1 | // SPDX-License-Identifier: GPL-2.0+ |
2 | /* |
3 | * Cryptographic API. |
4 | * |
5 | * s390 implementation of the DES Cipher Algorithm. |
6 | * |
7 | * Copyright IBM Corp. 2003, 2011 |
8 | * Author(s): Thomas Spatzier |
9 | * Jan Glauber (jan.glauber@de.ibm.com) |
10 | */ |
11 | |
12 | #include <linux/init.h> |
13 | #include <linux/module.h> |
14 | #include <linux/cpufeature.h> |
15 | #include <linux/crypto.h> |
16 | #include <linux/fips.h> |
17 | #include <linux/mutex.h> |
18 | #include <crypto/algapi.h> |
19 | #include <crypto/internal/des.h> |
20 | #include <crypto/internal/skcipher.h> |
21 | #include <asm/cpacf.h> |
22 | |
23 | #define DES3_KEY_SIZE (3 * DES_KEY_SIZE) |
24 | |
25 | static u8 *ctrblk; |
26 | static DEFINE_MUTEX(ctrblk_lock); |
27 | |
28 | static cpacf_mask_t km_functions, kmc_functions, kmctr_functions; |
29 | |
30 | struct s390_des_ctx { |
31 | u8 iv[DES_BLOCK_SIZE]; |
32 | u8 key[DES3_KEY_SIZE]; |
33 | }; |
34 | |
35 | static int des_setkey(struct crypto_tfm *tfm, const u8 *key, |
36 | unsigned int key_len) |
37 | { |
38 | struct s390_des_ctx *ctx = crypto_tfm_ctx(tfm); |
39 | int err; |
40 | |
41 | err = crypto_des_verify_key(tfm, key); |
42 | if (err) |
43 | return err; |
44 | |
45 | memcpy(ctx->key, key, key_len); |
46 | return 0; |
47 | } |
48 | |
49 | static int des_setkey_skcipher(struct crypto_skcipher *tfm, const u8 *key, |
50 | unsigned int key_len) |
51 | { |
52 | return des_setkey(tfm: crypto_skcipher_tfm(tfm), key, key_len); |
53 | } |
54 | |
55 | static void s390_des_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in) |
56 | { |
57 | struct s390_des_ctx *ctx = crypto_tfm_ctx(tfm); |
58 | |
59 | cpacf_km(CPACF_KM_DEA, ctx->key, out, in, DES_BLOCK_SIZE); |
60 | } |
61 | |
62 | static void s390_des_decrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in) |
63 | { |
64 | struct s390_des_ctx *ctx = crypto_tfm_ctx(tfm); |
65 | |
66 | cpacf_km(CPACF_KM_DEA | CPACF_DECRYPT, |
67 | ctx->key, out, in, DES_BLOCK_SIZE); |
68 | } |
69 | |
70 | static struct crypto_alg des_alg = { |
71 | .cra_name = "des" , |
72 | .cra_driver_name = "des-s390" , |
73 | .cra_priority = 300, |
74 | .cra_flags = CRYPTO_ALG_TYPE_CIPHER, |
75 | .cra_blocksize = DES_BLOCK_SIZE, |
76 | .cra_ctxsize = sizeof(struct s390_des_ctx), |
77 | .cra_module = THIS_MODULE, |
78 | .cra_u = { |
79 | .cipher = { |
80 | .cia_min_keysize = DES_KEY_SIZE, |
81 | .cia_max_keysize = DES_KEY_SIZE, |
82 | .cia_setkey = des_setkey, |
83 | .cia_encrypt = s390_des_encrypt, |
84 | .cia_decrypt = s390_des_decrypt, |
85 | } |
86 | } |
87 | }; |
88 | |
89 | static int ecb_desall_crypt(struct skcipher_request *req, unsigned long fc) |
90 | { |
91 | struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); |
92 | struct s390_des_ctx *ctx = crypto_skcipher_ctx(tfm); |
93 | struct skcipher_walk walk; |
94 | unsigned int nbytes, n; |
95 | int ret; |
96 | |
97 | ret = skcipher_walk_virt(walk: &walk, req, atomic: false); |
98 | while ((nbytes = walk.nbytes) != 0) { |
99 | /* only use complete blocks */ |
100 | n = nbytes & ~(DES_BLOCK_SIZE - 1); |
101 | cpacf_km(fc, ctx->key, walk.dst.virt.addr, |
102 | walk.src.virt.addr, n); |
103 | ret = skcipher_walk_done(walk: &walk, err: nbytes - n); |
104 | } |
105 | return ret; |
106 | } |
107 | |
108 | static int cbc_desall_crypt(struct skcipher_request *req, unsigned long fc) |
109 | { |
110 | struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); |
111 | struct s390_des_ctx *ctx = crypto_skcipher_ctx(tfm); |
112 | struct skcipher_walk walk; |
113 | unsigned int nbytes, n; |
114 | int ret; |
115 | struct { |
116 | u8 iv[DES_BLOCK_SIZE]; |
117 | u8 key[DES3_KEY_SIZE]; |
118 | } param; |
119 | |
120 | ret = skcipher_walk_virt(walk: &walk, req, atomic: false); |
121 | if (ret) |
122 | return ret; |
123 | memcpy(param.iv, walk.iv, DES_BLOCK_SIZE); |
124 | memcpy(param.key, ctx->key, DES3_KEY_SIZE); |
125 | while ((nbytes = walk.nbytes) != 0) { |
126 | /* only use complete blocks */ |
127 | n = nbytes & ~(DES_BLOCK_SIZE - 1); |
128 | cpacf_kmc(fc, ¶m, walk.dst.virt.addr, |
129 | walk.src.virt.addr, n); |
130 | memcpy(walk.iv, param.iv, DES_BLOCK_SIZE); |
131 | ret = skcipher_walk_done(walk: &walk, err: nbytes - n); |
132 | } |
133 | return ret; |
134 | } |
135 | |
136 | static int ecb_des_encrypt(struct skcipher_request *req) |
137 | { |
138 | return ecb_desall_crypt(req, fc: CPACF_KM_DEA); |
139 | } |
140 | |
141 | static int ecb_des_decrypt(struct skcipher_request *req) |
142 | { |
143 | return ecb_desall_crypt(req, fc: CPACF_KM_DEA | CPACF_DECRYPT); |
144 | } |
145 | |
146 | static struct skcipher_alg ecb_des_alg = { |
147 | .base.cra_name = "ecb(des)" , |
148 | .base.cra_driver_name = "ecb-des-s390" , |
149 | .base.cra_priority = 400, /* combo: des + ecb */ |
150 | .base.cra_blocksize = DES_BLOCK_SIZE, |
151 | .base.cra_ctxsize = sizeof(struct s390_des_ctx), |
152 | .base.cra_module = THIS_MODULE, |
153 | .min_keysize = DES_KEY_SIZE, |
154 | .max_keysize = DES_KEY_SIZE, |
155 | .setkey = des_setkey_skcipher, |
156 | .encrypt = ecb_des_encrypt, |
157 | .decrypt = ecb_des_decrypt, |
158 | }; |
159 | |
160 | static int cbc_des_encrypt(struct skcipher_request *req) |
161 | { |
162 | return cbc_desall_crypt(req, fc: CPACF_KMC_DEA); |
163 | } |
164 | |
165 | static int cbc_des_decrypt(struct skcipher_request *req) |
166 | { |
167 | return cbc_desall_crypt(req, fc: CPACF_KMC_DEA | CPACF_DECRYPT); |
168 | } |
169 | |
170 | static struct skcipher_alg cbc_des_alg = { |
171 | .base.cra_name = "cbc(des)" , |
172 | .base.cra_driver_name = "cbc-des-s390" , |
173 | .base.cra_priority = 400, /* combo: des + cbc */ |
174 | .base.cra_blocksize = DES_BLOCK_SIZE, |
175 | .base.cra_ctxsize = sizeof(struct s390_des_ctx), |
176 | .base.cra_module = THIS_MODULE, |
177 | .min_keysize = DES_KEY_SIZE, |
178 | .max_keysize = DES_KEY_SIZE, |
179 | .ivsize = DES_BLOCK_SIZE, |
180 | .setkey = des_setkey_skcipher, |
181 | .encrypt = cbc_des_encrypt, |
182 | .decrypt = cbc_des_decrypt, |
183 | }; |
184 | |
185 | /* |
186 | * RFC2451: |
187 | * |
188 | * For DES-EDE3, there is no known need to reject weak or |
189 | * complementation keys. Any weakness is obviated by the use of |
190 | * multiple keys. |
191 | * |
192 | * However, if the first two or last two independent 64-bit keys are |
193 | * equal (k1 == k2 or k2 == k3), then the DES3 operation is simply the |
194 | * same as DES. Implementers MUST reject keys that exhibit this |
195 | * property. |
196 | * |
197 | * In fips mode additionally check for all 3 keys are unique. |
198 | * |
199 | */ |
200 | static int des3_setkey(struct crypto_tfm *tfm, const u8 *key, |
201 | unsigned int key_len) |
202 | { |
203 | struct s390_des_ctx *ctx = crypto_tfm_ctx(tfm); |
204 | int err; |
205 | |
206 | err = crypto_des3_ede_verify_key(tfm, key); |
207 | if (err) |
208 | return err; |
209 | |
210 | memcpy(ctx->key, key, key_len); |
211 | return 0; |
212 | } |
213 | |
214 | static int des3_setkey_skcipher(struct crypto_skcipher *tfm, const u8 *key, |
215 | unsigned int key_len) |
216 | { |
217 | return des3_setkey(tfm: crypto_skcipher_tfm(tfm), key, key_len); |
218 | } |
219 | |
220 | static void des3_encrypt(struct crypto_tfm *tfm, u8 *dst, const u8 *src) |
221 | { |
222 | struct s390_des_ctx *ctx = crypto_tfm_ctx(tfm); |
223 | |
224 | cpacf_km(CPACF_KM_TDEA_192, ctx->key, dst, src, DES_BLOCK_SIZE); |
225 | } |
226 | |
227 | static void des3_decrypt(struct crypto_tfm *tfm, u8 *dst, const u8 *src) |
228 | { |
229 | struct s390_des_ctx *ctx = crypto_tfm_ctx(tfm); |
230 | |
231 | cpacf_km(CPACF_KM_TDEA_192 | CPACF_DECRYPT, |
232 | ctx->key, dst, src, DES_BLOCK_SIZE); |
233 | } |
234 | |
235 | static struct crypto_alg des3_alg = { |
236 | .cra_name = "des3_ede" , |
237 | .cra_driver_name = "des3_ede-s390" , |
238 | .cra_priority = 300, |
239 | .cra_flags = CRYPTO_ALG_TYPE_CIPHER, |
240 | .cra_blocksize = DES_BLOCK_SIZE, |
241 | .cra_ctxsize = sizeof(struct s390_des_ctx), |
242 | .cra_module = THIS_MODULE, |
243 | .cra_u = { |
244 | .cipher = { |
245 | .cia_min_keysize = DES3_KEY_SIZE, |
246 | .cia_max_keysize = DES3_KEY_SIZE, |
247 | .cia_setkey = des3_setkey, |
248 | .cia_encrypt = des3_encrypt, |
249 | .cia_decrypt = des3_decrypt, |
250 | } |
251 | } |
252 | }; |
253 | |
254 | static int ecb_des3_encrypt(struct skcipher_request *req) |
255 | { |
256 | return ecb_desall_crypt(req, fc: CPACF_KM_TDEA_192); |
257 | } |
258 | |
259 | static int ecb_des3_decrypt(struct skcipher_request *req) |
260 | { |
261 | return ecb_desall_crypt(req, fc: CPACF_KM_TDEA_192 | CPACF_DECRYPT); |
262 | } |
263 | |
264 | static struct skcipher_alg ecb_des3_alg = { |
265 | .base.cra_name = "ecb(des3_ede)" , |
266 | .base.cra_driver_name = "ecb-des3_ede-s390" , |
267 | .base.cra_priority = 400, /* combo: des3 + ecb */ |
268 | .base.cra_blocksize = DES_BLOCK_SIZE, |
269 | .base.cra_ctxsize = sizeof(struct s390_des_ctx), |
270 | .base.cra_module = THIS_MODULE, |
271 | .min_keysize = DES3_KEY_SIZE, |
272 | .max_keysize = DES3_KEY_SIZE, |
273 | .setkey = des3_setkey_skcipher, |
274 | .encrypt = ecb_des3_encrypt, |
275 | .decrypt = ecb_des3_decrypt, |
276 | }; |
277 | |
278 | static int cbc_des3_encrypt(struct skcipher_request *req) |
279 | { |
280 | return cbc_desall_crypt(req, fc: CPACF_KMC_TDEA_192); |
281 | } |
282 | |
283 | static int cbc_des3_decrypt(struct skcipher_request *req) |
284 | { |
285 | return cbc_desall_crypt(req, fc: CPACF_KMC_TDEA_192 | CPACF_DECRYPT); |
286 | } |
287 | |
288 | static struct skcipher_alg cbc_des3_alg = { |
289 | .base.cra_name = "cbc(des3_ede)" , |
290 | .base.cra_driver_name = "cbc-des3_ede-s390" , |
291 | .base.cra_priority = 400, /* combo: des3 + cbc */ |
292 | .base.cra_blocksize = DES_BLOCK_SIZE, |
293 | .base.cra_ctxsize = sizeof(struct s390_des_ctx), |
294 | .base.cra_module = THIS_MODULE, |
295 | .min_keysize = DES3_KEY_SIZE, |
296 | .max_keysize = DES3_KEY_SIZE, |
297 | .ivsize = DES_BLOCK_SIZE, |
298 | .setkey = des3_setkey_skcipher, |
299 | .encrypt = cbc_des3_encrypt, |
300 | .decrypt = cbc_des3_decrypt, |
301 | }; |
302 | |
303 | static unsigned int __ctrblk_init(u8 *ctrptr, u8 *iv, unsigned int nbytes) |
304 | { |
305 | unsigned int i, n; |
306 | |
307 | /* align to block size, max. PAGE_SIZE */ |
308 | n = (nbytes > PAGE_SIZE) ? PAGE_SIZE : nbytes & ~(DES_BLOCK_SIZE - 1); |
309 | memcpy(ctrptr, iv, DES_BLOCK_SIZE); |
310 | for (i = (n / DES_BLOCK_SIZE) - 1; i > 0; i--) { |
311 | memcpy(ctrptr + DES_BLOCK_SIZE, ctrptr, DES_BLOCK_SIZE); |
312 | crypto_inc(a: ctrptr + DES_BLOCK_SIZE, DES_BLOCK_SIZE); |
313 | ctrptr += DES_BLOCK_SIZE; |
314 | } |
315 | return n; |
316 | } |
317 | |
318 | static int ctr_desall_crypt(struct skcipher_request *req, unsigned long fc) |
319 | { |
320 | struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); |
321 | struct s390_des_ctx *ctx = crypto_skcipher_ctx(tfm); |
322 | u8 buf[DES_BLOCK_SIZE], *ctrptr; |
323 | struct skcipher_walk walk; |
324 | unsigned int n, nbytes; |
325 | int ret, locked; |
326 | |
327 | locked = mutex_trylock(lock: &ctrblk_lock); |
328 | |
329 | ret = skcipher_walk_virt(walk: &walk, req, atomic: false); |
330 | while ((nbytes = walk.nbytes) >= DES_BLOCK_SIZE) { |
331 | n = DES_BLOCK_SIZE; |
332 | if (nbytes >= 2*DES_BLOCK_SIZE && locked) |
333 | n = __ctrblk_init(ctrptr: ctrblk, iv: walk.iv, nbytes); |
334 | ctrptr = (n > DES_BLOCK_SIZE) ? ctrblk : walk.iv; |
335 | cpacf_kmctr(fc, ctx->key, walk.dst.virt.addr, |
336 | walk.src.virt.addr, n, ctrptr); |
337 | if (ctrptr == ctrblk) |
338 | memcpy(walk.iv, ctrptr + n - DES_BLOCK_SIZE, |
339 | DES_BLOCK_SIZE); |
340 | crypto_inc(a: walk.iv, DES_BLOCK_SIZE); |
341 | ret = skcipher_walk_done(walk: &walk, err: nbytes - n); |
342 | } |
343 | if (locked) |
344 | mutex_unlock(lock: &ctrblk_lock); |
345 | /* final block may be < DES_BLOCK_SIZE, copy only nbytes */ |
346 | if (nbytes) { |
347 | cpacf_kmctr(fc, ctx->key, buf, walk.src.virt.addr, |
348 | DES_BLOCK_SIZE, walk.iv); |
349 | memcpy(walk.dst.virt.addr, buf, nbytes); |
350 | crypto_inc(a: walk.iv, DES_BLOCK_SIZE); |
351 | ret = skcipher_walk_done(walk: &walk, err: 0); |
352 | } |
353 | return ret; |
354 | } |
355 | |
356 | static int ctr_des_crypt(struct skcipher_request *req) |
357 | { |
358 | return ctr_desall_crypt(req, fc: CPACF_KMCTR_DEA); |
359 | } |
360 | |
361 | static struct skcipher_alg ctr_des_alg = { |
362 | .base.cra_name = "ctr(des)" , |
363 | .base.cra_driver_name = "ctr-des-s390" , |
364 | .base.cra_priority = 400, /* combo: des + ctr */ |
365 | .base.cra_blocksize = 1, |
366 | .base.cra_ctxsize = sizeof(struct s390_des_ctx), |
367 | .base.cra_module = THIS_MODULE, |
368 | .min_keysize = DES_KEY_SIZE, |
369 | .max_keysize = DES_KEY_SIZE, |
370 | .ivsize = DES_BLOCK_SIZE, |
371 | .setkey = des_setkey_skcipher, |
372 | .encrypt = ctr_des_crypt, |
373 | .decrypt = ctr_des_crypt, |
374 | .chunksize = DES_BLOCK_SIZE, |
375 | }; |
376 | |
377 | static int ctr_des3_crypt(struct skcipher_request *req) |
378 | { |
379 | return ctr_desall_crypt(req, fc: CPACF_KMCTR_TDEA_192); |
380 | } |
381 | |
382 | static struct skcipher_alg ctr_des3_alg = { |
383 | .base.cra_name = "ctr(des3_ede)" , |
384 | .base.cra_driver_name = "ctr-des3_ede-s390" , |
385 | .base.cra_priority = 400, /* combo: des3 + ede */ |
386 | .base.cra_blocksize = 1, |
387 | .base.cra_ctxsize = sizeof(struct s390_des_ctx), |
388 | .base.cra_module = THIS_MODULE, |
389 | .min_keysize = DES3_KEY_SIZE, |
390 | .max_keysize = DES3_KEY_SIZE, |
391 | .ivsize = DES_BLOCK_SIZE, |
392 | .setkey = des3_setkey_skcipher, |
393 | .encrypt = ctr_des3_crypt, |
394 | .decrypt = ctr_des3_crypt, |
395 | .chunksize = DES_BLOCK_SIZE, |
396 | }; |
397 | |
398 | static struct crypto_alg *des_s390_algs_ptr[2]; |
399 | static int des_s390_algs_num; |
400 | static struct skcipher_alg *des_s390_skciphers_ptr[6]; |
401 | static int des_s390_skciphers_num; |
402 | |
403 | static int des_s390_register_alg(struct crypto_alg *alg) |
404 | { |
405 | int ret; |
406 | |
407 | ret = crypto_register_alg(alg); |
408 | if (!ret) |
409 | des_s390_algs_ptr[des_s390_algs_num++] = alg; |
410 | return ret; |
411 | } |
412 | |
413 | static int des_s390_register_skcipher(struct skcipher_alg *alg) |
414 | { |
415 | int ret; |
416 | |
417 | ret = crypto_register_skcipher(alg); |
418 | if (!ret) |
419 | des_s390_skciphers_ptr[des_s390_skciphers_num++] = alg; |
420 | return ret; |
421 | } |
422 | |
423 | static void des_s390_exit(void) |
424 | { |
425 | while (des_s390_algs_num--) |
426 | crypto_unregister_alg(alg: des_s390_algs_ptr[des_s390_algs_num]); |
427 | while (des_s390_skciphers_num--) |
428 | crypto_unregister_skcipher(alg: des_s390_skciphers_ptr[des_s390_skciphers_num]); |
429 | if (ctrblk) |
430 | free_page((unsigned long) ctrblk); |
431 | } |
432 | |
433 | static int __init des_s390_init(void) |
434 | { |
435 | int ret; |
436 | |
437 | /* Query available functions for KM, KMC and KMCTR */ |
438 | cpacf_query(CPACF_KM, &km_functions); |
439 | cpacf_query(CPACF_KMC, &kmc_functions); |
440 | cpacf_query(CPACF_KMCTR, &kmctr_functions); |
441 | |
442 | if (cpacf_test_func(&km_functions, CPACF_KM_DEA)) { |
443 | ret = des_s390_register_alg(alg: &des_alg); |
444 | if (ret) |
445 | goto out_err; |
446 | ret = des_s390_register_skcipher(alg: &ecb_des_alg); |
447 | if (ret) |
448 | goto out_err; |
449 | } |
450 | if (cpacf_test_func(&kmc_functions, CPACF_KMC_DEA)) { |
451 | ret = des_s390_register_skcipher(alg: &cbc_des_alg); |
452 | if (ret) |
453 | goto out_err; |
454 | } |
455 | if (cpacf_test_func(&km_functions, CPACF_KM_TDEA_192)) { |
456 | ret = des_s390_register_alg(alg: &des3_alg); |
457 | if (ret) |
458 | goto out_err; |
459 | ret = des_s390_register_skcipher(alg: &ecb_des3_alg); |
460 | if (ret) |
461 | goto out_err; |
462 | } |
463 | if (cpacf_test_func(&kmc_functions, CPACF_KMC_TDEA_192)) { |
464 | ret = des_s390_register_skcipher(alg: &cbc_des3_alg); |
465 | if (ret) |
466 | goto out_err; |
467 | } |
468 | |
469 | if (cpacf_test_func(&kmctr_functions, CPACF_KMCTR_DEA) || |
470 | cpacf_test_func(&kmctr_functions, CPACF_KMCTR_TDEA_192)) { |
471 | ctrblk = (u8 *) __get_free_page(GFP_KERNEL); |
472 | if (!ctrblk) { |
473 | ret = -ENOMEM; |
474 | goto out_err; |
475 | } |
476 | } |
477 | |
478 | if (cpacf_test_func(&kmctr_functions, CPACF_KMCTR_DEA)) { |
479 | ret = des_s390_register_skcipher(alg: &ctr_des_alg); |
480 | if (ret) |
481 | goto out_err; |
482 | } |
483 | if (cpacf_test_func(&kmctr_functions, CPACF_KMCTR_TDEA_192)) { |
484 | ret = des_s390_register_skcipher(alg: &ctr_des3_alg); |
485 | if (ret) |
486 | goto out_err; |
487 | } |
488 | |
489 | return 0; |
490 | out_err: |
491 | des_s390_exit(); |
492 | return ret; |
493 | } |
494 | |
495 | module_cpu_feature_match(S390_CPU_FEATURE_MSA, des_s390_init); |
496 | module_exit(des_s390_exit); |
497 | |
498 | MODULE_ALIAS_CRYPTO("des" ); |
499 | MODULE_ALIAS_CRYPTO("des3_ede" ); |
500 | |
501 | MODULE_LICENSE("GPL" ); |
502 | MODULE_DESCRIPTION("DES & Triple DES EDE Cipher Algorithms" ); |
503 | |