1 // SPDX-License-Identifier: GPL-2.0+ 2 /* 3 * Cryptographic API. 4 * 5 * s390 implementation of the DES Cipher Algorithm. 6 * 7 * Copyright IBM Corp. 2003, 2011 8 * Author(s): Thomas Spatzier 9 * Jan Glauber (jan.glauber@de.ibm.com) 10 */ 11 12 #include <linux/init.h> 13 #include <linux/module.h> 14 #include <linux/cpufeature.h> 15 #include <linux/crypto.h> 16 #include <linux/fips.h> 17 #include <linux/mutex.h> 18 #include <crypto/algapi.h> 19 #include <crypto/internal/des.h> 20 #include <asm/cpacf.h> 21 22 #define DES3_KEY_SIZE (3 * DES_KEY_SIZE) 23 24 static u8 *ctrblk; 25 static DEFINE_MUTEX(ctrblk_lock); 26 27 static cpacf_mask_t km_functions, kmc_functions, kmctr_functions; 28 29 struct s390_des_ctx { 30 u8 iv[DES_BLOCK_SIZE]; 31 u8 key[DES3_KEY_SIZE]; 32 }; 33 34 static int des_setkey(struct crypto_tfm *tfm, const u8 *key, 35 unsigned int key_len) 36 { 37 struct s390_des_ctx *ctx = crypto_tfm_ctx(tfm); 38 int err; 39 40 err = crypto_des_verify_key(tfm, key); 41 if (err) 42 return err; 43 44 memcpy(ctx->key, key, key_len); 45 return 0; 46 } 47 48 static void s390_des_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in) 49 { 50 struct s390_des_ctx *ctx = crypto_tfm_ctx(tfm); 51 52 cpacf_km(CPACF_KM_DEA, ctx->key, out, in, DES_BLOCK_SIZE); 53 } 54 55 static void s390_des_decrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in) 56 { 57 struct s390_des_ctx *ctx = crypto_tfm_ctx(tfm); 58 59 cpacf_km(CPACF_KM_DEA | CPACF_DECRYPT, 60 ctx->key, out, in, DES_BLOCK_SIZE); 61 } 62 63 static struct crypto_alg des_alg = { 64 .cra_name = "des", 65 .cra_driver_name = "des-s390", 66 .cra_priority = 300, 67 .cra_flags = CRYPTO_ALG_TYPE_CIPHER, 68 .cra_blocksize = DES_BLOCK_SIZE, 69 .cra_ctxsize = sizeof(struct s390_des_ctx), 70 .cra_module = THIS_MODULE, 71 .cra_u = { 72 .cipher = { 73 .cia_min_keysize = DES_KEY_SIZE, 74 .cia_max_keysize = DES_KEY_SIZE, 75 .cia_setkey = des_setkey, 76 .cia_encrypt = s390_des_encrypt, 77 .cia_decrypt = s390_des_decrypt, 78 } 79 } 80 }; 81 82 static int ecb_desall_crypt(struct blkcipher_desc *desc, unsigned long fc, 83 struct blkcipher_walk *walk) 84 { 85 struct s390_des_ctx *ctx = crypto_blkcipher_ctx(desc->tfm); 86 unsigned int nbytes, n; 87 int ret; 88 89 ret = blkcipher_walk_virt(desc, walk); 90 while ((nbytes = walk->nbytes) >= DES_BLOCK_SIZE) { 91 /* only use complete blocks */ 92 n = nbytes & ~(DES_BLOCK_SIZE - 1); 93 cpacf_km(fc, ctx->key, walk->dst.virt.addr, 94 walk->src.virt.addr, n); 95 ret = blkcipher_walk_done(desc, walk, nbytes - n); 96 } 97 return ret; 98 } 99 100 static int cbc_desall_crypt(struct blkcipher_desc *desc, unsigned long fc, 101 struct blkcipher_walk *walk) 102 { 103 struct s390_des_ctx *ctx = crypto_blkcipher_ctx(desc->tfm); 104 unsigned int nbytes, n; 105 int ret; 106 struct { 107 u8 iv[DES_BLOCK_SIZE]; 108 u8 key[DES3_KEY_SIZE]; 109 } param; 110 111 ret = blkcipher_walk_virt(desc, walk); 112 memcpy(param.iv, walk->iv, DES_BLOCK_SIZE); 113 memcpy(param.key, ctx->key, DES3_KEY_SIZE); 114 while ((nbytes = walk->nbytes) >= DES_BLOCK_SIZE) { 115 /* only use complete blocks */ 116 n = nbytes & ~(DES_BLOCK_SIZE - 1); 117 cpacf_kmc(fc, ¶m, walk->dst.virt.addr, 118 walk->src.virt.addr, n); 119 ret = blkcipher_walk_done(desc, walk, nbytes - n); 120 } 121 memcpy(walk->iv, param.iv, DES_BLOCK_SIZE); 122 return ret; 123 } 124 125 static int ecb_des_encrypt(struct blkcipher_desc *desc, 126 struct scatterlist *dst, struct scatterlist *src, 127 unsigned int nbytes) 128 { 129 struct blkcipher_walk walk; 130 131 blkcipher_walk_init(&walk, dst, src, nbytes); 132 return ecb_desall_crypt(desc, CPACF_KM_DEA, &walk); 133 } 134 135 static int ecb_des_decrypt(struct blkcipher_desc *desc, 136 struct scatterlist *dst, struct scatterlist *src, 137 unsigned int nbytes) 138 { 139 struct blkcipher_walk walk; 140 141 blkcipher_walk_init(&walk, dst, src, nbytes); 142 return ecb_desall_crypt(desc, CPACF_KM_DEA | CPACF_DECRYPT, &walk); 143 } 144 145 static struct crypto_alg ecb_des_alg = { 146 .cra_name = "ecb(des)", 147 .cra_driver_name = "ecb-des-s390", 148 .cra_priority = 400, /* combo: des + ecb */ 149 .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER, 150 .cra_blocksize = DES_BLOCK_SIZE, 151 .cra_ctxsize = sizeof(struct s390_des_ctx), 152 .cra_type = &crypto_blkcipher_type, 153 .cra_module = THIS_MODULE, 154 .cra_u = { 155 .blkcipher = { 156 .min_keysize = DES_KEY_SIZE, 157 .max_keysize = DES_KEY_SIZE, 158 .setkey = des_setkey, 159 .encrypt = ecb_des_encrypt, 160 .decrypt = ecb_des_decrypt, 161 } 162 } 163 }; 164 165 static int cbc_des_encrypt(struct blkcipher_desc *desc, 166 struct scatterlist *dst, struct scatterlist *src, 167 unsigned int nbytes) 168 { 169 struct blkcipher_walk walk; 170 171 blkcipher_walk_init(&walk, dst, src, nbytes); 172 return cbc_desall_crypt(desc, CPACF_KMC_DEA, &walk); 173 } 174 175 static int cbc_des_decrypt(struct blkcipher_desc *desc, 176 struct scatterlist *dst, struct scatterlist *src, 177 unsigned int nbytes) 178 { 179 struct blkcipher_walk walk; 180 181 blkcipher_walk_init(&walk, dst, src, nbytes); 182 return cbc_desall_crypt(desc, CPACF_KMC_DEA | CPACF_DECRYPT, &walk); 183 } 184 185 static struct crypto_alg cbc_des_alg = { 186 .cra_name = "cbc(des)", 187 .cra_driver_name = "cbc-des-s390", 188 .cra_priority = 400, /* combo: des + cbc */ 189 .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER, 190 .cra_blocksize = DES_BLOCK_SIZE, 191 .cra_ctxsize = sizeof(struct s390_des_ctx), 192 .cra_type = &crypto_blkcipher_type, 193 .cra_module = THIS_MODULE, 194 .cra_u = { 195 .blkcipher = { 196 .min_keysize = DES_KEY_SIZE, 197 .max_keysize = DES_KEY_SIZE, 198 .ivsize = DES_BLOCK_SIZE, 199 .setkey = des_setkey, 200 .encrypt = cbc_des_encrypt, 201 .decrypt = cbc_des_decrypt, 202 } 203 } 204 }; 205 206 /* 207 * RFC2451: 208 * 209 * For DES-EDE3, there is no known need to reject weak or 210 * complementation keys. Any weakness is obviated by the use of 211 * multiple keys. 212 * 213 * However, if the first two or last two independent 64-bit keys are 214 * equal (k1 == k2 or k2 == k3), then the DES3 operation is simply the 215 * same as DES. Implementers MUST reject keys that exhibit this 216 * property. 217 * 218 * In fips mode additinally check for all 3 keys are unique. 219 * 220 */ 221 static int des3_setkey(struct crypto_tfm *tfm, const u8 *key, 222 unsigned int key_len) 223 { 224 struct s390_des_ctx *ctx = crypto_tfm_ctx(tfm); 225 int err; 226 227 err = crypto_des3_ede_verify_key(tfm, key); 228 if (err) 229 return err; 230 231 memcpy(ctx->key, key, key_len); 232 return 0; 233 } 234 235 static void des3_encrypt(struct crypto_tfm *tfm, u8 *dst, const u8 *src) 236 { 237 struct s390_des_ctx *ctx = crypto_tfm_ctx(tfm); 238 239 cpacf_km(CPACF_KM_TDEA_192, ctx->key, dst, src, DES_BLOCK_SIZE); 240 } 241 242 static void des3_decrypt(struct crypto_tfm *tfm, u8 *dst, const u8 *src) 243 { 244 struct s390_des_ctx *ctx = crypto_tfm_ctx(tfm); 245 246 cpacf_km(CPACF_KM_TDEA_192 | CPACF_DECRYPT, 247 ctx->key, dst, src, DES_BLOCK_SIZE); 248 } 249 250 static struct crypto_alg des3_alg = { 251 .cra_name = "des3_ede", 252 .cra_driver_name = "des3_ede-s390", 253 .cra_priority = 300, 254 .cra_flags = CRYPTO_ALG_TYPE_CIPHER, 255 .cra_blocksize = DES_BLOCK_SIZE, 256 .cra_ctxsize = sizeof(struct s390_des_ctx), 257 .cra_module = THIS_MODULE, 258 .cra_u = { 259 .cipher = { 260 .cia_min_keysize = DES3_KEY_SIZE, 261 .cia_max_keysize = DES3_KEY_SIZE, 262 .cia_setkey = des3_setkey, 263 .cia_encrypt = des3_encrypt, 264 .cia_decrypt = des3_decrypt, 265 } 266 } 267 }; 268 269 static int ecb_des3_encrypt(struct blkcipher_desc *desc, 270 struct scatterlist *dst, struct scatterlist *src, 271 unsigned int nbytes) 272 { 273 struct blkcipher_walk walk; 274 275 blkcipher_walk_init(&walk, dst, src, nbytes); 276 return ecb_desall_crypt(desc, CPACF_KM_TDEA_192, &walk); 277 } 278 279 static int ecb_des3_decrypt(struct blkcipher_desc *desc, 280 struct scatterlist *dst, struct scatterlist *src, 281 unsigned int nbytes) 282 { 283 struct blkcipher_walk walk; 284 285 blkcipher_walk_init(&walk, dst, src, nbytes); 286 return ecb_desall_crypt(desc, CPACF_KM_TDEA_192 | CPACF_DECRYPT, 287 &walk); 288 } 289 290 static struct crypto_alg ecb_des3_alg = { 291 .cra_name = "ecb(des3_ede)", 292 .cra_driver_name = "ecb-des3_ede-s390", 293 .cra_priority = 400, /* combo: des3 + ecb */ 294 .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER, 295 .cra_blocksize = DES_BLOCK_SIZE, 296 .cra_ctxsize = sizeof(struct s390_des_ctx), 297 .cra_type = &crypto_blkcipher_type, 298 .cra_module = THIS_MODULE, 299 .cra_u = { 300 .blkcipher = { 301 .min_keysize = DES3_KEY_SIZE, 302 .max_keysize = DES3_KEY_SIZE, 303 .setkey = des3_setkey, 304 .encrypt = ecb_des3_encrypt, 305 .decrypt = ecb_des3_decrypt, 306 } 307 } 308 }; 309 310 static int cbc_des3_encrypt(struct blkcipher_desc *desc, 311 struct scatterlist *dst, struct scatterlist *src, 312 unsigned int nbytes) 313 { 314 struct blkcipher_walk walk; 315 316 blkcipher_walk_init(&walk, dst, src, nbytes); 317 return cbc_desall_crypt(desc, CPACF_KMC_TDEA_192, &walk); 318 } 319 320 static int cbc_des3_decrypt(struct blkcipher_desc *desc, 321 struct scatterlist *dst, struct scatterlist *src, 322 unsigned int nbytes) 323 { 324 struct blkcipher_walk walk; 325 326 blkcipher_walk_init(&walk, dst, src, nbytes); 327 return cbc_desall_crypt(desc, CPACF_KMC_TDEA_192 | CPACF_DECRYPT, 328 &walk); 329 } 330 331 static struct crypto_alg cbc_des3_alg = { 332 .cra_name = "cbc(des3_ede)", 333 .cra_driver_name = "cbc-des3_ede-s390", 334 .cra_priority = 400, /* combo: des3 + cbc */ 335 .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER, 336 .cra_blocksize = DES_BLOCK_SIZE, 337 .cra_ctxsize = sizeof(struct s390_des_ctx), 338 .cra_type = &crypto_blkcipher_type, 339 .cra_module = THIS_MODULE, 340 .cra_u = { 341 .blkcipher = { 342 .min_keysize = DES3_KEY_SIZE, 343 .max_keysize = DES3_KEY_SIZE, 344 .ivsize = DES_BLOCK_SIZE, 345 .setkey = des3_setkey, 346 .encrypt = cbc_des3_encrypt, 347 .decrypt = cbc_des3_decrypt, 348 } 349 } 350 }; 351 352 static unsigned int __ctrblk_init(u8 *ctrptr, u8 *iv, unsigned int nbytes) 353 { 354 unsigned int i, n; 355 356 /* align to block size, max. PAGE_SIZE */ 357 n = (nbytes > PAGE_SIZE) ? PAGE_SIZE : nbytes & ~(DES_BLOCK_SIZE - 1); 358 memcpy(ctrptr, iv, DES_BLOCK_SIZE); 359 for (i = (n / DES_BLOCK_SIZE) - 1; i > 0; i--) { 360 memcpy(ctrptr + DES_BLOCK_SIZE, ctrptr, DES_BLOCK_SIZE); 361 crypto_inc(ctrptr + DES_BLOCK_SIZE, DES_BLOCK_SIZE); 362 ctrptr += DES_BLOCK_SIZE; 363 } 364 return n; 365 } 366 367 static int ctr_desall_crypt(struct blkcipher_desc *desc, unsigned long fc, 368 struct blkcipher_walk *walk) 369 { 370 struct s390_des_ctx *ctx = crypto_blkcipher_ctx(desc->tfm); 371 u8 buf[DES_BLOCK_SIZE], *ctrptr; 372 unsigned int n, nbytes; 373 int ret, locked; 374 375 locked = mutex_trylock(&ctrblk_lock); 376 377 ret = blkcipher_walk_virt_block(desc, walk, DES_BLOCK_SIZE); 378 while ((nbytes = walk->nbytes) >= DES_BLOCK_SIZE) { 379 n = DES_BLOCK_SIZE; 380 if (nbytes >= 2*DES_BLOCK_SIZE && locked) 381 n = __ctrblk_init(ctrblk, walk->iv, nbytes); 382 ctrptr = (n > DES_BLOCK_SIZE) ? ctrblk : walk->iv; 383 cpacf_kmctr(fc, ctx->key, walk->dst.virt.addr, 384 walk->src.virt.addr, n, ctrptr); 385 if (ctrptr == ctrblk) 386 memcpy(walk->iv, ctrptr + n - DES_BLOCK_SIZE, 387 DES_BLOCK_SIZE); 388 crypto_inc(walk->iv, DES_BLOCK_SIZE); 389 ret = blkcipher_walk_done(desc, walk, nbytes - n); 390 } 391 if (locked) 392 mutex_unlock(&ctrblk_lock); 393 /* final block may be < DES_BLOCK_SIZE, copy only nbytes */ 394 if (nbytes) { 395 cpacf_kmctr(fc, ctx->key, buf, walk->src.virt.addr, 396 DES_BLOCK_SIZE, walk->iv); 397 memcpy(walk->dst.virt.addr, buf, nbytes); 398 crypto_inc(walk->iv, DES_BLOCK_SIZE); 399 ret = blkcipher_walk_done(desc, walk, 0); 400 } 401 return ret; 402 } 403 404 static int ctr_des_encrypt(struct blkcipher_desc *desc, 405 struct scatterlist *dst, struct scatterlist *src, 406 unsigned int nbytes) 407 { 408 struct blkcipher_walk walk; 409 410 blkcipher_walk_init(&walk, dst, src, nbytes); 411 return ctr_desall_crypt(desc, CPACF_KMCTR_DEA, &walk); 412 } 413 414 static int ctr_des_decrypt(struct blkcipher_desc *desc, 415 struct scatterlist *dst, struct scatterlist *src, 416 unsigned int nbytes) 417 { 418 struct blkcipher_walk walk; 419 420 blkcipher_walk_init(&walk, dst, src, nbytes); 421 return ctr_desall_crypt(desc, CPACF_KMCTR_DEA | CPACF_DECRYPT, &walk); 422 } 423 424 static struct crypto_alg ctr_des_alg = { 425 .cra_name = "ctr(des)", 426 .cra_driver_name = "ctr-des-s390", 427 .cra_priority = 400, /* combo: des + ctr */ 428 .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER, 429 .cra_blocksize = 1, 430 .cra_ctxsize = sizeof(struct s390_des_ctx), 431 .cra_type = &crypto_blkcipher_type, 432 .cra_module = THIS_MODULE, 433 .cra_u = { 434 .blkcipher = { 435 .min_keysize = DES_KEY_SIZE, 436 .max_keysize = DES_KEY_SIZE, 437 .ivsize = DES_BLOCK_SIZE, 438 .setkey = des_setkey, 439 .encrypt = ctr_des_encrypt, 440 .decrypt = ctr_des_decrypt, 441 } 442 } 443 }; 444 445 static int ctr_des3_encrypt(struct blkcipher_desc *desc, 446 struct scatterlist *dst, struct scatterlist *src, 447 unsigned int nbytes) 448 { 449 struct blkcipher_walk walk; 450 451 blkcipher_walk_init(&walk, dst, src, nbytes); 452 return ctr_desall_crypt(desc, CPACF_KMCTR_TDEA_192, &walk); 453 } 454 455 static int ctr_des3_decrypt(struct blkcipher_desc *desc, 456 struct scatterlist *dst, struct scatterlist *src, 457 unsigned int nbytes) 458 { 459 struct blkcipher_walk walk; 460 461 blkcipher_walk_init(&walk, dst, src, nbytes); 462 return ctr_desall_crypt(desc, CPACF_KMCTR_TDEA_192 | CPACF_DECRYPT, 463 &walk); 464 } 465 466 static struct crypto_alg ctr_des3_alg = { 467 .cra_name = "ctr(des3_ede)", 468 .cra_driver_name = "ctr-des3_ede-s390", 469 .cra_priority = 400, /* combo: des3 + ede */ 470 .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER, 471 .cra_blocksize = 1, 472 .cra_ctxsize = sizeof(struct s390_des_ctx), 473 .cra_type = &crypto_blkcipher_type, 474 .cra_module = THIS_MODULE, 475 .cra_u = { 476 .blkcipher = { 477 .min_keysize = DES3_KEY_SIZE, 478 .max_keysize = DES3_KEY_SIZE, 479 .ivsize = DES_BLOCK_SIZE, 480 .setkey = des3_setkey, 481 .encrypt = ctr_des3_encrypt, 482 .decrypt = ctr_des3_decrypt, 483 } 484 } 485 }; 486 487 static struct crypto_alg *des_s390_algs_ptr[8]; 488 static int des_s390_algs_num; 489 490 static int des_s390_register_alg(struct crypto_alg *alg) 491 { 492 int ret; 493 494 ret = crypto_register_alg(alg); 495 if (!ret) 496 des_s390_algs_ptr[des_s390_algs_num++] = alg; 497 return ret; 498 } 499 500 static void des_s390_exit(void) 501 { 502 while (des_s390_algs_num--) 503 crypto_unregister_alg(des_s390_algs_ptr[des_s390_algs_num]); 504 if (ctrblk) 505 free_page((unsigned long) ctrblk); 506 } 507 508 static int __init des_s390_init(void) 509 { 510 int ret; 511 512 /* Query available functions for KM, KMC and KMCTR */ 513 cpacf_query(CPACF_KM, &km_functions); 514 cpacf_query(CPACF_KMC, &kmc_functions); 515 cpacf_query(CPACF_KMCTR, &kmctr_functions); 516 517 if (cpacf_test_func(&km_functions, CPACF_KM_DEA)) { 518 ret = des_s390_register_alg(&des_alg); 519 if (ret) 520 goto out_err; 521 ret = des_s390_register_alg(&ecb_des_alg); 522 if (ret) 523 goto out_err; 524 } 525 if (cpacf_test_func(&kmc_functions, CPACF_KMC_DEA)) { 526 ret = des_s390_register_alg(&cbc_des_alg); 527 if (ret) 528 goto out_err; 529 } 530 if (cpacf_test_func(&km_functions, CPACF_KM_TDEA_192)) { 531 ret = des_s390_register_alg(&des3_alg); 532 if (ret) 533 goto out_err; 534 ret = des_s390_register_alg(&ecb_des3_alg); 535 if (ret) 536 goto out_err; 537 } 538 if (cpacf_test_func(&kmc_functions, CPACF_KMC_TDEA_192)) { 539 ret = des_s390_register_alg(&cbc_des3_alg); 540 if (ret) 541 goto out_err; 542 } 543 544 if (cpacf_test_func(&kmctr_functions, CPACF_KMCTR_DEA) || 545 cpacf_test_func(&kmctr_functions, CPACF_KMCTR_TDEA_192)) { 546 ctrblk = (u8 *) __get_free_page(GFP_KERNEL); 547 if (!ctrblk) { 548 ret = -ENOMEM; 549 goto out_err; 550 } 551 } 552 553 if (cpacf_test_func(&kmctr_functions, CPACF_KMCTR_DEA)) { 554 ret = des_s390_register_alg(&ctr_des_alg); 555 if (ret) 556 goto out_err; 557 } 558 if (cpacf_test_func(&kmctr_functions, CPACF_KMCTR_TDEA_192)) { 559 ret = des_s390_register_alg(&ctr_des3_alg); 560 if (ret) 561 goto out_err; 562 } 563 564 return 0; 565 out_err: 566 des_s390_exit(); 567 return ret; 568 } 569 570 module_cpu_feature_match(MSA, des_s390_init); 571 module_exit(des_s390_exit); 572 573 MODULE_ALIAS_CRYPTO("des"); 574 MODULE_ALIAS_CRYPTO("des3_ede"); 575 576 MODULE_LICENSE("GPL"); 577 MODULE_DESCRIPTION("DES & Triple DES EDE Cipher Algorithms"); 578