qemu/crypto/cipher-nettle.c
<<
>>
Prefs
   1/*
   2 * QEMU Crypto cipher nettle algorithms
   3 *
   4 * Copyright (c) 2015 Red Hat, Inc.
   5 *
   6 * This library is free software; you can redistribute it and/or
   7 * modify it under the terms of the GNU Lesser General Public
   8 * License as published by the Free Software Foundation; either
   9 * version 2.1 of the License, or (at your option) any later version.
  10 *
  11 * This library is distributed in the hope that it will be useful,
  12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  14 * Lesser General Public License for more details.
  15 *
  16 * You should have received a copy of the GNU Lesser General Public
  17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
  18 *
  19 */
  20
  21#include "qemu/osdep.h"
  22#ifdef CONFIG_QEMU_PRIVATE_XTS
  23#include "crypto/xts.h"
  24#endif
  25#include "cipherpriv.h"
  26
  27#include <nettle/nettle-types.h>
  28#include <nettle/aes.h>
  29#include <nettle/des.h>
  30#include <nettle/cbc.h>
  31#include <nettle/cast128.h>
  32#include <nettle/serpent.h>
  33#include <nettle/twofish.h>
  34#include <nettle/ctr.h>
  35#ifndef CONFIG_QEMU_PRIVATE_XTS
  36#include <nettle/xts.h>
  37#endif
  38
  39typedef void (*QCryptoCipherNettleFuncWrapper)(const void *ctx,
  40                                               size_t length,
  41                                               uint8_t *dst,
  42                                               const uint8_t *src);
  43
  44#if CONFIG_NETTLE_VERSION_MAJOR < 3
  45typedef nettle_crypt_func * QCryptoCipherNettleFuncNative;
  46typedef void *       cipher_ctx_t;
  47typedef unsigned     cipher_length_t;
  48
  49#define cast5_set_key cast128_set_key
  50
  51#define aes128_ctx aes_ctx
  52#define aes192_ctx aes_ctx
  53#define aes256_ctx aes_ctx
  54#define aes128_set_encrypt_key(c, k) \
  55    aes_set_encrypt_key(c, 16, k)
  56#define aes192_set_encrypt_key(c, k) \
  57    aes_set_encrypt_key(c, 24, k)
  58#define aes256_set_encrypt_key(c, k) \
  59    aes_set_encrypt_key(c, 32, k)
  60#define aes128_set_decrypt_key(c, k) \
  61    aes_set_decrypt_key(c, 16, k)
  62#define aes192_set_decrypt_key(c, k) \
  63    aes_set_decrypt_key(c, 24, k)
  64#define aes256_set_decrypt_key(c, k) \
  65    aes_set_decrypt_key(c, 32, k)
  66#define aes128_encrypt aes_encrypt
  67#define aes192_encrypt aes_encrypt
  68#define aes256_encrypt aes_encrypt
  69#define aes128_decrypt aes_decrypt
  70#define aes192_decrypt aes_decrypt
  71#define aes256_decrypt aes_decrypt
  72#else
  73typedef nettle_cipher_func * QCryptoCipherNettleFuncNative;
  74typedef const void * cipher_ctx_t;
  75typedef size_t       cipher_length_t;
  76#endif
  77
  78typedef struct QCryptoNettleAES128 {
  79    struct aes128_ctx enc;
  80    struct aes128_ctx dec;
  81} QCryptoNettleAES128;
  82
  83typedef struct QCryptoNettleAES192 {
  84    struct aes192_ctx enc;
  85    struct aes192_ctx dec;
  86} QCryptoNettleAES192;
  87
  88typedef struct QCryptoNettleAES256 {
  89    struct aes256_ctx enc;
  90    struct aes256_ctx dec;
  91} QCryptoNettleAES256;
  92
  93static void aes128_encrypt_native(cipher_ctx_t ctx, cipher_length_t length,
  94                                  uint8_t *dst, const uint8_t *src)
  95{
  96    const QCryptoNettleAES128 *aesctx = ctx;
  97    aes128_encrypt(&aesctx->enc, length, dst, src);
  98}
  99
 100static void aes128_decrypt_native(cipher_ctx_t ctx, cipher_length_t length,
 101                                  uint8_t *dst, const uint8_t *src)
 102{
 103    const QCryptoNettleAES128 *aesctx = ctx;
 104    aes128_decrypt(&aesctx->dec, length, dst, src);
 105}
 106
 107static void aes192_encrypt_native(cipher_ctx_t ctx, cipher_length_t length,
 108                               uint8_t *dst, const uint8_t *src)
 109{
 110    const QCryptoNettleAES192 *aesctx = ctx;
 111    aes192_encrypt(&aesctx->enc, length, dst, src);
 112}
 113
 114static void aes192_decrypt_native(cipher_ctx_t ctx, cipher_length_t length,
 115                               uint8_t *dst, const uint8_t *src)
 116{
 117    const QCryptoNettleAES192 *aesctx = ctx;
 118    aes192_decrypt(&aesctx->dec, length, dst, src);
 119}
 120
 121static void aes256_encrypt_native(cipher_ctx_t ctx, cipher_length_t length,
 122                               uint8_t *dst, const uint8_t *src)
 123{
 124    const QCryptoNettleAES256 *aesctx = ctx;
 125    aes256_encrypt(&aesctx->enc, length, dst, src);
 126}
 127
 128static void aes256_decrypt_native(cipher_ctx_t ctx, cipher_length_t length,
 129                               uint8_t *dst, const uint8_t *src)
 130{
 131    const QCryptoNettleAES256 *aesctx = ctx;
 132    aes256_decrypt(&aesctx->dec, length, dst, src);
 133}
 134
 135static void des_encrypt_native(cipher_ctx_t ctx, cipher_length_t length,
 136                               uint8_t *dst, const uint8_t *src)
 137{
 138    des_encrypt(ctx, length, dst, src);
 139}
 140
 141static void des_decrypt_native(cipher_ctx_t ctx, cipher_length_t length,
 142                               uint8_t *dst, const uint8_t *src)
 143{
 144    des_decrypt(ctx, length, dst, src);
 145}
 146
 147static void des3_encrypt_native(cipher_ctx_t ctx, cipher_length_t length,
 148                                uint8_t *dst, const uint8_t *src)
 149{
 150    des3_encrypt(ctx, length, dst, src);
 151}
 152
 153static void des3_decrypt_native(cipher_ctx_t ctx, cipher_length_t length,
 154                                uint8_t *dst, const uint8_t *src)
 155{
 156    des3_decrypt(ctx, length, dst, src);
 157}
 158
 159static void cast128_encrypt_native(cipher_ctx_t ctx, cipher_length_t length,
 160                                   uint8_t *dst, const uint8_t *src)
 161{
 162    cast128_encrypt(ctx, length, dst, src);
 163}
 164
 165static void cast128_decrypt_native(cipher_ctx_t ctx, cipher_length_t length,
 166                                   uint8_t *dst, const uint8_t *src)
 167{
 168    cast128_decrypt(ctx, length, dst, src);
 169}
 170
 171static void serpent_encrypt_native(cipher_ctx_t ctx, cipher_length_t length,
 172                                   uint8_t *dst, const uint8_t *src)
 173{
 174    serpent_encrypt(ctx, length, dst, src);
 175}
 176
 177static void serpent_decrypt_native(cipher_ctx_t ctx, cipher_length_t length,
 178                                   uint8_t *dst, const uint8_t *src)
 179{
 180    serpent_decrypt(ctx, length, dst, src);
 181}
 182
 183static void twofish_encrypt_native(cipher_ctx_t ctx, cipher_length_t length,
 184                                   uint8_t *dst, const uint8_t *src)
 185{
 186    twofish_encrypt(ctx, length, dst, src);
 187}
 188
 189static void twofish_decrypt_native(cipher_ctx_t ctx, cipher_length_t length,
 190                                   uint8_t *dst, const uint8_t *src)
 191{
 192    twofish_decrypt(ctx, length, dst, src);
 193}
 194
 195static void aes128_encrypt_wrapper(const void *ctx, size_t length,
 196                                uint8_t *dst, const uint8_t *src)
 197{
 198    const QCryptoNettleAES128 *aesctx = ctx;
 199    aes128_encrypt(&aesctx->enc, length, dst, src);
 200}
 201
 202static void aes128_decrypt_wrapper(const void *ctx, size_t length,
 203                                uint8_t *dst, const uint8_t *src)
 204{
 205    const QCryptoNettleAES128 *aesctx = ctx;
 206    aes128_decrypt(&aesctx->dec, length, dst, src);
 207}
 208
 209static void aes192_encrypt_wrapper(const void *ctx, size_t length,
 210                                uint8_t *dst, const uint8_t *src)
 211{
 212    const QCryptoNettleAES192 *aesctx = ctx;
 213    aes192_encrypt(&aesctx->enc, length, dst, src);
 214}
 215
 216static void aes192_decrypt_wrapper(const void *ctx, size_t length,
 217                                uint8_t *dst, const uint8_t *src)
 218{
 219    const QCryptoNettleAES192 *aesctx = ctx;
 220    aes192_decrypt(&aesctx->dec, length, dst, src);
 221}
 222
 223static void aes256_encrypt_wrapper(const void *ctx, size_t length,
 224                                uint8_t *dst, const uint8_t *src)
 225{
 226    const QCryptoNettleAES256 *aesctx = ctx;
 227    aes256_encrypt(&aesctx->enc, length, dst, src);
 228}
 229
 230static void aes256_decrypt_wrapper(const void *ctx, size_t length,
 231                                uint8_t *dst, const uint8_t *src)
 232{
 233    const QCryptoNettleAES256 *aesctx = ctx;
 234    aes256_decrypt(&aesctx->dec, length, dst, src);
 235}
 236
 237static void des_encrypt_wrapper(const void *ctx, size_t length,
 238                                uint8_t *dst, const uint8_t *src)
 239{
 240    des_encrypt(ctx, length, dst, src);
 241}
 242
 243static void des_decrypt_wrapper(const void *ctx, size_t length,
 244                                uint8_t *dst, const uint8_t *src)
 245{
 246    des_decrypt(ctx, length, dst, src);
 247}
 248
 249static void des3_encrypt_wrapper(const void *ctx, size_t length,
 250                                uint8_t *dst, const uint8_t *src)
 251{
 252    des3_encrypt(ctx, length, dst, src);
 253}
 254
 255static void des3_decrypt_wrapper(const void *ctx, size_t length,
 256                                uint8_t *dst, const uint8_t *src)
 257{
 258    des3_decrypt(ctx, length, dst, src);
 259}
 260
 261static void cast128_encrypt_wrapper(const void *ctx, size_t length,
 262                                    uint8_t *dst, const uint8_t *src)
 263{
 264    cast128_encrypt(ctx, length, dst, src);
 265}
 266
 267static void cast128_decrypt_wrapper(const void *ctx, size_t length,
 268                                    uint8_t *dst, const uint8_t *src)
 269{
 270    cast128_decrypt(ctx, length, dst, src);
 271}
 272
 273static void serpent_encrypt_wrapper(const void *ctx, size_t length,
 274                                    uint8_t *dst, const uint8_t *src)
 275{
 276    serpent_encrypt(ctx, length, dst, src);
 277}
 278
 279static void serpent_decrypt_wrapper(const void *ctx, size_t length,
 280                                    uint8_t *dst, const uint8_t *src)
 281{
 282    serpent_decrypt(ctx, length, dst, src);
 283}
 284
 285static void twofish_encrypt_wrapper(const void *ctx, size_t length,
 286                                    uint8_t *dst, const uint8_t *src)
 287{
 288    twofish_encrypt(ctx, length, dst, src);
 289}
 290
 291static void twofish_decrypt_wrapper(const void *ctx, size_t length,
 292                                    uint8_t *dst, const uint8_t *src)
 293{
 294    twofish_decrypt(ctx, length, dst, src);
 295}
 296
 297typedef struct QCryptoCipherNettle QCryptoCipherNettle;
 298struct QCryptoCipherNettle {
 299    /* Primary cipher context for all modes */
 300    void *ctx;
 301    /* Second cipher context for XTS mode only */
 302    void *ctx_tweak;
 303    /* Cipher callbacks for both contexts */
 304    QCryptoCipherNettleFuncNative alg_encrypt_native;
 305    QCryptoCipherNettleFuncNative alg_decrypt_native;
 306    QCryptoCipherNettleFuncWrapper alg_encrypt_wrapper;
 307    QCryptoCipherNettleFuncWrapper alg_decrypt_wrapper;
 308    /* Initialization vector or Counter */
 309    uint8_t *iv;
 310    size_t blocksize;
 311};
 312
 313bool qcrypto_cipher_supports(QCryptoCipherAlgorithm alg,
 314                             QCryptoCipherMode mode)
 315{
 316    switch (alg) {
 317    case QCRYPTO_CIPHER_ALG_DES_RFB:
 318    case QCRYPTO_CIPHER_ALG_3DES:
 319    case QCRYPTO_CIPHER_ALG_AES_128:
 320    case QCRYPTO_CIPHER_ALG_AES_192:
 321    case QCRYPTO_CIPHER_ALG_AES_256:
 322    case QCRYPTO_CIPHER_ALG_CAST5_128:
 323    case QCRYPTO_CIPHER_ALG_SERPENT_128:
 324    case QCRYPTO_CIPHER_ALG_SERPENT_192:
 325    case QCRYPTO_CIPHER_ALG_SERPENT_256:
 326    case QCRYPTO_CIPHER_ALG_TWOFISH_128:
 327    case QCRYPTO_CIPHER_ALG_TWOFISH_192:
 328    case QCRYPTO_CIPHER_ALG_TWOFISH_256:
 329        break;
 330    default:
 331        return false;
 332    }
 333
 334    switch (mode) {
 335    case QCRYPTO_CIPHER_MODE_ECB:
 336    case QCRYPTO_CIPHER_MODE_CBC:
 337    case QCRYPTO_CIPHER_MODE_XTS:
 338    case QCRYPTO_CIPHER_MODE_CTR:
 339        return true;
 340    default:
 341        return false;
 342    }
 343}
 344
 345
 346static void
 347qcrypto_nettle_cipher_free_ctx(QCryptoCipherNettle *ctx)
 348{
 349    if (!ctx) {
 350        return;
 351    }
 352
 353    g_free(ctx->iv);
 354    g_free(ctx->ctx);
 355    g_free(ctx->ctx_tweak);
 356    g_free(ctx);
 357}
 358
 359
 360static QCryptoCipherNettle *qcrypto_cipher_ctx_new(QCryptoCipherAlgorithm alg,
 361                                                   QCryptoCipherMode mode,
 362                                                   const uint8_t *key,
 363                                                   size_t nkey,
 364                                                   Error **errp)
 365{
 366    QCryptoCipherNettle *ctx;
 367    uint8_t *rfbkey;
 368
 369    switch (mode) {
 370    case QCRYPTO_CIPHER_MODE_ECB:
 371    case QCRYPTO_CIPHER_MODE_CBC:
 372    case QCRYPTO_CIPHER_MODE_XTS:
 373    case QCRYPTO_CIPHER_MODE_CTR:
 374        break;
 375    default:
 376        error_setg(errp, "Unsupported cipher mode %s",
 377                   QCryptoCipherMode_str(mode));
 378        return NULL;
 379    }
 380
 381    if (!qcrypto_cipher_validate_key_length(alg, mode, nkey, errp)) {
 382        return NULL;
 383    }
 384
 385    ctx = g_new0(QCryptoCipherNettle, 1);
 386
 387    switch (alg) {
 388    case QCRYPTO_CIPHER_ALG_DES_RFB:
 389        ctx->ctx = g_new0(struct des_ctx, 1);
 390        rfbkey = qcrypto_cipher_munge_des_rfb_key(key, nkey);
 391        des_set_key(ctx->ctx, rfbkey);
 392        g_free(rfbkey);
 393
 394        ctx->alg_encrypt_native = des_encrypt_native;
 395        ctx->alg_decrypt_native = des_decrypt_native;
 396        ctx->alg_encrypt_wrapper = des_encrypt_wrapper;
 397        ctx->alg_decrypt_wrapper = des_decrypt_wrapper;
 398
 399        ctx->blocksize = DES_BLOCK_SIZE;
 400        break;
 401
 402    case QCRYPTO_CIPHER_ALG_3DES:
 403        ctx->ctx = g_new0(struct des3_ctx, 1);
 404        des3_set_key(ctx->ctx, key);
 405
 406        ctx->alg_encrypt_native = des3_encrypt_native;
 407        ctx->alg_decrypt_native = des3_decrypt_native;
 408        ctx->alg_encrypt_wrapper = des3_encrypt_wrapper;
 409        ctx->alg_decrypt_wrapper = des3_decrypt_wrapper;
 410
 411        ctx->blocksize = DES3_BLOCK_SIZE;
 412        break;
 413
 414    case QCRYPTO_CIPHER_ALG_AES_128:
 415        ctx->ctx = g_new0(QCryptoNettleAES128, 1);
 416
 417        if (mode == QCRYPTO_CIPHER_MODE_XTS) {
 418            ctx->ctx_tweak = g_new0(QCryptoNettleAES128, 1);
 419
 420            nkey /= 2;
 421            aes128_set_encrypt_key(&((QCryptoNettleAES128 *)ctx->ctx)->enc,
 422                                   key);
 423            aes128_set_decrypt_key(&((QCryptoNettleAES128 *)ctx->ctx)->dec,
 424                                   key);
 425
 426            aes128_set_encrypt_key(&((QCryptoNettleAES128 *)ctx->ctx_tweak)->
 427                                   enc, key + nkey);
 428            aes128_set_decrypt_key(&((QCryptoNettleAES128 *)ctx->ctx_tweak)->
 429                                   dec, key + nkey);
 430        } else {
 431            aes128_set_encrypt_key(&((QCryptoNettleAES128 *)ctx->ctx)->enc,
 432                                   key);
 433            aes128_set_decrypt_key(&((QCryptoNettleAES128 *)ctx->ctx)->dec,
 434                                   key);
 435        }
 436
 437        ctx->alg_encrypt_native = aes128_encrypt_native;
 438        ctx->alg_decrypt_native = aes128_decrypt_native;
 439        ctx->alg_encrypt_wrapper = aes128_encrypt_wrapper;
 440        ctx->alg_decrypt_wrapper = aes128_decrypt_wrapper;
 441
 442        ctx->blocksize = AES_BLOCK_SIZE;
 443        break;
 444
 445    case QCRYPTO_CIPHER_ALG_AES_192:
 446        ctx->ctx = g_new0(QCryptoNettleAES192, 1);
 447
 448        if (mode == QCRYPTO_CIPHER_MODE_XTS) {
 449            ctx->ctx_tweak = g_new0(QCryptoNettleAES192, 1);
 450
 451            nkey /= 2;
 452            aes192_set_encrypt_key(&((QCryptoNettleAES192 *)ctx->ctx)->enc,
 453                                   key);
 454            aes192_set_decrypt_key(&((QCryptoNettleAES192 *)ctx->ctx)->dec,
 455                                   key);
 456
 457            aes192_set_encrypt_key(&((QCryptoNettleAES192 *)ctx->ctx_tweak)->
 458                                   enc, key + nkey);
 459            aes192_set_decrypt_key(&((QCryptoNettleAES192 *)ctx->ctx_tweak)->
 460                                   dec, key + nkey);
 461        } else {
 462            aes192_set_encrypt_key(&((QCryptoNettleAES192 *)ctx->ctx)->enc,
 463                                   key);
 464            aes192_set_decrypt_key(&((QCryptoNettleAES192 *)ctx->ctx)->dec,
 465                                   key);
 466        }
 467
 468        ctx->alg_encrypt_native = aes192_encrypt_native;
 469        ctx->alg_decrypt_native = aes192_decrypt_native;
 470        ctx->alg_encrypt_wrapper = aes192_encrypt_wrapper;
 471        ctx->alg_decrypt_wrapper = aes192_decrypt_wrapper;
 472
 473        ctx->blocksize = AES_BLOCK_SIZE;
 474        break;
 475
 476    case QCRYPTO_CIPHER_ALG_AES_256:
 477        ctx->ctx = g_new0(QCryptoNettleAES256, 1);
 478
 479        if (mode == QCRYPTO_CIPHER_MODE_XTS) {
 480            ctx->ctx_tweak = g_new0(QCryptoNettleAES256, 1);
 481
 482            nkey /= 2;
 483            aes256_set_encrypt_key(&((QCryptoNettleAES256 *)ctx->ctx)->enc,
 484                                   key);
 485            aes256_set_decrypt_key(&((QCryptoNettleAES256 *)ctx->ctx)->dec,
 486                                   key);
 487
 488            aes256_set_encrypt_key(&((QCryptoNettleAES256 *)ctx->ctx_tweak)->
 489                                   enc, key + nkey);
 490            aes256_set_decrypt_key(&((QCryptoNettleAES256 *)ctx->ctx_tweak)->
 491                                   dec, key + nkey);
 492        } else {
 493            aes256_set_encrypt_key(&((QCryptoNettleAES256 *)ctx->ctx)->enc,
 494                                   key);
 495            aes256_set_decrypt_key(&((QCryptoNettleAES256 *)ctx->ctx)->dec,
 496                                   key);
 497        }
 498
 499        ctx->alg_encrypt_native = aes256_encrypt_native;
 500        ctx->alg_decrypt_native = aes256_decrypt_native;
 501        ctx->alg_encrypt_wrapper = aes256_encrypt_wrapper;
 502        ctx->alg_decrypt_wrapper = aes256_decrypt_wrapper;
 503
 504        ctx->blocksize = AES_BLOCK_SIZE;
 505        break;
 506
 507    case QCRYPTO_CIPHER_ALG_CAST5_128:
 508        ctx->ctx = g_new0(struct cast128_ctx, 1);
 509
 510        if (mode == QCRYPTO_CIPHER_MODE_XTS) {
 511            ctx->ctx_tweak = g_new0(struct cast128_ctx, 1);
 512
 513            nkey /= 2;
 514            cast5_set_key(ctx->ctx, nkey, key);
 515            cast5_set_key(ctx->ctx_tweak, nkey, key + nkey);
 516        } else {
 517            cast5_set_key(ctx->ctx, nkey, key);
 518        }
 519
 520        ctx->alg_encrypt_native = cast128_encrypt_native;
 521        ctx->alg_decrypt_native = cast128_decrypt_native;
 522        ctx->alg_encrypt_wrapper = cast128_encrypt_wrapper;
 523        ctx->alg_decrypt_wrapper = cast128_decrypt_wrapper;
 524
 525        ctx->blocksize = CAST128_BLOCK_SIZE;
 526        break;
 527
 528    case QCRYPTO_CIPHER_ALG_SERPENT_128:
 529    case QCRYPTO_CIPHER_ALG_SERPENT_192:
 530    case QCRYPTO_CIPHER_ALG_SERPENT_256:
 531        ctx->ctx = g_new0(struct serpent_ctx, 1);
 532
 533        if (mode == QCRYPTO_CIPHER_MODE_XTS) {
 534            ctx->ctx_tweak = g_new0(struct serpent_ctx, 1);
 535
 536            nkey /= 2;
 537            serpent_set_key(ctx->ctx, nkey, key);
 538            serpent_set_key(ctx->ctx_tweak, nkey, key + nkey);
 539        } else {
 540            serpent_set_key(ctx->ctx, nkey, key);
 541        }
 542
 543        ctx->alg_encrypt_native = serpent_encrypt_native;
 544        ctx->alg_decrypt_native = serpent_decrypt_native;
 545        ctx->alg_encrypt_wrapper = serpent_encrypt_wrapper;
 546        ctx->alg_decrypt_wrapper = serpent_decrypt_wrapper;
 547
 548        ctx->blocksize = SERPENT_BLOCK_SIZE;
 549        break;
 550
 551    case QCRYPTO_CIPHER_ALG_TWOFISH_128:
 552    case QCRYPTO_CIPHER_ALG_TWOFISH_192:
 553    case QCRYPTO_CIPHER_ALG_TWOFISH_256:
 554        ctx->ctx = g_new0(struct twofish_ctx, 1);
 555
 556        if (mode == QCRYPTO_CIPHER_MODE_XTS) {
 557            ctx->ctx_tweak = g_new0(struct twofish_ctx, 1);
 558
 559            nkey /= 2;
 560            twofish_set_key(ctx->ctx, nkey, key);
 561            twofish_set_key(ctx->ctx_tweak, nkey, key + nkey);
 562        } else {
 563            twofish_set_key(ctx->ctx, nkey, key);
 564        }
 565
 566        ctx->alg_encrypt_native = twofish_encrypt_native;
 567        ctx->alg_decrypt_native = twofish_decrypt_native;
 568        ctx->alg_encrypt_wrapper = twofish_encrypt_wrapper;
 569        ctx->alg_decrypt_wrapper = twofish_decrypt_wrapper;
 570
 571        ctx->blocksize = TWOFISH_BLOCK_SIZE;
 572        break;
 573
 574    default:
 575        error_setg(errp, "Unsupported cipher algorithm %s",
 576                   QCryptoCipherAlgorithm_str(alg));
 577        goto error;
 578    }
 579
 580    if (mode == QCRYPTO_CIPHER_MODE_XTS &&
 581        ctx->blocksize != XTS_BLOCK_SIZE) {
 582        error_setg(errp, "Cipher block size %zu must equal XTS block size %d",
 583                   ctx->blocksize, XTS_BLOCK_SIZE);
 584        goto error;
 585    }
 586
 587    ctx->iv = g_new0(uint8_t, ctx->blocksize);
 588
 589    return ctx;
 590
 591 error:
 592    qcrypto_nettle_cipher_free_ctx(ctx);
 593    return NULL;
 594}
 595
 596
 597static void
 598qcrypto_nettle_cipher_ctx_free(QCryptoCipher *cipher)
 599{
 600    QCryptoCipherNettle *ctx;
 601
 602    ctx = cipher->opaque;
 603    qcrypto_nettle_cipher_free_ctx(ctx);
 604}
 605
 606
 607static int
 608qcrypto_nettle_cipher_encrypt(QCryptoCipher *cipher,
 609                              const void *in,
 610                              void *out,
 611                              size_t len,
 612                              Error **errp)
 613{
 614    QCryptoCipherNettle *ctx = cipher->opaque;
 615
 616    if (len % ctx->blocksize) {
 617        error_setg(errp, "Length %zu must be a multiple of block size %zu",
 618                   len, ctx->blocksize);
 619        return -1;
 620    }
 621
 622    switch (cipher->mode) {
 623    case QCRYPTO_CIPHER_MODE_ECB:
 624        ctx->alg_encrypt_wrapper(ctx->ctx, len, out, in);
 625        break;
 626
 627    case QCRYPTO_CIPHER_MODE_CBC:
 628        cbc_encrypt(ctx->ctx, ctx->alg_encrypt_native,
 629                    ctx->blocksize, ctx->iv,
 630                    len, out, in);
 631        break;
 632
 633    case QCRYPTO_CIPHER_MODE_XTS:
 634#ifdef CONFIG_QEMU_PRIVATE_XTS
 635        xts_encrypt(ctx->ctx, ctx->ctx_tweak,
 636                    ctx->alg_encrypt_wrapper, ctx->alg_encrypt_wrapper,
 637                    ctx->iv, len, out, in);
 638#else
 639        xts_encrypt_message(ctx->ctx, ctx->ctx_tweak,
 640                            ctx->alg_encrypt_native,
 641                            ctx->iv, len, out, in);
 642#endif
 643        break;
 644
 645    case QCRYPTO_CIPHER_MODE_CTR:
 646        ctr_crypt(ctx->ctx, ctx->alg_encrypt_native,
 647                    ctx->blocksize, ctx->iv,
 648                    len, out, in);
 649        break;
 650
 651    default:
 652        error_setg(errp, "Unsupported cipher mode %s",
 653                   QCryptoCipherMode_str(cipher->mode));
 654        return -1;
 655    }
 656    return 0;
 657}
 658
 659
 660static int
 661qcrypto_nettle_cipher_decrypt(QCryptoCipher *cipher,
 662                              const void *in,
 663                              void *out,
 664                              size_t len,
 665                              Error **errp)
 666{
 667    QCryptoCipherNettle *ctx = cipher->opaque;
 668
 669    if (len % ctx->blocksize) {
 670        error_setg(errp, "Length %zu must be a multiple of block size %zu",
 671                   len, ctx->blocksize);
 672        return -1;
 673    }
 674
 675    switch (cipher->mode) {
 676    case QCRYPTO_CIPHER_MODE_ECB:
 677        ctx->alg_decrypt_wrapper(ctx->ctx, len, out, in);
 678        break;
 679
 680    case QCRYPTO_CIPHER_MODE_CBC:
 681        cbc_decrypt(ctx->ctx, ctx->alg_decrypt_native,
 682                    ctx->blocksize, ctx->iv,
 683                    len, out, in);
 684        break;
 685
 686    case QCRYPTO_CIPHER_MODE_XTS:
 687#ifdef CONFIG_QEMU_PRIVATE_XTS
 688        xts_decrypt(ctx->ctx, ctx->ctx_tweak,
 689                    ctx->alg_encrypt_wrapper, ctx->alg_decrypt_wrapper,
 690                    ctx->iv, len, out, in);
 691#else
 692        xts_decrypt_message(ctx->ctx, ctx->ctx_tweak,
 693                            ctx->alg_decrypt_native,
 694                            ctx->alg_encrypt_native,
 695                            ctx->iv, len, out, in);
 696#endif
 697        break;
 698    case QCRYPTO_CIPHER_MODE_CTR:
 699        ctr_crypt(ctx->ctx, ctx->alg_encrypt_native,
 700                    ctx->blocksize, ctx->iv,
 701                    len, out, in);
 702        break;
 703
 704    default:
 705        error_setg(errp, "Unsupported cipher mode %s",
 706                   QCryptoCipherMode_str(cipher->mode));
 707        return -1;
 708    }
 709    return 0;
 710}
 711
 712static int
 713qcrypto_nettle_cipher_setiv(QCryptoCipher *cipher,
 714                            const uint8_t *iv, size_t niv,
 715                            Error **errp)
 716{
 717    QCryptoCipherNettle *ctx = cipher->opaque;
 718    if (niv != ctx->blocksize) {
 719        error_setg(errp, "Expected IV size %zu not %zu",
 720                   ctx->blocksize, niv);
 721        return -1;
 722    }
 723    memcpy(ctx->iv, iv, niv);
 724    return 0;
 725}
 726
 727
 728static struct QCryptoCipherDriver qcrypto_cipher_lib_driver = {
 729    .cipher_encrypt = qcrypto_nettle_cipher_encrypt,
 730    .cipher_decrypt = qcrypto_nettle_cipher_decrypt,
 731    .cipher_setiv = qcrypto_nettle_cipher_setiv,
 732    .cipher_free = qcrypto_nettle_cipher_ctx_free,
 733};
 734