[openssl] master update

patrick.steuer at de.ibm.com patrick.steuer at de.ibm.com
Wed Sep 25 13:54:11 UTC 2019


The branch master has been updated
       via  19bd1fa1ef17ff0ac071402cb6b002f1c29e37b9 (commit)
       via  2281be2ed4a7df462677661d30b13826ae6b3e26 (commit)
       via  ac037dc874a721ca81a33b4314e26cef4a7e8d48 (commit)
       via  b3681e2641999be6c1f70e66497fe384d683a07e (commit)
      from  e6879a31ef597f1b9608c7897087203d829d47c2 (commit)


- Log -----------------------------------------------------------------
commit 19bd1fa1ef17ff0ac071402cb6b002f1c29e37b9
Author: Patrick Steuer <patrick.steuer at de.ibm.com>
Date:   Thu Sep 19 15:31:27 2019 +0200

    s390x assembly pack: accelerate X25519, X448, Ed25519 and Ed448
    
    using PCC and KDSA instructions.
    
    Signed-off-by: Patrick Steuer <patrick.steuer at de.ibm.com>
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/10004)

commit 2281be2ed4a7df462677661d30b13826ae6b3e26
Author: Patrick Steuer <patrick.steuer at de.ibm.com>
Date:   Tue Sep 24 14:44:27 2019 +0200

    s390x assembly pack: cleanse only sensitive fields
    
    of instruction parameter blocks.
    
    Signed-off-by: Patrick Steuer <patrick.steuer at de.ibm.com>
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/10004)

commit ac037dc874a721ca81a33b4314e26cef4a7e8d48
Author: Patrick Steuer <patrick.steuer at de.ibm.com>
Date:   Tue Sep 24 23:20:00 2019 +0200

    s390x assembly pack: fix OPENSSL_s390xcap z15 cpu mask
    
    Signed-off-by: Patrick Steuer <patrick.steuer at de.ibm.com>
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/10004)

commit b3681e2641999be6c1f70e66497fe384d683a07e
Author: Patrick Steuer <patrick.steuer at de.ibm.com>
Date:   Tue Sep 24 23:03:19 2019 +0200

    s390x assembly pack: fix msa3 stfle bit detection
    
    Signed-off-by: Patrick Steuer <patrick.steuer at de.ibm.com>
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/10004)

-----------------------------------------------------------------------

Summary of changes:
 CHANGES                           |   4 +
 crypto/dh/dh_pmeth.c              |  14 +-
 crypto/dsa/dsa_pmeth.c            |   7 +-
 crypto/ec/build.info              |   2 +-
 crypto/ec/ec_curve.c              |  12 +-
 crypto/ec/ec_lcl.h                |   2 +-
 crypto/ec/ec_pmeth.c              |   7 +-
 crypto/ec/ecp_s390x_nistp.c       |   4 +-
 crypto/ec/ecx_meth.c              | 672 +++++++++++++++++++++++++++++++++++++-
 crypto/err/openssl.txt            |   6 +
 crypto/evp/pkey_kdf.c             |  20 +-
 crypto/evp/pkey_mac.c             |  28 +-
 crypto/evp/pmeth_lib.c            |  65 ++--
 crypto/include/internal/evp_int.h |  37 ++-
 crypto/rsa/rsa_pmeth.c            |  14 +-
 crypto/s390x_arch.h               |  11 +
 crypto/s390xcap.c                 |  20 +-
 crypto/s390xcpuid.pl              |  58 +++-
 crypto/sm2/sm2_pmeth.c            |   7 +-
 doc/man3/OPENSSL_s390xcap.pod     |   8 +
 include/openssl/ecerr.h           |   6 +
 21 files changed, 921 insertions(+), 83 deletions(-)

diff --git a/CHANGES b/CHANGES
index c32f768fc8..a4672fa21a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,10 @@
 
  Changes between 1.1.1 and 3.0.0 [xx XXX xxxx]
 
+  *) s390x assembly pack: add hardware-support for P-256, P-384, P-521,
+     X25519, X448, Ed25519 and Ed448.
+     [Patrick Steuer]
+
   *) Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just
      the first value.
      [Jon Spillett]
diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c
index f630fd3eea..4676a222e2 100644
--- a/crypto/dh/dh_pmeth.c
+++ b/crypto/dh/dh_pmeth.c
@@ -478,7 +478,7 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
     return 0;
 }
 
-const EVP_PKEY_METHOD dh_pkey_meth = {
+static const EVP_PKEY_METHOD dh_pkey_meth = {
     EVP_PKEY_DH,
     0,
     pkey_dh_init,
@@ -512,7 +512,12 @@ const EVP_PKEY_METHOD dh_pkey_meth = {
     pkey_dh_ctrl_str
 };
 
-const EVP_PKEY_METHOD dhx_pkey_meth = {
+const EVP_PKEY_METHOD *dh_pkey_method(void)
+{
+    return &dh_pkey_meth;
+}
+
+static const EVP_PKEY_METHOD dhx_pkey_meth = {
     EVP_PKEY_DHX,
     0,
     pkey_dh_init,
@@ -545,3 +550,8 @@ const EVP_PKEY_METHOD dhx_pkey_meth = {
     pkey_dh_ctrl,
     pkey_dh_ctrl_str
 };
+
+const EVP_PKEY_METHOD *dhx_pkey_method(void)
+{
+    return &dhx_pkey_meth;
+}
diff --git a/crypto/dsa/dsa_pmeth.c b/crypto/dsa/dsa_pmeth.c
index a21e01015b..496063d876 100644
--- a/crypto/dsa/dsa_pmeth.c
+++ b/crypto/dsa/dsa_pmeth.c
@@ -239,7 +239,7 @@ static int pkey_dsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
     return DSA_generate_key(pkey->pkey.dsa);
 }
 
-const EVP_PKEY_METHOD dsa_pkey_meth = {
+static const EVP_PKEY_METHOD dsa_pkey_meth = {
     EVP_PKEY_DSA,
     EVP_PKEY_FLAG_AUTOARGLEN,
     pkey_dsa_init,
@@ -271,3 +271,8 @@ const EVP_PKEY_METHOD dsa_pkey_meth = {
     pkey_dsa_ctrl,
     pkey_dsa_ctrl_str
 };
+
+const EVP_PKEY_METHOD *dsa_pkey_method(void)
+{
+    return &dsa_pkey_meth;
+}
diff --git a/crypto/ec/build.info b/crypto/ec/build.info
index 2befa3e77f..d140b5d64b 100644
--- a/crypto/ec/build.info
+++ b/crypto/ec/build.info
@@ -19,7 +19,7 @@ IF[{- !$disabled{asm} -}]
   $ECASM_mips64=
 
   $ECASM_s390x=ecp_s390x_nistp.c
-  $ECDEF_s390x=S390X_NISTP_ASM
+  $ECDEF_s390x=S390X_EC_ASM
 
   $ECASM_armv4=ecp_nistz256.c ecp_nistz256-armv4.S
   $ECDEF_armv4=ECP_NISTZ256_ASM
diff --git a/crypto/ec/ec_curve.c b/crypto/ec/ec_curve.c
index f3a526f126..bf10938664 100644
--- a/crypto/ec/ec_curve.c
+++ b/crypto/ec/ec_curve.c
@@ -2829,7 +2829,7 @@ static const ec_list_element curve_list[] = {
 # endif
     /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
     {NID_secp384r1, &_EC_NIST_PRIME_384.h,
-# if defined(S390X_NISTP_ASM)
+# if defined(S390X_EC_ASM)
      EC_GFp_s390x_nistp384_method,
 # else
      0,
@@ -2837,7 +2837,7 @@ static const ec_list_element curve_list[] = {
      "NIST/SECG curve over a 384 bit prime field"},
 
     {NID_secp521r1, &_EC_NIST_PRIME_521.h,
-# if defined(S390X_NISTP_ASM)
+# if defined(S390X_EC_ASM)
      EC_GFp_s390x_nistp521_method,
 # elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
      EC_GFp_nistp521_method,
@@ -2852,7 +2852,7 @@ static const ec_list_element curve_list[] = {
     {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
 # if defined(ECP_NISTZ256_ASM)
      EC_GFp_nistz256_method,
-# elif defined(S390X_NISTP_ASM)
+# elif defined(S390X_EC_ASM)
      EC_GFp_s390x_nistp256_method,
 # elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
      EC_GFp_nistp256_method,
@@ -2922,14 +2922,14 @@ static const ec_list_element curve_list[] = {
      "SECG curve over a 256 bit prime field"},
     /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
     {NID_secp384r1, &_EC_NIST_PRIME_384.h,
-# if defined(S390X_NISTP_ASM)
+# if defined(S390X_EC_ASM)
      EC_GFp_s390x_nistp384_method,
 # else
      0,
 # endif
      "NIST/SECG curve over a 384 bit prime field"},
     {NID_secp521r1, &_EC_NIST_PRIME_521.h,
-# if defined(S390X_NISTP_ASM)
+# if defined(S390X_EC_ASM)
      EC_GFp_s390x_nistp521_method,
 # elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
      EC_GFp_nistp521_method,
@@ -2953,7 +2953,7 @@ static const ec_list_element curve_list[] = {
     {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
 # if defined(ECP_NISTZ256_ASM)
      EC_GFp_nistz256_method,
-# elif defined(S390X_NISTP_ASM)
+# elif defined(S390X_EC_ASM)
      EC_GFp_s390x_nistp256_method,
 # elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
      EC_GFp_nistp256_method,
diff --git a/crypto/ec/ec_lcl.h b/crypto/ec/ec_lcl.h
index 5dd4d0318c..b33d30982c 100644
--- a/crypto/ec/ec_lcl.h
+++ b/crypto/ec/ec_lcl.h
@@ -597,7 +597,7 @@ int ec_group_simple_order_bits(const EC_GROUP *group);
  */
 const EC_METHOD *EC_GFp_nistz256_method(void);
 #endif
-#ifdef S390X_NISTP_ASM
+#ifdef S390X_EC_ASM
 const EC_METHOD *EC_GFp_s390x_nistp256_method(void);
 const EC_METHOD *EC_GFp_s390x_nistp384_method(void);
 const EC_METHOD *EC_GFp_s390x_nistp521_method(void);
diff --git a/crypto/ec/ec_pmeth.c b/crypto/ec/ec_pmeth.c
index e581741fca..ded2858ee4 100644
--- a/crypto/ec/ec_pmeth.c
+++ b/crypto/ec/ec_pmeth.c
@@ -437,7 +437,7 @@ static int pkey_ec_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
     return ret ? EC_KEY_generate_key(ec) : 0;
 }
 
-const EVP_PKEY_METHOD ec_pkey_meth = {
+static const EVP_PKEY_METHOD ec_pkey_meth = {
     EVP_PKEY_EC,
     0,
     pkey_ec_init,
@@ -475,3 +475,8 @@ const EVP_PKEY_METHOD ec_pkey_meth = {
     pkey_ec_ctrl,
     pkey_ec_ctrl_str
 };
+
+const EVP_PKEY_METHOD *ec_pkey_method(void)
+{
+    return &ec_pkey_meth;
+}
diff --git a/crypto/ec/ecp_s390x_nistp.c b/crypto/ec/ecp_s390x_nistp.c
index be81f0b8f0..9533698b0f 100644
--- a/crypto/ec/ecp_s390x_nistp.c
+++ b/crypto/ec/ecp_s390x_nistp.c
@@ -110,7 +110,7 @@ ret:
     /* Otherwise use default. */
     if (rc == -1)
         rc = ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx);
-    OPENSSL_cleanse(param, sizeof(param));
+    OPENSSL_cleanse(param + S390X_OFF_SCALAR(len), len);
     BN_CTX_end(ctx);
     BN_CTX_free(new_ctx);
     return rc;
@@ -203,7 +203,7 @@ static ECDSA_SIG *ecdsa_s390x_nistp_sign_sig(const unsigned char *dgst,
 
     ok = 1;
 ret:
-    OPENSSL_cleanse(param, sizeof(param));
+    OPENSSL_cleanse(param + S390X_OFF_K(len), 2 * len);
     if (ok != 1) {
         ECDSA_SIG_free(sig);
         sig = NULL;
diff --git a/crypto/ec/ecx_meth.c b/crypto/ec/ecx_meth.c
index b88139218a..aaaca64426 100644
--- a/crypto/ec/ecx_meth.c
+++ b/crypto/ec/ecx_meth.c
@@ -719,7 +719,7 @@ static int pkey_ecx_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
     return -2;
 }
 
-const EVP_PKEY_METHOD ecx25519_pkey_meth = {
+static const EVP_PKEY_METHOD ecx25519_pkey_meth = {
     EVP_PKEY_X25519,
     0, 0, 0, 0, 0, 0, 0,
     pkey_ecx_keygen,
@@ -729,7 +729,7 @@ const EVP_PKEY_METHOD ecx25519_pkey_meth = {
     0
 };
 
-const EVP_PKEY_METHOD ecx448_pkey_meth = {
+static const EVP_PKEY_METHOD ecx448_pkey_meth = {
     EVP_PKEY_X448,
     0, 0, 0, 0, 0, 0, 0,
     pkey_ecx_keygen,
@@ -830,7 +830,7 @@ static int pkey_ecd_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
     return -2;
 }
 
-const EVP_PKEY_METHOD ed25519_pkey_meth = {
+static const EVP_PKEY_METHOD ed25519_pkey_meth = {
     EVP_PKEY_ED25519, EVP_PKEY_FLAG_SIGCTX_CUSTOM,
     0, 0, 0, 0, 0, 0,
     pkey_ecx_keygen,
@@ -841,7 +841,7 @@ const EVP_PKEY_METHOD ed25519_pkey_meth = {
     pkey_ecd_digestverify25519
 };
 
-const EVP_PKEY_METHOD ed448_pkey_meth = {
+static const EVP_PKEY_METHOD ed448_pkey_meth = {
     EVP_PKEY_ED448, EVP_PKEY_FLAG_SIGCTX_CUSTOM,
     0, 0, 0, 0, 0, 0,
     pkey_ecx_keygen,
@@ -851,3 +851,667 @@ const EVP_PKEY_METHOD ed448_pkey_meth = {
     pkey_ecd_digestsign448,
     pkey_ecd_digestverify448
 };
+
+#ifdef S390X_EC_ASM
+# include "s390x_arch.h"
+
+static void s390x_x25519_mod_p(unsigned char u[32])
+{
+    unsigned char u_red[32];
+    unsigned int c = 0;
+    int i;
+
+    memcpy(u_red, u, sizeof(u_red));
+
+    c += (unsigned int)u_red[31] + 19;
+    u_red[31] = (unsigned char)c;
+    c >>= 8;
+
+    for (i = 30; c > 0 && i >= 0; i--) {
+        c += (unsigned int)u_red[i];
+        u_red[i] = (unsigned char)c;
+        c >>= 8;
+    }
+
+    if (u_red[0] & 0x80) {
+        u_red[0] &= 0x7f;
+        memcpy(u, u_red, sizeof(u_red));
+    }
+}
+
+static void s390x_x448_mod_p(unsigned char u[56])
+{
+    unsigned char u_red[56];
+    unsigned int c = 0;
+    int i;
+
+    memcpy(u_red, u, sizeof(u_red));
+
+    c += (unsigned int)u_red[55] + 1;
+    u_red[55] = (unsigned char)c;
+    c >>= 8;
+
+    for (i = 54; i >= 28; i--) {
+        c += (unsigned int)u_red[i];
+        u_red[i] = (unsigned char)c;
+        c >>= 8;
+    }
+
+    c += (unsigned int)u_red[27] + 1;
+    u_red[27] = (unsigned char)c;
+    c >>= 8;
+
+    for (i = 26; c > 0 && i >= 0; i--) {
+        c += (unsigned int)u_red[i];
+        u_red[i] = (unsigned char)c;
+        c >>= 8;
+    }
+
+    if (u_red[0] & 0x80) {
+        u_red[0] &= 0x7f;
+        memcpy(u, u_red, sizeof(u_red));
+    }
+}
+
+static int s390x_x25519_mul(unsigned char u_dst[32],
+                            const unsigned char u_src[32],
+                            const unsigned char d_src[32])
+{
+    union {
+        struct {
+            unsigned char u_dst[32];
+            unsigned char u_src[32];
+            unsigned char d_src[32];
+        } x25519;
+        unsigned long long buff[512];
+    } param;
+    int rc;
+
+    memset(&param, 0, sizeof(param));
+
+    s390x_flip_endian32(param.x25519.u_src, u_src);
+    param.x25519.u_src[0] &= 0x7f;
+    s390x_x25519_mod_p(param.x25519.u_src);
+
+    s390x_flip_endian32(param.x25519.d_src, d_src);
+    param.x25519.d_src[31] &= 248;
+    param.x25519.d_src[0] &= 127;
+    param.x25519.d_src[0] |= 64;
+
+    rc = s390x_pcc(S390X_SCALAR_MULTIPLY_X25519, &param.x25519) ? 0 : 1;
+    if (rc == 1)
+        s390x_flip_endian32(u_dst, param.x25519.u_dst);
+
+    OPENSSL_cleanse(param.x25519.d_src, sizeof(param.x25519.d_src));
+    return rc;
+}
+
+static int s390x_x448_mul(unsigned char u_dst[56],
+                          const unsigned char u_src[56],
+                          const unsigned char d_src[56])
+{
+    union {
+        struct {
+            unsigned char u_dst[64];
+            unsigned char u_src[64];
+            unsigned char d_src[64];
+        } x448;
+        unsigned long long buff[512];
+    } param;
+    int rc;
+
+    memset(&param, 0, sizeof(param));
+
+    memcpy(param.x448.u_src, u_src, 56);
+    memcpy(param.x448.d_src, d_src, 56);
+
+    s390x_flip_endian64(param.x448.u_src, param.x448.u_src);
+    s390x_x448_mod_p(param.x448.u_src);
+
+    s390x_flip_endian64(param.x448.d_src, param.x448.d_src);
+    param.x448.d_src[63] &= 252;
+    param.x448.d_src[8] |= 128;
+
+    rc = s390x_pcc(S390X_SCALAR_MULTIPLY_X448, &param.x448) ? 0 : 1;
+    if (rc == 1) {
+        s390x_flip_endian64(param.x448.u_dst, param.x448.u_dst);
+        memcpy(u_dst, param.x448.u_dst, 56);
+    }
+
+    OPENSSL_cleanse(param.x448.d_src, sizeof(param.x448.d_src));
+    return rc;
+}
+
+static int s390x_ed25519_mul(unsigned char x_dst[32],
+                             unsigned char y_dst[32],
+                             const unsigned char x_src[32],
+                             const unsigned char y_src[32],
+                             const unsigned char d_src[32])
+{
+    union {
+        struct {
+            unsigned char x_dst[32];
+            unsigned char y_dst[32];
+            unsigned char x_src[32];
+            unsigned char y_src[32];
+            unsigned char d_src[32];
+        } ed25519;
+        unsigned long long buff[512];
+    } param;
+    int rc;
+
+    memset(&param, 0, sizeof(param));
+
+    s390x_flip_endian32(param.ed25519.x_src, x_src);
+    s390x_flip_endian32(param.ed25519.y_src, y_src);
+    s390x_flip_endian32(param.ed25519.d_src, d_src);
+
+    rc = s390x_pcc(S390X_SCALAR_MULTIPLY_ED25519, &param.ed25519) ? 0 : 1;
+    if (rc == 1) {
+        s390x_flip_endian32(x_dst, param.ed25519.x_dst);
+        s390x_flip_endian32(y_dst, param.ed25519.y_dst);
+    }
+
+    OPENSSL_cleanse(param.ed25519.d_src, sizeof(param.ed25519.d_src));
+    return rc;
+}
+
+static int s390x_ed448_mul(unsigned char x_dst[57],
+                           unsigned char y_dst[57],
+                           const unsigned char x_src[57],
+                           const unsigned char y_src[57],
+                           const unsigned char d_src[57])
+{
+    union {
+        struct {
+            unsigned char x_dst[64];
+            unsigned char y_dst[64];
+            unsigned char x_src[64];
+            unsigned char y_src[64];
+            unsigned char d_src[64];
+        } ed448;
+        unsigned long long buff[512];
+    } param;
+    int rc;
+
+    memset(&param, 0, sizeof(param));
+
+    memcpy(param.ed448.x_src, x_src, 57);
+    memcpy(param.ed448.y_src, y_src, 57);
+    memcpy(param.ed448.d_src, d_src, 57);
+    s390x_flip_endian64(param.ed448.x_src, param.ed448.x_src);
+    s390x_flip_endian64(param.ed448.y_src, param.ed448.y_src);
+    s390x_flip_endian64(param.ed448.d_src, param.ed448.d_src);
+
+    rc = s390x_pcc(S390X_SCALAR_MULTIPLY_ED448, &param.ed448) ? 0 : 1;
+    if (rc == 1) {
+        s390x_flip_endian64(param.ed448.x_dst, param.ed448.x_dst);
+        s390x_flip_endian64(param.ed448.y_dst, param.ed448.y_dst);
+        memcpy(x_dst, param.ed448.x_dst, 57);
+        memcpy(y_dst, param.ed448.y_dst, 57);
+    }
+
+    OPENSSL_cleanse(param.ed448.d_src, sizeof(param.ed448.d_src));
+    return rc;
+}
+
+static int s390x_pkey_ecx_keygen25519(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
+{
+    static const unsigned char generator[] = {
+        0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+    };
+    ECX_KEY *key;
+    unsigned char *privkey = NULL, *pubkey;
+
+    key = OPENSSL_zalloc(sizeof(*key));
+    if (key == NULL) {
+        ECerr(EC_F_S390X_PKEY_ECX_KEYGEN25519, ERR_R_MALLOC_FAILURE);
+        goto err;
+    }
+
+    pubkey = key->pubkey;
+
+    privkey = key->privkey = OPENSSL_secure_malloc(X25519_KEYLEN);
+    if (privkey == NULL) {
+        ECerr(EC_F_S390X_PKEY_ECX_KEYGEN25519, ERR_R_MALLOC_FAILURE);
+        goto err;
+    }
+
+    if (RAND_priv_bytes(privkey, X25519_KEYLEN) <= 0)
+        goto err;
+
+    privkey[0] &= 248;
+    privkey[31] &= 127;
+    privkey[31] |= 64;
+
+    if (s390x_x25519_mul(pubkey, generator, privkey) != 1)
+        goto err;
+
+    EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, key);
+    return 1;
+ err:
+    OPENSSL_secure_clear_free(privkey, X25519_KEYLEN);
+    key->privkey = NULL;
+    OPENSSL_free(key);
+    return 0;
+}
+
+static int s390x_pkey_ecx_keygen448(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
+{
+    static const unsigned char generator[] = {
+        0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+    };
+    ECX_KEY *key;
+    unsigned char *privkey = NULL, *pubkey;
+
+    key = OPENSSL_zalloc(sizeof(*key));
+    if (key == NULL) {
+        ECerr(EC_F_S390X_PKEY_ECX_KEYGEN448, ERR_R_MALLOC_FAILURE);
+        goto err;
+    }
+
+    pubkey = key->pubkey;
+
+    privkey = key->privkey = OPENSSL_secure_malloc(X448_KEYLEN);
+    if (privkey == NULL) {
+        ECerr(EC_F_S390X_PKEY_ECX_KEYGEN448, ERR_R_MALLOC_FAILURE);
+        goto err;
+    }
+
+    if (RAND_priv_bytes(privkey, X448_KEYLEN) <= 0)
+        goto err;
+
+    privkey[0] &= 252;
+    privkey[55] |= 128;
+
+    if (s390x_x448_mul(pubkey, generator, privkey) != 1)
+        goto err;
+
+    EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, key);
+    return 1;
+ err:
+    OPENSSL_secure_clear_free(privkey, X448_KEYLEN);
+    key->privkey = NULL;
+    OPENSSL_free(key);
+    return 0;
+}
+
+static int s390x_pkey_ecd_keygen25519(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
+{
+    static const unsigned char generator_x[] = {
+        0x1a, 0xd5, 0x25, 0x8f, 0x60, 0x2d, 0x56, 0xc9, 0xb2, 0xa7, 0x25, 0x95,
+        0x60, 0xc7, 0x2c, 0x69, 0x5c, 0xdc, 0xd6, 0xfd, 0x31, 0xe2, 0xa4, 0xc0,
+        0xfe, 0x53, 0x6e, 0xcd, 0xd3, 0x36, 0x69, 0x21
+    };
+    static const unsigned char generator_y[] = {
+        0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
+        0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
+        0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
+    };
+    unsigned char x_dst[32], buff[SHA512_DIGEST_LENGTH];
+    ECX_KEY *key;
+    unsigned char *privkey = NULL, *pubkey;
+
+    key = OPENSSL_zalloc(sizeof(*key));
+    if (key == NULL) {
+        ECerr(EC_F_S390X_PKEY_ECD_KEYGEN25519, ERR_R_MALLOC_FAILURE);
+        goto err;
+    }
+
+    pubkey = key->pubkey;
+
+    privkey = key->privkey = OPENSSL_secure_malloc(ED25519_KEYLEN);
+    if (privkey == NULL) {
+        ECerr(EC_F_S390X_PKEY_ECD_KEYGEN25519, ERR_R_MALLOC_FAILURE);
+        goto err;
+    }
+
+    if (RAND_priv_bytes(privkey, ED25519_KEYLEN) <= 0)
+        goto err;
+
+    SHA512(privkey, 32, buff);
+    buff[0] &= 248;
+    buff[31] &= 63;
+    buff[31] |= 64;
+
+    if (s390x_ed25519_mul(x_dst, pubkey,
+                          generator_x, generator_y, buff) != 1)
+        goto err;
+
+    pubkey[31] |= ((x_dst[0] & 0x01) << 7);
+
+    EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, key);
+    return 1;
+ err:
+    OPENSSL_secure_clear_free(privkey, ED25519_KEYLEN);
+    key->privkey = NULL;
+    OPENSSL_free(key);
+    return 0;
+}
+
+static int s390x_pkey_ecd_keygen448(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
+{
+    static const unsigned char generator_x[] = {
+        0x5e, 0xc0, 0x0c, 0xc7, 0x2b, 0xa8, 0x26, 0x26, 0x8e, 0x93, 0x00, 0x8b,
+        0xe1, 0x80, 0x3b, 0x43, 0x11, 0x65, 0xb6, 0x2a, 0xf7, 0x1a, 0xae, 0x12,
+        0x64, 0xa4, 0xd3, 0xa3, 0x24, 0xe3, 0x6d, 0xea, 0x67, 0x17, 0x0f, 0x47,
+        0x70, 0x65, 0x14, 0x9e, 0xda, 0x36, 0xbf, 0x22, 0xa6, 0x15, 0x1d, 0x22,
+        0xed, 0x0d, 0xed, 0x6b, 0xc6, 0x70, 0x19, 0x4f, 0x00
+    };
+    static const unsigned char generator_y[] = {
+        0x14, 0xfa, 0x30, 0xf2, 0x5b, 0x79, 0x08, 0x98, 0xad, 0xc8, 0xd7, 0x4e,
+        0x2c, 0x13, 0xbd, 0xfd, 0xc4, 0x39, 0x7c, 0xe6, 0x1c, 0xff, 0xd3, 0x3a,
+        0xd7, 0xc2, 0xa0, 0x05, 0x1e, 0x9c, 0x78, 0x87, 0x40, 0x98, 0xa3, 0x6c,
+        0x73, 0x73, 0xea, 0x4b, 0x62, 0xc7, 0xc9, 0x56, 0x37, 0x20, 0x76, 0x88,
+        0x24, 0xbc, 0xb6, 0x6e, 0x71, 0x46, 0x3f, 0x69, 0x00
+    };
+    unsigned char x_dst[57], buff[114];
+    ECX_KEY *key;
+    unsigned char *privkey = NULL, *pubkey;
+    EVP_MD_CTX *hashctx = NULL;
+
+    key = OPENSSL_zalloc(sizeof(*key));
+    if (key == NULL) {
+        ECerr(EC_F_S390X_PKEY_ECD_KEYGEN448, ERR_R_MALLOC_FAILURE);
+        goto err;
+    }
+
+    pubkey = key->pubkey;
+
+    privkey = key->privkey = OPENSSL_secure_malloc(ED448_KEYLEN);
+    if (privkey == NULL) {
+        ECerr(EC_F_S390X_PKEY_ECD_KEYGEN448, ERR_R_MALLOC_FAILURE);
+        goto err;
+    }
+
+    if (RAND_priv_bytes(privkey, ED448_KEYLEN) <= 0)
+        goto err;
+
+    hashctx = EVP_MD_CTX_new();
+    if (hashctx == NULL)
+        goto err;
+    if (EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL) != 1)
+        goto err;
+    if (EVP_DigestUpdate(hashctx, privkey, 57) != 1)
+        goto err;
+    if (EVP_DigestFinalXOF(hashctx, buff, sizeof(buff)) != 1)
+        goto err;
+
+    buff[0] &= -4;
+    buff[55] |= 0x80;
+    buff[56] = 0;
+
+    if (s390x_ed448_mul(x_dst, pubkey,
+                        generator_x, generator_y, buff) != 1)
+        goto err;
+
+    pubkey[56] |= ((x_dst[0] & 0x01) << 7);
+
+    EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, key);
+    EVP_MD_CTX_free(hashctx);
+    return 1;
+ err:
+    OPENSSL_secure_clear_free(privkey, ED448_KEYLEN);
+    key->privkey = NULL;
+    OPENSSL_free(key);
+    EVP_MD_CTX_free(hashctx);
+    return 0;
+}
+
+static int s390x_pkey_ecx_derive25519(EVP_PKEY_CTX *ctx, unsigned char *key,
+                                      size_t *keylen)
+{
+    const unsigned char *privkey, *pubkey;
+
+    if (!validate_ecx_derive(ctx, key, keylen, &privkey, &pubkey))
+        return 0;
+
+    if (key != NULL)
+        return s390x_x25519_mul(key, pubkey, privkey);
+
+    *keylen = X25519_KEYLEN;
+    return 1;
+}
+
+static int s390x_pkey_ecx_derive448(EVP_PKEY_CTX *ctx, unsigned char *key,
+                                      size_t *keylen)
+{
+    const unsigned char *privkey, *pubkey;
+
+    if (!validate_ecx_derive(ctx, key, keylen, &privkey, &pubkey))
+        return 0;
+
+    if (key != NULL)
+        return s390x_x448_mul(key, pubkey, privkey);
+
+    *keylen = X448_KEYLEN;
+    return 1;
+}
+
+static int s390x_pkey_ecd_digestsign25519(EVP_MD_CTX *ctx,
+                                          unsigned char *sig, size_t *siglen,
+                                          const unsigned char *tbs,
+                                          size_t tbslen)
+{
+    union {
+        struct {
+            unsigned char sig[64];
+            unsigned char priv[32];
+        } ed25519;
+        unsigned long long buff[512];
+    } param;
+    const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx;
+    int rc;
+
+    if (sig == NULL) {
+        *siglen = ED25519_SIGSIZE;
+        return 1;
+    }
+
+    if (*siglen < ED25519_SIGSIZE) {
+        ECerr(EC_F_S390X_PKEY_ECD_DIGESTSIGN25519, EC_R_BUFFER_TOO_SMALL);
+        return 0;
+    }
+
+    memset(&param, 0, sizeof(param));
+    memcpy(param.ed25519.priv, edkey->privkey, sizeof(param.ed25519.priv));
+
+    rc = s390x_kdsa(S390X_EDDSA_SIGN_ED25519, &param.ed25519, tbs, tbslen);
+    OPENSSL_cleanse(param.ed25519.priv, sizeof(param.ed25519.priv));
+    if (rc != 0)
+        return 0;
+
+    s390x_flip_endian32(sig, param.ed25519.sig);
+    s390x_flip_endian32(sig + 32, param.ed25519.sig + 32);
+
+    *siglen = ED25519_SIGSIZE;
+    return 1;
+}
+
+static int s390x_pkey_ecd_digestsign448(EVP_MD_CTX *ctx,
+                                        unsigned char *sig, size_t *siglen,
+                                        const unsigned char *tbs,
+                                        size_t tbslen)
+{
+    union {
+        struct {
+            unsigned char sig[128];
+            unsigned char priv[64];
+        } ed448;
+        unsigned long long buff[512];
+    } param;
+    const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx;
+    int rc;
+
+    if (sig == NULL) {
+        *siglen = ED448_SIGSIZE;
+        return 1;
+    }
+
+    if (*siglen < ED448_SIGSIZE) {
+        ECerr(EC_F_S390X_PKEY_ECD_DIGESTSIGN448, EC_R_BUFFER_TOO_SMALL);
+        return 0;
+    }
+
+    memset(&param, 0, sizeof(param));
+    memcpy(param.ed448.priv + 64 - 57, edkey->privkey, 57);
+
+    rc = s390x_kdsa(S390X_EDDSA_SIGN_ED448, &param.ed448, tbs, tbslen);
+    OPENSSL_cleanse(param.ed448.priv, sizeof(param.ed448.priv));
+    if (rc != 0)
+        return 0;
+
+    s390x_flip_endian64(param.ed448.sig, param.ed448.sig);
+    s390x_flip_endian64(param.ed448.sig + 64, param.ed448.sig + 64);
+    memcpy(sig, param.ed448.sig, 57);
+    memcpy(sig + 57, param.ed448.sig + 64, 57);
+
+    *siglen = ED448_SIGSIZE;
+    return 1;
+}
+
+static int s390x_pkey_ecd_digestverify25519(EVP_MD_CTX *ctx,
+                                            const unsigned char *sig,
+                                            size_t siglen,
+                                            const unsigned char *tbs,
+                                            size_t tbslen)
+{
+    union {
+        struct {
+            unsigned char sig[64];
+            unsigned char pub[32];
+        } ed25519;
+        unsigned long long buff[512];
+    } param;
+    const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx;
+
+    if (siglen != ED25519_SIGSIZE)
+        return 0;
+
+    memset(&param, 0, sizeof(param));
+    s390x_flip_endian32(param.ed25519.sig, sig);
+    s390x_flip_endian32(param.ed25519.sig + 32, sig + 32);
+    s390x_flip_endian32(param.ed25519.pub, edkey->pubkey);
+
+    return s390x_kdsa(S390X_EDDSA_VERIFY_ED25519,
+                      &param.ed25519, tbs, tbslen) == 0 ? 1 : 0;
+}
+
+static int s390x_pkey_ecd_digestverify448(EVP_MD_CTX *ctx,
+                                          const unsigned char *sig,
+                                          size_t siglen,
+                                          const unsigned char *tbs,
+                                          size_t tbslen)
+{
+    union {
+        struct {
+            unsigned char sig[128];
+            unsigned char pub[64];
+        } ed448;
+        unsigned long long buff[512];
+    } param;
+    const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx;
+
+    if (siglen != ED448_SIGSIZE)
+        return 0;
+
+    memset(&param, 0, sizeof(param));
+    memcpy(param.ed448.sig, sig, 57);
+    s390x_flip_endian64(param.ed448.sig, param.ed448.sig);
+    memcpy(param.ed448.sig + 64, sig + 57, 57);
+    s390x_flip_endian64(param.ed448.sig + 64, param.ed448.sig + 64);
+    memcpy(param.ed448.pub, edkey->pubkey, 57);
+    s390x_flip_endian64(param.ed448.pub, param.ed448.pub);
+
+    return s390x_kdsa(S390X_EDDSA_VERIFY_ED448,
+                      &param.ed448, tbs, tbslen) == 0 ? 1 : 0;
+}
+
+static const EVP_PKEY_METHOD ecx25519_s390x_pkey_meth = {
+    EVP_PKEY_X25519,
+    0, 0, 0, 0, 0, 0, 0,
+    s390x_pkey_ecx_keygen25519,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    s390x_pkey_ecx_derive25519,
+    pkey_ecx_ctrl,
+    0
+};
+
+static const EVP_PKEY_METHOD ecx448_s390x_pkey_meth = {
+    EVP_PKEY_X448,
+    0, 0, 0, 0, 0, 0, 0,
+    s390x_pkey_ecx_keygen448,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    s390x_pkey_ecx_derive448,
+    pkey_ecx_ctrl,
+    0
+};
+static const EVP_PKEY_METHOD ed25519_s390x_pkey_meth = {
+    EVP_PKEY_ED25519, EVP_PKEY_FLAG_SIGCTX_CUSTOM,
+    0, 0, 0, 0, 0, 0,
+    s390x_pkey_ecd_keygen25519,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    pkey_ecd_ctrl,
+    0,
+    s390x_pkey_ecd_digestsign25519,
+    s390x_pkey_ecd_digestverify25519
+};
+
+static const EVP_PKEY_METHOD ed448_s390x_pkey_meth = {
+    EVP_PKEY_ED448, EVP_PKEY_FLAG_SIGCTX_CUSTOM,
+    0, 0, 0, 0, 0, 0,
+    s390x_pkey_ecd_keygen448,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    pkey_ecd_ctrl,
+    0,
+    s390x_pkey_ecd_digestsign448,
+    s390x_pkey_ecd_digestverify448
+};
+#endif
+
+const EVP_PKEY_METHOD *ecx25519_pkey_method(void)
+{
+#ifdef S390X_EC_ASM
+    if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_X25519))
+        return &ecx25519_s390x_pkey_meth;
+#endif
+    return &ecx25519_pkey_meth;
+}
+
+const EVP_PKEY_METHOD *ecx448_pkey_method(void)
+{
+#ifdef S390X_EC_ASM
+    if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_X448))
+        return &ecx448_s390x_pkey_meth;
+#endif
+    return &ecx448_pkey_meth;
+}
+
+const EVP_PKEY_METHOD *ed25519_pkey_method(void)
+{
+#ifdef S390X_EC_ASM
+    if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_ED25519)
+        && OPENSSL_s390xcap_P.kdsa[0] & S390X_CAPBIT(S390X_EDDSA_SIGN_ED25519)
+        && OPENSSL_s390xcap_P.kdsa[0]
+            & S390X_CAPBIT(S390X_EDDSA_VERIFY_ED25519))
+        return &ed25519_s390x_pkey_meth;
+#endif
+    return &ed25519_pkey_meth;
+}
+
+const EVP_PKEY_METHOD *ed448_pkey_method(void)
+{
+#ifdef S390X_EC_ASM
+    if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_ED448)
+        && OPENSSL_s390xcap_P.kdsa[0] & S390X_CAPBIT(S390X_EDDSA_SIGN_ED448)
+        && OPENSSL_s390xcap_P.kdsa[0] & S390X_CAPBIT(S390X_EDDSA_VERIFY_ED448))
+        return &ed448_s390x_pkey_meth;
+#endif
+    return &ed448_pkey_meth;
+}
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 700f1da20f..bca1c7b71d 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -737,6 +737,12 @@ EC_F_PKEY_EC_KDF_DERIVE:283:pkey_ec_kdf_derive
 EC_F_PKEY_EC_KEYGEN:199:pkey_ec_keygen
 EC_F_PKEY_EC_PARAMGEN:219:pkey_ec_paramgen
 EC_F_PKEY_EC_SIGN:218:pkey_ec_sign
+EC_F_S390X_PKEY_ECD_DIGESTSIGN25519:303:s390x_pkey_ecd_digestsign25519
+EC_F_S390X_PKEY_ECD_DIGESTSIGN448:304:s390x_pkey_ecd_digestsign448
+EC_F_S390X_PKEY_ECD_KEYGEN25519:305:s390x_pkey_ecd_keygen25519
+EC_F_S390X_PKEY_ECD_KEYGEN448:306:s390x_pkey_ecd_keygen448
+EC_F_S390X_PKEY_ECX_KEYGEN25519:307:s390x_pkey_ecx_keygen25519
+EC_F_S390X_PKEY_ECX_KEYGEN448:308:s390x_pkey_ecx_keygen448
 EC_F_VALIDATE_ECX_DERIVE:278:validate_ecx_derive
 ENGINE_F_DIGEST_UPDATE:198:digest_update
 ENGINE_F_DYNAMIC_CTRL:180:dynamic_ctrl
diff --git a/crypto/evp/pkey_kdf.c b/crypto/evp/pkey_kdf.c
index f32d2131a7..98bf5c6660 100644
--- a/crypto/evp/pkey_kdf.c
+++ b/crypto/evp/pkey_kdf.c
@@ -307,7 +307,7 @@ static int pkey_kdf_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
 }
 
 #ifndef OPENSSL_NO_SCRYPT
-const EVP_PKEY_METHOD scrypt_pkey_meth = {
+static const EVP_PKEY_METHOD scrypt_pkey_meth = {
     EVP_PKEY_SCRYPT,
     0,
     pkey_kdf_init,
@@ -336,9 +336,14 @@ const EVP_PKEY_METHOD scrypt_pkey_meth = {
     pkey_kdf_ctrl,
     pkey_kdf_ctrl_str
 };
+
+const EVP_PKEY_METHOD *scrypt_pkey_method(void)
+{
+    return &scrypt_pkey_meth;
+}
 #endif
 
-const EVP_PKEY_METHOD tls1_prf_pkey_meth = {
+static const EVP_PKEY_METHOD tls1_prf_pkey_meth = {
     EVP_PKEY_TLS1_PRF,
     0,
     pkey_kdf_init,
@@ -368,7 +373,12 @@ const EVP_PKEY_METHOD tls1_prf_pkey_meth = {
     pkey_kdf_ctrl_str
 };
 
-const EVP_PKEY_METHOD hkdf_pkey_meth = {
+const EVP_PKEY_METHOD *tls1_prf_pkey_method(void)
+{
+    return &tls1_prf_pkey_meth;
+}
+
+static const EVP_PKEY_METHOD hkdf_pkey_meth = {
     EVP_PKEY_HKDF,
     0,
     pkey_kdf_init,
@@ -398,3 +408,7 @@ const EVP_PKEY_METHOD hkdf_pkey_meth = {
     pkey_kdf_ctrl_str
 };
 
+const EVP_PKEY_METHOD *hkdf_pkey_method(void)
+{
+    return &hkdf_pkey_meth;
+}
diff --git a/crypto/evp/pkey_mac.c b/crypto/evp/pkey_mac.c
index 5f33b4e421..9853e09cf1 100644
--- a/crypto/evp/pkey_mac.c
+++ b/crypto/evp/pkey_mac.c
@@ -461,7 +461,7 @@ static int pkey_mac_ctrl_str(EVP_PKEY_CTX *ctx,
     return ok;
 }
 
-const EVP_PKEY_METHOD cmac_pkey_meth = {
+static const EVP_PKEY_METHOD cmac_pkey_meth = {
     EVP_PKEY_CMAC,
     EVP_PKEY_FLAG_SIGCTX_CUSTOM,
     pkey_mac_init,
@@ -494,7 +494,12 @@ const EVP_PKEY_METHOD cmac_pkey_meth = {
     pkey_mac_ctrl_str
 };
 
-const EVP_PKEY_METHOD hmac_pkey_meth = {
+const EVP_PKEY_METHOD *cmac_pkey_method(void)
+{
+    return &cmac_pkey_meth;
+}
+
+static const EVP_PKEY_METHOD hmac_pkey_meth = {
     EVP_PKEY_HMAC,
     0,
     pkey_mac_init,
@@ -527,7 +532,12 @@ const EVP_PKEY_METHOD hmac_pkey_meth = {
     pkey_mac_ctrl_str
 };
 
-const EVP_PKEY_METHOD siphash_pkey_meth = {
+const EVP_PKEY_METHOD *hmac_pkey_method(void)
+{
+    return &hmac_pkey_meth;
+}
+
+static const EVP_PKEY_METHOD siphash_pkey_meth = {
     EVP_PKEY_SIPHASH,
     EVP_PKEY_FLAG_SIGCTX_CUSTOM,
     pkey_mac_init,
@@ -560,7 +570,12 @@ const EVP_PKEY_METHOD siphash_pkey_meth = {
     pkey_mac_ctrl_str
 };
 
-const EVP_PKEY_METHOD poly1305_pkey_meth = {
+const EVP_PKEY_METHOD *siphash_pkey_method(void)
+{
+    return &siphash_pkey_meth;
+}
+
+static const EVP_PKEY_METHOD poly1305_pkey_meth = {
     EVP_PKEY_POLY1305,
     EVP_PKEY_FLAG_SIGCTX_CUSTOM,
     pkey_mac_init,
@@ -592,3 +607,8 @@ const EVP_PKEY_METHOD poly1305_pkey_meth = {
     pkey_mac_ctrl,
     pkey_mac_ctrl_str
 };
+
+const EVP_PKEY_METHOD *poly1305_pkey_method(void)
+{
+    return &poly1305_pkey_meth;
+}
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
index 2be51f155f..8b386cf19f 100644
--- a/crypto/evp/pmeth_lib.c
+++ b/crypto/evp/pmeth_lib.c
@@ -22,60 +22,67 @@
 #include "internal/provider.h"
 #include "evp_locl.h"
 
+typedef const EVP_PKEY_METHOD *(*pmeth_fn)(void);
 typedef int sk_cmp_fn_type(const char *const *a, const char *const *b);
 
 static STACK_OF(EVP_PKEY_METHOD) *app_pkey_methods = NULL;
 
 /* This array needs to be in order of NIDs */
-static const EVP_PKEY_METHOD *standard_methods[] = {
+static pmeth_fn standard_methods[] = {
 #ifndef OPENSSL_NO_RSA
-    &rsa_pkey_meth,
+    rsa_pkey_method,
 #endif
 #ifndef OPENSSL_NO_DH
-    &dh_pkey_meth,
+    dh_pkey_method,
 #endif
 #ifndef OPENSSL_NO_DSA
-    &dsa_pkey_meth,
+    dsa_pkey_method,
 #endif
 #ifndef OPENSSL_NO_EC
-    &ec_pkey_meth,
+    ec_pkey_method,
 #endif
-    &hmac_pkey_meth,
+    hmac_pkey_method,
 #ifndef OPENSSL_NO_CMAC
-    &cmac_pkey_meth,
+    cmac_pkey_method,
 #endif
 #ifndef OPENSSL_NO_RSA
-    &rsa_pss_pkey_meth,
+    rsa_pss_pkey_method,
 #endif
 #ifndef OPENSSL_NO_DH
-    &dhx_pkey_meth,
+    dhx_pkey_method,
 #endif
 #ifndef OPENSSL_NO_SCRYPT
-    &scrypt_pkey_meth,
+    scrypt_pkey_method,
 #endif
-    &tls1_prf_pkey_meth,
+    tls1_prf_pkey_method,
 #ifndef OPENSSL_NO_EC
-    &ecx25519_pkey_meth,
-    &ecx448_pkey_meth,
+    ecx25519_pkey_method,
+    ecx448_pkey_method,
 #endif
-    &hkdf_pkey_meth,
+    hkdf_pkey_method,
 #ifndef OPENSSL_NO_POLY1305
-    &poly1305_pkey_meth,
+    poly1305_pkey_method,
 #endif
 #ifndef OPENSSL_NO_SIPHASH
-    &siphash_pkey_meth,
+    siphash_pkey_method,
 #endif
 #ifndef OPENSSL_NO_EC
-    &ed25519_pkey_meth,
-    &ed448_pkey_meth,
+    ed25519_pkey_method,
+    ed448_pkey_method,
 #endif
 #ifndef OPENSSL_NO_SM2
-    &sm2_pkey_meth,
+    sm2_pkey_method,
 #endif
 };
 
-DECLARE_OBJ_BSEARCH_CMP_FN(const EVP_PKEY_METHOD *, const EVP_PKEY_METHOD *,
-                           pmeth);
+DECLARE_OBJ_BSEARCH_CMP_FN(const EVP_PKEY_METHOD *, pmeth_fn, pmeth_func);
+
+static int pmeth_func_cmp(const EVP_PKEY_METHOD *const *a, pmeth_fn const *b)
+{
+    return ((*a)->pkey_id - ((**b)())->pkey_id);
+}
+
+IMPLEMENT_OBJ_BSEARCH_CMP_FN(const EVP_PKEY_METHOD *, pmeth_fn, pmeth_func);
 
 static int pmeth_cmp(const EVP_PKEY_METHOD *const *a,
                      const EVP_PKEY_METHOD *const *b)
@@ -83,13 +90,11 @@ static int pmeth_cmp(const EVP_PKEY_METHOD *const *a,
     return ((*a)->pkey_id - (*b)->pkey_id);
 }
 
-IMPLEMENT_OBJ_BSEARCH_CMP_FN(const EVP_PKEY_METHOD *, const EVP_PKEY_METHOD *,
-                             pmeth);
-
 const EVP_PKEY_METHOD *EVP_PKEY_meth_find(int type)
 {
+    pmeth_fn *ret;
     EVP_PKEY_METHOD tmp;
-    const EVP_PKEY_METHOD *t = &tmp, **ret;
+    const EVP_PKEY_METHOD *t = &tmp;
     tmp.pkey_id = type;
     if (app_pkey_methods) {
         int idx;
@@ -97,12 +102,12 @@ const EVP_PKEY_METHOD *EVP_PKEY_meth_find(int type)
         if (idx >= 0)
             return sk_EVP_PKEY_METHOD_value(app_pkey_methods, idx);
     }
-    ret = OBJ_bsearch_pmeth(&t, standard_methods,
-                            sizeof(standard_methods) /
-                            sizeof(EVP_PKEY_METHOD *));
+    ret = OBJ_bsearch_pmeth_func(&t, standard_methods,
+                                 sizeof(standard_methods) /
+                                 sizeof(pmeth_fn));
     if (!ret || !*ret)
         return NULL;
-    return *ret;
+    return (**ret)();
 }
 
 static EVP_PKEY_CTX *int_ctx_new(EVP_PKEY *pkey, ENGINE *e, int id)
@@ -411,7 +416,7 @@ size_t EVP_PKEY_meth_get_count(void)
 const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx)
 {
     if (idx < OSSL_NELEM(standard_methods))
-        return standard_methods[idx];
+        return (standard_methods[idx])();
     if (app_pkey_methods == NULL)
         return NULL;
     idx -= OSSL_NELEM(standard_methods);
diff --git a/crypto/include/internal/evp_int.h b/crypto/include/internal/evp_int.h
index f1fb67207f..b9dc95164c 100644
--- a/crypto/include/internal/evp_int.h
+++ b/crypto/include/internal/evp_int.h
@@ -109,24 +109,24 @@ DEFINE_STACK_OF_CONST(EVP_PKEY_METHOD)
 
 void evp_pkey_set_cb_translate(BN_GENCB *cb, EVP_PKEY_CTX *ctx);
 
-extern const EVP_PKEY_METHOD cmac_pkey_meth;
-extern const EVP_PKEY_METHOD dh_pkey_meth;
-extern const EVP_PKEY_METHOD dhx_pkey_meth;
-extern const EVP_PKEY_METHOD dsa_pkey_meth;
-extern const EVP_PKEY_METHOD ec_pkey_meth;
-extern const EVP_PKEY_METHOD sm2_pkey_meth;
-extern const EVP_PKEY_METHOD ecx25519_pkey_meth;
-extern const EVP_PKEY_METHOD ecx448_pkey_meth;
-extern const EVP_PKEY_METHOD ed25519_pkey_meth;
-extern const EVP_PKEY_METHOD ed448_pkey_meth;
-extern const EVP_PKEY_METHOD hmac_pkey_meth;
-extern const EVP_PKEY_METHOD rsa_pkey_meth;
-extern const EVP_PKEY_METHOD rsa_pss_pkey_meth;
-extern const EVP_PKEY_METHOD scrypt_pkey_meth;
-extern const EVP_PKEY_METHOD tls1_prf_pkey_meth;
-extern const EVP_PKEY_METHOD hkdf_pkey_meth;
-extern const EVP_PKEY_METHOD poly1305_pkey_meth;
-extern const EVP_PKEY_METHOD siphash_pkey_meth;
+const EVP_PKEY_METHOD *cmac_pkey_method(void);
+const EVP_PKEY_METHOD *dh_pkey_method(void);
+const EVP_PKEY_METHOD *dhx_pkey_method(void);
+const EVP_PKEY_METHOD *dsa_pkey_method(void);
+const EVP_PKEY_METHOD *ec_pkey_method(void);
+const EVP_PKEY_METHOD *sm2_pkey_method(void);
+const EVP_PKEY_METHOD *ecx25519_pkey_method(void);
+const EVP_PKEY_METHOD *ecx448_pkey_method(void);
+const EVP_PKEY_METHOD *ed25519_pkey_method(void);
+const EVP_PKEY_METHOD *ed448_pkey_method(void);
+const EVP_PKEY_METHOD *hmac_pkey_method(void);
+const EVP_PKEY_METHOD *rsa_pkey_method(void);
+const EVP_PKEY_METHOD *rsa_pss_pkey_method(void);
+const EVP_PKEY_METHOD *scrypt_pkey_method(void);
+const EVP_PKEY_METHOD *tls1_prf_pkey_method(void);
+const EVP_PKEY_METHOD *hkdf_pkey_method(void);
+const EVP_PKEY_METHOD *poly1305_pkey_method(void);
+const EVP_PKEY_METHOD *siphash_pkey_method(void);
 
 struct evp_mac_st {
     OSSL_PROVIDER *prov;
@@ -493,6 +493,7 @@ const EVP_CIPHER *EVP_##cname##_ecb(void) { return &cname##_ecb; }
 
 #define X25519_KEYLEN        32
 #define X448_KEYLEN          56
+#define ED25519_KEYLEN       32
 #define ED448_KEYLEN         57
 
 #define MAX_KEYLEN  ED448_KEYLEN
diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c
index bd0870b48d..993c2cea4b 100644
--- a/crypto/rsa/rsa_pmeth.c
+++ b/crypto/rsa/rsa_pmeth.c
@@ -755,7 +755,7 @@ static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
     return ret;
 }
 
-const EVP_PKEY_METHOD rsa_pkey_meth = {
+static const EVP_PKEY_METHOD rsa_pkey_meth = {
     EVP_PKEY_RSA,
     EVP_PKEY_FLAG_AUTOARGLEN,
     pkey_rsa_init,
@@ -790,6 +790,11 @@ const EVP_PKEY_METHOD rsa_pkey_meth = {
     pkey_rsa_ctrl_str
 };
 
+const EVP_PKEY_METHOD *rsa_pkey_method(void)
+{
+    return &rsa_pkey_meth;
+}
+
 /*
  * Called for PSS sign or verify initialisation: checks PSS parameter
  * sanity and sets any restrictions on key usage.
@@ -837,7 +842,7 @@ static int pkey_pss_init(EVP_PKEY_CTX *ctx)
     return 1;
 }
 
-const EVP_PKEY_METHOD rsa_pss_pkey_meth = {
+static const EVP_PKEY_METHOD rsa_pss_pkey_meth = {
     EVP_PKEY_RSA_PSS,
     EVP_PKEY_FLAG_AUTOARGLEN,
     pkey_rsa_init,
@@ -860,3 +865,8 @@ const EVP_PKEY_METHOD rsa_pss_pkey_meth = {
     pkey_rsa_ctrl,
     pkey_rsa_ctrl_str
 };
+
+const EVP_PKEY_METHOD *rsa_pss_pkey_method(void)
+{
+    return &rsa_pss_pkey_meth;
+}
diff --git a/crypto/s390x_arch.h b/crypto/s390x_arch.h
index bb69ed02c1..77f327d4de 100644
--- a/crypto/s390x_arch.h
+++ b/crypto/s390x_arch.h
@@ -30,6 +30,9 @@ int s390x_pcc(unsigned int fc, void *param);
 int s390x_kdsa(unsigned int fc, void *param, const unsigned char *in,
                size_t len);
 
+void s390x_flip_endian32(unsigned char dst[32], const unsigned char src[32]);
+void s390x_flip_endian64(unsigned char dst[64], const unsigned char src[64]);
+
 /*
  * The field elements of OPENSSL_s390xcap_P are the 64-bit words returned by
  * the STFLE instruction followed by the 64-bit word pairs returned by
@@ -123,6 +126,10 @@ extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P;
 # define S390X_SCALAR_MULTIPLY_P256     64
 # define S390X_SCALAR_MULTIPLY_P384     65
 # define S390X_SCALAR_MULTIPLY_P521     66
+# define S390X_SCALAR_MULTIPLY_ED25519  72
+# define S390X_SCALAR_MULTIPLY_ED448    73
+# define S390X_SCALAR_MULTIPLY_X25519   80
+# define S390X_SCALAR_MULTIPLY_X448     81
 
 /* kdsa */
 # define S390X_ECDSA_VERIFY_P256        1
@@ -131,6 +138,10 @@ extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P;
 # define S390X_ECDSA_SIGN_P256          9
 # define S390X_ECDSA_SIGN_P384          10
 # define S390X_ECDSA_SIGN_P521          11
+# define S390X_EDDSA_VERIFY_ED25519     32
+# define S390X_EDDSA_VERIFY_ED448       36
+# define S390X_EDDSA_SIGN_ED25519       40
+# define S390X_EDDSA_SIGN_ED448         44
 
 /* Register 0 Flags */
 # define S390X_DECRYPT          0x80
diff --git a/crypto/s390xcap.c b/crypto/s390xcap.c
index 5123e14fa6..64de9d0168 100644
--- a/crypto/s390xcap.c
+++ b/crypto/s390xcap.c
@@ -578,7 +578,8 @@ static int parse_env(struct OPENSSL_s390xcap_st *cap)
                        S390X_CAPBIT(S390X_VX)
                        | S390X_CAPBIT(S390X_VXD)
                        | S390X_CAPBIT(S390X_VXE)
-                       | S390X_CAPBIT(S390X_MSA8),
+                       | S390X_CAPBIT(S390X_MSA8)
+                       | S390X_CAPBIT(S390X_MSA9),
                        0ULL},
         /*.kimd   = */{S390X_CAPBIT(S390X_QUERY)
                        | S390X_CAPBIT(S390X_SHA_1)
@@ -642,18 +643,25 @@ static int parse_env(struct OPENSSL_s390xcap_st *cap)
                        | S390X_CAPBIT(S390X_AES_192)
                        | S390X_CAPBIT(S390X_AES_256),
                        0ULL},
-        /*.pcc    = */{S390X_CAPBIT(S390X_QUERY)
-                       | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P256)
+        /*.pcc    = */{S390X_CAPBIT(S390X_QUERY),
+                       S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P256)
                        | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P384)
-                       | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P521),
-                       0ULL},
+                       | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P521)
+                       | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_ED25519)
+                       | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_ED448)
+                       | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_X25519)
+                       | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_X448)},
         /*.kdsa   = */{S390X_CAPBIT(S390X_QUERY)
                        | S390X_CAPBIT(S390X_ECDSA_VERIFY_P256)
                        | S390X_CAPBIT(S390X_ECDSA_VERIFY_P384)
                        | S390X_CAPBIT(S390X_ECDSA_VERIFY_P521)
                        | S390X_CAPBIT(S390X_ECDSA_SIGN_P256)
                        | S390X_CAPBIT(S390X_ECDSA_SIGN_P384)
-                       | S390X_CAPBIT(S390X_ECDSA_SIGN_P521),
+                       | S390X_CAPBIT(S390X_ECDSA_SIGN_P521)
+                       | S390X_CAPBIT(S390X_EDDSA_VERIFY_ED25519)
+                       | S390X_CAPBIT(S390X_EDDSA_VERIFY_ED448)
+                       | S390X_CAPBIT(S390X_EDDSA_SIGN_ED25519)
+                       | S390X_CAPBIT(S390X_EDDSA_SIGN_ED448),
                        0ULL},
     };
 
diff --git a/crypto/s390xcpuid.pl b/crypto/s390xcpuid.pl
index 36f742068b..0f63f7edcb 100755
--- a/crypto/s390xcpuid.pl
+++ b/crypto/s390xcpuid.pl
@@ -109,7 +109,7 @@ OPENSSL_s390x_functions:
 	la	%r1,S390X_KMAC(%r4)
 	.long	0xb91e0042		# kmac %r4,%r2
 
-	tmhh	%r3,0x0003		# check for message-security-assist-3
+	tmhh	%r3,0x0008		# check for message-security-assist-3
 	jz	.Lret
 
 	lghi	%r0,S390X_QUERY		# query pcc capability vector
@@ -495,6 +495,62 @@ s390x_kdsa:
 ___
 }
 
+################
+# void s390x_flip_endian32(unsigned char dst[32], const unsigned char src[32])
+{
+my ($dst,$src) = map("%r$_",(2..3));
+$code.=<<___;
+.globl	s390x_flip_endian32
+.type	s390x_flip_endian32,\@function
+.align	16
+s390x_flip_endian32:
+	lrvg	%r0,0(%r0,$src)
+	lrvg	%r1,8(%r0,$src)
+	lrvg	%r4,16(%r0,$src)
+	lrvg	%r5,24(%r0,$src)
+	stg	%r0,24(%r0,$dst)
+	stg	%r1,16(%r0,$dst)
+	stg	%r4,8(%r0,$dst)
+	stg	%r5,0(%r0,$dst)
+	br	$ra
+.size	s390x_flip_endian32,.-s390x_flip_endian32
+___
+}
+
+################
+# void s390x_flip_endian64(unsigned char dst[64], const unsigned char src[64])
+{
+my ($dst,$src) = map("%r$_",(2..3));
+$code.=<<___;
+.globl	s390x_flip_endian64
+.type	s390x_flip_endian64,\@function
+.align	16
+s390x_flip_endian64:
+	stmg	%r6,%r9,6*$SIZE_T($sp)
+
+	lrvg	%r0,0(%r0,$src)
+	lrvg	%r1,8(%r0,$src)
+	lrvg	%r4,16(%r0,$src)
+	lrvg	%r5,24(%r0,$src)
+	lrvg	%r6,32(%r0,$src)
+	lrvg	%r7,40(%r0,$src)
+	lrvg	%r8,48(%r0,$src)
+	lrvg	%r9,56(%r0,$src)
+	stg	%r0,56(%r0,$dst)
+	stg	%r1,48(%r0,$dst)
+	stg	%r4,40(%r0,$dst)
+	stg	%r5,32(%r0,$dst)
+	stg	%r6,24(%r0,$dst)
+	stg	%r7,16(%r0,$dst)
+	stg	%r8,8(%r0,$dst)
+	stg	%r9,0(%r0,$dst)
+
+	lmg	%r6,%r9,6*$SIZE_T($sp)
+	br	$ra
+.size	s390x_flip_endian64,.-s390x_flip_endian64
+___
+}
+
 $code.=<<___;
 .section	.init
 	brasl	$ra,OPENSSL_cpuid_setup
diff --git a/crypto/sm2/sm2_pmeth.c b/crypto/sm2/sm2_pmeth.c
index 56e015d94e..7613e333ec 100644
--- a/crypto/sm2/sm2_pmeth.c
+++ b/crypto/sm2/sm2_pmeth.c
@@ -309,7 +309,7 @@ static int pkey_sm2_digest_custom(EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx)
     return EVP_DigestUpdate(mctx, z, (size_t)mdlen);
 }
 
-const EVP_PKEY_METHOD sm2_pkey_meth = {
+static const EVP_PKEY_METHOD sm2_pkey_meth = {
     EVP_PKEY_SM2,
     0,
     pkey_sm2_init,
@@ -349,3 +349,8 @@ const EVP_PKEY_METHOD sm2_pkey_meth = {
 
     pkey_sm2_digest_custom
 };
+
+const EVP_PKEY_METHOD *sm2_pkey_method(void)
+{
+    return &sm2_pkey_meth;
+}
diff --git a/doc/man3/OPENSSL_s390xcap.pod b/doc/man3/OPENSSL_s390xcap.pod
index 1f4ee85fdf..172cf60309 100644
--- a/doc/man3/OPENSSL_s390xcap.pod
+++ b/doc/man3/OPENSSL_s390xcap.pod
@@ -145,6 +145,10 @@ the numbering is continuous across 64-bit mask boundaries.
       # 64    1<<63    PCC-Scalar-Multiply-P256
       # 65    1<<62    PCC-Scalar-Multiply-P384
       # 66    1<<61    PCC-Scalar-Multiply-P521
+      # 72    1<<55    PCC-Scalar-Multiply-Ed25519
+      # 73    1<<54    PCC-Scalar-Multiply-Ed448
+      # 80    1<<47    PCC-Scalar-Multiply-X25519
+      # 81    1<<46    PCC-Scalar-Multiply-X448
 
  kdsa :
       #  1    1<<62    KDSA-ECDSA-Verify-P256
@@ -153,6 +157,10 @@ the numbering is continuous across 64-bit mask boundaries.
       #  9    1<<54    KDSA-ECDSA-Sign-P256
       # 10    1<<53    KDSA-ECDSA-Sign-P384
       # 11    1<<52    KDSA-ECDSA-Sign-P521
+      # 32    1<<31    KDSA-EdDSA-Verify-Ed25519
+      # 36    1<<27    KDSA-EdDSA-Verify-Ed448
+      # 40    1<<23    KDSA-EdDSA-Sign-Ed25519
+      # 44    1<<19    KDSA-EdDSA-Sign-Ed448
       :
 
 =head1 RETURN VALUES
diff --git a/include/openssl/ecerr.h b/include/openssl/ecerr.h
index 95723ec94b..50e23bb1e8 100644
--- a/include/openssl/ecerr.h
+++ b/include/openssl/ecerr.h
@@ -211,6 +211,12 @@ int ERR_load_EC_strings(void);
 #   define EC_F_PKEY_EC_KEYGEN                              0
 #   define EC_F_PKEY_EC_PARAMGEN                            0
 #   define EC_F_PKEY_EC_SIGN                                0
+#   define EC_F_S390X_PKEY_ECD_DIGESTSIGN25519              0
+#   define EC_F_S390X_PKEY_ECD_DIGESTSIGN448                0
+#   define EC_F_S390X_PKEY_ECD_KEYGEN25519                  0
+#   define EC_F_S390X_PKEY_ECD_KEYGEN448                    0
+#   define EC_F_S390X_PKEY_ECX_KEYGEN25519                  0
+#   define EC_F_S390X_PKEY_ECX_KEYGEN448                    0
 #   define EC_F_VALIDATE_ECX_DERIVE                         0
 # endif
 


More information about the openssl-commits mailing list