1 // SPDX-License-Identifier: GPL-2.0+
5 * s390 implementation of the DES Cipher Algorithm.
7 * Copyright IBM Corp. 2003, 2011
8 * Author(s): Thomas Spatzier
9 * Jan Glauber (jan.glauber@de.ibm.com)
12 #include <linux/init.h>
13 #include <linux/module.h>
14 #include <linux/cpufeature.h>
15 #include <linux/crypto.h>
16 #include <linux/fips.h>
17 #include <linux/mutex.h>
18 #include <crypto/algapi.h>
19 #include <crypto/des.h>
20 #include <asm/cpacf.h>
22 #define DES3_KEY_SIZE (3 * DES_KEY_SIZE)
25 static DEFINE_MUTEX(ctrblk_lock);
27 static cpacf_mask_t km_functions, kmc_functions, kmctr_functions;
30 u8 iv[DES_BLOCK_SIZE];
31 u8 key[DES3_KEY_SIZE];
34 static int des_setkey(struct crypto_tfm *tfm, const u8 *key,
37 struct s390_des_ctx *ctx = crypto_tfm_ctx(tfm);
38 u32 tmp[DES_EXPKEY_WORDS];
40 /* check for weak keys */
41 if (!des_ekey(tmp, key) &&
42 (tfm->crt_flags & CRYPTO_TFM_REQ_WEAK_KEY)) {
43 tfm->crt_flags |= CRYPTO_TFM_RES_WEAK_KEY;
47 memcpy(ctx->key, key, key_len);
51 static void des_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
53 struct s390_des_ctx *ctx = crypto_tfm_ctx(tfm);
55 cpacf_km(CPACF_KM_DEA, ctx->key, out, in, DES_BLOCK_SIZE);
58 static void des_decrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
60 struct s390_des_ctx *ctx = crypto_tfm_ctx(tfm);
62 cpacf_km(CPACF_KM_DEA | CPACF_DECRYPT,
63 ctx->key, out, in, DES_BLOCK_SIZE);
66 static struct crypto_alg des_alg = {
68 .cra_driver_name = "des-s390",
70 .cra_flags = CRYPTO_ALG_TYPE_CIPHER,
71 .cra_blocksize = DES_BLOCK_SIZE,
72 .cra_ctxsize = sizeof(struct s390_des_ctx),
73 .cra_module = THIS_MODULE,
76 .cia_min_keysize = DES_KEY_SIZE,
77 .cia_max_keysize = DES_KEY_SIZE,
78 .cia_setkey = des_setkey,
79 .cia_encrypt = des_encrypt,
80 .cia_decrypt = des_decrypt,
85 static int ecb_desall_crypt(struct blkcipher_desc *desc, unsigned long fc,
86 struct blkcipher_walk *walk)
88 struct s390_des_ctx *ctx = crypto_blkcipher_ctx(desc->tfm);
89 unsigned int nbytes, n;
92 ret = blkcipher_walk_virt(desc, walk);
93 while ((nbytes = walk->nbytes) >= DES_BLOCK_SIZE) {
94 /* only use complete blocks */
95 n = nbytes & ~(DES_BLOCK_SIZE - 1);
96 cpacf_km(fc, ctx->key, walk->dst.virt.addr,
97 walk->src.virt.addr, n);
98 ret = blkcipher_walk_done(desc, walk, nbytes - n);
103 static int cbc_desall_crypt(struct blkcipher_desc *desc, unsigned long fc,
104 struct blkcipher_walk *walk)
106 struct s390_des_ctx *ctx = crypto_blkcipher_ctx(desc->tfm);
107 unsigned int nbytes, n;
110 u8 iv[DES_BLOCK_SIZE];
111 u8 key[DES3_KEY_SIZE];
114 ret = blkcipher_walk_virt(desc, walk);
115 memcpy(param.iv, walk->iv, DES_BLOCK_SIZE);
116 memcpy(param.key, ctx->key, DES3_KEY_SIZE);
117 while ((nbytes = walk->nbytes) >= DES_BLOCK_SIZE) {
118 /* only use complete blocks */
119 n = nbytes & ~(DES_BLOCK_SIZE - 1);
120 cpacf_kmc(fc, ¶m, walk->dst.virt.addr,
121 walk->src.virt.addr, n);
122 ret = blkcipher_walk_done(desc, walk, nbytes - n);
124 memcpy(walk->iv, param.iv, DES_BLOCK_SIZE);
128 static int ecb_des_encrypt(struct blkcipher_desc *desc,
129 struct scatterlist *dst, struct scatterlist *src,
132 struct blkcipher_walk walk;
134 blkcipher_walk_init(&walk, dst, src, nbytes);
135 return ecb_desall_crypt(desc, CPACF_KM_DEA, &walk);
138 static int ecb_des_decrypt(struct blkcipher_desc *desc,
139 struct scatterlist *dst, struct scatterlist *src,
142 struct blkcipher_walk walk;
144 blkcipher_walk_init(&walk, dst, src, nbytes);
145 return ecb_desall_crypt(desc, CPACF_KM_DEA | CPACF_DECRYPT, &walk);
148 static struct crypto_alg ecb_des_alg = {
149 .cra_name = "ecb(des)",
150 .cra_driver_name = "ecb-des-s390",
151 .cra_priority = 400, /* combo: des + ecb */
152 .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER,
153 .cra_blocksize = DES_BLOCK_SIZE,
154 .cra_ctxsize = sizeof(struct s390_des_ctx),
155 .cra_type = &crypto_blkcipher_type,
156 .cra_module = THIS_MODULE,
159 .min_keysize = DES_KEY_SIZE,
160 .max_keysize = DES_KEY_SIZE,
161 .setkey = des_setkey,
162 .encrypt = ecb_des_encrypt,
163 .decrypt = ecb_des_decrypt,
168 static int cbc_des_encrypt(struct blkcipher_desc *desc,
169 struct scatterlist *dst, struct scatterlist *src,
172 struct blkcipher_walk walk;
174 blkcipher_walk_init(&walk, dst, src, nbytes);
175 return cbc_desall_crypt(desc, CPACF_KMC_DEA, &walk);
178 static int cbc_des_decrypt(struct blkcipher_desc *desc,
179 struct scatterlist *dst, struct scatterlist *src,
182 struct blkcipher_walk walk;
184 blkcipher_walk_init(&walk, dst, src, nbytes);
185 return cbc_desall_crypt(desc, CPACF_KMC_DEA | CPACF_DECRYPT, &walk);
188 static struct crypto_alg cbc_des_alg = {
189 .cra_name = "cbc(des)",
190 .cra_driver_name = "cbc-des-s390",
191 .cra_priority = 400, /* combo: des + cbc */
192 .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER,
193 .cra_blocksize = DES_BLOCK_SIZE,
194 .cra_ctxsize = sizeof(struct s390_des_ctx),
195 .cra_type = &crypto_blkcipher_type,
196 .cra_module = THIS_MODULE,
199 .min_keysize = DES_KEY_SIZE,
200 .max_keysize = DES_KEY_SIZE,
201 .ivsize = DES_BLOCK_SIZE,
202 .setkey = des_setkey,
203 .encrypt = cbc_des_encrypt,
204 .decrypt = cbc_des_decrypt,
212 * For DES-EDE3, there is no known need to reject weak or
213 * complementation keys. Any weakness is obviated by the use of
216 * However, if the first two or last two independent 64-bit keys are
217 * equal (k1 == k2 or k2 == k3), then the DES3 operation is simply the
218 * same as DES. Implementers MUST reject keys that exhibit this
221 * In fips mode additinally check for all 3 keys are unique.
224 static int des3_setkey(struct crypto_tfm *tfm, const u8 *key,
225 unsigned int key_len)
227 struct s390_des_ctx *ctx = crypto_tfm_ctx(tfm);
229 if (!(crypto_memneq(key, &key[DES_KEY_SIZE], DES_KEY_SIZE) &&
230 crypto_memneq(&key[DES_KEY_SIZE], &key[DES_KEY_SIZE * 2],
232 (tfm->crt_flags & CRYPTO_TFM_REQ_WEAK_KEY)) {
233 tfm->crt_flags |= CRYPTO_TFM_RES_WEAK_KEY;
237 /* in fips mode, ensure k1 != k2 and k2 != k3 and k1 != k3 */
239 !(crypto_memneq(key, &key[DES_KEY_SIZE], DES_KEY_SIZE) &&
240 crypto_memneq(&key[DES_KEY_SIZE], &key[DES_KEY_SIZE * 2],
242 crypto_memneq(key, &key[DES_KEY_SIZE * 2], DES_KEY_SIZE))) {
243 tfm->crt_flags |= CRYPTO_TFM_RES_WEAK_KEY;
247 memcpy(ctx->key, key, key_len);
251 static void des3_encrypt(struct crypto_tfm *tfm, u8 *dst, const u8 *src)
253 struct s390_des_ctx *ctx = crypto_tfm_ctx(tfm);
255 cpacf_km(CPACF_KM_TDEA_192, ctx->key, dst, src, DES_BLOCK_SIZE);
258 static void des3_decrypt(struct crypto_tfm *tfm, u8 *dst, const u8 *src)
260 struct s390_des_ctx *ctx = crypto_tfm_ctx(tfm);
262 cpacf_km(CPACF_KM_TDEA_192 | CPACF_DECRYPT,
263 ctx->key, dst, src, DES_BLOCK_SIZE);
266 static struct crypto_alg des3_alg = {
267 .cra_name = "des3_ede",
268 .cra_driver_name = "des3_ede-s390",
270 .cra_flags = CRYPTO_ALG_TYPE_CIPHER,
271 .cra_blocksize = DES_BLOCK_SIZE,
272 .cra_ctxsize = sizeof(struct s390_des_ctx),
273 .cra_module = THIS_MODULE,
276 .cia_min_keysize = DES3_KEY_SIZE,
277 .cia_max_keysize = DES3_KEY_SIZE,
278 .cia_setkey = des3_setkey,
279 .cia_encrypt = des3_encrypt,
280 .cia_decrypt = des3_decrypt,
285 static int ecb_des3_encrypt(struct blkcipher_desc *desc,
286 struct scatterlist *dst, struct scatterlist *src,
289 struct blkcipher_walk walk;
291 blkcipher_walk_init(&walk, dst, src, nbytes);
292 return ecb_desall_crypt(desc, CPACF_KM_TDEA_192, &walk);
295 static int ecb_des3_decrypt(struct blkcipher_desc *desc,
296 struct scatterlist *dst, struct scatterlist *src,
299 struct blkcipher_walk walk;
301 blkcipher_walk_init(&walk, dst, src, nbytes);
302 return ecb_desall_crypt(desc, CPACF_KM_TDEA_192 | CPACF_DECRYPT,
306 static struct crypto_alg ecb_des3_alg = {
307 .cra_name = "ecb(des3_ede)",
308 .cra_driver_name = "ecb-des3_ede-s390",
309 .cra_priority = 400, /* combo: des3 + ecb */
310 .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER,
311 .cra_blocksize = DES_BLOCK_SIZE,
312 .cra_ctxsize = sizeof(struct s390_des_ctx),
313 .cra_type = &crypto_blkcipher_type,
314 .cra_module = THIS_MODULE,
317 .min_keysize = DES3_KEY_SIZE,
318 .max_keysize = DES3_KEY_SIZE,
319 .setkey = des3_setkey,
320 .encrypt = ecb_des3_encrypt,
321 .decrypt = ecb_des3_decrypt,
326 static int cbc_des3_encrypt(struct blkcipher_desc *desc,
327 struct scatterlist *dst, struct scatterlist *src,
330 struct blkcipher_walk walk;
332 blkcipher_walk_init(&walk, dst, src, nbytes);
333 return cbc_desall_crypt(desc, CPACF_KMC_TDEA_192, &walk);
336 static int cbc_des3_decrypt(struct blkcipher_desc *desc,
337 struct scatterlist *dst, struct scatterlist *src,
340 struct blkcipher_walk walk;
342 blkcipher_walk_init(&walk, dst, src, nbytes);
343 return cbc_desall_crypt(desc, CPACF_KMC_TDEA_192 | CPACF_DECRYPT,
347 static struct crypto_alg cbc_des3_alg = {
348 .cra_name = "cbc(des3_ede)",
349 .cra_driver_name = "cbc-des3_ede-s390",
350 .cra_priority = 400, /* combo: des3 + cbc */
351 .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER,
352 .cra_blocksize = DES_BLOCK_SIZE,
353 .cra_ctxsize = sizeof(struct s390_des_ctx),
354 .cra_type = &crypto_blkcipher_type,
355 .cra_module = THIS_MODULE,
358 .min_keysize = DES3_KEY_SIZE,
359 .max_keysize = DES3_KEY_SIZE,
360 .ivsize = DES_BLOCK_SIZE,
361 .setkey = des3_setkey,
362 .encrypt = cbc_des3_encrypt,
363 .decrypt = cbc_des3_decrypt,
368 static unsigned int __ctrblk_init(u8 *ctrptr, u8 *iv, unsigned int nbytes)
372 /* align to block size, max. PAGE_SIZE */
373 n = (nbytes > PAGE_SIZE) ? PAGE_SIZE : nbytes & ~(DES_BLOCK_SIZE - 1);
374 memcpy(ctrptr, iv, DES_BLOCK_SIZE);
375 for (i = (n / DES_BLOCK_SIZE) - 1; i > 0; i--) {
376 memcpy(ctrptr + DES_BLOCK_SIZE, ctrptr, DES_BLOCK_SIZE);
377 crypto_inc(ctrptr + DES_BLOCK_SIZE, DES_BLOCK_SIZE);
378 ctrptr += DES_BLOCK_SIZE;
383 static int ctr_desall_crypt(struct blkcipher_desc *desc, unsigned long fc,
384 struct blkcipher_walk *walk)
386 struct s390_des_ctx *ctx = crypto_blkcipher_ctx(desc->tfm);
387 u8 buf[DES_BLOCK_SIZE], *ctrptr;
388 unsigned int n, nbytes;
391 locked = mutex_trylock(&ctrblk_lock);
393 ret = blkcipher_walk_virt_block(desc, walk, DES_BLOCK_SIZE);
394 while ((nbytes = walk->nbytes) >= DES_BLOCK_SIZE) {
396 if (nbytes >= 2*DES_BLOCK_SIZE && locked)
397 n = __ctrblk_init(ctrblk, walk->iv, nbytes);
398 ctrptr = (n > DES_BLOCK_SIZE) ? ctrblk : walk->iv;
399 cpacf_kmctr(fc, ctx->key, walk->dst.virt.addr,
400 walk->src.virt.addr, n, ctrptr);
401 if (ctrptr == ctrblk)
402 memcpy(walk->iv, ctrptr + n - DES_BLOCK_SIZE,
404 crypto_inc(walk->iv, DES_BLOCK_SIZE);
405 ret = blkcipher_walk_done(desc, walk, nbytes - n);
408 mutex_unlock(&ctrblk_lock);
409 /* final block may be < DES_BLOCK_SIZE, copy only nbytes */
411 cpacf_kmctr(fc, ctx->key, buf, walk->src.virt.addr,
412 DES_BLOCK_SIZE, walk->iv);
413 memcpy(walk->dst.virt.addr, buf, nbytes);
414 crypto_inc(walk->iv, DES_BLOCK_SIZE);
415 ret = blkcipher_walk_done(desc, walk, 0);
420 static int ctr_des_encrypt(struct blkcipher_desc *desc,
421 struct scatterlist *dst, struct scatterlist *src,
424 struct blkcipher_walk walk;
426 blkcipher_walk_init(&walk, dst, src, nbytes);
427 return ctr_desall_crypt(desc, CPACF_KMCTR_DEA, &walk);
430 static int ctr_des_decrypt(struct blkcipher_desc *desc,
431 struct scatterlist *dst, struct scatterlist *src,
434 struct blkcipher_walk walk;
436 blkcipher_walk_init(&walk, dst, src, nbytes);
437 return ctr_desall_crypt(desc, CPACF_KMCTR_DEA | CPACF_DECRYPT, &walk);
440 static struct crypto_alg ctr_des_alg = {
441 .cra_name = "ctr(des)",
442 .cra_driver_name = "ctr-des-s390",
443 .cra_priority = 400, /* combo: des + ctr */
444 .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER,
446 .cra_ctxsize = sizeof(struct s390_des_ctx),
447 .cra_type = &crypto_blkcipher_type,
448 .cra_module = THIS_MODULE,
451 .min_keysize = DES_KEY_SIZE,
452 .max_keysize = DES_KEY_SIZE,
453 .ivsize = DES_BLOCK_SIZE,
454 .setkey = des_setkey,
455 .encrypt = ctr_des_encrypt,
456 .decrypt = ctr_des_decrypt,
461 static int ctr_des3_encrypt(struct blkcipher_desc *desc,
462 struct scatterlist *dst, struct scatterlist *src,
465 struct blkcipher_walk walk;
467 blkcipher_walk_init(&walk, dst, src, nbytes);
468 return ctr_desall_crypt(desc, CPACF_KMCTR_TDEA_192, &walk);
471 static int ctr_des3_decrypt(struct blkcipher_desc *desc,
472 struct scatterlist *dst, struct scatterlist *src,
475 struct blkcipher_walk walk;
477 blkcipher_walk_init(&walk, dst, src, nbytes);
478 return ctr_desall_crypt(desc, CPACF_KMCTR_TDEA_192 | CPACF_DECRYPT,
482 static struct crypto_alg ctr_des3_alg = {
483 .cra_name = "ctr(des3_ede)",
484 .cra_driver_name = "ctr-des3_ede-s390",
485 .cra_priority = 400, /* combo: des3 + ede */
486 .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER,
488 .cra_ctxsize = sizeof(struct s390_des_ctx),
489 .cra_type = &crypto_blkcipher_type,
490 .cra_module = THIS_MODULE,
493 .min_keysize = DES3_KEY_SIZE,
494 .max_keysize = DES3_KEY_SIZE,
495 .ivsize = DES_BLOCK_SIZE,
496 .setkey = des3_setkey,
497 .encrypt = ctr_des3_encrypt,
498 .decrypt = ctr_des3_decrypt,
503 static struct crypto_alg *des_s390_algs_ptr[8];
504 static int des_s390_algs_num;
506 static int des_s390_register_alg(struct crypto_alg *alg)
510 ret = crypto_register_alg(alg);
512 des_s390_algs_ptr[des_s390_algs_num++] = alg;
516 static void des_s390_exit(void)
518 while (des_s390_algs_num--)
519 crypto_unregister_alg(des_s390_algs_ptr[des_s390_algs_num]);
521 free_page((unsigned long) ctrblk);
524 static int __init des_s390_init(void)
528 /* Query available functions for KM, KMC and KMCTR */
529 cpacf_query(CPACF_KM, &km_functions);
530 cpacf_query(CPACF_KMC, &kmc_functions);
531 cpacf_query(CPACF_KMCTR, &kmctr_functions);
533 if (cpacf_test_func(&km_functions, CPACF_KM_DEA)) {
534 ret = des_s390_register_alg(&des_alg);
537 ret = des_s390_register_alg(&ecb_des_alg);
541 if (cpacf_test_func(&kmc_functions, CPACF_KMC_DEA)) {
542 ret = des_s390_register_alg(&cbc_des_alg);
546 if (cpacf_test_func(&km_functions, CPACF_KM_TDEA_192)) {
547 ret = des_s390_register_alg(&des3_alg);
550 ret = des_s390_register_alg(&ecb_des3_alg);
554 if (cpacf_test_func(&kmc_functions, CPACF_KMC_TDEA_192)) {
555 ret = des_s390_register_alg(&cbc_des3_alg);
560 if (cpacf_test_func(&kmctr_functions, CPACF_KMCTR_DEA) ||
561 cpacf_test_func(&kmctr_functions, CPACF_KMCTR_TDEA_192)) {
562 ctrblk = (u8 *) __get_free_page(GFP_KERNEL);
569 if (cpacf_test_func(&kmctr_functions, CPACF_KMCTR_DEA)) {
570 ret = des_s390_register_alg(&ctr_des_alg);
574 if (cpacf_test_func(&kmctr_functions, CPACF_KMCTR_TDEA_192)) {
575 ret = des_s390_register_alg(&ctr_des3_alg);
586 module_cpu_feature_match(MSA, des_s390_init);
587 module_exit(des_s390_exit);
589 MODULE_ALIAS_CRYPTO("des");
590 MODULE_ALIAS_CRYPTO("des3_ede");
592 MODULE_LICENSE("GPL");
593 MODULE_DESCRIPTION("DES & Triple DES EDE Cipher Algorithms");