xref: /openbmc/qemu/crypto/cipher-nettle.c.inc (revision d2dfe0b5)
1/*
2 * QEMU Crypto cipher nettle algorithms
3 *
4 * Copyright (c) 2015 Red Hat, Inc.
5 *
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2.1 of the License, or (at your option) any later version.
10 *
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14 * Lesser General Public License for more details.
15 *
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18 *
19 */
20
21#ifdef CONFIG_QEMU_PRIVATE_XTS
22#include "crypto/xts.h"
23#endif
24
25#include <nettle/nettle-types.h>
26#include <nettle/aes.h>
27#include <nettle/des.h>
28#include <nettle/cbc.h>
29#include <nettle/cast128.h>
30#include <nettle/serpent.h>
31#include <nettle/twofish.h>
32#include <nettle/ctr.h>
33#ifndef CONFIG_QEMU_PRIVATE_XTS
34#include <nettle/xts.h>
35#endif
36
37static inline bool qcrypto_length_check(size_t len, size_t blocksize,
38                                        Error **errp)
39{
40    if (unlikely(len & (blocksize - 1))) {
41        error_setg(errp, "Length %zu must be a multiple of block size %zu",
42                   len, blocksize);
43        return false;
44    }
45    return true;
46}
47
48
49static void qcrypto_cipher_ctx_free(QCryptoCipher *ctx)
50{
51    g_free(ctx);
52}
53
54static int qcrypto_cipher_no_setiv(QCryptoCipher *cipher,
55                                   const uint8_t *iv, size_t niv,
56                                   Error **errp)
57{
58    error_setg(errp, "Setting IV is not supported");
59    return -1;
60}
61
62
63#define DEFINE_SETIV(NAME, TYPE, BLEN)                                  \
64static int NAME##_setiv(QCryptoCipher *cipher, const uint8_t *iv,       \
65                        size_t niv, Error **errp)                       \
66{                                                                       \
67    TYPE *ctx = container_of(cipher, TYPE, base);                       \
68    if (niv != BLEN) {                                                  \
69        error_setg(errp, "Expected IV size %d not %zu", BLEN, niv);     \
70        return -1;                                                      \
71    }                                                                   \
72    memcpy(ctx->iv, iv, niv);                                           \
73    return 0;                                                           \
74}
75
76
77#define DEFINE_ECB(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)                  \
78static int NAME##_encrypt_ecb(QCryptoCipher *cipher, const void *in,    \
79                              void *out, size_t len, Error **errp)      \
80{                                                                       \
81    TYPE *ctx = container_of(cipher, TYPE, base);                       \
82    if (!qcrypto_length_check(len, BLEN, errp)) {                       \
83        return -1;                                                      \
84    }                                                                   \
85    ENCRYPT(&ctx->key, len, out, in);                                   \
86    return 0;                                                           \
87}                                                                       \
88static int NAME##_decrypt_ecb(QCryptoCipher *cipher, const void *in,    \
89                              void *out, size_t len, Error **errp)      \
90{                                                                       \
91    TYPE *ctx = container_of(cipher, TYPE, base);                       \
92    if (!qcrypto_length_check(len, BLEN, errp)) {                       \
93        return -1;                                                      \
94    }                                                                   \
95    DECRYPT(&ctx->key, len, out, in);                                   \
96    return 0;                                                           \
97}                                                                       \
98static const struct QCryptoCipherDriver NAME##_driver_ecb = {           \
99    .cipher_encrypt = NAME##_encrypt_ecb,                               \
100    .cipher_decrypt = NAME##_decrypt_ecb,                               \
101    .cipher_setiv = qcrypto_cipher_no_setiv,                            \
102    .cipher_free = qcrypto_cipher_ctx_free,                             \
103};
104
105
106#define DEFINE_CBC(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)                  \
107static int NAME##_encrypt_cbc(QCryptoCipher *cipher, const void *in,    \
108                              void *out, size_t len, Error **errp)      \
109{                                                                       \
110    TYPE *ctx = container_of(cipher, TYPE, base);                       \
111    if (!qcrypto_length_check(len, BLEN, errp)) {                       \
112        return -1;                                                      \
113    }                                                                   \
114    cbc_encrypt(&ctx->key, ENCRYPT, BLEN, ctx->iv, len, out, in);       \
115    return 0;                                                           \
116}                                                                       \
117static int NAME##_decrypt_cbc(QCryptoCipher *cipher, const void *in,    \
118                              void *out, size_t len, Error **errp)      \
119{                                                                       \
120    TYPE *ctx = container_of(cipher, TYPE, base);                       \
121    if (!qcrypto_length_check(len, BLEN, errp)) {                       \
122        return -1;                                                      \
123    }                                                                   \
124    cbc_decrypt(&ctx->key, DECRYPT, BLEN, ctx->iv, len, out, in);       \
125    return 0;                                                           \
126}                                                                       \
127static const struct QCryptoCipherDriver NAME##_driver_cbc = {           \
128    .cipher_encrypt = NAME##_encrypt_cbc,                               \
129    .cipher_decrypt = NAME##_decrypt_cbc,                               \
130    .cipher_setiv = NAME##_setiv,                                       \
131    .cipher_free = qcrypto_cipher_ctx_free,                             \
132};
133
134
135#define DEFINE_CTR(NAME, TYPE, BLEN, ENCRYPT)                           \
136static int NAME##_encrypt_ctr(QCryptoCipher *cipher, const void *in,    \
137                              void *out, size_t len, Error **errp)      \
138{                                                                       \
139    TYPE *ctx = container_of(cipher, TYPE, base);                       \
140    if (!qcrypto_length_check(len, BLEN, errp)) {                       \
141        return -1;                                                      \
142    }                                                                   \
143    ctr_crypt(&ctx->key, ENCRYPT, BLEN, ctx->iv, len, out, in);         \
144    return 0;                                                           \
145}                                                                       \
146static const struct QCryptoCipherDriver NAME##_driver_ctr = {           \
147    .cipher_encrypt = NAME##_encrypt_ctr,                               \
148    .cipher_decrypt = NAME##_encrypt_ctr,                               \
149    .cipher_setiv = NAME##_setiv,                                       \
150    .cipher_free = qcrypto_cipher_ctx_free,                             \
151};
152
153
154#ifdef CONFIG_QEMU_PRIVATE_XTS
155#define DEFINE__XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)                 \
156static void NAME##_xts_wrape(const void *ctx, size_t length,            \
157                             uint8_t *dst, const uint8_t *src)          \
158{                                                                       \
159    ENCRYPT((const void *)ctx, length, dst, src);                       \
160}                                                                       \
161static void NAME##_xts_wrapd(const void *ctx, size_t length,            \
162                             uint8_t *dst, const uint8_t *src)          \
163{                                                                       \
164    DECRYPT((const void *)ctx, length, dst, src);                       \
165}                                                                       \
166static int NAME##_encrypt_xts(QCryptoCipher *cipher, const void *in,    \
167                              void *out, size_t len, Error **errp)      \
168{                                                                       \
169    TYPE *ctx = container_of(cipher, TYPE, base);                       \
170    if (!qcrypto_length_check(len, BLEN, errp)) {                       \
171        return -1;                                                      \
172    }                                                                   \
173    xts_encrypt(&ctx->key, &ctx->key_xts,                               \
174                NAME##_xts_wrape, NAME##_xts_wrapd,                     \
175                ctx->iv, len, out, in);                                 \
176    return 0;                                                           \
177}                                                                       \
178static int NAME##_decrypt_xts(QCryptoCipher *cipher, const void *in,    \
179                              void *out, size_t len, Error **errp)      \
180{                                                                       \
181    TYPE *ctx = container_of(cipher, TYPE, base);                       \
182    if (!qcrypto_length_check(len, BLEN, errp)) {                       \
183        return -1;                                                      \
184    }                                                                   \
185    xts_decrypt(&ctx->key, &ctx->key_xts,                               \
186                NAME##_xts_wrape, NAME##_xts_wrapd,                     \
187                ctx->iv, len, out, in);                                 \
188    return 0;                                                           \
189}
190#else
191#define DEFINE__XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)                 \
192static int NAME##_encrypt_xts(QCryptoCipher *cipher, const void *in,    \
193                              void *out, size_t len, Error **errp)      \
194{                                                                       \
195    TYPE *ctx = container_of(cipher, TYPE, base);                       \
196    if (!qcrypto_length_check(len, BLEN, errp)) {                       \
197        return -1;                                                      \
198    }                                                                   \
199    xts_encrypt_message(&ctx->key, &ctx->key_xts, ENCRYPT,              \
200                        ctx->iv, len, out, in);                         \
201    return 0;                                                           \
202}                                                                       \
203static int NAME##_decrypt_xts(QCryptoCipher *cipher, const void *in,    \
204                              void *out, size_t len, Error **errp)      \
205{                                                                       \
206    TYPE *ctx = container_of(cipher, TYPE, base);                       \
207    if (!qcrypto_length_check(len, BLEN, errp)) {                       \
208        return -1;                                                      \
209    }                                                                   \
210    xts_decrypt_message(&ctx->key, &ctx->key_xts, DECRYPT, ENCRYPT,     \
211                        ctx->iv, len, out, in);                         \
212    return 0;                                                           \
213}
214#endif
215
216#define DEFINE_XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)          \
217    QEMU_BUILD_BUG_ON(BLEN != XTS_BLOCK_SIZE);                  \
218    DEFINE__XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)             \
219static const struct QCryptoCipherDriver NAME##_driver_xts = {   \
220    .cipher_encrypt = NAME##_encrypt_xts,                       \
221    .cipher_decrypt = NAME##_decrypt_xts,                       \
222    .cipher_setiv = NAME##_setiv,                               \
223    .cipher_free = qcrypto_cipher_ctx_free,                     \
224};
225
226
227#define DEFINE_ECB_CBC_CTR(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)  \
228    DEFINE_SETIV(NAME, TYPE, BLEN)                              \
229    DEFINE_ECB(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)              \
230    DEFINE_CBC(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)              \
231    DEFINE_CTR(NAME, TYPE, BLEN, ENCRYPT)
232
233#define DEFINE_ECB_CBC_CTR_XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)      \
234    DEFINE_ECB_CBC_CTR(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)              \
235    DEFINE_XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)
236
237
238typedef struct QCryptoNettleDES {
239    QCryptoCipher base;
240    struct des_ctx key;
241    uint8_t iv[DES_BLOCK_SIZE];
242} QCryptoNettleDES;
243
244static void des_encrypt_native(const void *ctx, size_t length,
245                               uint8_t *dst, const uint8_t *src)
246{
247    des_encrypt(ctx, length, dst, src);
248}
249
250static void des_decrypt_native(const void *ctx, size_t length,
251                               uint8_t *dst, const uint8_t *src)
252{
253    des_decrypt(ctx, length, dst, src);
254}
255
256DEFINE_ECB_CBC_CTR(qcrypto_nettle_des, QCryptoNettleDES,
257                   DES_BLOCK_SIZE, des_encrypt_native, des_decrypt_native)
258
259
260typedef struct QCryptoNettleDES3 {
261    QCryptoCipher base;
262    struct des3_ctx key;
263    uint8_t iv[DES3_BLOCK_SIZE];
264} QCryptoNettleDES3;
265
266static void des3_encrypt_native(const void *ctx, size_t length,
267                                uint8_t *dst, const uint8_t *src)
268{
269    des3_encrypt(ctx, length, dst, src);
270}
271
272static void des3_decrypt_native(const void *ctx, size_t length,
273                                uint8_t *dst, const uint8_t *src)
274{
275    des3_decrypt(ctx, length, dst, src);
276}
277
278DEFINE_ECB_CBC_CTR(qcrypto_nettle_des3, QCryptoNettleDES3, DES3_BLOCK_SIZE,
279                   des3_encrypt_native, des3_decrypt_native)
280
281
282typedef struct QCryptoNettleAES128 {
283    QCryptoCipher base;
284    uint8_t iv[AES_BLOCK_SIZE];
285    /* First key from pair is encode, second key is decode. */
286    struct aes128_ctx key[2], key_xts[2];
287} QCryptoNettleAES128;
288
289static void aes128_encrypt_native(const void *ctx, size_t length,
290                                  uint8_t *dst, const uint8_t *src)
291{
292    const struct aes128_ctx *keys = ctx;
293    aes128_encrypt(&keys[0], length, dst, src);
294}
295
296static void aes128_decrypt_native(const void *ctx, size_t length,
297                                  uint8_t *dst, const uint8_t *src)
298{
299    const struct aes128_ctx *keys = ctx;
300    aes128_decrypt(&keys[1], length, dst, src);
301}
302
303DEFINE_ECB_CBC_CTR_XTS(qcrypto_nettle_aes128,
304                       QCryptoNettleAES128, AES_BLOCK_SIZE,
305                       aes128_encrypt_native, aes128_decrypt_native)
306
307
308typedef struct QCryptoNettleAES192 {
309    QCryptoCipher base;
310    uint8_t iv[AES_BLOCK_SIZE];
311    /* First key from pair is encode, second key is decode. */
312    struct aes192_ctx key[2], key_xts[2];
313} QCryptoNettleAES192;
314
315static void aes192_encrypt_native(const void *ctx, size_t length,
316                                  uint8_t *dst, const uint8_t *src)
317{
318    const struct aes192_ctx *keys = ctx;
319    aes192_encrypt(&keys[0], length, dst, src);
320}
321
322static void aes192_decrypt_native(const void *ctx, size_t length,
323                                  uint8_t *dst, const uint8_t *src)
324{
325    const struct aes192_ctx *keys = ctx;
326    aes192_decrypt(&keys[1], length, dst, src);
327}
328
329DEFINE_ECB_CBC_CTR_XTS(qcrypto_nettle_aes192,
330                       QCryptoNettleAES192, AES_BLOCK_SIZE,
331                       aes192_encrypt_native, aes192_decrypt_native)
332
333
334typedef struct QCryptoNettleAES256 {
335    QCryptoCipher base;
336    uint8_t iv[AES_BLOCK_SIZE];
337    /* First key from pair is encode, second key is decode. */
338    struct aes256_ctx key[2], key_xts[2];
339} QCryptoNettleAES256;
340
341static void aes256_encrypt_native(const void *ctx, size_t length,
342                                  uint8_t *dst, const uint8_t *src)
343{
344    const struct aes256_ctx *keys = ctx;
345    aes256_encrypt(&keys[0], length, dst, src);
346}
347
348static void aes256_decrypt_native(const void *ctx, size_t length,
349                                  uint8_t *dst, const uint8_t *src)
350{
351    const struct aes256_ctx *keys = ctx;
352    aes256_decrypt(&keys[1], length, dst, src);
353}
354
355DEFINE_ECB_CBC_CTR_XTS(qcrypto_nettle_aes256,
356                       QCryptoNettleAES256, AES_BLOCK_SIZE,
357                       aes256_encrypt_native, aes256_decrypt_native)
358
359
360typedef struct QCryptoNettleCAST128 {
361    QCryptoCipher base;
362    uint8_t iv[CAST128_BLOCK_SIZE];
363    struct cast128_ctx key, key_xts;
364} QCryptoNettleCAST128;
365
366static void cast128_encrypt_native(const void *ctx, size_t length,
367                                   uint8_t *dst, const uint8_t *src)
368{
369    cast128_encrypt(ctx, length, dst, src);
370}
371
372static void cast128_decrypt_native(const void *ctx, size_t length,
373                                   uint8_t *dst, const uint8_t *src)
374{
375    cast128_decrypt(ctx, length, dst, src);
376}
377
378DEFINE_ECB_CBC_CTR(qcrypto_nettle_cast128,
379                   QCryptoNettleCAST128, CAST128_BLOCK_SIZE,
380                   cast128_encrypt_native, cast128_decrypt_native)
381
382
383typedef struct QCryptoNettleSerpent {
384    QCryptoCipher base;
385    uint8_t iv[SERPENT_BLOCK_SIZE];
386    struct serpent_ctx key, key_xts;
387} QCryptoNettleSerpent;
388
389
390static void serpent_encrypt_native(const void *ctx, size_t length,
391                                   uint8_t *dst, const uint8_t *src)
392{
393    serpent_encrypt(ctx, length, dst, src);
394}
395
396static void serpent_decrypt_native(const void *ctx, size_t length,
397                                   uint8_t *dst, const uint8_t *src)
398{
399    serpent_decrypt(ctx, length, dst, src);
400}
401
402DEFINE_ECB_CBC_CTR_XTS(qcrypto_nettle_serpent,
403                       QCryptoNettleSerpent, SERPENT_BLOCK_SIZE,
404                       serpent_encrypt_native, serpent_decrypt_native)
405
406
407typedef struct QCryptoNettleTwofish {
408    QCryptoCipher base;
409    uint8_t iv[TWOFISH_BLOCK_SIZE];
410    struct twofish_ctx key, key_xts;
411} QCryptoNettleTwofish;
412
413static void twofish_encrypt_native(const void *ctx, size_t length,
414                                   uint8_t *dst, const uint8_t *src)
415{
416    twofish_encrypt(ctx, length, dst, src);
417}
418
419static void twofish_decrypt_native(const void *ctx, size_t length,
420                                   uint8_t *dst, const uint8_t *src)
421{
422    twofish_decrypt(ctx, length, dst, src);
423}
424
425DEFINE_ECB_CBC_CTR_XTS(qcrypto_nettle_twofish,
426                       QCryptoNettleTwofish, TWOFISH_BLOCK_SIZE,
427                       twofish_encrypt_native, twofish_decrypt_native)
428
429
430bool qcrypto_cipher_supports(QCryptoCipherAlgorithm alg,
431                             QCryptoCipherMode mode)
432{
433    switch (alg) {
434    case QCRYPTO_CIPHER_ALG_DES:
435    case QCRYPTO_CIPHER_ALG_3DES:
436    case QCRYPTO_CIPHER_ALG_AES_128:
437    case QCRYPTO_CIPHER_ALG_AES_192:
438    case QCRYPTO_CIPHER_ALG_AES_256:
439    case QCRYPTO_CIPHER_ALG_CAST5_128:
440    case QCRYPTO_CIPHER_ALG_SERPENT_128:
441    case QCRYPTO_CIPHER_ALG_SERPENT_192:
442    case QCRYPTO_CIPHER_ALG_SERPENT_256:
443    case QCRYPTO_CIPHER_ALG_TWOFISH_128:
444    case QCRYPTO_CIPHER_ALG_TWOFISH_192:
445    case QCRYPTO_CIPHER_ALG_TWOFISH_256:
446        break;
447    default:
448        return false;
449    }
450
451    switch (mode) {
452    case QCRYPTO_CIPHER_MODE_ECB:
453    case QCRYPTO_CIPHER_MODE_CBC:
454    case QCRYPTO_CIPHER_MODE_XTS:
455    case QCRYPTO_CIPHER_MODE_CTR:
456        return true;
457    default:
458        return false;
459    }
460}
461
462static QCryptoCipher *qcrypto_cipher_ctx_new(QCryptoCipherAlgorithm alg,
463                                             QCryptoCipherMode mode,
464                                             const uint8_t *key,
465                                             size_t nkey,
466                                             Error **errp)
467{
468    switch (mode) {
469    case QCRYPTO_CIPHER_MODE_ECB:
470    case QCRYPTO_CIPHER_MODE_CBC:
471    case QCRYPTO_CIPHER_MODE_XTS:
472    case QCRYPTO_CIPHER_MODE_CTR:
473        break;
474    default:
475        goto bad_cipher_mode;
476    }
477
478    if (!qcrypto_cipher_validate_key_length(alg, mode, nkey, errp)) {
479        return NULL;
480    }
481
482    switch (alg) {
483    case QCRYPTO_CIPHER_ALG_DES:
484        {
485            QCryptoNettleDES *ctx;
486            const QCryptoCipherDriver *drv;
487
488            switch (mode) {
489            case QCRYPTO_CIPHER_MODE_ECB:
490                drv = &qcrypto_nettle_des_driver_ecb;
491                break;
492            case QCRYPTO_CIPHER_MODE_CBC:
493                drv = &qcrypto_nettle_des_driver_cbc;
494                break;
495            case QCRYPTO_CIPHER_MODE_CTR:
496                drv = &qcrypto_nettle_des_driver_ctr;
497                break;
498            default:
499                goto bad_cipher_mode;
500            }
501
502            ctx = g_new0(QCryptoNettleDES, 1);
503            ctx->base.driver = drv;
504            des_set_key(&ctx->key, key);
505
506            return &ctx->base;
507        }
508
509    case QCRYPTO_CIPHER_ALG_3DES:
510        {
511            QCryptoNettleDES3 *ctx;
512            const QCryptoCipherDriver *drv;
513
514            switch (mode) {
515            case QCRYPTO_CIPHER_MODE_ECB:
516                drv = &qcrypto_nettle_des3_driver_ecb;
517                break;
518            case QCRYPTO_CIPHER_MODE_CBC:
519                drv = &qcrypto_nettle_des3_driver_cbc;
520                break;
521            case QCRYPTO_CIPHER_MODE_CTR:
522                drv = &qcrypto_nettle_des3_driver_ctr;
523                break;
524            default:
525                goto bad_cipher_mode;
526            }
527
528            ctx = g_new0(QCryptoNettleDES3, 1);
529            ctx->base.driver = drv;
530            des3_set_key(&ctx->key, key);
531            return &ctx->base;
532        }
533
534    case QCRYPTO_CIPHER_ALG_AES_128:
535        {
536            QCryptoNettleAES128 *ctx = g_new0(QCryptoNettleAES128, 1);
537
538            switch (mode) {
539            case QCRYPTO_CIPHER_MODE_ECB:
540                ctx->base.driver = &qcrypto_nettle_aes128_driver_ecb;
541                break;
542            case QCRYPTO_CIPHER_MODE_CBC:
543                ctx->base.driver = &qcrypto_nettle_aes128_driver_cbc;
544                break;
545            case QCRYPTO_CIPHER_MODE_CTR:
546                ctx->base.driver = &qcrypto_nettle_aes128_driver_ctr;
547                break;
548            case QCRYPTO_CIPHER_MODE_XTS:
549                ctx->base.driver = &qcrypto_nettle_aes128_driver_xts;
550                nkey /= 2;
551                aes128_set_encrypt_key(&ctx->key_xts[0], key + nkey);
552                aes128_set_decrypt_key(&ctx->key_xts[1], key + nkey);
553                break;
554            default:
555                g_assert_not_reached();
556            }
557            aes128_set_encrypt_key(&ctx->key[0], key);
558            aes128_set_decrypt_key(&ctx->key[1], key);
559
560            return &ctx->base;
561        }
562
563    case QCRYPTO_CIPHER_ALG_AES_192:
564        {
565            QCryptoNettleAES192 *ctx = g_new0(QCryptoNettleAES192, 1);
566
567            switch (mode) {
568            case QCRYPTO_CIPHER_MODE_ECB:
569                ctx->base.driver = &qcrypto_nettle_aes192_driver_ecb;
570                break;
571            case QCRYPTO_CIPHER_MODE_CBC:
572                ctx->base.driver = &qcrypto_nettle_aes192_driver_cbc;
573                break;
574            case QCRYPTO_CIPHER_MODE_CTR:
575                ctx->base.driver = &qcrypto_nettle_aes192_driver_ctr;
576                break;
577            case QCRYPTO_CIPHER_MODE_XTS:
578                ctx->base.driver = &qcrypto_nettle_aes192_driver_xts;
579                nkey /= 2;
580                aes192_set_encrypt_key(&ctx->key_xts[0], key + nkey);
581                aes192_set_decrypt_key(&ctx->key_xts[1], key + nkey);
582                break;
583            default:
584                g_assert_not_reached();
585            }
586            aes192_set_encrypt_key(&ctx->key[0], key);
587            aes192_set_decrypt_key(&ctx->key[1], key);
588
589            return &ctx->base;
590        }
591
592    case QCRYPTO_CIPHER_ALG_AES_256:
593        {
594            QCryptoNettleAES256 *ctx = g_new0(QCryptoNettleAES256, 1);
595
596            switch (mode) {
597            case QCRYPTO_CIPHER_MODE_ECB:
598                ctx->base.driver = &qcrypto_nettle_aes256_driver_ecb;
599                break;
600            case QCRYPTO_CIPHER_MODE_CBC:
601                ctx->base.driver = &qcrypto_nettle_aes256_driver_cbc;
602                break;
603            case QCRYPTO_CIPHER_MODE_CTR:
604                ctx->base.driver = &qcrypto_nettle_aes256_driver_ctr;
605                break;
606            case QCRYPTO_CIPHER_MODE_XTS:
607                ctx->base.driver = &qcrypto_nettle_aes256_driver_xts;
608                nkey /= 2;
609                aes256_set_encrypt_key(&ctx->key_xts[0], key + nkey);
610                aes256_set_decrypt_key(&ctx->key_xts[1], key + nkey);
611                break;
612            default:
613                g_assert_not_reached();
614            }
615            aes256_set_encrypt_key(&ctx->key[0], key);
616            aes256_set_decrypt_key(&ctx->key[1], key);
617
618            return &ctx->base;
619        }
620
621    case QCRYPTO_CIPHER_ALG_CAST5_128:
622        {
623            QCryptoNettleCAST128 *ctx;
624            const QCryptoCipherDriver *drv;
625
626            switch (mode) {
627            case QCRYPTO_CIPHER_MODE_ECB:
628                drv = &qcrypto_nettle_cast128_driver_ecb;
629                break;
630            case QCRYPTO_CIPHER_MODE_CBC:
631                drv = &qcrypto_nettle_cast128_driver_cbc;
632                break;
633            case QCRYPTO_CIPHER_MODE_CTR:
634                drv = &qcrypto_nettle_cast128_driver_ctr;
635                break;
636            default:
637                goto bad_cipher_mode;
638            }
639
640            ctx = g_new0(QCryptoNettleCAST128, 1);
641            ctx->base.driver = drv;
642            cast5_set_key(&ctx->key, nkey, key);
643
644            return &ctx->base;
645        }
646
647    case QCRYPTO_CIPHER_ALG_SERPENT_128:
648    case QCRYPTO_CIPHER_ALG_SERPENT_192:
649    case QCRYPTO_CIPHER_ALG_SERPENT_256:
650        {
651            QCryptoNettleSerpent *ctx = g_new0(QCryptoNettleSerpent, 1);
652
653            switch (mode) {
654            case QCRYPTO_CIPHER_MODE_ECB:
655                ctx->base.driver = &qcrypto_nettle_serpent_driver_ecb;
656                break;
657            case QCRYPTO_CIPHER_MODE_CBC:
658                ctx->base.driver = &qcrypto_nettle_serpent_driver_cbc;
659                break;
660            case QCRYPTO_CIPHER_MODE_CTR:
661                ctx->base.driver = &qcrypto_nettle_serpent_driver_ctr;
662                break;
663            case QCRYPTO_CIPHER_MODE_XTS:
664                ctx->base.driver = &qcrypto_nettle_serpent_driver_xts;
665                nkey /= 2;
666                serpent_set_key(&ctx->key_xts, nkey, key + nkey);
667                break;
668            default:
669                g_assert_not_reached();
670            }
671            serpent_set_key(&ctx->key, nkey, key);
672
673            return &ctx->base;
674        }
675
676    case QCRYPTO_CIPHER_ALG_TWOFISH_128:
677    case QCRYPTO_CIPHER_ALG_TWOFISH_192:
678    case QCRYPTO_CIPHER_ALG_TWOFISH_256:
679        {
680            QCryptoNettleTwofish *ctx = g_new0(QCryptoNettleTwofish, 1);
681
682            switch (mode) {
683            case QCRYPTO_CIPHER_MODE_ECB:
684                ctx->base.driver = &qcrypto_nettle_twofish_driver_ecb;
685                break;
686            case QCRYPTO_CIPHER_MODE_CBC:
687                ctx->base.driver = &qcrypto_nettle_twofish_driver_cbc;
688                break;
689            case QCRYPTO_CIPHER_MODE_CTR:
690                ctx->base.driver = &qcrypto_nettle_twofish_driver_ctr;
691                break;
692            case QCRYPTO_CIPHER_MODE_XTS:
693                ctx->base.driver = &qcrypto_nettle_twofish_driver_xts;
694                nkey /= 2;
695                twofish_set_key(&ctx->key_xts, nkey, key + nkey);
696                break;
697            default:
698                g_assert_not_reached();
699            }
700            twofish_set_key(&ctx->key, nkey, key);
701
702            return &ctx->base;
703        }
704
705    default:
706        error_setg(errp, "Unsupported cipher algorithm %s",
707                   QCryptoCipherAlgorithm_str(alg));
708        return NULL;
709    }
710
711 bad_cipher_mode:
712    error_setg(errp, "Unsupported cipher mode %s",
713               QCryptoCipherMode_str(mode));
714    return NULL;
715}
716