1/* 2 * QEMU Crypto cipher nettle algorithms 3 * 4 * Copyright (c) 2015 Red Hat, Inc. 5 * 6 * This library is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU Lesser General Public 8 * License as published by the Free Software Foundation; either 9 * version 2.1 of the License, or (at your option) any later version. 10 * 11 * This library is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14 * Lesser General Public License for more details. 15 * 16 * You should have received a copy of the GNU Lesser General Public 17 * License along with this library; if not, see <http://www.gnu.org/licenses/>. 18 * 19 */ 20 21#ifdef CONFIG_QEMU_PRIVATE_XTS 22#include "crypto/xts.h" 23#endif 24 25#include <nettle/nettle-types.h> 26#include <nettle/aes.h> 27#include <nettle/des.h> 28#include <nettle/cbc.h> 29#include <nettle/cast128.h> 30#include <nettle/serpent.h> 31#include <nettle/twofish.h> 32#include <nettle/ctr.h> 33#ifndef CONFIG_QEMU_PRIVATE_XTS 34#include <nettle/xts.h> 35#endif 36 37static inline bool qcrypto_length_check(size_t len, size_t blocksize, 38 Error **errp) 39{ 40 if (unlikely(len & (blocksize - 1))) { 41 error_setg(errp, "Length %zu must be a multiple of block size %zu", 42 len, blocksize); 43 return false; 44 } 45 return true; 46} 47 48 49static void qcrypto_cipher_ctx_free(QCryptoCipher *ctx) 50{ 51 g_free(ctx); 52} 53 54static int qcrypto_cipher_no_setiv(QCryptoCipher *cipher, 55 const uint8_t *iv, size_t niv, 56 Error **errp) 57{ 58 error_setg(errp, "Setting IV is not supported"); 59 return -1; 60} 61 62 63#define DEFINE_SETIV(NAME, TYPE, BLEN) \ 64static int NAME##_setiv(QCryptoCipher *cipher, const uint8_t *iv, \ 65 size_t niv, Error **errp) \ 66{ \ 67 TYPE *ctx = container_of(cipher, TYPE, base); \ 68 if (niv != BLEN) { \ 69 error_setg(errp, "Expected IV size %d not %zu", BLEN, niv); \ 70 return -1; \ 71 } \ 72 memcpy(ctx->iv, iv, niv); \ 73 return 0; \ 74} 75 76 77#define DEFINE_ECB(NAME, TYPE, BLEN, ENCRYPT, DECRYPT) \ 78static int NAME##_encrypt_ecb(QCryptoCipher *cipher, const void *in, \ 79 void *out, size_t len, Error **errp) \ 80{ \ 81 TYPE *ctx = container_of(cipher, TYPE, base); \ 82 if (!qcrypto_length_check(len, BLEN, errp)) { \ 83 return -1; \ 84 } \ 85 ENCRYPT(&ctx->key, len, out, in); \ 86 return 0; \ 87} \ 88static int NAME##_decrypt_ecb(QCryptoCipher *cipher, const void *in, \ 89 void *out, size_t len, Error **errp) \ 90{ \ 91 TYPE *ctx = container_of(cipher, TYPE, base); \ 92 if (!qcrypto_length_check(len, BLEN, errp)) { \ 93 return -1; \ 94 } \ 95 DECRYPT(&ctx->key, len, out, in); \ 96 return 0; \ 97} \ 98static const struct QCryptoCipherDriver NAME##_driver_ecb = { \ 99 .cipher_encrypt = NAME##_encrypt_ecb, \ 100 .cipher_decrypt = NAME##_decrypt_ecb, \ 101 .cipher_setiv = qcrypto_cipher_no_setiv, \ 102 .cipher_free = qcrypto_cipher_ctx_free, \ 103}; 104 105 106#define DEFINE_CBC(NAME, TYPE, BLEN, ENCRYPT, DECRYPT) \ 107static int NAME##_encrypt_cbc(QCryptoCipher *cipher, const void *in, \ 108 void *out, size_t len, Error **errp) \ 109{ \ 110 TYPE *ctx = container_of(cipher, TYPE, base); \ 111 if (!qcrypto_length_check(len, BLEN, errp)) { \ 112 return -1; \ 113 } \ 114 cbc_encrypt(&ctx->key, ENCRYPT, BLEN, ctx->iv, len, out, in); \ 115 return 0; \ 116} \ 117static int NAME##_decrypt_cbc(QCryptoCipher *cipher, const void *in, \ 118 void *out, size_t len, Error **errp) \ 119{ \ 120 TYPE *ctx = container_of(cipher, TYPE, base); \ 121 if (!qcrypto_length_check(len, BLEN, errp)) { \ 122 return -1; \ 123 } \ 124 cbc_decrypt(&ctx->key, DECRYPT, BLEN, ctx->iv, len, out, in); \ 125 return 0; \ 126} \ 127static const struct QCryptoCipherDriver NAME##_driver_cbc = { \ 128 .cipher_encrypt = NAME##_encrypt_cbc, \ 129 .cipher_decrypt = NAME##_decrypt_cbc, \ 130 .cipher_setiv = NAME##_setiv, \ 131 .cipher_free = qcrypto_cipher_ctx_free, \ 132}; 133 134 135#define DEFINE_CTR(NAME, TYPE, BLEN, ENCRYPT) \ 136static int NAME##_encrypt_ctr(QCryptoCipher *cipher, const void *in, \ 137 void *out, size_t len, Error **errp) \ 138{ \ 139 TYPE *ctx = container_of(cipher, TYPE, base); \ 140 if (!qcrypto_length_check(len, BLEN, errp)) { \ 141 return -1; \ 142 } \ 143 ctr_crypt(&ctx->key, ENCRYPT, BLEN, ctx->iv, len, out, in); \ 144 return 0; \ 145} \ 146static const struct QCryptoCipherDriver NAME##_driver_ctr = { \ 147 .cipher_encrypt = NAME##_encrypt_ctr, \ 148 .cipher_decrypt = NAME##_encrypt_ctr, \ 149 .cipher_setiv = NAME##_setiv, \ 150 .cipher_free = qcrypto_cipher_ctx_free, \ 151}; 152 153 154#ifdef CONFIG_QEMU_PRIVATE_XTS 155#define DEFINE__XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT) \ 156static void NAME##_xts_wrape(const void *ctx, size_t length, \ 157 uint8_t *dst, const uint8_t *src) \ 158{ \ 159 ENCRYPT((const void *)ctx, length, dst, src); \ 160} \ 161static void NAME##_xts_wrapd(const void *ctx, size_t length, \ 162 uint8_t *dst, const uint8_t *src) \ 163{ \ 164 DECRYPT((const void *)ctx, length, dst, src); \ 165} \ 166static int NAME##_encrypt_xts(QCryptoCipher *cipher, const void *in, \ 167 void *out, size_t len, Error **errp) \ 168{ \ 169 TYPE *ctx = container_of(cipher, TYPE, base); \ 170 if (!qcrypto_length_check(len, BLEN, errp)) { \ 171 return -1; \ 172 } \ 173 xts_encrypt(&ctx->key, &ctx->key_xts, \ 174 NAME##_xts_wrape, NAME##_xts_wrapd, \ 175 ctx->iv, len, out, in); \ 176 return 0; \ 177} \ 178static int NAME##_decrypt_xts(QCryptoCipher *cipher, const void *in, \ 179 void *out, size_t len, Error **errp) \ 180{ \ 181 TYPE *ctx = container_of(cipher, TYPE, base); \ 182 if (!qcrypto_length_check(len, BLEN, errp)) { \ 183 return -1; \ 184 } \ 185 xts_decrypt(&ctx->key, &ctx->key_xts, \ 186 NAME##_xts_wrape, NAME##_xts_wrapd, \ 187 ctx->iv, len, out, in); \ 188 return 0; \ 189} 190#else 191#define DEFINE__XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT) \ 192static int NAME##_encrypt_xts(QCryptoCipher *cipher, const void *in, \ 193 void *out, size_t len, Error **errp) \ 194{ \ 195 TYPE *ctx = container_of(cipher, TYPE, base); \ 196 if (!qcrypto_length_check(len, BLEN, errp)) { \ 197 return -1; \ 198 } \ 199 xts_encrypt_message(&ctx->key, &ctx->key_xts, ENCRYPT, \ 200 ctx->iv, len, out, in); \ 201 return 0; \ 202} \ 203static int NAME##_decrypt_xts(QCryptoCipher *cipher, const void *in, \ 204 void *out, size_t len, Error **errp) \ 205{ \ 206 TYPE *ctx = container_of(cipher, TYPE, base); \ 207 if (!qcrypto_length_check(len, BLEN, errp)) { \ 208 return -1; \ 209 } \ 210 xts_decrypt_message(&ctx->key, &ctx->key_xts, DECRYPT, ENCRYPT, \ 211 ctx->iv, len, out, in); \ 212 return 0; \ 213} 214#endif 215 216#define DEFINE_XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT) \ 217 QEMU_BUILD_BUG_ON(BLEN != XTS_BLOCK_SIZE); \ 218 DEFINE__XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT) \ 219static const struct QCryptoCipherDriver NAME##_driver_xts = { \ 220 .cipher_encrypt = NAME##_encrypt_xts, \ 221 .cipher_decrypt = NAME##_decrypt_xts, \ 222 .cipher_setiv = NAME##_setiv, \ 223 .cipher_free = qcrypto_cipher_ctx_free, \ 224}; 225 226 227#define DEFINE_ECB_CBC_CTR(NAME, TYPE, BLEN, ENCRYPT, DECRYPT) \ 228 DEFINE_SETIV(NAME, TYPE, BLEN) \ 229 DEFINE_ECB(NAME, TYPE, BLEN, ENCRYPT, DECRYPT) \ 230 DEFINE_CBC(NAME, TYPE, BLEN, ENCRYPT, DECRYPT) \ 231 DEFINE_CTR(NAME, TYPE, BLEN, ENCRYPT) 232 233#define DEFINE_ECB_CBC_CTR_XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT) \ 234 DEFINE_ECB_CBC_CTR(NAME, TYPE, BLEN, ENCRYPT, DECRYPT) \ 235 DEFINE_XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT) 236 237 238typedef struct QCryptoNettleDES { 239 QCryptoCipher base; 240 struct des_ctx key; 241 uint8_t iv[DES_BLOCK_SIZE]; 242} QCryptoNettleDES; 243 244static void des_encrypt_native(const void *ctx, size_t length, 245 uint8_t *dst, const uint8_t *src) 246{ 247 des_encrypt(ctx, length, dst, src); 248} 249 250static void des_decrypt_native(const void *ctx, size_t length, 251 uint8_t *dst, const uint8_t *src) 252{ 253 des_decrypt(ctx, length, dst, src); 254} 255 256DEFINE_ECB_CBC_CTR(qcrypto_nettle_des, QCryptoNettleDES, 257 DES_BLOCK_SIZE, des_encrypt_native, des_decrypt_native) 258 259 260typedef struct QCryptoNettleDES3 { 261 QCryptoCipher base; 262 struct des3_ctx key; 263 uint8_t iv[DES3_BLOCK_SIZE]; 264} QCryptoNettleDES3; 265 266static void des3_encrypt_native(const void *ctx, size_t length, 267 uint8_t *dst, const uint8_t *src) 268{ 269 des3_encrypt(ctx, length, dst, src); 270} 271 272static void des3_decrypt_native(const void *ctx, size_t length, 273 uint8_t *dst, const uint8_t *src) 274{ 275 des3_decrypt(ctx, length, dst, src); 276} 277 278DEFINE_ECB_CBC_CTR(qcrypto_nettle_des3, QCryptoNettleDES3, DES3_BLOCK_SIZE, 279 des3_encrypt_native, des3_decrypt_native) 280 281 282typedef struct QCryptoNettleAES128 { 283 QCryptoCipher base; 284 uint8_t iv[AES_BLOCK_SIZE]; 285 /* First key from pair is encode, second key is decode. */ 286 struct aes128_ctx key[2], key_xts[2]; 287} QCryptoNettleAES128; 288 289static void aes128_encrypt_native(const void *ctx, size_t length, 290 uint8_t *dst, const uint8_t *src) 291{ 292 const struct aes128_ctx *keys = ctx; 293 aes128_encrypt(&keys[0], length, dst, src); 294} 295 296static void aes128_decrypt_native(const void *ctx, size_t length, 297 uint8_t *dst, const uint8_t *src) 298{ 299 const struct aes128_ctx *keys = ctx; 300 aes128_decrypt(&keys[1], length, dst, src); 301} 302 303DEFINE_ECB_CBC_CTR_XTS(qcrypto_nettle_aes128, 304 QCryptoNettleAES128, AES_BLOCK_SIZE, 305 aes128_encrypt_native, aes128_decrypt_native) 306 307 308typedef struct QCryptoNettleAES192 { 309 QCryptoCipher base; 310 uint8_t iv[AES_BLOCK_SIZE]; 311 /* First key from pair is encode, second key is decode. */ 312 struct aes192_ctx key[2], key_xts[2]; 313} QCryptoNettleAES192; 314 315static void aes192_encrypt_native(const void *ctx, size_t length, 316 uint8_t *dst, const uint8_t *src) 317{ 318 const struct aes192_ctx *keys = ctx; 319 aes192_encrypt(&keys[0], length, dst, src); 320} 321 322static void aes192_decrypt_native(const void *ctx, size_t length, 323 uint8_t *dst, const uint8_t *src) 324{ 325 const struct aes192_ctx *keys = ctx; 326 aes192_decrypt(&keys[1], length, dst, src); 327} 328 329DEFINE_ECB_CBC_CTR_XTS(qcrypto_nettle_aes192, 330 QCryptoNettleAES192, AES_BLOCK_SIZE, 331 aes192_encrypt_native, aes192_decrypt_native) 332 333 334typedef struct QCryptoNettleAES256 { 335 QCryptoCipher base; 336 uint8_t iv[AES_BLOCK_SIZE]; 337 /* First key from pair is encode, second key is decode. */ 338 struct aes256_ctx key[2], key_xts[2]; 339} QCryptoNettleAES256; 340 341static void aes256_encrypt_native(const void *ctx, size_t length, 342 uint8_t *dst, const uint8_t *src) 343{ 344 const struct aes256_ctx *keys = ctx; 345 aes256_encrypt(&keys[0], length, dst, src); 346} 347 348static void aes256_decrypt_native(const void *ctx, size_t length, 349 uint8_t *dst, const uint8_t *src) 350{ 351 const struct aes256_ctx *keys = ctx; 352 aes256_decrypt(&keys[1], length, dst, src); 353} 354 355DEFINE_ECB_CBC_CTR_XTS(qcrypto_nettle_aes256, 356 QCryptoNettleAES256, AES_BLOCK_SIZE, 357 aes256_encrypt_native, aes256_decrypt_native) 358 359 360typedef struct QCryptoNettleCAST128 { 361 QCryptoCipher base; 362 uint8_t iv[CAST128_BLOCK_SIZE]; 363 struct cast128_ctx key, key_xts; 364} QCryptoNettleCAST128; 365 366static void cast128_encrypt_native(const void *ctx, size_t length, 367 uint8_t *dst, const uint8_t *src) 368{ 369 cast128_encrypt(ctx, length, dst, src); 370} 371 372static void cast128_decrypt_native(const void *ctx, size_t length, 373 uint8_t *dst, const uint8_t *src) 374{ 375 cast128_decrypt(ctx, length, dst, src); 376} 377 378DEFINE_ECB_CBC_CTR(qcrypto_nettle_cast128, 379 QCryptoNettleCAST128, CAST128_BLOCK_SIZE, 380 cast128_encrypt_native, cast128_decrypt_native) 381 382 383typedef struct QCryptoNettleSerpent { 384 QCryptoCipher base; 385 uint8_t iv[SERPENT_BLOCK_SIZE]; 386 struct serpent_ctx key, key_xts; 387} QCryptoNettleSerpent; 388 389 390static void serpent_encrypt_native(const void *ctx, size_t length, 391 uint8_t *dst, const uint8_t *src) 392{ 393 serpent_encrypt(ctx, length, dst, src); 394} 395 396static void serpent_decrypt_native(const void *ctx, size_t length, 397 uint8_t *dst, const uint8_t *src) 398{ 399 serpent_decrypt(ctx, length, dst, src); 400} 401 402DEFINE_ECB_CBC_CTR_XTS(qcrypto_nettle_serpent, 403 QCryptoNettleSerpent, SERPENT_BLOCK_SIZE, 404 serpent_encrypt_native, serpent_decrypt_native) 405 406 407typedef struct QCryptoNettleTwofish { 408 QCryptoCipher base; 409 uint8_t iv[TWOFISH_BLOCK_SIZE]; 410 struct twofish_ctx key, key_xts; 411} QCryptoNettleTwofish; 412 413static void twofish_encrypt_native(const void *ctx, size_t length, 414 uint8_t *dst, const uint8_t *src) 415{ 416 twofish_encrypt(ctx, length, dst, src); 417} 418 419static void twofish_decrypt_native(const void *ctx, size_t length, 420 uint8_t *dst, const uint8_t *src) 421{ 422 twofish_decrypt(ctx, length, dst, src); 423} 424 425DEFINE_ECB_CBC_CTR_XTS(qcrypto_nettle_twofish, 426 QCryptoNettleTwofish, TWOFISH_BLOCK_SIZE, 427 twofish_encrypt_native, twofish_decrypt_native) 428 429 430bool qcrypto_cipher_supports(QCryptoCipherAlgorithm alg, 431 QCryptoCipherMode mode) 432{ 433 switch (alg) { 434 case QCRYPTO_CIPHER_ALG_DES: 435 case QCRYPTO_CIPHER_ALG_3DES: 436 case QCRYPTO_CIPHER_ALG_AES_128: 437 case QCRYPTO_CIPHER_ALG_AES_192: 438 case QCRYPTO_CIPHER_ALG_AES_256: 439 case QCRYPTO_CIPHER_ALG_CAST5_128: 440 case QCRYPTO_CIPHER_ALG_SERPENT_128: 441 case QCRYPTO_CIPHER_ALG_SERPENT_192: 442 case QCRYPTO_CIPHER_ALG_SERPENT_256: 443 case QCRYPTO_CIPHER_ALG_TWOFISH_128: 444 case QCRYPTO_CIPHER_ALG_TWOFISH_192: 445 case QCRYPTO_CIPHER_ALG_TWOFISH_256: 446 break; 447 default: 448 return false; 449 } 450 451 switch (mode) { 452 case QCRYPTO_CIPHER_MODE_ECB: 453 case QCRYPTO_CIPHER_MODE_CBC: 454 case QCRYPTO_CIPHER_MODE_XTS: 455 case QCRYPTO_CIPHER_MODE_CTR: 456 return true; 457 default: 458 return false; 459 } 460} 461 462static QCryptoCipher *qcrypto_cipher_ctx_new(QCryptoCipherAlgorithm alg, 463 QCryptoCipherMode mode, 464 const uint8_t *key, 465 size_t nkey, 466 Error **errp) 467{ 468 switch (mode) { 469 case QCRYPTO_CIPHER_MODE_ECB: 470 case QCRYPTO_CIPHER_MODE_CBC: 471 case QCRYPTO_CIPHER_MODE_XTS: 472 case QCRYPTO_CIPHER_MODE_CTR: 473 break; 474 default: 475 goto bad_cipher_mode; 476 } 477 478 if (!qcrypto_cipher_validate_key_length(alg, mode, nkey, errp)) { 479 return NULL; 480 } 481 482 switch (alg) { 483 case QCRYPTO_CIPHER_ALG_DES: 484 { 485 QCryptoNettleDES *ctx; 486 const QCryptoCipherDriver *drv; 487 488 switch (mode) { 489 case QCRYPTO_CIPHER_MODE_ECB: 490 drv = &qcrypto_nettle_des_driver_ecb; 491 break; 492 case QCRYPTO_CIPHER_MODE_CBC: 493 drv = &qcrypto_nettle_des_driver_cbc; 494 break; 495 case QCRYPTO_CIPHER_MODE_CTR: 496 drv = &qcrypto_nettle_des_driver_ctr; 497 break; 498 default: 499 goto bad_cipher_mode; 500 } 501 502 ctx = g_new0(QCryptoNettleDES, 1); 503 ctx->base.driver = drv; 504 des_set_key(&ctx->key, key); 505 506 return &ctx->base; 507 } 508 509 case QCRYPTO_CIPHER_ALG_3DES: 510 { 511 QCryptoNettleDES3 *ctx; 512 const QCryptoCipherDriver *drv; 513 514 switch (mode) { 515 case QCRYPTO_CIPHER_MODE_ECB: 516 drv = &qcrypto_nettle_des3_driver_ecb; 517 break; 518 case QCRYPTO_CIPHER_MODE_CBC: 519 drv = &qcrypto_nettle_des3_driver_cbc; 520 break; 521 case QCRYPTO_CIPHER_MODE_CTR: 522 drv = &qcrypto_nettle_des3_driver_ctr; 523 break; 524 default: 525 goto bad_cipher_mode; 526 } 527 528 ctx = g_new0(QCryptoNettleDES3, 1); 529 ctx->base.driver = drv; 530 des3_set_key(&ctx->key, key); 531 return &ctx->base; 532 } 533 534 case QCRYPTO_CIPHER_ALG_AES_128: 535 { 536 QCryptoNettleAES128 *ctx = g_new0(QCryptoNettleAES128, 1); 537 538 switch (mode) { 539 case QCRYPTO_CIPHER_MODE_ECB: 540 ctx->base.driver = &qcrypto_nettle_aes128_driver_ecb; 541 break; 542 case QCRYPTO_CIPHER_MODE_CBC: 543 ctx->base.driver = &qcrypto_nettle_aes128_driver_cbc; 544 break; 545 case QCRYPTO_CIPHER_MODE_CTR: 546 ctx->base.driver = &qcrypto_nettle_aes128_driver_ctr; 547 break; 548 case QCRYPTO_CIPHER_MODE_XTS: 549 ctx->base.driver = &qcrypto_nettle_aes128_driver_xts; 550 nkey /= 2; 551 aes128_set_encrypt_key(&ctx->key_xts[0], key + nkey); 552 aes128_set_decrypt_key(&ctx->key_xts[1], key + nkey); 553 break; 554 default: 555 g_assert_not_reached(); 556 } 557 aes128_set_encrypt_key(&ctx->key[0], key); 558 aes128_set_decrypt_key(&ctx->key[1], key); 559 560 return &ctx->base; 561 } 562 563 case QCRYPTO_CIPHER_ALG_AES_192: 564 { 565 QCryptoNettleAES192 *ctx = g_new0(QCryptoNettleAES192, 1); 566 567 switch (mode) { 568 case QCRYPTO_CIPHER_MODE_ECB: 569 ctx->base.driver = &qcrypto_nettle_aes192_driver_ecb; 570 break; 571 case QCRYPTO_CIPHER_MODE_CBC: 572 ctx->base.driver = &qcrypto_nettle_aes192_driver_cbc; 573 break; 574 case QCRYPTO_CIPHER_MODE_CTR: 575 ctx->base.driver = &qcrypto_nettle_aes192_driver_ctr; 576 break; 577 case QCRYPTO_CIPHER_MODE_XTS: 578 ctx->base.driver = &qcrypto_nettle_aes192_driver_xts; 579 nkey /= 2; 580 aes192_set_encrypt_key(&ctx->key_xts[0], key + nkey); 581 aes192_set_decrypt_key(&ctx->key_xts[1], key + nkey); 582 break; 583 default: 584 g_assert_not_reached(); 585 } 586 aes192_set_encrypt_key(&ctx->key[0], key); 587 aes192_set_decrypt_key(&ctx->key[1], key); 588 589 return &ctx->base; 590 } 591 592 case QCRYPTO_CIPHER_ALG_AES_256: 593 { 594 QCryptoNettleAES256 *ctx = g_new0(QCryptoNettleAES256, 1); 595 596 switch (mode) { 597 case QCRYPTO_CIPHER_MODE_ECB: 598 ctx->base.driver = &qcrypto_nettle_aes256_driver_ecb; 599 break; 600 case QCRYPTO_CIPHER_MODE_CBC: 601 ctx->base.driver = &qcrypto_nettle_aes256_driver_cbc; 602 break; 603 case QCRYPTO_CIPHER_MODE_CTR: 604 ctx->base.driver = &qcrypto_nettle_aes256_driver_ctr; 605 break; 606 case QCRYPTO_CIPHER_MODE_XTS: 607 ctx->base.driver = &qcrypto_nettle_aes256_driver_xts; 608 nkey /= 2; 609 aes256_set_encrypt_key(&ctx->key_xts[0], key + nkey); 610 aes256_set_decrypt_key(&ctx->key_xts[1], key + nkey); 611 break; 612 default: 613 g_assert_not_reached(); 614 } 615 aes256_set_encrypt_key(&ctx->key[0], key); 616 aes256_set_decrypt_key(&ctx->key[1], key); 617 618 return &ctx->base; 619 } 620 621 case QCRYPTO_CIPHER_ALG_CAST5_128: 622 { 623 QCryptoNettleCAST128 *ctx; 624 const QCryptoCipherDriver *drv; 625 626 switch (mode) { 627 case QCRYPTO_CIPHER_MODE_ECB: 628 drv = &qcrypto_nettle_cast128_driver_ecb; 629 break; 630 case QCRYPTO_CIPHER_MODE_CBC: 631 drv = &qcrypto_nettle_cast128_driver_cbc; 632 break; 633 case QCRYPTO_CIPHER_MODE_CTR: 634 drv = &qcrypto_nettle_cast128_driver_ctr; 635 break; 636 default: 637 goto bad_cipher_mode; 638 } 639 640 ctx = g_new0(QCryptoNettleCAST128, 1); 641 ctx->base.driver = drv; 642 cast5_set_key(&ctx->key, nkey, key); 643 644 return &ctx->base; 645 } 646 647 case QCRYPTO_CIPHER_ALG_SERPENT_128: 648 case QCRYPTO_CIPHER_ALG_SERPENT_192: 649 case QCRYPTO_CIPHER_ALG_SERPENT_256: 650 { 651 QCryptoNettleSerpent *ctx = g_new0(QCryptoNettleSerpent, 1); 652 653 switch (mode) { 654 case QCRYPTO_CIPHER_MODE_ECB: 655 ctx->base.driver = &qcrypto_nettle_serpent_driver_ecb; 656 break; 657 case QCRYPTO_CIPHER_MODE_CBC: 658 ctx->base.driver = &qcrypto_nettle_serpent_driver_cbc; 659 break; 660 case QCRYPTO_CIPHER_MODE_CTR: 661 ctx->base.driver = &qcrypto_nettle_serpent_driver_ctr; 662 break; 663 case QCRYPTO_CIPHER_MODE_XTS: 664 ctx->base.driver = &qcrypto_nettle_serpent_driver_xts; 665 nkey /= 2; 666 serpent_set_key(&ctx->key_xts, nkey, key + nkey); 667 break; 668 default: 669 g_assert_not_reached(); 670 } 671 serpent_set_key(&ctx->key, nkey, key); 672 673 return &ctx->base; 674 } 675 676 case QCRYPTO_CIPHER_ALG_TWOFISH_128: 677 case QCRYPTO_CIPHER_ALG_TWOFISH_192: 678 case QCRYPTO_CIPHER_ALG_TWOFISH_256: 679 { 680 QCryptoNettleTwofish *ctx = g_new0(QCryptoNettleTwofish, 1); 681 682 switch (mode) { 683 case QCRYPTO_CIPHER_MODE_ECB: 684 ctx->base.driver = &qcrypto_nettle_twofish_driver_ecb; 685 break; 686 case QCRYPTO_CIPHER_MODE_CBC: 687 ctx->base.driver = &qcrypto_nettle_twofish_driver_cbc; 688 break; 689 case QCRYPTO_CIPHER_MODE_CTR: 690 ctx->base.driver = &qcrypto_nettle_twofish_driver_ctr; 691 break; 692 case QCRYPTO_CIPHER_MODE_XTS: 693 ctx->base.driver = &qcrypto_nettle_twofish_driver_xts; 694 nkey /= 2; 695 twofish_set_key(&ctx->key_xts, nkey, key + nkey); 696 break; 697 default: 698 g_assert_not_reached(); 699 } 700 twofish_set_key(&ctx->key, nkey, key); 701 702 return &ctx->base; 703 } 704 705 default: 706 error_setg(errp, "Unsupported cipher algorithm %s", 707 QCryptoCipherAlgorithm_str(alg)); 708 return NULL; 709 } 710 711 bad_cipher_mode: 712 error_setg(errp, "Unsupported cipher mode %s", 713 QCryptoCipherMode_str(mode)); 714 return NULL; 715} 716