public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed
From: Tomas Mraz <tmraz@fedoraproject.org>
To: git-commits@fedoraproject.org
Subject: [rpms/openssl] rebase_40beta: pull some fixes and improvements from RHEL-8
Date: Tue, 09 Jun 2026 12:44:44 GMT [thread overview]
Message-ID: <178100908455.1.17353932276976211492.rpms-openssl-1e6a98d9e90a@fedoraproject.org> (raw)
A new commit has been pushed.
Repo : rpms/openssl
Branch : rebase_40beta
Commit : 1e6a98d9e90acffa4e2de6a0d4e5f23d6b16d4b1
Author : Tomas Mraz <tmraz@fedoraproject.org>
Date : 2020-05-18T13:26:53+02:00
Stats : +4011/-3 in 5 file(s)
URL : https://src.fedoraproject.org/rpms/openssl/c/1e6a98d9e90acffa4e2de6a0d4e5f23d6b16d4b1?branch=rebase_40beta
Log:
pull some fixes and improvements from RHEL-8
---
diff --git a/openssl-1.1.1-arm-update.patch b/openssl-1.1.1-arm-update.patch
new file mode 100644
index 0000000..998905f
--- /dev/null
+++ b/openssl-1.1.1-arm-update.patch
@@ -0,0 +1,1434 @@
+diff -up openssl-1.1.1c/crypto/aes/asm/aesv8-armx.pl.arm-update openssl-1.1.1c/crypto/aes/asm/aesv8-armx.pl
+--- openssl-1.1.1c/crypto/aes/asm/aesv8-armx.pl.arm-update 2019-05-28 15:12:21.000000000 +0200
++++ openssl-1.1.1c/crypto/aes/asm/aesv8-armx.pl 2019-11-20 11:36:22.389506155 +0100
+@@ -27,44 +27,72 @@
+ # CBC encrypt case. On Cortex-A57 parallelizable mode performance
+ # seems to be limited by sheer amount of NEON instructions...
+ #
++# April 2019
++#
++# Key to performance of parallelize-able modes is round instruction
++# interleaving. But which factor to use? There is optimal one for
++# each combination of instruction latency and issue rate, beyond
++# which increasing interleave factor doesn't pay off. While on cons
++# side we have code size increase and resource waste on platforms for
++# which interleave factor is too high. In other words you want it to
++# be just right. So far interleave factor of 3x was serving well all
++# platforms. But for ThunderX2 optimal interleave factor was measured
++# to be 5x...
++#
+ # Performance in cycles per byte processed with 128-bit key:
+ #
+ # CBC enc CBC dec CTR
+ # Apple A7 2.39 1.20 1.20
+-# Cortex-A53 1.32 1.29 1.46
+-# Cortex-A57(*) 1.95 0.85 0.93
+-# Denver 1.96 0.86 0.80
+-# Mongoose 1.33 1.20 1.20
+-# Kryo 1.26 0.94 1.00
++# Cortex-A53 1.32 1.17/1.29(**) 1.36/1.46
++# Cortex-A57(*) 1.95 0.82/0.85 0.89/0.93
++# Cortex-A72 1.33 0.85/0.88 0.92/0.96
++# Denver 1.96 0.65/0.86 0.76/0.80
++# Mongoose 1.33 1.23/1.20 1.30/1.20
++# Kryo 1.26 0.87/0.94 1.00/1.00
++# ThunderX2 5.95 1.25 1.30
+ #
+ # (*) original 3.64/1.34/1.32 results were for r0p0 revision
+ # and are still same even for updated module;
++# (**) numbers after slash are for 32-bit code, which is 3x-
++# interleaved;
+
+-$flavour = shift;
+-$output = shift;
++# $output is the last argument if it looks like a file (it has an extension)
++# $flavour is the first argument if it doesn't look like a file
++$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
++$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
+
+ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+ ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
+ ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
+ die "can't locate arm-xlate.pl";
+
+-open OUT,"| \"$^X\" $xlate $flavour $output";
++open OUT,"| \"$^X\" $xlate $flavour \"$output\""
++ or die "can't call $xlate: $!";
+ *STDOUT=*OUT;
+
+ $prefix="aes_v8";
+
++$_byte = ($flavour =~ /win/ ? "DCB" : ".byte");
++
+ $code=<<___;
+ #include "arm_arch.h"
+
+ #if __ARM_MAX_ARCH__>=7
+-.text
+ ___
+-$code.=".arch armv8-a+crypto\n" if ($flavour =~ /64/);
++$code.=".arch armv8-a+crypto\n.text\n" if ($flavour =~ /64/);
+ $code.=<<___ if ($flavour !~ /64/);
+ .arch armv7-a // don't confuse not-so-latest binutils with argv8 :-)
+ .fpu neon
++#ifdef __thumb2__
++.syntax unified
++.thumb
++# define INST(a,b,c,d) $_byte c,d|0xc,a,b
++#else
+ .code 32
+-#undef __thumb2__
++# define INST(a,b,c,d) $_byte a,b,c,d
++#endif
++
++.text
+ ___
+
+ # Assembler mnemonics are an eclectic mix of 32- and 64-bit syntax,
+@@ -514,6 +542,13 @@ $code.=<<___;
+ ___
+ {
+ my ($dat2,$in2,$tmp2)=map("q$_",(10,11,9));
++
++my ($dat3,$in3,$tmp3); # used only in 64-bit mode
++my ($dat4,$in4,$tmp4);
++if ($flavour =~ /64/) {
++ ($dat2,$dat3,$dat4,$in2,$in3,$in4,$tmp3,$tmp4)=map("q$_",(16..23));
++}
++
+ $code.=<<___;
+ .align 5
+ .Lcbc_dec:
+@@ -530,7 +565,196 @@ $code.=<<___;
+ vorr $in0,$dat,$dat
+ vorr $in1,$dat1,$dat1
+ vorr $in2,$dat2,$dat2
++___
++$code.=<<___ if ($flavour =~ /64/);
++ cmp $len,#32
++ b.lo .Loop3x_cbc_dec
++
++ vld1.8 {$dat3},[$inp],#16
++ vld1.8 {$dat4},[$inp],#16
++ sub $len,$len,#32 // bias
++ mov $cnt,$rounds
++ vorr $in3,$dat3,$dat3
++ vorr $in4,$dat4,$dat4
++
++.Loop5x_cbc_dec:
++ aesd $dat0,q8
++ aesimc $dat0,$dat0
++ aesd $dat1,q8
++ aesimc $dat1,$dat1
++ aesd $dat2,q8
++ aesimc $dat2,$dat2
++ aesd $dat3,q8
++ aesimc $dat3,$dat3
++ aesd $dat4,q8
++ aesimc $dat4,$dat4
++ vld1.32 {q8},[$key_],#16
++ subs $cnt,$cnt,#2
++ aesd $dat0,q9
++ aesimc $dat0,$dat0
++ aesd $dat1,q9
++ aesimc $dat1,$dat1
++ aesd $dat2,q9
++ aesimc $dat2,$dat2
++ aesd $dat3,q9
++ aesimc $dat3,$dat3
++ aesd $dat4,q9
++ aesimc $dat4,$dat4
++ vld1.32 {q9},[$key_],#16
++ b.gt .Loop5x_cbc_dec
++
++ aesd $dat0,q8
++ aesimc $dat0,$dat0
++ aesd $dat1,q8
++ aesimc $dat1,$dat1
++ aesd $dat2,q8
++ aesimc $dat2,$dat2
++ aesd $dat3,q8
++ aesimc $dat3,$dat3
++ aesd $dat4,q8
++ aesimc $dat4,$dat4
++ cmp $len,#0x40 // because .Lcbc_tail4x
++ sub $len,$len,#0x50
++
++ aesd $dat0,q9
++ aesimc $dat0,$dat0
++ aesd $dat1,q9
++ aesimc $dat1,$dat1
++ aesd $dat2,q9
++ aesimc $dat2,$dat2
++ aesd $dat3,q9
++ aesimc $dat3,$dat3
++ aesd $dat4,q9
++ aesimc $dat4,$dat4
++ csel x6,xzr,$len,gt // borrow x6, $cnt, "gt" is not typo
++ mov $key_,$key
++
++ aesd $dat0,q10
++ aesimc $dat0,$dat0
++ aesd $dat1,q10
++ aesimc $dat1,$dat1
++ aesd $dat2,q10
++ aesimc $dat2,$dat2
++ aesd $dat3,q10
++ aesimc $dat3,$dat3
++ aesd $dat4,q10
++ aesimc $dat4,$dat4
++ add $inp,$inp,x6 // $inp is adjusted in such way that
++ // at exit from the loop $dat1-$dat4
++ // are loaded with last "words"
++ add x6,$len,#0x60 // because .Lcbc_tail4x
++
++ aesd $dat0,q11
++ aesimc $dat0,$dat0
++ aesd $dat1,q11
++ aesimc $dat1,$dat1
++ aesd $dat2,q11
++ aesimc $dat2,$dat2
++ aesd $dat3,q11
++ aesimc $dat3,$dat3
++ aesd $dat4,q11
++ aesimc $dat4,$dat4
++
++ aesd $dat0,q12
++ aesimc $dat0,$dat0
++ aesd $dat1,q12
++ aesimc $dat1,$dat1
++ aesd $dat2,q12
++ aesimc $dat2,$dat2
++ aesd $dat3,q12
++ aesimc $dat3,$dat3
++ aesd $dat4,q12
++ aesimc $dat4,$dat4
++
++ aesd $dat0,q13
++ aesimc $dat0,$dat0
++ aesd $dat1,q13
++ aesimc $dat1,$dat1
++ aesd $dat2,q13
++ aesimc $dat2,$dat2
++ aesd $dat3,q13
++ aesimc $dat3,$dat3
++ aesd $dat4,q13
++ aesimc $dat4,$dat4
++
++ aesd $dat0,q14
++ aesimc $dat0,$dat0
++ aesd $dat1,q14
++ aesimc $dat1,$dat1
++ aesd $dat2,q14
++ aesimc $dat2,$dat2
++ aesd $dat3,q14
++ aesimc $dat3,$dat3
++ aesd $dat4,q14
++ aesimc $dat4,$dat4
++
++ veor $tmp0,$ivec,$rndlast
++ aesd $dat0,q15
++ veor $tmp1,$in0,$rndlast
++ vld1.8 {$in0},[$inp],#16
++ aesd $dat1,q15
++ veor $tmp2,$in1,$rndlast
++ vld1.8 {$in1},[$inp],#16
++ aesd $dat2,q15
++ veor $tmp3,$in2,$rndlast
++ vld1.8 {$in2},[$inp],#16
++ aesd $dat3,q15
++ veor $tmp4,$in3,$rndlast
++ vld1.8 {$in3},[$inp],#16
++ aesd $dat4,q15
++ vorr $ivec,$in4,$in4
++ vld1.8 {$in4},[$inp],#16
++ cbz x6,.Lcbc_tail4x
++ vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0]
++ veor $tmp0,$tmp0,$dat0
++ vorr $dat0,$in0,$in0
++ veor $tmp1,$tmp1,$dat1
++ vorr $dat1,$in1,$in1
++ veor $tmp2,$tmp2,$dat2
++ vorr $dat2,$in2,$in2
++ veor $tmp3,$tmp3,$dat3
++ vorr $dat3,$in3,$in3
++ veor $tmp4,$tmp4,$dat4
++ vst1.8 {$tmp0},[$out],#16
++ vorr $dat4,$in4,$in4
++ vst1.8 {$tmp1},[$out],#16
++ mov $cnt,$rounds
++ vst1.8 {$tmp2},[$out],#16
++ vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1]
++ vst1.8 {$tmp3},[$out],#16
++ vst1.8 {$tmp4},[$out],#16
++ b.hs .Loop5x_cbc_dec
++
++ add $len,$len,#0x50
++ cbz $len,.Lcbc_done
++
++ add $cnt,$rounds,#2
++ subs $len,$len,#0x30
++ vorr $dat0,$in2,$in2
++ vorr $in0,$in2,$in2
++ vorr $dat1,$in3,$in3
++ vorr $in1,$in3,$in3
++ vorr $dat2,$in4,$in4
++ vorr $in2,$in4,$in4
++ b.lo .Lcbc_dec_tail
++
++ b .Loop3x_cbc_dec
+
++.align 4
++.Lcbc_tail4x:
++ veor $tmp1,$tmp0,$dat1
++ veor $tmp2,$tmp2,$dat2
++ veor $tmp3,$tmp3,$dat3
++ veor $tmp4,$tmp4,$dat4
++ vst1.8 {$tmp1},[$out],#16
++ vst1.8 {$tmp2},[$out],#16
++ vst1.8 {$tmp3},[$out],#16
++ vst1.8 {$tmp4},[$out],#16
++
++ b .Lcbc_done
++.align 4
++___
++$code.=<<___;
+ .Loop3x_cbc_dec:
+ aesd $dat0,q8
+ aesimc $dat0,$dat0
+@@ -691,6 +915,9 @@ my $step="x12"; # aliases with $tctr2
+ my ($dat0,$dat1,$in0,$in1,$tmp0,$tmp1,$ivec,$rndlast)=map("q$_",(0..7));
+ my ($dat2,$in2,$tmp2)=map("q$_",(10,11,9));
+
++# used only in 64-bit mode...
++my ($dat3,$dat4,$in3,$in4)=map("q$_",(16..23));
++
+ my ($dat,$tmp)=($dat0,$tmp0);
+
+ ### q8-q15 preloaded key schedule
+@@ -743,6 +970,175 @@ $code.=<<___;
+ rev $tctr2, $ctr
+ sub $len,$len,#3 // bias
+ vmov.32 ${dat2}[3],$tctr2
++___
++$code.=<<___ if ($flavour =~ /64/);
++ cmp $len,#2
++ b.lo .Loop3x_ctr32
++
++ add w13,$ctr,#1
++ add w14,$ctr,#2
++ vorr $dat3,$dat0,$dat0
++ rev w13,w13
++ vorr $dat4,$dat0,$dat0
++ rev w14,w14
++ vmov.32 ${dat3}[3],w13
++ sub $len,$len,#2 // bias
++ vmov.32 ${dat4}[3],w14
++ add $ctr,$ctr,#2
++ b .Loop5x_ctr32
++
++.align 4
++.Loop5x_ctr32:
++ aese $dat0,q8
++ aesmc $dat0,$dat0
++ aese $dat1,q8
++ aesmc $dat1,$dat1
++ aese $dat2,q8
++ aesmc $dat2,$dat2
++ aese $dat3,q8
++ aesmc $dat3,$dat3
++ aese $dat4,q8
++ aesmc $dat4,$dat4
++ vld1.32 {q8},[$key_],#16
++ subs $cnt,$cnt,#2
++ aese $dat0,q9
++ aesmc $dat0,$dat0
++ aese $dat1,q9
++ aesmc $dat1,$dat1
++ aese $dat2,q9
++ aesmc $dat2,$dat2
++ aese $dat3,q9
++ aesmc $dat3,$dat3
++ aese $dat4,q9
++ aesmc $dat4,$dat4
++ vld1.32 {q9},[$key_],#16
++ b.gt .Loop5x_ctr32
++
++ mov $key_,$key
++ aese $dat0,q8
++ aesmc $dat0,$dat0
++ aese $dat1,q8
++ aesmc $dat1,$dat1
++ aese $dat2,q8
++ aesmc $dat2,$dat2
++ aese $dat3,q8
++ aesmc $dat3,$dat3
++ aese $dat4,q8
++ aesmc $dat4,$dat4
++ vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0]
++
++ aese $dat0,q9
++ aesmc $dat0,$dat0
++ aese $dat1,q9
++ aesmc $dat1,$dat1
++ aese $dat2,q9
++ aesmc $dat2,$dat2
++ aese $dat3,q9
++ aesmc $dat3,$dat3
++ aese $dat4,q9
++ aesmc $dat4,$dat4
++ vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1]
++
++ aese $dat0,q12
++ aesmc $dat0,$dat0
++ add $tctr0,$ctr,#1
++ add $tctr1,$ctr,#2
++ aese $dat1,q12
++ aesmc $dat1,$dat1
++ add $tctr2,$ctr,#3
++ add w13,$ctr,#4
++ aese $dat2,q12
++ aesmc $dat2,$dat2
++ add w14,$ctr,#5
++ rev $tctr0,$tctr0
++ aese $dat3,q12
++ aesmc $dat3,$dat3
++ rev $tctr1,$tctr1
++ rev $tctr2,$tctr2
++ aese $dat4,q12
++ aesmc $dat4,$dat4
++ rev w13,w13
++ rev w14,w14
++
++ aese $dat0,q13
++ aesmc $dat0,$dat0
++ aese $dat1,q13
++ aesmc $dat1,$dat1
++ aese $dat2,q13
++ aesmc $dat2,$dat2
++ aese $dat3,q13
++ aesmc $dat3,$dat3
++ aese $dat4,q13
++ aesmc $dat4,$dat4
++
++ aese $dat0,q14
++ aesmc $dat0,$dat0
++ vld1.8 {$in0},[$inp],#16
++ aese $dat1,q14
++ aesmc $dat1,$dat1
++ vld1.8 {$in1},[$inp],#16
++ aese $dat2,q14
++ aesmc $dat2,$dat2
++ vld1.8 {$in2},[$inp],#16
++ aese $dat3,q14
++ aesmc $dat3,$dat3
++ vld1.8 {$in3},[$inp],#16
++ aese $dat4,q14
++ aesmc $dat4,$dat4
++ vld1.8 {$in4},[$inp],#16
++
++ aese $dat0,q15
++ veor $in0,$in0,$rndlast
++ aese $dat1,q15
++ veor $in1,$in1,$rndlast
++ aese $dat2,q15
++ veor $in2,$in2,$rndlast
++ aese $dat3,q15
++ veor $in3,$in3,$rndlast
++ aese $dat4,q15
++ veor $in4,$in4,$rndlast
++
++ veor $in0,$in0,$dat0
++ vorr $dat0,$ivec,$ivec
++ veor $in1,$in1,$dat1
++ vorr $dat1,$ivec,$ivec
++ veor $in2,$in2,$dat2
++ vorr $dat2,$ivec,$ivec
++ veor $in3,$in3,$dat3
++ vorr $dat3,$ivec,$ivec
++ veor $in4,$in4,$dat4
++ vorr $dat4,$ivec,$ivec
++
++ vst1.8 {$in0},[$out],#16
++ vmov.32 ${dat0}[3],$tctr0
++ vst1.8 {$in1},[$out],#16
++ vmov.32 ${dat1}[3],$tctr1
++ vst1.8 {$in2},[$out],#16
++ vmov.32 ${dat2}[3],$tctr2
++ vst1.8 {$in3},[$out],#16
++ vmov.32 ${dat3}[3],w13
++ vst1.8 {$in4},[$out],#16
++ vmov.32 ${dat4}[3],w14
++
++ mov $cnt,$rounds
++ cbz $len,.Lctr32_done
++
++ add $ctr,$ctr,#5
++ subs $len,$len,#5
++ b.hs .Loop5x_ctr32
++
++ add $len,$len,#5
++ sub $ctr,$ctr,#5
++
++ cmp $len,#2
++ mov $step,#16
++ cclr $step,lo
++ b.ls .Lctr32_tail
++
++ sub $len,$len,#3 // bias
++ add $ctr,$ctr,#3
++___
++$code.=<<___;
+ b .Loop3x_ctr32
+
+ .align 4
+@@ -955,7 +1351,7 @@ if ($flavour =~ /64/) { ######## 64-bi
+ # since ARMv7 instructions are always encoded little-endian.
+ # correct solution is to use .inst directive, but older
+ # assemblers don't implement it:-(
+- sprintf ".byte\t0x%02x,0x%02x,0x%02x,0x%02x\t@ %s %s",
++ sprintf "INST(0x%02x,0x%02x,0x%02x,0x%02x)\t@ %s %s",
+ $word&0xff,($word>>8)&0xff,
+ ($word>>16)&0xff,($word>>24)&0xff,
+ $mnemonic,$arg;
+@@ -996,14 +1392,17 @@ if ($flavour =~ /64/) { ######## 64-bi
+ s/\],#[0-9]+/]!/o;
+
+ s/[v]?(aes\w+)\s+([qv].*)/unaes($1,$2)/geo or
+- s/cclr\s+([^,]+),\s*([a-z]+)/mov$2 $1,#0/o or
++ s/cclr\s+([^,]+),\s*([a-z]+)/mov.$2 $1,#0/o or
+ s/vtbl\.8\s+(.*)/unvtbl($1)/geo or
+ s/vdup\.32\s+(.*)/unvdup32($1)/geo or
+ s/vmov\.32\s+(.*)/unvmov32($1)/geo or
+ s/^(\s+)b\./$1b/o or
+- s/^(\s+)mov\./$1mov/o or
+ s/^(\s+)ret/$1bx\tlr/o;
+
++ if (s/^(\s+)mov\.([a-z]+)/$1mov$2/) {
++ print " it $2\n";
++ }
++
+ print $_,"\n";
+ }
+ }
+diff -up openssl-1.1.1c/crypto/aes/asm/vpaes-armv8.pl.arm-update openssl-1.1.1c/crypto/aes/asm/vpaes-armv8.pl
+--- openssl-1.1.1c/crypto/aes/asm/vpaes-armv8.pl.arm-update 2019-05-28 15:12:21.000000000 +0200
++++ openssl-1.1.1c/crypto/aes/asm/vpaes-armv8.pl 2019-11-20 11:36:22.389506155 +0100
+@@ -30,6 +30,7 @@
+ # Denver(***) 16.6(**) 15.1/17.8(**) [8.80/9.93 ]
+ # Apple A7(***) 22.7(**) 10.9/14.3 [8.45/10.0 ]
+ # Mongoose(***) 26.3(**) 21.0/25.0(**) [13.3/16.8 ]
++# ThunderX2(***) 39.4(**) 33.8/48.6(**)
+ #
+ # (*) ECB denotes approximate result for parallelizable modes
+ # such as CBC decrypt, CTR, etc.;
+diff -up openssl-1.1.1c/crypto/chacha/asm/chacha-armv8.pl.arm-update openssl-1.1.1c/crypto/chacha/asm/chacha-armv8.pl
+--- openssl-1.1.1c/crypto/chacha/asm/chacha-armv8.pl.arm-update 2019-05-28 15:12:21.000000000 +0200
++++ openssl-1.1.1c/crypto/chacha/asm/chacha-armv8.pl 2019-11-21 16:44:50.814651553 +0100
+@@ -18,32 +18,44 @@
+ #
+ # ChaCha20 for ARMv8.
+ #
++# April 2019
++#
++# Replace 3xNEON+1xIALU code path with 4+1. 4+1 is actually fastest
++# option on most(*), but not all, processors, yet 6+2 is retained.
++# This is because penalties are considered tolerable in comparison to
++# improvement on processors where 6+2 helps. Most notably +37% on
++# ThunderX2. It's server-oriented processor which will have to serve
++# as many requests as possible. While others are mostly clients, when
++# performance doesn't have to be absolute top-notch, just fast enough,
++# as majority of time is spent "entertaining" relatively slow human.
++#
+ # Performance in cycles per byte out of large buffer.
+ #
+-# IALU/gcc-4.9 3xNEON+1xIALU 6xNEON+2xIALU
++# IALU/gcc-4.9 4xNEON+1xIALU 6xNEON+2xIALU
+ #
+-# Apple A7 5.50/+49% 3.33 1.70
+-# Cortex-A53 8.40/+80% 4.72 4.72(*)
+-# Cortex-A57 8.06/+43% 4.90 4.43(**)
+-# Denver 4.50/+82% 2.63 2.67(*)
+-# X-Gene 9.50/+46% 8.82 8.89(*)
+-# Mongoose 8.00/+44% 3.64 3.25
+-# Kryo 8.17/+50% 4.83 4.65
++# Apple A7 5.50/+49% 2.72 1.60
++# Cortex-A53 8.40/+80% 4.06 4.45(*)
++# Cortex-A57 8.06/+43% 4.15 4.40(*)
++# Denver 4.50/+82% 2.30 2.70(*)
++# X-Gene 9.50/+46% 8.20 8.90(*)
++# Mongoose 8.00/+44% 2.74 3.12(*)
++# Kryo 8.17/+50% 4.47 4.65(*)
++# ThunderX2 7.22/+48% 5.64 4.10
+ #
+-# (*) it's expected that doubling interleave factor doesn't help
+-# all processors, only those with higher NEON latency and
+-# higher instruction issue rate;
+-# (**) expected improvement was actually higher;
++# (*) slower than 4+1:-(
+
+-$flavour=shift;
+-$output=shift;
++# $output is the last argument if it looks like a file (it has an extension)
++# $flavour is the first argument if it doesn't look like a file
++$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
++$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
+
+ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+ ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
+ ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
+ die "can't locate arm-xlate.pl";
+
+-open OUT,"| \"$^X\" $xlate $flavour $output";
++open OUT,"| \"$^X\" $xlate $flavour \"$output\""
++ or die "can't call $xlate: $!";
+ *STDOUT=*OUT;
+
+ sub AUTOLOAD() # thunk [simplified] x86-style perlasm
+@@ -120,41 +132,36 @@ my ($a3,$b3,$c3,$d3)=map(($_&~3)+(($_+1)
+ }
+
+ $code.=<<___;
+-#include "arm_arch.h"
++#ifndef __KERNEL__
++# include "arm_arch.h"
++.extern OPENSSL_armcap_P
++#endif
+
+ .text
+
+-.extern OPENSSL_armcap_P
+-
+ .align 5
+ .Lsigma:
+ .quad 0x3320646e61707865,0x6b20657479622d32 // endian-neutral
+ .Lone:
+-.long 1,0,0,0
+-.LOPENSSL_armcap_P:
+-#ifdef __ILP32__
+-.long OPENSSL_armcap_P-.
+-#else
+-.quad OPENSSL_armcap_P-.
+-#endif
+-.asciz "ChaCha20 for ARMv8, CRYPTOGAMS by <appro\@openssl.org>"
++.long 1,2,3,4
++.Lrot24:
++.long 0x02010003,0x06050407,0x0a09080b,0x0e0d0c0f
++.asciz "ChaCha20 for ARMv8, CRYPTOGAMS by \@dot-asm"
+
+ .globl ChaCha20_ctr32
+ .type ChaCha20_ctr32,%function
+ .align 5
+ ChaCha20_ctr32:
+ cbz $len,.Labort
+- adr @x[0],.LOPENSSL_armcap_P
+ cmp $len,#192
+ b.lo .Lshort
+-#ifdef __ILP32__
+- ldrsw @x[1],[@x[0]]
+-#else
+- ldr @x[1],[@x[0]]
+-#endif
+- ldr w17,[@x[1],@x[0]]
++
++#ifndef __KERNEL__
++ adrp x17,OPENSSL_armcap_P
++ ldr w17,[x17,#:lo12:OPENSSL_armcap_P]
+ tst w17,#ARMV7_NEON
+- b.ne ChaCha20_neon
++ b.ne .LChaCha20_neon
++#endif
+
+ .Lshort:
+ .inst 0xd503233f // paciasp
+@@ -173,7 +180,7 @@ ChaCha20_ctr32:
+ ldp @d[2],@d[3],[$key] // load key
+ ldp @d[4],@d[5],[$key,#16]
+ ldp @d[6],@d[7],[$ctr] // load counter
+-#ifdef __ARMEB__
++#ifdef __AARCH64EB__
+ ror @d[2],@d[2],#32
+ ror @d[3],@d[3],#32
+ ror @d[4],@d[4],#32
+@@ -242,7 +249,7 @@ $code.=<<___;
+ add @x[14],@x[14],@x[15],lsl#32
+ ldp @x[13],@x[15],[$inp,#48]
+ add $inp,$inp,#64
+-#ifdef __ARMEB__
++#ifdef __AARCH64EB__
+ rev @x[0],@x[0]
+ rev @x[2],@x[2]
+ rev @x[4],@x[4]
+@@ -299,7 +306,7 @@ $code.=<<___;
+ add @x[10],@x[10],@x[11],lsl#32
+ add @x[12],@x[12],@x[13],lsl#32
+ add @x[14],@x[14],@x[15],lsl#32
+-#ifdef __ARMEB__
++#ifdef __AARCH64EB__
+ rev @x[0],@x[0]
+ rev @x[2],@x[2]
+ rev @x[4],@x[4]
+@@ -340,46 +347,91 @@ $code.=<<___;
+ ___
+
+ {{{
+-my ($A0,$B0,$C0,$D0,$A1,$B1,$C1,$D1,$A2,$B2,$C2,$D2,$T0,$T1,$T2,$T3) =
+- map("v$_.4s",(0..7,16..23));
+-my (@K)=map("v$_.4s",(24..30));
+-my $ONE="v31.4s";
++my @K = map("v$_.4s",(0..3));
++my ($xt0,$xt1,$xt2,$xt3, $CTR,$ROT24) = map("v$_.4s",(4..9));
++my @X = map("v$_.4s",(16,20,24,28, 17,21,25,29, 18,22,26,30, 19,23,27,31));
++my ($xa0,$xa1,$xa2,$xa3, $xb0,$xb1,$xb2,$xb3,
++ $xc0,$xc1,$xc2,$xc3, $xd0,$xd1,$xd2,$xd3) = @X;
+
+-sub NEONROUND {
+-my $odd = pop;
+-my ($a,$b,$c,$d,$t)=@_;
++sub NEON_lane_ROUND {
++my ($a0,$b0,$c0,$d0)=@_;
++my ($a1,$b1,$c1,$d1)=map(($_&~3)+(($_+1)&3),($a0,$b0,$c0,$d0));
++my ($a2,$b2,$c2,$d2)=map(($_&~3)+(($_+1)&3),($a1,$b1,$c1,$d1));
++my ($a3,$b3,$c3,$d3)=map(($_&~3)+(($_+1)&3),($a2,$b2,$c2,$d2));
++my @x=map("'$_'",@X);
+
+ (
+- "&add ('$a','$a','$b')",
+- "&eor ('$d','$d','$a')",
+- "&rev32_16 ('$d','$d')", # vrot ($d,16)
+-
+- "&add ('$c','$c','$d')",
+- "&eor ('$t','$b','$c')",
+- "&ushr ('$b','$t',20)",
+- "&sli ('$b','$t',12)",
+-
+- "&add ('$a','$a','$b')",
+- "&eor ('$t','$d','$a')",
+- "&ushr ('$d','$t',24)",
+- "&sli ('$d','$t',8)",
+-
+- "&add ('$c','$c','$d')",
+- "&eor ('$t','$b','$c')",
+- "&ushr ('$b','$t',25)",
+- "&sli ('$b','$t',7)",
+-
+- "&ext ('$c','$c','$c',8)",
+- "&ext ('$d','$d','$d',$odd?4:12)",
+- "&ext ('$b','$b','$b',$odd?12:4)"
++ "&add (@x[$a0],@x[$a0],@x[$b0])", # Q1
++ "&add (@x[$a1],@x[$a1],@x[$b1])", # Q2
++ "&add (@x[$a2],@x[$a2],@x[$b2])", # Q3
++ "&add (@x[$a3],@x[$a3],@x[$b3])", # Q4
++ "&eor (@x[$d0],@x[$d0],@x[$a0])",
++ "&eor (@x[$d1],@x[$d1],@x[$a1])",
++ "&eor (@x[$d2],@x[$d2],@x[$a2])",
++ "&eor (@x[$d3],@x[$d3],@x[$a3])",
++ "&rev32_16 (@x[$d0],@x[$d0])",
++ "&rev32_16 (@x[$d1],@x[$d1])",
++ "&rev32_16 (@x[$d2],@x[$d2])",
++ "&rev32_16 (@x[$d3],@x[$d3])",
++
++ "&add (@x[$c0],@x[$c0],@x[$d0])",
++ "&add (@x[$c1],@x[$c1],@x[$d1])",
++ "&add (@x[$c2],@x[$c2],@x[$d2])",
++ "&add (@x[$c3],@x[$c3],@x[$d3])",
++ "&eor ('$xt0',@x[$b0],@x[$c0])",
++ "&eor ('$xt1',@x[$b1],@x[$c1])",
++ "&eor ('$xt2',@x[$b2],@x[$c2])",
++ "&eor ('$xt3',@x[$b3],@x[$c3])",
++ "&ushr (@x[$b0],'$xt0',20)",
++ "&ushr (@x[$b1],'$xt1',20)",
++ "&ushr (@x[$b2],'$xt2',20)",
++ "&ushr (@x[$b3],'$xt3',20)",
++ "&sli (@x[$b0],'$xt0',12)",
++ "&sli (@x[$b1],'$xt1',12)",
++ "&sli (@x[$b2],'$xt2',12)",
++ "&sli (@x[$b3],'$xt3',12)",
++
++ "&add (@x[$a0],@x[$a0],@x[$b0])",
++ "&add (@x[$a1],@x[$a1],@x[$b1])",
++ "&add (@x[$a2],@x[$a2],@x[$b2])",
++ "&add (@x[$a3],@x[$a3],@x[$b3])",
++ "&eor ('$xt0',@x[$d0],@x[$a0])",
++ "&eor ('$xt1',@x[$d1],@x[$a1])",
++ "&eor ('$xt2',@x[$d2],@x[$a2])",
++ "&eor ('$xt3',@x[$d3],@x[$a3])",
++ "&tbl (@x[$d0],'{$xt0}','$ROT24')",
++ "&tbl (@x[$d1],'{$xt1}','$ROT24')",
++ "&tbl (@x[$d2],'{$xt2}','$ROT24')",
++ "&tbl (@x[$d3],'{$xt3}','$ROT24')",
++
++ "&add (@x[$c0],@x[$c0],@x[$d0])",
++ "&add (@x[$c1],@x[$c1],@x[$d1])",
++ "&add (@x[$c2],@x[$c2],@x[$d2])",
++ "&add (@x[$c3],@x[$c3],@x[$d3])",
++ "&eor ('$xt0',@x[$b0],@x[$c0])",
++ "&eor ('$xt1',@x[$b1],@x[$c1])",
++ "&eor ('$xt2',@x[$b2],@x[$c2])",
++ "&eor ('$xt3',@x[$b3],@x[$c3])",
++ "&ushr (@x[$b0],'$xt0',25)",
++ "&ushr (@x[$b1],'$xt1',25)",
++ "&ushr (@x[$b2],'$xt2',25)",
++ "&ushr (@x[$b3],'$xt3',25)",
++ "&sli (@x[$b0],'$xt0',7)",
++ "&sli (@x[$b1],'$xt1',7)",
++ "&sli (@x[$b2],'$xt2',7)",
++ "&sli (@x[$b3],'$xt3',7)"
+ );
+ }
+
+ $code.=<<___;
+
++#ifdef __KERNEL__
++.globl ChaCha20_neon
++#endif
+ .type ChaCha20_neon,%function
+ .align 5
+ ChaCha20_neon:
++.LChaCha20_neon:
+ .inst 0xd503233f // paciasp
+ stp x29,x30,[sp,#-96]!
+ add x29,sp,#0
+@@ -402,8 +454,9 @@ ChaCha20_neon:
+ ld1 {@K[1],@K[2]},[$key]
+ ldp @d[6],@d[7],[$ctr] // load counter
+ ld1 {@K[3]},[$ctr]
+- ld1 {$ONE},[@x[0]]
+-#ifdef __ARMEB__
++ stp d8,d9,[sp] // meet ABI requirements
++ ld1 {$CTR,$ROT24},[@x[0]]
++#ifdef __AARCH64EB__
+ rev64 @K[0],@K[0]
+ ror @d[2],@d[2],#32
+ ror @d[3],@d[3],#32
+@@ -412,115 +465,129 @@ ChaCha20_neon:
+ ror @d[6],@d[6],#32
+ ror @d[7],@d[7],#32
+ #endif
+- add @K[3],@K[3],$ONE // += 1
+- add @K[4],@K[3],$ONE
+- add @K[5],@K[4],$ONE
+- shl $ONE,$ONE,#2 // 1 -> 4
+
+ .Loop_outer_neon:
+- mov.32 @x[0],@d[0] // unpack key block
+- lsr @x[1],@d[0],#32
+- mov $A0,@K[0]
+- mov.32 @x[2],@d[1]
+- lsr @x[3],@d[1],#32
+- mov $A1,@K[0]
+- mov.32 @x[4],@d[2]
+- lsr @x[5],@d[2],#32
+- mov $A2,@K[0]
+- mov.32 @x[6],@d[3]
+- mov $B0,@K[1]
+- lsr @x[7],@d[3],#32
+- mov $B1,@K[1]
+- mov.32 @x[8],@d[4]
+- mov $B2,@K[1]
+- lsr @x[9],@d[4],#32
+- mov $D0,@K[3]
+- mov.32 @x[10],@d[5]
+- mov $D1,@K[4]
+- lsr @x[11],@d[5],#32
+- mov $D2,@K[5]
+- mov.32 @x[12],@d[6]
+- mov $C0,@K[2]
+- lsr @x[13],@d[6],#32
+- mov $C1,@K[2]
+- mov.32 @x[14],@d[7]
+- mov $C2,@K[2]
+- lsr @x[15],@d[7],#32
++ dup $xa0,@{K[0]}[0] // unpack key block
++ mov.32 @x[0],@d[0]
++ dup $xa1,@{K[0]}[1]
++ lsr @x[1],@d[0],#32
++ dup $xa2,@{K[0]}[2]
++ mov.32 @x[2],@d[1]
++ dup $xa3,@{K[0]}[3]
++ lsr @x[3],@d[1],#32
++ dup $xb0,@{K[1]}[0]
++ mov.32 @x[4],@d[2]
++ dup $xb1,@{K[1]}[1]
++ lsr @x[5],@d[2],#32
++ dup $xb2,@{K[1]}[2]
++ mov.32 @x[6],@d[3]
++ dup $xb3,@{K[1]}[3]
++ lsr @x[7],@d[3],#32
++ dup $xd0,@{K[3]}[0]
++ mov.32 @x[8],@d[4]
++ dup $xd1,@{K[3]}[1]
++ lsr @x[9],@d[4],#32
++ dup $xd2,@{K[3]}[2]
++ mov.32 @x[10],@d[5]
++ dup $xd3,@{K[3]}[3]
++ lsr @x[11],@d[5],#32
++ add $xd0,$xd0,$CTR
++ mov.32 @x[12],@d[6]
++ dup $xc0,@{K[2]}[0]
++ lsr @x[13],@d[6],#32
++ dup $xc1,@{K[2]}[1]
++ mov.32 @x[14],@d[7]
++ dup $xc2,@{K[2]}[2]
++ lsr @x[15],@d[7],#32
++ dup $xc3,@{K[2]}[3]
+
+ mov $ctr,#10
+- subs $len,$len,#256
++ subs $len,$len,#320
+ .Loop_neon:
+ sub $ctr,$ctr,#1
+ ___
+- my @thread0=&NEONROUND($A0,$B0,$C0,$D0,$T0,0);
+- my @thread1=&NEONROUND($A1,$B1,$C1,$D1,$T1,0);
+- my @thread2=&NEONROUND($A2,$B2,$C2,$D2,$T2,0);
+- my @thread3=&ROUND(0,4,8,12);
+-
+- foreach (@thread0) {
+- eval; eval(shift(@thread3));
+- eval(shift(@thread1)); eval(shift(@thread3));
+- eval(shift(@thread2)); eval(shift(@thread3));
+- }
+-
+- @thread0=&NEONROUND($A0,$B0,$C0,$D0,$T0,1);
+- @thread1=&NEONROUND($A1,$B1,$C1,$D1,$T1,1);
+- @thread2=&NEONROUND($A2,$B2,$C2,$D2,$T2,1);
+- @thread3=&ROUND(0,5,10,15);
++ my @plus_one=&ROUND(0,4,8,12);
++ foreach (&NEON_lane_ROUND(0,4,8,12)) { eval; eval(shift(@plus_one)); }
+
+- foreach (@thread0) {
+- eval; eval(shift(@thread3));
+- eval(shift(@thread1)); eval(shift(@thread3));
+- eval(shift(@thread2)); eval(shift(@thread3));
+- }
++ @plus_one=&ROUND(0,5,10,15);
++ foreach (&NEON_lane_ROUND(0,5,10,15)) { eval; eval(shift(@plus_one)); }
+ $code.=<<___;
+ cbnz $ctr,.Loop_neon
+
+- add.32 @x[0],@x[0],@d[0] // accumulate key block
+- add $A0,$A0,@K[0]
+- add @x[1],@x[1],@d[0],lsr#32
+- add $A1,$A1,@K[0]
+- add.32 @x[2],@x[2],@d[1]
+- add $A2,$A2,@K[0]
+- add @x[3],@x[3],@d[1],lsr#32
+- add $C0,$C0,@K[2]
+- add.32 @x[4],@x[4],@d[2]
+- add $C1,$C1,@K[2]
+- add @x[5],@x[5],@d[2],lsr#32
+- add $C2,$C2,@K[2]
+- add.32 @x[6],@x[6],@d[3]
+- add $D0,$D0,@K[3]
+- add @x[7],@x[7],@d[3],lsr#32
+- add.32 @x[8],@x[8],@d[4]
+- add $D1,$D1,@K[4]
+- add @x[9],@x[9],@d[4],lsr#32
+- add.32 @x[10],@x[10],@d[5]
+- add $D2,$D2,@K[5]
+- add @x[11],@x[11],@d[5],lsr#32
+- add.32 @x[12],@x[12],@d[6]
+- add $B0,$B0,@K[1]
+- add @x[13],@x[13],@d[6],lsr#32
+- add.32 @x[14],@x[14],@d[7]
+- add $B1,$B1,@K[1]
+- add @x[15],@x[15],@d[7],lsr#32
+- add $B2,$B2,@K[1]
++ add $xd0,$xd0,$CTR
++
++ zip1 $xt0,$xa0,$xa1 // transpose data
++ zip1 $xt1,$xa2,$xa3
++ zip2 $xt2,$xa0,$xa1
++ zip2 $xt3,$xa2,$xa3
++ zip1.64 $xa0,$xt0,$xt1
++ zip2.64 $xa1,$xt0,$xt1
++ zip1.64 $xa2,$xt2,$xt3
++ zip2.64 $xa3,$xt2,$xt3
++
++ zip1 $xt0,$xb0,$xb1
++ zip1 $xt1,$xb2,$xb3
++ zip2 $xt2,$xb0,$xb1
++ zip2 $xt3,$xb2,$xb3
++ zip1.64 $xb0,$xt0,$xt1
++ zip2.64 $xb1,$xt0,$xt1
++ zip1.64 $xb2,$xt2,$xt3
++ zip2.64 $xb3,$xt2,$xt3
++
++ zip1 $xt0,$xc0,$xc1
++ add.32 @x[0],@x[0],@d[0] // accumulate key block
++ zip1 $xt1,$xc2,$xc3
++ add @x[1],@x[1],@d[0],lsr#32
++ zip2 $xt2,$xc0,$xc1
++ add.32 @x[2],@x[2],@d[1]
++ zip2 $xt3,$xc2,$xc3
++ add @x[3],@x[3],@d[1],lsr#32
++ zip1.64 $xc0,$xt0,$xt1
++ add.32 @x[4],@x[4],@d[2]
++ zip2.64 $xc1,$xt0,$xt1
++ add @x[5],@x[5],@d[2],lsr#32
++ zip1.64 $xc2,$xt2,$xt3
++ add.32 @x[6],@x[6],@d[3]
++ zip2.64 $xc3,$xt2,$xt3
++ add @x[7],@x[7],@d[3],lsr#32
++
++ zip1 $xt0,$xd0,$xd1
++ add.32 @x[8],@x[8],@d[4]
++ zip1 $xt1,$xd2,$xd3
++ add @x[9],@x[9],@d[4],lsr#32
++ zip2 $xt2,$xd0,$xd1
++ add.32 @x[10],@x[10],@d[5]
++ zip2 $xt3,$xd2,$xd3
++ add @x[11],@x[11],@d[5],lsr#32
++ zip1.64 $xd0,$xt0,$xt1
++ add.32 @x[12],@x[12],@d[6]
++ zip2.64 $xd1,$xt0,$xt1
++ add @x[13],@x[13],@d[6],lsr#32
++ zip1.64 $xd2,$xt2,$xt3
++ add.32 @x[14],@x[14],@d[7]
++ zip2.64 $xd3,$xt2,$xt3
++ add @x[15],@x[15],@d[7],lsr#32
+
+ b.lo .Ltail_neon
+
+ add @x[0],@x[0],@x[1],lsl#32 // pack
+ add @x[2],@x[2],@x[3],lsl#32
+ ldp @x[1],@x[3],[$inp,#0] // load input
++ add $xa0,$xa0,@K[0] // accumulate key block
+ add @x[4],@x[4],@x[5],lsl#32
+ add @x[6],@x[6],@x[7],lsl#32
+ ldp @x[5],@x[7],[$inp,#16]
++ add $xb0,$xb0,@K[1]
+ add @x[8],@x[8],@x[9],lsl#32
+ add @x[10],@x[10],@x[11],lsl#32
+ ldp @x[9],@x[11],[$inp,#32]
++ add $xc0,$xc0,@K[2]
+ add @x[12],@x[12],@x[13],lsl#32
+ add @x[14],@x[14],@x[15],lsl#32
+ ldp @x[13],@x[15],[$inp,#48]
++ add $xd0,$xd0,@K[3]
+ add $inp,$inp,#64
+-#ifdef __ARMEB__
++#ifdef __AARCH64EB__
+ rev @x[0],@x[0]
+ rev @x[2],@x[2]
+ rev @x[4],@x[4]
+@@ -530,48 +597,68 @@ $code.=<<___;
+ rev @x[12],@x[12]
+ rev @x[14],@x[14]
+ #endif
+- ld1.8 {$T0-$T3},[$inp],#64
++ ld1.8 {$xt0-$xt3},[$inp],#64
+ eor @x[0],@x[0],@x[1]
++ add $xa1,$xa1,@K[0]
+ eor @x[2],@x[2],@x[3]
++ add $xb1,$xb1,@K[1]
+ eor @x[4],@x[4],@x[5]
++ add $xc1,$xc1,@K[2]
+ eor @x[6],@x[6],@x[7]
++ add $xd1,$xd1,@K[3]
+ eor @x[8],@x[8],@x[9]
+- eor $A0,$A0,$T0
++ eor $xa0,$xa0,$xt0
++ movi $xt0,#5
+ eor @x[10],@x[10],@x[11]
+- eor $B0,$B0,$T1
++ eor $xb0,$xb0,$xt1
+ eor @x[12],@x[12],@x[13]
+- eor $C0,$C0,$T2
++ eor $xc0,$xc0,$xt2
+ eor @x[14],@x[14],@x[15]
+- eor $D0,$D0,$T3
+- ld1.8 {$T0-$T3},[$inp],#64
++ eor $xd0,$xd0,$xt3
++ add $CTR,$CTR,$xt0 // += 5
++ ld1.8 {$xt0-$xt3},[$inp],#64
+
+ stp @x[0],@x[2],[$out,#0] // store output
+- add @d[6],@d[6],#4 // increment counter
++ add @d[6],@d[6],#5 // increment counter
+ stp @x[4],@x[6],[$out,#16]
+- add @K[3],@K[3],$ONE // += 4
+ stp @x[8],@x[10],[$out,#32]
+- add @K[4],@K[4],$ONE
+ stp @x[12],@x[14],[$out,#48]
+- add @K[5],@K[5],$ONE
+ add $out,$out,#64
+
+- st1.8 {$A0-$D0},[$out],#64
+- ld1.8 {$A0-$D0},[$inp],#64
+-
+- eor $A1,$A1,$T0
+- eor $B1,$B1,$T1
+- eor $C1,$C1,$T2
+- eor $D1,$D1,$T3
+- st1.8 {$A1-$D1},[$out],#64
+-
+- eor $A2,$A2,$A0
+- eor $B2,$B2,$B0
+- eor $C2,$C2,$C0
+- eor $D2,$D2,$D0
+- st1.8 {$A2-$D2},[$out],#64
++ st1.8 {$xa0-$xd0},[$out],#64
++ add $xa2,$xa2,@K[0]
++ add $xb2,$xb2,@K[1]
++ add $xc2,$xc2,@K[2]
++ add $xd2,$xd2,@K[3]
++ ld1.8 {$xa0-$xd0},[$inp],#64
++
++ eor $xa1,$xa1,$xt0
++ eor $xb1,$xb1,$xt1
++ eor $xc1,$xc1,$xt2
++ eor $xd1,$xd1,$xt3
++ st1.8 {$xa1-$xd1},[$out],#64
++ add $xa3,$xa3,@K[0]
++ add $xb3,$xb3,@K[1]
++ add $xc3,$xc3,@K[2]
++ add $xd3,$xd3,@K[3]
++ ld1.8 {$xa1-$xd1},[$inp],#64
++
++ eor $xa2,$xa2,$xa0
++ eor $xb2,$xb2,$xb0
++ eor $xc2,$xc2,$xc0
++ eor $xd2,$xd2,$xd0
++ st1.8 {$xa2-$xd2},[$out],#64
++
++ eor $xa3,$xa3,$xa1
++ eor $xb3,$xb3,$xb1
++ eor $xc3,$xc3,$xc1
++ eor $xd3,$xd3,$xd1
++ st1.8 {$xa3-$xd3},[$out],#64
+
+ b.hi .Loop_outer_neon
+
++ ldp d8,d9,[sp] // meet ABI requirements
++
+ ldp x19,x20,[x29,#16]
+ add sp,sp,#64
+ ldp x21,x22,[x29,#32]
+@@ -582,8 +669,10 @@ $code.=<<___;
+ .inst 0xd50323bf // autiasp
+ ret
+
++.align 4
+ .Ltail_neon:
+- add $len,$len,#256
++ add $len,$len,#320
++ ldp d8,d9,[sp] // meet ABI requirements
+ cmp $len,#64
+ b.lo .Less_than_64
+
+@@ -600,7 +689,7 @@ $code.=<<___;
+ add @x[14],@x[14],@x[15],lsl#32
+ ldp @x[13],@x[15],[$inp,#48]
+ add $inp,$inp,#64
+-#ifdef __ARMEB__
++#ifdef __AARCH64EB__
+ rev @x[0],@x[0]
+ rev @x[2],@x[2]
+ rev @x[4],@x[4]
+@@ -620,48 +709,68 @@ $code.=<<___;
+ eor @x[14],@x[14],@x[15]
+
+ stp @x[0],@x[2],[$out,#0] // store output
+- add @d[6],@d[6],#4 // increment counter
++ add $xa0,$xa0,@K[0] // accumulate key block
+ stp @x[4],@x[6],[$out,#16]
++ add $xb0,$xb0,@K[1]
+ stp @x[8],@x[10],[$out,#32]
++ add $xc0,$xc0,@K[2]
+ stp @x[12],@x[14],[$out,#48]
++ add $xd0,$xd0,@K[3]
+ add $out,$out,#64
+ b.eq .Ldone_neon
+ sub $len,$len,#64
+ cmp $len,#64
+- b.lo .Less_than_128
++ b.lo .Last_neon
+
+- ld1.8 {$T0-$T3},[$inp],#64
+- eor $A0,$A0,$T0
+- eor $B0,$B0,$T1
+- eor $C0,$C0,$T2
+- eor $D0,$D0,$T3
+- st1.8 {$A0-$D0},[$out],#64
++ ld1.8 {$xt0-$xt3},[$inp],#64
++ eor $xa0,$xa0,$xt0
++ eor $xb0,$xb0,$xt1
++ eor $xc0,$xc0,$xt2
++ eor $xd0,$xd0,$xt3
++ st1.8 {$xa0-$xd0},[$out],#64
+ b.eq .Ldone_neon
++
++ add $xa0,$xa1,@K[0]
++ add $xb0,$xb1,@K[1]
+ sub $len,$len,#64
++ add $xc0,$xc1,@K[2]
+ cmp $len,#64
+- b.lo .Less_than_192
++ add $xd0,$xd1,@K[3]
++ b.lo .Last_neon
+
+- ld1.8 {$T0-$T3},[$inp],#64
+- eor $A1,$A1,$T0
+- eor $B1,$B1,$T1
+- eor $C1,$C1,$T2
+- eor $D1,$D1,$T3
+- st1.8 {$A1-$D1},[$out],#64
++ ld1.8 {$xt0-$xt3},[$inp],#64
++ eor $xa1,$xa0,$xt0
++ eor $xb1,$xb0,$xt1
++ eor $xc1,$xc0,$xt2
++ eor $xd1,$xd0,$xt3
++ st1.8 {$xa1-$xd1},[$out],#64
+ b.eq .Ldone_neon
++
++ add $xa0,$xa2,@K[0]
++ add $xb0,$xb2,@K[1]
+ sub $len,$len,#64
++ add $xc0,$xc2,@K[2]
++ cmp $len,#64
++ add $xd0,$xd2,@K[3]
++ b.lo .Last_neon
+
+- st1.8 {$A2-$D2},[sp]
+- b .Last_neon
++ ld1.8 {$xt0-$xt3},[$inp],#64
++ eor $xa2,$xa0,$xt0
++ eor $xb2,$xb0,$xt1
++ eor $xc2,$xc0,$xt2
++ eor $xd2,$xd0,$xt3
++ st1.8 {$xa2-$xd2},[$out],#64
++ b.eq .Ldone_neon
+
+-.Less_than_128:
+- st1.8 {$A0-$D0},[sp]
+- b .Last_neon
+-.Less_than_192:
+- st1.8 {$A1-$D1},[sp]
+- b .Last_neon
++ add $xa0,$xa3,@K[0]
++ add $xb0,$xb3,@K[1]
++ add $xc0,$xc3,@K[2]
++ add $xd0,$xd3,@K[3]
++ sub $len,$len,#64
+
+-.align 4
+ .Last_neon:
++ st1.8 {$xa0-$xd0},[sp]
++
+ sub $out,$out,#1
+ add $inp,$inp,$len
+ add $out,$out,$len
+@@ -694,9 +803,41 @@ $code.=<<___;
+ .size ChaCha20_neon,.-ChaCha20_neon
+ ___
+ {
++my @K = map("v$_.4s",(0..6));
+ my ($T0,$T1,$T2,$T3,$T4,$T5)=@K;
+ my ($A0,$B0,$C0,$D0,$A1,$B1,$C1,$D1,$A2,$B2,$C2,$D2,
+- $A3,$B3,$C3,$D3,$A4,$B4,$C4,$D4,$A5,$B5,$C5,$D5) = map("v$_.4s",(0..23));
++ $A3,$B3,$C3,$D3,$A4,$B4,$C4,$D4,$A5,$B5,$C5,$D5) = map("v$_.4s",(8..31));
++my $rot24 = @K[6];
++my $ONE = "v7.4s";
++
++sub NEONROUND {
++my $odd = pop;
++my ($a,$b,$c,$d,$t)=@_;
++
++ (
++ "&add ('$a','$a','$b')",
++ "&eor ('$d','$d','$a')",
++ "&rev32_16 ('$d','$d')", # vrot ($d,16)
++
++ "&add ('$c','$c','$d')",
++ "&eor ('$t','$b','$c')",
++ "&ushr ('$b','$t',20)",
++ "&sli ('$b','$t',12)",
++
++ "&add ('$a','$a','$b')",
++ "&eor ('$d','$d','$a')",
++ "&tbl ('$d','{$d}','$rot24')",
++
++ "&add ('$c','$c','$d')",
++ "&eor ('$t','$b','$c')",
++ "&ushr ('$b','$t',25)",
++ "&sli ('$b','$t',7)",
++
++ "&ext ('$c','$c','$c',8)",
++ "&ext ('$d','$d','$d',$odd?4:12)",
++ "&ext ('$b','$b','$b',$odd?12:4)"
++ );
++}
+
+ $code.=<<___;
+ .type ChaCha20_512_neon,%function
+@@ -716,6 +857,7 @@ ChaCha20_512_neon:
+ .L512_or_more_neon:
+ sub sp,sp,#128+64
+
++ eor $ONE,$ONE,$ONE
+ ldp @d[0],@d[1],[@x[0]] // load sigma
+ ld1 {@K[0]},[@x[0]],#16
+ ldp @d[2],@d[3],[$key] // load key
+@@ -723,8 +865,9 @@ ChaCha20_512_neon:
+ ld1 {@K[1],@K[2]},[$key]
+ ldp @d[6],@d[7],[$ctr] // load counter
+ ld1 {@K[3]},[$ctr]
+- ld1 {$ONE},[@x[0]]
+-#ifdef __ARMEB__
++ ld1 {$ONE}[0],[@x[0]]
++ add $key,@x[0],#16 // .Lrot24
++#ifdef __AARCH64EB__
+ rev64 @K[0],@K[0]
+ ror @d[2],@d[2],#32
+ ror @d[3],@d[3],#32
+@@ -791,9 +934,10 @@ ChaCha20_512_neon:
+ mov $C4,@K[2]
+ stp @K[3],@K[4],[sp,#48] // off-load key block, variable part
+ mov $C5,@K[2]
+- str @K[5],[sp,#80]
++ stp @K[5],@K[6],[sp,#80]
+
+ mov $ctr,#5
++ ld1 {$rot24},[$key]
+ subs $len,$len,#512
+ .Loop_upper_neon:
+ sub $ctr,$ctr,#1
+@@ -866,7 +1010,7 @@ $code.=<<___;
+ add @x[14],@x[14],@x[15],lsl#32
+ ldp @x[13],@x[15],[$inp,#48]
+ add $inp,$inp,#64
+-#ifdef __ARMEB__
++#ifdef __AARCH64EB__
+ rev @x[0],@x[0]
+ rev @x[2],@x[2]
+ rev @x[4],@x[4]
+@@ -955,6 +1099,7 @@ $code.=<<___;
+ add.32 @x[2],@x[2],@d[1]
+ ldp @K[4],@K[5],[sp,#64]
+ add @x[3],@x[3],@d[1],lsr#32
++ ldr @K[6],[sp,#96]
+ add $A0,$A0,@K[0]
+ add.32 @x[4],@x[4],@d[2]
+ add $A1,$A1,@K[0]
+@@ -1007,7 +1152,7 @@ $code.=<<___;
+ add $inp,$inp,#64
+ add $B5,$B5,@K[1]
+
+-#ifdef __ARMEB__
++#ifdef __AARCH64EB__
+ rev @x[0],@x[0]
+ rev @x[2],@x[2]
+ rev @x[4],@x[4]
+@@ -1085,26 +1230,26 @@ $code.=<<___;
+ b.hs .Loop_outer_512_neon
+
+ adds $len,$len,#512
+- ushr $A0,$ONE,#2 // 4 -> 1
++ ushr $ONE,$ONE,#1 // 4 -> 2
+
+- ldp d8,d9,[sp,#128+0] // meet ABI requirements
+ ldp d10,d11,[sp,#128+16]
+ ldp d12,d13,[sp,#128+32]
+ ldp d14,d15,[sp,#128+48]
+
+- stp @K[0],$ONE,[sp,#0] // wipe off-load area
+- stp @K[0],$ONE,[sp,#32]
+- stp @K[0],$ONE,[sp,#64]
++ stp @K[0],@K[0],[sp,#0] // wipe off-load area
++ stp @K[0],@K[0],[sp,#32]
++ stp @K[0],@K[0],[sp,#64]
+
+ b.eq .Ldone_512_neon
+
++ sub $key,$key,#16 // .Lone
+ cmp $len,#192
+- sub @K[3],@K[3],$A0 // -= 1
+- sub @K[4],@K[4],$A0
+- sub @K[5],@K[5],$A0
+ add sp,sp,#128
++ sub @K[3],@K[3],$ONE // -= 2
++ ld1 {$CTR,$ROT24},[$key]
+ b.hs .Loop_outer_neon
+
++ ldp d8,d9,[sp,#0] // meet ABI requirements
+ eor @K[1],@K[1],@K[1]
+ eor @K[2],@K[2],@K[2]
+ eor @K[3],@K[3],@K[3]
+@@ -1114,6 +1259,7 @@ $code.=<<___;
+ b .Loop_outer
+
+ .Ldone_512_neon:
++ ldp d8,d9,[sp,#128+0] // meet ABI requirements
+ ldp x19,x20,[x29,#16]
+ add sp,sp,#128+64
+ ldp x21,x22,[x29,#32]
+@@ -1132,9 +1278,11 @@ foreach (split("\n",$code)) {
+ s/\`([^\`]*)\`/eval $1/geo;
+
+ (s/\b([a-z]+)\.32\b/$1/ and (s/x([0-9]+)/w$1/g or 1)) or
+- (m/\b(eor|ext|mov)\b/ and (s/\.4s/\.16b/g or 1)) or
++ (m/\b(eor|ext|mov|tbl)\b/ and (s/\.4s/\.16b/g or 1)) or
+ (s/\b((?:ld|st)1)\.8\b/$1/ and (s/\.4s/\.16b/g or 1)) or
+ (m/\b(ld|st)[rp]\b/ and (s/v([0-9]+)\.4s/q$1/g or 1)) or
++ (m/\b(dup|ld1)\b/ and (s/\.4(s}?\[[0-3]\])/.$1/g or 1)) or
++ (s/\b(zip[12])\.64\b/$1/ and (s/\.4s/\.2d/g or 1)) or
+ (s/\brev32\.16\b/rev32/ and (s/\.4s/\.8h/g or 1));
+
+ #s/\bq([0-9]+)#(lo|hi)/sprintf "d%d",2*$1+($2 eq "hi")/geo;
+diff -up openssl-1.1.1c/crypto/modes/asm/ghashv8-armx.pl.arm-update openssl-1.1.1c/crypto/modes/asm/ghashv8-armx.pl
+--- openssl-1.1.1c/crypto/modes/asm/ghashv8-armx.pl.arm-update 2019-05-28 15:12:21.000000000 +0200
++++ openssl-1.1.1c/crypto/modes/asm/ghashv8-armx.pl 2019-11-20 11:36:22.389506155 +0100
+@@ -42,6 +42,7 @@
+ # Denver 0.51 0.65 6.02
+ # Mongoose 0.65 1.10 8.06
+ # Kryo 0.76 1.16 8.00
++# ThunderX2 1.05
+ #
+ # (*) presented for reference/comparison purposes;
+
+diff -up openssl-1.1.1c/crypto/poly1305/asm/poly1305-armv8.pl.arm-update openssl-1.1.1c/crypto/poly1305/asm/poly1305-armv8.pl
+--- openssl-1.1.1c/crypto/poly1305/asm/poly1305-armv8.pl.arm-update 2019-05-28 15:12:21.000000000 +0200
++++ openssl-1.1.1c/crypto/poly1305/asm/poly1305-armv8.pl 2019-11-20 11:36:22.390506137 +0100
+@@ -29,6 +29,7 @@
+ # X-Gene 2.13/+68% 2.27
+ # Mongoose 1.77/+75% 1.12
+ # Kryo 2.70/+55% 1.13
++# ThunderX2 1.17/+95% 1.36
+ #
+ # (*) estimate based on resources availability is less than 1.0,
+ # i.e. measured result is worse than expected, presumably binary
+diff -up openssl-1.1.1c/crypto/sha/asm/keccak1600-armv8.pl.arm-update openssl-1.1.1c/crypto/sha/asm/keccak1600-armv8.pl
+--- openssl-1.1.1c/crypto/sha/asm/keccak1600-armv8.pl.arm-update 2019-05-28 15:12:21.000000000 +0200
++++ openssl-1.1.1c/crypto/sha/asm/keccak1600-armv8.pl 2019-11-20 11:36:22.390506137 +0100
+@@ -51,6 +51,7 @@
+ # Kryo 12
+ # Denver 7.8
+ # Apple A7 7.2
++# ThunderX2 9.7
+ #
+ # (*) Corresponds to SHA3-256. No improvement coefficients are listed
+ # because they vary too much from compiler to compiler. Newer
+diff -up openssl-1.1.1c/crypto/sha/asm/sha1-armv8.pl.arm-update openssl-1.1.1c/crypto/sha/asm/sha1-armv8.pl
+--- openssl-1.1.1c/crypto/sha/asm/sha1-armv8.pl.arm-update 2019-05-28 15:12:21.000000000 +0200
++++ openssl-1.1.1c/crypto/sha/asm/sha1-armv8.pl 2019-11-20 11:36:22.390506137 +0100
+@@ -27,6 +27,7 @@
+ # X-Gene 8.80 (+200%)
+ # Mongoose 2.05 6.50 (+160%)
+ # Kryo 1.88 8.00 (+90%)
++# ThunderX2 2.64 6.36 (+150%)
+ #
+ # (*) Software results are presented mostly for reference purposes.
+ # (**) Keep in mind that Denver relies on binary translation, which
+diff -up openssl-1.1.1c/crypto/sha/asm/sha512-armv8.pl.arm-update openssl-1.1.1c/crypto/sha/asm/sha512-armv8.pl
+--- openssl-1.1.1c/crypto/sha/asm/sha512-armv8.pl.arm-update 2019-05-28 15:12:21.000000000 +0200
++++ openssl-1.1.1c/crypto/sha/asm/sha512-armv8.pl 2019-11-20 11:36:22.390506137 +0100
+@@ -28,6 +28,7 @@
+ # X-Gene 20.0 (+100%) 12.8 (+300%(***))
+ # Mongoose 2.36 13.0 (+50%) 8.36 (+33%)
+ # Kryo 1.92 17.4 (+30%) 11.2 (+8%)
++# ThunderX2 2.54 13.2 (+40%) 8.40 (+18%)
+ #
+ # (*) Software SHA256 results are of lesser relevance, presented
+ # mostly for informational purposes.
diff --git a/openssl-1.1.1-edk2-build.patch b/openssl-1.1.1-edk2-build.patch
new file mode 100644
index 0000000..b13708e
--- /dev/null
+++ b/openssl-1.1.1-edk2-build.patch
@@ -0,0 +1,57 @@
+diff -up openssl-1.1.1g/crypto/evp/pkey_kdf.c.edk2-build openssl-1.1.1g/crypto/evp/pkey_kdf.c
+--- openssl-1.1.1g/crypto/evp/pkey_kdf.c.edk2-build 2020-05-18 12:55:53.299548432 +0200
++++ openssl-1.1.1g/crypto/evp/pkey_kdf.c 2020-05-18 12:55:53.340548788 +0200
+@@ -12,6 +12,7 @@
+ #include <openssl/evp.h>
+ #include <openssl/err.h>
+ #include <openssl/kdf.h>
++#include "internal/numbers.h"
+ #include "crypto/evp.h"
+
+ static int pkey_kdf_init(EVP_PKEY_CTX *ctx)
+diff -up openssl-1.1.1g/crypto/kdf/hkdf.c.edk2-build openssl-1.1.1g/crypto/kdf/hkdf.c
+--- openssl-1.1.1g/crypto/kdf/hkdf.c.edk2-build 2020-05-18 12:55:53.340548788 +0200
++++ openssl-1.1.1g/crypto/kdf/hkdf.c 2020-05-18 12:57:18.648288904 +0200
+@@ -13,6 +13,7 @@
+ #include <openssl/hmac.h>
+ #include <openssl/kdf.h>
+ #include <openssl/evp.h>
++#include "internal/numbers.h"
+ #include "internal/cryptlib.h"
+ #include "crypto/evp.h"
+ #include "kdf_local.h"
+diff -up openssl-1.1.1g/crypto/rand/rand_unix.c.edk2-build openssl-1.1.1g/crypto/rand/rand_unix.c
+--- openssl-1.1.1g/crypto/rand/rand_unix.c.edk2-build 2020-05-18 12:56:05.646655554 +0200
++++ openssl-1.1.1g/crypto/rand/rand_unix.c 2020-05-18 12:58:51.088090896 +0200
+@@ -20,7 +20,7 @@
+ #include "crypto/fips.h"
+ #include <stdio.h>
+ #include "internal/dso.h"
+-#ifdef __linux
++#if defined(__linux) && !defined(OPENSSL_SYS_UEFI)
+ # include <sys/syscall.h>
+ # include <sys/random.h>
+ # ifdef DEVRANDOM_WAIT
+diff -up openssl-1.1.1g/include/crypto/fips.h.edk2-build openssl-1.1.1g/include/crypto/fips.h
+--- openssl-1.1.1g/include/crypto/fips.h.edk2-build 2020-05-18 12:55:53.296548406 +0200
++++ openssl-1.1.1g/include/crypto/fips.h 2020-05-18 12:55:53.340548788 +0200
+@@ -50,10 +50,6 @@
+ #include <openssl/opensslconf.h>
+ #include <openssl/evp.h>
+
+-#ifndef OPENSSL_FIPS
+-# error FIPS is disabled.
+-#endif
+-
+ #ifdef OPENSSL_FIPS
+
+ int FIPS_module_mode_set(int onoff);
+@@ -97,4 +93,8 @@ void fips_set_selftest_fail(void);
+
+ void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr);
+
++#else
++
++# define fips_in_post() 0
++
+ #endif
diff --git a/openssl-1.1.1-fips-curves.patch b/openssl-1.1.1-fips-curves.patch
new file mode 100644
index 0000000..33e9fc5
--- /dev/null
+++ b/openssl-1.1.1-fips-curves.patch
@@ -0,0 +1,200 @@
+diff -up openssl-1.1.1g/crypto/ec/ec_curve.c.fips-curves openssl-1.1.1g/crypto/ec/ec_curve.c
+--- openssl-1.1.1g/crypto/ec/ec_curve.c.fips-curves 2020-05-18 12:59:54.839643980 +0200
++++ openssl-1.1.1g/crypto/ec/ec_curve.c 2020-05-18 12:59:54.852644093 +0200
+@@ -13,6 +13,7 @@
+ #include <openssl/err.h>
+ #include <openssl/obj_mac.h>
+ #include <openssl/opensslconf.h>
++#include <openssl/crypto.h>
+ #include "internal/nelem.h"
+
+ typedef struct {
+@@ -237,6 +238,7 @@ static const struct {
+
+ typedef struct _ec_list_element_st {
+ int nid;
++ int fips_allowed;
+ const EC_CURVE_DATA *data;
+ const EC_METHOD *(*meth) (void);
+ const char *comment;
+@@ -246,23 +248,23 @@ static const ec_list_element curve_list[
+ /* prime field curves */
+ /* secg curves */
+ #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
+- {NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
++ {NID_secp224r1, 1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
+ "NIST/SECG curve over a 224 bit prime field"},
+ #else
+- {NID_secp224r1, &_EC_NIST_PRIME_224.h, 0,
++ {NID_secp224r1, 1, &_EC_NIST_PRIME_224.h, 0,
+ "NIST/SECG curve over a 224 bit prime field"},
+ #endif
+- {NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0,
++ {NID_secp256k1, 0, &_EC_SECG_PRIME_256K1.h, 0,
+ "SECG curve over a 256 bit prime field"},
+ /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
+- {NID_secp384r1, &_EC_NIST_PRIME_384.h,
++ {NID_secp384r1, 1, &_EC_NIST_PRIME_384.h,
+ # if defined(S390X_EC_ASM)
+ EC_GFp_s390x_nistp384_method,
+ # else
+ 0,
+ # endif
+ "NIST/SECG curve over a 384 bit prime field"},
+- {NID_secp521r1, &_EC_NIST_PRIME_521.h,
++ {NID_secp521r1, 1, &_EC_NIST_PRIME_521.h,
+ # if defined(S390X_EC_ASM)
+ EC_GFp_s390x_nistp521_method,
+ # elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
+@@ -272,7 +274,7 @@ static const ec_list_element curve_list[
+ # endif
+ "NIST/SECG curve over a 521 bit prime field"},
+ /* X9.62 curves */
+- {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
++ {NID_X9_62_prime256v1, 1, &_EC_X9_62_PRIME_256V1.h,
+ #if defined(ECP_NISTZ256_ASM)
+ EC_GFp_nistz256_method,
+ # elif defined(S390X_EC_ASM)
+@@ -404,6 +406,10 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int
+
+ for (i = 0; i < curve_list_length; i++)
+ if (curve_list[i].nid == nid) {
++ if (!curve_list[i].fips_allowed && FIPS_mode()) {
++ ECerr(EC_F_EC_GROUP_NEW_BY_CURVE_NAME, EC_R_NOT_A_NIST_PRIME);
++ return NULL;
++ }
+ ret = ec_group_new_from_data(curve_list[i]);
+ break;
+ }
+@@ -418,19 +424,31 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int
+
+ size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems)
+ {
+- size_t i, min;
++ size_t i, j, num;
++ int fips_mode = FIPS_mode();
+
+- if (r == NULL || nitems == 0)
+- return curve_list_length;
++ num = curve_list_length;
++ if (fips_mode)
++ for (i = 0; i < curve_list_length; i++) {
++ if (!curve_list[i].fips_allowed)
++ --num;
++ }
+
+- min = nitems < curve_list_length ? nitems : curve_list_length;
++ if (r == NULL || nitems == 0) {
++ return num;
++ }
+
+- for (i = 0; i < min; i++) {
+- r[i].nid = curve_list[i].nid;
+- r[i].comment = curve_list[i].comment;
++ for (i = 0, j = 0; i < curve_list_length; i++) {
++ if (j >= nitems)
++ break;
++ if (!fips_mode || curve_list[i].fips_allowed) {
++ r[j].nid = curve_list[i].nid;
++ r[j].comment = curve_list[i].comment;
++ ++j;
++ }
+ }
+
+- return curve_list_length;
++ return num;
+ }
+
+ /* Functions to translate between common NIST curve names and NIDs */
+diff -up openssl-1.1.1g/ssl/t1_lib.c.fips-curves openssl-1.1.1g/ssl/t1_lib.c
+--- openssl-1.1.1g/ssl/t1_lib.c.fips-curves 2020-05-18 12:59:54.797643616 +0200
++++ openssl-1.1.1g/ssl/t1_lib.c 2020-05-18 13:03:54.748725463 +0200
+@@ -678,6 +678,36 @@ static const uint16_t tls12_sigalgs[] =
+ #endif
+ };
+
++static const uint16_t tls12_fips_sigalgs[] = {
++#ifndef OPENSSL_NO_EC
++ TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
++ TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
++ TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
++#endif
++
++ TLSEXT_SIGALG_rsa_pss_pss_sha256,
++ TLSEXT_SIGALG_rsa_pss_pss_sha384,
++ TLSEXT_SIGALG_rsa_pss_pss_sha512,
++ TLSEXT_SIGALG_rsa_pss_rsae_sha256,
++ TLSEXT_SIGALG_rsa_pss_rsae_sha384,
++ TLSEXT_SIGALG_rsa_pss_rsae_sha512,
++
++ TLSEXT_SIGALG_rsa_pkcs1_sha256,
++ TLSEXT_SIGALG_rsa_pkcs1_sha384,
++ TLSEXT_SIGALG_rsa_pkcs1_sha512,
++
++#ifndef OPENSSL_NO_EC
++ TLSEXT_SIGALG_ecdsa_sha224,
++#endif
++ TLSEXT_SIGALG_rsa_pkcs1_sha224,
++#ifndef OPENSSL_NO_DSA
++ TLSEXT_SIGALG_dsa_sha224,
++ TLSEXT_SIGALG_dsa_sha256,
++ TLSEXT_SIGALG_dsa_sha384,
++ TLSEXT_SIGALG_dsa_sha512,
++#endif
++};
++
+ #ifndef OPENSSL_NO_EC
+ static const uint16_t suiteb_sigalgs[] = {
+ TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
+@@ -894,6 +924,8 @@ static const SIGALG_LOOKUP *tls1_get_leg
+ }
+ if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg))
+ return NULL;
++ if (FIPS_mode()) /* We do not allow legacy SHA1 signatures in FIPS mode */
++ return NULL;
+ if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) {
+ const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(tls_default_sigalg[idx]);
+
+@@ -954,6 +986,9 @@ size_t tls12_get_psigalgs(SSL *s, int se
+ } else if (s->cert->conf_sigalgs) {
+ *psigs = s->cert->conf_sigalgs;
+ return s->cert->conf_sigalgslen;
++ } else if (FIPS_mode()) {
++ *psigs = tls12_fips_sigalgs;
++ return OSSL_NELEM(tls12_fips_sigalgs);
+ } else {
+ *psigs = tls12_sigalgs;
+ return OSSL_NELEM(tls12_sigalgs);
+@@ -973,6 +1008,9 @@ int tls_check_sigalg_curve(const SSL *s,
+ if (s->cert->conf_sigalgs) {
+ sigs = s->cert->conf_sigalgs;
+ siglen = s->cert->conf_sigalgslen;
++ } else if (FIPS_mode()) {
++ sigs = tls12_fips_sigalgs;
++ siglen = OSSL_NELEM(tls12_fips_sigalgs);
+ } else {
+ sigs = tls12_sigalgs;
+ siglen = OSSL_NELEM(tls12_sigalgs);
+@@ -1617,6 +1655,8 @@ static int tls12_sigalg_allowed(const SS
+ if (lu->sig == NID_id_GostR3410_2012_256
+ || lu->sig == NID_id_GostR3410_2012_512
+ || lu->sig == NID_id_GostR3410_2001) {
++ if (FIPS_mode())
++ return 0;
+ /* We never allow GOST sig algs on the server with TLSv1.3 */
+ if (s->server && SSL_IS_TLS13(s))
+ return 0;
+@@ -2842,6 +2882,13 @@ int tls_choose_sigalg(SSL *s, int fatale
+ const uint16_t *sent_sigs;
+ size_t sent_sigslen;
+
++ if (fatalerrs && FIPS_mode()) {
++ /* There are no suitable legacy algorithms in FIPS mode */
++ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
++ SSL_F_TLS_CHOOSE_SIGALG,
++ SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
++ return 0;
++ }
+ if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
+ if (!fatalerrs)
+ return 1;
diff --git a/openssl-1.1.1-s390x-ecc.patch b/openssl-1.1.1-s390x-ecc.patch
new file mode 100644
index 0000000..6b5963f
--- /dev/null
+++ b/openssl-1.1.1-s390x-ecc.patch
@@ -0,0 +1,2306 @@
+diff -up openssl-1.1.1g/Configurations/00-base-templates.conf.s390x-ecc openssl-1.1.1g/Configurations/00-base-templates.conf
+--- openssl-1.1.1g/Configurations/00-base-templates.conf.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/Configurations/00-base-templates.conf 2020-05-18 12:45:40.855234262 +0200
+@@ -289,6 +289,7 @@ my %targets=(
+ template => 1,
+ cpuid_asm_src => "s390xcap.c s390xcpuid.S",
+ bn_asm_src => "asm/s390x.S s390x-mont.S s390x-gf2m.s",
++ ec_asm_src => "ecp_s390x_nistp.c",
+ aes_asm_src => "aes-s390x.S aes-ctr.fake aes-xts.fake",
+ sha1_asm_src => "sha1-s390x.S sha256-s390x.S sha512-s390x.S",
+ rc4_asm_src => "rc4-s390x.s",
+diff -up openssl-1.1.1g/Configure.s390x-ecc openssl-1.1.1g/Configure
+--- openssl-1.1.1g/Configure.s390x-ecc 2020-05-18 12:45:40.781233618 +0200
++++ openssl-1.1.1g/Configure 2020-05-18 12:45:40.856234270 +0200
+@@ -1398,6 +1398,9 @@ unless ($disabled{asm}) {
+ if ($target{ec_asm_src} =~ /ecp_nistz256/) {
+ push @{$config{lib_defines}}, "ECP_NISTZ256_ASM";
+ }
++ if ($target{ec_asm_src} =~ /ecp_s390x_nistp/) {
++ push @{$config{lib_defines}}, "S390X_EC_ASM";
++ }
+ if ($target{ec_asm_src} =~ /x25519/) {
+ push @{$config{lib_defines}}, "X25519_ASM";
+ }
+diff -up openssl-1.1.1g/crypto/cmac/cm_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/cmac/cm_pmeth.c
+--- openssl-1.1.1g/crypto/cmac/cm_pmeth.c.s390x-ecc 2020-05-18 12:45:40.782233627 +0200
++++ openssl-1.1.1g/crypto/cmac/cm_pmeth.c 2020-05-18 12:45:42.661249957 +0200
+@@ -159,3 +159,8 @@ const EVP_PKEY_METHOD cmac_pkey_meth = {
+ pkey_cmac_ctrl,
+ pkey_cmac_ctrl_str
+ };
++
++const EVP_PKEY_METHOD *cmac_pkey_method(void)
++{
++ return &cmac_pkey_meth;
++}
+diff -up openssl-1.1.1g/crypto/dh/dh_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/dh/dh_pmeth.c
+--- openssl-1.1.1g/crypto/dh/dh_pmeth.c.s390x-ecc 2020-05-18 12:45:40.782233627 +0200
++++ openssl-1.1.1g/crypto/dh/dh_pmeth.c 2020-05-18 12:45:42.661249957 +0200
+@@ -512,6 +512,11 @@ const EVP_PKEY_METHOD dh_pkey_meth = {
+ pkey_dh_ctrl_str
+ };
+
++const EVP_PKEY_METHOD *dh_pkey_method(void)
++{
++ return &dh_pkey_meth;
++}
++
+ const EVP_PKEY_METHOD dhx_pkey_meth = {
+ EVP_PKEY_DHX,
+ EVP_PKEY_FLAG_FIPS,
+@@ -545,3 +550,8 @@ const EVP_PKEY_METHOD dhx_pkey_meth = {
+ pkey_dh_ctrl,
+ pkey_dh_ctrl_str
+ };
++
++const EVP_PKEY_METHOD *dhx_pkey_method(void)
++{
++ return &dhx_pkey_meth;
++}
+diff -up openssl-1.1.1g/crypto/dsa/dsa_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/dsa/dsa_pmeth.c
+--- openssl-1.1.1g/crypto/dsa/dsa_pmeth.c.s390x-ecc 2020-05-18 12:45:40.783233636 +0200
++++ openssl-1.1.1g/crypto/dsa/dsa_pmeth.c 2020-05-18 12:45:42.662249966 +0200
+@@ -271,3 +271,8 @@ const EVP_PKEY_METHOD dsa_pkey_meth = {
+ pkey_dsa_ctrl,
+ pkey_dsa_ctrl_str
+ };
++
++const EVP_PKEY_METHOD *dsa_pkey_method(void)
++{
++ return &dsa_pkey_meth;
++}
+diff -up openssl-1.1.1g/crypto/ec/build.info.s390x-ecc openssl-1.1.1g/crypto/ec/build.info
+--- openssl-1.1.1g/crypto/ec/build.info.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/crypto/ec/build.info 2020-05-18 12:45:42.662249966 +0200
+@@ -26,6 +26,9 @@ GENERATE[ecp_nistz256-armv8.S]=asm/ecp_n
+ INCLUDE[ecp_nistz256-armv8.o]=..
+ GENERATE[ecp_nistz256-ppc64.s]=asm/ecp_nistz256-ppc64.pl $(PERLASM_SCHEME)
+
++INCLUDE[ecp_s390x_nistp.o]=..
++INCLUDE[ecx_meth.o]=..
++
+ GENERATE[x25519-x86_64.s]=asm/x25519-x86_64.pl $(PERLASM_SCHEME)
+ GENERATE[x25519-ppc64.s]=asm/x25519-ppc64.pl $(PERLASM_SCHEME)
+
+diff -up openssl-1.1.1g/crypto/ec/ec_curve.c.s390x-ecc openssl-1.1.1g/crypto/ec/ec_curve.c
+--- openssl-1.1.1g/crypto/ec/ec_curve.c.s390x-ecc 2020-05-18 12:45:40.753233375 +0200
++++ openssl-1.1.1g/crypto/ec/ec_curve.c 2020-05-18 12:45:42.663249975 +0200
+@@ -255,20 +255,29 @@ static const ec_list_element curve_list[
+ {NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0,
+ "SECG curve over a 256 bit prime field"},
+ /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
+- {NID_secp384r1, &_EC_NIST_PRIME_384.h, 0,
++ {NID_secp384r1, &_EC_NIST_PRIME_384.h,
++# if defined(S390X_EC_ASM)
++ EC_GFp_s390x_nistp384_method,
++# else
++ 0,
++# endif
+ "NIST/SECG curve over a 384 bit prime field"},
+-#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
+- {NID_secp521r1, &_EC_NIST_PRIME_521.h, EC_GFp_nistp521_method,
+- "NIST/SECG curve over a 521 bit prime field"},
+-#else
+- {NID_secp521r1, &_EC_NIST_PRIME_521.h, 0,
++ {NID_secp521r1, &_EC_NIST_PRIME_521.h,
++# if defined(S390X_EC_ASM)
++ EC_GFp_s390x_nistp521_method,
++# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
++ EC_GFp_nistp521_method,
++# else
++ 0,
++# endif
+ "NIST/SECG curve over a 521 bit prime field"},
+-#endif
+ /* X9.62 curves */
+ {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
+ #if defined(ECP_NISTZ256_ASM)
+ EC_GFp_nistz256_method,
+-#elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
++# elif defined(S390X_EC_ASM)
++ EC_GFp_s390x_nistp256_method,
++# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
+ EC_GFp_nistp256_method,
+ #else
+ 0,
+diff -up openssl-1.1.1g/crypto/ec/ecdsa_ossl.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecdsa_ossl.c
+--- openssl-1.1.1g/crypto/ec/ecdsa_ossl.c.s390x-ecc 2020-05-18 12:45:40.784233644 +0200
++++ openssl-1.1.1g/crypto/ec/ecdsa_ossl.c 2020-05-18 12:45:42.664249983 +0200
+@@ -18,6 +18,41 @@
+ # include <openssl/fips.h>
+ #endif
+
++int ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
++ BIGNUM **rp)
++{
++ if (eckey->group->meth->ecdsa_sign_setup == NULL) {
++ ECerr(EC_F_OSSL_ECDSA_SIGN_SETUP, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA);
++ return 0;
++ }
++
++ return eckey->group->meth->ecdsa_sign_setup(eckey, ctx_in, kinvp, rp);
++}
++
++ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
++ const BIGNUM *in_kinv, const BIGNUM *in_r,
++ EC_KEY *eckey)
++{
++ if (eckey->group->meth->ecdsa_sign_sig == NULL) {
++ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA);
++ return NULL;
++ }
++
++ return eckey->group->meth->ecdsa_sign_sig(dgst, dgst_len,
++ in_kinv, in_r, eckey);
++}
++
++int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,
++ const ECDSA_SIG *sig, EC_KEY *eckey)
++{
++ if (eckey->group->meth->ecdsa_verify_sig == NULL) {
++ ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA);
++ return 0;
++ }
++
++ return eckey->group->meth->ecdsa_verify_sig(dgst, dgst_len, sig, eckey);
++}
++
+ int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen,
+ unsigned char *sig, unsigned int *siglen,
+ const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey)
+@@ -149,15 +184,15 @@ static int ecdsa_sign_setup(EC_KEY *ecke
+ return ret;
+ }
+
+-int ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
+- BIGNUM **rp)
++int ecdsa_simple_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
++ BIGNUM **rp)
+ {
+ return ecdsa_sign_setup(eckey, ctx_in, kinvp, rp, NULL, 0);
+ }
+
+-ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
+- const BIGNUM *in_kinv, const BIGNUM *in_r,
+- EC_KEY *eckey)
++ECDSA_SIG *ecdsa_simple_sign_sig(const unsigned char *dgst, int dgst_len,
++ const BIGNUM *in_kinv, const BIGNUM *in_r,
++ EC_KEY *eckey)
+ {
+ int ok = 0, i;
+ BIGNUM *kinv = NULL, *s, *m = NULL;
+@@ -218,25 +253,25 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns
+ if (8 * dgst_len > i)
+ dgst_len = (i + 7) / 8;
+ if (!BN_bin2bn(dgst, dgst_len, m)) {
+- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
++ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_BN_LIB);
+ goto err;
+ }
+ /* If still too long, truncate remaining bits with a shift */
+ if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) {
+- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
++ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_BN_LIB);
+ goto err;
+ }
+ do {
+ if (in_kinv == NULL || in_r == NULL) {
+ if (!ecdsa_sign_setup(eckey, ctx, &kinv, &ret->r, dgst, dgst_len)) {
+- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_ECDSA_LIB);
++ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_ECDSA_LIB);
+ goto err;
+ }
+ ckinv = kinv;
+ } else {
+ ckinv = in_kinv;
+ if (BN_copy(ret->r, in_r) == NULL) {
+- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE);
++ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ }
+@@ -250,11 +285,11 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns
+ */
+ if (!bn_to_mont_fixed_top(s, ret->r, group->mont_data, ctx)
+ || !bn_mul_mont_fixed_top(s, s, priv_key, group->mont_data, ctx)) {
+- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
++ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_BN_LIB);
+ goto err;
+ }
+ if (!bn_mod_add_fixed_top(s, s, m, order)) {
+- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
++ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_BN_LIB);
+ goto err;
+ }
+ /*
+@@ -263,7 +298,7 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns
+ */
+ if (!bn_to_mont_fixed_top(s, s, group->mont_data, ctx)
+ || !BN_mod_mul_montgomery(s, s, ckinv, group->mont_data, ctx)) {
+- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
++ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_BN_LIB);
+ goto err;
+ }
+
+@@ -273,7 +308,7 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns
+ * generate new kinv and r values
+ */
+ if (in_kinv != NULL && in_r != NULL) {
+- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, EC_R_NEED_NEW_SETUP_VALUES);
++ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, EC_R_NEED_NEW_SETUP_VALUES);
+ goto err;
+ }
+ } else {
+@@ -325,8 +360,8 @@ int ossl_ecdsa_verify(int type, const un
+ return ret;
+ }
+
+-int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,
+- const ECDSA_SIG *sig, EC_KEY *eckey)
++int ecdsa_simple_verify_sig(const unsigned char *dgst, int dgst_len,
++ const ECDSA_SIG *sig, EC_KEY *eckey)
+ {
+ int ret = -1, i;
+ BN_CTX *ctx;
+@@ -346,18 +381,18 @@ int ossl_ecdsa_verify_sig(const unsigned
+ /* check input values */
+ if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL ||
+ (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) {
+- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, EC_R_MISSING_PARAMETERS);
++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, EC_R_MISSING_PARAMETERS);
+ return -1;
+ }
+
+ if (!EC_KEY_can_sign(eckey)) {
+- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING);
++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING);
+ return -1;
+ }
+
+ ctx = BN_CTX_new();
+ if (ctx == NULL) {
+- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_MALLOC_FAILURE);
++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_MALLOC_FAILURE);
+ return -1;
+ }
+ BN_CTX_start(ctx);
+@@ -366,26 +401,26 @@ int ossl_ecdsa_verify_sig(const unsigned
+ m = BN_CTX_get(ctx);
+ X = BN_CTX_get(ctx);
+ if (X == NULL) {
+- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB);
++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB);
+ goto err;
+ }
+
+ order = EC_GROUP_get0_order(group);
+ if (order == NULL) {
+- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_EC_LIB);
++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_EC_LIB);
+ goto err;
+ }
+
+ if (BN_is_zero(sig->r) || BN_is_negative(sig->r) ||
+ BN_ucmp(sig->r, order) >= 0 || BN_is_zero(sig->s) ||
+ BN_is_negative(sig->s) || BN_ucmp(sig->s, order) >= 0) {
+- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, EC_R_BAD_SIGNATURE);
++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, EC_R_BAD_SIGNATURE);
+ ret = 0; /* signature is invalid */
+ goto err;
+ }
+ /* calculate tmp1 = inv(S) mod order */
+ if (!ec_group_do_inverse_ord(group, u2, sig->s, ctx)) {
+- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB);
++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB);
+ goto err;
+ }
+ /* digest -> m */
+@@ -396,41 +431,41 @@ int ossl_ecdsa_verify_sig(const unsigned
+ if (8 * dgst_len > i)
+ dgst_len = (i + 7) / 8;
+ if (!BN_bin2bn(dgst, dgst_len, m)) {
+- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB);
++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB);
+ goto err;
+ }
+ /* If still too long truncate remaining bits with a shift */
+ if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) {
+- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB);
++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB);
+ goto err;
+ }
+ /* u1 = m * tmp mod order */
+ if (!BN_mod_mul(u1, m, u2, order, ctx)) {
+- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB);
++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB);
+ goto err;
+ }
+ /* u2 = r * w mod q */
+ if (!BN_mod_mul(u2, sig->r, u2, order, ctx)) {
+- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB);
++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB);
+ goto err;
+ }
+
+ if ((point = EC_POINT_new(group)) == NULL) {
+- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_MALLOC_FAILURE);
++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ if (!EC_POINT_mul(group, point, u1, pub_key, u2, ctx)) {
+- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_EC_LIB);
++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_EC_LIB);
+ goto err;
+ }
+
+ if (!EC_POINT_get_affine_coordinates(group, point, X, NULL, ctx)) {
+- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_EC_LIB);
++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_EC_LIB);
+ goto err;
+ }
+
+ if (!BN_nnmod(u1, X, order, ctx)) {
+- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB);
++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB);
+ goto err;
+ }
+ /* if the signature is correct u1 is equal to sig->r */
+diff -up openssl-1.1.1g/crypto/ec/ec_err.c.s390x-ecc openssl-1.1.1g/crypto/ec/ec_err.c
+--- openssl-1.1.1g/crypto/ec/ec_err.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/crypto/ec/ec_err.c 2020-05-18 12:45:42.664249983 +0200
+@@ -31,6 +31,11 @@ static const ERR_STRING_DATA EC_str_func
+ {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIGN_SETUP, 0), "ECDSA_sign_setup"},
+ {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIG_NEW, 0), "ECDSA_SIG_new"},
+ {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_VERIFY, 0), "ECDSA_verify"},
++ {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIMPLE_SIGN_SETUP, 0), "ecdsa_simple_sign_setup"},
++ {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIMPLE_SIGN_SIG, 0), "ecdsa_simple_sign_sig"},
++ {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIMPLE_VERIFY_SIG, 0), "ecdsa_simple_verify_sig"},
++ {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_S390X_NISTP_SIGN_SIG, 0), "ecdsa_s390x_nistp_sign_sig"},
++ {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, 0), "ecdsa_s390x_nistp_verify_sig"},
+ {ERR_PACK(ERR_LIB_EC, EC_F_ECD_ITEM_VERIFY, 0), "ecd_item_verify"},
+ {ERR_PACK(ERR_LIB_EC, EC_F_ECKEY_PARAM2TYPE, 0), "eckey_param2type"},
+ {ERR_PACK(ERR_LIB_EC, EC_F_ECKEY_PARAM_DECODE, 0), "eckey_param_decode"},
+@@ -266,6 +271,7 @@ static const ERR_STRING_DATA EC_str_func
+ {ERR_PACK(ERR_LIB_EC, EC_F_OLD_EC_PRIV_DECODE, 0), "old_ec_priv_decode"},
+ {ERR_PACK(ERR_LIB_EC, EC_F_OSSL_ECDH_COMPUTE_KEY, 0),
+ "ossl_ecdh_compute_key"},
++ {ERR_PACK(ERR_LIB_EC, EC_F_OSSL_ECDSA_SIGN_SETUP, 0), "ossl_ecdsa_sign_setup"},
+ {ERR_PACK(ERR_LIB_EC, EC_F_OSSL_ECDSA_SIGN_SIG, 0), "ossl_ecdsa_sign_sig"},
+ {ERR_PACK(ERR_LIB_EC, EC_F_OSSL_ECDSA_VERIFY_SIG, 0),
+ "ossl_ecdsa_verify_sig"},
+@@ -284,6 +290,12 @@ static const ERR_STRING_DATA EC_str_func
+ {ERR_PACK(ERR_LIB_EC, EC_F_PKEY_EC_KEYGEN, 0), "pkey_ec_keygen"},
+ {ERR_PACK(ERR_LIB_EC, EC_F_PKEY_EC_PARAMGEN, 0), "pkey_ec_paramgen"},
+ {ERR_PACK(ERR_LIB_EC, EC_F_PKEY_EC_SIGN, 0), "pkey_ec_sign"},
++ {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECD_DIGESTSIGN25519, 0), "s390x_pkey_ecd_digestsign25519"},
++ {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECD_DIGESTSIGN448, 0), "s390x_pkey_ecd_digestsign448"},
++ {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECD_KEYGEN25519, 0), "s390x_pkey_ecd_keygen25519"},
++ {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECD_KEYGEN448, 0), "s390x_pkey_ecd_keygen448"},
++ {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECX_KEYGEN25519, 0), "s390x_pkey_ecx_keygen25519"},
++ {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECX_KEYGEN448, 0), "s390x_pkey_ecx_keygen448"},
+ {ERR_PACK(ERR_LIB_EC, EC_F_VALIDATE_ECX_DERIVE, 0), "validate_ecx_derive"},
+ {0, NULL}
+ };
+@@ -298,6 +310,8 @@ static const ERR_STRING_DATA EC_str_reas
+ "coordinates out of range"},
+ {ERR_PACK(ERR_LIB_EC, 0, EC_R_CURVE_DOES_NOT_SUPPORT_ECDH),
+ "curve does not support ecdh"},
++ {ERR_PACK(ERR_LIB_EC, 0, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA),
++ "curve does not support ecdsa"},
+ {ERR_PACK(ERR_LIB_EC, 0, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING),
+ "curve does not support signing"},
+ {ERR_PACK(ERR_LIB_EC, 0, EC_R_D2I_ECPKPARAMETERS_FAILURE),
+diff -up openssl-1.1.1g/crypto/ec/ec_local.h.s390x-ecc openssl-1.1.1g/crypto/ec/ec_local.h
+--- openssl-1.1.1g/crypto/ec/ec_local.h.s390x-ecc 2020-05-18 12:45:40.554231646 +0200
++++ openssl-1.1.1g/crypto/ec/ec_local.h 2020-05-18 12:45:44.564266496 +0200
+@@ -179,6 +179,14 @@ struct ec_method_st {
+ /* custom ECDH operation */
+ int (*ecdh_compute_key)(unsigned char **pout, size_t *poutlen,
+ const EC_POINT *pub_key, const EC_KEY *ecdh);
++ /* custom ECDSA */
++ int (*ecdsa_sign_setup)(EC_KEY *eckey, BN_CTX *ctx, BIGNUM **kinvp,
++ BIGNUM **rp);
++ ECDSA_SIG *(*ecdsa_sign_sig)(const unsigned char *dgst, int dgstlen,
++ const BIGNUM *kinv, const BIGNUM *r,
++ EC_KEY *eckey);
++ int (*ecdsa_verify_sig)(const unsigned char *dgst, int dgstlen,
++ const ECDSA_SIG *sig, EC_KEY *eckey);
+ /* Inverse modulo order */
+ int (*field_inverse_mod_ord)(const EC_GROUP *, BIGNUM *r,
+ const BIGNUM *x, BN_CTX *);
+@@ -587,6 +595,11 @@ int ec_group_simple_order_bits(const EC_
+ */
+ const EC_METHOD *EC_GFp_nistz256_method(void);
+ #endif
++#ifdef S390X_EC_ASM
++const EC_METHOD *EC_GFp_s390x_nistp256_method(void);
++const EC_METHOD *EC_GFp_s390x_nistp384_method(void);
++const EC_METHOD *EC_GFp_s390x_nistp521_method(void);
++#endif
+
+ size_t ec_key_simple_priv2oct(const EC_KEY *eckey,
+ unsigned char *buf, size_t len);
+@@ -651,6 +664,13 @@ int ossl_ecdsa_verify(int type, const un
+ const unsigned char *sigbuf, int sig_len, EC_KEY *eckey);
+ int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,
+ const ECDSA_SIG *sig, EC_KEY *eckey);
++int ecdsa_simple_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
++ BIGNUM **rp);
++ECDSA_SIG *ecdsa_simple_sign_sig(const unsigned char *dgst, int dgst_len,
++ const BIGNUM *in_kinv, const BIGNUM *in_r,
++ EC_KEY *eckey);
++int ecdsa_simple_verify_sig(const unsigned char *dgst, int dgst_len,
++ const ECDSA_SIG *sig, EC_KEY *eckey);
+
+ int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
+ const uint8_t public_key[32], const uint8_t private_key[32]);
+diff -up openssl-1.1.1g/crypto/ec/ec_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/ec/ec_pmeth.c
+--- openssl-1.1.1g/crypto/ec/ec_pmeth.c.s390x-ecc 2020-05-18 12:45:40.784233644 +0200
++++ openssl-1.1.1g/crypto/ec/ec_pmeth.c 2020-05-18 12:45:44.565266505 +0200
+@@ -474,3 +474,8 @@ const EVP_PKEY_METHOD ec_pkey_meth = {
+ pkey_ec_ctrl,
+ pkey_ec_ctrl_str
+ };
++
++const EVP_PKEY_METHOD *ec_pkey_method(void)
++{
++ return &ec_pkey_meth;
++}
+diff -up openssl-1.1.1g/crypto/ec/ecp_mont.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecp_mont.c
+--- openssl-1.1.1g/crypto/ec/ecp_mont.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/crypto/ec/ecp_mont.c 2020-05-18 12:45:44.567266523 +0200
+@@ -63,6 +63,9 @@ const EC_METHOD *EC_GFp_mont_method(void
+ 0, /* keycopy */
+ 0, /* keyfinish */
+ ecdh_simple_compute_key,
++ ecdsa_simple_sign_setup,
++ ecdsa_simple_sign_sig,
++ ecdsa_simple_verify_sig,
+ 0, /* field_inverse_mod_ord */
+ ec_GFp_simple_blind_coordinates,
+ ec_GFp_simple_ladder_pre,
+diff -up openssl-1.1.1g/crypto/ec/ecp_nist.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecp_nist.c
+--- openssl-1.1.1g/crypto/ec/ecp_nist.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/crypto/ec/ecp_nist.c 2020-05-18 12:45:44.567266523 +0200
+@@ -65,6 +65,9 @@ const EC_METHOD *EC_GFp_nist_method(void
+ 0, /* keycopy */
+ 0, /* keyfinish */
+ ecdh_simple_compute_key,
++ ecdsa_simple_sign_setup,
++ ecdsa_simple_sign_sig,
++ ecdsa_simple_verify_sig,
+ 0, /* field_inverse_mod_ord */
+ ec_GFp_simple_blind_coordinates,
+ ec_GFp_simple_ladder_pre,
+diff -up openssl-1.1.1g/crypto/ec/ecp_nistp224.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecp_nistp224.c
+--- openssl-1.1.1g/crypto/ec/ecp_nistp224.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/crypto/ec/ecp_nistp224.c 2020-05-18 12:45:44.568266531 +0200
+@@ -292,6 +292,9 @@ const EC_METHOD *EC_GFp_nistp224_method(
+ 0, /* keycopy */
+ 0, /* keyfinish */
+ ecdh_simple_compute_key,
++ ecdsa_simple_sign_setup,
++ ecdsa_simple_sign_sig,
++ ecdsa_simple_verify_sig,
+ 0, /* field_inverse_mod_ord */
+ 0, /* blind_coordinates */
+ 0, /* ladder_pre */
+diff -up openssl-1.1.1g/crypto/ec/ecp_nistp256.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecp_nistp256.c
+--- openssl-1.1.1g/crypto/ec/ecp_nistp256.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/crypto/ec/ecp_nistp256.c 2020-05-18 12:45:44.568266531 +0200
+@@ -1829,6 +1829,9 @@ const EC_METHOD *EC_GFp_nistp256_method(
+ 0, /* keycopy */
+ 0, /* keyfinish */
+ ecdh_simple_compute_key,
++ ecdsa_simple_sign_setup,
++ ecdsa_simple_sign_sig,
++ ecdsa_simple_verify_sig,
+ 0, /* field_inverse_mod_ord */
+ 0, /* blind_coordinates */
+ 0, /* ladder_pre */
+diff -up openssl-1.1.1g/crypto/ec/ecp_nistp521.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecp_nistp521.c
+--- openssl-1.1.1g/crypto/ec/ecp_nistp521.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/crypto/ec/ecp_nistp521.c 2020-05-18 12:45:44.569266540 +0200
+@@ -1669,6 +1669,9 @@ const EC_METHOD *EC_GFp_nistp521_method(
+ 0, /* keycopy */
+ 0, /* keyfinish */
+ ecdh_simple_compute_key,
++ ecdsa_simple_sign_setup,
++ ecdsa_simple_sign_sig,
++ ecdsa_simple_verify_sig,
+ 0, /* field_inverse_mod_ord */
+ 0, /* blind_coordinates */
+ 0, /* ladder_pre */
+diff -up openssl-1.1.1g/crypto/ec/ecp_nistz256.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecp_nistz256.c
+--- openssl-1.1.1g/crypto/ec/ecp_nistz256.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/crypto/ec/ecp_nistz256.c 2020-05-18 12:45:44.570266549 +0200
+@@ -1720,6 +1720,9 @@ const EC_METHOD *EC_GFp_nistz256_method(
+ 0, /* keycopy */
+ 0, /* keyfinish */
+ ecdh_simple_compute_key,
++ ecdsa_simple_sign_setup,
++ ecdsa_simple_sign_sig,
++ ecdsa_simple_verify_sig,
+ ecp_nistz256_inv_mod_ord, /* can be #define-d NULL */
+ 0, /* blind_coordinates */
+ 0, /* ladder_pre */
+diff -up openssl-1.1.1g/crypto/ec/ecp_s390x_nistp.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecp_s390x_nistp.c
+--- openssl-1.1.1g/crypto/ec/ecp_s390x_nistp.c.s390x-ecc 2020-05-18 12:45:44.571266557 +0200
++++ openssl-1.1.1g/crypto/ec/ecp_s390x_nistp.c 2020-05-18 12:45:44.571266557 +0200
+@@ -0,0 +1,394 @@
++/*
++ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
++ *
++ * Licensed under the Apache License 2.0 (the "License"). You may not use
++ * this file except in compliance with the License. You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++
++#include <stdlib.h>
++#include <string.h>
++#include <openssl/err.h>
++#include <openssl/rand.h>
++#include "ec_local.h"
++#include "s390x_arch.h"
++
++/* Size of parameter blocks */
++#define S390X_SIZE_PARAM 4096
++
++/* Size of fields in parameter blocks */
++#define S390X_SIZE_P256 32
++#define S390X_SIZE_P384 48
++#define S390X_SIZE_P521 80
++
++/* Offsets of fields in PCC parameter blocks */
++#define S390X_OFF_RES_X(n) (0 * n)
++#define S390X_OFF_RES_Y(n) (1 * n)
++#define S390X_OFF_SRC_X(n) (2 * n)
++#define S390X_OFF_SRC_Y(n) (3 * n)
++#define S390X_OFF_SCALAR(n) (4 * n)
++
++/* Offsets of fields in KDSA parameter blocks */
++#define S390X_OFF_R(n) (0 * n)
++#define S390X_OFF_S(n) (1 * n)
++#define S390X_OFF_H(n) (2 * n)
++#define S390X_OFF_K(n) (3 * n)
++#define S390X_OFF_X(n) (3 * n)
++#define S390X_OFF_RN(n) (4 * n)
++#define S390X_OFF_Y(n) (4 * n)
++
++static int ec_GFp_s390x_nistp_mul(const EC_GROUP *group, EC_POINT *r,
++ const BIGNUM *scalar,
++ size_t num, const EC_POINT *points[],
++ const BIGNUM *scalars[],
++ BN_CTX *ctx, unsigned int fc, int len)
++{
++ unsigned char param[S390X_SIZE_PARAM];
++ BIGNUM *x, *y;
++ const EC_POINT *point_ptr = NULL;
++ const BIGNUM *scalar_ptr = NULL;
++ BN_CTX *new_ctx = NULL;
++ int rc = -1;
++
++ if (ctx == NULL) {
++ ctx = new_ctx = BN_CTX_new();
++ if (ctx == NULL)
++ return 0;
++ }
++
++ BN_CTX_start(ctx);
++
++ x = BN_CTX_get(ctx);
++ y = BN_CTX_get(ctx);
++ if (x == NULL || y == NULL) {
++ rc = 0;
++ goto ret;
++ }
++
++ /*
++ * Use PCC for EC keygen and ECDH key derivation:
++ * scalar * generator and scalar * peer public key,
++ * scalar in [0,order).
++ */
++ if ((scalar != NULL && num == 0 && BN_is_negative(scalar) == 0)
++ || (scalar == NULL && num == 1 && BN_is_negative(scalars[0]) == 0)) {
++
++ if (num == 0) {
++ point_ptr = EC_GROUP_get0_generator(group);
++ scalar_ptr = scalar;
++ } else {
++ point_ptr = points[0];
++ scalar_ptr = scalars[0];
++ }
++
++ if (EC_POINT_is_at_infinity(group, point_ptr) == 1
++ || BN_is_zero(scalar_ptr)) {
++ rc = EC_POINT_set_to_infinity(group, r);
++ goto ret;
++ }
++
++ memset(¶m, 0, sizeof(param));
++
++ if (group->meth->point_get_affine_coordinates(group, point_ptr,
++ x, y, ctx) != 1
++ || BN_bn2binpad(x, param + S390X_OFF_SRC_X(len), len) == -1
++ || BN_bn2binpad(y, param + S390X_OFF_SRC_Y(len), len) == -1
++ || BN_bn2binpad(scalar_ptr,
++ param + S390X_OFF_SCALAR(len), len) == -1
++ || s390x_pcc(fc, param) != 0
++ || BN_bin2bn(param + S390X_OFF_RES_X(len), len, x) == NULL
++ || BN_bin2bn(param + S390X_OFF_RES_Y(len), len, y) == NULL
++ || group->meth->point_set_affine_coordinates(group, r,
++ x, y, ctx) != 1)
++ goto ret;
++
++ rc = 1;
++ }
++
++ret:
++ /* Otherwise use default. */
++ if (rc == -1)
++ rc = ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx);
++ OPENSSL_cleanse(param + S390X_OFF_SCALAR(len), len);
++ BN_CTX_end(ctx);
++ BN_CTX_free(new_ctx);
++ return rc;
++}
++
++static ECDSA_SIG *ecdsa_s390x_nistp_sign_sig(const unsigned char *dgst,
++ int dgstlen,
++ const BIGNUM *kinv,
++ const BIGNUM *r,
++ EC_KEY *eckey,
++ unsigned int fc, int len)
++{
++ unsigned char param[S390X_SIZE_PARAM];
++ int ok = 0;
++ BIGNUM *k;
++ ECDSA_SIG *sig;
++ const EC_GROUP *group;
++ const BIGNUM *privkey;
++ int off;
++
++ group = EC_KEY_get0_group(eckey);
++ privkey = EC_KEY_get0_private_key(eckey);
++ if (group == NULL || privkey == NULL) {
++ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, EC_R_MISSING_PARAMETERS);
++ return NULL;
++ }
++
++ if (!EC_KEY_can_sign(eckey)) {
++ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG,
++ EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING);
++ return NULL;
++ }
++
++ k = BN_secure_new();
++ sig = ECDSA_SIG_new();
++ if (k == NULL || sig == NULL) {
++ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_MALLOC_FAILURE);
++ goto ret;
++ }
++
++ sig->r = BN_new();
++ sig->s = BN_new();
++ if (sig->r == NULL || sig->s == NULL) {
++ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_MALLOC_FAILURE);
++ goto ret;
++ }
++
++ memset(param, 0, sizeof(param));
++ off = len - (dgstlen > len ? len : dgstlen);
++ memcpy(param + S390X_OFF_H(len) + off, dgst, len - off);
++
++ if (BN_bn2binpad(privkey, param + S390X_OFF_K(len), len) == -1) {
++ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_BN_LIB);
++ goto ret;
++ }
++
++ if (r == NULL || kinv == NULL) {
++ /*
++ * Generate random k and copy to param param block. RAND_priv_bytes
++ * is used instead of BN_priv_rand_range or BN_generate_dsa_nonce
++ * because kdsa instruction constructs an in-range, invertible nonce
++ * internally implementing counter-measures for RNG weakness.
++ */
++ if (RAND_priv_bytes(param + S390X_OFF_RN(len), len) != 1) {
++ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG,
++ EC_R_RANDOM_NUMBER_GENERATION_FAILED);
++ goto ret;
++ }
++ } else {
++ /* Reconstruct k = (k^-1)^-1. */
++ if (ec_group_do_inverse_ord(group, k, kinv, NULL) == 0
++ || BN_bn2binpad(k, param + S390X_OFF_RN(len), len) == -1) {
++ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_BN_LIB);
++ goto ret;
++ }
++ /* Turns KDSA internal nonce-generation off. */
++ fc |= S390X_KDSA_D;
++ }
++
++ if (s390x_kdsa(fc, param, NULL, 0) != 0) {
++ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_ECDSA_LIB);
++ goto ret;
++ }
++
++ if (BN_bin2bn(param + S390X_OFF_R(len), len, sig->r) == NULL
++ || BN_bin2bn(param + S390X_OFF_S(len), len, sig->s) == NULL) {
++ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_BN_LIB);
++ goto ret;
++ }
++
++ ok = 1;
++ret:
++ OPENSSL_cleanse(param + S390X_OFF_K(len), 2 * len);
++ if (ok != 1) {
++ ECDSA_SIG_free(sig);
++ sig = NULL;
++ }
++ BN_clear_free(k);
++ return sig;
++}
++
++static int ecdsa_s390x_nistp_verify_sig(const unsigned char *dgst, int dgstlen,
++ const ECDSA_SIG *sig, EC_KEY *eckey,
++ unsigned int fc, int len)
++{
++ unsigned char param[S390X_SIZE_PARAM];
++ int rc = -1;
++ BN_CTX *ctx;
++ BIGNUM *x, *y;
++ const EC_GROUP *group;
++ const EC_POINT *pubkey;
++ int off;
++
++ group = EC_KEY_get0_group(eckey);
++ pubkey = EC_KEY_get0_public_key(eckey);
++ if (eckey == NULL || group == NULL || pubkey == NULL || sig == NULL) {
++ ECerr(EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, EC_R_MISSING_PARAMETERS);
++ return -1;
++ }
++
++ if (!EC_KEY_can_sign(eckey)) {
++ ECerr(EC_F_ECDSA_S390X_NISTP_VERIFY_SIG,
++ EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING);
++ return -1;
++ }
++
++ ctx = BN_CTX_new();
++ if (ctx == NULL) {
++ ECerr(EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, ERR_R_MALLOC_FAILURE);
++ return -1;
++ }
++
++ BN_CTX_start(ctx);
++
++ x = BN_CTX_get(ctx);
++ y = BN_CTX_get(ctx);
++ if (x == NULL || y == NULL) {
++ ECerr(EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, ERR_R_MALLOC_FAILURE);
++ goto ret;
++ }
++
++ memset(param, 0, sizeof(param));
++ off = len - (dgstlen > len ? len : dgstlen);
++ memcpy(param + S390X_OFF_H(len) + off, dgst, len - off);
++
++ if (group->meth->point_get_affine_coordinates(group, pubkey,
++ x, y, ctx) != 1
++ || BN_bn2binpad(sig->r, param + S390X_OFF_R(len), len) == -1
++ || BN_bn2binpad(sig->s, param + S390X_OFF_S(len), len) == -1
++ || BN_bn2binpad(x, param + S390X_OFF_X(len), len) == -1
++ || BN_bn2binpad(y, param + S390X_OFF_Y(len), len) == -1) {
++ ECerr(EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, ERR_R_BN_LIB);
++ goto ret;
++ }
++
++ rc = s390x_kdsa(fc, param, NULL, 0) == 0 ? 1 : 0;
++ret:
++ BN_CTX_end(ctx);
++ BN_CTX_free(ctx);
++ return rc;
++}
++
++#define EC_GFP_S390X_NISTP_METHOD(bits) \
++ \
++static int ec_GFp_s390x_nistp##bits##_mul(const EC_GROUP *group, \
++ EC_POINT *r, \
++ const BIGNUM *scalar, \
++ size_t num, \
++ const EC_POINT *points[], \
++ const BIGNUM *scalars[], \
++ BN_CTX *ctx) \
++{ \
++ return ec_GFp_s390x_nistp_mul(group, r, scalar, num, points, \
++ scalars, ctx, \
++ S390X_SCALAR_MULTIPLY_P##bits, \
++ S390X_SIZE_P##bits); \
++} \
++ \
++static ECDSA_SIG *ecdsa_s390x_nistp##bits##_sign_sig(const unsigned \
++ char *dgst, \
++ int dgstlen, \
++ const BIGNUM *kinv,\
++ const BIGNUM *r, \
++ EC_KEY *eckey) \
++{ \
++ return ecdsa_s390x_nistp_sign_sig(dgst, dgstlen, kinv, r, eckey, \
++ S390X_ECDSA_SIGN_P##bits, \
++ S390X_SIZE_P##bits); \
++} \
++ \
++static int ecdsa_s390x_nistp##bits##_verify_sig(const \
++ unsigned char *dgst, \
++ int dgstlen, \
++ const ECDSA_SIG *sig, \
++ EC_KEY *eckey) \
++{ \
++ return ecdsa_s390x_nistp_verify_sig(dgst, dgstlen, sig, eckey, \
++ S390X_ECDSA_VERIFY_P##bits, \
++ S390X_SIZE_P##bits); \
++} \
++ \
++const EC_METHOD *EC_GFp_s390x_nistp##bits##_method(void) \
++{ \
++ static const EC_METHOD EC_GFp_s390x_nistp##bits##_meth = { \
++ EC_FLAGS_DEFAULT_OCT, \
++ NID_X9_62_prime_field, \
++ ec_GFp_simple_group_init, \
++ ec_GFp_simple_group_finish, \
++ ec_GFp_simple_group_clear_finish, \
++ ec_GFp_simple_group_copy, \
++ ec_GFp_simple_group_set_curve, \
++ ec_GFp_simple_group_get_curve, \
++ ec_GFp_simple_group_get_degree, \
++ ec_group_simple_order_bits, \
++ ec_GFp_simple_group_check_discriminant, \
++ ec_GFp_simple_point_init, \
++ ec_GFp_simple_point_finish, \
++ ec_GFp_simple_point_clear_finish, \
++ ec_GFp_simple_point_copy, \
++ ec_GFp_simple_point_set_to_infinity, \
++ ec_GFp_simple_set_Jprojective_coordinates_GFp, \
++ ec_GFp_simple_get_Jprojective_coordinates_GFp, \
++ ec_GFp_simple_point_set_affine_coordinates, \
++ ec_GFp_simple_point_get_affine_coordinates, \
++ NULL, /* point_set_compressed_coordinates */ \
++ NULL, /* point2oct */ \
++ NULL, /* oct2point */ \
++ ec_GFp_simple_add, \
++ ec_GFp_simple_dbl, \
++ ec_GFp_simple_invert, \
++ ec_GFp_simple_is_at_infinity, \
++ ec_GFp_simple_is_on_curve, \
++ ec_GFp_simple_cmp, \
++ ec_GFp_simple_make_affine, \
++ ec_GFp_simple_points_make_affine, \
++ ec_GFp_s390x_nistp##bits##_mul, \
++ NULL, /* precompute_mult */ \
++ NULL, /* have_precompute_mult */ \
++ ec_GFp_simple_field_mul, \
++ ec_GFp_simple_field_sqr, \
++ NULL, /* field_div */ \
++ ec_GFp_simple_field_inv, \
++ NULL, /* field_encode */ \
++ NULL, /* field_decode */ \
++ NULL, /* field_set_to_one */ \
++ ec_key_simple_priv2oct, \
++ ec_key_simple_oct2priv, \
++ NULL, /* set_private */ \
++ ec_key_simple_generate_key, \
++ ec_key_simple_check_key, \
++ ec_key_simple_generate_public_key, \
++ NULL, /* keycopy */ \
++ NULL, /* keyfinish */ \
++ ecdh_simple_compute_key, \
++ ecdsa_simple_sign_setup, \
++ ecdsa_s390x_nistp##bits##_sign_sig, \
++ ecdsa_s390x_nistp##bits##_verify_sig, \
++ NULL, /* field_inverse_mod_ord */ \
++ ec_GFp_simple_blind_coordinates, \
++ ec_GFp_simple_ladder_pre, \
++ ec_GFp_simple_ladder_step, \
++ ec_GFp_simple_ladder_post \
++ }; \
++ static const EC_METHOD *ret; \
++ \
++ if ((OPENSSL_s390xcap_P.pcc[1] \
++ & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P##bits)) \
++ && (OPENSSL_s390xcap_P.kdsa[0] \
++ & S390X_CAPBIT(S390X_ECDSA_VERIFY_P##bits)) \
++ && (OPENSSL_s390xcap_P.kdsa[0] \
++ & S390X_CAPBIT(S390X_ECDSA_SIGN_P##bits))) \
++ ret = &EC_GFp_s390x_nistp##bits##_meth; \
++ else \
++ ret = EC_GFp_mont_method(); \
++ \
++ return ret; \
++}
++
++EC_GFP_S390X_NISTP_METHOD(256)
++EC_GFP_S390X_NISTP_METHOD(384)
++EC_GFP_S390X_NISTP_METHOD(521)
+diff -up openssl-1.1.1g/crypto/ec/ecp_smpl.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecp_smpl.c
+--- openssl-1.1.1g/crypto/ec/ecp_smpl.c.s390x-ecc 2020-05-18 12:45:40.769233514 +0200
++++ openssl-1.1.1g/crypto/ec/ecp_smpl.c 2020-05-18 12:45:44.572266566 +0200
+@@ -64,6 +64,9 @@ const EC_METHOD *EC_GFp_simple_method(vo
+ 0, /* keycopy */
+ 0, /* keyfinish */
+ ecdh_simple_compute_key,
++ ecdsa_simple_sign_setup,
++ ecdsa_simple_sign_sig,
++ ecdsa_simple_verify_sig,
+ 0, /* field_inverse_mod_ord */
+ ec_GFp_simple_blind_coordinates,
+ ec_GFp_simple_ladder_pre,
+diff -up openssl-1.1.1g/crypto/ec/ecx_meth.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecx_meth.c
+--- openssl-1.1.1g/crypto/ec/ecx_meth.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/crypto/ec/ecx_meth.c 2020-05-18 12:45:44.573266575 +0200
+@@ -20,6 +20,7 @@
+ #define X25519_BITS 253
+ #define X25519_SECURITY_BITS 128
+
++#define ED25519_KEYLEN 32
+ #define ED25519_SIGSIZE 64
+
+ #define X448_BITS 448
+@@ -839,3 +840,666 @@ const EVP_PKEY_METHOD ed448_pkey_meth =
+ pkey_ecd_digestsign448,
+ pkey_ecd_digestverify448
+ };
++
++#ifdef S390X_EC_ASM
++# include "s390x_arch.h"
++# include "internal/constant_time.h"
++
++static void s390x_x25519_mod_p(unsigned char u[32])
++{
++ unsigned char u_red[32];
++ unsigned int c = 0;
++ int i;
++
++ memcpy(u_red, u, sizeof(u_red));
++
++ c += (unsigned int)u_red[31] + 19;
++ u_red[31] = (unsigned char)c;
++ c >>= 8;
++
++ for (i = 30; i >= 0; i--) {
++ c += (unsigned int)u_red[i];
++ u_red[i] = (unsigned char)c;
++ c >>= 8;
++ }
++
++ c = (u_red[0] & 0x80) >> 7;
++ u_red[0] &= 0x7f;
++ constant_time_cond_swap_buff(0 - (unsigned char)c,
++ u, u_red, sizeof(u_red));
++}
++
++static void s390x_x448_mod_p(unsigned char u[56])
++{
++ unsigned char u_red[56];
++ unsigned int c = 0;
++ int i;
++
++ memcpy(u_red, u, sizeof(u_red));
++
++ c += (unsigned int)u_red[55] + 1;
++ u_red[55] = (unsigned char)c;
++ c >>= 8;
++
++ for (i = 54; i >= 28; i--) {
++ c += (unsigned int)u_red[i];
++ u_red[i] = (unsigned char)c;
++ c >>= 8;
++ }
++
++ c += (unsigned int)u_red[27] + 1;
++ u_red[27] = (unsigned char)c;
++ c >>= 8;
++
++ for (i = 26; i >= 0; i--) {
++ c += (unsigned int)u_red[i];
++ u_red[i] = (unsigned char)c;
++ c >>= 8;
++ }
++
++ constant_time_cond_swap_buff(0 - (unsigned char)c,
++ u, u_red, sizeof(u_red));
++}
++
++static int s390x_x25519_mul(unsigned char u_dst[32],
++ const unsigned char u_src[32],
++ const unsigned char d_src[32])
++{
++ union {
++ struct {
++ unsigned char u_dst[32];
++ unsigned char u_src[32];
++ unsigned char d_src[32];
++ } x25519;
++ unsigned long long buff[512];
++ } param;
++ int rc;
++
++ memset(¶m, 0, sizeof(param));
++
++ s390x_flip_endian32(param.x25519.u_src, u_src);
++ param.x25519.u_src[0] &= 0x7f;
++ s390x_x25519_mod_p(param.x25519.u_src);
++
++ s390x_flip_endian32(param.x25519.d_src, d_src);
++ param.x25519.d_src[31] &= 248;
++ param.x25519.d_src[0] &= 127;
++ param.x25519.d_src[0] |= 64;
++
++ rc = s390x_pcc(S390X_SCALAR_MULTIPLY_X25519, ¶m.x25519) ? 0 : 1;
++ if (rc == 1)
++ s390x_flip_endian32(u_dst, param.x25519.u_dst);
++
++ OPENSSL_cleanse(param.x25519.d_src, sizeof(param.x25519.d_src));
++ return rc;
++}
++
++static int s390x_x448_mul(unsigned char u_dst[56],
++ const unsigned char u_src[56],
++ const unsigned char d_src[56])
++{
++ union {
++ struct {
++ unsigned char u_dst[64];
++ unsigned char u_src[64];
++ unsigned char d_src[64];
++ } x448;
++ unsigned long long buff[512];
++ } param;
++ int rc;
++
++ memset(¶m, 0, sizeof(param));
++
++ memcpy(param.x448.u_src, u_src, 56);
++ memcpy(param.x448.d_src, d_src, 56);
++
++ s390x_flip_endian64(param.x448.u_src, param.x448.u_src);
++ s390x_x448_mod_p(param.x448.u_src + 8);
++
++ s390x_flip_endian64(param.x448.d_src, param.x448.d_src);
++ param.x448.d_src[63] &= 252;
++ param.x448.d_src[8] |= 128;
++
++ rc = s390x_pcc(S390X_SCALAR_MULTIPLY_X448, ¶m.x448) ? 0 : 1;
++ if (rc == 1) {
++ s390x_flip_endian64(param.x448.u_dst, param.x448.u_dst);
++ memcpy(u_dst, param.x448.u_dst, 56);
++ }
++
++ OPENSSL_cleanse(param.x448.d_src, sizeof(param.x448.d_src));
++ return rc;
++}
++
++static int s390x_ed25519_mul(unsigned char x_dst[32],
++ unsigned char y_dst[32],
++ const unsigned char x_src[32],
++ const unsigned char y_src[32],
++ const unsigned char d_src[32])
++{
++ union {
++ struct {
++ unsigned char x_dst[32];
++ unsigned char y_dst[32];
++ unsigned char x_src[32];
++ unsigned char y_src[32];
++ unsigned char d_src[32];
++ } ed25519;
++ unsigned long long buff[512];
++ } param;
++ int rc;
++
++ memset(¶m, 0, sizeof(param));
++
++ s390x_flip_endian32(param.ed25519.x_src, x_src);
++ s390x_flip_endian32(param.ed25519.y_src, y_src);
++ s390x_flip_endian32(param.ed25519.d_src, d_src);
++
++ rc = s390x_pcc(S390X_SCALAR_MULTIPLY_ED25519, ¶m.ed25519) ? 0 : 1;
++ if (rc == 1) {
++ s390x_flip_endian32(x_dst, param.ed25519.x_dst);
++ s390x_flip_endian32(y_dst, param.ed25519.y_dst);
++ }
++
++ OPENSSL_cleanse(param.ed25519.d_src, sizeof(param.ed25519.d_src));
++ return rc;
++}
++
++static int s390x_ed448_mul(unsigned char x_dst[57],
++ unsigned char y_dst[57],
++ const unsigned char x_src[57],
++ const unsigned char y_src[57],
++ const unsigned char d_src[57])
++{
++ union {
++ struct {
++ unsigned char x_dst[64];
++ unsigned char y_dst[64];
++ unsigned char x_src[64];
++ unsigned char y_src[64];
++ unsigned char d_src[64];
++ } ed448;
++ unsigned long long buff[512];
++ } param;
++ int rc;
++
++ memset(¶m, 0, sizeof(param));
++
++ memcpy(param.ed448.x_src, x_src, 57);
++ memcpy(param.ed448.y_src, y_src, 57);
++ memcpy(param.ed448.d_src, d_src, 57);
++ s390x_flip_endian64(param.ed448.x_src, param.ed448.x_src);
++ s390x_flip_endian64(param.ed448.y_src, param.ed448.y_src);
++ s390x_flip_endian64(param.ed448.d_src, param.ed448.d_src);
++
++ rc = s390x_pcc(S390X_SCALAR_MULTIPLY_ED448, ¶m.ed448) ? 0 : 1;
++ if (rc == 1) {
++ s390x_flip_endian64(param.ed448.x_dst, param.ed448.x_dst);
++ s390x_flip_endian64(param.ed448.y_dst, param.ed448.y_dst);
++ memcpy(x_dst, param.ed448.x_dst, 57);
++ memcpy(y_dst, param.ed448.y_dst, 57);
++ }
++
++ OPENSSL_cleanse(param.ed448.d_src, sizeof(param.ed448.d_src));
++ return rc;
++}
++
++static int s390x_pkey_ecx_keygen25519(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
++{
++ static const unsigned char generator[] = {
++ 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
++ };
++ ECX_KEY *key;
++ unsigned char *privkey = NULL, *pubkey;
++
++ key = OPENSSL_zalloc(sizeof(*key));
++ if (key == NULL) {
++ ECerr(EC_F_S390X_PKEY_ECX_KEYGEN25519, ERR_R_MALLOC_FAILURE);
++ goto err;
++ }
++
++ pubkey = key->pubkey;
++
++ privkey = key->privkey = OPENSSL_secure_malloc(X25519_KEYLEN);
++ if (privkey == NULL) {
++ ECerr(EC_F_S390X_PKEY_ECX_KEYGEN25519, ERR_R_MALLOC_FAILURE);
++ goto err;
++ }
++
++ if (RAND_priv_bytes(privkey, X25519_KEYLEN) <= 0)
++ goto err;
++
++ privkey[0] &= 248;
++ privkey[31] &= 127;
++ privkey[31] |= 64;
++
++ if (s390x_x25519_mul(pubkey, generator, privkey) != 1)
++ goto err;
++
++ EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, key);
++ return 1;
++ err:
++ OPENSSL_secure_clear_free(privkey, X25519_KEYLEN);
++ key->privkey = NULL;
++ OPENSSL_free(key);
++ return 0;
++}
++
++static int s390x_pkey_ecx_keygen448(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
++{
++ static const unsigned char generator[] = {
++ 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
++ };
++ ECX_KEY *key;
++ unsigned char *privkey = NULL, *pubkey;
++
++ key = OPENSSL_zalloc(sizeof(*key));
++ if (key == NULL) {
++ ECerr(EC_F_S390X_PKEY_ECX_KEYGEN448, ERR_R_MALLOC_FAILURE);
++ goto err;
++ }
++
++ pubkey = key->pubkey;
++
++ privkey = key->privkey = OPENSSL_secure_malloc(X448_KEYLEN);
++ if (privkey == NULL) {
++ ECerr(EC_F_S390X_PKEY_ECX_KEYGEN448, ERR_R_MALLOC_FAILURE);
++ goto err;
++ }
++
++ if (RAND_priv_bytes(privkey, X448_KEYLEN) <= 0)
++ goto err;
++
++ privkey[0] &= 252;
++ privkey[55] |= 128;
++
++ if (s390x_x448_mul(pubkey, generator, privkey) != 1)
++ goto err;
++
++ EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, key);
++ return 1;
++ err:
++ OPENSSL_secure_clear_free(privkey, X448_KEYLEN);
++ key->privkey = NULL;
++ OPENSSL_free(key);
++ return 0;
++}
++
++static int s390x_pkey_ecd_keygen25519(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
++{
++ static const unsigned char generator_x[] = {
++ 0x1a, 0xd5, 0x25, 0x8f, 0x60, 0x2d, 0x56, 0xc9, 0xb2, 0xa7, 0x25, 0x95,
++ 0x60, 0xc7, 0x2c, 0x69, 0x5c, 0xdc, 0xd6, 0xfd, 0x31, 0xe2, 0xa4, 0xc0,
++ 0xfe, 0x53, 0x6e, 0xcd, 0xd3, 0x36, 0x69, 0x21
++ };
++ static const unsigned char generator_y[] = {
++ 0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
++ 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
++ 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
++ };
++ unsigned char x_dst[32], buff[SHA512_DIGEST_LENGTH];
++ ECX_KEY *key;
++ unsigned char *privkey = NULL, *pubkey;
++
++ key = OPENSSL_zalloc(sizeof(*key));
++ if (key == NULL) {
++ ECerr(EC_F_S390X_PKEY_ECD_KEYGEN25519, ERR_R_MALLOC_FAILURE);
++ goto err;
++ }
++
++ pubkey = key->pubkey;
++
++ privkey = key->privkey = OPENSSL_secure_malloc(ED25519_KEYLEN);
++ if (privkey == NULL) {
++ ECerr(EC_F_S390X_PKEY_ECD_KEYGEN25519, ERR_R_MALLOC_FAILURE);
++ goto err;
++ }
++
++ if (RAND_priv_bytes(privkey, ED25519_KEYLEN) <= 0)
++ goto err;
++
++ SHA512(privkey, 32, buff);
++ buff[0] &= 248;
++ buff[31] &= 63;
++ buff[31] |= 64;
++
++ if (s390x_ed25519_mul(x_dst, pubkey,
++ generator_x, generator_y, buff) != 1)
++ goto err;
++
++ pubkey[31] |= ((x_dst[0] & 0x01) << 7);
++
++ EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, key);
++ return 1;
++ err:
++ OPENSSL_secure_clear_free(privkey, ED25519_KEYLEN);
++ key->privkey = NULL;
++ OPENSSL_free(key);
++ return 0;
++}
++
++static int s390x_pkey_ecd_keygen448(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
++{
++ static const unsigned char generator_x[] = {
++ 0x5e, 0xc0, 0x0c, 0xc7, 0x2b, 0xa8, 0x26, 0x26, 0x8e, 0x93, 0x00, 0x8b,
++ 0xe1, 0x80, 0x3b, 0x43, 0x11, 0x65, 0xb6, 0x2a, 0xf7, 0x1a, 0xae, 0x12,
++ 0x64, 0xa4, 0xd3, 0xa3, 0x24, 0xe3, 0x6d, 0xea, 0x67, 0x17, 0x0f, 0x47,
++ 0x70, 0x65, 0x14, 0x9e, 0xda, 0x36, 0xbf, 0x22, 0xa6, 0x15, 0x1d, 0x22,
++ 0xed, 0x0d, 0xed, 0x6b, 0xc6, 0x70, 0x19, 0x4f, 0x00
++ };
++ static const unsigned char generator_y[] = {
++ 0x14, 0xfa, 0x30, 0xf2, 0x5b, 0x79, 0x08, 0x98, 0xad, 0xc8, 0xd7, 0x4e,
++ 0x2c, 0x13, 0xbd, 0xfd, 0xc4, 0x39, 0x7c, 0xe6, 0x1c, 0xff, 0xd3, 0x3a,
++ 0xd7, 0xc2, 0xa0, 0x05, 0x1e, 0x9c, 0x78, 0x87, 0x40, 0x98, 0xa3, 0x6c,
++ 0x73, 0x73, 0xea, 0x4b, 0x62, 0xc7, 0xc9, 0x56, 0x37, 0x20, 0x76, 0x88,
++ 0x24, 0xbc, 0xb6, 0x6e, 0x71, 0x46, 0x3f, 0x69, 0x00
++ };
++ unsigned char x_dst[57], buff[114];
++ ECX_KEY *key;
++ unsigned char *privkey = NULL, *pubkey;
++ EVP_MD_CTX *hashctx = NULL;
++
++ key = OPENSSL_zalloc(sizeof(*key));
++ if (key == NULL) {
++ ECerr(EC_F_S390X_PKEY_ECD_KEYGEN448, ERR_R_MALLOC_FAILURE);
++ goto err;
++ }
++
++ pubkey = key->pubkey;
++
++ privkey = key->privkey = OPENSSL_secure_malloc(ED448_KEYLEN);
++ if (privkey == NULL) {
++ ECerr(EC_F_S390X_PKEY_ECD_KEYGEN448, ERR_R_MALLOC_FAILURE);
++ goto err;
++ }
++
++ if (RAND_priv_bytes(privkey, ED448_KEYLEN) <= 0)
++ goto err;
++
++ hashctx = EVP_MD_CTX_new();
++ if (hashctx == NULL)
++ goto err;
++ if (EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL) != 1)
++ goto err;
++ if (EVP_DigestUpdate(hashctx, privkey, 57) != 1)
++ goto err;
++ if (EVP_DigestFinalXOF(hashctx, buff, sizeof(buff)) != 1)
++ goto err;
++
++ buff[0] &= -4;
++ buff[55] |= 0x80;
++ buff[56] = 0;
++
++ if (s390x_ed448_mul(x_dst, pubkey,
++ generator_x, generator_y, buff) != 1)
++ goto err;
++
++ pubkey[56] |= ((x_dst[0] & 0x01) << 7);
++
++ EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, key);
++ EVP_MD_CTX_free(hashctx);
++ return 1;
++ err:
++ OPENSSL_secure_clear_free(privkey, ED448_KEYLEN);
++ key->privkey = NULL;
++ OPENSSL_free(key);
++ EVP_MD_CTX_free(hashctx);
++ return 0;
++}
++
++static int s390x_pkey_ecx_derive25519(EVP_PKEY_CTX *ctx, unsigned char *key,
++ size_t *keylen)
++{
++ const unsigned char *privkey, *pubkey;
++
++ if (!validate_ecx_derive(ctx, key, keylen, &privkey, &pubkey))
++ return 0;
++
++ if (key != NULL)
++ return s390x_x25519_mul(key, pubkey, privkey);
++
++ *keylen = X25519_KEYLEN;
++ return 1;
++}
++
++static int s390x_pkey_ecx_derive448(EVP_PKEY_CTX *ctx, unsigned char *key,
++ size_t *keylen)
++{
++ const unsigned char *privkey, *pubkey;
++
++ if (!validate_ecx_derive(ctx, key, keylen, &privkey, &pubkey))
++ return 0;
++
++ if (key != NULL)
++ return s390x_x448_mul(key, pubkey, privkey);
++
++ *keylen = X448_KEYLEN;
++ return 1;
++}
++
++static int s390x_pkey_ecd_digestsign25519(EVP_MD_CTX *ctx,
++ unsigned char *sig, size_t *siglen,
++ const unsigned char *tbs,
++ size_t tbslen)
++{
++ union {
++ struct {
++ unsigned char sig[64];
++ unsigned char priv[32];
++ } ed25519;
++ unsigned long long buff[512];
++ } param;
++ const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx;
++ int rc;
++
++ if (sig == NULL) {
++ *siglen = ED25519_SIGSIZE;
++ return 1;
++ }
++
++ if (*siglen < ED25519_SIGSIZE) {
++ ECerr(EC_F_S390X_PKEY_ECD_DIGESTSIGN25519, EC_R_BUFFER_TOO_SMALL);
++ return 0;
++ }
++
++ memset(¶m, 0, sizeof(param));
++ memcpy(param.ed25519.priv, edkey->privkey, sizeof(param.ed25519.priv));
++
++ rc = s390x_kdsa(S390X_EDDSA_SIGN_ED25519, ¶m.ed25519, tbs, tbslen);
++ OPENSSL_cleanse(param.ed25519.priv, sizeof(param.ed25519.priv));
++ if (rc != 0)
++ return 0;
++
++ s390x_flip_endian32(sig, param.ed25519.sig);
++ s390x_flip_endian32(sig + 32, param.ed25519.sig + 32);
++
++ *siglen = ED25519_SIGSIZE;
++ return 1;
++}
++
++static int s390x_pkey_ecd_digestsign448(EVP_MD_CTX *ctx,
++ unsigned char *sig, size_t *siglen,
++ const unsigned char *tbs,
++ size_t tbslen)
++{
++ union {
++ struct {
++ unsigned char sig[128];
++ unsigned char priv[64];
++ } ed448;
++ unsigned long long buff[512];
++ } param;
++ const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx;
++ int rc;
++
++ if (sig == NULL) {
++ *siglen = ED448_SIGSIZE;
++ return 1;
++ }
++
++ if (*siglen < ED448_SIGSIZE) {
++ ECerr(EC_F_S390X_PKEY_ECD_DIGESTSIGN448, EC_R_BUFFER_TOO_SMALL);
++ return 0;
++ }
++
++ memset(¶m, 0, sizeof(param));
++ memcpy(param.ed448.priv + 64 - 57, edkey->privkey, 57);
++
++ rc = s390x_kdsa(S390X_EDDSA_SIGN_ED448, ¶m.ed448, tbs, tbslen);
++ OPENSSL_cleanse(param.ed448.priv, sizeof(param.ed448.priv));
++ if (rc != 0)
++ return 0;
++
++ s390x_flip_endian64(param.ed448.sig, param.ed448.sig);
++ s390x_flip_endian64(param.ed448.sig + 64, param.ed448.sig + 64);
++ memcpy(sig, param.ed448.sig, 57);
++ memcpy(sig + 57, param.ed448.sig + 64, 57);
++
++ *siglen = ED448_SIGSIZE;
++ return 1;
++}
++
++static int s390x_pkey_ecd_digestverify25519(EVP_MD_CTX *ctx,
++ const unsigned char *sig,
++ size_t siglen,
++ const unsigned char *tbs,
++ size_t tbslen)
++{
++ union {
++ struct {
++ unsigned char sig[64];
++ unsigned char pub[32];
++ } ed25519;
++ unsigned long long buff[512];
++ } param;
++ const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx;
++
++ if (siglen != ED25519_SIGSIZE)
++ return 0;
++
++ memset(¶m, 0, sizeof(param));
++ s390x_flip_endian32(param.ed25519.sig, sig);
++ s390x_flip_endian32(param.ed25519.sig + 32, sig + 32);
++ s390x_flip_endian32(param.ed25519.pub, edkey->pubkey);
++
++ return s390x_kdsa(S390X_EDDSA_VERIFY_ED25519,
++ ¶m.ed25519, tbs, tbslen) == 0 ? 1 : 0;
++}
++
++static int s390x_pkey_ecd_digestverify448(EVP_MD_CTX *ctx,
++ const unsigned char *sig,
++ size_t siglen,
++ const unsigned char *tbs,
++ size_t tbslen)
++{
++ union {
++ struct {
++ unsigned char sig[128];
++ unsigned char pub[64];
++ } ed448;
++ unsigned long long buff[512];
++ } param;
++ const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx;
++
++ if (siglen != ED448_SIGSIZE)
++ return 0;
++
++ memset(¶m, 0, sizeof(param));
++ memcpy(param.ed448.sig, sig, 57);
++ s390x_flip_endian64(param.ed448.sig, param.ed448.sig);
++ memcpy(param.ed448.sig + 64, sig + 57, 57);
++ s390x_flip_endian64(param.ed448.sig + 64, param.ed448.sig + 64);
++ memcpy(param.ed448.pub, edkey->pubkey, 57);
++ s390x_flip_endian64(param.ed448.pub, param.ed448.pub);
++
++ return s390x_kdsa(S390X_EDDSA_VERIFY_ED448,
++ ¶m.ed448, tbs, tbslen) == 0 ? 1 : 0;
++}
++
++static const EVP_PKEY_METHOD ecx25519_s390x_pkey_meth = {
++ EVP_PKEY_X25519,
++ 0, 0, 0, 0, 0, 0, 0,
++ s390x_pkey_ecx_keygen25519,
++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
++ s390x_pkey_ecx_derive25519,
++ pkey_ecx_ctrl,
++ 0
++};
++
++static const EVP_PKEY_METHOD ecx448_s390x_pkey_meth = {
++ EVP_PKEY_X448,
++ 0, 0, 0, 0, 0, 0, 0,
++ s390x_pkey_ecx_keygen448,
++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
++ s390x_pkey_ecx_derive448,
++ pkey_ecx_ctrl,
++ 0
++};
++static const EVP_PKEY_METHOD ed25519_s390x_pkey_meth = {
++ EVP_PKEY_ED25519, EVP_PKEY_FLAG_SIGCTX_CUSTOM,
++ 0, 0, 0, 0, 0, 0,
++ s390x_pkey_ecd_keygen25519,
++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
++ pkey_ecd_ctrl,
++ 0,
++ s390x_pkey_ecd_digestsign25519,
++ s390x_pkey_ecd_digestverify25519
++};
++
++static const EVP_PKEY_METHOD ed448_s390x_pkey_meth = {
++ EVP_PKEY_ED448, EVP_PKEY_FLAG_SIGCTX_CUSTOM,
++ 0, 0, 0, 0, 0, 0,
++ s390x_pkey_ecd_keygen448,
++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
++ pkey_ecd_ctrl,
++ 0,
++ s390x_pkey_ecd_digestsign448,
++ s390x_pkey_ecd_digestverify448
++};
++#endif
++
++const EVP_PKEY_METHOD *ecx25519_pkey_method(void)
++{
++#ifdef S390X_EC_ASM
++ if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_X25519))
++ return &ecx25519_s390x_pkey_meth;
++#endif
++ return &ecx25519_pkey_meth;
++}
++
++const EVP_PKEY_METHOD *ecx448_pkey_method(void)
++{
++#ifdef S390X_EC_ASM
++ if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_X448))
++ return &ecx448_s390x_pkey_meth;
++#endif
++ return &ecx448_pkey_meth;
++}
++
++const EVP_PKEY_METHOD *ed25519_pkey_method(void)
++{
++#ifdef S390X_EC_ASM
++ if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_ED25519)
++ && OPENSSL_s390xcap_P.kdsa[0] & S390X_CAPBIT(S390X_EDDSA_SIGN_ED25519)
++ && OPENSSL_s390xcap_P.kdsa[0]
++ & S390X_CAPBIT(S390X_EDDSA_VERIFY_ED25519))
++ return &ed25519_s390x_pkey_meth;
++#endif
++ return &ed25519_pkey_meth;
++}
++
++const EVP_PKEY_METHOD *ed448_pkey_method(void)
++{
++#ifdef S390X_EC_ASM
++ if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_ED448)
++ && OPENSSL_s390xcap_P.kdsa[0] & S390X_CAPBIT(S390X_EDDSA_SIGN_ED448)
++ && OPENSSL_s390xcap_P.kdsa[0] & S390X_CAPBIT(S390X_EDDSA_VERIFY_ED448))
++ return &ed448_s390x_pkey_meth;
++#endif
++ return &ed448_pkey_meth;
++}
+diff -up openssl-1.1.1g/crypto/err/openssl.txt.s390x-ecc openssl-1.1.1g/crypto/err/openssl.txt
+--- openssl-1.1.1g/crypto/err/openssl.txt.s390x-ecc 2020-05-18 12:45:40.834234079 +0200
++++ openssl-1.1.1g/crypto/err/openssl.txt 2020-05-18 12:45:44.575266592 +0200
+@@ -496,6 +496,11 @@ EC_F_ECDSA_SIGN_EX:254:ECDSA_sign_ex
+ EC_F_ECDSA_SIGN_SETUP:248:ECDSA_sign_setup
+ EC_F_ECDSA_SIG_NEW:265:ECDSA_SIG_new
+ EC_F_ECDSA_VERIFY:253:ECDSA_verify
++EC_F_ECDSA_SIMPLE_SIGN_SETUP:310:ecdsa_simple_sign_setup
++EC_F_ECDSA_SIMPLE_SIGN_SIG:311:ecdsa_simple_sign_sig
++EC_F_ECDSA_SIMPLE_VERIFY_SIG:312:ecdsa_simple_verify_sig
++EC_F_ECDSA_S390X_NISTP_SIGN_SIG:313:ecdsa_s390x_nistp_sign_sig
++EC_F_ECDSA_S390X_NISTP_VERIFY_SIG:314:ecdsa_s390x_nistp_verify_sig
+ EC_F_ECD_ITEM_VERIFY:270:ecd_item_verify
+ EC_F_ECKEY_PARAM2TYPE:223:eckey_param2type
+ EC_F_ECKEY_PARAM_DECODE:212:eckey_param_decode
+@@ -657,6 +662,7 @@ EC_F_NISTP521_PRE_COMP_NEW:237:nistp521_
+ EC_F_O2I_ECPUBLICKEY:152:o2i_ECPublicKey
+ EC_F_OLD_EC_PRIV_DECODE:222:old_ec_priv_decode
+ EC_F_OSSL_ECDH_COMPUTE_KEY:247:ossl_ecdh_compute_key
++EC_F_OSSL_ECDSA_SIGN_SETUP:300:ossl_ecdsa_sign_setup
+ EC_F_OSSL_ECDSA_SIGN_SIG:249:ossl_ecdsa_sign_sig
+ EC_F_OSSL_ECDSA_VERIFY_SIG:250:ossl_ecdsa_verify_sig
+ EC_F_PKEY_ECD_CTRL:271:pkey_ecd_ctrl
+@@ -672,6 +678,12 @@ EC_F_PKEY_EC_KDF_DERIVE:283:pkey_ec_kdf_
+ EC_F_PKEY_EC_KEYGEN:199:pkey_ec_keygen
+ EC_F_PKEY_EC_PARAMGEN:219:pkey_ec_paramgen
+ EC_F_PKEY_EC_SIGN:218:pkey_ec_sign
++EC_F_S390X_PKEY_ECD_DIGESTSIGN25519:303:s390x_pkey_ecd_digestsign25519
++EC_F_S390X_PKEY_ECD_DIGESTSIGN448:304:s390x_pkey_ecd_digestsign448
++EC_F_S390X_PKEY_ECD_KEYGEN25519:305:s390x_pkey_ecd_keygen25519
++EC_F_S390X_PKEY_ECD_KEYGEN448:306:s390x_pkey_ecd_keygen448
++EC_F_S390X_PKEY_ECX_KEYGEN25519:307:s390x_pkey_ecx_keygen25519
++EC_F_S390X_PKEY_ECX_KEYGEN448:308:s390x_pkey_ecx_keygen448
+ EC_F_VALIDATE_ECX_DERIVE:278:validate_ecx_derive
+ ENGINE_F_DIGEST_UPDATE:198:digest_update
+ ENGINE_F_DYNAMIC_CTRL:180:dynamic_ctrl
+@@ -2160,6 +2172,7 @@ EC_R_BUFFER_TOO_SMALL:100:buffer too sma
+ EC_R_CANNOT_INVERT:165:cannot invert
+ EC_R_COORDINATES_OUT_OF_RANGE:146:coordinates out of range
+ EC_R_CURVE_DOES_NOT_SUPPORT_ECDH:160:curve does not support ecdh
++EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA:170:curve does not support ecdsa
+ EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING:159:curve does not support signing
+ EC_R_D2I_ECPKPARAMETERS_FAILURE:117:d2i ecpkparameters failure
+ EC_R_DECODE_ERROR:142:decode error
+diff -up openssl-1.1.1g/crypto/evp/pmeth_lib.c.s390x-ecc openssl-1.1.1g/crypto/evp/pmeth_lib.c
+--- openssl-1.1.1g/crypto/evp/pmeth_lib.c.s390x-ecc 2020-05-18 12:45:40.787233671 +0200
++++ openssl-1.1.1g/crypto/evp/pmeth_lib.c 2020-05-18 12:45:44.576266601 +0200
+@@ -17,60 +17,67 @@
+ #include "crypto/evp.h"
+ #include "internal/numbers.h"
+
++typedef const EVP_PKEY_METHOD *(*pmeth_fn)(void);
+ typedef int sk_cmp_fn_type(const char *const *a, const char *const *b);
+
+ static STACK_OF(EVP_PKEY_METHOD) *app_pkey_methods = NULL;
+
+ /* This array needs to be in order of NIDs */
+-static const EVP_PKEY_METHOD *standard_methods[] = {
++static pmeth_fn standard_methods[] = {
+ #ifndef OPENSSL_NO_RSA
+- &rsa_pkey_meth,
++ rsa_pkey_method,
+ #endif
+ #ifndef OPENSSL_NO_DH
+- &dh_pkey_meth,
++ dh_pkey_method,
+ #endif
+ #ifndef OPENSSL_NO_DSA
+- &dsa_pkey_meth,
++ dsa_pkey_method,
+ #endif
+ #ifndef OPENSSL_NO_EC
+- &ec_pkey_meth,
++ ec_pkey_method,
+ #endif
+- &hmac_pkey_meth,
++ hmac_pkey_method,
+ #ifndef OPENSSL_NO_CMAC
+- &cmac_pkey_meth,
++ cmac_pkey_method,
+ #endif
+ #ifndef OPENSSL_NO_RSA
+- &rsa_pss_pkey_meth,
++ rsa_pss_pkey_method,
+ #endif
+ #ifndef OPENSSL_NO_DH
+- &dhx_pkey_meth,
++ dhx_pkey_method,
+ #endif
+ #ifndef OPENSSL_NO_SCRYPT
+- &scrypt_pkey_meth,
++ scrypt_pkey_method,
+ #endif
+- &tls1_prf_pkey_meth,
++ tls1_prf_pkey_method,
+ #ifndef OPENSSL_NO_EC
+- &ecx25519_pkey_meth,
+- &ecx448_pkey_meth,
++ ecx25519_pkey_method,
++ ecx448_pkey_method,
+ #endif
+- &hkdf_pkey_meth,
++ hkdf_pkey_method,
+ #ifndef OPENSSL_NO_POLY1305
+- &poly1305_pkey_meth,
++ poly1305_pkey_method,
+ #endif
+ #ifndef OPENSSL_NO_SIPHASH
+- &siphash_pkey_meth,
++ siphash_pkey_method,
+ #endif
+ #ifndef OPENSSL_NO_EC
+- &ed25519_pkey_meth,
+- &ed448_pkey_meth,
++ ed25519_pkey_method,
++ ed448_pkey_method,
+ #endif
+ #ifndef OPENSSL_NO_SM2
+- &sm2_pkey_meth,
++ sm2_pkey_method,
+ #endif
+ };
+
+-DECLARE_OBJ_BSEARCH_CMP_FN(const EVP_PKEY_METHOD *, const EVP_PKEY_METHOD *,
+- pmeth);
++DECLARE_OBJ_BSEARCH_CMP_FN(const EVP_PKEY_METHOD *, pmeth_fn, pmeth_func);
++
++static int pmeth_func_cmp(const EVP_PKEY_METHOD *const *a, pmeth_fn const *b)
++{
++ return ((*a)->pkey_id - ((**b)())->pkey_id);
++}
++
++IMPLEMENT_OBJ_BSEARCH_CMP_FN(const EVP_PKEY_METHOD *, pmeth_fn, pmeth_func);
+
+ static int pmeth_cmp(const EVP_PKEY_METHOD *const *a,
+ const EVP_PKEY_METHOD *const *b)
+@@ -78,13 +85,11 @@ static int pmeth_cmp(const EVP_PKEY_METH
+ return ((*a)->pkey_id - (*b)->pkey_id);
+ }
+
+-IMPLEMENT_OBJ_BSEARCH_CMP_FN(const EVP_PKEY_METHOD *, const EVP_PKEY_METHOD *,
+- pmeth);
+-
+ const EVP_PKEY_METHOD *EVP_PKEY_meth_find(int type)
+ {
++ pmeth_fn *ret;
+ EVP_PKEY_METHOD tmp;
+- const EVP_PKEY_METHOD *t = &tmp, **ret;
++ const EVP_PKEY_METHOD *t = &tmp;
+ tmp.pkey_id = type;
+ if (app_pkey_methods) {
+ int idx;
+@@ -92,12 +97,12 @@ const EVP_PKEY_METHOD *EVP_PKEY_meth_fin
+ if (idx >= 0)
+ return sk_EVP_PKEY_METHOD_value(app_pkey_methods, idx);
+ }
+- ret = OBJ_bsearch_pmeth(&t, standard_methods,
+- sizeof(standard_methods) /
+- sizeof(EVP_PKEY_METHOD *));
++ ret = OBJ_bsearch_pmeth_func(&t, standard_methods,
++ sizeof(standard_methods) /
++ sizeof(pmeth_fn));
+ if (!ret || !*ret)
+ return NULL;
+- return *ret;
++ return (**ret)();
+ }
+
+ static EVP_PKEY_CTX *int_ctx_new(EVP_PKEY *pkey, ENGINE *e, int id)
+@@ -348,7 +353,7 @@ size_t EVP_PKEY_meth_get_count(void)
+ const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx)
+ {
+ if (idx < OSSL_NELEM(standard_methods))
+- return standard_methods[idx];
++ return (standard_methods[idx])();
+ if (app_pkey_methods == NULL)
+ return NULL;
+ idx -= OSSL_NELEM(standard_methods);
+diff -up openssl-1.1.1g/crypto/hmac/hm_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/hmac/hm_pmeth.c
+--- openssl-1.1.1g/crypto/hmac/hm_pmeth.c.s390x-ecc 2020-05-18 12:45:40.796233749 +0200
++++ openssl-1.1.1g/crypto/hmac/hm_pmeth.c 2020-05-18 12:45:44.576266601 +0200
+@@ -210,3 +210,8 @@ const EVP_PKEY_METHOD hmac_pkey_meth = {
+ pkey_hmac_ctrl,
+ pkey_hmac_ctrl_str
+ };
++
++const EVP_PKEY_METHOD *hmac_pkey_method(void)
++{
++ return &hmac_pkey_meth;
++}
+diff -up openssl-1.1.1g/crypto/kdf/hkdf.c.s390x-ecc openssl-1.1.1g/crypto/kdf/hkdf.c
+--- openssl-1.1.1g/crypto/kdf/hkdf.c.s390x-ecc 2020-05-18 12:45:40.826234009 +0200
++++ openssl-1.1.1g/crypto/kdf/hkdf.c 2020-05-18 12:45:44.577266609 +0200
+@@ -233,6 +233,11 @@ const EVP_KDF_METHOD hkdf_kdf_meth = {
+ kdf_hkdf_derive
+ };
+
++const EVP_PKEY_METHOD *hkdf_pkey_method(void)
++{
++ return &hkdf_pkey_meth;
++}
++
+ static int HKDF(const EVP_MD *evp_md,
+ const unsigned char *salt, size_t salt_len,
+ const unsigned char *key, size_t key_len,
+diff -up openssl-1.1.1g/crypto/kdf/scrypt.c.s390x-ecc openssl-1.1.1g/crypto/kdf/scrypt.c
+--- openssl-1.1.1g/crypto/kdf/scrypt.c.s390x-ecc 2020-05-18 12:45:40.827234018 +0200
++++ openssl-1.1.1g/crypto/kdf/scrypt.c 2020-05-18 12:45:44.578266618 +0200
+@@ -504,4 +504,9 @@ static int scrypt_alg(const char *pass,
+ return rv;
+ }
+
++const EVP_PKEY_METHOD *scrypt_pkey_method(void)
++{
++ return &scrypt_pkey_meth;
++}
++
+ #endif
+diff -up openssl-1.1.1g/crypto/kdf/tls1_prf.c.s390x-ecc openssl-1.1.1g/crypto/kdf/tls1_prf.c
+--- openssl-1.1.1g/crypto/kdf/tls1_prf.c.s390x-ecc 2020-05-18 12:45:40.828234027 +0200
++++ openssl-1.1.1g/crypto/kdf/tls1_prf.c 2020-05-18 12:45:44.578266618 +0200
+@@ -168,6 +168,11 @@ const EVP_KDF_METHOD tls1_prf_kdf_meth =
+ kdf_tls1_prf_derive
+ };
+
++const EVP_PKEY_METHOD *tls1_prf_pkey_method(void)
++{
++ return &tls1_prf_pkey_meth;
++}
++
+ static int tls1_prf_P_hash(const EVP_MD *md,
+ const unsigned char *sec, size_t sec_len,
+ const unsigned char *seed, size_t seed_len,
+diff -up openssl-1.1.1g/crypto/poly1305/poly1305_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/poly1305/poly1305_pmeth.c
+--- openssl-1.1.1g/crypto/poly1305/poly1305_pmeth.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/crypto/poly1305/poly1305_pmeth.c 2020-05-18 12:45:44.579266627 +0200
+@@ -192,3 +192,8 @@ const EVP_PKEY_METHOD poly1305_pkey_meth
+ pkey_poly1305_ctrl,
+ pkey_poly1305_ctrl_str
+ };
++
++const EVP_PKEY_METHOD *poly1305_pkey_method(void)
++{
++ return &poly1305_pkey_meth;
++}
+diff -up openssl-1.1.1g/crypto/rsa/rsa_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/rsa/rsa_pmeth.c
+--- openssl-1.1.1g/crypto/rsa/rsa_pmeth.c.s390x-ecc 2020-05-18 12:45:40.798233766 +0200
++++ openssl-1.1.1g/crypto/rsa/rsa_pmeth.c 2020-05-18 12:45:44.580266635 +0200
+@@ -789,6 +789,11 @@ const EVP_PKEY_METHOD rsa_pkey_meth = {
+ pkey_rsa_ctrl_str
+ };
+
++const EVP_PKEY_METHOD *rsa_pkey_method(void)
++{
++ return &rsa_pkey_meth;
++}
++
+ /*
+ * Called for PSS sign or verify initialisation: checks PSS parameter
+ * sanity and sets any restrictions on key usage.
+@@ -859,3 +864,8 @@ const EVP_PKEY_METHOD rsa_pss_pkey_meth
+ pkey_rsa_ctrl,
+ pkey_rsa_ctrl_str
+ };
++
++const EVP_PKEY_METHOD *rsa_pss_pkey_method(void)
++{
++ return &rsa_pss_pkey_meth;
++}
+diff -up openssl-1.1.1g/crypto/s390x_arch.h.s390x-ecc openssl-1.1.1g/crypto/s390x_arch.h
+--- openssl-1.1.1g/crypto/s390x_arch.h.s390x-ecc 2020-05-18 12:45:40.603232072 +0200
++++ openssl-1.1.1g/crypto/s390x_arch.h 2020-05-18 12:45:44.580266635 +0200
+@@ -26,6 +26,12 @@ void s390x_kmf(const unsigned char *in,
+ unsigned int fc, void *param);
+ void s390x_kma(const unsigned char *aad, size_t alen, const unsigned char *in,
+ size_t len, unsigned char *out, unsigned int fc, void *param);
++int s390x_pcc(unsigned int fc, void *param);
++int s390x_kdsa(unsigned int fc, void *param, const unsigned char *in,
++ size_t len);
++
++void s390x_flip_endian32(unsigned char dst[32], const unsigned char src[32]);
++void s390x_flip_endian64(unsigned char dst[64], const unsigned char src[64]);
+
+ /*
+ * The field elements of OPENSSL_s390xcap_P are the 64-bit words returned by
+@@ -45,6 +51,8 @@ struct OPENSSL_s390xcap_st {
+ unsigned long long kmf[2];
+ unsigned long long prno[2];
+ unsigned long long kma[2];
++ unsigned long long pcc[2];
++ unsigned long long kdsa[2];
+ };
+
+ extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P;
+@@ -66,11 +74,14 @@ extern struct OPENSSL_s390xcap_st OPENSS
+ # define S390X_KMF 0x90
+ # define S390X_PRNO 0xa0
+ # define S390X_KMA 0xb0
++# define S390X_PCC 0xc0
++# define S390X_KDSA 0xd0
+
+ /* Facility Bit Numbers */
+ # define S390X_VX 129
+ # define S390X_VXD 134
+ # define S390X_VXE 135
++# define S390X_MSA9 155 /* message-security-assist-ext. 9 */
+
+ /* Function Codes */
+
+@@ -94,10 +105,32 @@ extern struct OPENSSL_s390xcap_st OPENSS
+ /* prno */
+ # define S390X_TRNG 114
+
++/* pcc */
++# define S390X_SCALAR_MULTIPLY_P256 64
++# define S390X_SCALAR_MULTIPLY_P384 65
++# define S390X_SCALAR_MULTIPLY_P521 66
++# define S390X_SCALAR_MULTIPLY_ED25519 72
++# define S390X_SCALAR_MULTIPLY_ED448 73
++# define S390X_SCALAR_MULTIPLY_X25519 80
++# define S390X_SCALAR_MULTIPLY_X448 81
++
++/* kdsa */
++# define S390X_ECDSA_VERIFY_P256 1
++# define S390X_ECDSA_VERIFY_P384 2
++# define S390X_ECDSA_VERIFY_P521 3
++# define S390X_ECDSA_SIGN_P256 9
++# define S390X_ECDSA_SIGN_P384 10
++# define S390X_ECDSA_SIGN_P521 11
++# define S390X_EDDSA_VERIFY_ED25519 32
++# define S390X_EDDSA_VERIFY_ED448 36
++# define S390X_EDDSA_SIGN_ED25519 40
++# define S390X_EDDSA_SIGN_ED448 44
++
+ /* Register 0 Flags */
+ # define S390X_DECRYPT 0x80
+ # define S390X_KMA_LPC 0x100
+ # define S390X_KMA_LAAD 0x200
+ # define S390X_KMA_HS 0x400
++# define S390X_KDSA_D 0x80
+
+ #endif
+diff -up openssl-1.1.1g/crypto/s390xcpuid.pl.s390x-ecc openssl-1.1.1g/crypto/s390xcpuid.pl
+--- openssl-1.1.1g/crypto/s390xcpuid.pl.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/crypto/s390xcpuid.pl 2020-05-18 12:45:44.581266644 +0200
+@@ -58,6 +58,10 @@ OPENSSL_s390x_facilities:
+ stg %r0,S390X_PRNO+8(%r4)
+ stg %r0,S390X_KMA(%r4)
+ stg %r0,S390X_KMA+8(%r4)
++ stg %r0,S390X_PCC(%r4)
++ stg %r0,S390X_PCC+8(%r4)
++ stg %r0,S390X_KDSA(%r4)
++ stg %r0,S390X_KDSA+8(%r4)
+
+ .long 0xb2b04000 # stfle 0(%r4)
+ brc 8,.Ldone
+@@ -68,6 +72,7 @@ OPENSSL_s390x_facilities:
+ .long 0xb2b04000 # stfle 0(%r4)
+ .Ldone:
+ lmg %r2,%r3,S390X_STFLE(%r4)
++
+ tmhl %r2,0x4000 # check for message-security-assist
+ jz .Lret
+
+@@ -91,6 +96,13 @@ OPENSSL_s390x_facilities:
+ la %r1,S390X_KMAC(%r4)
+ .long 0xb91e0042 # kmac %r4,%r2
+
++ tmhh %r3,0x0008 # check for message-security-assist-3
++ jz .Lret
++
++ lghi %r0,S390X_QUERY # query pcc capability vector
++ la %r1,S390X_PCC(%r4)
++ .long 0xb92c0000 # pcc
++
+ tmhh %r3,0x0004 # check for message-security-assist-4
+ jz .Lret
+
+@@ -114,6 +126,7 @@ OPENSSL_s390x_facilities:
+ .long 0xb93c0042 # prno %r4,%r2
+
+ lg %r2,S390X_STFLE+16(%r4)
++
+ tmhl %r2,0x2000 # check for message-security-assist-8
+ jz .Lret
+
+@@ -121,6 +134,13 @@ OPENSSL_s390x_facilities:
+ la %r1,S390X_KMA(%r4)
+ .long 0xb9294022 # kma %r2,%r4,%r2
+
++ tmhl %r2,0x0010 # check for message-security-assist-9
++ jz .Lret
++
++ lghi %r0,S390X_QUERY # query kdsa capability vector
++ la %r1,S390X_KDSA(%r4)
++ .long 0xb93a0002 # kdsa %r0,%r2
++
+ .Lret:
+ br $ra
+ .size OPENSSL_s390x_facilities,.-OPENSSL_s390x_facilities
+@@ -411,6 +431,113 @@ s390x_kma:
+ ___
+ }
+
++################
++# int s390x_pcc(unsigned int fc, void *param)
++{
++my ($fc,$param) = map("%r$_",(2..3));
++$code.=<<___;
++.globl s390x_pcc
++.type s390x_pcc,\@function
++.align 16
++s390x_pcc:
++ lr %r0,$fc
++ l${g}r %r1,$param
++ lhi %r2,0
++
++ .long 0xb92c0000 # pcc
++ brc 1,.-4 # pay attention to "partial completion"
++ brc 7,.Lpcc_err # if CC==0 return 0, else return 1
++.Lpcc_out:
++ br $ra
++.Lpcc_err:
++ lhi %r2,1
++ j .Lpcc_out
++.size s390x_pcc,.-s390x_pcc
++___
++}
++
++################
++# int s390x_kdsa(unsigned int fc, void *param,
++# const unsigned char *in, size_t len)
++{
++my ($fc,$param,$in,$len) = map("%r$_",(2..5));
++$code.=<<___;
++.globl s390x_kdsa
++.type s390x_kdsa,\@function
++.align 16
++s390x_kdsa:
++ lr %r0,$fc
++ l${g}r %r1,$param
++ lhi %r2,0
++
++ .long 0xb93a0004 # kdsa %r0,$in
++ brc 1,.-4 # pay attention to "partial completion"
++ brc 7,.Lkdsa_err # if CC==0 return 0, else return 1
++.Lkdsa_out:
++ br $ra
++.Lkdsa_err:
++ lhi %r2,1
++ j .Lkdsa_out
++.size s390x_kdsa,.-s390x_kdsa
++___
++}
++
++################
++# void s390x_flip_endian32(unsigned char dst[32], const unsigned char src[32])
++{
++my ($dst,$src) = map("%r$_",(2..3));
++$code.=<<___;
++.globl s390x_flip_endian32
++.type s390x_flip_endian32,\@function
++.align 16
++s390x_flip_endian32:
++ lrvg %r0,0(%r0,$src)
++ lrvg %r1,8(%r0,$src)
++ lrvg %r4,16(%r0,$src)
++ lrvg %r5,24(%r0,$src)
++ stg %r0,24(%r0,$dst)
++ stg %r1,16(%r0,$dst)
++ stg %r4,8(%r0,$dst)
++ stg %r5,0(%r0,$dst)
++ br $ra
++.size s390x_flip_endian32,.-s390x_flip_endian32
++___
++}
++
++################
++# void s390x_flip_endian64(unsigned char dst[64], const unsigned char src[64])
++{
++my ($dst,$src) = map("%r$_",(2..3));
++$code.=<<___;
++.globl s390x_flip_endian64
++.type s390x_flip_endian64,\@function
++.align 16
++s390x_flip_endian64:
++ stmg %r6,%r9,6*$SIZE_T($sp)
++
++ lrvg %r0,0(%r0,$src)
++ lrvg %r1,8(%r0,$src)
++ lrvg %r4,16(%r0,$src)
++ lrvg %r5,24(%r0,$src)
++ lrvg %r6,32(%r0,$src)
++ lrvg %r7,40(%r0,$src)
++ lrvg %r8,48(%r0,$src)
++ lrvg %r9,56(%r0,$src)
++ stg %r0,56(%r0,$dst)
++ stg %r1,48(%r0,$dst)
++ stg %r4,40(%r0,$dst)
++ stg %r5,32(%r0,$dst)
++ stg %r6,24(%r0,$dst)
++ stg %r7,16(%r0,$dst)
++ stg %r8,8(%r0,$dst)
++ stg %r9,0(%r0,$dst)
++
++ lmg %r6,%r9,6*$SIZE_T($sp)
++ br $ra
++.size s390x_flip_endian64,.-s390x_flip_endian64
++___
++}
++
+ $code.=<<___;
+ .section .init
+ brasl $ra,OPENSSL_cpuid_setup
+diff -up openssl-1.1.1g/crypto/siphash/siphash_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/siphash/siphash_pmeth.c
+--- openssl-1.1.1g/crypto/siphash/siphash_pmeth.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/crypto/siphash/siphash_pmeth.c 2020-05-18 12:45:44.581266644 +0200
+@@ -203,3 +203,8 @@ const EVP_PKEY_METHOD siphash_pkey_meth
+ pkey_siphash_ctrl,
+ pkey_siphash_ctrl_str
+ };
++
++const EVP_PKEY_METHOD *siphash_pkey_method(void)
++{
++ return &siphash_pkey_meth;
++}
+diff -up openssl-1.1.1g/crypto/sm2/sm2_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/sm2/sm2_pmeth.c
+--- openssl-1.1.1g/crypto/sm2/sm2_pmeth.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/crypto/sm2/sm2_pmeth.c 2020-05-18 12:45:44.582266653 +0200
+@@ -327,3 +327,8 @@ const EVP_PKEY_METHOD sm2_pkey_meth = {
+
+ pkey_sm2_digest_custom
+ };
++
++const EVP_PKEY_METHOD *sm2_pkey_method(void)
++{
++ return &sm2_pkey_meth;
++}
+diff -up openssl-1.1.1g/include/crypto/evp.h.s390x-ecc openssl-1.1.1g/include/crypto/evp.h
+--- openssl-1.1.1g/include/crypto/evp.h.s390x-ecc 2020-05-18 12:45:40.834234079 +0200
++++ openssl-1.1.1g/include/crypto/evp.h 2020-05-18 12:45:44.577266609 +0200
+@@ -459,3 +459,22 @@ void evp_encode_ctx_set_flags(EVP_ENCODE
+ #define EVP_ENCODE_CTX_NO_NEWLINES 1
+ /* Use the SRP base64 alphabet instead of the standard one */
+ #define EVP_ENCODE_CTX_USE_SRP_ALPHABET 2
++
++const EVP_PKEY_METHOD *cmac_pkey_method(void);
++const EVP_PKEY_METHOD *dh_pkey_method(void);
++const EVP_PKEY_METHOD *dhx_pkey_method(void);
++const EVP_PKEY_METHOD *dsa_pkey_method(void);
++const EVP_PKEY_METHOD *ec_pkey_method(void);
++const EVP_PKEY_METHOD *sm2_pkey_method(void);
++const EVP_PKEY_METHOD *ecx25519_pkey_method(void);
++const EVP_PKEY_METHOD *ecx448_pkey_method(void);
++const EVP_PKEY_METHOD *ed25519_pkey_method(void);
++const EVP_PKEY_METHOD *ed448_pkey_method(void);
++const EVP_PKEY_METHOD *hmac_pkey_method(void);
++const EVP_PKEY_METHOD *rsa_pkey_method(void);
++const EVP_PKEY_METHOD *rsa_pss_pkey_method(void);
++const EVP_PKEY_METHOD *scrypt_pkey_method(void);
++const EVP_PKEY_METHOD *tls1_prf_pkey_method(void);
++const EVP_PKEY_METHOD *hkdf_pkey_method(void);
++const EVP_PKEY_METHOD *poly1305_pkey_method(void);
++const EVP_PKEY_METHOD *siphash_pkey_method(void);
+diff -up openssl-1.1.1g/include/internal/constant_time.h.s390x-ecc openssl-1.1.1g/include/internal/constant_time.h
+--- openssl-1.1.1g/include/internal/constant_time.h.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/include/internal/constant_time.h 2020-05-18 12:45:44.582266653 +0200
+@@ -353,6 +353,34 @@ static ossl_inline void constant_time_co
+ }
+
+ /*
++ * mask must be 0xFF or 0x00.
++ * "constant time" is per len.
++ *
++ * if (mask) {
++ * unsigned char tmp[len];
++ *
++ * memcpy(tmp, a, len);
++ * memcpy(a, b);
++ * memcpy(b, tmp);
++ * }
++ */
++static ossl_inline void constant_time_cond_swap_buff(unsigned char mask,
++ unsigned char *a,
++ unsigned char *b,
++ size_t len)
++{
++ size_t i;
++ unsigned char tmp;
++
++ for (i = 0; i < len; i++) {
++ tmp = a[i] ^ b[i];
++ tmp &= mask;
++ a[i] ^= tmp;
++ b[i] ^= tmp;
++ }
++}
++
++/*
+ * table is a two dimensional array of bytes. Each row has rowsize elements.
+ * Copies row number idx into out. rowsize and numrows are not considered
+ * private.
+diff -up openssl-1.1.1g/include/openssl/ecerr.h.s390x-ecc openssl-1.1.1g/include/openssl/ecerr.h
+--- openssl-1.1.1g/include/openssl/ecerr.h.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/include/openssl/ecerr.h 2020-05-18 12:45:44.583266662 +0200
+@@ -42,6 +42,11 @@ int ERR_load_EC_strings(void);
+ # define EC_F_ECDSA_SIGN_SETUP 248
+ # define EC_F_ECDSA_SIG_NEW 265
+ # define EC_F_ECDSA_VERIFY 253
++# define EC_F_ECDSA_SIMPLE_SIGN_SETUP 310
++# define EC_F_ECDSA_SIMPLE_SIGN_SIG 311
++# define EC_F_ECDSA_SIMPLE_VERIFY_SIG 312
++# define EC_F_ECDSA_S390X_NISTP_SIGN_SIG 313
++# define EC_F_ECDSA_S390X_NISTP_VERIFY_SIG 314
+ # define EC_F_ECD_ITEM_VERIFY 270
+ # define EC_F_ECKEY_PARAM2TYPE 223
+ # define EC_F_ECKEY_PARAM_DECODE 212
+@@ -185,6 +190,7 @@ int ERR_load_EC_strings(void);
+ # define EC_F_O2I_ECPUBLICKEY 152
+ # define EC_F_OLD_EC_PRIV_DECODE 222
+ # define EC_F_OSSL_ECDH_COMPUTE_KEY 247
++# define EC_F_OSSL_ECDSA_SIGN_SETUP 300
+ # define EC_F_OSSL_ECDSA_SIGN_SIG 249
+ # define EC_F_OSSL_ECDSA_VERIFY_SIG 250
+ # define EC_F_PKEY_ECD_CTRL 271
+@@ -200,6 +206,12 @@ int ERR_load_EC_strings(void);
+ # define EC_F_PKEY_EC_KEYGEN 199
+ # define EC_F_PKEY_EC_PARAMGEN 219
+ # define EC_F_PKEY_EC_SIGN 218
++# define EC_F_S390X_PKEY_ECD_DIGESTSIGN25519 320
++# define EC_F_S390X_PKEY_ECD_DIGESTSIGN448 321
++# define EC_F_S390X_PKEY_ECD_KEYGEN25519 322
++# define EC_F_S390X_PKEY_ECD_KEYGEN448 323
++# define EC_F_S390X_PKEY_ECX_KEYGEN25519 324
++# define EC_F_S390X_PKEY_ECX_KEYGEN448 325
+ # define EC_F_VALIDATE_ECX_DERIVE 278
+
+ /*
+@@ -212,6 +224,7 @@ int ERR_load_EC_strings(void);
+ # define EC_R_CANNOT_INVERT 165
+ # define EC_R_COORDINATES_OUT_OF_RANGE 146
+ # define EC_R_CURVE_DOES_NOT_SUPPORT_ECDH 160
++# define EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA 170
+ # define EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING 159
+ # define EC_R_D2I_ECPKPARAMETERS_FAILURE 117
+ # define EC_R_DECODE_ERROR 142
+diff -up openssl-1.1.1g/test/recipes/30-test_evp_data/evppkey.txt.s390x-ecc openssl-1.1.1g/test/recipes/30-test_evp_data/evppkey.txt
+--- openssl-1.1.1g/test/recipes/30-test_evp_data/evppkey.txt.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/test/recipes/30-test_evp_data/evppkey.txt 2020-05-18 12:45:44.590266722 +0200
+@@ -814,6 +814,8 @@ PublicKeyRaw=Bob-448-PUBLIC-Raw:X448:3eb
+
+ PrivPubKeyPair = Bob-448-Raw:Bob-448-PUBLIC-Raw
+
++PublicKeyRaw=Bob-448-PUBLIC-Raw-NonCanonical:X448:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
++
+ Derive=Alice-448
+ PeerKey=Bob-448-PUBLIC
+ SharedSecret=07fff4181ac6cc95ec1c16a94a0f74d12da232ce40a77552281d282bb60c0b56fd2464c335543936521c24403085d59a449a5037514a879d
+@@ -830,6 +832,11 @@ Derive=Bob-448-Raw
+ PeerKey=Alice-448-PUBLIC-Raw
+ SharedSecret=07fff4181ac6cc95ec1c16a94a0f74d12da232ce40a77552281d282bb60c0b56fd2464c335543936521c24403085d59a449a5037514a879d
+
++# Self-generated non-canonical
++Derive=Alice-448-Raw
++PeerKey=Bob-448-PUBLIC-Raw-NonCanonical
++SharedSecret=66e2e682b1f8e68c809f1bb3e406bd826921d9c1a5bfbfcbab7ae72feecee63660eabd54934f3382061d17607f581a90bdac917a064959fb
++
+ # Illegal sign/verify operations with X448 key
+
+ Sign=Alice-448
diff --git a/openssl.spec b/openssl.spec
index e4c2cba..522055c 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -22,7 +22,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.1.1g
-Release: 2%{?dist}
+Release: 3%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@@ -62,12 +62,16 @@ Patch47: openssl-1.1.1-ts-sha256-default.patch
Patch48: openssl-1.1.1-fips-post-rand.patch
Patch49: openssl-1.1.1-evp-kdf.patch
Patch50: openssl-1.1.1-ssh-kdf.patch
+Patch51: openssl-1.1.1-intel-cet.patch
Patch60: openssl-1.1.1-krb5-kdf.patch
-Patch61: openssl-1.1.1-intel-cet.patch
+Patch61: openssl-1.1.1-edk2-build.patch
+Patch62: openssl-1.1.1-fips-curves.patch
Patch65: openssl-1.1.1-fips-drbg-selftest.patch
# Backported fixes including security fixes
Patch52: openssl-1.1.1-s390x-update.patch
Patch53: openssl-1.1.1-fips-crng-test.patch
+Patch55: openssl-1.1.1-arm-update.patch
+Patch56: openssl-1.1.1-s390x-ecc.patch
License: OpenSSL
URL: http://www.openssl.org/
@@ -166,10 +170,14 @@ cp %{SOURCE13} test/
%patch48 -p1 -b .fips-post-rand
%patch49 -p1 -b .evp-kdf
%patch50 -p1 -b .ssh-kdf
+%patch51 -p1 -b .intel-cet
%patch52 -p1 -b .s390x-update
%patch53 -p1 -b .crng-test
+%patch55 -p1 -b .arm-update
+%patch56 -p1 -b .s390x-ecc
%patch60 -p1 -b .krb5-kdf
-%patch61 -p1 -b .intel-cet
+%patch61 -p1 -b .edk2-build
+%patch62 -p1 -b .fips-curves
%patch65 -p1 -b .drbg-selftest
@@ -457,6 +465,9 @@ export LD_LIBRARY_PATH
%ldconfig_scriptlets libs
%changelog
+* Mon May 18 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-3
+- pull some fixes and improvements from RHEL-8
+
* Fri May 15 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-2
- FIPS module installed state definition is modified
reply other threads:[~2026-06-09 12:44 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=178100908455.1.17353932276976211492.rpms-openssl-1e6a98d9e90a@fedoraproject.org \
--to=tmraz@fedoraproject.org \
--cc=git-commits@fedoraproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox