1 // SPDX-License-Identifier: GPL-2.0+ 2 /* 3 * Cryptographic API. 4 * 5 * s390 implementation of the DES Cipher Algorithm. 6 * 7 * Copyright IBM Corp. 2003, 2011 8 * Author(s): Thomas Spatzier 9 * Jan Glauber (jan.glauber@de.ibm.com) 10 */ 11 12 #include <linux/init.h> 13 #include <linux/module.h> 14 #include <linux/cpufeature.h> 15 #include <linux/crypto.h> 16 #include <linux/fips.h> 17 #include <crypto/algapi.h> 18 #include <crypto/des.h> 19 #include <asm/cpacf.h> 20 21 #define DES3_KEY_SIZE (3 * DES_KEY_SIZE) 22 23 static u8 *ctrblk; 24 static DEFINE_SPINLOCK(ctrblk_lock); 25 26 static cpacf_mask_t km_functions, kmc_functions, kmctr_functions; 27 28 struct s390_des_ctx { 29 u8 iv[DES_BLOCK_SIZE]; 30 u8 key[DES3_KEY_SIZE]; 31 }; 32 33 static int des_setkey(struct crypto_tfm *tfm, const u8 *key, 34 unsigned int key_len) 35 { 36 struct s390_des_ctx *ctx = crypto_tfm_ctx(tfm); 37 u32 tmp[DES_EXPKEY_WORDS]; 38 39 /* check for weak keys */ 40 if (!des_ekey(tmp, key) && 41 (tfm->crt_flags & CRYPTO_TFM_REQ_FORBID_WEAK_KEYS)) { 42 tfm->crt_flags |= CRYPTO_TFM_RES_WEAK_KEY; 43 return -EINVAL; 44 } 45 46 memcpy(ctx->key, key, key_len); 47 return 0; 48 } 49 50 static void des_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in) 51 { 52 struct s390_des_ctx *ctx = crypto_tfm_ctx(tfm); 53 54 cpacf_km(CPACF_KM_DEA, ctx->key, out, in, DES_BLOCK_SIZE); 55 } 56 57 static void des_decrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in) 58 { 59 struct s390_des_ctx *ctx = crypto_tfm_ctx(tfm); 60 61 cpacf_km(CPACF_KM_DEA | CPACF_DECRYPT, 62 ctx->key, out, in, DES_BLOCK_SIZE); 63 } 64 65 static struct crypto_alg des_alg = { 66 .cra_name = "des", 67 .cra_driver_name = "des-s390", 68 .cra_priority = 300, 69 .cra_flags = CRYPTO_ALG_TYPE_CIPHER, 70 .cra_blocksize = DES_BLOCK_SIZE, 71 .cra_ctxsize = sizeof(struct s390_des_ctx), 72 .cra_module = THIS_MODULE, 73 .cra_u = { 74 .cipher = { 75 .cia_min_keysize = DES_KEY_SIZE, 76 .cia_max_keysize = DES_KEY_SIZE, 77 .cia_setkey = des_setkey, 78 .cia_encrypt = des_encrypt, 79 .cia_decrypt = des_decrypt, 80 } 81 } 82 }; 83 84 static int ecb_desall_crypt(struct blkcipher_desc *desc, unsigned long fc, 85 struct blkcipher_walk *walk) 86 { 87 struct s390_des_ctx *ctx = crypto_blkcipher_ctx(desc->tfm); 88 unsigned int nbytes, n; 89 int ret; 90 91 ret = blkcipher_walk_virt(desc, walk); 92 while ((nbytes = walk->nbytes) >= DES_BLOCK_SIZE) { 93 /* only use complete blocks */ 94 n = nbytes & ~(DES_BLOCK_SIZE - 1); 95 cpacf_km(fc, ctx->key, walk->dst.virt.addr, 96 walk->src.virt.addr, n); 97 ret = blkcipher_walk_done(desc, walk, nbytes - n); 98 } 99 return ret; 100 } 101 102 static int cbc_desall_crypt(struct blkcipher_desc *desc, unsigned long fc, 103 struct blkcipher_walk *walk) 104 { 105 struct s390_des_ctx *ctx = crypto_blkcipher_ctx(desc->tfm); 106 unsigned int nbytes, n; 107 int ret; 108 struct { 109 u8 iv[DES_BLOCK_SIZE]; 110 u8 key[DES3_KEY_SIZE]; 111 } param; 112 113 ret = blkcipher_walk_virt(desc, walk); 114 memcpy(param.iv, walk->iv, DES_BLOCK_SIZE); 115 memcpy(param.key, ctx->key, DES3_KEY_SIZE); 116 while ((nbytes = walk->nbytes) >= DES_BLOCK_SIZE) { 117 /* only use complete blocks */ 118 n = nbytes & ~(DES_BLOCK_SIZE - 1); 119 cpacf_kmc(fc, ¶m, walk->dst.virt.addr, 120 walk->src.virt.addr, n); 121 ret = blkcipher_walk_done(desc, walk, nbytes - n); 122 } 123 memcpy(walk->iv, param.iv, DES_BLOCK_SIZE); 124 return ret; 125 } 126 127 static int ecb_des_encrypt(struct blkcipher_desc *desc, 128 struct scatterlist *dst, struct scatterlist *src, 129 unsigned int nbytes) 130 { 131 struct blkcipher_walk walk; 132 133 blkcipher_walk_init(&walk, dst, src, nbytes); 134 return ecb_desall_crypt(desc, CPACF_KM_DEA, &walk); 135 } 136 137 static int ecb_des_decrypt(struct blkcipher_desc *desc, 138 struct scatterlist *dst, struct scatterlist *src, 139 unsigned int nbytes) 140 { 141 struct blkcipher_walk walk; 142 143 blkcipher_walk_init(&walk, dst, src, nbytes); 144 return ecb_desall_crypt(desc, CPACF_KM_DEA | CPACF_DECRYPT, &walk); 145 } 146 147 static struct crypto_alg ecb_des_alg = { 148 .cra_name = "ecb(des)", 149 .cra_driver_name = "ecb-des-s390", 150 .cra_priority = 400, /* combo: des + ecb */ 151 .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER, 152 .cra_blocksize = DES_BLOCK_SIZE, 153 .cra_ctxsize = sizeof(struct s390_des_ctx), 154 .cra_type = &crypto_blkcipher_type, 155 .cra_module = THIS_MODULE, 156 .cra_u = { 157 .blkcipher = { 158 .min_keysize = DES_KEY_SIZE, 159 .max_keysize = DES_KEY_SIZE, 160 .setkey = des_setkey, 161 .encrypt = ecb_des_encrypt, 162 .decrypt = ecb_des_decrypt, 163 } 164 } 165 }; 166 167 static int cbc_des_encrypt(struct blkcipher_desc *desc, 168 struct scatterlist *dst, struct scatterlist *src, 169 unsigned int nbytes) 170 { 171 struct blkcipher_walk walk; 172 173 blkcipher_walk_init(&walk, dst, src, nbytes); 174 return cbc_desall_crypt(desc, CPACF_KMC_DEA, &walk); 175 } 176 177 static int cbc_des_decrypt(struct blkcipher_desc *desc, 178 struct scatterlist *dst, struct scatterlist *src, 179 unsigned int nbytes) 180 { 181 struct blkcipher_walk walk; 182 183 blkcipher_walk_init(&walk, dst, src, nbytes); 184 return cbc_desall_crypt(desc, CPACF_KMC_DEA | CPACF_DECRYPT, &walk); 185 } 186 187 static struct crypto_alg cbc_des_alg = { 188 .cra_name = "cbc(des)", 189 .cra_driver_name = "cbc-des-s390", 190 .cra_priority = 400, /* combo: des + cbc */ 191 .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER, 192 .cra_blocksize = DES_BLOCK_SIZE, 193 .cra_ctxsize = sizeof(struct s390_des_ctx), 194 .cra_type = &crypto_blkcipher_type, 195 .cra_module = THIS_MODULE, 196 .cra_u = { 197 .blkcipher = { 198 .min_keysize = DES_KEY_SIZE, 199 .max_keysize = DES_KEY_SIZE, 200 .ivsize = DES_BLOCK_SIZE, 201 .setkey = des_setkey, 202 .encrypt = cbc_des_encrypt, 203 .decrypt = cbc_des_decrypt, 204 } 205 } 206 }; 207 208 /* 209 * RFC2451: 210 * 211 * For DES-EDE3, there is no known need to reject weak or 212 * complementation keys. Any weakness is obviated by the use of 213 * multiple keys. 214 * 215 * However, if the first two or last two independent 64-bit keys are 216 * equal (k1 == k2 or k2 == k3), then the DES3 operation is simply the 217 * same as DES. Implementers MUST reject keys that exhibit this 218 * property. 219 * 220 * In fips mode additinally check for all 3 keys are unique. 221 * 222 */ 223 static int des3_setkey(struct crypto_tfm *tfm, const u8 *key, 224 unsigned int key_len) 225 { 226 struct s390_des_ctx *ctx = crypto_tfm_ctx(tfm); 227 int err; 228 229 err = __des3_verify_key(&tfm->crt_flags, key); 230 if (unlikely(err)) 231 return err; 232 233 memcpy(ctx->key, key, key_len); 234 return 0; 235 } 236 237 static void des3_encrypt(struct crypto_tfm *tfm, u8 *dst, const u8 *src) 238 { 239 struct s390_des_ctx *ctx = crypto_tfm_ctx(tfm); 240 241 cpacf_km(CPACF_KM_TDEA_192, ctx->key, dst, src, DES_BLOCK_SIZE); 242 } 243 244 static void des3_decrypt(struct crypto_tfm *tfm, u8 *dst, const u8 *src) 245 { 246 struct s390_des_ctx *ctx = crypto_tfm_ctx(tfm); 247 248 cpacf_km(CPACF_KM_TDEA_192 | CPACF_DECRYPT, 249 ctx->key, dst, src, DES_BLOCK_SIZE); 250 } 251 252 static struct crypto_alg des3_alg = { 253 .cra_name = "des3_ede", 254 .cra_driver_name = "des3_ede-s390", 255 .cra_priority = 300, 256 .cra_flags = CRYPTO_ALG_TYPE_CIPHER, 257 .cra_blocksize = DES_BLOCK_SIZE, 258 .cra_ctxsize = sizeof(struct s390_des_ctx), 259 .cra_module = THIS_MODULE, 260 .cra_u = { 261 .cipher = { 262 .cia_min_keysize = DES3_KEY_SIZE, 263 .cia_max_keysize = DES3_KEY_SIZE, 264 .cia_setkey = des3_setkey, 265 .cia_encrypt = des3_encrypt, 266 .cia_decrypt = des3_decrypt, 267 } 268 } 269 }; 270 271 static int ecb_des3_encrypt(struct blkcipher_desc *desc, 272 struct scatterlist *dst, struct scatterlist *src, 273 unsigned int nbytes) 274 { 275 struct blkcipher_walk walk; 276 277 blkcipher_walk_init(&walk, dst, src, nbytes); 278 return ecb_desall_crypt(desc, CPACF_KM_TDEA_192, &walk); 279 } 280 281 static int ecb_des3_decrypt(struct blkcipher_desc *desc, 282 struct scatterlist *dst, struct scatterlist *src, 283 unsigned int nbytes) 284 { 285 struct blkcipher_walk walk; 286 287 blkcipher_walk_init(&walk, dst, src, nbytes); 288 return ecb_desall_crypt(desc, CPACF_KM_TDEA_192 | CPACF_DECRYPT, 289 &walk); 290 } 291 292 static struct crypto_alg ecb_des3_alg = { 293 .cra_name = "ecb(des3_ede)", 294 .cra_driver_name = "ecb-des3_ede-s390", 295 .cra_priority = 400, /* combo: des3 + ecb */ 296 .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER, 297 .cra_blocksize = DES_BLOCK_SIZE, 298 .cra_ctxsize = sizeof(struct s390_des_ctx), 299 .cra_type = &crypto_blkcipher_type, 300 .cra_module = THIS_MODULE, 301 .cra_u = { 302 .blkcipher = { 303 .min_keysize = DES3_KEY_SIZE, 304 .max_keysize = DES3_KEY_SIZE, 305 .setkey = des3_setkey, 306 .encrypt = ecb_des3_encrypt, 307 .decrypt = ecb_des3_decrypt, 308 } 309 } 310 }; 311 312 static int cbc_des3_encrypt(struct blkcipher_desc *desc, 313 struct scatterlist *dst, struct scatterlist *src, 314 unsigned int nbytes) 315 { 316 struct blkcipher_walk walk; 317 318 blkcipher_walk_init(&walk, dst, src, nbytes); 319 return cbc_desall_crypt(desc, CPACF_KMC_TDEA_192, &walk); 320 } 321 322 static int cbc_des3_decrypt(struct blkcipher_desc *desc, 323 struct scatterlist *dst, struct scatterlist *src, 324 unsigned int nbytes) 325 { 326 struct blkcipher_walk walk; 327 328 blkcipher_walk_init(&walk, dst, src, nbytes); 329 return cbc_desall_crypt(desc, CPACF_KMC_TDEA_192 | CPACF_DECRYPT, 330 &walk); 331 } 332 333 static struct crypto_alg cbc_des3_alg = { 334 .cra_name = "cbc(des3_ede)", 335 .cra_driver_name = "cbc-des3_ede-s390", 336 .cra_priority = 400, /* combo: des3 + cbc */ 337 .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER, 338 .cra_blocksize = DES_BLOCK_SIZE, 339 .cra_ctxsize = sizeof(struct s390_des_ctx), 340 .cra_type = &crypto_blkcipher_type, 341 .cra_module = THIS_MODULE, 342 .cra_u = { 343 .blkcipher = { 344 .min_keysize = DES3_KEY_SIZE, 345 .max_keysize = DES3_KEY_SIZE, 346 .ivsize = DES_BLOCK_SIZE, 347 .setkey = des3_setkey, 348 .encrypt = cbc_des3_encrypt, 349 .decrypt = cbc_des3_decrypt, 350 } 351 } 352 }; 353 354 static unsigned int __ctrblk_init(u8 *ctrptr, u8 *iv, unsigned int nbytes) 355 { 356 unsigned int i, n; 357 358 /* align to block size, max. PAGE_SIZE */ 359 n = (nbytes > PAGE_SIZE) ? PAGE_SIZE : nbytes & ~(DES_BLOCK_SIZE - 1); 360 memcpy(ctrptr, iv, DES_BLOCK_SIZE); 361 for (i = (n / DES_BLOCK_SIZE) - 1; i > 0; i--) { 362 memcpy(ctrptr + DES_BLOCK_SIZE, ctrptr, DES_BLOCK_SIZE); 363 crypto_inc(ctrptr + DES_BLOCK_SIZE, DES_BLOCK_SIZE); 364 ctrptr += DES_BLOCK_SIZE; 365 } 366 return n; 367 } 368 369 static int ctr_desall_crypt(struct blkcipher_desc *desc, unsigned long fc, 370 struct blkcipher_walk *walk) 371 { 372 struct s390_des_ctx *ctx = crypto_blkcipher_ctx(desc->tfm); 373 u8 buf[DES_BLOCK_SIZE], *ctrptr; 374 unsigned int n, nbytes; 375 int ret, locked; 376 377 locked = spin_trylock(&ctrblk_lock); 378 379 ret = blkcipher_walk_virt_block(desc, walk, DES_BLOCK_SIZE); 380 while ((nbytes = walk->nbytes) >= DES_BLOCK_SIZE) { 381 n = DES_BLOCK_SIZE; 382 if (nbytes >= 2*DES_BLOCK_SIZE && locked) 383 n = __ctrblk_init(ctrblk, walk->iv, nbytes); 384 ctrptr = (n > DES_BLOCK_SIZE) ? ctrblk : walk->iv; 385 cpacf_kmctr(fc, ctx->key, walk->dst.virt.addr, 386 walk->src.virt.addr, n, ctrptr); 387 if (ctrptr == ctrblk) 388 memcpy(walk->iv, ctrptr + n - DES_BLOCK_SIZE, 389 DES_BLOCK_SIZE); 390 crypto_inc(walk->iv, DES_BLOCK_SIZE); 391 ret = blkcipher_walk_done(desc, walk, nbytes - n); 392 } 393 if (locked) 394 spin_unlock(&ctrblk_lock); 395 /* final block may be < DES_BLOCK_SIZE, copy only nbytes */ 396 if (nbytes) { 397 cpacf_kmctr(fc, ctx->key, buf, walk->src.virt.addr, 398 DES_BLOCK_SIZE, walk->iv); 399 memcpy(walk->dst.virt.addr, buf, nbytes); 400 crypto_inc(walk->iv, DES_BLOCK_SIZE); 401 ret = blkcipher_walk_done(desc, walk, 0); 402 } 403 return ret; 404 } 405 406 static int ctr_des_encrypt(struct blkcipher_desc *desc, 407 struct scatterlist *dst, struct scatterlist *src, 408 unsigned int nbytes) 409 { 410 struct blkcipher_walk walk; 411 412 blkcipher_walk_init(&walk, dst, src, nbytes); 413 return ctr_desall_crypt(desc, CPACF_KMCTR_DEA, &walk); 414 } 415 416 static int ctr_des_decrypt(struct blkcipher_desc *desc, 417 struct scatterlist *dst, struct scatterlist *src, 418 unsigned int nbytes) 419 { 420 struct blkcipher_walk walk; 421 422 blkcipher_walk_init(&walk, dst, src, nbytes); 423 return ctr_desall_crypt(desc, CPACF_KMCTR_DEA | CPACF_DECRYPT, &walk); 424 } 425 426 static struct crypto_alg ctr_des_alg = { 427 .cra_name = "ctr(des)", 428 .cra_driver_name = "ctr-des-s390", 429 .cra_priority = 400, /* combo: des + ctr */ 430 .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER, 431 .cra_blocksize = 1, 432 .cra_ctxsize = sizeof(struct s390_des_ctx), 433 .cra_type = &crypto_blkcipher_type, 434 .cra_module = THIS_MODULE, 435 .cra_u = { 436 .blkcipher = { 437 .min_keysize = DES_KEY_SIZE, 438 .max_keysize = DES_KEY_SIZE, 439 .ivsize = DES_BLOCK_SIZE, 440 .setkey = des_setkey, 441 .encrypt = ctr_des_encrypt, 442 .decrypt = ctr_des_decrypt, 443 } 444 } 445 }; 446 447 static int ctr_des3_encrypt(struct blkcipher_desc *desc, 448 struct scatterlist *dst, struct scatterlist *src, 449 unsigned int nbytes) 450 { 451 struct blkcipher_walk walk; 452 453 blkcipher_walk_init(&walk, dst, src, nbytes); 454 return ctr_desall_crypt(desc, CPACF_KMCTR_TDEA_192, &walk); 455 } 456 457 static int ctr_des3_decrypt(struct blkcipher_desc *desc, 458 struct scatterlist *dst, struct scatterlist *src, 459 unsigned int nbytes) 460 { 461 struct blkcipher_walk walk; 462 463 blkcipher_walk_init(&walk, dst, src, nbytes); 464 return ctr_desall_crypt(desc, CPACF_KMCTR_TDEA_192 | CPACF_DECRYPT, 465 &walk); 466 } 467 468 static struct crypto_alg ctr_des3_alg = { 469 .cra_name = "ctr(des3_ede)", 470 .cra_driver_name = "ctr-des3_ede-s390", 471 .cra_priority = 400, /* combo: des3 + ede */ 472 .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER, 473 .cra_blocksize = 1, 474 .cra_ctxsize = sizeof(struct s390_des_ctx), 475 .cra_type = &crypto_blkcipher_type, 476 .cra_module = THIS_MODULE, 477 .cra_u = { 478 .blkcipher = { 479 .min_keysize = DES3_KEY_SIZE, 480 .max_keysize = DES3_KEY_SIZE, 481 .ivsize = DES_BLOCK_SIZE, 482 .setkey = des3_setkey, 483 .encrypt = ctr_des3_encrypt, 484 .decrypt = ctr_des3_decrypt, 485 } 486 } 487 }; 488 489 static struct crypto_alg *des_s390_algs_ptr[8]; 490 static int des_s390_algs_num; 491 492 static int des_s390_register_alg(struct crypto_alg *alg) 493 { 494 int ret; 495 496 ret = crypto_register_alg(alg); 497 if (!ret) 498 des_s390_algs_ptr[des_s390_algs_num++] = alg; 499 return ret; 500 } 501 502 static void des_s390_exit(void) 503 { 504 while (des_s390_algs_num--) 505 crypto_unregister_alg(des_s390_algs_ptr[des_s390_algs_num]); 506 if (ctrblk) 507 free_page((unsigned long) ctrblk); 508 } 509 510 static int __init des_s390_init(void) 511 { 512 int ret; 513 514 /* Query available functions for KM, KMC and KMCTR */ 515 cpacf_query(CPACF_KM, &km_functions); 516 cpacf_query(CPACF_KMC, &kmc_functions); 517 cpacf_query(CPACF_KMCTR, &kmctr_functions); 518 519 if (cpacf_test_func(&km_functions, CPACF_KM_DEA)) { 520 ret = des_s390_register_alg(&des_alg); 521 if (ret) 522 goto out_err; 523 ret = des_s390_register_alg(&ecb_des_alg); 524 if (ret) 525 goto out_err; 526 } 527 if (cpacf_test_func(&kmc_functions, CPACF_KMC_DEA)) { 528 ret = des_s390_register_alg(&cbc_des_alg); 529 if (ret) 530 goto out_err; 531 } 532 if (cpacf_test_func(&km_functions, CPACF_KM_TDEA_192)) { 533 ret = des_s390_register_alg(&des3_alg); 534 if (ret) 535 goto out_err; 536 ret = des_s390_register_alg(&ecb_des3_alg); 537 if (ret) 538 goto out_err; 539 } 540 if (cpacf_test_func(&kmc_functions, CPACF_KMC_TDEA_192)) { 541 ret = des_s390_register_alg(&cbc_des3_alg); 542 if (ret) 543 goto out_err; 544 } 545 546 if (cpacf_test_func(&kmctr_functions, CPACF_KMCTR_DEA) || 547 cpacf_test_func(&kmctr_functions, CPACF_KMCTR_TDEA_192)) { 548 ctrblk = (u8 *) __get_free_page(GFP_KERNEL); 549 if (!ctrblk) { 550 ret = -ENOMEM; 551 goto out_err; 552 } 553 } 554 555 if (cpacf_test_func(&kmctr_functions, CPACF_KMCTR_DEA)) { 556 ret = des_s390_register_alg(&ctr_des_alg); 557 if (ret) 558 goto out_err; 559 } 560 if (cpacf_test_func(&kmctr_functions, CPACF_KMCTR_TDEA_192)) { 561 ret = des_s390_register_alg(&ctr_des3_alg); 562 if (ret) 563 goto out_err; 564 } 565 566 return 0; 567 out_err: 568 des_s390_exit(); 569 return ret; 570 } 571 572 module_cpu_feature_match(MSA, des_s390_init); 573 module_exit(des_s390_exit); 574 575 MODULE_ALIAS_CRYPTO("des"); 576 MODULE_ALIAS_CRYPTO("des3_ede"); 577 578 MODULE_LICENSE("GPL"); 579 MODULE_DESCRIPTION("DES & Triple DES EDE Cipher Algorithms"); 580