xref: /openbmc/qemu/crypto/cipher-nettle.c.inc (revision c418f935)
1/*
2 * QEMU Crypto cipher nettle algorithms
3 *
4 * Copyright (c) 2015 Red Hat, Inc.
5 *
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2.1 of the License, or (at your option) any later version.
10 *
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14 * Lesser General Public License for more details.
15 *
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18 *
19 */
20
21#ifdef CONFIG_QEMU_PRIVATE_XTS
22#include "crypto/xts.h"
23#endif
24
25#include <nettle/nettle-types.h>
26#include <nettle/aes.h>
27#include <nettle/des.h>
28#include <nettle/cbc.h>
29#include <nettle/cast128.h>
30#include <nettle/serpent.h>
31#include <nettle/twofish.h>
32#include <nettle/ctr.h>
33#ifndef CONFIG_QEMU_PRIVATE_XTS
34#include <nettle/xts.h>
35#endif
36
37typedef void (*QCryptoCipherNettleFuncWrapper)(const void *ctx,
38                                               size_t length,
39                                               uint8_t *dst,
40                                               const uint8_t *src);
41
42#if CONFIG_NETTLE_VERSION_MAJOR < 3
43typedef nettle_crypt_func * QCryptoCipherNettleFuncNative;
44typedef void *       cipher_ctx_t;
45typedef unsigned     cipher_length_t;
46#define CONST_CTX
47
48#define cast5_set_key cast128_set_key
49
50#define aes128_ctx aes_ctx
51#define aes192_ctx aes_ctx
52#define aes256_ctx aes_ctx
53#define aes128_set_encrypt_key(c, k) \
54    aes_set_encrypt_key(c, 16, k)
55#define aes192_set_encrypt_key(c, k) \
56    aes_set_encrypt_key(c, 24, k)
57#define aes256_set_encrypt_key(c, k) \
58    aes_set_encrypt_key(c, 32, k)
59#define aes128_set_decrypt_key(c, k) \
60    aes_set_decrypt_key(c, 16, k)
61#define aes192_set_decrypt_key(c, k) \
62    aes_set_decrypt_key(c, 24, k)
63#define aes256_set_decrypt_key(c, k) \
64    aes_set_decrypt_key(c, 32, k)
65#define aes128_encrypt aes_encrypt
66#define aes192_encrypt aes_encrypt
67#define aes256_encrypt aes_encrypt
68#define aes128_decrypt aes_decrypt
69#define aes192_decrypt aes_decrypt
70#define aes256_decrypt aes_decrypt
71#else
72typedef nettle_cipher_func * QCryptoCipherNettleFuncNative;
73typedef const void * cipher_ctx_t;
74typedef size_t       cipher_length_t;
75#define CONST_CTX    const
76#endif
77
78static inline bool qcrypto_length_check(size_t len, size_t blocksize,
79                                        Error **errp)
80{
81    if (unlikely(len & (blocksize - 1))) {
82        error_setg(errp, "Length %zu must be a multiple of block size %zu",
83                   len, blocksize);
84        return false;
85    }
86    return true;
87}
88
89
90static void qcrypto_cipher_ctx_free(QCryptoCipher *ctx)
91{
92    g_free(ctx);
93}
94
95static int qcrypto_cipher_no_setiv(QCryptoCipher *cipher,
96                                   const uint8_t *iv, size_t niv,
97                                   Error **errp)
98{
99    error_setg(errp, "Setting IV is not supported");
100    return -1;
101}
102
103
104#define DEFINE_SETIV(NAME, TYPE, BLEN)                                  \
105static int NAME##_setiv(QCryptoCipher *cipher, const uint8_t *iv,       \
106                        size_t niv, Error **errp)                       \
107{                                                                       \
108    TYPE *ctx = container_of(cipher, TYPE, base);                       \
109    if (niv != BLEN) {                                                  \
110        error_setg(errp, "Expected IV size %d not %zu", BLEN, niv);     \
111        return -1;                                                      \
112    }                                                                   \
113    memcpy(ctx->iv, iv, niv);                                           \
114    return 0;                                                           \
115}
116
117
118#define DEFINE_ECB(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)                  \
119static int NAME##_encrypt_ecb(QCryptoCipher *cipher, const void *in,    \
120                              void *out, size_t len, Error **errp)      \
121{                                                                       \
122    TYPE *ctx = container_of(cipher, TYPE, base);                       \
123    if (!qcrypto_length_check(len, BLEN, errp)) {                       \
124        return -1;                                                      \
125    }                                                                   \
126    ENCRYPT(&ctx->key, len, out, in);                                   \
127    return 0;                                                           \
128}                                                                       \
129static int NAME##_decrypt_ecb(QCryptoCipher *cipher, const void *in,    \
130                              void *out, size_t len, Error **errp)      \
131{                                                                       \
132    TYPE *ctx = container_of(cipher, TYPE, base);                       \
133    if (!qcrypto_length_check(len, BLEN, errp)) {                       \
134        return -1;                                                      \
135    }                                                                   \
136    DECRYPT(&ctx->key, len, out, in);                                   \
137    return 0;                                                           \
138}                                                                       \
139static const struct QCryptoCipherDriver NAME##_driver_ecb = {           \
140    .cipher_encrypt = NAME##_encrypt_ecb,                               \
141    .cipher_decrypt = NAME##_decrypt_ecb,                               \
142    .cipher_setiv = qcrypto_cipher_no_setiv,                            \
143    .cipher_free = qcrypto_cipher_ctx_free,                             \
144};
145
146
147#define DEFINE_CBC(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)                  \
148static int NAME##_encrypt_cbc(QCryptoCipher *cipher, const void *in,    \
149                              void *out, size_t len, Error **errp)      \
150{                                                                       \
151    TYPE *ctx = container_of(cipher, TYPE, base);                       \
152    if (!qcrypto_length_check(len, BLEN, errp)) {                       \
153        return -1;                                                      \
154    }                                                                   \
155    cbc_encrypt(&ctx->key, ENCRYPT, BLEN, ctx->iv, len, out, in);       \
156    return 0;                                                           \
157}                                                                       \
158static int NAME##_decrypt_cbc(QCryptoCipher *cipher, const void *in,    \
159                              void *out, size_t len, Error **errp)      \
160{                                                                       \
161    TYPE *ctx = container_of(cipher, TYPE, base);                       \
162    if (!qcrypto_length_check(len, BLEN, errp)) {                       \
163        return -1;                                                      \
164    }                                                                   \
165    cbc_decrypt(&ctx->key, DECRYPT, BLEN, ctx->iv, len, out, in);       \
166    return 0;                                                           \
167}                                                                       \
168static const struct QCryptoCipherDriver NAME##_driver_cbc = {           \
169    .cipher_encrypt = NAME##_encrypt_cbc,                               \
170    .cipher_decrypt = NAME##_decrypt_cbc,                               \
171    .cipher_setiv = NAME##_setiv,                                       \
172    .cipher_free = qcrypto_cipher_ctx_free,                             \
173};
174
175
176#define DEFINE_CTR(NAME, TYPE, BLEN, ENCRYPT)                           \
177static int NAME##_encrypt_ctr(QCryptoCipher *cipher, const void *in,    \
178                              void *out, size_t len, Error **errp)      \
179{                                                                       \
180    TYPE *ctx = container_of(cipher, TYPE, base);                       \
181    if (!qcrypto_length_check(len, BLEN, errp)) {                       \
182        return -1;                                                      \
183    }                                                                   \
184    ctr_crypt(&ctx->key, ENCRYPT, BLEN, ctx->iv, len, out, in);         \
185    return 0;                                                           \
186}                                                                       \
187static const struct QCryptoCipherDriver NAME##_driver_ctr = {           \
188    .cipher_encrypt = NAME##_encrypt_ctr,                               \
189    .cipher_decrypt = NAME##_encrypt_ctr,                               \
190    .cipher_setiv = NAME##_setiv,                                       \
191    .cipher_free = qcrypto_cipher_ctx_free,                             \
192};
193
194
195#ifdef CONFIG_QEMU_PRIVATE_XTS
196#define DEFINE__XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)                 \
197static void NAME##_xts_wrape(const void *ctx, size_t length,            \
198                             uint8_t *dst, const uint8_t *src)          \
199{                                                                       \
200    ENCRYPT((cipher_ctx_t)ctx, length, dst, src);                       \
201}                                                                       \
202static void NAME##_xts_wrapd(const void *ctx, size_t length,            \
203                             uint8_t *dst, const uint8_t *src)          \
204{                                                                       \
205    DECRYPT((cipher_ctx_t)ctx, length, dst, src);                       \
206}                                                                       \
207static int NAME##_encrypt_xts(QCryptoCipher *cipher, const void *in,    \
208                              void *out, size_t len, Error **errp)      \
209{                                                                       \
210    TYPE *ctx = container_of(cipher, TYPE, base);                       \
211    if (!qcrypto_length_check(len, BLEN, errp)) {                       \
212        return -1;                                                      \
213    }                                                                   \
214    xts_encrypt(&ctx->key, &ctx->key_xts,                               \
215                NAME##_xts_wrape, NAME##_xts_wrapd,                     \
216                ctx->iv, len, out, in);                                 \
217    return 0;                                                           \
218}                                                                       \
219static int NAME##_decrypt_xts(QCryptoCipher *cipher, const void *in,    \
220                              void *out, size_t len, Error **errp)      \
221{                                                                       \
222    TYPE *ctx = container_of(cipher, TYPE, base);                       \
223    if (!qcrypto_length_check(len, BLEN, errp)) {                       \
224        return -1;                                                      \
225    }                                                                   \
226    xts_decrypt(&ctx->key, &ctx->key_xts,                               \
227                NAME##_xts_wrape, NAME##_xts_wrapd,                     \
228                ctx->iv, len, out, in);                                 \
229    return 0;                                                           \
230}
231#else
232#define DEFINE__XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)                 \
233static int NAME##_encrypt_xts(QCryptoCipher *cipher, const void *in,    \
234                              void *out, size_t len, Error **errp)      \
235{                                                                       \
236    TYPE *ctx = container_of(cipher, TYPE, base);                       \
237    if (!qcrypto_length_check(len, BLEN, errp)) {                       \
238        return -1;                                                      \
239    }                                                                   \
240    xts_encrypt_message(&ctx->key, &ctx->key_xts, ENCRYPT,              \
241                        ctx->iv, len, out, in);                         \
242    return 0;                                                           \
243}                                                                       \
244static int NAME##_decrypt_xts(QCryptoCipher *cipher, const void *in,    \
245                              void *out, size_t len, Error **errp)      \
246{                                                                       \
247    TYPE *ctx = container_of(cipher, TYPE, base);                       \
248    if (!qcrypto_length_check(len, BLEN, errp)) {                       \
249        return -1;                                                      \
250    }                                                                   \
251    xts_decrypt_message(&ctx->key, &ctx->key_xts, DECRYPT, ENCRYPT,     \
252                        ctx->iv, len, out, in);                         \
253    return 0;                                                           \
254}
255#endif
256
257#define DEFINE_XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)          \
258    QEMU_BUILD_BUG_ON(BLEN != XTS_BLOCK_SIZE);                  \
259    DEFINE__XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)             \
260static const struct QCryptoCipherDriver NAME##_driver_xts = {   \
261    .cipher_encrypt = NAME##_encrypt_xts,                       \
262    .cipher_decrypt = NAME##_decrypt_xts,                       \
263    .cipher_setiv = NAME##_setiv,                               \
264    .cipher_free = qcrypto_cipher_ctx_free,                     \
265};
266
267
268#define DEFINE_ECB_CBC_CTR(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)  \
269    DEFINE_SETIV(NAME, TYPE, BLEN)                              \
270    DEFINE_ECB(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)              \
271    DEFINE_CBC(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)              \
272    DEFINE_CTR(NAME, TYPE, BLEN, ENCRYPT)
273
274#define DEFINE_ECB_CBC_CTR_XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)      \
275    DEFINE_ECB_CBC_CTR(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)              \
276    DEFINE_XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)
277
278
279typedef struct QCryptoNettleDESRFB {
280    QCryptoCipher base;
281    struct des_ctx key;
282    uint8_t iv[DES_BLOCK_SIZE];
283} QCryptoNettleDESRFB;
284
285static void des_encrypt_native(cipher_ctx_t ctx, cipher_length_t length,
286                               uint8_t *dst, const uint8_t *src)
287{
288    des_encrypt(ctx, length, dst, src);
289}
290
291static void des_decrypt_native(cipher_ctx_t ctx, cipher_length_t length,
292                               uint8_t *dst, const uint8_t *src)
293{
294    des_decrypt(ctx, length, dst, src);
295}
296
297DEFINE_ECB_CBC_CTR(qcrypto_nettle_des_rfb, QCryptoNettleDESRFB,
298                   DES_BLOCK_SIZE, des_encrypt_native, des_decrypt_native)
299
300
301typedef struct QCryptoNettleDES3 {
302    QCryptoCipher base;
303    struct des3_ctx key;
304    uint8_t iv[DES3_BLOCK_SIZE];
305} QCryptoNettleDES3;
306
307static void des3_encrypt_native(cipher_ctx_t ctx, cipher_length_t length,
308                                uint8_t *dst, const uint8_t *src)
309{
310    des3_encrypt(ctx, length, dst, src);
311}
312
313static void des3_decrypt_native(cipher_ctx_t ctx, cipher_length_t length,
314                                uint8_t *dst, const uint8_t *src)
315{
316    des3_decrypt(ctx, length, dst, src);
317}
318
319DEFINE_ECB_CBC_CTR(qcrypto_nettle_des3, QCryptoNettleDES3, DES3_BLOCK_SIZE,
320                   des3_encrypt_native, des3_decrypt_native)
321
322
323typedef struct QCryptoNettleAES128 {
324    QCryptoCipher base;
325    uint8_t iv[AES_BLOCK_SIZE];
326    /* First key from pair is encode, second key is decode. */
327    struct aes128_ctx key[2], key_xts[2];
328} QCryptoNettleAES128;
329
330static void aes128_encrypt_native(cipher_ctx_t ctx, cipher_length_t length,
331                                  uint8_t *dst, const uint8_t *src)
332{
333    CONST_CTX struct aes128_ctx *keys = ctx;
334    aes128_encrypt(&keys[0], length, dst, src);
335}
336
337static void aes128_decrypt_native(cipher_ctx_t ctx, cipher_length_t length,
338                                  uint8_t *dst, const uint8_t *src)
339{
340    CONST_CTX struct aes128_ctx *keys = ctx;
341    aes128_decrypt(&keys[1], length, dst, src);
342}
343
344DEFINE_ECB_CBC_CTR_XTS(qcrypto_nettle_aes128,
345                       QCryptoNettleAES128, AES_BLOCK_SIZE,
346                       aes128_encrypt_native, aes128_decrypt_native)
347
348
349typedef struct QCryptoNettleAES192 {
350    QCryptoCipher base;
351    uint8_t iv[AES_BLOCK_SIZE];
352    /* First key from pair is encode, second key is decode. */
353    struct aes192_ctx key[2], key_xts[2];
354} QCryptoNettleAES192;
355
356static void aes192_encrypt_native(cipher_ctx_t ctx, cipher_length_t length,
357                                  uint8_t *dst, const uint8_t *src)
358{
359    CONST_CTX struct aes192_ctx *keys = ctx;
360    aes192_encrypt(&keys[0], length, dst, src);
361}
362
363static void aes192_decrypt_native(cipher_ctx_t ctx, cipher_length_t length,
364                                  uint8_t *dst, const uint8_t *src)
365{
366    CONST_CTX struct aes192_ctx *keys = ctx;
367    aes192_decrypt(&keys[1], length, dst, src);
368}
369
370DEFINE_ECB_CBC_CTR_XTS(qcrypto_nettle_aes192,
371                       QCryptoNettleAES192, AES_BLOCK_SIZE,
372                       aes192_encrypt_native, aes192_decrypt_native)
373
374
375typedef struct QCryptoNettleAES256 {
376    QCryptoCipher base;
377    uint8_t iv[AES_BLOCK_SIZE];
378    /* First key from pair is encode, second key is decode. */
379    struct aes256_ctx key[2], key_xts[2];
380} QCryptoNettleAES256;
381
382static void aes256_encrypt_native(cipher_ctx_t ctx, cipher_length_t length,
383                                  uint8_t *dst, const uint8_t *src)
384{
385    CONST_CTX struct aes256_ctx *keys = ctx;
386    aes256_encrypt(&keys[0], length, dst, src);
387}
388
389static void aes256_decrypt_native(cipher_ctx_t ctx, cipher_length_t length,
390                               uint8_t *dst, const uint8_t *src)
391{
392    CONST_CTX struct aes256_ctx *keys = ctx;
393    aes256_decrypt(&keys[1], length, dst, src);
394}
395
396DEFINE_ECB_CBC_CTR_XTS(qcrypto_nettle_aes256,
397                       QCryptoNettleAES256, AES_BLOCK_SIZE,
398                       aes256_encrypt_native, aes256_decrypt_native)
399
400
401typedef struct QCryptoNettleCAST128 {
402    QCryptoCipher base;
403    uint8_t iv[CAST128_BLOCK_SIZE];
404    struct cast128_ctx key, key_xts;
405} QCryptoNettleCAST128;
406
407static void cast128_encrypt_native(cipher_ctx_t ctx, cipher_length_t length,
408                                   uint8_t *dst, const uint8_t *src)
409{
410    cast128_encrypt(ctx, length, dst, src);
411}
412
413static void cast128_decrypt_native(cipher_ctx_t ctx, cipher_length_t length,
414                                   uint8_t *dst, const uint8_t *src)
415{
416    cast128_decrypt(ctx, length, dst, src);
417}
418
419DEFINE_ECB_CBC_CTR(qcrypto_nettle_cast128,
420                   QCryptoNettleCAST128, CAST128_BLOCK_SIZE,
421                   cast128_encrypt_native, cast128_decrypt_native)
422
423
424typedef struct QCryptoNettleSerpent {
425    QCryptoCipher base;
426    uint8_t iv[SERPENT_BLOCK_SIZE];
427    struct serpent_ctx key, key_xts;
428} QCryptoNettleSerpent;
429
430
431static void serpent_encrypt_native(cipher_ctx_t ctx, cipher_length_t length,
432                                   uint8_t *dst, const uint8_t *src)
433{
434    serpent_encrypt(ctx, length, dst, src);
435}
436
437static void serpent_decrypt_native(cipher_ctx_t ctx, cipher_length_t length,
438                                   uint8_t *dst, const uint8_t *src)
439{
440    serpent_decrypt(ctx, length, dst, src);
441}
442
443DEFINE_ECB_CBC_CTR_XTS(qcrypto_nettle_serpent,
444                       QCryptoNettleSerpent, SERPENT_BLOCK_SIZE,
445                       serpent_encrypt_native, serpent_decrypt_native)
446
447
448typedef struct QCryptoNettleTwofish {
449    QCryptoCipher base;
450    uint8_t iv[TWOFISH_BLOCK_SIZE];
451    struct twofish_ctx key, key_xts;
452} QCryptoNettleTwofish;
453
454static void twofish_encrypt_native(cipher_ctx_t ctx, cipher_length_t length,
455                                   uint8_t *dst, const uint8_t *src)
456{
457    twofish_encrypt(ctx, length, dst, src);
458}
459
460static void twofish_decrypt_native(cipher_ctx_t ctx, cipher_length_t length,
461                                   uint8_t *dst, const uint8_t *src)
462{
463    twofish_decrypt(ctx, length, dst, src);
464}
465
466DEFINE_ECB_CBC_CTR_XTS(qcrypto_nettle_twofish,
467                       QCryptoNettleTwofish, TWOFISH_BLOCK_SIZE,
468                       twofish_encrypt_native, twofish_decrypt_native)
469
470
471bool qcrypto_cipher_supports(QCryptoCipherAlgorithm alg,
472                             QCryptoCipherMode mode)
473{
474    switch (alg) {
475    case QCRYPTO_CIPHER_ALG_DES_RFB:
476    case QCRYPTO_CIPHER_ALG_3DES:
477    case QCRYPTO_CIPHER_ALG_AES_128:
478    case QCRYPTO_CIPHER_ALG_AES_192:
479    case QCRYPTO_CIPHER_ALG_AES_256:
480    case QCRYPTO_CIPHER_ALG_CAST5_128:
481    case QCRYPTO_CIPHER_ALG_SERPENT_128:
482    case QCRYPTO_CIPHER_ALG_SERPENT_192:
483    case QCRYPTO_CIPHER_ALG_SERPENT_256:
484    case QCRYPTO_CIPHER_ALG_TWOFISH_128:
485    case QCRYPTO_CIPHER_ALG_TWOFISH_192:
486    case QCRYPTO_CIPHER_ALG_TWOFISH_256:
487        break;
488    default:
489        return false;
490    }
491
492    switch (mode) {
493    case QCRYPTO_CIPHER_MODE_ECB:
494    case QCRYPTO_CIPHER_MODE_CBC:
495    case QCRYPTO_CIPHER_MODE_XTS:
496    case QCRYPTO_CIPHER_MODE_CTR:
497        return true;
498    default:
499        return false;
500    }
501}
502
503static QCryptoCipher *qcrypto_cipher_ctx_new(QCryptoCipherAlgorithm alg,
504                                             QCryptoCipherMode mode,
505                                             const uint8_t *key,
506                                             size_t nkey,
507                                             Error **errp)
508{
509    switch (mode) {
510    case QCRYPTO_CIPHER_MODE_ECB:
511    case QCRYPTO_CIPHER_MODE_CBC:
512    case QCRYPTO_CIPHER_MODE_XTS:
513    case QCRYPTO_CIPHER_MODE_CTR:
514        break;
515    default:
516        goto bad_cipher_mode;
517    }
518
519    if (!qcrypto_cipher_validate_key_length(alg, mode, nkey, errp)) {
520        return NULL;
521    }
522
523    switch (alg) {
524    case QCRYPTO_CIPHER_ALG_DES_RFB:
525        {
526            QCryptoNettleDESRFB *ctx;
527            const QCryptoCipherDriver *drv;
528            uint8_t *rfbkey;
529
530            switch (mode) {
531            case QCRYPTO_CIPHER_MODE_ECB:
532                drv = &qcrypto_nettle_des_rfb_driver_ecb;
533                break;
534            case QCRYPTO_CIPHER_MODE_CBC:
535                drv = &qcrypto_nettle_des_rfb_driver_cbc;
536                break;
537            case QCRYPTO_CIPHER_MODE_CTR:
538                drv = &qcrypto_nettle_des_rfb_driver_ctr;
539                break;
540            default:
541                goto bad_cipher_mode;
542            }
543
544            ctx = g_new0(QCryptoNettleDESRFB, 1);
545            ctx->base.driver = drv;
546
547            rfbkey = qcrypto_cipher_munge_des_rfb_key(key, nkey);
548            des_set_key(&ctx->key, rfbkey);
549            g_free(rfbkey);
550
551            return &ctx->base;
552        }
553
554    case QCRYPTO_CIPHER_ALG_3DES:
555        {
556            QCryptoNettleDES3 *ctx;
557            const QCryptoCipherDriver *drv;
558
559            switch (mode) {
560            case QCRYPTO_CIPHER_MODE_ECB:
561                drv = &qcrypto_nettle_des3_driver_ecb;
562                break;
563            case QCRYPTO_CIPHER_MODE_CBC:
564                drv = &qcrypto_nettle_des3_driver_cbc;
565                break;
566            case QCRYPTO_CIPHER_MODE_CTR:
567                drv = &qcrypto_nettle_des3_driver_ctr;
568                break;
569            default:
570                goto bad_cipher_mode;
571            }
572
573            ctx = g_new0(QCryptoNettleDES3, 1);
574            ctx->base.driver = drv;
575            des3_set_key(&ctx->key, key);
576            return &ctx->base;
577        }
578
579    case QCRYPTO_CIPHER_ALG_AES_128:
580        {
581            QCryptoNettleAES128 *ctx = g_new0(QCryptoNettleAES128, 1);
582
583            switch (mode) {
584            case QCRYPTO_CIPHER_MODE_ECB:
585                ctx->base.driver = &qcrypto_nettle_aes128_driver_ecb;
586                break;
587            case QCRYPTO_CIPHER_MODE_CBC:
588                ctx->base.driver = &qcrypto_nettle_aes128_driver_cbc;
589                break;
590            case QCRYPTO_CIPHER_MODE_CTR:
591                ctx->base.driver = &qcrypto_nettle_aes128_driver_ctr;
592                break;
593            case QCRYPTO_CIPHER_MODE_XTS:
594                ctx->base.driver = &qcrypto_nettle_aes128_driver_xts;
595                nkey /= 2;
596                aes128_set_encrypt_key(&ctx->key_xts[0], key + nkey);
597                aes128_set_decrypt_key(&ctx->key_xts[1], key + nkey);
598                break;
599            default:
600                g_assert_not_reached();
601            }
602            aes128_set_encrypt_key(&ctx->key[0], key);
603            aes128_set_decrypt_key(&ctx->key[1], key);
604
605            return &ctx->base;
606        }
607
608    case QCRYPTO_CIPHER_ALG_AES_192:
609        {
610            QCryptoNettleAES192 *ctx = g_new0(QCryptoNettleAES192, 1);
611
612            switch (mode) {
613            case QCRYPTO_CIPHER_MODE_ECB:
614                ctx->base.driver = &qcrypto_nettle_aes192_driver_ecb;
615                break;
616            case QCRYPTO_CIPHER_MODE_CBC:
617                ctx->base.driver = &qcrypto_nettle_aes192_driver_cbc;
618                break;
619            case QCRYPTO_CIPHER_MODE_CTR:
620                ctx->base.driver = &qcrypto_nettle_aes192_driver_ctr;
621                break;
622            case QCRYPTO_CIPHER_MODE_XTS:
623                ctx->base.driver = &qcrypto_nettle_aes192_driver_xts;
624                nkey /= 2;
625                aes192_set_encrypt_key(&ctx->key_xts[0], key + nkey);
626                aes192_set_decrypt_key(&ctx->key_xts[1], key + nkey);
627                break;
628            default:
629                g_assert_not_reached();
630            }
631            aes192_set_encrypt_key(&ctx->key[0], key);
632            aes192_set_decrypt_key(&ctx->key[1], key);
633
634            return &ctx->base;
635        }
636
637    case QCRYPTO_CIPHER_ALG_AES_256:
638        {
639            QCryptoNettleAES256 *ctx = g_new0(QCryptoNettleAES256, 1);
640
641            switch (mode) {
642            case QCRYPTO_CIPHER_MODE_ECB:
643                ctx->base.driver = &qcrypto_nettle_aes256_driver_ecb;
644                break;
645            case QCRYPTO_CIPHER_MODE_CBC:
646                ctx->base.driver = &qcrypto_nettle_aes256_driver_cbc;
647                break;
648            case QCRYPTO_CIPHER_MODE_CTR:
649                ctx->base.driver = &qcrypto_nettle_aes256_driver_ctr;
650                break;
651            case QCRYPTO_CIPHER_MODE_XTS:
652                ctx->base.driver = &qcrypto_nettle_aes256_driver_xts;
653                nkey /= 2;
654                aes256_set_encrypt_key(&ctx->key_xts[0], key + nkey);
655                aes256_set_decrypt_key(&ctx->key_xts[1], key + nkey);
656                break;
657            default:
658                g_assert_not_reached();
659            }
660            aes256_set_encrypt_key(&ctx->key[0], key);
661            aes256_set_decrypt_key(&ctx->key[1], key);
662
663            return &ctx->base;
664        }
665
666    case QCRYPTO_CIPHER_ALG_CAST5_128:
667        {
668            QCryptoNettleCAST128 *ctx;
669            const QCryptoCipherDriver *drv;
670
671            switch (mode) {
672            case QCRYPTO_CIPHER_MODE_ECB:
673                drv = &qcrypto_nettle_cast128_driver_ecb;
674                break;
675            case QCRYPTO_CIPHER_MODE_CBC:
676                drv = &qcrypto_nettle_cast128_driver_cbc;
677                break;
678            case QCRYPTO_CIPHER_MODE_CTR:
679                drv = &qcrypto_nettle_cast128_driver_ctr;
680                break;
681            default:
682                goto bad_cipher_mode;
683            }
684
685            ctx = g_new0(QCryptoNettleCAST128, 1);
686            ctx->base.driver = drv;
687            cast5_set_key(&ctx->key, nkey, key);
688
689            return &ctx->base;
690        }
691
692    case QCRYPTO_CIPHER_ALG_SERPENT_128:
693    case QCRYPTO_CIPHER_ALG_SERPENT_192:
694    case QCRYPTO_CIPHER_ALG_SERPENT_256:
695        {
696            QCryptoNettleSerpent *ctx = g_new0(QCryptoNettleSerpent, 1);
697
698            switch (mode) {
699            case QCRYPTO_CIPHER_MODE_ECB:
700                ctx->base.driver = &qcrypto_nettle_serpent_driver_ecb;
701                break;
702            case QCRYPTO_CIPHER_MODE_CBC:
703                ctx->base.driver = &qcrypto_nettle_serpent_driver_cbc;
704                break;
705            case QCRYPTO_CIPHER_MODE_CTR:
706                ctx->base.driver = &qcrypto_nettle_serpent_driver_ctr;
707                break;
708            case QCRYPTO_CIPHER_MODE_XTS:
709                ctx->base.driver = &qcrypto_nettle_serpent_driver_xts;
710                nkey /= 2;
711                serpent_set_key(&ctx->key_xts, nkey, key + nkey);
712                break;
713            default:
714                g_assert_not_reached();
715            }
716            serpent_set_key(&ctx->key, nkey, key);
717
718            return &ctx->base;
719        }
720
721    case QCRYPTO_CIPHER_ALG_TWOFISH_128:
722    case QCRYPTO_CIPHER_ALG_TWOFISH_192:
723    case QCRYPTO_CIPHER_ALG_TWOFISH_256:
724        {
725            QCryptoNettleTwofish *ctx = g_new0(QCryptoNettleTwofish, 1);
726
727            switch (mode) {
728            case QCRYPTO_CIPHER_MODE_ECB:
729                ctx->base.driver = &qcrypto_nettle_twofish_driver_ecb;
730                break;
731            case QCRYPTO_CIPHER_MODE_CBC:
732                ctx->base.driver = &qcrypto_nettle_twofish_driver_cbc;
733                break;
734            case QCRYPTO_CIPHER_MODE_CTR:
735                ctx->base.driver = &qcrypto_nettle_twofish_driver_ctr;
736                break;
737            case QCRYPTO_CIPHER_MODE_XTS:
738                ctx->base.driver = &qcrypto_nettle_twofish_driver_xts;
739                nkey /= 2;
740                twofish_set_key(&ctx->key_xts, nkey, key + nkey);
741                break;
742            default:
743                g_assert_not_reached();
744            }
745            twofish_set_key(&ctx->key, nkey, key);
746
747            return &ctx->base;
748        }
749
750    default:
751        error_setg(errp, "Unsupported cipher algorithm %s",
752                   QCryptoCipherAlgorithm_str(alg));
753        return NULL;
754    }
755
756 bad_cipher_mode:
757    error_setg(errp, "Unsupported cipher mode %s",
758               QCryptoCipherMode_str(mode));
759    return NULL;
760}
761