Hello community, here is the log from the commit of package openssl-1_1_0 for openSUSE:Factory checked in at 2018-01-13 21:35:01 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openssl-1_1_0 (Old) and /work/SRC/openSUSE:Factory/.openssl-1_1_0.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssl-1_1_0" Sat Jan 13 21:35:01 2018 rev:10 rq:563410 version:1.1.0g Changes: -------- --- /work/SRC/openSUSE:Factory/openssl-1_1_0/openssl-1_1_0.changes 2017-12-03 10:08:12.254369699 +0100 +++ /work/SRC/openSUSE:Factory/.openssl-1_1_0.new/openssl-1_1_0.changes 2018-01-13 21:35:16.564671035 +0100 @@ -1,0 +2,17 @@ +Tue Jan 9 17:37:39 UTC 2018 - vci...@suse.com + +- Add support for s390x CPACF enhancements (fate#321518) + patches taken from https://github.com/openssl/openssl/pull/2859: + * 0002-crypto-modes-asm-ghash-s390x.pl-fix-gcm_gmult_4bit-K.patch + * 0004-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch + * 0005-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch + * 0006-s390x-assembly-pack-extended-s390x-capability-vector.patch + * 0007-crypto-evp-e_aes.c-add-foundations-for-extended-s390.patch + * 0008-s390x-assembly-pack-extended-s390x-capability-vector.patch + * 0009-crypto-aes-asm-aes-s390x.pl-add-KMA-code-path.patch + * 0010-doc-man3-OPENSSL_s390xcap.pod-update-KMA.patch + * 0011-crypto-aes-asm-aes-s390x.pl-add-CFI-annotations-KMA-.patch + * 0012-s390x-assembly-pack-add-KMA-code-path-for-aes-gcm.patch + * 0013-crypto-aes-asm-aes-s390x.pl-add-CFI-annotations-KMA-.patch + +------------------------------------------------------------------- New: ---- 0002-crypto-modes-asm-ghash-s390x.pl-fix-gcm_gmult_4bit-K.patch 0004-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch 0005-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch 0006-s390x-assembly-pack-extended-s390x-capability-vector.patch 0007-crypto-evp-e_aes.c-add-foundations-for-extended-s390.patch 0008-s390x-assembly-pack-extended-s390x-capability-vector.patch 0009-crypto-aes-asm-aes-s390x.pl-add-KMA-code-path.patch 0010-doc-man3-OPENSSL_s390xcap.pod-update-KMA.patch 0011-crypto-aes-asm-aes-s390x.pl-add-CFI-annotations-KMA-.patch 0012-s390x-assembly-pack-add-KMA-code-path-for-aes-gcm.patch 0013-crypto-aes-asm-aes-s390x.pl-add-CFI-annotations-KMA-.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openssl-1_1_0.spec ++++++ --- /var/tmp/diff_new_pack.DHMBuP/_old 2018-01-13 21:35:17.532625716 +0100 +++ /var/tmp/diff_new_pack.DHMBuP/_new 2018-01-13 21:35:17.532625716 +0100 @@ -1,7 +1,7 @@ # # spec file for package openssl-1_1_0 # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -62,6 +62,18 @@ Patch59: openssl-fips-clearerror.patch Patch60: openssl-fips-dont-fall-back-to-default-digest.patch Patch61: openssl-disable_rsa_keygen_tests_with_small_modulus.patch +# FATE#321518 Add support for s390x CPACF enhancements (https://fate.suse.com/321518) +Patch62: 0002-crypto-modes-asm-ghash-s390x.pl-fix-gcm_gmult_4bit-K.patch +Patch63: 0004-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch +Patch64: 0005-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch +Patch65: 0006-s390x-assembly-pack-extended-s390x-capability-vector.patch +Patch66: 0007-crypto-evp-e_aes.c-add-foundations-for-extended-s390.patch +Patch67: 0008-s390x-assembly-pack-extended-s390x-capability-vector.patch +Patch68: 0009-crypto-aes-asm-aes-s390x.pl-add-KMA-code-path.patch +Patch69: 0010-doc-man3-OPENSSL_s390xcap.pod-update-KMA.patch +Patch70: 0011-crypto-aes-asm-aes-s390x.pl-add-CFI-annotations-KMA-.patch +Patch71: 0012-s390x-assembly-pack-add-KMA-code-path-for-aes-gcm.patch +Patch72: 0013-crypto-aes-asm-aes-s390x.pl-add-CFI-annotations-KMA-.patch BuildRequires: bc BuildRequires: ed BuildRequires: pkgconfig ++++++ 0002-crypto-modes-asm-ghash-s390x.pl-fix-gcm_gmult_4bit-K.patch ++++++ >From 7b46a0ed5938e28d974757db44cc9d299ad5cb4e Mon Sep 17 00:00:00 2001 From: Patrick Steuer <patrick.ste...@de.ibm.com> Date: Thu, 23 Feb 2017 14:03:39 +0100 Subject: [PATCH 02/44] crypto/modes/asm/ghash-s390x.pl: fix gcm_gmult_4bit KIMD code path. gcm_gmult_4bit KIMD code path assumed that that Xi is processed. However, with iv lengths not equal to 12, the function is also used to process Yi, resulting in wrong ghash computation. Signed-off-by: Patrick Steuer <patrick.ste...@de.ibm.com> --- crypto/modes/asm/ghash-s390x.pl | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/crypto/modes/asm/ghash-s390x.pl b/crypto/modes/asm/ghash-s390x.pl index f8b038c708..6dbb8232d6 100644 --- a/crypto/modes/asm/ghash-s390x.pl +++ b/crypto/modes/asm/ghash-s390x.pl @@ -95,14 +95,23 @@ $code.=<<___ if(!$softonly && 0); # hardware is slow for single block... lg %r1,24(%r1) # load second word of kimd capabilities vector tmhh %r1,0x4000 # check for function 65 jz .Lsoft_gmult + lghi %r1,-16 stg %r0,16($sp) # arrange 16 bytes of zero input stg %r0,24($sp) + la $Htbl,0(%r1,$Htbl) # H lies right before Htable + lghi %r0,65 # function 65 - la %r1,0($Xi) # H lies right after Xi in gcm128_context + la %r1,32($sp) + mvc 32(16,$sp),0($Xi) # copy Xi/Yi + mvc 48(16,$sp),0($Htbl) # copy H la $inp,16($sp) lghi $len,16 .long 0xb93e0004 # kimd %r0,$inp brc 1,.-4 # pay attention to "partial completion" + + mvc 0(16,$Xi),32($sp) + xc 32(32,$sp),32($sp) # wipe stack + br %r14 .align 32 .Lsoft_gmult: -- 2.13.6 ++++++ 0004-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch ++++++ >From 3e1c11dd482dd4626989bb6d84fc708d9bb95219 Mon Sep 17 00:00:00 2001 From: Patrick Steuer <patrick.ste...@de.ibm.com> Date: Mon, 30 Jan 2017 17:37:54 +0100 Subject: [PATCH 04/44] s390x assembly pack: add OPENSSL_s390xcap environment variable. The OPENSSL_s390xcap environment variable is used to set bits in the s390x capability vector to zero. This simplifies testing of different code paths. Signed-off-by: Patrick Steuer <patrick.ste...@de.ibm.com> --- crypto/s390x_arch.h | 28 ++++++++++++++++++++++++++++ crypto/s390xcap.c | 33 +++++++++++++++++++++++++++++---- 2 files changed, 57 insertions(+), 4 deletions(-) create mode 100644 crypto/s390x_arch.h Index: openssl-1.1.0g/crypto/s390x_arch.h =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.1.0g/crypto/s390x_arch.h 2018-01-10 15:26:40.291112320 +0100 @@ -0,0 +1,28 @@ +/* + * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#ifndef S390X_ARCH_H +# define S390X_ARCH_H + +# include <stdint.h> + +/* + * The elements of OPENSSL_s390xcap_P are the doublewords returned by the STFLE + * instruction followed by the doubleword pairs returned by instructions' QUERY + * functions. If STFLE returns fewer doublewords or an instruction is not + * supported, the corresponding element is zero. The order is as follows: + * + * STFLE:STFLE.KIMD:KIMD:KM:KM:KMC:KMC:KMCTR:KMCTR + */ +# define S390X_STFLE_DWORDS 2 +# define S390X_QUERY_DWORDS 8 +# define S390X_CAP_DWORDS (S390X_STFLE_DWORDS + S390X_QUERY_DWORDS) +extern unsigned long long OPENSSL_s390xcap_P[]; + +#endif Index: openssl-1.1.0g/crypto/s390xcap.c =================================================================== --- openssl-1.1.0g.orig/crypto/s390xcap.c 2017-11-02 15:29:03.000000000 +0100 +++ openssl-1.1.0g/crypto/s390xcap.c 2018-01-10 15:27:42.988113439 +0100 @@ -14,6 +14,7 @@ #include <signal.h> unsigned long long OPENSSL_s390xcap_P[10]; +#include "s390x_arch.h" static sigjmp_buf ill_jmp; static void ill_handler(int sig) @@ -21,17 +22,21 @@ static void ill_handler(int sig) siglongjmp(ill_jmp, sig); } -unsigned long OPENSSL_s390x_facilities(void); +void OPENSSL_s390x_facilities(void); void OPENSSL_cpuid_setup(void) { sigset_t oset; struct sigaction ill_act, oact; + uint64_t vec; + char *env; + int off; + int i; if (OPENSSL_s390xcap_P[0]) return; - OPENSSL_s390xcap_P[0] = 1UL << (8 * sizeof(unsigned long) - 1); + OPENSSL_s390xcap_P[0] = 1ULL << (8 * sizeof(uint64_t) - 1); memset(&ill_act, 0, sizeof(ill_act)); ill_act.sa_handler = ill_handler; @@ -47,4 +52,26 @@ void OPENSSL_cpuid_setup(void) sigaction(SIGILL, &oact, NULL); sigprocmask(SIG_SETMASK, &oset, NULL); + + if ((env = getenv("OPENSSL_s390xcap")) != NULL) { + for (i = 0; i < S390X_CAP_DWORDS; i++) { + off = (env[0] == '~') ? 1 : 0; + + if (sscanf(env + off, "%llx", (unsigned long long *)&vec) == 1) + OPENSSL_s390xcap_P[i] &= off ? ~vec : vec; + + if (i == S390X_STFLE_DWORDS - 1) + env = strchr(env, '.'); + else + env = strpbrk(env, ":."); + + if (env == NULL) + break; + + if (env[0] == '.') + i = S390X_STFLE_DWORDS - 1; + + env++; + } + } } ++++++ 0005-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch ++++++ >From 79310b18d90badd58595cf2fff40591ad76c301a Mon Sep 17 00:00:00 2001 From: Patrick Steuer <patrick.ste...@de.ibm.com> Date: Tue, 31 Jan 2017 12:43:35 +0100 Subject: [PATCH 05/44] s390x assembly pack: add OPENSSL_s390xcap man page. Signed-off-by: Patrick Steuer <patrick.ste...@de.ibm.com> --- doc/man3/OPENSSL_s390xcap.pod | 94 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 94 insertions(+) create mode 100644 doc/man3/OPENSSL_s390xcap.pod diff --git a/doc/man3/OPENSSL_s390xcap.pod b/doc/man3/OPENSSL_s390xcap.pod new file mode 100644 index 0000000000..de56c7cf55 --- /dev/null +++ b/doc/man3/OPENSSL_s390xcap.pod @@ -0,0 +1,94 @@ +=pod + +=head1 NAME + +OPENSSL_s390xcap - the z processor capabilities vector + +=head1 SYNOPSIS + + env OPENSSL_s390xcap=... <application> + +=head1 DESCRIPTION + +libcrypto supports z architecture instruction set extensions. These +extensions are denoted by individual bits in the capability vector. +When libcrypto is initialized, the bits returned by the STFLE instruction +and by the QUERY functions are stored in the vector. + +The OPENSSL_s390xcap environment variable can be set before starting an +application to affect capability detection. It is specified by a +colon-separated list of 64-bit values in hexadecimal notation, the 0x +prefix being optional. The ~ prefix means bitwise NOT and a point +indicates the end of the STFLE bits respectively the beginning of the +QUERY bits. + +After initialization, the capability vector is ANDed bitwise with the +corresponding parts of the environment variable. + +The following bits are significant: + +. + +=over + +=item #60 KIMD-SHA-512 + +=item #61 KIMD-SHA-256 + +=item #62 KIMD-SHA-1 + +=back + +: + +=over + +=item #62 KIMD-GHASH + +=back + +: + +=over + +=item #11 KM-XTS-AES-256 + +=item #13 KM-XTS-AES-128 + +=item #43 KM-AES-256 + +=item #44 KM-AES-192 + +=item #45 KM-AES-128 + +=back + +: +: + +=over + +=item #43 KMC-AES-256 + +=item #44 KMC-AES-192 + +=item #45 KMC-AES-128 + +=back + +=head1 EXAMPLES + +OPENSSL_s390xcap=.0:0 disables KIMD. + +OPENSSL_s390xcap=.::~0x2800 disables KM-XTS-AES. + +=head1 COPYRIGHT + +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the OpenSSL license (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L<https://www.openssl.org/source/license.html>. + +=cut -- 2.13.6 ++++++ 0006-s390x-assembly-pack-extended-s390x-capability-vector.patch ++++++ >From 9c59438dadc2b8026c058deb0759da78de1bb7ba Mon Sep 17 00:00:00 2001 From: Patrick Steuer <patrick.ste...@de.ibm.com> Date: Fri, 10 Feb 2017 19:43:08 +0100 Subject: [PATCH 06/44] s390x assembly pack: extended s390x capability vector (STFLE). Extended the s390x capability vector to store the longer facility list available from z13 onwards. The bits indicating the vector extensions are set to zero, if the kernel does not enable the vector facility. Signed-off-by: Patrick Steuer <patrick.ste...@de.ibm.com> --- crypto/aes/asm/aes-s390x.pl | 10 +++++----- crypto/modes/asm/ghash-s390x.pl | 4 ++-- crypto/s390x_arch.h | 9 +++++++-- crypto/s390xcap.c | 31 +++++++++++++++++++++++++++++++ crypto/s390xcpuid.S | 14 +++++++++----- crypto/sha/asm/sha1-s390x.pl | 4 ++-- crypto/sha/asm/sha512-s390x.pl | 4 ++-- 7 files changed, 58 insertions(+), 18 deletions(-) Index: openssl-1.1.0g/crypto/aes/asm/aes-s390x.pl =================================================================== --- openssl-1.1.0g.orig/crypto/aes/asm/aes-s390x.pl 2018-01-10 17:13:05.962202226 +0100 +++ openssl-1.1.0g/crypto/aes/asm/aes-s390x.pl 2018-01-10 17:22:31.466891754 +0100 @@ -823,8 +823,8 @@ $code.=<<___ if (!$softonly); larl %r1,OPENSSL_s390xcap_P llihh %r0,0x8000 srlg %r0,%r0,0(%r5) - ng %r0,32(%r1) # check availability of both km... - ng %r0,48(%r1) # ...and kmc support for given key length + ng %r0,40(%r1) # check availability of both km... + ng %r0,56(%r1) # ...and kmc support for given key length jz .Lekey_internal lmg %r0,%r1,0($inp) # just copy 128 bits... @@ -1442,7 +1442,7 @@ $code.=<<___ if (!$softonly && 0);# kmct larl %r1,OPENSSL_s390xcap_P llihh %r0,0x8000 # check if kmctr supports the function code srlg %r0,%r0,0($s0) - ng %r0,64(%r1) # check kmctr capability vector + ng %r0,72(%r1) # check kmctr capability vector lgr %r0,$s0 lgr %r1,$s1 jz .Lctr32_km_loop @@ -1592,7 +1592,7 @@ $code.=<<___ if(1); larl %r1,OPENSSL_s390xcap_P llihh %r0,0x8000 srlg %r0,%r0,32($s1) # check for 32+function code - ng %r0,32(%r1) # check km capability vector + ng %r0,40(%r1) # check km capability vector lgr %r0,$s0 # restore the function code la %r1,0($key1) # restore $key1 jz .Lxts_km_vanilla Index: openssl-1.1.0g/crypto/modes/asm/ghash-s390x.pl =================================================================== --- openssl-1.1.0g.orig/crypto/modes/asm/ghash-s390x.pl 2018-01-10 17:13:05.962202226 +0100 +++ openssl-1.1.0g/crypto/modes/asm/ghash-s390x.pl 2018-01-10 17:13:07.430224756 +0100 @@ -89,7 +89,7 @@ ___ $code.=<<___ if(!$softonly && 0); # hardware is slow for single block... larl %r1,OPENSSL_s390xcap_P lghi %r0,0 - lg %r1,24(%r1) # load second word of kimd capabilities vector + lg %r1,32(%r1) # load second word of kimd capabilities vector tmhh %r1,0x4000 # check for function 65 jz .Lsoft_gmult lghi %r1,-16 @@ -132,7 +132,7 @@ gcm_ghash_4bit: ___ $code.=<<___ if(!$softonly); larl %r1,OPENSSL_s390xcap_P - lg %r0,24(%r1) # load second word of kimd capabilities vector + lg %r0,32(%r1) # load second word of kimd capabilities vector tmhh %r0,0x4000 # check for function 65 jz .Lsoft_ghash lghi %r0,65 # function 65 Index: openssl-1.1.0g/crypto/s390x_arch.h =================================================================== --- openssl-1.1.0g.orig/crypto/s390x_arch.h 2018-01-10 17:13:05.962202226 +0100 +++ openssl-1.1.0g/crypto/s390x_arch.h 2018-01-10 17:13:07.430224756 +0100 @@ -18,11 +18,16 @@ * functions. If STFLE returns fewer doublewords or an instruction is not * supported, the corresponding element is zero. The order is as follows: * - * STFLE:STFLE.KIMD:KIMD:KM:KM:KMC:KMC:KMCTR:KMCTR + * STFLE:STFLE:STFLE.KIMD:KIMD:KM:KM:KMC:KMC:KMCTR:KMCTR */ -# define S390X_STFLE_DWORDS 2 +# define S390X_STFLE_DWORDS 3 # define S390X_QUERY_DWORDS 8 # define S390X_CAP_DWORDS (S390X_STFLE_DWORDS + S390X_QUERY_DWORDS) extern unsigned long long OPENSSL_s390xcap_P[]; +/* OPENSSL_s390xcap_P[2] flags */ +# define S390X_STFLE_VXE (1ULL << 56) +# define S390X_STFLE_VXD (1ULL << 57) +# define S390X_STFLE_VX (1ULL << 62) + #endif Index: openssl-1.1.0g/crypto/s390xcap.c =================================================================== --- openssl-1.1.0g.orig/crypto/s390xcap.c 2018-01-10 17:13:05.962202226 +0100 +++ openssl-1.1.0g/crypto/s390xcap.c 2018-01-10 17:13:07.430224756 +0100 @@ -22,6 +22,31 @@ static void ill_handler(int sig) siglongjmp(ill_jmp, sig); } +/*- + * os-specific function to check if "vector enablement control"-bit and + * "AFP register control"-bit in control register 0 are set. + */ +static int vx_enabled(void) +{ +#if defined(OPENSSL_SYS_LINUX) + FILE *fd; + char buf[4096]; + + if ((fd = fopen("/proc/cpuinfo", "r")) == NULL) + return 0; + + buf[0] = '\0'; + + while ((fgets(buf, sizeof(buf), fd) != NULL) + && (strstr(buf, "features") != buf)); + + fclose(fd); + return (strstr(buf, " vx ") != NULL) ? 1 : 0; +#else + return 0; +#endif +} + void OPENSSL_s390x_facilities(void); void OPENSSL_cpuid_setup(void) @@ -53,6 +78,12 @@ void OPENSSL_cpuid_setup(void) sigaction(SIGILL, &oact, NULL); sigprocmask(SIG_SETMASK, &oset, NULL); + /* protection against disabled vector facility */ + if (!vx_enabled()) { + OPENSSL_s390xcap_P[2] &= ~(S390X_STFLE_VXE | S390X_STFLE_VXD | + S390X_STFLE_VX); + } + if ((env = getenv("OPENSSL_s390xcap")) != NULL) { for (i = 0; i < S390X_CAP_DWORDS; i++) { off = (env[0] == '~') ? 1 : 0; Index: openssl-1.1.0g/crypto/s390xcpuid.S =================================================================== --- openssl-1.1.0g.orig/crypto/s390xcpuid.S 2018-01-10 17:13:05.962202226 +0100 +++ openssl-1.1.0g/crypto/s390xcpuid.S 2018-01-10 17:13:07.430224756 +0100 @@ -21,33 +21,37 @@ OPENSSL_s390x_facilities: stg %r0,56(%r4) stg %r0,64(%r4) stg %r0,72(%r4) + stg %r0,80(%r4) .long 0xb2b04000 # stfle 0(%r4) brc 8,.Ldone lghi %r0,1 .long 0xb2b04000 # stfle 0(%r4) + brc 8,.Ldone + lghi %r0,2 + .long 0xb2b04000 # stfle 0(%r4) .Ldone: lmg %r2,%r3,0(%r4) tmhl %r2,0x4000 # check for message-security-assist jz .Lret lghi %r0,0 # query kimd capabilities - la %r1,16(%r4) + la %r1,24(%r4) .long 0xb93e0002 # kimd %r0,%r2 lghi %r0,0 # query km capability vector - la %r1,32(%r4) + la %r1,40(%r4) .long 0xb92e0042 # km %r4,%r2 lghi %r0,0 # query kmc capability vector - la %r1,48(%r4) + la %r1,56(%r4) .long 0xb92f0042 # kmc %r4,%r2 tmhh %r3,0x0004 # check for message-security-assist-4 jz .Lret lghi %r0,0 # query kmctr capability vector - la %r1,64(%r4) + la %r1,72(%r4) .long 0xb92d2042 # kmctr %r4,%r2,%r2 .Lret: Index: openssl-1.1.0g/crypto/sha/asm/sha1-s390x.pl =================================================================== --- openssl-1.1.0g.orig/crypto/sha/asm/sha1-s390x.pl 2018-01-10 17:13:05.962202226 +0100 +++ openssl-1.1.0g/crypto/sha/asm/sha1-s390x.pl 2018-01-10 17:13:07.430224756 +0100 @@ -172,7 +172,7 @@ sha1_block_data_order: ___ $code.=<<___ if ($kimdfunc); larl %r1,OPENSSL_s390xcap_P - lg %r0,16(%r1) # check kimd capabilities + lg %r0,24(%r1) # check kimd capabilities tmhh %r0,`0x8000>>$kimdfunc` jz .Lsoftware lghi %r0,$kimdfunc Index: openssl-1.1.0g/crypto/sha/asm/sha512-s390x.pl =================================================================== --- openssl-1.1.0g.orig/crypto/sha/asm/sha512-s390x.pl 2018-01-10 17:13:05.962202226 +0100 +++ openssl-1.1.0g/crypto/sha/asm/sha512-s390x.pl 2018-01-10 17:13:07.430224756 +0100 @@ -244,7 +244,7 @@ $Func: ___ $code.=<<___ if ($kimdfunc); larl %r1,OPENSSL_s390xcap_P - lg %r0,16(%r1) # check kimd capabilities + lg %r0,24(%r1) # check kimd capabilities tmhh %r0,`0x8000>>$kimdfunc` jz .Lsoftware lghi %r0,$kimdfunc ++++++ 0007-crypto-evp-e_aes.c-add-foundations-for-extended-s390.patch ++++++ >From 29039576b1512a3508d40929dad605cefe806186 Mon Sep 17 00:00:00 2001 From: Patrick Steuer <patrick.ste...@de.ibm.com> Date: Thu, 16 Feb 2017 09:05:28 +0100 Subject: [PATCH 07/44] crypto/evp/e_aes.c: add foundations for extended s390x support. Signed-off-by: Patrick Steuer <patrick.ste...@de.ibm.com> --- crypto/evp/e_aes.c | 175 ++++++++++++++++++++++++++++++++++++++++++++++++++++ crypto/s390x_arch.h | 10 +++ 2 files changed, 185 insertions(+) diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c index 802b1d814d..d5932e1c64 100644 --- a/crypto/evp/e_aes.c +++ b/crypto/evp/e_aes.c @@ -950,6 +950,181 @@ static const EVP_CIPHER aes_##keylen##_##mode = { \ const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \ { return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; } +#elif defined(OPENSSL_CPUID_OBJ) && defined(__s390__) && !defined(AES_SOFTONLY) +/* + * IBM S390X support + */ +# include "s390x_arch.h" + +/*- + * If KM and KMC support the function code, AES_KEY structure holds + * key/function code (instead of key schedule/number of rounds). + */ +# define S390X_AES_FC (((AES_KEY *)(key))->rounds) + +# define S390X_aes_128_CAPABLE ((OPENSSL_s390xcap_P[5]&S390X_KM_AES_128)&&\ + (OPENSSL_s390xcap_P[7]&S390X_KMC_AES_128)) +# define S390X_aes_192_CAPABLE ((OPENSSL_s390xcap_P[5]&S390X_KM_AES_192)&&\ + (OPENSSL_s390xcap_P[7]&S390X_KMC_AES_192)) +# define S390X_aes_256_CAPABLE ((OPENSSL_s390xcap_P[5]&S390X_KM_AES_256)&&\ + (OPENSSL_s390xcap_P[7]&S390X_KMC_AES_256)) + +# define s390x_aes_init_key aes_init_key +static int s390x_aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, + const unsigned char *iv, int enc); + +# define S390X_aes_128_cbc_CAPABLE 1 /* checked by callee */ +# define S390X_aes_192_cbc_CAPABLE 1 +# define S390X_aes_256_cbc_CAPABLE 1 + +# define s390x_aes_cbc_cipher aes_cbc_cipher +static int s390x_aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, size_t len); + +# define S390X_aes_128_ecb_CAPABLE 0 +# define S390X_aes_192_ecb_CAPABLE 0 +# define S390X_aes_256_ecb_CAPABLE 0 + +# define s390x_aes_ecb_cipher aes_ecb_cipher +static int s390x_aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, size_t len); + +# define S390X_aes_128_ofb_CAPABLE 0 +# define S390X_aes_192_ofb_CAPABLE 0 +# define S390X_aes_256_ofb_CAPABLE 0 + +# define s390x_aes_ofb_cipher aes_ofb_cipher +static int s390x_aes_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, size_t len); + +# define S390X_aes_128_cfb_CAPABLE 0 +# define S390X_aes_192_cfb_CAPABLE 0 +# define S390X_aes_256_cfb_CAPABLE 0 + +# define s390x_aes_cfb_cipher aes_cfb_cipher +static int s390x_aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, size_t len); + +# define S390X_aes_128_cfb8_CAPABLE 0 +# define S390X_aes_192_cfb8_CAPABLE 0 +# define S390X_aes_256_cfb8_CAPABLE 0 + +# define s390x_aes_cfb8_cipher aes_cfb8_cipher +static int s390x_aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, size_t len); + +# define S390X_aes_128_cfb1_CAPABLE 0 +# define S390X_aes_192_cfb1_CAPABLE 0 +# define S390X_aes_256_cfb1_CAPABLE 0 + +# define s390x_aes_cfb1_cipher aes_cfb1_cipher +static int s390x_aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, size_t len); + +# define S390X_aes_128_ctr_CAPABLE 1 /* checked by callee */ +# define S390X_aes_192_ctr_CAPABLE 1 +# define S390X_aes_256_ctr_CAPABLE 1 + +# define s390x_aes_ctr_cipher aes_ctr_cipher +static int s390x_aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, size_t len); + +# define S390X_aes_128_gcm_CAPABLE 0 +# define S390X_aes_192_gcm_CAPABLE 0 +# define S390X_aes_256_gcm_CAPABLE 0 + +# define s390x_aes_gcm_init_key aes_gcm_init_key +static int s390x_aes_gcm_init_key(EVP_CIPHER_CTX *ctx, + const unsigned char *key, + const unsigned char *iv, int enc); + +# define s390x_aes_gcm_cipher aes_gcm_cipher +static int s390x_aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, size_t len); + +# define S390X_aes_128_xts_CAPABLE 1 /* checked by callee */ +# define S390X_aes_256_xts_CAPABLE 1 + +# define s390x_aes_xts_init_key aes_xts_init_key +static int s390x_aes_xts_init_key(EVP_CIPHER_CTX *ctx, + const unsigned char *key, + const unsigned char *iv, int enc); + +# define s390x_aes_xts_cipher aes_xts_cipher +static int s390x_aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, size_t len); + +# define S390X_aes_128_ccm_CAPABLE 0 +# define S390X_aes_192_ccm_CAPABLE 0 +# define S390X_aes_256_ccm_CAPABLE 0 + +# define s390x_aes_ccm_init_key aes_ccm_init_key +static int s390x_aes_ccm_init_key(EVP_CIPHER_CTX *ctx, + const unsigned char *key, + const unsigned char *iv, int enc); + +# define s390x_aes_ccm_cipher aes_ccm_cipher +static int s390x_aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, size_t len); + +# ifndef OPENSSL_NO_OCB +# define S390X_aes_128_ocb_CAPABLE 0 +# define S390X_aes_192_ocb_CAPABLE 0 +# define S390X_aes_256_ocb_CAPABLE 0 + +# define s390x_aes_ocb_init_key aes_ocb_init_key +static int s390x_aes_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, + const unsigned char *iv, int enc); +# define s390x_aes_ocb_cipher aes_ocb_cipher +static int s390x_aes_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, size_t len); +# endif + +# define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \ +static const EVP_CIPHER s390x_aes_##keylen##_##mode = { \ + nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \ + flags|EVP_CIPH_##MODE##_MODE, \ + s390x_aes_init_key, \ + s390x_aes_##mode##_cipher, \ + NULL, \ + sizeof(EVP_AES_KEY), \ + NULL,NULL,NULL,NULL }; \ +static const EVP_CIPHER aes_##keylen##_##mode = { \ + nid##_##keylen##_##nmode,blocksize, \ + keylen/8,ivlen, \ + flags|EVP_CIPH_##MODE##_MODE, \ + aes_init_key, \ + aes_##mode##_cipher, \ + NULL, \ + sizeof(EVP_AES_KEY), \ + NULL,NULL,NULL,NULL }; \ +const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \ +{ return S390X_aes_##keylen##_##mode##_CAPABLE?&s390x_aes_##keylen##_##mode: \ + &aes_##keylen##_##mode; } + +# define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \ +static const EVP_CIPHER s390x_aes_##keylen##_##mode = { \ + nid##_##keylen##_##mode,blocksize, \ + (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \ + flags|EVP_CIPH_##MODE##_MODE, \ + s390x_aes_##mode##_init_key, \ + s390x_aes_##mode##_cipher, \ + aes_##mode##_cleanup, \ + sizeof(EVP_AES_##MODE##_CTX), \ + NULL,NULL,aes_##mode##_ctrl,NULL }; \ +static const EVP_CIPHER aes_##keylen##_##mode = { \ + nid##_##keylen##_##mode,blocksize, \ + (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \ + flags|EVP_CIPH_##MODE##_MODE, \ + aes_##mode##_init_key, \ + aes_##mode##_cipher, \ + aes_##mode##_cleanup, \ + sizeof(EVP_AES_##MODE##_CTX), \ + NULL,NULL,aes_##mode##_ctrl,NULL }; \ +const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \ +{ return S390X_aes_##keylen##_##mode##_CAPABLE?&s390x_aes_##keylen##_##mode: \ + &aes_##keylen##_##mode; } + #else # define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \ diff --git a/crypto/s390x_arch.h b/crypto/s390x_arch.h index 434f8e3f4e..5bf24930ed 100644 --- a/crypto/s390x_arch.h +++ b/crypto/s390x_arch.h @@ -30,4 +30,14 @@ extern uint64_t OPENSSL_s390xcap_P[]; # define S390X_STFLE_VXD (1ULL << 57) # define S390X_STFLE_VX (1ULL << 62) +/* OPENSSL_s390xcap_P[5] flags */ +# define S390X_KM_AES_256 (1ULL << 43) +# define S390X_KM_AES_192 (1ULL << 44) +# define S390X_KM_AES_128 (1ULL << 45) + +/* OPENSSL_s390xcap_P[7] flags */ +# define S390X_KMC_AES_256 (1ULL << 43) +# define S390X_KMC_AES_192 (1ULL << 44) +# define S390X_KMC_AES_128 (1ULL << 45) + #endif -- 2.13.6 ++++++ 0008-s390x-assembly-pack-extended-s390x-capability-vector.patch ++++++ >From 5534badade984ccad7dbe56e17bcf0b2d00820c0 Mon Sep 17 00:00:00 2001 From: Patrick Steuer <patrick.ste...@de.ibm.com> Date: Sun, 12 Feb 2017 12:27:00 +0100 Subject: [PATCH 08/44] s390x assembly pack: extended s390x capability vector (KMA). Extended the s390x capability vector to store the doubleword pair returned by the KMA instruction's QUERY function. Signed-off-by: Patrick Steuer <patrick.ste...@de.ibm.com> --- crypto/aes/asm/aes-s390x.pl | 2 +- crypto/s390x_arch.h | 9 +++++++-- crypto/s390xcpuid.S | 12 +++++++++++- crypto/sha/asm/sha1-s390x.pl | 2 +- crypto/sha/asm/sha512-s390x.pl | 2 +- 5 files changed, 21 insertions(+), 6 deletions(-) Index: openssl-1.1.0g/crypto/s390x_arch.h =================================================================== --- openssl-1.1.0g.orig/crypto/s390x_arch.h 2018-01-10 15:38:21.714301915 +0100 +++ openssl-1.1.0g/crypto/s390x_arch.h 2018-01-10 15:38:28.942417111 +0100 @@ -18,10 +18,10 @@ * functions. If STFLE returns fewer doublewords or an instruction is not * supported, the corresponding element is zero. The order is as follows: * - * STFLE:STFLE:STFLE.KIMD:KIMD:KM:KM:KMC:KMC:KMCTR:KMCTR + * STFLE:STFLE:STFLE.KIMD:KIMD:KM:KM:KMC:KMC:KMCTR:KMCTR:KMA:KMA */ # define S390X_STFLE_DWORDS 3 -# define S390X_QUERY_DWORDS 8 +# define S390X_QUERY_DWORDS 10 # define S390X_CAP_DWORDS (S390X_STFLE_DWORDS + S390X_QUERY_DWORDS) extern unsigned long long OPENSSL_s390xcap_P[]; @@ -40,4 +40,9 @@ extern unsigned long long OPENSSL_s390xc # define S390X_KMC_AES_192 (1ULL << 44) # define S390X_KMC_AES_128 (1ULL << 45) +/* OPENSSL_s390xcap_P[11] flags */ +# define S390X_KMA_GCM_AES_256 (1ULL << 43) +# define S390X_KMA_GCM_AES_192 (1ULL << 44) +# define S390X_KMA_GCM_AES_128 (1ULL << 45) + #endif Index: openssl-1.1.0g/crypto/s390xcpuid.S =================================================================== --- openssl-1.1.0g.orig/crypto/s390xcpuid.S 2018-01-10 15:38:21.706301789 +0100 +++ openssl-1.1.0g/crypto/s390xcpuid.S 2018-01-10 15:38:21.722302044 +0100 @@ -22,6 +22,8 @@ OPENSSL_s390x_facilities: stg %r0,64(%r4) stg %r0,72(%r4) stg %r0,80(%r4) + stg %r0,88(%r4) + stg %r0,96(%r4) .long 0xb2b04000 # stfle 0(%r4) brc 8,.Ldone @@ -54,6 +56,14 @@ OPENSSL_s390x_facilities: la %r1,72(%r4) .long 0xb92d2042 # kmctr %r4,%r2,%r2 + lg %r2,16(%r4) + tmhl %r2,0x2000 # check for message-security-assist-8 + jz .Lret + + lghi %r0,0 # query kma capability vector + la %r1,88(%r4) + .long 0xb9294022 # kma %r2,%r4,%r2 + .Lret: br %r14 .size OPENSSL_s390x_facilities,.-OPENSSL_s390x_facilities ++++++ 0009-crypto-aes-asm-aes-s390x.pl-add-KMA-code-path.patch ++++++ >From 6d4165cf2b6c19162fdcc98e0f093b12ce765191 Mon Sep 17 00:00:00 2001 From: Patrick Steuer <patrick.ste...@de.ibm.com> Date: Tue, 14 Feb 2017 02:07:37 +0100 Subject: [PATCH 09/44] crypto/aes/asm/aes-s390x.pl: add KMA code path. Signed-off-by: Patrick Steuer <patrick.ste...@de.ibm.com> --- crypto/aes/asm/aes-s390x.pl | 34 +++++++++++++++++++++++++++++++++- 1 file changed, 33 insertions(+), 1 deletion(-) diff --git a/crypto/aes/asm/aes-s390x.pl b/crypto/aes/asm/aes-s390x.pl index b546c16025..750f61e87a 100644 --- a/crypto/aes/asm/aes-s390x.pl +++ b/crypto/aes/asm/aes-s390x.pl @@ -1403,7 +1403,39 @@ $code.=<<___ if (!$softonly); clr %r0,%r1 jl .Lctr32_software - stm${g} %r6,$s3,6*$SIZE_T($sp) + stm${g} $s2,$s3,10*$SIZE_T($sp) + llgfr $s2,%r0 + larl %r1,OPENSSL_s390xcap_P + llihh %r0,0x8000 # check if kma supports the function code + srlg %r0,%r0,0($s2) + ng %r0,88(%r1) # check kma capability vector + lgr %r0,$s2 + jz .Lctr32_nokma + + aghi $sp,-112 + lhi %r1,0x0600 + sllg $len,$len,4 + or %r0,%r1 # set HS and LAAD flags + lmg $s2,$s3,0($ivp) + la %r1,0($sp) # prepare parameter block + ahi $s3,-1 # decrement counter + mvc 80(32,$sp),0($key) # copy key + stmg $s2,$s3,64($sp) # copy iv + st $s3,12($sp) # copy counter + lghi $s3,0 # no AAD + + .long 0xb929a042 # kma $out,$s2,$inp + brc 1,.-4 # pay attention to "partial completion" + + xc 80(32,$sp),80($sp) # wipe key copy + la $sp,112($sp) + lm${g} $s2,$s3,10*$SIZE_T($sp) + br $ra + +.align 16 +.Lctr32_nokma: + + stm${g} %r6,$s1,6*$SIZE_T($sp) slgr $out,$inp la %r1,0($key) # %r1 is permanent copy of $key -- 2.13.6 ++++++ 0010-doc-man3-OPENSSL_s390xcap.pod-update-KMA.patch ++++++ >From 98100dfe2659b43c1e80c54e5666e6f5d0330759 Mon Sep 17 00:00:00 2001 From: Patrick Steuer <patrick.ste...@de.ibm.com> Date: Mon, 13 Feb 2017 16:43:12 +0100 Subject: [PATCH 10/44] doc/man3/OPENSSL_s390xcap.pod: update (KMA). List KMA-GCM-AES bits as significant. Signed-off-by: Patrick Steuer <patrick.ste...@de.ibm.com> --- doc/man3/OPENSSL_s390xcap.pod | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/doc/man3/OPENSSL_s390xcap.pod b/doc/man3/OPENSSL_s390xcap.pod index de56c7cf55..adf2c02036 100644 --- a/doc/man3/OPENSSL_s390xcap.pod +++ b/doc/man3/OPENSSL_s390xcap.pod @@ -76,6 +76,21 @@ The following bits are significant: =back +: +: +: +: + +=over + +=item #43 KMA-GCM-AES-256 + +=item #44 KMA-GCM-AES-192 + +=item #45 KMA-GCM-AES-128 + +=back + =head1 EXAMPLES OPENSSL_s390xcap=.0:0 disables KIMD. -- 2.13.6 ++++++ 0011-crypto-aes-asm-aes-s390x.pl-add-CFI-annotations-KMA-.patch ++++++ >From f34474dd00118128ed574e838895167efddf7359 Mon Sep 17 00:00:00 2001 From: Patrick Steuer <patrick.ste...@de.ibm.com> Date: Tue, 14 Feb 2017 11:15:51 +0100 Subject: [PATCH 11/44] crypto/aes/asm/aes-s390x.pl: add CFI annotations (KMA code path). Signed-off-by: Patrick Steuer <patrick.ste...@de.ibm.com> --- crypto/aes/asm/aes-s390x.pl | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/crypto/aes/asm/aes-s390x.pl b/crypto/aes/asm/aes-s390x.pl index 750f61e87a..6cabdf5069 100644 --- a/crypto/aes/asm/aes-s390x.pl +++ b/crypto/aes/asm/aes-s390x.pl @@ -1392,6 +1392,7 @@ $code.=<<___; .type AES_ctr32_encrypt,\@function .align 16 AES_ctr32_encrypt: +.cfi_startproc xgr %r3,%r4 # flip %r3 and %r4, $out and $len xgr %r4,%r3 xgr %r3,%r4 @@ -1404,6 +1405,8 @@ $code.=<<___ if (!$softonly); jl .Lctr32_software stm${g} $s2,$s3,10*$SIZE_T($sp) + .cfi_rel_offset $s2,10*$SIZE_T + .cfi_rel_offset $s3,11*$SIZE_T llgfr $s2,%r0 larl %r1,OPENSSL_s390xcap_P llihh %r0,0x8000 # check if kma supports the function code @@ -1413,6 +1416,7 @@ $code.=<<___ if (!$softonly); jz .Lctr32_nokma aghi $sp,-112 + .cfi_adjust_cfa_offset 112 lhi %r1,0x0600 sllg $len,$len,4 or %r0,%r1 # set HS and LAAD flags @@ -1429,7 +1433,10 @@ $code.=<<___ if (!$softonly); xc 80(32,$sp),80($sp) # wipe key copy la $sp,112($sp) + .cfi_adjust_cfa_offset -112 lm${g} $s2,$s3,10*$SIZE_T($sp) + .cfi_restore $s2 + .cfi_restore $s3 br $ra .align 16 @@ -1594,6 +1601,7 @@ $code.=<<___; lm${g} %r6,$ra,6*$SIZE_T($sp) br $ra +.cfi_endproc .size AES_ctr32_encrypt,.-AES_ctr32_encrypt ___ } -- 2.13.6 ++++++ 0012-s390x-assembly-pack-add-KMA-code-path-for-aes-gcm.patch ++++++ >From acef148f0aac18d78c3c857065b3a1274279b2df Mon Sep 17 00:00:00 2001 From: Patrick Steuer <patrick.ste...@de.ibm.com> Date: Sat, 25 Feb 2017 10:05:12 +0100 Subject: [PATCH 12/44] s390x assembly pack: add KMA code path for aes-gcm. Signed-off-by: Patrick Steuer <patrick.ste...@de.ibm.com> --- crypto/aes/asm/aes-s390x.pl | 52 ++++++++++++ crypto/evp/e_aes.c | 200 ++++++++++++++++++++++++++++++++++++++++++-- crypto/modes/gcm128.c | 4 + crypto/s390x_arch.h | 5 ++ 4 files changed, 253 insertions(+), 8 deletions(-) Index: openssl-1.1.0g/crypto/aes/asm/aes-s390x.pl =================================================================== --- openssl-1.1.0g.orig/crypto/aes/asm/aes-s390x.pl 2018-01-09 17:35:12.231011406 +0100 +++ openssl-1.1.0g/crypto/aes/asm/aes-s390x.pl 2018-01-09 17:35:16.795082242 +0100 @@ -2257,6 +2257,58 @@ $code.=<<___; .size AES_xts_decrypt,.-AES_xts_decrypt ___ } + +################ +# void s390x_aes_gcm_blocks(unsigned char *out, GCM128_CONTEXT *ctx, +# const unsigned char *in, size_t len, +# const unsigned char *aad, size_t alen, +# const AES_KEY *key, int enc) +{ +my ($out,$ctx,$in,$len,$aad,$alen,$key,$enc) = map("%r$_",(2..9)); +$code.=<<___ if (!$softonly); +.globl s390x_aes_gcm_blocks +.type s390x_aes_gcm_blocks,\@function +.align 16 +s390x_aes_gcm_blocks: + stm$g $alen,$enc,7*$SIZE_T($sp) + lm$g $alen,$enc,$stdframe($sp) + + aghi $sp,-112 + + lmg %r0,%r1,0($ctx) + ahi %r1,-1 + + mvc 16(32,$sp),64($ctx) # copy Xi/H + #mvc 48(16,$sp),48($ctx) # copy len + mvc 80(32,$sp),0($key) # copy key + st %r1,12($sp) # copy Yi + stmg %r0,%r1,64($sp) + + lhi %r1,128 + l %r0,240($key) # kma capability vector checked by caller + sll $enc,7 + xr $enc,%r1 + or %r0,$enc + + la %r1,0($sp) + + .long 0xb9296024 # kma $out,$aad,$in + brc 1,.-4 # pay attention to "partial completion" + + l %r0,12($sp) + mvc 64(16,$ctx),16($sp) # update Xi + xc 0(112,$sp),0($sp) # wipe stack + + la $sp,112($sp) + ahi %r0,1 + st %r0,12($ctx) + + lm$g $alen,$enc,7*$SIZE_T($sp) + br $ra +.size s390x_aes_gcm_blocks,.-s390x_aes_gcm_blocks +___ +} + $code.=<<___; .string "AES for s390x, CRYPTOGAMS by <appro\@openssl.org>" ___ Index: openssl-1.1.0g/crypto/evp/e_aes.c =================================================================== --- openssl-1.1.0g.orig/crypto/evp/e_aes.c 2018-01-09 17:35:12.199010909 +0100 +++ openssl-1.1.0g/crypto/evp/e_aes.c 2018-01-09 17:35:12.239011531 +0100 @@ -960,7 +960,7 @@ const EVP_CIPHER *EVP_aes_##keylen##_##m * If KM and KMC support the function code, AES_KEY structure holds * key/function code (instead of key schedule/number of rounds). */ -# define S390X_AES_FC (((AES_KEY *)(key))->rounds) +# define S390X_AES_FC(key) (((AES_KEY *)(key))->rounds) # define S390X_aes_128_CAPABLE ((OPENSSL_s390xcap_P[5]&S390X_KM_AES_128)&&\ (OPENSSL_s390xcap_P[7]&S390X_KMC_AES_128)) @@ -969,6 +969,11 @@ const EVP_CIPHER *EVP_aes_##keylen##_##m # define S390X_aes_256_CAPABLE ((OPENSSL_s390xcap_P[5]&S390X_KM_AES_256)&&\ (OPENSSL_s390xcap_P[7]&S390X_KMC_AES_256)) +void s390x_aes_gcm_blocks(unsigned char *out, GCM128_CONTEXT *ctx, + const unsigned char *in, size_t len, + const unsigned char *aad, size_t alen, + const AES_KEY *key, int enc); + # define s390x_aes_init_key aes_init_key static int s390x_aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc); @@ -1029,18 +1034,197 @@ static int s390x_aes_cfb1_cipher(EVP_CIP static int s390x_aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t len); -# define S390X_aes_128_gcm_CAPABLE 0 -# define S390X_aes_192_gcm_CAPABLE 0 -# define S390X_aes_256_gcm_CAPABLE 0 +# define S390X_aes_128_gcm_CAPABLE (S390X_aes_128_CAPABLE&&\ + OPENSSL_s390xcap_P[17]\ + &S390X_KMA_GCM_AES_128) +# define S390X_aes_192_gcm_CAPABLE (S390X_aes_192_CAPABLE&&\ + OPENSSL_s390xcap_P[17]\ + &S390X_KMA_GCM_AES_192) +# define S390X_aes_256_gcm_CAPABLE (S390X_aes_256_CAPABLE&&\ + OPENSSL_s390xcap_P[17]\ + &S390X_KMA_GCM_AES_256) + +static int s390x_aes_gcm(GCM128_CONTEXT *ctx, const unsigned char *in, + unsigned char *out, size_t len, int enc) +{ + int n; + size_t rem; + u64 mlen = ctx->len.u[1]; + unsigned char tmp; + + mlen += len; + + if (mlen > ((1ULL << 36) - 32) || (sizeof(len) == 8 && mlen < len)) + return -1; + + ctx->len.u[1] = mlen; + + if (ctx->ares) { + (*ctx->gmult)(ctx->Xi.u, ctx->Htable); + ctx->ares = 0; + } + S390X_AES_FC(ctx->key) |= S390X_KMA_LAAD; + n = ctx->mres; + + if (n) { + while (n && len) { + tmp = *in; + *out = tmp ^ ctx->EKi.c[n]; + ctx->Xi.c[n] ^= enc ? *out : tmp; + n = (n + 1) % AES_BLOCK_SIZE; + --len; + ++in; + ++out; + } + if (n == 0) { + (*ctx->gmult)(ctx->Xi.u, ctx->Htable); + } else { + ctx->mres = n; + return 0; + } + } + rem = len % AES_BLOCK_SIZE; + len -= rem; + + s390x_aes_gcm_blocks(out, ctx, in, len, NULL, 0, ctx->key, enc); + + if (rem) { + in += len; + out += len; + (*ctx->block)(ctx->Yi.c, ctx->EKi.c, ctx->key); + ++ctx->Yi.d[3]; + while (rem--) { + tmp = in[n]; + out[n] = tmp ^ ctx->EKi.c[n]; + ctx->Xi.c[n] ^= enc ? out[n] : tmp; + ++n; + } + } + + ctx->mres = n; + return 0; +} -# define s390x_aes_gcm_init_key aes_gcm_init_key static int s390x_aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, - const unsigned char *iv, int enc); + const unsigned char *iv, int enc) +{ + EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx); + const int keybitlen = EVP_CIPHER_CTX_key_length(ctx) * 8; + + if (!iv && !key) + return 1; + + if (key) { + AES_set_encrypt_key(key, keybitlen, &gctx->ks.ks); + CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f)AES_encrypt); + S390X_AES_FC(&gctx->ks) |= S390X_KMA_HS; + + if (iv == NULL && gctx->iv_set) + iv = gctx->iv; + + if (iv) { + CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); + gctx->iv_set = 1; + } + gctx->key_set = 1; + } else { + if (gctx->key_set) + CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen); + else + memcpy(gctx->iv, iv, gctx->ivlen); + + gctx->iv_set = 1; + gctx->iv_gen = 0; + } + return 1; +} + +static int s390x_aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, size_t len) +{ + EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx); + unsigned char *buf = EVP_CIPHER_CTX_buf_noconst(ctx); + int enc = EVP_CIPHER_CTX_encrypting(ctx); + int rv = -1; + + if (out != in || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN)) + return -1; + + if (EVP_CIPHER_CTX_ctrl(ctx, enc ? EVP_CTRL_GCM_IV_GEN : + EVP_CTRL_GCM_SET_IV_INV, + EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0) + goto err; + + if (CRYPTO_gcm128_aad(&gctx->gcm, buf, gctx->tls_aad_len)) + goto err; + + in += EVP_GCM_TLS_EXPLICIT_IV_LEN; + out += EVP_GCM_TLS_EXPLICIT_IV_LEN; + len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN; + + if (s390x_aes_gcm(&gctx->gcm, in, out, len, enc)) + goto err; + + if (enc) { + out += len; + CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN); + rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN; + } else { + CRYPTO_gcm128_tag(&gctx->gcm, buf, EVP_GCM_TLS_TAG_LEN); + + if (CRYPTO_memcmp(buf, in + len, EVP_GCM_TLS_TAG_LEN)) { + OPENSSL_cleanse(out, len); + goto err; + } + rv = len; + } + err: + gctx->iv_set = 0; + gctx->tls_aad_len = -1; + return rv; +} -# define s390x_aes_gcm_cipher aes_gcm_cipher static int s390x_aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, - const unsigned char *in, size_t len); + const unsigned char *in, size_t len) +{ + EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx); + unsigned char *buf = EVP_CIPHER_CTX_buf_noconst(ctx); + int enc = EVP_CIPHER_CTX_encrypting(ctx); + + if (!gctx->key_set) + return -1; + + if (gctx->tls_aad_len >= 0) + return s390x_aes_gcm_tls_cipher(ctx, out, in, len); + + if (!gctx->iv_set) + return -1; + + if (in) { + if (out == NULL) { + if (CRYPTO_gcm128_aad(&gctx->gcm, in, len)) + return -1; + } else { + if (s390x_aes_gcm(&gctx->gcm, in, out, len, enc)) + return -1; + } + return len; + } else { + if (enc) { + gctx->taglen = 16; + CRYPTO_gcm128_tag(&gctx->gcm, buf, gctx->taglen); + } else { + if (gctx->taglen < 0) + return -1; + + if (CRYPTO_gcm128_finish(&gctx->gcm, buf, gctx->taglen)) + return -1; + } + gctx->iv_set = 0; + return 0; + } +} # define S390X_aes_128_xts_CAPABLE 1 /* checked by callee */ # define S390X_aes_256_xts_CAPABLE 1 Index: openssl-1.1.0g/crypto/modes/gcm128.c =================================================================== --- openssl-1.1.0g.orig/crypto/modes/gcm128.c 2017-11-02 15:29:03.000000000 +0100 +++ openssl-1.1.0g/crypto/modes/gcm128.c 2018-01-09 17:35:12.239011531 +0100 @@ -817,6 +817,10 @@ void CRYPTO_gcm128_init(GCM128_CONTEXT * ctx->gmult = gcm_gmult_4bit; CTX__GHASH(gcm_ghash_4bit); } +# elif defined(GHASH_ASM) + gcm_init_4bit(ctx->Htable, ctx->H.u); + ctx->gmult = gcm_gmult_4bit; + CTX__GHASH(gcm_ghash_4bit); # else gcm_init_4bit(ctx->Htable, ctx->H.u); # endif Index: openssl-1.1.0g/crypto/s390x_arch.h =================================================================== --- openssl-1.1.0g.orig/crypto/s390x_arch.h 2018-01-09 17:35:12.207011034 +0100 +++ openssl-1.1.0g/crypto/s390x_arch.h 2018-01-09 17:35:12.239011531 +0100 @@ -45,4 +45,9 @@ extern uint64_t OPENSSL_s390xcap_P[]; # define S390X_KMA_GCM_AES_192 (1ULL << 44) # define S390X_KMA_GCM_AES_128 (1ULL << 45) +/* %r0 flags */ +# define S390X_KMA_LPC (1ULL << 8) +# define S390X_KMA_LAAD (1ULL << 9) +# define S390X_KMA_HS (1ULL << 10) + #endif ++++++ 0013-crypto-aes-asm-aes-s390x.pl-add-CFI-annotations-KMA-.patch ++++++ >From d137c24cbf25bae932dcfc0b58fa667a9ef63bf0 Mon Sep 17 00:00:00 2001 From: Patrick Steuer <patrick.ste...@de.ibm.com> Date: Sun, 26 Feb 2017 22:36:39 +0100 Subject: [PATCH 13/44] crypto/aes/asm/aes-s390x.pl: add CFI annotations (KMA-gcm code path). Signed-off-by: Patrick Steuer <patrick.ste...@de.ibm.com> --- crypto/aes/asm/aes-s390x.pl | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/crypto/aes/asm/aes-s390x.pl b/crypto/aes/asm/aes-s390x.pl index f23b1231c1..dfe79f84a6 100644 --- a/crypto/aes/asm/aes-s390x.pl +++ b/crypto/aes/asm/aes-s390x.pl @@ -2270,10 +2270,15 @@ $code.=<<___ if (!$softonly); .type s390x_aes_gcm_blocks,\@function .align 16 s390x_aes_gcm_blocks: +.cfi_startproc stm$g $alen,$enc,7*$SIZE_T($sp) + .cfi_rel_offset $alen,7*$SIZE_T + .cfi_rel_offset $key,8*$SIZE_T + .cfi_rel_offset $enc,9*$SIZE_T lm$g $alen,$enc,$stdframe($sp) aghi $sp,-112 + .cfi_adjust_cfa_offset 112 lmg %r0,%r1,0($ctx) ahi %r1,-1 @@ -2300,11 +2305,16 @@ s390x_aes_gcm_blocks: xc 0(112,$sp),0($sp) # wipe stack la $sp,112($sp) + .cfi_adjust_cfa_offset -112 ahi %r0,1 st %r0,12($ctx) lm$g $alen,$enc,7*$SIZE_T($sp) + .cfi_restore $alen + .cfi_restore $key + .cfi_restore $enc br $ra +.cfi_endproc .size s390x_aes_gcm_blocks,.-s390x_aes_gcm_blocks ___ } -- 2.13.6