IBM Support

PJ45130: z/TPF Cryptographic and security enhancements.

APAR status

  • Closed as program error.

Error description

  • See Problem Summary.
    

Local fix

  • n/a
    

Problem summary

  • APAR NUMBER:  PJ45130
    PRODUCT:  z/TPF
    FUNCTIONAL AREA:  Cryptography
    SHIPPED IN YEAR:  2019
    
    ABSTRACT:
    z/TPF Cryptographic and security enhancements.
    
    PACKAGE CONTENTS:
    Source Segments:
    (C) base/cntl/tpf_app_base.cntl
    (C) base/cntl/tpf_app_base_ux.cntl
    (C) base/cp/ct15.cpy
    (C) base/cp/ctin.cpy
    (C) base/cp/ctsm.cpy
    (C) base/exp/CTAL.exp
    (C) base/include/tpf/c_ck2sn.h
    (C) base/include/tpf/icpacf.h
    (C) base/include/tpf/i_netd.h
    (C) base/include/tpf/tpfapi.h
    (C) base/macro/ck2sn.mac
    (C) base/macro/dltec.mac
    (C) base/macro/icpac.mac
    (C) base/macro/icpacf.mac
    (C) base/macro/issky.mac
    (C) base/macro/izarch.mac
    (C) base/macro/snakey.mac
    (C) base/ol/jra2.pli
    (C) base/ol/jrs3.pli
    (C) base/openssl/crypto/md32_common.h
    (C) base/openssl/crypto/sha/sha1dgst.c
    (C) base/openssl/crypto/sha/sha256.c
    (C) base/openssl/crypto/sha/sha_dgst.c
    (C) base/openssl/crypto/sha/sha_locl.h
    (O) base/openssl/cryu.mak
    (C) base/openssl/tpfssl/crypt2.c
    (O) base/openssl/tpfssl/cryu.c
    (N) base/openssl/tpfssl/cryuci.c
    (C) base/openssl/tpfssl/csslmt.c
    (C) base/openssl/tpfssl/headers/openssl/md32_common.h
    (C) base/openssl/tpfssl/tpf_ssl_cryp.c
    (N) base/rt/ccryph.asm
    (C) base/rt/cdecrypt.asm
    (C) base/rt/cdefsforasm.c
    (C) base/rt/cencrypt.asm
    (C) base/rt/cinet7.c
    (C) base/rt/cinetc.c
    (N) base/rt/crandtrue.asm
    (C) base/rt/cry3.c
    (C) base/rt/cry4.asm
    (C) base/rt/cry6.asm
    (C) base/rt/cryi.asm
    (O) base/rt/cryk.asm
    (O) base/rt/cryk.mak
    (C) base/rt/crypt.c
    (C) base/rt/cryt.asm
    (C) base/rt/csk0.asm
    (C) base/rt/ctal.mak
    (N) base/rt/ctpfrand.asm
    (C) base/rt/httpc_daemon_master.c
    (C) base/rt/jcs0.asm
    (N) base/rt/tpf_getSeed.c
    (N) base/rt/urnd.c
    (N) base/rt/urnd.mak
    
    Object Only Binaries:
    (C) base/oco/lib/libcpcrypto.a
    (C) base/oco/lib/libcpkey2.a
    (C) base/oco/load/CKY3.so
    (C) base/oco/load/CPK3.so
    
    Configuration Independent Binaries:
    (C) base/lib/libCDEFSFORASM.so
    (C) base/lib/libCLTC.so
    (C) base/load/CDEFSFORASM.so
    (C) base/load/CLTC.so
    (C) base/load/CLTZ.so
    (C) base/load/CRY3.so
    (C) base/load/CRY4.so
    (C) base/load/CRYI.so
    (O) base/load/CRYK.so
    (C) base/load/CSK0.so
    (C) base/obj/cdefsforasm.o
    (C) base/obj/cinet7.o
    (C) base/obj/cinetc.o
    (C) base/obj/cry3.o
    (C) base/obj/cry4.o
    (C) base/obj/cryi.o
    (O) base/obj/cryk.o
    (C) base/obj/csk0.o
    (C) base/openssl/lib/libCRYP.so
    (O) base/openssl/lib/libCRYU.so
    (C) base/openssl/lib/libCSSL.so
    (C) base/openssl/load/CRYP.so
    (O) base/openssl/load/CRYU.so
    (C) base/openssl/load/CSL2.so
    (C) base/openssl/load/CSSL.so
    (C) base/openssl/obj/crypt2.o
    (O) base/openssl/obj/cryu.o
    (C) base/openssl/obj/csslmt.o
    (C) base/openssl/obj/sha1dgst.o
    (C) base/openssl/obj/sha256.o
    (C) base/openssl/obj/sha_dgst.o
    (C) base/openssl/obj/tpf_ssl_cryp.o
    
    Support Files:
    base/lst/cdefsforasm.lst
    base/lst/cinet7.lst
    base/lst/cinetc.lst
    base/lst/cry3.lst
    base/lst/cry4.lst
    base/lst/cryi.lst
    base/lst/csk0.lst
    base/lst/CDEFSFORASM.map
    base/lst/CLTC.map
    base/lst/CLTZ.map
    base/lst/CRY3.map
    base/lst/CRY4.map
    base/lst/CRYI.map
    base/lst/CSK0.map
    base/openssl/lst/crypt2.lst
    base/openssl/lst/csslmt.lst
    base/openssl/lst/CRYP.map
    base/openssl/lst/CSL2.map
    base/openssl/lst/CSSL.map
    base/openssl/lst/sha1dgst.lst
    base/openssl/lst/sha256.lst
    base/openssl/lst/sha_dgst.lst
    base/openssl/lst/tpf_ssl_cryp.lst
    
    OTHER BINARIES TO BUILD: YES
    (C) <sys>/lib/libCHTD.so
    (N) <sys>/lib/libURND.so
    (C) <sys>/load/CHTD.so
    (C) <sys>/load/CPS0.so
    (C) <sys>/load/CRY6.so
    (C) <sys>/load/CRYT.so
    (C) <sys>/load/JCS0.so
    (N) <sys>/load/URND.so
    (C) <sys>/obj/ccctin.o
    (N) <sys>/obj/ccryph.o
    (C) <sys>/obj/cctcp3.o
    (C) <sys>/obj/cdecrypt.o
    (C) <sys>/obj/cencrypt.o
    (N) <sys>/obj/crandtrue.o
    (C) <sys>/obj/cry6.o
    (C) <sys>/obj/crypt.o
    (C) <sys>/obj/cryt.o
    (N) <sys>/obj/cryuci.o
    (N) <sys>/obj/ctpfrand.o
    (C) <sys>/obj/httpc_daemon_master.o
    (C) <sys>/obj/jcs0.o
    (N) <sys>/obj/tpf_getSeed.o
    (N) <sys>/obj/urnd.o
    (C) <sys>/stdlib/libCTAL.so
    (C) <sys>/stdload/CTAL.so
    (C) os390/bin/amx1.pds
    (C) os390/bin/dataread.pds
    (C) os390/bin/ppcp.pds
    (C) os390/bin/sadump.obj
    (C) os390/obj/amx1.o
    (C) os390/obj/ccmcdc.o
    (C) os390/obj/jra2.o
    (C) os390/obj/jrs3.o
    (C) os390/obj/sadump.o
    (C) os390/obj/stpp.o
    (C) <sys>/load/IPAT.so
    (C) <sys>/stdlib/libTPFSTUB.so
    (C) <sys>/stdload/TPFSTUB.so
    (C) <sys>/obj/ipat.o
    
    COMMENTS:
    z/TPF supports various APIs that drive cryptographic operations
    through the Central Processor Assist for Cryptographic
    Functions (CPACF) hardware while encrypting/decrypting data,
    performing OpenSSL operations, and creating various message
    digests, such as SHA-1 (160-bit) and SHA-2 (256-bit). Although
    the CPACF hardware accelerates the performance of these APIs,
    the z/TPF code, which sets up the interface with the CPACF
    hardware, can be optimized to further enhance the performance
    of the APIs.
    
    In addition, z/TPF does not currently support the creation of
    SHA-2 512-bit message digests, which provide better message
    integrity than the SHA-1 or SHA-2 256-bit message digests.
    
    z/TPF currently does not support the creation of
    hardware-generated random numbers even though the latest IBM
    processors supported by z/TPF have the ability to create random
    numbers.
    
    There are also issues with the z/TPF cryptographic and security
    support:
     (1) A CTL-3 fixed-point divide exception occurs out of program
    cryt.asm when CPACF statistics are calculated using 4-byte
    fields instead of 8-byte fields and 31-bit assembler
    instructions instead of 64-bit assembler instructions.
     (2) For SSL_accept errors, the INET0142E message needs to
    include additional information on the cause of the error and
    the remote system attempting to connect to the z/TPF SSL server.
    

Problem conclusion

  • SOLUTION:
    Cryptographic and security enhancements improve the performance
    and security of the z/TPF system. This APAR provides the
    following enhancements:
     (1) Improved performance of the secure key encrypt and decrypt
    APIs (tpf_encrypt_data and tpf_decrypt_data), z/TPF SHA message
    digest APIs, z/TPFDF encryption, and OpenSSL session
    processing.
     (2) z/TPF APIs that support the SHA-2 512-bit algorithm that
    is in IBM Z hardware.
     (3) A z/TPF API to create a hardware-generated random number
    that conforms to the National Institute of Standards and
    Technology (NIST) special publication 800-90A when support for
    random number generation on the IBM processor is available.
    This support is available only for IBM zEnterprise EC12 (zEC12)
    or later.
    
    Cryptographic and security enhancements improve the performance
    of cryptographic operations that are processed in the Central
    Processor Assist for Cryptographic Functions (CPACF) hardware
    by optimizing the z/TPF code that interfaces with it.
    
    z/TPF applications can create SHA-2 512-bit message digests by
    using z/TPF APIs. These APIs use the CPACF hardware accelerator
    to increase the performance of the creation of the message
    digests.
    
    The following changes have been made to address issues with the
    z/TPF cryptographic and security code:
     (1) While calculating CPACF statistics, z/TPF will now use 8
    byte fields and 64-bit instructions to do the calculations.
     (2) Additional diagnostic information will be included in the
    INET0142E error message in the event of an SSL_accept error
    from a z/TPF SSL server.
    
    COREQS: NO
    None.
    
    MIGRATION CONSIDERATIONS: YES
    Functional, automation, and operation changes:
    The following commands have changed: ZCPAC
                                         ZNKEY
    The following message has changed: INET0142E
    The following online messages are now obsolete: CPAC0010W,
    CPAC0014W
    
    Application programming interface (API) changes:
    New C/C++ language functions: tpf_random
                                   tpf_SHA512_Digest
                                   tpf_SHA512_Final
                                   tpf_SHA512_Init
                                   tpf_SHA512_Update
    
    User exit changes:
    New user exit for ECB-controlled programs: URND - z/TPF
    tpf_random user exit
    
    Hardware, software, and configuration changes:
    The random number is generated on z/TPF by using the hardware
    deterministic random number generator (DRNG) that is available
    on the IBM zEnterprise EC12 (zEC12) or later. The seed for the
    generator is provided by the hardware true random number
    generator (TRNG), which is available on the IBM z14 (z14)
    processor or later. In the event the IBM z14 is not available
    to provide the seed for the random number generator, the URND
    user exit must be coded to provide the seed.
    
    Communications changes:
    You can use the ZNKEY RANDSEED command to change how many times
    the tpf_random function is issued before reseeding occurs.
    Frequent reseeding improves security but sacrifices some
    performance. Less frequent reseeding results in better
    performance but is less secure. The default value is 1024.
    
    If you change the default value for RANDSEED with the
    ZNKEY RANDSEED command, you must also change the RANDSEED value
    for the SNAKEY macro in the local_mod version of ctk2.asm to
    ensure that subsequent loads of keypoint 2 set the desired value
    for RANDSEED instead of the default value.
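
The reseed counter described under "Hardware, software, and configuration changes" and "Communications changes", as an added Python sketch that is not IBM or z/TPF code: a simplified SP 800-90A-style HMAC_DRBG (a stand-in, since the page does not name the hardware mechanism) with a pluggable seed source in the role of the TRNG or the URND user exit. The names `ReseedingDrbg` and `seed_requests_for`, and the use of `os.urandom` as the seed source, are assumptions of this example.

```python
import hashlib
import hmac
import os


class ReseedingDrbg:
    """Simplified HMAC_DRBG (SHA-512) that reseeds every `randseed` calls."""

    def __init__(self, seed_source, randseed=1024):
        self.seed_source = seed_source   # callable(nbytes) -> bytes (hypothetical)
        self.randseed = randseed         # generate calls allowed per seed
        self.key = b"\x00" * 64          # initial state per SP 800-90A HMAC_DRBG
        self.value = b"\x01" * 64
        self.seed_requests = 0
        self._reseed()

    def _hmac(self, key, data):
        return hmac.new(key, data, hashlib.sha512).digest()

    def _update(self, data=b""):
        self.key = self._hmac(self.key, self.value + b"\x00" + data)
        self.value = self._hmac(self.key, self.value)
        if data:  # second pass only when fresh seed material is mixed in
            self.key = self._hmac(self.key, self.value + b"\x01" + data)
            self.value = self._hmac(self.key, self.value)

    def _reseed(self):
        seed = self.seed_source(64)
        if len(seed) != 64:
            raise ValueError("seed source returned the wrong length")
        self.seed_requests += 1
        self._update(seed)
        self.calls_since_seed = 0

    def random(self, nbytes):
        if self.calls_since_seed >= self.randseed:
            self._reseed()               # interval exhausted: pull a new seed
        out = b""
        while len(out) < nbytes:
            self.value = self._hmac(self.key, self.value)
            out += self.value
        self._update()                   # advance state after every request
        self.calls_since_seed += 1
        return out[:nbytes]


def seed_requests_for(calls, randseed, seed_source=os.urandom):
    """Count how often the seed source is consulted for `calls` requests."""
    drbg = ReseedingDrbg(seed_source, randseed)
    for _ in range(calls):
        drbg.random(32)
    return drbg.seed_requests
```

With the default interval of 1024, 4096 requests consult the seed source 4 times; lowering the interval to 64 raises that to 64, which is the security/performance trade-off the RANDSEED value controls.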
    
    Installation validation:
    Enter ZCPAC QUERY to display whether various features of the
    CPACF hardware are installed on the current processor. The
    display should include SHA-512, DRNG (the hardware
    deterministic random number generator), and TRNG (the hardware
    true random number generator). ZCPAC DISPLAY STATS should show
    statistics for the SHA-512 cipher algorithm.
    
    Performance or tuning changes:
    An increase in the performance of cryptographic operations that
    are processed in the CPACF hardware for encryption/decryption
    APIs, message digest APIs, and OpenSSL operations on the z/TPF
    system is anticipated with APAR PJ45130 installed.
    
    Coexistence, migration, and fallback considerations:
    Data collection RTC tapes created without APAR PJ45130
    installed can be processed with the data reduction changes from
    APAR PJ45130. However, data collection RTC tapes created with
    APAR PJ45130 installed need to run with the data reduction
    changes from APAR PJ45130.
    
    
    
    BUILD COMMANDS AND INSTRUCTIONS: YES
    #maketpf commands for linux
    maketpf -f CDEFSFORASM cdefsforasm.o
    maketpf -f CTAL ccryph.o cdecrypt.o cencrypt.o crandtrue.o crypt.o cryuci.o ctpfrand.o tpf_getSeed.o
    maketpf -f CPS0 ccctin.o cctcp3.o
    maketpf -f URND urnd.o
    maketpf -f CSK0 csk0.o
    maketpf -f CHTD httpc_daemon_master.o
    maketpf -f CLTC cinetc.o
    maketpf -f CLTZ cinet7.o
    maketpf -f CRYP crypt2.o sha1dgst.o sha256.o sha_dgst.o tpf_ssl_cryp.o
    maketpf -f CSSL crypt2.o sha1dgst.o sha256.o sha_dgst.o tpf_ssl_cryp.o
    maketpf -f CSL2 csslmt.o
    maketpf -f CRY3 cry3.o
    maketpf -f CRYI cryi.o
    maketpf -f CRY4 cry4.o
    maketpf -f CRY6 cry6.o
    maketpf -f CRYT cryt.o
    maketpf -f JCS0 jcs0.o
    maketpf CDEFSFORASM link TPF_VERIFY_LINK_REFS=NO
    maketpf -f TPFSTUB
    maketpf CTAL link TPF_VERIFY_LINK_REFS=NO
    maketpf CPS0 link
    maketpf -f IPAT
    maketpf URND link TPF_VERIFY_LINK_REFS=NO
    maketpf CSK0 link
    maketpf CHTD link TPF_VERIFY_LINK_REFS=NO
    maketpf CLTC link TPF_VERIFY_LINK_REFS=NO
    maketpf CLTZ link
    maketpf CRYP link
    maketpf CSSL link
    maketpf CSL2 link
    maketpf CRY3 link
    maketpf CRYI link
    maketpf CRY4 link
    maketpf CRY6 link
    maketpf CRYT link
    maketpf JCS0 link
    maketpf CDEFSFORASM link
    maketpf CTAL link
    maketpf URND link
    maketpf CHTD link
    maketpf CLTC link
    #maketpf commands for z/OS
    maketpf -f amx1 amx1.o
    maketpf -f ppcp ccmcdc.o stpp.o
    maketpf -f sadump sadump.o
    maketpf -f dataread jra2.o jrs3.o
    maketpf amx1 link
    maketpf ppcp link
    maketpf sadump link
    maketpf dataread link
    
    UPDATED INFORMATION UNITS: YES
    z/TPF and z/TPFDF Migration Guide: PUT 2 and Later
    z/TPF and z/TPFDF System Installation and Support Reference
    z/TPF C/C++ Language Support User's Guide
    z/TPF General Services
    z/TPF Messages (Online, SQLCODEs, and errno Values)
    z/TPF Operations
    z/TPF Program Development Support Reference
    z/TPF Security
    z/TPF System Performance and Measurement Reference
    
    See your IBM representative if you need additional information.
    
    DOWNLOAD INSTRUCTIONS:
    https://www.ibm.com/support/docview.wss?uid=swg27049604
    
    APAR URL:
    https://transfer.boulder.ibm.com/2019/PJ45130.tar.gz
    

Temporary fix

Comments

APAR Information

  • APAR number

    PJ45130

  • Reported component name

    Z/TPF

  • Reported component ID

    5748T1501

  • Reported release

    110

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-12-19

  • Closed date

    2019-04-22

  • Last modified date

    2019-04-22

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    Z/TPF

  • Fixed component ID

    5748T1501

Applicable component levels



Document information

More support for: TPF
z/TPF

Software version: 110

Reference #: PJ45130

Modified date: 22 April 2019