Merge remote-tracking branch 'remotes/berrange/tags/pull-qio-2017-11-28-1' into staging
[qemu.git] / crypto / cipher-nettle.c
blob3848cb3b3a0902d9e6ec54da96b0205581133779
1 /*
2 * QEMU Crypto cipher nettle algorithms
4 * Copyright (c) 2015 Red Hat, Inc.
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2 of the License, or (at your option) any later version.
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
21 #include "qemu/osdep.h"
22 #include "crypto/xts.h"
23 #include "cipherpriv.h"
25 #include <nettle/nettle-types.h>
26 #include <nettle/aes.h>
27 #include <nettle/des.h>
28 #include <nettle/cbc.h>
29 #include <nettle/cast128.h>
30 #include <nettle/serpent.h>
31 #include <nettle/twofish.h>
32 #include <nettle/ctr.h>
34 typedef void (*QCryptoCipherNettleFuncWrapper)(const void *ctx,
35 size_t length,
36 uint8_t *dst,
37 const uint8_t *src);
39 #if CONFIG_NETTLE_VERSION_MAJOR < 3
40 typedef nettle_crypt_func * QCryptoCipherNettleFuncNative;
41 typedef void * cipher_ctx_t;
42 typedef unsigned cipher_length_t;
44 #define cast5_set_key cast128_set_key
45 #else
46 typedef nettle_cipher_func * QCryptoCipherNettleFuncNative;
47 typedef const void * cipher_ctx_t;
48 typedef size_t cipher_length_t;
49 #endif
51 typedef struct QCryptoNettleAES {
52 struct aes_ctx enc;
53 struct aes_ctx dec;
54 } QCryptoNettleAES;
56 static void aes_encrypt_native(cipher_ctx_t ctx, cipher_length_t length,
57 uint8_t *dst, const uint8_t *src)
59 const QCryptoNettleAES *aesctx = ctx;
60 aes_encrypt(&aesctx->enc, length, dst, src);
63 static void aes_decrypt_native(cipher_ctx_t ctx, cipher_length_t length,
64 uint8_t *dst, const uint8_t *src)
66 const QCryptoNettleAES *aesctx = ctx;
67 aes_decrypt(&aesctx->dec, length, dst, src);
70 static void des_encrypt_native(cipher_ctx_t ctx, cipher_length_t length,
71 uint8_t *dst, const uint8_t *src)
73 des_encrypt(ctx, length, dst, src);
76 static void des_decrypt_native(cipher_ctx_t ctx, cipher_length_t length,
77 uint8_t *dst, const uint8_t *src)
79 des_decrypt(ctx, length, dst, src);
82 static void des3_encrypt_native(cipher_ctx_t ctx, cipher_length_t length,
83 uint8_t *dst, const uint8_t *src)
85 des3_encrypt(ctx, length, dst, src);
88 static void des3_decrypt_native(cipher_ctx_t ctx, cipher_length_t length,
89 uint8_t *dst, const uint8_t *src)
91 des3_decrypt(ctx, length, dst, src);
94 static void cast128_encrypt_native(cipher_ctx_t ctx, cipher_length_t length,
95 uint8_t *dst, const uint8_t *src)
97 cast128_encrypt(ctx, length, dst, src);
100 static void cast128_decrypt_native(cipher_ctx_t ctx, cipher_length_t length,
101 uint8_t *dst, const uint8_t *src)
103 cast128_decrypt(ctx, length, dst, src);
106 static void serpent_encrypt_native(cipher_ctx_t ctx, cipher_length_t length,
107 uint8_t *dst, const uint8_t *src)
109 serpent_encrypt(ctx, length, dst, src);
112 static void serpent_decrypt_native(cipher_ctx_t ctx, cipher_length_t length,
113 uint8_t *dst, const uint8_t *src)
115 serpent_decrypt(ctx, length, dst, src);
118 static void twofish_encrypt_native(cipher_ctx_t ctx, cipher_length_t length,
119 uint8_t *dst, const uint8_t *src)
121 twofish_encrypt(ctx, length, dst, src);
124 static void twofish_decrypt_native(cipher_ctx_t ctx, cipher_length_t length,
125 uint8_t *dst, const uint8_t *src)
127 twofish_decrypt(ctx, length, dst, src);
130 static void aes_encrypt_wrapper(const void *ctx, size_t length,
131 uint8_t *dst, const uint8_t *src)
133 const QCryptoNettleAES *aesctx = ctx;
134 aes_encrypt(&aesctx->enc, length, dst, src);
137 static void aes_decrypt_wrapper(const void *ctx, size_t length,
138 uint8_t *dst, const uint8_t *src)
140 const QCryptoNettleAES *aesctx = ctx;
141 aes_decrypt(&aesctx->dec, length, dst, src);
144 static void des_encrypt_wrapper(const void *ctx, size_t length,
145 uint8_t *dst, const uint8_t *src)
147 des_encrypt(ctx, length, dst, src);
150 static void des_decrypt_wrapper(const void *ctx, size_t length,
151 uint8_t *dst, const uint8_t *src)
153 des_decrypt(ctx, length, dst, src);
156 static void des3_encrypt_wrapper(const void *ctx, size_t length,
157 uint8_t *dst, const uint8_t *src)
159 des3_encrypt(ctx, length, dst, src);
162 static void des3_decrypt_wrapper(const void *ctx, size_t length,
163 uint8_t *dst, const uint8_t *src)
165 des3_decrypt(ctx, length, dst, src);
168 static void cast128_encrypt_wrapper(const void *ctx, size_t length,
169 uint8_t *dst, const uint8_t *src)
171 cast128_encrypt(ctx, length, dst, src);
174 static void cast128_decrypt_wrapper(const void *ctx, size_t length,
175 uint8_t *dst, const uint8_t *src)
177 cast128_decrypt(ctx, length, dst, src);
180 static void serpent_encrypt_wrapper(const void *ctx, size_t length,
181 uint8_t *dst, const uint8_t *src)
183 serpent_encrypt(ctx, length, dst, src);
186 static void serpent_decrypt_wrapper(const void *ctx, size_t length,
187 uint8_t *dst, const uint8_t *src)
189 serpent_decrypt(ctx, length, dst, src);
192 static void twofish_encrypt_wrapper(const void *ctx, size_t length,
193 uint8_t *dst, const uint8_t *src)
195 twofish_encrypt(ctx, length, dst, src);
198 static void twofish_decrypt_wrapper(const void *ctx, size_t length,
199 uint8_t *dst, const uint8_t *src)
201 twofish_decrypt(ctx, length, dst, src);
204 typedef struct QCryptoCipherNettle QCryptoCipherNettle;
205 struct QCryptoCipherNettle {
206 /* Primary cipher context for all modes */
207 void *ctx;
208 /* Second cipher context for XTS mode only */
209 void *ctx_tweak;
210 /* Cipher callbacks for both contexts */
211 QCryptoCipherNettleFuncNative alg_encrypt_native;
212 QCryptoCipherNettleFuncNative alg_decrypt_native;
213 QCryptoCipherNettleFuncWrapper alg_encrypt_wrapper;
214 QCryptoCipherNettleFuncWrapper alg_decrypt_wrapper;
215 /* Initialization vector or Counter */
216 uint8_t *iv;
217 size_t blocksize;
220 bool qcrypto_cipher_supports(QCryptoCipherAlgorithm alg,
221 QCryptoCipherMode mode)
223 switch (alg) {
224 case QCRYPTO_CIPHER_ALG_DES_RFB:
225 case QCRYPTO_CIPHER_ALG_3DES:
226 case QCRYPTO_CIPHER_ALG_AES_128:
227 case QCRYPTO_CIPHER_ALG_AES_192:
228 case QCRYPTO_CIPHER_ALG_AES_256:
229 case QCRYPTO_CIPHER_ALG_CAST5_128:
230 case QCRYPTO_CIPHER_ALG_SERPENT_128:
231 case QCRYPTO_CIPHER_ALG_SERPENT_192:
232 case QCRYPTO_CIPHER_ALG_SERPENT_256:
233 case QCRYPTO_CIPHER_ALG_TWOFISH_128:
234 case QCRYPTO_CIPHER_ALG_TWOFISH_192:
235 case QCRYPTO_CIPHER_ALG_TWOFISH_256:
236 break;
237 default:
238 return false;
241 switch (mode) {
242 case QCRYPTO_CIPHER_MODE_ECB:
243 case QCRYPTO_CIPHER_MODE_CBC:
244 case QCRYPTO_CIPHER_MODE_XTS:
245 case QCRYPTO_CIPHER_MODE_CTR:
246 return true;
247 default:
248 return false;
253 static void
254 qcrypto_nettle_cipher_free_ctx(QCryptoCipherNettle *ctx)
256 if (!ctx) {
257 return;
260 g_free(ctx->iv);
261 g_free(ctx->ctx);
262 g_free(ctx->ctx_tweak);
263 g_free(ctx);
267 static QCryptoCipherNettle *qcrypto_cipher_ctx_new(QCryptoCipherAlgorithm alg,
268 QCryptoCipherMode mode,
269 const uint8_t *key,
270 size_t nkey,
271 Error **errp)
273 QCryptoCipherNettle *ctx;
274 uint8_t *rfbkey;
276 switch (mode) {
277 case QCRYPTO_CIPHER_MODE_ECB:
278 case QCRYPTO_CIPHER_MODE_CBC:
279 case QCRYPTO_CIPHER_MODE_XTS:
280 case QCRYPTO_CIPHER_MODE_CTR:
281 break;
282 default:
283 error_setg(errp, "Unsupported cipher mode %s",
284 QCryptoCipherMode_str(mode));
285 return NULL;
288 if (!qcrypto_cipher_validate_key_length(alg, mode, nkey, errp)) {
289 return NULL;
292 ctx = g_new0(QCryptoCipherNettle, 1);
294 switch (alg) {
295 case QCRYPTO_CIPHER_ALG_DES_RFB:
296 ctx->ctx = g_new0(struct des_ctx, 1);
297 rfbkey = qcrypto_cipher_munge_des_rfb_key(key, nkey);
298 des_set_key(ctx->ctx, rfbkey);
299 g_free(rfbkey);
301 ctx->alg_encrypt_native = des_encrypt_native;
302 ctx->alg_decrypt_native = des_decrypt_native;
303 ctx->alg_encrypt_wrapper = des_encrypt_wrapper;
304 ctx->alg_decrypt_wrapper = des_decrypt_wrapper;
306 ctx->blocksize = DES_BLOCK_SIZE;
307 break;
309 case QCRYPTO_CIPHER_ALG_3DES:
310 ctx->ctx = g_new0(struct des3_ctx, 1);
311 des3_set_key(ctx->ctx, key);
313 ctx->alg_encrypt_native = des3_encrypt_native;
314 ctx->alg_decrypt_native = des3_decrypt_native;
315 ctx->alg_encrypt_wrapper = des3_encrypt_wrapper;
316 ctx->alg_decrypt_wrapper = des3_decrypt_wrapper;
318 ctx->blocksize = DES3_BLOCK_SIZE;
319 break;
321 case QCRYPTO_CIPHER_ALG_AES_128:
322 case QCRYPTO_CIPHER_ALG_AES_192:
323 case QCRYPTO_CIPHER_ALG_AES_256:
324 ctx->ctx = g_new0(QCryptoNettleAES, 1);
326 if (mode == QCRYPTO_CIPHER_MODE_XTS) {
327 ctx->ctx_tweak = g_new0(QCryptoNettleAES, 1);
329 nkey /= 2;
330 aes_set_encrypt_key(&((QCryptoNettleAES *)ctx->ctx)->enc,
331 nkey, key);
332 aes_set_decrypt_key(&((QCryptoNettleAES *)ctx->ctx)->dec,
333 nkey, key);
335 aes_set_encrypt_key(&((QCryptoNettleAES *)ctx->ctx_tweak)->enc,
336 nkey, key + nkey);
337 aes_set_decrypt_key(&((QCryptoNettleAES *)ctx->ctx_tweak)->dec,
338 nkey, key + nkey);
339 } else {
340 aes_set_encrypt_key(&((QCryptoNettleAES *)ctx->ctx)->enc,
341 nkey, key);
342 aes_set_decrypt_key(&((QCryptoNettleAES *)ctx->ctx)->dec,
343 nkey, key);
346 ctx->alg_encrypt_native = aes_encrypt_native;
347 ctx->alg_decrypt_native = aes_decrypt_native;
348 ctx->alg_encrypt_wrapper = aes_encrypt_wrapper;
349 ctx->alg_decrypt_wrapper = aes_decrypt_wrapper;
351 ctx->blocksize = AES_BLOCK_SIZE;
352 break;
354 case QCRYPTO_CIPHER_ALG_CAST5_128:
355 ctx->ctx = g_new0(struct cast128_ctx, 1);
357 if (mode == QCRYPTO_CIPHER_MODE_XTS) {
358 ctx->ctx_tweak = g_new0(struct cast128_ctx, 1);
360 nkey /= 2;
361 cast5_set_key(ctx->ctx, nkey, key);
362 cast5_set_key(ctx->ctx_tweak, nkey, key + nkey);
363 } else {
364 cast5_set_key(ctx->ctx, nkey, key);
367 ctx->alg_encrypt_native = cast128_encrypt_native;
368 ctx->alg_decrypt_native = cast128_decrypt_native;
369 ctx->alg_encrypt_wrapper = cast128_encrypt_wrapper;
370 ctx->alg_decrypt_wrapper = cast128_decrypt_wrapper;
372 ctx->blocksize = CAST128_BLOCK_SIZE;
373 break;
375 case QCRYPTO_CIPHER_ALG_SERPENT_128:
376 case QCRYPTO_CIPHER_ALG_SERPENT_192:
377 case QCRYPTO_CIPHER_ALG_SERPENT_256:
378 ctx->ctx = g_new0(struct serpent_ctx, 1);
380 if (mode == QCRYPTO_CIPHER_MODE_XTS) {
381 ctx->ctx_tweak = g_new0(struct serpent_ctx, 1);
383 nkey /= 2;
384 serpent_set_key(ctx->ctx, nkey, key);
385 serpent_set_key(ctx->ctx_tweak, nkey, key + nkey);
386 } else {
387 serpent_set_key(ctx->ctx, nkey, key);
390 ctx->alg_encrypt_native = serpent_encrypt_native;
391 ctx->alg_decrypt_native = serpent_decrypt_native;
392 ctx->alg_encrypt_wrapper = serpent_encrypt_wrapper;
393 ctx->alg_decrypt_wrapper = serpent_decrypt_wrapper;
395 ctx->blocksize = SERPENT_BLOCK_SIZE;
396 break;
398 case QCRYPTO_CIPHER_ALG_TWOFISH_128:
399 case QCRYPTO_CIPHER_ALG_TWOFISH_192:
400 case QCRYPTO_CIPHER_ALG_TWOFISH_256:
401 ctx->ctx = g_new0(struct twofish_ctx, 1);
403 if (mode == QCRYPTO_CIPHER_MODE_XTS) {
404 ctx->ctx_tweak = g_new0(struct twofish_ctx, 1);
406 nkey /= 2;
407 twofish_set_key(ctx->ctx, nkey, key);
408 twofish_set_key(ctx->ctx_tweak, nkey, key + nkey);
409 } else {
410 twofish_set_key(ctx->ctx, nkey, key);
413 ctx->alg_encrypt_native = twofish_encrypt_native;
414 ctx->alg_decrypt_native = twofish_decrypt_native;
415 ctx->alg_encrypt_wrapper = twofish_encrypt_wrapper;
416 ctx->alg_decrypt_wrapper = twofish_decrypt_wrapper;
418 ctx->blocksize = TWOFISH_BLOCK_SIZE;
419 break;
421 default:
422 error_setg(errp, "Unsupported cipher algorithm %s",
423 QCryptoCipherAlgorithm_str(alg));
424 goto error;
427 if (mode == QCRYPTO_CIPHER_MODE_XTS &&
428 ctx->blocksize != XTS_BLOCK_SIZE) {
429 error_setg(errp, "Cipher block size %zu must equal XTS block size %d",
430 ctx->blocksize, XTS_BLOCK_SIZE);
431 goto error;
434 ctx->iv = g_new0(uint8_t, ctx->blocksize);
436 return ctx;
438 error:
439 qcrypto_nettle_cipher_free_ctx(ctx);
440 return NULL;
444 static void
445 qcrypto_nettle_cipher_ctx_free(QCryptoCipher *cipher)
447 QCryptoCipherNettle *ctx;
449 ctx = cipher->opaque;
450 qcrypto_nettle_cipher_free_ctx(ctx);
454 static int
455 qcrypto_nettle_cipher_encrypt(QCryptoCipher *cipher,
456 const void *in,
457 void *out,
458 size_t len,
459 Error **errp)
461 QCryptoCipherNettle *ctx = cipher->opaque;
463 if (len % ctx->blocksize) {
464 error_setg(errp, "Length %zu must be a multiple of block size %zu",
465 len, ctx->blocksize);
466 return -1;
469 switch (cipher->mode) {
470 case QCRYPTO_CIPHER_MODE_ECB:
471 ctx->alg_encrypt_wrapper(ctx->ctx, len, out, in);
472 break;
474 case QCRYPTO_CIPHER_MODE_CBC:
475 cbc_encrypt(ctx->ctx, ctx->alg_encrypt_native,
476 ctx->blocksize, ctx->iv,
477 len, out, in);
478 break;
480 case QCRYPTO_CIPHER_MODE_XTS:
481 xts_encrypt(ctx->ctx, ctx->ctx_tweak,
482 ctx->alg_encrypt_wrapper, ctx->alg_encrypt_wrapper,
483 ctx->iv, len, out, in);
484 break;
486 case QCRYPTO_CIPHER_MODE_CTR:
487 ctr_crypt(ctx->ctx, ctx->alg_encrypt_native,
488 ctx->blocksize, ctx->iv,
489 len, out, in);
490 break;
492 default:
493 error_setg(errp, "Unsupported cipher mode %s",
494 QCryptoCipherMode_str(cipher->mode));
495 return -1;
497 return 0;
501 static int
502 qcrypto_nettle_cipher_decrypt(QCryptoCipher *cipher,
503 const void *in,
504 void *out,
505 size_t len,
506 Error **errp)
508 QCryptoCipherNettle *ctx = cipher->opaque;
510 if (len % ctx->blocksize) {
511 error_setg(errp, "Length %zu must be a multiple of block size %zu",
512 len, ctx->blocksize);
513 return -1;
516 switch (cipher->mode) {
517 case QCRYPTO_CIPHER_MODE_ECB:
518 ctx->alg_decrypt_wrapper(ctx->ctx, len, out, in);
519 break;
521 case QCRYPTO_CIPHER_MODE_CBC:
522 cbc_decrypt(ctx->ctx, ctx->alg_decrypt_native,
523 ctx->blocksize, ctx->iv,
524 len, out, in);
525 break;
527 case QCRYPTO_CIPHER_MODE_XTS:
528 xts_decrypt(ctx->ctx, ctx->ctx_tweak,
529 ctx->alg_encrypt_wrapper, ctx->alg_decrypt_wrapper,
530 ctx->iv, len, out, in);
531 break;
532 case QCRYPTO_CIPHER_MODE_CTR:
533 ctr_crypt(ctx->ctx, ctx->alg_encrypt_native,
534 ctx->blocksize, ctx->iv,
535 len, out, in);
536 break;
538 default:
539 error_setg(errp, "Unsupported cipher mode %s",
540 QCryptoCipherMode_str(cipher->mode));
541 return -1;
543 return 0;
546 static int
547 qcrypto_nettle_cipher_setiv(QCryptoCipher *cipher,
548 const uint8_t *iv, size_t niv,
549 Error **errp)
551 QCryptoCipherNettle *ctx = cipher->opaque;
552 if (niv != ctx->blocksize) {
553 error_setg(errp, "Expected IV size %zu not %zu",
554 ctx->blocksize, niv);
555 return -1;
557 memcpy(ctx->iv, iv, niv);
558 return 0;
562 static struct QCryptoCipherDriver qcrypto_cipher_lib_driver = {
563 .cipher_encrypt = qcrypto_nettle_cipher_encrypt,
564 .cipher_decrypt = qcrypto_nettle_cipher_decrypt,
565 .cipher_setiv = qcrypto_nettle_cipher_setiv,
566 .cipher_free = qcrypto_nettle_cipher_ctx_free,