1 /* 2 * Cryptographic API. 3 * 4 * s390 implementation of the DES Cipher Algorithm. 5 * 6 * Copyright IBM Corp. 2003, 2011 7 * Author(s): Thomas Spatzier 8 * Jan Glauber (jan.glauber@de.ibm.com) 9 * 10 * This program is free software; you can redistribute it and/or modify 11 * it under the terms of the GNU General Public License as published by 12 * the Free Software Foundation; either version 2 of the License, or 13 * (at your option) any later version. 14 * 15 */ 16 17 #include <linux/init.h> 18 #include <linux/module.h> 19 #include <linux/cpufeature.h> 20 #include <linux/crypto.h> 21 #include <crypto/algapi.h> 22 #include <crypto/des.h> 23 #include <asm/cpacf.h> 24 25 #define DES3_KEY_SIZE (3 * DES_KEY_SIZE) 26 27 static u8 *ctrblk; 28 static DEFINE_SPINLOCK(ctrblk_lock); 29 30 static cpacf_mask_t km_functions, kmc_functions, kmctr_functions; 31 32 struct s390_des_ctx { 33 u8 iv[DES_BLOCK_SIZE]; 34 u8 key[DES3_KEY_SIZE]; 35 }; 36 37 static int des_setkey(struct crypto_tfm *tfm, const u8 *key, 38 unsigned int key_len) 39 { 40 struct s390_des_ctx *ctx = crypto_tfm_ctx(tfm); 41 u32 tmp[DES_EXPKEY_WORDS]; 42 43 /* check for weak keys */ 44 if (!des_ekey(tmp, key) && 45 (tfm->crt_flags & CRYPTO_TFM_REQ_WEAK_KEY)) { 46 tfm->crt_flags |= CRYPTO_TFM_RES_WEAK_KEY; 47 return -EINVAL; 48 } 49 50 memcpy(ctx->key, key, key_len); 51 return 0; 52 } 53 54 static void des_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in) 55 { 56 struct s390_des_ctx *ctx = crypto_tfm_ctx(tfm); 57 58 cpacf_km(CPACF_KM_DEA, ctx->key, out, in, DES_BLOCK_SIZE); 59 } 60 61 static void des_decrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in) 62 { 63 struct s390_des_ctx *ctx = crypto_tfm_ctx(tfm); 64 65 cpacf_km(CPACF_KM_DEA | CPACF_DECRYPT, 66 ctx->key, out, in, DES_BLOCK_SIZE); 67 } 68 69 static struct crypto_alg des_alg = { 70 .cra_name = "des", 71 .cra_driver_name = "des-s390", 72 .cra_priority = 300, 73 .cra_flags = CRYPTO_ALG_TYPE_CIPHER, 74 .cra_blocksize = DES_BLOCK_SIZE, 75 .cra_ctxsize = sizeof(struct s390_des_ctx), 76 .cra_module = THIS_MODULE, 77 .cra_u = { 78 .cipher = { 79 .cia_min_keysize = DES_KEY_SIZE, 80 .cia_max_keysize = DES_KEY_SIZE, 81 .cia_setkey = des_setkey, 82 .cia_encrypt = des_encrypt, 83 .cia_decrypt = des_decrypt, 84 } 85 } 86 }; 87 88 static int ecb_desall_crypt(struct blkcipher_desc *desc, unsigned long fc, 89 struct blkcipher_walk *walk) 90 { 91 struct s390_des_ctx *ctx = crypto_blkcipher_ctx(desc->tfm); 92 unsigned int nbytes, n; 93 int ret; 94 95 ret = blkcipher_walk_virt(desc, walk); 96 while ((nbytes = walk->nbytes) >= DES_BLOCK_SIZE) { 97 /* only use complete blocks */ 98 n = nbytes & ~(DES_BLOCK_SIZE - 1); 99 cpacf_km(fc, ctx->key, walk->dst.virt.addr, 100 walk->src.virt.addr, n); 101 ret = blkcipher_walk_done(desc, walk, nbytes - n); 102 } 103 return ret; 104 } 105 106 static int cbc_desall_crypt(struct blkcipher_desc *desc, unsigned long fc, 107 struct blkcipher_walk *walk) 108 { 109 struct s390_des_ctx *ctx = crypto_blkcipher_ctx(desc->tfm); 110 unsigned int nbytes, n; 111 int ret; 112 struct { 113 u8 iv[DES_BLOCK_SIZE]; 114 u8 key[DES3_KEY_SIZE]; 115 } param; 116 117 ret = blkcipher_walk_virt(desc, walk); 118 memcpy(param.iv, walk->iv, DES_BLOCK_SIZE); 119 memcpy(param.key, ctx->key, DES3_KEY_SIZE); 120 while ((nbytes = walk->nbytes) >= DES_BLOCK_SIZE) { 121 /* only use complete blocks */ 122 n = nbytes & ~(DES_BLOCK_SIZE - 1); 123 cpacf_kmc(fc, ¶m, walk->dst.virt.addr, 124 walk->src.virt.addr, n); 125 ret = blkcipher_walk_done(desc, walk, nbytes - n); 126 } 127 memcpy(walk->iv, param.iv, DES_BLOCK_SIZE); 128 return ret; 129 } 130 131 static int ecb_des_encrypt(struct blkcipher_desc *desc, 132 struct scatterlist *dst, struct scatterlist *src, 133 unsigned int nbytes) 134 { 135 struct blkcipher_walk walk; 136 137 blkcipher_walk_init(&walk, dst, src, nbytes); 138 return ecb_desall_crypt(desc, CPACF_KM_DEA, &walk); 139 } 140 141 static int ecb_des_decrypt(struct blkcipher_desc *desc, 142 struct scatterlist *dst, struct scatterlist *src, 143 unsigned int nbytes) 144 { 145 struct blkcipher_walk walk; 146 147 blkcipher_walk_init(&walk, dst, src, nbytes); 148 return ecb_desall_crypt(desc, CPACF_KM_DEA | CPACF_DECRYPT, &walk); 149 } 150 151 static struct crypto_alg ecb_des_alg = { 152 .cra_name = "ecb(des)", 153 .cra_driver_name = "ecb-des-s390", 154 .cra_priority = 400, /* combo: des + ecb */ 155 .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER, 156 .cra_blocksize = DES_BLOCK_SIZE, 157 .cra_ctxsize = sizeof(struct s390_des_ctx), 158 .cra_type = &crypto_blkcipher_type, 159 .cra_module = THIS_MODULE, 160 .cra_u = { 161 .blkcipher = { 162 .min_keysize = DES_KEY_SIZE, 163 .max_keysize = DES_KEY_SIZE, 164 .setkey = des_setkey, 165 .encrypt = ecb_des_encrypt, 166 .decrypt = ecb_des_decrypt, 167 } 168 } 169 }; 170 171 static int cbc_des_encrypt(struct blkcipher_desc *desc, 172 struct scatterlist *dst, struct scatterlist *src, 173 unsigned int nbytes) 174 { 175 struct blkcipher_walk walk; 176 177 blkcipher_walk_init(&walk, dst, src, nbytes); 178 return cbc_desall_crypt(desc, CPACF_KMC_DEA, &walk); 179 } 180 181 static int cbc_des_decrypt(struct blkcipher_desc *desc, 182 struct scatterlist *dst, struct scatterlist *src, 183 unsigned int nbytes) 184 { 185 struct blkcipher_walk walk; 186 187 blkcipher_walk_init(&walk, dst, src, nbytes); 188 return cbc_desall_crypt(desc, CPACF_KMC_DEA | CPACF_DECRYPT, &walk); 189 } 190 191 static struct crypto_alg cbc_des_alg = { 192 .cra_name = "cbc(des)", 193 .cra_driver_name = "cbc-des-s390", 194 .cra_priority = 400, /* combo: des + cbc */ 195 .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER, 196 .cra_blocksize = DES_BLOCK_SIZE, 197 .cra_ctxsize = sizeof(struct s390_des_ctx), 198 .cra_type = &crypto_blkcipher_type, 199 .cra_module = THIS_MODULE, 200 .cra_u = { 201 .blkcipher = { 202 .min_keysize = DES_KEY_SIZE, 203 .max_keysize = DES_KEY_SIZE, 204 .ivsize = DES_BLOCK_SIZE, 205 .setkey = des_setkey, 206 .encrypt = cbc_des_encrypt, 207 .decrypt = cbc_des_decrypt, 208 } 209 } 210 }; 211 212 /* 213 * RFC2451: 214 * 215 * For DES-EDE3, there is no known need to reject weak or 216 * complementation keys. Any weakness is obviated by the use of 217 * multiple keys. 218 * 219 * However, if the first two or last two independent 64-bit keys are 220 * equal (k1 == k2 or k2 == k3), then the DES3 operation is simply the 221 * same as DES. Implementers MUST reject keys that exhibit this 222 * property. 223 * 224 */ 225 static int des3_setkey(struct crypto_tfm *tfm, const u8 *key, 226 unsigned int key_len) 227 { 228 struct s390_des_ctx *ctx = crypto_tfm_ctx(tfm); 229 230 if (!(crypto_memneq(key, &key[DES_KEY_SIZE], DES_KEY_SIZE) && 231 crypto_memneq(&key[DES_KEY_SIZE], &key[DES_KEY_SIZE * 2], 232 DES_KEY_SIZE)) && 233 (tfm->crt_flags & CRYPTO_TFM_REQ_WEAK_KEY)) { 234 tfm->crt_flags |= CRYPTO_TFM_RES_WEAK_KEY; 235 return -EINVAL; 236 } 237 memcpy(ctx->key, key, key_len); 238 return 0; 239 } 240 241 static void des3_encrypt(struct crypto_tfm *tfm, u8 *dst, const u8 *src) 242 { 243 struct s390_des_ctx *ctx = crypto_tfm_ctx(tfm); 244 245 cpacf_km(CPACF_KM_TDEA_192, ctx->key, dst, src, DES_BLOCK_SIZE); 246 } 247 248 static void des3_decrypt(struct crypto_tfm *tfm, u8 *dst, const u8 *src) 249 { 250 struct s390_des_ctx *ctx = crypto_tfm_ctx(tfm); 251 252 cpacf_km(CPACF_KM_TDEA_192 | CPACF_DECRYPT, 253 ctx->key, dst, src, DES_BLOCK_SIZE); 254 } 255 256 static struct crypto_alg des3_alg = { 257 .cra_name = "des3_ede", 258 .cra_driver_name = "des3_ede-s390", 259 .cra_priority = 300, 260 .cra_flags = CRYPTO_ALG_TYPE_CIPHER, 261 .cra_blocksize = DES_BLOCK_SIZE, 262 .cra_ctxsize = sizeof(struct s390_des_ctx), 263 .cra_module = THIS_MODULE, 264 .cra_u = { 265 .cipher = { 266 .cia_min_keysize = DES3_KEY_SIZE, 267 .cia_max_keysize = DES3_KEY_SIZE, 268 .cia_setkey = des3_setkey, 269 .cia_encrypt = des3_encrypt, 270 .cia_decrypt = des3_decrypt, 271 } 272 } 273 }; 274 275 static int ecb_des3_encrypt(struct blkcipher_desc *desc, 276 struct scatterlist *dst, struct scatterlist *src, 277 unsigned int nbytes) 278 { 279 struct blkcipher_walk walk; 280 281 blkcipher_walk_init(&walk, dst, src, nbytes); 282 return ecb_desall_crypt(desc, CPACF_KM_TDEA_192, &walk); 283 } 284 285 static int ecb_des3_decrypt(struct blkcipher_desc *desc, 286 struct scatterlist *dst, struct scatterlist *src, 287 unsigned int nbytes) 288 { 289 struct blkcipher_walk walk; 290 291 blkcipher_walk_init(&walk, dst, src, nbytes); 292 return ecb_desall_crypt(desc, CPACF_KM_TDEA_192 | CPACF_DECRYPT, 293 &walk); 294 } 295 296 static struct crypto_alg ecb_des3_alg = { 297 .cra_name = "ecb(des3_ede)", 298 .cra_driver_name = "ecb-des3_ede-s390", 299 .cra_priority = 400, /* combo: des3 + ecb */ 300 .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER, 301 .cra_blocksize = DES_BLOCK_SIZE, 302 .cra_ctxsize = sizeof(struct s390_des_ctx), 303 .cra_type = &crypto_blkcipher_type, 304 .cra_module = THIS_MODULE, 305 .cra_u = { 306 .blkcipher = { 307 .min_keysize = DES3_KEY_SIZE, 308 .max_keysize = DES3_KEY_SIZE, 309 .setkey = des3_setkey, 310 .encrypt = ecb_des3_encrypt, 311 .decrypt = ecb_des3_decrypt, 312 } 313 } 314 }; 315 316 static int cbc_des3_encrypt(struct blkcipher_desc *desc, 317 struct scatterlist *dst, struct scatterlist *src, 318 unsigned int nbytes) 319 { 320 struct blkcipher_walk walk; 321 322 blkcipher_walk_init(&walk, dst, src, nbytes); 323 return cbc_desall_crypt(desc, CPACF_KMC_TDEA_192, &walk); 324 } 325 326 static int cbc_des3_decrypt(struct blkcipher_desc *desc, 327 struct scatterlist *dst, struct scatterlist *src, 328 unsigned int nbytes) 329 { 330 struct blkcipher_walk walk; 331 332 blkcipher_walk_init(&walk, dst, src, nbytes); 333 return cbc_desall_crypt(desc, CPACF_KMC_TDEA_192 | CPACF_DECRYPT, 334 &walk); 335 } 336 337 static struct crypto_alg cbc_des3_alg = { 338 .cra_name = "cbc(des3_ede)", 339 .cra_driver_name = "cbc-des3_ede-s390", 340 .cra_priority = 400, /* combo: des3 + cbc */ 341 .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER, 342 .cra_blocksize = DES_BLOCK_SIZE, 343 .cra_ctxsize = sizeof(struct s390_des_ctx), 344 .cra_type = &crypto_blkcipher_type, 345 .cra_module = THIS_MODULE, 346 .cra_u = { 347 .blkcipher = { 348 .min_keysize = DES3_KEY_SIZE, 349 .max_keysize = DES3_KEY_SIZE, 350 .ivsize = DES_BLOCK_SIZE, 351 .setkey = des3_setkey, 352 .encrypt = cbc_des3_encrypt, 353 .decrypt = cbc_des3_decrypt, 354 } 355 } 356 }; 357 358 static unsigned int __ctrblk_init(u8 *ctrptr, u8 *iv, unsigned int nbytes) 359 { 360 unsigned int i, n; 361 362 /* align to block size, max. PAGE_SIZE */ 363 n = (nbytes > PAGE_SIZE) ? PAGE_SIZE : nbytes & ~(DES_BLOCK_SIZE - 1); 364 memcpy(ctrptr, iv, DES_BLOCK_SIZE); 365 for (i = (n / DES_BLOCK_SIZE) - 1; i > 0; i--) { 366 memcpy(ctrptr + DES_BLOCK_SIZE, ctrptr, DES_BLOCK_SIZE); 367 crypto_inc(ctrptr + DES_BLOCK_SIZE, DES_BLOCK_SIZE); 368 ctrptr += DES_BLOCK_SIZE; 369 } 370 return n; 371 } 372 373 static int ctr_desall_crypt(struct blkcipher_desc *desc, unsigned long fc, 374 struct blkcipher_walk *walk) 375 { 376 struct s390_des_ctx *ctx = crypto_blkcipher_ctx(desc->tfm); 377 u8 buf[DES_BLOCK_SIZE], *ctrptr; 378 unsigned int n, nbytes; 379 int ret, locked; 380 381 locked = spin_trylock(&ctrblk_lock); 382 383 ret = blkcipher_walk_virt_block(desc, walk, DES_BLOCK_SIZE); 384 while ((nbytes = walk->nbytes) >= DES_BLOCK_SIZE) { 385 n = DES_BLOCK_SIZE; 386 if (nbytes >= 2*DES_BLOCK_SIZE && locked) 387 n = __ctrblk_init(ctrblk, walk->iv, nbytes); 388 ctrptr = (n > DES_BLOCK_SIZE) ? ctrblk : walk->iv; 389 cpacf_kmctr(fc, ctx->key, walk->dst.virt.addr, 390 walk->src.virt.addr, n, ctrptr); 391 if (ctrptr == ctrblk) 392 memcpy(walk->iv, ctrptr + n - DES_BLOCK_SIZE, 393 DES_BLOCK_SIZE); 394 crypto_inc(walk->iv, DES_BLOCK_SIZE); 395 ret = blkcipher_walk_done(desc, walk, nbytes - n); 396 } 397 if (locked) 398 spin_unlock(&ctrblk_lock); 399 /* final block may be < DES_BLOCK_SIZE, copy only nbytes */ 400 if (nbytes) { 401 cpacf_kmctr(fc, ctx->key, buf, walk->src.virt.addr, 402 DES_BLOCK_SIZE, walk->iv); 403 memcpy(walk->dst.virt.addr, buf, nbytes); 404 crypto_inc(walk->iv, DES_BLOCK_SIZE); 405 ret = blkcipher_walk_done(desc, walk, 0); 406 } 407 return ret; 408 } 409 410 static int ctr_des_encrypt(struct blkcipher_desc *desc, 411 struct scatterlist *dst, struct scatterlist *src, 412 unsigned int nbytes) 413 { 414 struct blkcipher_walk walk; 415 416 blkcipher_walk_init(&walk, dst, src, nbytes); 417 return ctr_desall_crypt(desc, CPACF_KMCTR_DEA, &walk); 418 } 419 420 static int ctr_des_decrypt(struct blkcipher_desc *desc, 421 struct scatterlist *dst, struct scatterlist *src, 422 unsigned int nbytes) 423 { 424 struct blkcipher_walk walk; 425 426 blkcipher_walk_init(&walk, dst, src, nbytes); 427 return ctr_desall_crypt(desc, CPACF_KMCTR_DEA | CPACF_DECRYPT, &walk); 428 } 429 430 static struct crypto_alg ctr_des_alg = { 431 .cra_name = "ctr(des)", 432 .cra_driver_name = "ctr-des-s390", 433 .cra_priority = 400, /* combo: des + ctr */ 434 .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER, 435 .cra_blocksize = 1, 436 .cra_ctxsize = sizeof(struct s390_des_ctx), 437 .cra_type = &crypto_blkcipher_type, 438 .cra_module = THIS_MODULE, 439 .cra_u = { 440 .blkcipher = { 441 .min_keysize = DES_KEY_SIZE, 442 .max_keysize = DES_KEY_SIZE, 443 .ivsize = DES_BLOCK_SIZE, 444 .setkey = des_setkey, 445 .encrypt = ctr_des_encrypt, 446 .decrypt = ctr_des_decrypt, 447 } 448 } 449 }; 450 451 static int ctr_des3_encrypt(struct blkcipher_desc *desc, 452 struct scatterlist *dst, struct scatterlist *src, 453 unsigned int nbytes) 454 { 455 struct blkcipher_walk walk; 456 457 blkcipher_walk_init(&walk, dst, src, nbytes); 458 return ctr_desall_crypt(desc, CPACF_KMCTR_TDEA_192, &walk); 459 } 460 461 static int ctr_des3_decrypt(struct blkcipher_desc *desc, 462 struct scatterlist *dst, struct scatterlist *src, 463 unsigned int nbytes) 464 { 465 struct blkcipher_walk walk; 466 467 blkcipher_walk_init(&walk, dst, src, nbytes); 468 return ctr_desall_crypt(desc, CPACF_KMCTR_TDEA_192 | CPACF_DECRYPT, 469 &walk); 470 } 471 472 static struct crypto_alg ctr_des3_alg = { 473 .cra_name = "ctr(des3_ede)", 474 .cra_driver_name = "ctr-des3_ede-s390", 475 .cra_priority = 400, /* combo: des3 + ede */ 476 .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER, 477 .cra_blocksize = 1, 478 .cra_ctxsize = sizeof(struct s390_des_ctx), 479 .cra_type = &crypto_blkcipher_type, 480 .cra_module = THIS_MODULE, 481 .cra_u = { 482 .blkcipher = { 483 .min_keysize = DES3_KEY_SIZE, 484 .max_keysize = DES3_KEY_SIZE, 485 .ivsize = DES_BLOCK_SIZE, 486 .setkey = des3_setkey, 487 .encrypt = ctr_des3_encrypt, 488 .decrypt = ctr_des3_decrypt, 489 } 490 } 491 }; 492 493 static struct crypto_alg *des_s390_algs_ptr[8]; 494 static int des_s390_algs_num; 495 496 static int des_s390_register_alg(struct crypto_alg *alg) 497 { 498 int ret; 499 500 ret = crypto_register_alg(alg); 501 if (!ret) 502 des_s390_algs_ptr[des_s390_algs_num++] = alg; 503 return ret; 504 } 505 506 static void des_s390_exit(void) 507 { 508 while (des_s390_algs_num--) 509 crypto_unregister_alg(des_s390_algs_ptr[des_s390_algs_num]); 510 if (ctrblk) 511 free_page((unsigned long) ctrblk); 512 } 513 514 static int __init des_s390_init(void) 515 { 516 int ret; 517 518 /* Query available functions for KM, KMC and KMCTR */ 519 cpacf_query(CPACF_KM, &km_functions); 520 cpacf_query(CPACF_KMC, &kmc_functions); 521 cpacf_query(CPACF_KMCTR, &kmctr_functions); 522 523 if (cpacf_test_func(&km_functions, CPACF_KM_DEA)) { 524 ret = des_s390_register_alg(&des_alg); 525 if (ret) 526 goto out_err; 527 ret = des_s390_register_alg(&ecb_des_alg); 528 if (ret) 529 goto out_err; 530 } 531 if (cpacf_test_func(&kmc_functions, CPACF_KMC_DEA)) { 532 ret = des_s390_register_alg(&cbc_des_alg); 533 if (ret) 534 goto out_err; 535 } 536 if (cpacf_test_func(&km_functions, CPACF_KM_TDEA_192)) { 537 ret = des_s390_register_alg(&des3_alg); 538 if (ret) 539 goto out_err; 540 ret = des_s390_register_alg(&ecb_des3_alg); 541 if (ret) 542 goto out_err; 543 } 544 if (cpacf_test_func(&kmc_functions, CPACF_KMC_TDEA_192)) { 545 ret = des_s390_register_alg(&cbc_des3_alg); 546 if (ret) 547 goto out_err; 548 } 549 550 if (cpacf_test_func(&kmctr_functions, CPACF_KMCTR_DEA) || 551 cpacf_test_func(&kmctr_functions, CPACF_KMCTR_TDEA_192)) { 552 ctrblk = (u8 *) __get_free_page(GFP_KERNEL); 553 if (!ctrblk) { 554 ret = -ENOMEM; 555 goto out_err; 556 } 557 } 558 559 if (cpacf_test_func(&kmctr_functions, CPACF_KMCTR_DEA)) { 560 ret = des_s390_register_alg(&ctr_des_alg); 561 if (ret) 562 goto out_err; 563 } 564 if (cpacf_test_func(&kmctr_functions, CPACF_KMCTR_TDEA_192)) { 565 ret = des_s390_register_alg(&ctr_des3_alg); 566 if (ret) 567 goto out_err; 568 } 569 570 return 0; 571 out_err: 572 des_s390_exit(); 573 return ret; 574 } 575 576 module_cpu_feature_match(MSA, des_s390_init); 577 module_exit(des_s390_exit); 578 579 MODULE_ALIAS_CRYPTO("des"); 580 MODULE_ALIAS_CRYPTO("des3_ede"); 581 582 MODULE_LICENSE("GPL"); 583 MODULE_DESCRIPTION("DES & Triple DES EDE Cipher Algorithms"); 584