1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21#include "qemu/osdep.h"
22#include "crypto/xts.h"
23
24#include <nettle/nettle-types.h>
25#include <nettle/aes.h>
26#include <nettle/des.h>
27#include <nettle/cbc.h>
28#include <nettle/cast128.h>
29#include <nettle/serpent.h>
30#include <nettle/twofish.h>
31#include <nettle/ctr.h>
32
33typedef void (*QCryptoCipherNettleFuncWrapper)(const void *ctx,
34 size_t length,
35 uint8_t *dst,
36 const uint8_t *src);
37
38#if CONFIG_NETTLE_VERSION_MAJOR < 3
39typedef nettle_crypt_func * QCryptoCipherNettleFuncNative;
40typedef void * cipher_ctx_t;
41typedef unsigned cipher_length_t;
42
43#define cast5_set_key cast128_set_key
44#else
45typedef nettle_cipher_func * QCryptoCipherNettleFuncNative;
46typedef const void * cipher_ctx_t;
47typedef size_t cipher_length_t;
48#endif
49
50typedef struct QCryptoNettleAES {
51 struct aes_ctx enc;
52 struct aes_ctx dec;
53} QCryptoNettleAES;
54
55static void aes_encrypt_native(cipher_ctx_t ctx, cipher_length_t length,
56 uint8_t *dst, const uint8_t *src)
57{
58 const QCryptoNettleAES *aesctx = ctx;
59 aes_encrypt(&aesctx->enc, length, dst, src);
60}
61
62static void aes_decrypt_native(cipher_ctx_t ctx, cipher_length_t length,
63 uint8_t *dst, const uint8_t *src)
64{
65 const QCryptoNettleAES *aesctx = ctx;
66 aes_decrypt(&aesctx->dec, length, dst, src);
67}
68
69static void des_encrypt_native(cipher_ctx_t ctx, cipher_length_t length,
70 uint8_t *dst, const uint8_t *src)
71{
72 des_encrypt(ctx, length, dst, src);
73}
74
75static void des_decrypt_native(cipher_ctx_t ctx, cipher_length_t length,
76 uint8_t *dst, const uint8_t *src)
77{
78 des_decrypt(ctx, length, dst, src);
79}
80
81static void cast128_encrypt_native(cipher_ctx_t ctx, cipher_length_t length,
82 uint8_t *dst, const uint8_t *src)
83{
84 cast128_encrypt(ctx, length, dst, src);
85}
86
87static void cast128_decrypt_native(cipher_ctx_t ctx, cipher_length_t length,
88 uint8_t *dst, const uint8_t *src)
89{
90 cast128_decrypt(ctx, length, dst, src);
91}
92
93static void serpent_encrypt_native(cipher_ctx_t ctx, cipher_length_t length,
94 uint8_t *dst, const uint8_t *src)
95{
96 serpent_encrypt(ctx, length, dst, src);
97}
98
99static void serpent_decrypt_native(cipher_ctx_t ctx, cipher_length_t length,
100 uint8_t *dst, const uint8_t *src)
101{
102 serpent_decrypt(ctx, length, dst, src);
103}
104
105static void twofish_encrypt_native(cipher_ctx_t ctx, cipher_length_t length,
106 uint8_t *dst, const uint8_t *src)
107{
108 twofish_encrypt(ctx, length, dst, src);
109}
110
111static void twofish_decrypt_native(cipher_ctx_t ctx, cipher_length_t length,
112 uint8_t *dst, const uint8_t *src)
113{
114 twofish_decrypt(ctx, length, dst, src);
115}
116
117static void aes_encrypt_wrapper(const void *ctx, size_t length,
118 uint8_t *dst, const uint8_t *src)
119{
120 const QCryptoNettleAES *aesctx = ctx;
121 aes_encrypt(&aesctx->enc, length, dst, src);
122}
123
124static void aes_decrypt_wrapper(const void *ctx, size_t length,
125 uint8_t *dst, const uint8_t *src)
126{
127 const QCryptoNettleAES *aesctx = ctx;
128 aes_decrypt(&aesctx->dec, length, dst, src);
129}
130
131static void des_encrypt_wrapper(const void *ctx, size_t length,
132 uint8_t *dst, const uint8_t *src)
133{
134 des_encrypt(ctx, length, dst, src);
135}
136
137static void des_decrypt_wrapper(const void *ctx, size_t length,
138 uint8_t *dst, const uint8_t *src)
139{
140 des_decrypt(ctx, length, dst, src);
141}
142
143static void cast128_encrypt_wrapper(const void *ctx, size_t length,
144 uint8_t *dst, const uint8_t *src)
145{
146 cast128_encrypt(ctx, length, dst, src);
147}
148
149static void cast128_decrypt_wrapper(const void *ctx, size_t length,
150 uint8_t *dst, const uint8_t *src)
151{
152 cast128_decrypt(ctx, length, dst, src);
153}
154
155static void serpent_encrypt_wrapper(const void *ctx, size_t length,
156 uint8_t *dst, const uint8_t *src)
157{
158 serpent_encrypt(ctx, length, dst, src);
159}
160
161static void serpent_decrypt_wrapper(const void *ctx, size_t length,
162 uint8_t *dst, const uint8_t *src)
163{
164 serpent_decrypt(ctx, length, dst, src);
165}
166
167static void twofish_encrypt_wrapper(const void *ctx, size_t length,
168 uint8_t *dst, const uint8_t *src)
169{
170 twofish_encrypt(ctx, length, dst, src);
171}
172
173static void twofish_decrypt_wrapper(const void *ctx, size_t length,
174 uint8_t *dst, const uint8_t *src)
175{
176 twofish_decrypt(ctx, length, dst, src);
177}
178
179typedef struct QCryptoCipherNettle QCryptoCipherNettle;
180struct QCryptoCipherNettle {
181
182 void *ctx;
183
184 void *ctx_tweak;
185
186 QCryptoCipherNettleFuncNative alg_encrypt_native;
187 QCryptoCipherNettleFuncNative alg_decrypt_native;
188 QCryptoCipherNettleFuncWrapper alg_encrypt_wrapper;
189 QCryptoCipherNettleFuncWrapper alg_decrypt_wrapper;
190
191 uint8_t *iv;
192 size_t blocksize;
193};
194
195bool qcrypto_cipher_supports(QCryptoCipherAlgorithm alg,
196 QCryptoCipherMode mode)
197{
198 switch (alg) {
199 case QCRYPTO_CIPHER_ALG_DES_RFB:
200 case QCRYPTO_CIPHER_ALG_AES_128:
201 case QCRYPTO_CIPHER_ALG_AES_192:
202 case QCRYPTO_CIPHER_ALG_AES_256:
203 case QCRYPTO_CIPHER_ALG_CAST5_128:
204 case QCRYPTO_CIPHER_ALG_SERPENT_128:
205 case QCRYPTO_CIPHER_ALG_SERPENT_192:
206 case QCRYPTO_CIPHER_ALG_SERPENT_256:
207 case QCRYPTO_CIPHER_ALG_TWOFISH_128:
208 case QCRYPTO_CIPHER_ALG_TWOFISH_192:
209 case QCRYPTO_CIPHER_ALG_TWOFISH_256:
210 break;
211 default:
212 return false;
213 }
214
215 switch (mode) {
216 case QCRYPTO_CIPHER_MODE_ECB:
217 case QCRYPTO_CIPHER_MODE_CBC:
218 case QCRYPTO_CIPHER_MODE_XTS:
219 case QCRYPTO_CIPHER_MODE_CTR:
220 return true;
221 default:
222 return false;
223 }
224}
225
226
227QCryptoCipher *qcrypto_cipher_new(QCryptoCipherAlgorithm alg,
228 QCryptoCipherMode mode,
229 const uint8_t *key, size_t nkey,
230 Error **errp)
231{
232 QCryptoCipher *cipher;
233 QCryptoCipherNettle *ctx;
234 uint8_t *rfbkey;
235
236 switch (mode) {
237 case QCRYPTO_CIPHER_MODE_ECB:
238 case QCRYPTO_CIPHER_MODE_CBC:
239 case QCRYPTO_CIPHER_MODE_XTS:
240 case QCRYPTO_CIPHER_MODE_CTR:
241 break;
242 default:
243 error_setg(errp, "Unsupported cipher mode %s",
244 QCryptoCipherMode_lookup[mode]);
245 return NULL;
246 }
247
248 if (!qcrypto_cipher_validate_key_length(alg, mode, nkey, errp)) {
249 return NULL;
250 }
251
252 cipher = g_new0(QCryptoCipher, 1);
253 cipher->alg = alg;
254 cipher->mode = mode;
255
256 ctx = g_new0(QCryptoCipherNettle, 1);
257
258 switch (alg) {
259 case QCRYPTO_CIPHER_ALG_DES_RFB:
260 ctx->ctx = g_new0(struct des_ctx, 1);
261 rfbkey = qcrypto_cipher_munge_des_rfb_key(key, nkey);
262 des_set_key(ctx->ctx, rfbkey);
263 g_free(rfbkey);
264
265 ctx->alg_encrypt_native = des_encrypt_native;
266 ctx->alg_decrypt_native = des_decrypt_native;
267 ctx->alg_encrypt_wrapper = des_encrypt_wrapper;
268 ctx->alg_decrypt_wrapper = des_decrypt_wrapper;
269
270 ctx->blocksize = DES_BLOCK_SIZE;
271 break;
272
273 case QCRYPTO_CIPHER_ALG_AES_128:
274 case QCRYPTO_CIPHER_ALG_AES_192:
275 case QCRYPTO_CIPHER_ALG_AES_256:
276 ctx->ctx = g_new0(QCryptoNettleAES, 1);
277
278 if (mode == QCRYPTO_CIPHER_MODE_XTS) {
279 ctx->ctx_tweak = g_new0(QCryptoNettleAES, 1);
280
281 nkey /= 2;
282 aes_set_encrypt_key(&((QCryptoNettleAES *)ctx->ctx)->enc,
283 nkey, key);
284 aes_set_decrypt_key(&((QCryptoNettleAES *)ctx->ctx)->dec,
285 nkey, key);
286
287 aes_set_encrypt_key(&((QCryptoNettleAES *)ctx->ctx_tweak)->enc,
288 nkey, key + nkey);
289 aes_set_decrypt_key(&((QCryptoNettleAES *)ctx->ctx_tweak)->dec,
290 nkey, key + nkey);
291 } else {
292 aes_set_encrypt_key(&((QCryptoNettleAES *)ctx->ctx)->enc,
293 nkey, key);
294 aes_set_decrypt_key(&((QCryptoNettleAES *)ctx->ctx)->dec,
295 nkey, key);
296 }
297
298 ctx->alg_encrypt_native = aes_encrypt_native;
299 ctx->alg_decrypt_native = aes_decrypt_native;
300 ctx->alg_encrypt_wrapper = aes_encrypt_wrapper;
301 ctx->alg_decrypt_wrapper = aes_decrypt_wrapper;
302
303 ctx->blocksize = AES_BLOCK_SIZE;
304 break;
305
306 case QCRYPTO_CIPHER_ALG_CAST5_128:
307 ctx->ctx = g_new0(struct cast128_ctx, 1);
308
309 if (mode == QCRYPTO_CIPHER_MODE_XTS) {
310 ctx->ctx_tweak = g_new0(struct cast128_ctx, 1);
311
312 nkey /= 2;
313 cast5_set_key(ctx->ctx, nkey, key);
314 cast5_set_key(ctx->ctx_tweak, nkey, key + nkey);
315 } else {
316 cast5_set_key(ctx->ctx, nkey, key);
317 }
318
319 ctx->alg_encrypt_native = cast128_encrypt_native;
320 ctx->alg_decrypt_native = cast128_decrypt_native;
321 ctx->alg_encrypt_wrapper = cast128_encrypt_wrapper;
322 ctx->alg_decrypt_wrapper = cast128_decrypt_wrapper;
323
324 ctx->blocksize = CAST128_BLOCK_SIZE;
325 break;
326
327 case QCRYPTO_CIPHER_ALG_SERPENT_128:
328 case QCRYPTO_CIPHER_ALG_SERPENT_192:
329 case QCRYPTO_CIPHER_ALG_SERPENT_256:
330 ctx->ctx = g_new0(struct serpent_ctx, 1);
331
332 if (mode == QCRYPTO_CIPHER_MODE_XTS) {
333 ctx->ctx_tweak = g_new0(struct serpent_ctx, 1);
334
335 nkey /= 2;
336 serpent_set_key(ctx->ctx, nkey, key);
337 serpent_set_key(ctx->ctx_tweak, nkey, key + nkey);
338 } else {
339 serpent_set_key(ctx->ctx, nkey, key);
340 }
341
342 ctx->alg_encrypt_native = serpent_encrypt_native;
343 ctx->alg_decrypt_native = serpent_decrypt_native;
344 ctx->alg_encrypt_wrapper = serpent_encrypt_wrapper;
345 ctx->alg_decrypt_wrapper = serpent_decrypt_wrapper;
346
347 ctx->blocksize = SERPENT_BLOCK_SIZE;
348 break;
349
350 case QCRYPTO_CIPHER_ALG_TWOFISH_128:
351 case QCRYPTO_CIPHER_ALG_TWOFISH_192:
352 case QCRYPTO_CIPHER_ALG_TWOFISH_256:
353 ctx->ctx = g_new0(struct twofish_ctx, 1);
354
355 if (mode == QCRYPTO_CIPHER_MODE_XTS) {
356 ctx->ctx_tweak = g_new0(struct twofish_ctx, 1);
357
358 nkey /= 2;
359 twofish_set_key(ctx->ctx, nkey, key);
360 twofish_set_key(ctx->ctx_tweak, nkey, key + nkey);
361 } else {
362 twofish_set_key(ctx->ctx, nkey, key);
363 }
364
365 ctx->alg_encrypt_native = twofish_encrypt_native;
366 ctx->alg_decrypt_native = twofish_decrypt_native;
367 ctx->alg_encrypt_wrapper = twofish_encrypt_wrapper;
368 ctx->alg_decrypt_wrapper = twofish_decrypt_wrapper;
369
370 ctx->blocksize = TWOFISH_BLOCK_SIZE;
371 break;
372
373 default:
374 error_setg(errp, "Unsupported cipher algorithm %s",
375 QCryptoCipherAlgorithm_lookup[alg]);
376 goto error;
377 }
378
379 if (mode == QCRYPTO_CIPHER_MODE_XTS &&
380 ctx->blocksize != XTS_BLOCK_SIZE) {
381 error_setg(errp, "Cipher block size %zu must equal XTS block size %d",
382 ctx->blocksize, XTS_BLOCK_SIZE);
383 goto error;
384 }
385
386 ctx->iv = g_new0(uint8_t, ctx->blocksize);
387 cipher->opaque = ctx;
388
389 return cipher;
390
391 error:
392 g_free(cipher);
393 g_free(ctx);
394 return NULL;
395}
396
397
398void qcrypto_cipher_free(QCryptoCipher *cipher)
399{
400 QCryptoCipherNettle *ctx;
401
402 if (!cipher) {
403 return;
404 }
405
406 ctx = cipher->opaque;
407 g_free(ctx->iv);
408 g_free(ctx->ctx);
409 g_free(ctx->ctx_tweak);
410 g_free(ctx);
411 g_free(cipher);
412}
413
414
415int qcrypto_cipher_encrypt(QCryptoCipher *cipher,
416 const void *in,
417 void *out,
418 size_t len,
419 Error **errp)
420{
421 QCryptoCipherNettle *ctx = cipher->opaque;
422
423 if (len % ctx->blocksize) {
424 error_setg(errp, "Length %zu must be a multiple of block size %zu",
425 len, ctx->blocksize);
426 return -1;
427 }
428
429 switch (cipher->mode) {
430 case QCRYPTO_CIPHER_MODE_ECB:
431 ctx->alg_encrypt_wrapper(ctx->ctx, len, out, in);
432 break;
433
434 case QCRYPTO_CIPHER_MODE_CBC:
435 cbc_encrypt(ctx->ctx, ctx->alg_encrypt_native,
436 ctx->blocksize, ctx->iv,
437 len, out, in);
438 break;
439
440 case QCRYPTO_CIPHER_MODE_XTS:
441 xts_encrypt(ctx->ctx, ctx->ctx_tweak,
442 ctx->alg_encrypt_wrapper, ctx->alg_encrypt_wrapper,
443 ctx->iv, len, out, in);
444 break;
445
446 case QCRYPTO_CIPHER_MODE_CTR:
447 ctr_crypt(ctx->ctx, ctx->alg_encrypt_native,
448 ctx->blocksize, ctx->iv,
449 len, out, in);
450 break;
451
452 default:
453 error_setg(errp, "Unsupported cipher mode %s",
454 QCryptoCipherMode_lookup[cipher->mode]);
455 return -1;
456 }
457 return 0;
458}
459
460
461int qcrypto_cipher_decrypt(QCryptoCipher *cipher,
462 const void *in,
463 void *out,
464 size_t len,
465 Error **errp)
466{
467 QCryptoCipherNettle *ctx = cipher->opaque;
468
469 if (len % ctx->blocksize) {
470 error_setg(errp, "Length %zu must be a multiple of block size %zu",
471 len, ctx->blocksize);
472 return -1;
473 }
474
475 switch (cipher->mode) {
476 case QCRYPTO_CIPHER_MODE_ECB:
477 ctx->alg_decrypt_wrapper(ctx->ctx, len, out, in);
478 break;
479
480 case QCRYPTO_CIPHER_MODE_CBC:
481 cbc_decrypt(ctx->ctx, ctx->alg_decrypt_native,
482 ctx->blocksize, ctx->iv,
483 len, out, in);
484 break;
485
486 case QCRYPTO_CIPHER_MODE_XTS:
487 xts_decrypt(ctx->ctx, ctx->ctx_tweak,
488 ctx->alg_encrypt_wrapper, ctx->alg_decrypt_wrapper,
489 ctx->iv, len, out, in);
490 break;
491 case QCRYPTO_CIPHER_MODE_CTR:
492 ctr_crypt(ctx->ctx, ctx->alg_encrypt_native,
493 ctx->blocksize, ctx->iv,
494 len, out, in);
495 break;
496
497 default:
498 error_setg(errp, "Unsupported cipher mode %s",
499 QCryptoCipherMode_lookup[cipher->mode]);
500 return -1;
501 }
502 return 0;
503}
504
505int qcrypto_cipher_setiv(QCryptoCipher *cipher,
506 const uint8_t *iv, size_t niv,
507 Error **errp)
508{
509 QCryptoCipherNettle *ctx = cipher->opaque;
510 if (niv != ctx->blocksize) {
511 error_setg(errp, "Expected IV size %zu not %zu",
512 ctx->blocksize, niv);
513 return -1;
514 }
515 memcpy(ctx->iv, iv, niv);
516 return 0;
517}
518
