1 // SPDX-License-Identifier: GPL-2.0+
5 * s390 implementation of the DES Cipher Algorithm.
7 * Copyright IBM Corp. 2003, 2011
8 * Author(s): Thomas Spatzier
9 * Jan Glauber (jan.glauber@de.ibm.com)
12 #include <linux/init.h>
13 #include <linux/module.h>
14 #include <linux/cpufeature.h>
15 #include <linux/crypto.h>
16 #include <linux/fips.h>
17 #include <linux/mutex.h>
18 #include <crypto/algapi.h>
19 #include <crypto/internal/des.h>
20 #include <asm/cpacf.h>
22 #define DES3_KEY_SIZE (3 * DES_KEY_SIZE)
25 static DEFINE_MUTEX(ctrblk_lock);
27 static cpacf_mask_t km_functions, kmc_functions, kmctr_functions;
30 u8 iv[DES_BLOCK_SIZE];
31 u8 key[DES3_KEY_SIZE];
34 static int des_setkey(struct crypto_tfm *tfm, const u8 *key,
37 struct s390_des_ctx *ctx = crypto_tfm_ctx(tfm);
40 err = crypto_des_verify_key(tfm, key);
44 memcpy(ctx->key, key, key_len);
48 static void s390_des_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
50 struct s390_des_ctx *ctx = crypto_tfm_ctx(tfm);
52 cpacf_km(CPACF_KM_DEA, ctx->key, out, in, DES_BLOCK_SIZE);
55 static void s390_des_decrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
57 struct s390_des_ctx *ctx = crypto_tfm_ctx(tfm);
59 cpacf_km(CPACF_KM_DEA | CPACF_DECRYPT,
60 ctx->key, out, in, DES_BLOCK_SIZE);
63 static struct crypto_alg des_alg = {
65 .cra_driver_name = "des-s390",
67 .cra_flags = CRYPTO_ALG_TYPE_CIPHER,
68 .cra_blocksize = DES_BLOCK_SIZE,
69 .cra_ctxsize = sizeof(struct s390_des_ctx),
70 .cra_module = THIS_MODULE,
73 .cia_min_keysize = DES_KEY_SIZE,
74 .cia_max_keysize = DES_KEY_SIZE,
75 .cia_setkey = des_setkey,
76 .cia_encrypt = s390_des_encrypt,
77 .cia_decrypt = s390_des_decrypt,
82 static int ecb_desall_crypt(struct blkcipher_desc *desc, unsigned long fc,
83 struct blkcipher_walk *walk)
85 struct s390_des_ctx *ctx = crypto_blkcipher_ctx(desc->tfm);
86 unsigned int nbytes, n;
89 ret = blkcipher_walk_virt(desc, walk);
90 while ((nbytes = walk->nbytes) >= DES_BLOCK_SIZE) {
91 /* only use complete blocks */
92 n = nbytes & ~(DES_BLOCK_SIZE - 1);
93 cpacf_km(fc, ctx->key, walk->dst.virt.addr,
94 walk->src.virt.addr, n);
95 ret = blkcipher_walk_done(desc, walk, nbytes - n);
100 static int cbc_desall_crypt(struct blkcipher_desc *desc, unsigned long fc,
101 struct blkcipher_walk *walk)
103 struct s390_des_ctx *ctx = crypto_blkcipher_ctx(desc->tfm);
104 unsigned int nbytes, n;
107 u8 iv[DES_BLOCK_SIZE];
108 u8 key[DES3_KEY_SIZE];
111 ret = blkcipher_walk_virt(desc, walk);
112 memcpy(param.iv, walk->iv, DES_BLOCK_SIZE);
113 memcpy(param.key, ctx->key, DES3_KEY_SIZE);
114 while ((nbytes = walk->nbytes) >= DES_BLOCK_SIZE) {
115 /* only use complete blocks */
116 n = nbytes & ~(DES_BLOCK_SIZE - 1);
117 cpacf_kmc(fc, ¶m, walk->dst.virt.addr,
118 walk->src.virt.addr, n);
119 ret = blkcipher_walk_done(desc, walk, nbytes - n);
121 memcpy(walk->iv, param.iv, DES_BLOCK_SIZE);
125 static int ecb_des_encrypt(struct blkcipher_desc *desc,
126 struct scatterlist *dst, struct scatterlist *src,
129 struct blkcipher_walk walk;
131 blkcipher_walk_init(&walk, dst, src, nbytes);
132 return ecb_desall_crypt(desc, CPACF_KM_DEA, &walk);
135 static int ecb_des_decrypt(struct blkcipher_desc *desc,
136 struct scatterlist *dst, struct scatterlist *src,
139 struct blkcipher_walk walk;
141 blkcipher_walk_init(&walk, dst, src, nbytes);
142 return ecb_desall_crypt(desc, CPACF_KM_DEA | CPACF_DECRYPT, &walk);
145 static struct crypto_alg ecb_des_alg = {
146 .cra_name = "ecb(des)",
147 .cra_driver_name = "ecb-des-s390",
148 .cra_priority = 400, /* combo: des + ecb */
149 .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER,
150 .cra_blocksize = DES_BLOCK_SIZE,
151 .cra_ctxsize = sizeof(struct s390_des_ctx),
152 .cra_type = &crypto_blkcipher_type,
153 .cra_module = THIS_MODULE,
156 .min_keysize = DES_KEY_SIZE,
157 .max_keysize = DES_KEY_SIZE,
158 .setkey = des_setkey,
159 .encrypt = ecb_des_encrypt,
160 .decrypt = ecb_des_decrypt,
165 static int cbc_des_encrypt(struct blkcipher_desc *desc,
166 struct scatterlist *dst, struct scatterlist *src,
169 struct blkcipher_walk walk;
171 blkcipher_walk_init(&walk, dst, src, nbytes);
172 return cbc_desall_crypt(desc, CPACF_KMC_DEA, &walk);
175 static int cbc_des_decrypt(struct blkcipher_desc *desc,
176 struct scatterlist *dst, struct scatterlist *src,
179 struct blkcipher_walk walk;
181 blkcipher_walk_init(&walk, dst, src, nbytes);
182 return cbc_desall_crypt(desc, CPACF_KMC_DEA | CPACF_DECRYPT, &walk);
185 static struct crypto_alg cbc_des_alg = {
186 .cra_name = "cbc(des)",
187 .cra_driver_name = "cbc-des-s390",
188 .cra_priority = 400, /* combo: des + cbc */
189 .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER,
190 .cra_blocksize = DES_BLOCK_SIZE,
191 .cra_ctxsize = sizeof(struct s390_des_ctx),
192 .cra_type = &crypto_blkcipher_type,
193 .cra_module = THIS_MODULE,
196 .min_keysize = DES_KEY_SIZE,
197 .max_keysize = DES_KEY_SIZE,
198 .ivsize = DES_BLOCK_SIZE,
199 .setkey = des_setkey,
200 .encrypt = cbc_des_encrypt,
201 .decrypt = cbc_des_decrypt,
209 * For DES-EDE3, there is no known need to reject weak or
210 * complementation keys. Any weakness is obviated by the use of
213 * However, if the first two or last two independent 64-bit keys are
214 * equal (k1 == k2 or k2 == k3), then the DES3 operation is simply the
215 * same as DES. Implementers MUST reject keys that exhibit this
218 * In fips mode additinally check for all 3 keys are unique.
221 static int des3_setkey(struct crypto_tfm *tfm, const u8 *key,
222 unsigned int key_len)
224 struct s390_des_ctx *ctx = crypto_tfm_ctx(tfm);
227 err = crypto_des3_ede_verify_key(tfm, key);
231 memcpy(ctx->key, key, key_len);
235 static void des3_encrypt(struct crypto_tfm *tfm, u8 *dst, const u8 *src)
237 struct s390_des_ctx *ctx = crypto_tfm_ctx(tfm);
239 cpacf_km(CPACF_KM_TDEA_192, ctx->key, dst, src, DES_BLOCK_SIZE);
242 static void des3_decrypt(struct crypto_tfm *tfm, u8 *dst, const u8 *src)
244 struct s390_des_ctx *ctx = crypto_tfm_ctx(tfm);
246 cpacf_km(CPACF_KM_TDEA_192 | CPACF_DECRYPT,
247 ctx->key, dst, src, DES_BLOCK_SIZE);
250 static struct crypto_alg des3_alg = {
251 .cra_name = "des3_ede",
252 .cra_driver_name = "des3_ede-s390",
254 .cra_flags = CRYPTO_ALG_TYPE_CIPHER,
255 .cra_blocksize = DES_BLOCK_SIZE,
256 .cra_ctxsize = sizeof(struct s390_des_ctx),
257 .cra_module = THIS_MODULE,
260 .cia_min_keysize = DES3_KEY_SIZE,
261 .cia_max_keysize = DES3_KEY_SIZE,
262 .cia_setkey = des3_setkey,
263 .cia_encrypt = des3_encrypt,
264 .cia_decrypt = des3_decrypt,
269 static int ecb_des3_encrypt(struct blkcipher_desc *desc,
270 struct scatterlist *dst, struct scatterlist *src,
273 struct blkcipher_walk walk;
275 blkcipher_walk_init(&walk, dst, src, nbytes);
276 return ecb_desall_crypt(desc, CPACF_KM_TDEA_192, &walk);
279 static int ecb_des3_decrypt(struct blkcipher_desc *desc,
280 struct scatterlist *dst, struct scatterlist *src,
283 struct blkcipher_walk walk;
285 blkcipher_walk_init(&walk, dst, src, nbytes);
286 return ecb_desall_crypt(desc, CPACF_KM_TDEA_192 | CPACF_DECRYPT,
290 static struct crypto_alg ecb_des3_alg = {
291 .cra_name = "ecb(des3_ede)",
292 .cra_driver_name = "ecb-des3_ede-s390",
293 .cra_priority = 400, /* combo: des3 + ecb */
294 .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER,
295 .cra_blocksize = DES_BLOCK_SIZE,
296 .cra_ctxsize = sizeof(struct s390_des_ctx),
297 .cra_type = &crypto_blkcipher_type,
298 .cra_module = THIS_MODULE,
301 .min_keysize = DES3_KEY_SIZE,
302 .max_keysize = DES3_KEY_SIZE,
303 .setkey = des3_setkey,
304 .encrypt = ecb_des3_encrypt,
305 .decrypt = ecb_des3_decrypt,
310 static int cbc_des3_encrypt(struct blkcipher_desc *desc,
311 struct scatterlist *dst, struct scatterlist *src,
314 struct blkcipher_walk walk;
316 blkcipher_walk_init(&walk, dst, src, nbytes);
317 return cbc_desall_crypt(desc, CPACF_KMC_TDEA_192, &walk);
320 static int cbc_des3_decrypt(struct blkcipher_desc *desc,
321 struct scatterlist *dst, struct scatterlist *src,
324 struct blkcipher_walk walk;
326 blkcipher_walk_init(&walk, dst, src, nbytes);
327 return cbc_desall_crypt(desc, CPACF_KMC_TDEA_192 | CPACF_DECRYPT,
331 static struct crypto_alg cbc_des3_alg = {
332 .cra_name = "cbc(des3_ede)",
333 .cra_driver_name = "cbc-des3_ede-s390",
334 .cra_priority = 400, /* combo: des3 + cbc */
335 .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER,
336 .cra_blocksize = DES_BLOCK_SIZE,
337 .cra_ctxsize = sizeof(struct s390_des_ctx),
338 .cra_type = &crypto_blkcipher_type,
339 .cra_module = THIS_MODULE,
342 .min_keysize = DES3_KEY_SIZE,
343 .max_keysize = DES3_KEY_SIZE,
344 .ivsize = DES_BLOCK_SIZE,
345 .setkey = des3_setkey,
346 .encrypt = cbc_des3_encrypt,
347 .decrypt = cbc_des3_decrypt,
352 static unsigned int __ctrblk_init(u8 *ctrptr, u8 *iv, unsigned int nbytes)
356 /* align to block size, max. PAGE_SIZE */
357 n = (nbytes > PAGE_SIZE) ? PAGE_SIZE : nbytes & ~(DES_BLOCK_SIZE - 1);
358 memcpy(ctrptr, iv, DES_BLOCK_SIZE);
359 for (i = (n / DES_BLOCK_SIZE) - 1; i > 0; i--) {
360 memcpy(ctrptr + DES_BLOCK_SIZE, ctrptr, DES_BLOCK_SIZE);
361 crypto_inc(ctrptr + DES_BLOCK_SIZE, DES_BLOCK_SIZE);
362 ctrptr += DES_BLOCK_SIZE;
367 static int ctr_desall_crypt(struct blkcipher_desc *desc, unsigned long fc,
368 struct blkcipher_walk *walk)
370 struct s390_des_ctx *ctx = crypto_blkcipher_ctx(desc->tfm);
371 u8 buf[DES_BLOCK_SIZE], *ctrptr;
372 unsigned int n, nbytes;
375 locked = mutex_trylock(&ctrblk_lock);
377 ret = blkcipher_walk_virt_block(desc, walk, DES_BLOCK_SIZE);
378 while ((nbytes = walk->nbytes) >= DES_BLOCK_SIZE) {
380 if (nbytes >= 2*DES_BLOCK_SIZE && locked)
381 n = __ctrblk_init(ctrblk, walk->iv, nbytes);
382 ctrptr = (n > DES_BLOCK_SIZE) ? ctrblk : walk->iv;
383 cpacf_kmctr(fc, ctx->key, walk->dst.virt.addr,
384 walk->src.virt.addr, n, ctrptr);
385 if (ctrptr == ctrblk)
386 memcpy(walk->iv, ctrptr + n - DES_BLOCK_SIZE,
388 crypto_inc(walk->iv, DES_BLOCK_SIZE);
389 ret = blkcipher_walk_done(desc, walk, nbytes - n);
392 mutex_unlock(&ctrblk_lock);
393 /* final block may be < DES_BLOCK_SIZE, copy only nbytes */
395 cpacf_kmctr(fc, ctx->key, buf, walk->src.virt.addr,
396 DES_BLOCK_SIZE, walk->iv);
397 memcpy(walk->dst.virt.addr, buf, nbytes);
398 crypto_inc(walk->iv, DES_BLOCK_SIZE);
399 ret = blkcipher_walk_done(desc, walk, 0);
404 static int ctr_des_encrypt(struct blkcipher_desc *desc,
405 struct scatterlist *dst, struct scatterlist *src,
408 struct blkcipher_walk walk;
410 blkcipher_walk_init(&walk, dst, src, nbytes);
411 return ctr_desall_crypt(desc, CPACF_KMCTR_DEA, &walk);
414 static int ctr_des_decrypt(struct blkcipher_desc *desc,
415 struct scatterlist *dst, struct scatterlist *src,
418 struct blkcipher_walk walk;
420 blkcipher_walk_init(&walk, dst, src, nbytes);
421 return ctr_desall_crypt(desc, CPACF_KMCTR_DEA | CPACF_DECRYPT, &walk);
424 static struct crypto_alg ctr_des_alg = {
425 .cra_name = "ctr(des)",
426 .cra_driver_name = "ctr-des-s390",
427 .cra_priority = 400, /* combo: des + ctr */
428 .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER,
430 .cra_ctxsize = sizeof(struct s390_des_ctx),
431 .cra_type = &crypto_blkcipher_type,
432 .cra_module = THIS_MODULE,
435 .min_keysize = DES_KEY_SIZE,
436 .max_keysize = DES_KEY_SIZE,
437 .ivsize = DES_BLOCK_SIZE,
438 .setkey = des_setkey,
439 .encrypt = ctr_des_encrypt,
440 .decrypt = ctr_des_decrypt,
445 static int ctr_des3_encrypt(struct blkcipher_desc *desc,
446 struct scatterlist *dst, struct scatterlist *src,
449 struct blkcipher_walk walk;
451 blkcipher_walk_init(&walk, dst, src, nbytes);
452 return ctr_desall_crypt(desc, CPACF_KMCTR_TDEA_192, &walk);
455 static int ctr_des3_decrypt(struct blkcipher_desc *desc,
456 struct scatterlist *dst, struct scatterlist *src,
459 struct blkcipher_walk walk;
461 blkcipher_walk_init(&walk, dst, src, nbytes);
462 return ctr_desall_crypt(desc, CPACF_KMCTR_TDEA_192 | CPACF_DECRYPT,
466 static struct crypto_alg ctr_des3_alg = {
467 .cra_name = "ctr(des3_ede)",
468 .cra_driver_name = "ctr-des3_ede-s390",
469 .cra_priority = 400, /* combo: des3 + ede */
470 .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER,
472 .cra_ctxsize = sizeof(struct s390_des_ctx),
473 .cra_type = &crypto_blkcipher_type,
474 .cra_module = THIS_MODULE,
477 .min_keysize = DES3_KEY_SIZE,
478 .max_keysize = DES3_KEY_SIZE,
479 .ivsize = DES_BLOCK_SIZE,
480 .setkey = des3_setkey,
481 .encrypt = ctr_des3_encrypt,
482 .decrypt = ctr_des3_decrypt,
487 static struct crypto_alg *des_s390_algs_ptr[8];
488 static int des_s390_algs_num;
490 static int des_s390_register_alg(struct crypto_alg *alg)
494 ret = crypto_register_alg(alg);
496 des_s390_algs_ptr[des_s390_algs_num++] = alg;
500 static void des_s390_exit(void)
502 while (des_s390_algs_num--)
503 crypto_unregister_alg(des_s390_algs_ptr[des_s390_algs_num]);
505 free_page((unsigned long) ctrblk);
508 static int __init des_s390_init(void)
512 /* Query available functions for KM, KMC and KMCTR */
513 cpacf_query(CPACF_KM, &km_functions);
514 cpacf_query(CPACF_KMC, &kmc_functions);
515 cpacf_query(CPACF_KMCTR, &kmctr_functions);
517 if (cpacf_test_func(&km_functions, CPACF_KM_DEA)) {
518 ret = des_s390_register_alg(&des_alg);
521 ret = des_s390_register_alg(&ecb_des_alg);
525 if (cpacf_test_func(&kmc_functions, CPACF_KMC_DEA)) {
526 ret = des_s390_register_alg(&cbc_des_alg);
530 if (cpacf_test_func(&km_functions, CPACF_KM_TDEA_192)) {
531 ret = des_s390_register_alg(&des3_alg);
534 ret = des_s390_register_alg(&ecb_des3_alg);
538 if (cpacf_test_func(&kmc_functions, CPACF_KMC_TDEA_192)) {
539 ret = des_s390_register_alg(&cbc_des3_alg);
544 if (cpacf_test_func(&kmctr_functions, CPACF_KMCTR_DEA) ||
545 cpacf_test_func(&kmctr_functions, CPACF_KMCTR_TDEA_192)) {
546 ctrblk = (u8 *) __get_free_page(GFP_KERNEL);
553 if (cpacf_test_func(&kmctr_functions, CPACF_KMCTR_DEA)) {
554 ret = des_s390_register_alg(&ctr_des_alg);
558 if (cpacf_test_func(&kmctr_functions, CPACF_KMCTR_TDEA_192)) {
559 ret = des_s390_register_alg(&ctr_des3_alg);
570 module_cpu_feature_match(MSA, des_s390_init);
571 module_exit(des_s390_exit);
573 MODULE_ALIAS_CRYPTO("des");
574 MODULE_ALIAS_CRYPTO("des3_ede");
576 MODULE_LICENSE("GPL");
577 MODULE_DESCRIPTION("DES & Triple DES EDE Cipher Algorithms");