xref: /openbmc/qemu/crypto/cipher-nettle.c.inc (revision 03ee5e0c)
1/*
2 * QEMU Crypto cipher nettle algorithms
3 *
4 * Copyright (c) 2015 Red Hat, Inc.
5 *
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2.1 of the License, or (at your option) any later version.
10 *
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14 * Lesser General Public License for more details.
15 *
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18 *
19 */
20
21#ifdef CONFIG_QEMU_PRIVATE_XTS
22#include "crypto/xts.h"
23#endif
24
25#include <nettle/nettle-types.h>
26#include <nettle/aes.h>
27#include <nettle/des.h>
28#include <nettle/cbc.h>
29#include <nettle/cast128.h>
30#include <nettle/serpent.h>
31#include <nettle/twofish.h>
32#include <nettle/ctr.h>
33#ifndef CONFIG_QEMU_PRIVATE_XTS
34#include <nettle/xts.h>
35#endif
36#ifdef CONFIG_CRYPTO_SM4
37#include <nettle/sm4.h>
38#endif
39
40static inline bool qcrypto_length_check(size_t len, size_t blocksize,
41                                        Error **errp)
42{
43    if (unlikely(len & (blocksize - 1))) {
44        error_setg(errp, "Length %zu must be a multiple of block size %zu",
45                   len, blocksize);
46        return false;
47    }
48    return true;
49}
50
51
52static void qcrypto_cipher_ctx_free(QCryptoCipher *ctx)
53{
54    g_free(ctx);
55}
56
57static int qcrypto_cipher_no_setiv(QCryptoCipher *cipher,
58                                   const uint8_t *iv, size_t niv,
59                                   Error **errp)
60{
61    error_setg(errp, "Setting IV is not supported");
62    return -1;
63}
64
65
66#define DEFINE_SETIV(NAME, TYPE, BLEN)                                  \
67static int NAME##_setiv(QCryptoCipher *cipher, const uint8_t *iv,       \
68                        size_t niv, Error **errp)                       \
69{                                                                       \
70    TYPE *ctx = container_of(cipher, TYPE, base);                       \
71    if (niv != BLEN) {                                                  \
72        error_setg(errp, "Expected IV size %d not %zu", BLEN, niv);     \
73        return -1;                                                      \
74    }                                                                   \
75    memcpy(ctx->iv, iv, niv);                                           \
76    return 0;                                                           \
77}
78
79
80#define DEFINE_ECB(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)                  \
81static int NAME##_encrypt_ecb(QCryptoCipher *cipher, const void *in,    \
82                              void *out, size_t len, Error **errp)      \
83{                                                                       \
84    TYPE *ctx = container_of(cipher, TYPE, base);                       \
85    if (!qcrypto_length_check(len, BLEN, errp)) {                       \
86        return -1;                                                      \
87    }                                                                   \
88    ENCRYPT(&ctx->key, len, out, in);                                   \
89    return 0;                                                           \
90}                                                                       \
91static int NAME##_decrypt_ecb(QCryptoCipher *cipher, const void *in,    \
92                              void *out, size_t len, Error **errp)      \
93{                                                                       \
94    TYPE *ctx = container_of(cipher, TYPE, base);                       \
95    if (!qcrypto_length_check(len, BLEN, errp)) {                       \
96        return -1;                                                      \
97    }                                                                   \
98    DECRYPT(&ctx->key, len, out, in);                                   \
99    return 0;                                                           \
100}                                                                       \
101static const struct QCryptoCipherDriver NAME##_driver_ecb = {           \
102    .cipher_encrypt = NAME##_encrypt_ecb,                               \
103    .cipher_decrypt = NAME##_decrypt_ecb,                               \
104    .cipher_setiv = qcrypto_cipher_no_setiv,                            \
105    .cipher_free = qcrypto_cipher_ctx_free,                             \
106};
107
108
109#define DEFINE_CBC(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)                  \
110static int NAME##_encrypt_cbc(QCryptoCipher *cipher, const void *in,    \
111                              void *out, size_t len, Error **errp)      \
112{                                                                       \
113    TYPE *ctx = container_of(cipher, TYPE, base);                       \
114    if (!qcrypto_length_check(len, BLEN, errp)) {                       \
115        return -1;                                                      \
116    }                                                                   \
117    cbc_encrypt(&ctx->key, ENCRYPT, BLEN, ctx->iv, len, out, in);       \
118    return 0;                                                           \
119}                                                                       \
120static int NAME##_decrypt_cbc(QCryptoCipher *cipher, const void *in,    \
121                              void *out, size_t len, Error **errp)      \
122{                                                                       \
123    TYPE *ctx = container_of(cipher, TYPE, base);                       \
124    if (!qcrypto_length_check(len, BLEN, errp)) {                       \
125        return -1;                                                      \
126    }                                                                   \
127    cbc_decrypt(&ctx->key, DECRYPT, BLEN, ctx->iv, len, out, in);       \
128    return 0;                                                           \
129}                                                                       \
130static const struct QCryptoCipherDriver NAME##_driver_cbc = {           \
131    .cipher_encrypt = NAME##_encrypt_cbc,                               \
132    .cipher_decrypt = NAME##_decrypt_cbc,                               \
133    .cipher_setiv = NAME##_setiv,                                       \
134    .cipher_free = qcrypto_cipher_ctx_free,                             \
135};
136
137
138#define DEFINE_CTR(NAME, TYPE, BLEN, ENCRYPT)                           \
139static int NAME##_encrypt_ctr(QCryptoCipher *cipher, const void *in,    \
140                              void *out, size_t len, Error **errp)      \
141{                                                                       \
142    TYPE *ctx = container_of(cipher, TYPE, base);                       \
143    if (!qcrypto_length_check(len, BLEN, errp)) {                       \
144        return -1;                                                      \
145    }                                                                   \
146    ctr_crypt(&ctx->key, ENCRYPT, BLEN, ctx->iv, len, out, in);         \
147    return 0;                                                           \
148}                                                                       \
149static const struct QCryptoCipherDriver NAME##_driver_ctr = {           \
150    .cipher_encrypt = NAME##_encrypt_ctr,                               \
151    .cipher_decrypt = NAME##_encrypt_ctr,                               \
152    .cipher_setiv = NAME##_setiv,                                       \
153    .cipher_free = qcrypto_cipher_ctx_free,                             \
154};
155
156
157#ifdef CONFIG_QEMU_PRIVATE_XTS
158#define DEFINE__XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)                 \
159static void NAME##_xts_wrape(const void *ctx, size_t length,            \
160                             uint8_t *dst, const uint8_t *src)          \
161{                                                                       \
162    ENCRYPT((const void *)ctx, length, dst, src);                       \
163}                                                                       \
164static void NAME##_xts_wrapd(const void *ctx, size_t length,            \
165                             uint8_t *dst, const uint8_t *src)          \
166{                                                                       \
167    DECRYPT((const void *)ctx, length, dst, src);                       \
168}                                                                       \
169static int NAME##_encrypt_xts(QCryptoCipher *cipher, const void *in,    \
170                              void *out, size_t len, Error **errp)      \
171{                                                                       \
172    TYPE *ctx = container_of(cipher, TYPE, base);                       \
173    if (!qcrypto_length_check(len, BLEN, errp)) {                       \
174        return -1;                                                      \
175    }                                                                   \
176    xts_encrypt(&ctx->key, &ctx->key_xts,                               \
177                NAME##_xts_wrape, NAME##_xts_wrapd,                     \
178                ctx->iv, len, out, in);                                 \
179    return 0;                                                           \
180}                                                                       \
181static int NAME##_decrypt_xts(QCryptoCipher *cipher, const void *in,    \
182                              void *out, size_t len, Error **errp)      \
183{                                                                       \
184    TYPE *ctx = container_of(cipher, TYPE, base);                       \
185    if (!qcrypto_length_check(len, BLEN, errp)) {                       \
186        return -1;                                                      \
187    }                                                                   \
188    xts_decrypt(&ctx->key, &ctx->key_xts,                               \
189                NAME##_xts_wrape, NAME##_xts_wrapd,                     \
190                ctx->iv, len, out, in);                                 \
191    return 0;                                                           \
192}
193#else
194#define DEFINE__XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)                 \
195static int NAME##_encrypt_xts(QCryptoCipher *cipher, const void *in,    \
196                              void *out, size_t len, Error **errp)      \
197{                                                                       \
198    TYPE *ctx = container_of(cipher, TYPE, base);                       \
199    if (!qcrypto_length_check(len, BLEN, errp)) {                       \
200        return -1;                                                      \
201    }                                                                   \
202    xts_encrypt_message(&ctx->key, &ctx->key_xts, ENCRYPT,              \
203                        ctx->iv, len, out, in);                         \
204    return 0;                                                           \
205}                                                                       \
206static int NAME##_decrypt_xts(QCryptoCipher *cipher, const void *in,    \
207                              void *out, size_t len, Error **errp)      \
208{                                                                       \
209    TYPE *ctx = container_of(cipher, TYPE, base);                       \
210    if (!qcrypto_length_check(len, BLEN, errp)) {                       \
211        return -1;                                                      \
212    }                                                                   \
213    xts_decrypt_message(&ctx->key, &ctx->key_xts, DECRYPT, ENCRYPT,     \
214                        ctx->iv, len, out, in);                         \
215    return 0;                                                           \
216}
217#endif
218
219#define DEFINE_XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)          \
220    QEMU_BUILD_BUG_ON(BLEN != XTS_BLOCK_SIZE);                  \
221    DEFINE__XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)             \
222static const struct QCryptoCipherDriver NAME##_driver_xts = {   \
223    .cipher_encrypt = NAME##_encrypt_xts,                       \
224    .cipher_decrypt = NAME##_decrypt_xts,                       \
225    .cipher_setiv = NAME##_setiv,                               \
226    .cipher_free = qcrypto_cipher_ctx_free,                     \
227};
228
229
230#define DEFINE_ECB_CBC_CTR(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)  \
231    DEFINE_SETIV(NAME, TYPE, BLEN)                              \
232    DEFINE_ECB(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)              \
233    DEFINE_CBC(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)              \
234    DEFINE_CTR(NAME, TYPE, BLEN, ENCRYPT)
235
236#define DEFINE_ECB_CBC_CTR_XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)      \
237    DEFINE_ECB_CBC_CTR(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)              \
238    DEFINE_XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)
239
240
241typedef struct QCryptoNettleDES {
242    QCryptoCipher base;
243    struct des_ctx key;
244    uint8_t iv[DES_BLOCK_SIZE];
245} QCryptoNettleDES;
246
247static void des_encrypt_native(const void *ctx, size_t length,
248                               uint8_t *dst, const uint8_t *src)
249{
250    des_encrypt(ctx, length, dst, src);
251}
252
253static void des_decrypt_native(const void *ctx, size_t length,
254                               uint8_t *dst, const uint8_t *src)
255{
256    des_decrypt(ctx, length, dst, src);
257}
258
259DEFINE_ECB_CBC_CTR(qcrypto_nettle_des, QCryptoNettleDES,
260                   DES_BLOCK_SIZE, des_encrypt_native, des_decrypt_native)
261
262
263typedef struct QCryptoNettleDES3 {
264    QCryptoCipher base;
265    struct des3_ctx key;
266    uint8_t iv[DES3_BLOCK_SIZE];
267} QCryptoNettleDES3;
268
269static void des3_encrypt_native(const void *ctx, size_t length,
270                                uint8_t *dst, const uint8_t *src)
271{
272    des3_encrypt(ctx, length, dst, src);
273}
274
275static void des3_decrypt_native(const void *ctx, size_t length,
276                                uint8_t *dst, const uint8_t *src)
277{
278    des3_decrypt(ctx, length, dst, src);
279}
280
281DEFINE_ECB_CBC_CTR(qcrypto_nettle_des3, QCryptoNettleDES3, DES3_BLOCK_SIZE,
282                   des3_encrypt_native, des3_decrypt_native)
283
284
285typedef struct QCryptoNettleAES128 {
286    QCryptoCipher base;
287    uint8_t iv[AES_BLOCK_SIZE];
288    /* First key from pair is encode, second key is decode. */
289    struct aes128_ctx key[2], key_xts[2];
290} QCryptoNettleAES128;
291
292static void aes128_encrypt_native(const void *ctx, size_t length,
293                                  uint8_t *dst, const uint8_t *src)
294{
295    const struct aes128_ctx *keys = ctx;
296    aes128_encrypt(&keys[0], length, dst, src);
297}
298
299static void aes128_decrypt_native(const void *ctx, size_t length,
300                                  uint8_t *dst, const uint8_t *src)
301{
302    const struct aes128_ctx *keys = ctx;
303    aes128_decrypt(&keys[1], length, dst, src);
304}
305
306DEFINE_ECB_CBC_CTR_XTS(qcrypto_nettle_aes128,
307                       QCryptoNettleAES128, AES_BLOCK_SIZE,
308                       aes128_encrypt_native, aes128_decrypt_native)
309
310
311typedef struct QCryptoNettleAES192 {
312    QCryptoCipher base;
313    uint8_t iv[AES_BLOCK_SIZE];
314    /* First key from pair is encode, second key is decode. */
315    struct aes192_ctx key[2], key_xts[2];
316} QCryptoNettleAES192;
317
318static void aes192_encrypt_native(const void *ctx, size_t length,
319                                  uint8_t *dst, const uint8_t *src)
320{
321    const struct aes192_ctx *keys = ctx;
322    aes192_encrypt(&keys[0], length, dst, src);
323}
324
325static void aes192_decrypt_native(const void *ctx, size_t length,
326                                  uint8_t *dst, const uint8_t *src)
327{
328    const struct aes192_ctx *keys = ctx;
329    aes192_decrypt(&keys[1], length, dst, src);
330}
331
332DEFINE_ECB_CBC_CTR_XTS(qcrypto_nettle_aes192,
333                       QCryptoNettleAES192, AES_BLOCK_SIZE,
334                       aes192_encrypt_native, aes192_decrypt_native)
335
336
337typedef struct QCryptoNettleAES256 {
338    QCryptoCipher base;
339    uint8_t iv[AES_BLOCK_SIZE];
340    /* First key from pair is encode, second key is decode. */
341    struct aes256_ctx key[2], key_xts[2];
342} QCryptoNettleAES256;
343
344static void aes256_encrypt_native(const void *ctx, size_t length,
345                                  uint8_t *dst, const uint8_t *src)
346{
347    const struct aes256_ctx *keys = ctx;
348    aes256_encrypt(&keys[0], length, dst, src);
349}
350
351static void aes256_decrypt_native(const void *ctx, size_t length,
352                                  uint8_t *dst, const uint8_t *src)
353{
354    const struct aes256_ctx *keys = ctx;
355    aes256_decrypt(&keys[1], length, dst, src);
356}
357
358DEFINE_ECB_CBC_CTR_XTS(qcrypto_nettle_aes256,
359                       QCryptoNettleAES256, AES_BLOCK_SIZE,
360                       aes256_encrypt_native, aes256_decrypt_native)
361
362
363typedef struct QCryptoNettleCAST128 {
364    QCryptoCipher base;
365    uint8_t iv[CAST128_BLOCK_SIZE];
366    struct cast128_ctx key, key_xts;
367} QCryptoNettleCAST128;
368
369static void cast128_encrypt_native(const void *ctx, size_t length,
370                                   uint8_t *dst, const uint8_t *src)
371{
372    cast128_encrypt(ctx, length, dst, src);
373}
374
375static void cast128_decrypt_native(const void *ctx, size_t length,
376                                   uint8_t *dst, const uint8_t *src)
377{
378    cast128_decrypt(ctx, length, dst, src);
379}
380
381DEFINE_ECB_CBC_CTR(qcrypto_nettle_cast128,
382                   QCryptoNettleCAST128, CAST128_BLOCK_SIZE,
383                   cast128_encrypt_native, cast128_decrypt_native)
384
385
386typedef struct QCryptoNettleSerpent {
387    QCryptoCipher base;
388    uint8_t iv[SERPENT_BLOCK_SIZE];
389    struct serpent_ctx key, key_xts;
390} QCryptoNettleSerpent;
391
392
393static void serpent_encrypt_native(const void *ctx, size_t length,
394                                   uint8_t *dst, const uint8_t *src)
395{
396    serpent_encrypt(ctx, length, dst, src);
397}
398
399static void serpent_decrypt_native(const void *ctx, size_t length,
400                                   uint8_t *dst, const uint8_t *src)
401{
402    serpent_decrypt(ctx, length, dst, src);
403}
404
405DEFINE_ECB_CBC_CTR_XTS(qcrypto_nettle_serpent,
406                       QCryptoNettleSerpent, SERPENT_BLOCK_SIZE,
407                       serpent_encrypt_native, serpent_decrypt_native)
408
409
410typedef struct QCryptoNettleTwofish {
411    QCryptoCipher base;
412    uint8_t iv[TWOFISH_BLOCK_SIZE];
413    struct twofish_ctx key, key_xts;
414} QCryptoNettleTwofish;
415
416static void twofish_encrypt_native(const void *ctx, size_t length,
417                                   uint8_t *dst, const uint8_t *src)
418{
419    twofish_encrypt(ctx, length, dst, src);
420}
421
422static void twofish_decrypt_native(const void *ctx, size_t length,
423                                   uint8_t *dst, const uint8_t *src)
424{
425    twofish_decrypt(ctx, length, dst, src);
426}
427
428DEFINE_ECB_CBC_CTR_XTS(qcrypto_nettle_twofish,
429                       QCryptoNettleTwofish, TWOFISH_BLOCK_SIZE,
430                       twofish_encrypt_native, twofish_decrypt_native)
431
432#ifdef CONFIG_CRYPTO_SM4
433typedef struct QCryptoNettleSm4 {
434    QCryptoCipher base;
435    struct sm4_ctx key[2];
436} QCryptoNettleSm4;
437
438static void sm4_encrypt_native(void *ctx, size_t length,
439                               uint8_t *dst, const uint8_t *src)
440{
441    struct sm4_ctx *keys = ctx;
442    sm4_crypt(&keys[0], length, dst, src);
443}
444
445static void sm4_decrypt_native(void *ctx, size_t length,
446                               uint8_t *dst, const uint8_t *src)
447{
448    struct sm4_ctx *keys = ctx;
449    sm4_crypt(&keys[1], length, dst, src);
450}
451
452DEFINE_ECB(qcrypto_nettle_sm4,
453           QCryptoNettleSm4, SM4_BLOCK_SIZE,
454           sm4_encrypt_native, sm4_decrypt_native)
455#endif
456
457bool qcrypto_cipher_supports(QCryptoCipherAlgorithm alg,
458                             QCryptoCipherMode mode)
459{
460    switch (alg) {
461    case QCRYPTO_CIPHER_ALG_DES:
462    case QCRYPTO_CIPHER_ALG_3DES:
463    case QCRYPTO_CIPHER_ALG_AES_128:
464    case QCRYPTO_CIPHER_ALG_AES_192:
465    case QCRYPTO_CIPHER_ALG_AES_256:
466    case QCRYPTO_CIPHER_ALG_CAST5_128:
467    case QCRYPTO_CIPHER_ALG_SERPENT_128:
468    case QCRYPTO_CIPHER_ALG_SERPENT_192:
469    case QCRYPTO_CIPHER_ALG_SERPENT_256:
470    case QCRYPTO_CIPHER_ALG_TWOFISH_128:
471    case QCRYPTO_CIPHER_ALG_TWOFISH_192:
472    case QCRYPTO_CIPHER_ALG_TWOFISH_256:
473#ifdef CONFIG_CRYPTO_SM4
474    case QCRYPTO_CIPHER_ALG_SM4:
475#endif
476        break;
477    default:
478        return false;
479    }
480
481    switch (mode) {
482    case QCRYPTO_CIPHER_MODE_ECB:
483    case QCRYPTO_CIPHER_MODE_CBC:
484    case QCRYPTO_CIPHER_MODE_XTS:
485    case QCRYPTO_CIPHER_MODE_CTR:
486        return true;
487    default:
488        return false;
489    }
490}
491
492static QCryptoCipher *qcrypto_cipher_ctx_new(QCryptoCipherAlgorithm alg,
493                                             QCryptoCipherMode mode,
494                                             const uint8_t *key,
495                                             size_t nkey,
496                                             Error **errp)
497{
498    switch (mode) {
499    case QCRYPTO_CIPHER_MODE_ECB:
500    case QCRYPTO_CIPHER_MODE_CBC:
501    case QCRYPTO_CIPHER_MODE_XTS:
502    case QCRYPTO_CIPHER_MODE_CTR:
503        break;
504    default:
505        goto bad_cipher_mode;
506    }
507
508    if (!qcrypto_cipher_validate_key_length(alg, mode, nkey, errp)) {
509        return NULL;
510    }
511
512    switch (alg) {
513    case QCRYPTO_CIPHER_ALG_DES:
514        {
515            QCryptoNettleDES *ctx;
516            const QCryptoCipherDriver *drv;
517
518            switch (mode) {
519            case QCRYPTO_CIPHER_MODE_ECB:
520                drv = &qcrypto_nettle_des_driver_ecb;
521                break;
522            case QCRYPTO_CIPHER_MODE_CBC:
523                drv = &qcrypto_nettle_des_driver_cbc;
524                break;
525            case QCRYPTO_CIPHER_MODE_CTR:
526                drv = &qcrypto_nettle_des_driver_ctr;
527                break;
528            default:
529                goto bad_cipher_mode;
530            }
531
532            ctx = g_new0(QCryptoNettleDES, 1);
533            ctx->base.driver = drv;
534            des_set_key(&ctx->key, key);
535
536            return &ctx->base;
537        }
538
539    case QCRYPTO_CIPHER_ALG_3DES:
540        {
541            QCryptoNettleDES3 *ctx;
542            const QCryptoCipherDriver *drv;
543
544            switch (mode) {
545            case QCRYPTO_CIPHER_MODE_ECB:
546                drv = &qcrypto_nettle_des3_driver_ecb;
547                break;
548            case QCRYPTO_CIPHER_MODE_CBC:
549                drv = &qcrypto_nettle_des3_driver_cbc;
550                break;
551            case QCRYPTO_CIPHER_MODE_CTR:
552                drv = &qcrypto_nettle_des3_driver_ctr;
553                break;
554            default:
555                goto bad_cipher_mode;
556            }
557
558            ctx = g_new0(QCryptoNettleDES3, 1);
559            ctx->base.driver = drv;
560            des3_set_key(&ctx->key, key);
561            return &ctx->base;
562        }
563
564    case QCRYPTO_CIPHER_ALG_AES_128:
565        {
566            QCryptoNettleAES128 *ctx = g_new0(QCryptoNettleAES128, 1);
567
568            switch (mode) {
569            case QCRYPTO_CIPHER_MODE_ECB:
570                ctx->base.driver = &qcrypto_nettle_aes128_driver_ecb;
571                break;
572            case QCRYPTO_CIPHER_MODE_CBC:
573                ctx->base.driver = &qcrypto_nettle_aes128_driver_cbc;
574                break;
575            case QCRYPTO_CIPHER_MODE_CTR:
576                ctx->base.driver = &qcrypto_nettle_aes128_driver_ctr;
577                break;
578            case QCRYPTO_CIPHER_MODE_XTS:
579                ctx->base.driver = &qcrypto_nettle_aes128_driver_xts;
580                nkey /= 2;
581                aes128_set_encrypt_key(&ctx->key_xts[0], key + nkey);
582                aes128_set_decrypt_key(&ctx->key_xts[1], key + nkey);
583                break;
584            default:
585                g_assert_not_reached();
586            }
587            aes128_set_encrypt_key(&ctx->key[0], key);
588            aes128_set_decrypt_key(&ctx->key[1], key);
589
590            return &ctx->base;
591        }
592
593    case QCRYPTO_CIPHER_ALG_AES_192:
594        {
595            QCryptoNettleAES192 *ctx = g_new0(QCryptoNettleAES192, 1);
596
597            switch (mode) {
598            case QCRYPTO_CIPHER_MODE_ECB:
599                ctx->base.driver = &qcrypto_nettle_aes192_driver_ecb;
600                break;
601            case QCRYPTO_CIPHER_MODE_CBC:
602                ctx->base.driver = &qcrypto_nettle_aes192_driver_cbc;
603                break;
604            case QCRYPTO_CIPHER_MODE_CTR:
605                ctx->base.driver = &qcrypto_nettle_aes192_driver_ctr;
606                break;
607            case QCRYPTO_CIPHER_MODE_XTS:
608                ctx->base.driver = &qcrypto_nettle_aes192_driver_xts;
609                nkey /= 2;
610                aes192_set_encrypt_key(&ctx->key_xts[0], key + nkey);
611                aes192_set_decrypt_key(&ctx->key_xts[1], key + nkey);
612                break;
613            default:
614                g_assert_not_reached();
615            }
616            aes192_set_encrypt_key(&ctx->key[0], key);
617            aes192_set_decrypt_key(&ctx->key[1], key);
618
619            return &ctx->base;
620        }
621
622    case QCRYPTO_CIPHER_ALG_AES_256:
623        {
624            QCryptoNettleAES256 *ctx = g_new0(QCryptoNettleAES256, 1);
625
626            switch (mode) {
627            case QCRYPTO_CIPHER_MODE_ECB:
628                ctx->base.driver = &qcrypto_nettle_aes256_driver_ecb;
629                break;
630            case QCRYPTO_CIPHER_MODE_CBC:
631                ctx->base.driver = &qcrypto_nettle_aes256_driver_cbc;
632                break;
633            case QCRYPTO_CIPHER_MODE_CTR:
634                ctx->base.driver = &qcrypto_nettle_aes256_driver_ctr;
635                break;
636            case QCRYPTO_CIPHER_MODE_XTS:
637                ctx->base.driver = &qcrypto_nettle_aes256_driver_xts;
638                nkey /= 2;
639                aes256_set_encrypt_key(&ctx->key_xts[0], key + nkey);
640                aes256_set_decrypt_key(&ctx->key_xts[1], key + nkey);
641                break;
642            default:
643                g_assert_not_reached();
644            }
645            aes256_set_encrypt_key(&ctx->key[0], key);
646            aes256_set_decrypt_key(&ctx->key[1], key);
647
648            return &ctx->base;
649        }
650
651    case QCRYPTO_CIPHER_ALG_CAST5_128:
652        {
653            QCryptoNettleCAST128 *ctx;
654            const QCryptoCipherDriver *drv;
655
656            switch (mode) {
657            case QCRYPTO_CIPHER_MODE_ECB:
658                drv = &qcrypto_nettle_cast128_driver_ecb;
659                break;
660            case QCRYPTO_CIPHER_MODE_CBC:
661                drv = &qcrypto_nettle_cast128_driver_cbc;
662                break;
663            case QCRYPTO_CIPHER_MODE_CTR:
664                drv = &qcrypto_nettle_cast128_driver_ctr;
665                break;
666            default:
667                goto bad_cipher_mode;
668            }
669
670            ctx = g_new0(QCryptoNettleCAST128, 1);
671            ctx->base.driver = drv;
672            cast5_set_key(&ctx->key, nkey, key);
673
674            return &ctx->base;
675        }
676
677    case QCRYPTO_CIPHER_ALG_SERPENT_128:
678    case QCRYPTO_CIPHER_ALG_SERPENT_192:
679    case QCRYPTO_CIPHER_ALG_SERPENT_256:
680        {
681            QCryptoNettleSerpent *ctx = g_new0(QCryptoNettleSerpent, 1);
682
683            switch (mode) {
684            case QCRYPTO_CIPHER_MODE_ECB:
685                ctx->base.driver = &qcrypto_nettle_serpent_driver_ecb;
686                break;
687            case QCRYPTO_CIPHER_MODE_CBC:
688                ctx->base.driver = &qcrypto_nettle_serpent_driver_cbc;
689                break;
690            case QCRYPTO_CIPHER_MODE_CTR:
691                ctx->base.driver = &qcrypto_nettle_serpent_driver_ctr;
692                break;
693            case QCRYPTO_CIPHER_MODE_XTS:
694                ctx->base.driver = &qcrypto_nettle_serpent_driver_xts;
695                nkey /= 2;
696                serpent_set_key(&ctx->key_xts, nkey, key + nkey);
697                break;
698            default:
699                g_assert_not_reached();
700            }
701            serpent_set_key(&ctx->key, nkey, key);
702
703            return &ctx->base;
704        }
705
706    case QCRYPTO_CIPHER_ALG_TWOFISH_128:
707    case QCRYPTO_CIPHER_ALG_TWOFISH_192:
708    case QCRYPTO_CIPHER_ALG_TWOFISH_256:
709        {
710            QCryptoNettleTwofish *ctx = g_new0(QCryptoNettleTwofish, 1);
711
712            switch (mode) {
713            case QCRYPTO_CIPHER_MODE_ECB:
714                ctx->base.driver = &qcrypto_nettle_twofish_driver_ecb;
715                break;
716            case QCRYPTO_CIPHER_MODE_CBC:
717                ctx->base.driver = &qcrypto_nettle_twofish_driver_cbc;
718                break;
719            case QCRYPTO_CIPHER_MODE_CTR:
720                ctx->base.driver = &qcrypto_nettle_twofish_driver_ctr;
721                break;
722            case QCRYPTO_CIPHER_MODE_XTS:
723                ctx->base.driver = &qcrypto_nettle_twofish_driver_xts;
724                nkey /= 2;
725                twofish_set_key(&ctx->key_xts, nkey, key + nkey);
726                break;
727            default:
728                g_assert_not_reached();
729            }
730            twofish_set_key(&ctx->key, nkey, key);
731
732            return &ctx->base;
733        }
734#ifdef CONFIG_CRYPTO_SM4
735    case QCRYPTO_CIPHER_ALG_SM4:
736        {
737            QCryptoNettleSm4 *ctx;
738            const QCryptoCipherDriver *drv;
739
740            switch (mode) {
741            case QCRYPTO_CIPHER_MODE_ECB:
742                drv = &qcrypto_nettle_sm4_driver_ecb;
743                break;
744            default:
745                goto bad_cipher_mode;
746            }
747
748            ctx = g_new0(QCryptoNettleSm4, 1);
749            ctx->base.driver = drv;
750            sm4_set_encrypt_key(&ctx->key[0], key);
751            sm4_set_decrypt_key(&ctx->key[1], key);
752
753            return &ctx->base;
754        }
755#endif
756
757    default:
758        error_setg(errp, "Unsupported cipher algorithm %s",
759                   QCryptoCipherAlgorithm_str(alg));
760        return NULL;
761    }
762
763 bad_cipher_mode:
764    error_setg(errp, "Unsupported cipher mode %s",
765               QCryptoCipherMode_str(mode));
766    return NULL;
767}
768