unsigned int fc, void *param);
|
|
void s390x_kma(const unsigned char *aad, size_t alen, const unsigned char *in,
|
|
size_t len, unsigned char *out, unsigned int fc, void *param);
|
|
+int s390x_pcc(unsigned int fc, void *param);
|
|
+int s390x_kdsa(unsigned int fc, void *param, const unsigned char *in,
|
|
+ size_t len);
|
|
+
|
|
+void s390x_flip_endian32(unsigned char dst[32], const unsigned char src[32]);
|
|
+void s390x_flip_endian64(unsigned char dst[64], const unsigned char src[64]);
|
|
|
|
/*
|
|
* The field elements of OPENSSL_s390xcap_P are the 64-bit words returned by
|
|
@@ -45,6 +51,8 @@ struct OPENSSL_s390xcap_st {
|
|
unsigned long long kmf[2];
|
|
unsigned long long prno[2];
|
|
unsigned long long kma[2];
|
|
+ unsigned long long pcc[2];
|
|
+ unsigned long long kdsa[2];
|
|
};
|
|
|
|
extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P;
|
|
@@ -66,11 +74,14 @@ extern struct OPENSSL_s390xcap_st OPENSS
|
|
# define S390X_KMF 0x90
|
|
# define S390X_PRNO 0xa0
|
|
# define S390X_KMA 0xb0
|
|
+# define S390X_PCC 0xc0
|
|
+# define S390X_KDSA 0xd0
|
|
|
|
/* Facility Bit Numbers */
|
|
# define S390X_VX 129
|
|
# define S390X_VXD 134
|
|
# define S390X_VXE 135
|
|
+# define S390X_MSA9 155 /* message-security-assist-ext. 9 */
|
|
|
|
/* Function Codes */
|
|
|
|
@@ -94,10 +105,32 @@ extern struct OPENSSL_s390xcap_st OPENSS
|
|
/* prno */
|
|
# define S390X_TRNG 114
|
|
|
|
+/* pcc */
|
|
+# define S390X_SCALAR_MULTIPLY_P256 64
|
|
+# define S390X_SCALAR_MULTIPLY_P384 65
|
|
+# define S390X_SCALAR_MULTIPLY_P521 66
|
|
+# define S390X_SCALAR_MULTIPLY_ED25519 72
|
|
+# define S390X_SCALAR_MULTIPLY_ED448 73
|
|
+# define S390X_SCALAR_MULTIPLY_X25519 80
|
|
+# define S390X_SCALAR_MULTIPLY_X448 81
|
|
+
|
|
+/* kdsa */
|
|
+# define S390X_ECDSA_VERIFY_P256 1
|
|
+# define S390X_ECDSA_VERIFY_P384 2
|
|
+# define S390X_ECDSA_VERIFY_P521 3
|
|
+# define S390X_ECDSA_SIGN_P256 9
|
|
+# define S390X_ECDSA_SIGN_P384 10
|
|
+# define S390X_ECDSA_SIGN_P521 11
|
|
+# define S390X_EDDSA_VERIFY_ED25519 32
|
|
+# define S390X_EDDSA_VERIFY_ED448 36
|
|
+# define S390X_EDDSA_SIGN_ED25519 40
|
|
+# define S390X_EDDSA_SIGN_ED448 44
|
|
+
|
|
/* Register 0 Flags */
|
|
# define S390X_DECRYPT 0x80
|
|
# define S390X_KMA_LPC 0x100
|
|
# define S390X_KMA_LAAD 0x200
|
|
# define S390X_KMA_HS 0x400
|
|
+# define S390X_KDSA_D 0x80
|
|
|
|
#endif
|
|
diff -up openssl-1.1.1c/crypto/s390xcpuid.pl.s390x-ecc openssl-1.1.1c/crypto/s390xcpuid.pl
|
|
--- openssl-1.1.1c/crypto/s390xcpuid.pl.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
|
|
+++ openssl-1.1.1c/crypto/s390xcpuid.pl 2019-11-20 11:36:02.199860293 +0100
|
|
@@ -58,6 +58,10 @@ OPENSSL_s390x_facilities:
|
|
stg %r0,S390X_PRNO+8(%r4)
|
|
stg %r0,S390X_KMA(%r4)
|
|
stg %r0,S390X_KMA+8(%r4)
|
|
+ stg %r0,S390X_PCC(%r4)
|
|
+ stg %r0,S390X_PCC+8(%r4)
|
|
+ stg %r0,S390X_KDSA(%r4)
|
|
+ stg %r0,S390X_KDSA+8(%r4)
|
|
|
|
.long 0xb2b04000 # stfle 0(%r4)
|
|
brc 8,.Ldone
|
|
@@ -68,6 +72,7 @@ OPENSSL_s390x_facilities:
|
|
.long 0xb2b04000 # stfle 0(%r4)
|
|
.Ldone:
|
|
lmg %r2,%r3,S390X_STFLE(%r4)
|
|
+
|
|
tmhl %r2,0x4000 # check for message-security-assist
|
|
jz .Lret
|
|
|
|
@@ -91,6 +96,13 @@ OPENSSL_s390x_facilities:
|
|
la %r1,S390X_KMAC(%r4)
|
|
.long 0xb91e0042 # kmac %r4,%r2
|
|
|
|
+ tmhh %r3,0x0008 # check for message-security-assist-3
|
|
+ jz .Lret
|
|
+
|
|
+ lghi %r0,S390X_QUERY # query pcc capability vector
|
|
+ la %r1,S390X_PCC(%r4)
|
|
+ .long 0xb92c0000 # pcc
|
|
+
|
|
tmhh %r3,0x0004 # check for message-security-assist-4
|
|
jz .Lret
|
|
|
|
@@ -114,6 +126,7 @@ OPENSSL_s390x_facilities:
|
|
.long 0xb93c0042 # prno %r4,%r2
|
|
|
|
lg %r2,S390X_STFLE+16(%r4)
|
|
+
|
|
tmhl %r2,0x2000 # check for message-security-assist-8
|
|
jz .Lret
|
|
|
|
@@ -121,6 +134,13 @@ OPENSSL_s390x_facilities:
|
|
la %r1,S390X_KMA(%r4)
|
|
.long 0xb9294022 # kma %r2,%r4,%r2
|
|
|
|
+ tmhl %r2,0x0010 # check for message-security-assist-9
|
|
+ jz .Lret
|
|
+
|
|
+ lghi %r0,S390X_QUERY # query kdsa capability vector
|
|
+ la %r1,S390X_KDSA(%r4)
|
|
+ .long 0xb93a0002 # kdsa %r0,%r2
|
|
+
|
|
.Lret:
|
|
br $ra
|
|
.size OPENSSL_s390x_facilities,.-OPENSSL_s390x_facilities
|
|
@@ -411,6 +431,113 @@ s390x_kma:
|
|
___
|
|
}
|
|
|
|
+################
|
|
+# int s390x_pcc(unsigned int fc, void *param)
|
|
+{
|
|
+my ($fc,$param) = map("%r$_",(2..3));
|
|
+$code.=<<___;
|
|
+.globl s390x_pcc
|
|
+.type s390x_pcc,\@function
|
|
+.align 16
|
|
+s390x_pcc:
|
|
+ lr %r0,$fc
|
|
+ l${g}r %r1,$param
|
|
+ lhi %r2,0
|
|
+
|
|
+ .long 0xb92c0000 # pcc
|
|
+ brc 1,.-4 # pay attention to "partial completion"
|
|
+ brc 7,.Lpcc_err # if CC==0 return 0, else return 1
|
|
+.Lpcc_out:
|
|
+ br $ra
|
|
+.Lpcc_err:
|
|
+ lhi %r2,1
|
|
+ j .Lpcc_out
|
|
+.size s390x_pcc,.-s390x_pcc
|
|
+___
|
|
+}
|
|
+
|
|
+################
|
|
+# int s390x_kdsa(unsigned int fc, void *param,
|
|
+# const unsigned char *in, size_t len)
|
|
+{
|
|
+my ($fc,$param,$in,$len) = map("%r$_",(2..5));
|
|
+$code.=<<___;
|
|
+.globl s390x_kdsa
|
|
+.type s390x_kdsa,\@function
|
|
+.align 16
|
|
+s390x_kdsa:
|
|
+ lr %r0,$fc
|
|
+ l${g}r %r1,$param
|
|
+ lhi %r2,0
|
|
+
|
|
+ .long 0xb93a0004 # kdsa %r0,$in
|
|
+ brc 1,.-4 # pay attention to "partial completion"
|
|
+ brc 7,.Lkdsa_err # if CC==0 return 0, else return 1
|
|
+.Lkdsa_out:
|
|
+ br $ra
|
|
+.Lkdsa_err:
|
|
+ lhi %r2,1
|
|
+ j .Lkdsa_out
|
|
+.size s390x_kdsa,.-s390x_kdsa
|
|
+___
|
|
+}
|
|
+
|
|
+################
|
|
+# void s390x_flip_endian32(unsigned char dst[32], const unsigned char src[32])
|
|
+{
|
|
+my ($dst,$src) = map("%r$_",(2..3));
|
|
+$code.=<<___;
|
|
+.globl s390x_flip_endian32
|
|
+.type s390x_flip_endian32,\@function
|
|
+.align 16
|
|
+s390x_flip_endian32:
|
|
+ lrvg %r0,0(%r0,$src)
|
|
+ lrvg %r1,8(%r0,$src)
|
|
+ lrvg %r4,16(%r0,$src)
|
|
+ lrvg %r5,24(%r0,$src)
|
|
+ stg %r0,24(%r0,$dst)
|
|
+ stg %r1,16(%r0,$dst)
|
|
+ stg %r4,8(%r0,$dst)
|
|
+ stg %r5,0(%r0,$dst)
|
|
+ br $ra
|
|
+.size s390x_flip_endian32,.-s390x_flip_endian32
|
|
+___
|
|
+}
|
|
+
|
|
+################
|
|
+# void s390x_flip_endian64(unsigned char dst[64], const unsigned char src[64])
|
|
+{
|
|
+my ($dst,$src) = map("%r$_",(2..3));
|
|
+$code.=<<___;
|
|
+.globl s390x_flip_endian64
|
|
+.type s390x_flip_endian64,\@function
|
|
+.align 16
|
|
+s390x_flip_endian64:
|
|
+ stmg %r6,%r9,6*$SIZE_T($sp)
|
|
+
|
|
+ lrvg %r0,0(%r0,$src)
|
|
+ lrvg %r1,8(%r0,$src)
|
|
+ lrvg %r4,16(%r0,$src)
|
|
+ lrvg %r5,24(%r0,$src)
|
|
+ lrvg %r6,32(%r0,$src)
|
|
+ lrvg %r7,40(%r0,$src)
|
|
+ lrvg %r8,48(%r0,$src)
|
|
+ lrvg %r9,56(%r0,$src)
|
|
+ stg %r0,56(%r0,$dst)
|
|
+ stg %r1,48(%r0,$dst)
|
|
+ stg %r4,40(%r0,$dst)
|
|
+ stg %r5,32(%r0,$dst)
|
|
+ stg %r6,24(%r0,$dst)
|
|
+ stg %r7,16(%r0,$dst)
|
|
+ stg %r8,8(%r0,$dst)
|
|
+ stg %r9,0(%r0,$dst)
|
|
+
|
|
+ lmg %r6,%r9,6*$SIZE_T($sp)
|
|
+ br $ra
|
|
+.size s390x_flip_endian64,.-s390x_flip_endian64
|
|
+___
|
|
+}
|
|
+
|
|
$code.=<<___;
|
|
.section .init
|
|
brasl $ra,OPENSSL_cpuid_setup
|
|
diff -up openssl-1.1.1c/crypto/siphash/siphash_pmeth.c.s390x-ecc openssl-1.1.1c/crypto/siphash/siphash_pmeth.c
|
|
--- openssl-1.1.1c/crypto/siphash/siphash_pmeth.c.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
|
|
+++ openssl-1.1.1c/crypto/siphash/siphash_pmeth.c 2019-11-20 11:36:02.200860275 +0100
|
|
@@ -203,3 +203,8 @@ const EVP_PKEY_METHOD siphash_pkey_meth
|
|
pkey_siphash_ctrl,
|
|
pkey_siphash_ctrl_str
|
|
};
|
|
+
|
|
+const EVP_PKEY_METHOD *siphash_pkey_method(void)
|
|
+{
|
|
+ return &siphash_pkey_meth;
|
|
+}
|
|
diff -up openssl-1.1.1c/crypto/sm2/sm2_pmeth.c.s390x-ecc openssl-1.1.1c/crypto/sm2/sm2_pmeth.c
|
|
--- openssl-1.1.1c/crypto/sm2/sm2_pmeth.c.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
|
|
+++ openssl-1.1.1c/crypto/sm2/sm2_pmeth.c 2019-11-20 11:36:02.200860275 +0100
|
|
@@ -323,3 +323,8 @@ const EVP_PKEY_METHOD sm2_pkey_meth = {
|
|
|
|
pkey_sm2_digest_custom
|
|
};
|
|
+
|
|
+const EVP_PKEY_METHOD *sm2_pkey_method(void)
|
|
+{
|
|
+ return &sm2_pkey_meth;
|
|
+}
|
|
diff -up openssl-1.1.1c/include/internal/constant_time_locl.h.s390x-ecc openssl-1.1.1c/include/internal/constant_time_locl.h
|
|
--- openssl-1.1.1c/include/internal/constant_time_locl.h.s390x-ecc 2019-11-20 11:36:02.176860696 +0100
|
|
+++ openssl-1.1.1c/include/internal/constant_time_locl.h 2019-11-20 11:36:02.200860275 +0100
|
|
@@ -347,6 +347,34 @@ static ossl_inline void constant_time_co
|
|
}
|
|
|
|
/*
|
|
+ * mask must be 0xFF or 0x00.
|
|
+ * "constant time" is per len.
|
|
+ *
|
|
+ * if (mask) {
|
|
+ * unsigned char tmp[len];
|
|
+ *
|
|
+ * memcpy(tmp, a, len);
|
|
+ * memcpy(a, b);
|
|
+ * memcpy(b, tmp);
|
|
+ * }
|
|
+ */
|
|
+static ossl_inline void constant_time_cond_swap_buff(unsigned char mask,
|
|
+ unsigned char *a,
|
|
+ unsigned char *b,
|
|
+ size_t len)
|
|
+{
|
|
+ size_t i;
|
|
+ unsigned char tmp;
|
|
+
|
|
+ for (i = 0; i < len; i++) {
|
|
+ tmp = a[i] ^ b[i];
|
|
+ tmp &= mask;
|
|
+ a[i] ^= tmp;
|
|
+ b[i] ^= tmp;
|
|
+ }
|
|
+}
|
|
+
|
|
+/*
|
|
* table is a two dimensional array of bytes. Each row has rowsize elements.
|
|
* Copies row number idx into out. rowsize and numrows are not considered
|
|
* private.
|
|
diff -up openssl-1.1.1c/include/openssl/ecerr.h.s390x-ecc openssl-1.1.1c/include/openssl/ecerr.h
|
|
--- openssl-1.1.1c/include/openssl/ecerr.h.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
|
|
+++ openssl-1.1.1c/include/openssl/ecerr.h 2019-11-20 11:36:02.200860275 +0100
|
|
@@ -38,6 +38,11 @@ int ERR_load_EC_strings(void);
|
|
# define EC_F_ECDSA_SIGN_SETUP 248
|
|
# define EC_F_ECDSA_SIG_NEW 265
|
|
# define EC_F_ECDSA_VERIFY 253
|
|
+# define EC_F_ECDSA_SIMPLE_SIGN_SETUP 310
|
|
+# define EC_F_ECDSA_SIMPLE_SIGN_SIG 311
|
|
+# define EC_F_ECDSA_SIMPLE_VERIFY_SIG 312
|
|
+# define EC_F_ECDSA_S390X_NISTP_SIGN_SIG 313
|
|
+# define EC_F_ECDSA_S390X_NISTP_VERIFY_SIG 314
|
|
# define EC_F_ECD_ITEM_VERIFY 270
|
|
# define EC_F_ECKEY_PARAM2TYPE 223
|
|
# define EC_F_ECKEY_PARAM_DECODE 212
|
|
@@ -181,6 +186,7 @@ int ERR_load_EC_strings(void);
|
|
# define EC_F_O2I_ECPUBLICKEY 152
|
|
# define EC_F_OLD_EC_PRIV_DECODE 222
|
|
# define EC_F_OSSL_ECDH_COMPUTE_KEY 247
|
|
+# define EC_F_OSSL_ECDSA_SIGN_SETUP 300
|
|
# define EC_F_OSSL_ECDSA_SIGN_SIG 249
|
|
# define EC_F_OSSL_ECDSA_VERIFY_SIG 250
|
|
# define EC_F_PKEY_ECD_CTRL 271
|
|
@@ -196,6 +202,12 @@ int ERR_load_EC_strings(void);
|
|
# define EC_F_PKEY_EC_KEYGEN 199
|
|
# define EC_F_PKEY_EC_PARAMGEN 219
|
|
# define EC_F_PKEY_EC_SIGN 218
|
|
+# define EC_F_S390X_PKEY_ECD_DIGESTSIGN25519 320
|
|
+# define EC_F_S390X_PKEY_ECD_DIGESTSIGN448 321
|
|
+# define EC_F_S390X_PKEY_ECD_KEYGEN25519 322
|
|
+# define EC_F_S390X_PKEY_ECD_KEYGEN448 323
|
|
+# define EC_F_S390X_PKEY_ECX_KEYGEN25519 324
|
|
+# define EC_F_S390X_PKEY_ECX_KEYGEN448 325
|
|
# define EC_F_VALIDATE_ECX_DERIVE 278
|
|
|
|
/*
|
|
@@ -208,6 +220,7 @@ int ERR_load_EC_strings(void);
|
|
# define EC_R_CANNOT_INVERT 165
|
|
# define EC_R_COORDINATES_OUT_OF_RANGE 146
|
|
# define EC_R_CURVE_DOES_NOT_SUPPORT_ECDH 160
|
|
+# define EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA 170
|
|
# define EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING 159
|
|
# define EC_R_D2I_ECPKPARAMETERS_FAILURE 117
|
|
# define EC_R_DECODE_ERROR 142
|
|
diff -up openssl-1.1.1c/test/recipes/30-test_evp_data/evppkey.txt.s390x-ecc openssl-1.1.1c/test/recipes/30-test_evp_data/evppkey.txt
|
|
--- openssl-1.1.1c/test/recipes/30-test_evp_data/evppkey.txt.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
|
|
+++ openssl-1.1.1c/test/recipes/30-test_evp_data/evppkey.txt 2019-11-20 11:36:02.203860223 +0100
|
|
@@ -814,6 +814,8 @@ PublicKeyRaw=Bob-448-PUBLIC-Raw:X448:3eb
|
|
|
|
PrivPubKeyPair = Bob-448-Raw:Bob-448-PUBLIC-Raw
|
|
|
|
+PublicKeyRaw=Bob-448-PUBLIC-Raw-NonCanonical:X448:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
|
|
+
|
|
Derive=Alice-448
|
|
PeerKey=Bob-448-PUBLIC
|
|
SharedSecret=07fff4181ac6cc95ec1c16a94a0f74d12da232ce40a77552281d282bb60c0b56fd2464c335543936521c24403085d59a449a5037514a879d
|
|
@@ -830,6 +832,11 @@ Derive=Bob-448-Raw
|
|
PeerKey=Alice-448-PUBLIC-Raw
|
|
SharedSecret=07fff4181ac6cc95ec1c16a94a0f74d12da232ce40a77552281d282bb60c0b56fd2464c335543936521c24403085d59a449a5037514a879d
|
|
|
|
+# Self-generated non-canonical
|
|
+Derive=Alice-448-Raw
|
|
+PeerKey=Bob-448-PUBLIC-Raw-NonCanonical
|
|
+SharedSecret=66e2e682b1f8e68c809f1bb3e406bd826921d9c1a5bfbfcbab7ae72feecee63660eabd54934f3382061d17607f581a90bdac917a064959fb
|
|
+
|
|
# Illegal sign/verify operations with X448 key
|
|
|
|
Sign=Alice-448
|