[18.04 FEAT] Add support for CPACF enhancements to openssl

------- Comment From <email address hidden> 2018-01-17 06:43 EDT-------
Since today, this function is upstream accepted .
We would like to provide a backport to openssl 1.0.2.
Can we go ahead with this procedure?

Will it be accepted into upstream 1.0.2 series? e.g. 1.0.2o? We have cherrypicked hw optimisations into openssl before, but I'm not sure what is the current policy around it. Do you have links to patches in the current openssl master for the security team to check over them?

------- Comment From <email address hidden> 2018-01-19 08:29 EDT-------
> Will it be accepted into upstream 1.0.2 series?

No, new features are not accepted for 1.0.2.

openssl/master commits:

https://github.com/openssl/openssl/commit/96530eea93d27e536f4e93956256cf8dcda7d469
https://github.com/openssl/openssl/commit/e21a84308c02df63715f8867beb4a2b1036bcb35
https://github.com/openssl/openssl/commit/1c3a23e44648524755b74595ad816f5cc881102c
https://github.com/openssl/openssl/commit/bc4e831ccd81a1d22a7462df645c884ce33ea7c0

------- Comment From <email address hidden> 2018-02-05 07:22 EDT-------
Attached backports for ubuntu 18.04 openssl 1.0.2n.

------- Comment (attachment only) From <email address hidden> 2018-02-05 07:20 EDT-------

------- Comment (attachment only) From <email address hidden> 2018-02-05 07:20 EDT-------

------- Comment From <email address hidden> 2018-02-05 07:37 EDT-------
... patches are still being tested.

So, the current plan is as follows:

18.04 LTS GA to ship with both openssl 1.1.0 and 1.0.2.

OpenSSL 1.1.0 will be the default and majority packages will use it.

When I say majority, i mean:
* everything in main
* except for openssh & possibly strongswan

About 1/4 of package in universe will be using 1.0.2 openssl.

If and when, OpenSSL 1.1.1 with TLS v1.3 is released, security team will be evaluating if we can integrate it, and into which releases.

For completeness of coverage, and consistent libssl/libcrypto performance, I think it does make sense to integrate the 1.0.2 patches backports - would you agree?

------- Comment From <email address hidden> 2018-02-06 03:08 EDT-------
I agree - it would make sense to integrate the backports.

In 18.04 LTS, openssl-ibmca will only be available as an engine for openssl1.1.0, and it will not be available for openssl1.0.2. openssl1.1.0 is the default openssl provide, and will be used by most packages in the archive. Thus, as far as I understand, there is little value in shipping this patch set for 1.0.2. I will upload this patchset for 1.1.0 however, such that we can get this support in with the default openssl.

------- Comment From <email address hidden> 2018-02-27 08:54 EDT-------
testing of the 1.0.2 backports is complete.

openssl-ibmca is not needed/completely independent of this patch set.

ack!

This bug was fixed in the package openssl1.0 - 1.0.2n-1ubuntu4

---------------
openssl1.0 (1.0.2n-1ubuntu4) bionic; urgency=medium

  * s390x: Add support for CPACF enhancements to openssl, for IBM z14. LP:
    #1743750

 -- Dimitri John Ledkov <email address hidden> Wed, 28 Feb 2018 14:52:10 +0000

This bug was fixed in the package openssl - 1.1.0g-2ubuntu2

---------------
openssl (1.1.0g-2ubuntu2) bionic; urgency=medium

  * s390x: Add support for CPACF enhancements to openssl, for IBM z14. LP:
    #1743750

 -- Dimitri John Ledkov <email address hidden> Tue, 27 Feb 2018 13:01:19 +0000

------- Comment From <email address hidden> 2018-03-05 04:59 EDT-------
IBM bugzilla status -> closed, Backports accepted for 1.0.2 and 1.1.0 -> Fix Released in bionic