1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21#include "qemu/osdep.h"
22#include "crypto/xts.h"
23#include "cipherpriv.h"
24
25#include <nettle/nettle-types.h>
26#include <nettle/aes.h>
27#include <nettle/des.h>
28#include <nettle/cbc.h>
29#include <nettle/cast128.h>
30#include <nettle/serpent.h>
31#include <nettle/twofish.h>
32#include <nettle/ctr.h>
33
34typedef void (*QCryptoCipherNettleFuncWrapper)(const void *ctx,
35 size_t length,
36 uint8_t *dst,
37 const uint8_t *src);
38
39#if CONFIG_NETTLE_VERSION_MAJOR < 3
40typedef nettle_crypt_func * QCryptoCipherNettleFuncNative;
41typedef void * cipher_ctx_t;
42typedef unsigned cipher_length_t;
43
44#define cast5_set_key cast128_set_key
45#else
46typedef nettle_cipher_func * QCryptoCipherNettleFuncNative;
47typedef const void * cipher_ctx_t;
48typedef size_t cipher_length_t;
49#endif
50
51typedef struct QCryptoNettleAES {
52 struct aes_ctx enc;
53 struct aes_ctx dec;
54} QCryptoNettleAES;
55
56static void aes_encrypt_native(cipher_ctx_t ctx, cipher_length_t length,
57 uint8_t *dst, const uint8_t *src)
58{
59 const QCryptoNettleAES *aesctx = ctx;
60 aes_encrypt(&aesctx->enc, length, dst, src);
61}
62
63static void aes_decrypt_native(cipher_ctx_t ctx, cipher_length_t length,
64 uint8_t *dst, const uint8_t *src)
65{
66 const QCryptoNettleAES *aesctx = ctx;
67 aes_decrypt(&aesctx->dec, length, dst, src);
68}
69
70static void des_encrypt_native(cipher_ctx_t ctx, cipher_length_t length,
71 uint8_t *dst, const uint8_t *src)
72{
73 des_encrypt(ctx, length, dst, src);
74}
75
76static void des_decrypt_native(cipher_ctx_t ctx, cipher_length_t length,
77 uint8_t *dst, const uint8_t *src)
78{
79 des_decrypt(ctx, length, dst, src);
80}
81
82static void des3_encrypt_native(cipher_ctx_t ctx, cipher_length_t length,
83 uint8_t *dst, const uint8_t *src)
84{
85 des3_encrypt(ctx, length, dst, src);
86}
87
88static void des3_decrypt_native(cipher_ctx_t ctx, cipher_length_t length,
89 uint8_t *dst, const uint8_t *src)
90{
91 des3_decrypt(ctx, length, dst, src);
92}
93
94static void cast128_encrypt_native(cipher_ctx_t ctx, cipher_length_t length,
95 uint8_t *dst, const uint8_t *src)
96{
97 cast128_encrypt(ctx, length, dst, src);
98}
99
100static void cast128_decrypt_native(cipher_ctx_t ctx, cipher_length_t length,
101 uint8_t *dst, const uint8_t *src)
102{
103 cast128_decrypt(ctx, length, dst, src);
104}
105
106static void serpent_encrypt_native(cipher_ctx_t ctx, cipher_length_t length,
107 uint8_t *dst, const uint8_t *src)
108{
109 serpent_encrypt(ctx, length, dst, src);
110}
111
112static void serpent_decrypt_native(cipher_ctx_t ctx, cipher_length_t length,
113 uint8_t *dst, const uint8_t *src)
114{
115 serpent_decrypt(ctx, length, dst, src);
116}
117
118static void twofish_encrypt_native(cipher_ctx_t ctx, cipher_length_t length,
119 uint8_t *dst, const uint8_t *src)
120{
121 twofish_encrypt(ctx, length, dst, src);
122}
123
124static void twofish_decrypt_native(cipher_ctx_t ctx, cipher_length_t length,
125 uint8_t *dst, const uint8_t *src)
126{
127 twofish_decrypt(ctx, length, dst, src);
128}
129
130static void aes_encrypt_wrapper(const void *ctx, size_t length,
131 uint8_t *dst, const uint8_t *src)
132{
133 const QCryptoNettleAES *aesctx = ctx;
134 aes_encrypt(&aesctx->enc, length, dst, src);
135}
136
137static void aes_decrypt_wrapper(const void *ctx, size_t length,
138 uint8_t *dst, const uint8_t *src)
139{
140 const QCryptoNettleAES *aesctx = ctx;
141 aes_decrypt(&aesctx->dec, length, dst, src);
142}
143
144static void des_encrypt_wrapper(const void *ctx, size_t length,
145 uint8_t *dst, const uint8_t *src)
146{
147 des_encrypt(ctx, length, dst, src);
148}
149
150static void des_decrypt_wrapper(const void *ctx, size_t length,
151 uint8_t *dst, const uint8_t *src)
152{
153 des_decrypt(ctx, length, dst, src);
154}
155
156static void des3_encrypt_wrapper(const void *ctx, size_t length,
157 uint8_t *dst, const uint8_t *src)
158{
159 des3_encrypt(ctx, length, dst, src);
160}
161
162static void des3_decrypt_wrapper(const void *ctx, size_t length,
163 uint8_t *dst, const uint8_t *src)
164{
165 des3_decrypt(ctx, length, dst, src);
166}
167
168static void cast128_encrypt_wrapper(const void *ctx, size_t length,
169 uint8_t *dst, const uint8_t *src)
170{
171 cast128_encrypt(ctx, length, dst, src);
172}
173
174static void cast128_decrypt_wrapper(const void *ctx, size_t length,
175 uint8_t *dst, const uint8_t *src)
176{
177 cast128_decrypt(ctx, length, dst, src);
178}
179
180static void serpent_encrypt_wrapper(const void *ctx, size_t length,
181 uint8_t *dst, const uint8_t *src)
182{
183 serpent_encrypt(ctx, length, dst, src);
184}
185
186static void serpent_decrypt_wrapper(const void *ctx, size_t length,
187 uint8_t *dst, const uint8_t *src)
188{
189 serpent_decrypt(ctx, length, dst, src);
190}
191
192static void twofish_encrypt_wrapper(const void *ctx, size_t length,
193 uint8_t *dst, const uint8_t *src)
194{
195 twofish_encrypt(ctx, length, dst, src);
196}
197
198static void twofish_decrypt_wrapper(const void *ctx, size_t length,
199 uint8_t *dst, const uint8_t *src)
200{
201 twofish_decrypt(ctx, length, dst, src);
202}
203
204typedef struct QCryptoCipherNettle QCryptoCipherNettle;
205struct QCryptoCipherNettle {
206
207 void *ctx;
208
209 void *ctx_tweak;
210
211 QCryptoCipherNettleFuncNative alg_encrypt_native;
212 QCryptoCipherNettleFuncNative alg_decrypt_native;
213 QCryptoCipherNettleFuncWrapper alg_encrypt_wrapper;
214 QCryptoCipherNettleFuncWrapper alg_decrypt_wrapper;
215
216 uint8_t *iv;
217 size_t blocksize;
218};
219
220bool qcrypto_cipher_supports(QCryptoCipherAlgorithm alg,
221 QCryptoCipherMode mode)
222{
223 switch (alg) {
224 case QCRYPTO_CIPHER_ALG_DES_RFB:
225 case QCRYPTO_CIPHER_ALG_3DES:
226 case QCRYPTO_CIPHER_ALG_AES_128:
227 case QCRYPTO_CIPHER_ALG_AES_192:
228 case QCRYPTO_CIPHER_ALG_AES_256:
229 case QCRYPTO_CIPHER_ALG_CAST5_128:
230 case QCRYPTO_CIPHER_ALG_SERPENT_128:
231 case QCRYPTO_CIPHER_ALG_SERPENT_192:
232 case QCRYPTO_CIPHER_ALG_SERPENT_256:
233 case QCRYPTO_CIPHER_ALG_TWOFISH_128:
234 case QCRYPTO_CIPHER_ALG_TWOFISH_192:
235 case QCRYPTO_CIPHER_ALG_TWOFISH_256:
236 break;
237 default:
238 return false;
239 }
240
241 switch (mode) {
242 case QCRYPTO_CIPHER_MODE_ECB:
243 case QCRYPTO_CIPHER_MODE_CBC:
244 case QCRYPTO_CIPHER_MODE_XTS:
245 case QCRYPTO_CIPHER_MODE_CTR:
246 return true;
247 default:
248 return false;
249 }
250}
251
252
253static void
254qcrypto_nettle_cipher_free_ctx(QCryptoCipherNettle *ctx)
255{
256 if (!ctx) {
257 return;
258 }
259
260 g_free(ctx->iv);
261 g_free(ctx->ctx);
262 g_free(ctx->ctx_tweak);
263 g_free(ctx);
264}
265
266
267static QCryptoCipherNettle *qcrypto_cipher_ctx_new(QCryptoCipherAlgorithm alg,
268 QCryptoCipherMode mode,
269 const uint8_t *key,
270 size_t nkey,
271 Error **errp)
272{
273 QCryptoCipherNettle *ctx;
274 uint8_t *rfbkey;
275
276 switch (mode) {
277 case QCRYPTO_CIPHER_MODE_ECB:
278 case QCRYPTO_CIPHER_MODE_CBC:
279 case QCRYPTO_CIPHER_MODE_XTS:
280 case QCRYPTO_CIPHER_MODE_CTR:
281 break;
282 default:
283 error_setg(errp, "Unsupported cipher mode %s",
284 QCryptoCipherMode_str(mode));
285 return NULL;
286 }
287
288 if (!qcrypto_cipher_validate_key_length(alg, mode, nkey, errp)) {
289 return NULL;
290 }
291
292 ctx = g_new0(QCryptoCipherNettle, 1);
293
294 switch (alg) {
295 case QCRYPTO_CIPHER_ALG_DES_RFB:
296 ctx->ctx = g_new0(struct des_ctx, 1);
297 rfbkey = qcrypto_cipher_munge_des_rfb_key(key, nkey);
298 des_set_key(ctx->ctx, rfbkey);
299 g_free(rfbkey);
300
301 ctx->alg_encrypt_native = des_encrypt_native;
302 ctx->alg_decrypt_native = des_decrypt_native;
303 ctx->alg_encrypt_wrapper = des_encrypt_wrapper;
304 ctx->alg_decrypt_wrapper = des_decrypt_wrapper;
305
306 ctx->blocksize = DES_BLOCK_SIZE;
307 break;
308
309 case QCRYPTO_CIPHER_ALG_3DES:
310 ctx->ctx = g_new0(struct des3_ctx, 1);
311 des3_set_key(ctx->ctx, key);
312
313 ctx->alg_encrypt_native = des3_encrypt_native;
314 ctx->alg_decrypt_native = des3_decrypt_native;
315 ctx->alg_encrypt_wrapper = des3_encrypt_wrapper;
316 ctx->alg_decrypt_wrapper = des3_decrypt_wrapper;
317
318 ctx->blocksize = DES3_BLOCK_SIZE;
319 break;
320
321 case QCRYPTO_CIPHER_ALG_AES_128:
322 case QCRYPTO_CIPHER_ALG_AES_192:
323 case QCRYPTO_CIPHER_ALG_AES_256:
324 ctx->ctx = g_new0(QCryptoNettleAES, 1);
325
326 if (mode == QCRYPTO_CIPHER_MODE_XTS) {
327 ctx->ctx_tweak = g_new0(QCryptoNettleAES, 1);
328
329 nkey /= 2;
330 aes_set_encrypt_key(&((QCryptoNettleAES *)ctx->ctx)->enc,
331 nkey, key);
332 aes_set_decrypt_key(&((QCryptoNettleAES *)ctx->ctx)->dec,
333 nkey, key);
334
335 aes_set_encrypt_key(&((QCryptoNettleAES *)ctx->ctx_tweak)->enc,
336 nkey, key + nkey);
337 aes_set_decrypt_key(&((QCryptoNettleAES *)ctx->ctx_tweak)->dec,
338 nkey, key + nkey);
339 } else {
340 aes_set_encrypt_key(&((QCryptoNettleAES *)ctx->ctx)->enc,
341 nkey, key);
342 aes_set_decrypt_key(&((QCryptoNettleAES *)ctx->ctx)->dec,
343 nkey, key);
344 }
345
346 ctx->alg_encrypt_native = aes_encrypt_native;
347 ctx->alg_decrypt_native = aes_decrypt_native;
348 ctx->alg_encrypt_wrapper = aes_encrypt_wrapper;
349 ctx->alg_decrypt_wrapper = aes_decrypt_wrapper;
350
351 ctx->blocksize = AES_BLOCK_SIZE;
352 break;
353
354 case QCRYPTO_CIPHER_ALG_CAST5_128:
355 ctx->ctx = g_new0(struct cast128_ctx, 1);
356
357 if (mode == QCRYPTO_CIPHER_MODE_XTS) {
358 ctx->ctx_tweak = g_new0(struct cast128_ctx, 1);
359
360 nkey /= 2;
361 cast5_set_key(ctx->ctx, nkey, key);
362 cast5_set_key(ctx->ctx_tweak, nkey, key + nkey);
363 } else {
364 cast5_set_key(ctx->ctx, nkey, key);
365 }
366
367 ctx->alg_encrypt_native = cast128_encrypt_native;
368 ctx->alg_decrypt_native = cast128_decrypt_native;
369 ctx->alg_encrypt_wrapper = cast128_encrypt_wrapper;
370 ctx->alg_decrypt_wrapper = cast128_decrypt_wrapper;
371
372 ctx->blocksize = CAST128_BLOCK_SIZE;
373 break;
374
375 case QCRYPTO_CIPHER_ALG_SERPENT_128:
376 case QCRYPTO_CIPHER_ALG_SERPENT_192:
377 case QCRYPTO_CIPHER_ALG_SERPENT_256:
378 ctx->ctx = g_new0(struct serpent_ctx, 1);
379
380 if (mode == QCRYPTO_CIPHER_MODE_XTS) {
381 ctx->ctx_tweak = g_new0(struct serpent_ctx, 1);
382
383 nkey /= 2;
384 serpent_set_key(ctx->ctx, nkey, key);
385 serpent_set_key(ctx->ctx_tweak, nkey, key + nkey);
386 } else {
387 serpent_set_key(ctx->ctx, nkey, key);
388 }
389
390 ctx->alg_encrypt_native = serpent_encrypt_native;
391 ctx->alg_decrypt_native = serpent_decrypt_native;
392 ctx->alg_encrypt_wrapper = serpent_encrypt_wrapper;
393 ctx->alg_decrypt_wrapper = serpent_decrypt_wrapper;
394
395 ctx->blocksize = SERPENT_BLOCK_SIZE;
396 break;
397
398 case QCRYPTO_CIPHER_ALG_TWOFISH_128:
399 case QCRYPTO_CIPHER_ALG_TWOFISH_192:
400 case QCRYPTO_CIPHER_ALG_TWOFISH_256:
401 ctx->ctx = g_new0(struct twofish_ctx, 1);
402
403 if (mode == QCRYPTO_CIPHER_MODE_XTS) {
404 ctx->ctx_tweak = g_new0(struct twofish_ctx, 1);
405
406 nkey /= 2;
407 twofish_set_key(ctx->ctx, nkey, key);
408 twofish_set_key(ctx->ctx_tweak, nkey, key + nkey);
409 } else {
410 twofish_set_key(ctx->ctx, nkey, key);
411 }
412
413 ctx->alg_encrypt_native = twofish_encrypt_native;
414 ctx->alg_decrypt_native = twofish_decrypt_native;
415 ctx->alg_encrypt_wrapper = twofish_encrypt_wrapper;
416 ctx->alg_decrypt_wrapper = twofish_decrypt_wrapper;
417
418 ctx->blocksize = TWOFISH_BLOCK_SIZE;
419 break;
420
421 default:
422 error_setg(errp, "Unsupported cipher algorithm %s",
423 QCryptoCipherAlgorithm_str(alg));
424 goto error;
425 }
426
427 if (mode == QCRYPTO_CIPHER_MODE_XTS &&
428 ctx->blocksize != XTS_BLOCK_SIZE) {
429 error_setg(errp, "Cipher block size %zu must equal XTS block size %d",
430 ctx->blocksize, XTS_BLOCK_SIZE);
431 goto error;
432 }
433
434 ctx->iv = g_new0(uint8_t, ctx->blocksize);
435
436 return ctx;
437
438 error:
439 qcrypto_nettle_cipher_free_ctx(ctx);
440 return NULL;
441}
442
443
444static void
445qcrypto_nettle_cipher_ctx_free(QCryptoCipher *cipher)
446{
447 QCryptoCipherNettle *ctx;
448
449 ctx = cipher->opaque;
450 qcrypto_nettle_cipher_free_ctx(ctx);
451}
452
453
454static int
455qcrypto_nettle_cipher_encrypt(QCryptoCipher *cipher,
456 const void *in,
457 void *out,
458 size_t len,
459 Error **errp)
460{
461 QCryptoCipherNettle *ctx = cipher->opaque;
462
463 if (len % ctx->blocksize) {
464 error_setg(errp, "Length %zu must be a multiple of block size %zu",
465 len, ctx->blocksize);
466 return -1;
467 }
468
469 switch (cipher->mode) {
470 case QCRYPTO_CIPHER_MODE_ECB:
471 ctx->alg_encrypt_wrapper(ctx->ctx, len, out, in);
472 break;
473
474 case QCRYPTO_CIPHER_MODE_CBC:
475 cbc_encrypt(ctx->ctx, ctx->alg_encrypt_native,
476 ctx->blocksize, ctx->iv,
477 len, out, in);
478 break;
479
480 case QCRYPTO_CIPHER_MODE_XTS:
481 xts_encrypt(ctx->ctx, ctx->ctx_tweak,
482 ctx->alg_encrypt_wrapper, ctx->alg_encrypt_wrapper,
483 ctx->iv, len, out, in);
484 break;
485
486 case QCRYPTO_CIPHER_MODE_CTR:
487 ctr_crypt(ctx->ctx, ctx->alg_encrypt_native,
488 ctx->blocksize, ctx->iv,
489 len, out, in);
490 break;
491
492 default:
493 error_setg(errp, "Unsupported cipher mode %s",
494 QCryptoCipherMode_str(cipher->mode));
495 return -1;
496 }
497 return 0;
498}
499
500
501static int
502qcrypto_nettle_cipher_decrypt(QCryptoCipher *cipher,
503 const void *in,
504 void *out,
505 size_t len,
506 Error **errp)
507{
508 QCryptoCipherNettle *ctx = cipher->opaque;
509
510 if (len % ctx->blocksize) {
511 error_setg(errp, "Length %zu must be a multiple of block size %zu",
512 len, ctx->blocksize);
513 return -1;
514 }
515
516 switch (cipher->mode) {
517 case QCRYPTO_CIPHER_MODE_ECB:
518 ctx->alg_decrypt_wrapper(ctx->ctx, len, out, in);
519 break;
520
521 case QCRYPTO_CIPHER_MODE_CBC:
522 cbc_decrypt(ctx->ctx, ctx->alg_decrypt_native,
523 ctx->blocksize, ctx->iv,
524 len, out, in);
525 break;
526
527 case QCRYPTO_CIPHER_MODE_XTS:
528 xts_decrypt(ctx->ctx, ctx->ctx_tweak,
529 ctx->alg_encrypt_wrapper, ctx->alg_decrypt_wrapper,
530 ctx->iv, len, out, in);
531 break;
532 case QCRYPTO_CIPHER_MODE_CTR:
533 ctr_crypt(ctx->ctx, ctx->alg_encrypt_native,
534 ctx->blocksize, ctx->iv,
535 len, out, in);
536 break;
537
538 default:
539 error_setg(errp, "Unsupported cipher mode %s",
540 QCryptoCipherMode_str(cipher->mode));
541 return -1;
542 }
543 return 0;
544}
545
546static int
547qcrypto_nettle_cipher_setiv(QCryptoCipher *cipher,
548 const uint8_t *iv, size_t niv,
549 Error **errp)
550{
551 QCryptoCipherNettle *ctx = cipher->opaque;
552 if (niv != ctx->blocksize) {
553 error_setg(errp, "Expected IV size %zu not %zu",
554 ctx->blocksize, niv);
555 return -1;
556 }
557 memcpy(ctx->iv, iv, niv);
558 return 0;
559}
560
561
562static struct QCryptoCipherDriver qcrypto_cipher_lib_driver = {
563 .cipher_encrypt = qcrypto_nettle_cipher_encrypt,
564 .cipher_decrypt = qcrypto_nettle_cipher_decrypt,
565 .cipher_setiv = qcrypto_nettle_cipher_setiv,
566 .cipher_free = qcrypto_nettle_cipher_ctx_free,
567};
568
