Hexagon (target/hexagon) add A5_ACS (vacsh)
[qemu/ar7.git] / crypto / cipher-nettle.c.inc
blobcac771e4ff7bd93a055a968aa5ad4cd0750ec9b5
1 /*
2  * QEMU Crypto cipher nettle algorithms
3  *
4  * Copyright (c) 2015 Red Hat, Inc.
5  *
6  * This library is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU Lesser General Public
8  * License as published by the Free Software Foundation; either
9  * version 2.1 of the License, or (at your option) any later version.
10  *
11  * This library is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14  * Lesser General Public License for more details.
15  *
16  * You should have received a copy of the GNU Lesser General Public
17  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18  *
19  */
21 #ifdef CONFIG_QEMU_PRIVATE_XTS
22 #include "crypto/xts.h"
23 #endif
25 #include <nettle/nettle-types.h>
26 #include <nettle/aes.h>
27 #include <nettle/des.h>
28 #include <nettle/cbc.h>
29 #include <nettle/cast128.h>
30 #include <nettle/serpent.h>
31 #include <nettle/twofish.h>
32 #include <nettle/ctr.h>
33 #ifndef CONFIG_QEMU_PRIVATE_XTS
34 #include <nettle/xts.h>
35 #endif
37 typedef void (*QCryptoCipherNettleFuncWrapper)(const void *ctx,
38                                                size_t length,
39                                                uint8_t *dst,
40                                                const uint8_t *src);
42 #if CONFIG_NETTLE_VERSION_MAJOR < 3
43 typedef nettle_crypt_func * QCryptoCipherNettleFuncNative;
44 typedef void *       cipher_ctx_t;
45 typedef unsigned     cipher_length_t;
46 #define CONST_CTX
48 #define cast5_set_key cast128_set_key
50 #define aes128_ctx aes_ctx
51 #define aes192_ctx aes_ctx
52 #define aes256_ctx aes_ctx
53 #define aes128_set_encrypt_key(c, k) \
54     aes_set_encrypt_key(c, 16, k)
55 #define aes192_set_encrypt_key(c, k) \
56     aes_set_encrypt_key(c, 24, k)
57 #define aes256_set_encrypt_key(c, k) \
58     aes_set_encrypt_key(c, 32, k)
59 #define aes128_set_decrypt_key(c, k) \
60     aes_set_decrypt_key(c, 16, k)
61 #define aes192_set_decrypt_key(c, k) \
62     aes_set_decrypt_key(c, 24, k)
63 #define aes256_set_decrypt_key(c, k) \
64     aes_set_decrypt_key(c, 32, k)
65 #define aes128_encrypt aes_encrypt
66 #define aes192_encrypt aes_encrypt
67 #define aes256_encrypt aes_encrypt
68 #define aes128_decrypt aes_decrypt
69 #define aes192_decrypt aes_decrypt
70 #define aes256_decrypt aes_decrypt
71 #else
72 typedef nettle_cipher_func * QCryptoCipherNettleFuncNative;
73 typedef const void * cipher_ctx_t;
74 typedef size_t       cipher_length_t;
75 #define CONST_CTX    const
76 #endif
78 static inline bool qcrypto_length_check(size_t len, size_t blocksize,
79                                         Error **errp)
81     if (unlikely(len & (blocksize - 1))) {
82         error_setg(errp, "Length %zu must be a multiple of block size %zu",
83                    len, blocksize);
84         return false;
85     }
86     return true;
90 static void qcrypto_cipher_ctx_free(QCryptoCipher *ctx)
92     g_free(ctx);
95 static int qcrypto_cipher_no_setiv(QCryptoCipher *cipher,
96                                    const uint8_t *iv, size_t niv,
97                                    Error **errp)
99     error_setg(errp, "Setting IV is not supported");
100     return -1;
104 #define DEFINE_SETIV(NAME, TYPE, BLEN)                                  \
105 static int NAME##_setiv(QCryptoCipher *cipher, const uint8_t *iv,       \
106                         size_t niv, Error **errp)                       \
107 {                                                                       \
108     TYPE *ctx = container_of(cipher, TYPE, base);                       \
109     if (niv != BLEN) {                                                  \
110         error_setg(errp, "Expected IV size %d not %zu", BLEN, niv);     \
111         return -1;                                                      \
112     }                                                                   \
113     memcpy(ctx->iv, iv, niv);                                           \
114     return 0;                                                           \
118 #define DEFINE_ECB(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)                  \
119 static int NAME##_encrypt_ecb(QCryptoCipher *cipher, const void *in,    \
120                               void *out, size_t len, Error **errp)      \
121 {                                                                       \
122     TYPE *ctx = container_of(cipher, TYPE, base);                       \
123     if (!qcrypto_length_check(len, BLEN, errp)) {                       \
124         return -1;                                                      \
125     }                                                                   \
126     ENCRYPT(&ctx->key, len, out, in);                                   \
127     return 0;                                                           \
128 }                                                                       \
129 static int NAME##_decrypt_ecb(QCryptoCipher *cipher, const void *in,    \
130                               void *out, size_t len, Error **errp)      \
131 {                                                                       \
132     TYPE *ctx = container_of(cipher, TYPE, base);                       \
133     if (!qcrypto_length_check(len, BLEN, errp)) {                       \
134         return -1;                                                      \
135     }                                                                   \
136     DECRYPT(&ctx->key, len, out, in);                                   \
137     return 0;                                                           \
138 }                                                                       \
139 static const struct QCryptoCipherDriver NAME##_driver_ecb = {           \
140     .cipher_encrypt = NAME##_encrypt_ecb,                               \
141     .cipher_decrypt = NAME##_decrypt_ecb,                               \
142     .cipher_setiv = qcrypto_cipher_no_setiv,                            \
143     .cipher_free = qcrypto_cipher_ctx_free,                             \
147 #define DEFINE_CBC(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)                  \
148 static int NAME##_encrypt_cbc(QCryptoCipher *cipher, const void *in,    \
149                               void *out, size_t len, Error **errp)      \
150 {                                                                       \
151     TYPE *ctx = container_of(cipher, TYPE, base);                       \
152     if (!qcrypto_length_check(len, BLEN, errp)) {                       \
153         return -1;                                                      \
154     }                                                                   \
155     cbc_encrypt(&ctx->key, ENCRYPT, BLEN, ctx->iv, len, out, in);       \
156     return 0;                                                           \
157 }                                                                       \
158 static int NAME##_decrypt_cbc(QCryptoCipher *cipher, const void *in,    \
159                               void *out, size_t len, Error **errp)      \
160 {                                                                       \
161     TYPE *ctx = container_of(cipher, TYPE, base);                       \
162     if (!qcrypto_length_check(len, BLEN, errp)) {                       \
163         return -1;                                                      \
164     }                                                                   \
165     cbc_decrypt(&ctx->key, DECRYPT, BLEN, ctx->iv, len, out, in);       \
166     return 0;                                                           \
167 }                                                                       \
168 static const struct QCryptoCipherDriver NAME##_driver_cbc = {           \
169     .cipher_encrypt = NAME##_encrypt_cbc,                               \
170     .cipher_decrypt = NAME##_decrypt_cbc,                               \
171     .cipher_setiv = NAME##_setiv,                                       \
172     .cipher_free = qcrypto_cipher_ctx_free,                             \
176 #define DEFINE_CTR(NAME, TYPE, BLEN, ENCRYPT)                           \
177 static int NAME##_encrypt_ctr(QCryptoCipher *cipher, const void *in,    \
178                               void *out, size_t len, Error **errp)      \
179 {                                                                       \
180     TYPE *ctx = container_of(cipher, TYPE, base);                       \
181     if (!qcrypto_length_check(len, BLEN, errp)) {                       \
182         return -1;                                                      \
183     }                                                                   \
184     ctr_crypt(&ctx->key, ENCRYPT, BLEN, ctx->iv, len, out, in);         \
185     return 0;                                                           \
186 }                                                                       \
187 static const struct QCryptoCipherDriver NAME##_driver_ctr = {           \
188     .cipher_encrypt = NAME##_encrypt_ctr,                               \
189     .cipher_decrypt = NAME##_encrypt_ctr,                               \
190     .cipher_setiv = NAME##_setiv,                                       \
191     .cipher_free = qcrypto_cipher_ctx_free,                             \
195 #ifdef CONFIG_QEMU_PRIVATE_XTS
196 #define DEFINE__XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)                 \
197 static void NAME##_xts_wrape(const void *ctx, size_t length,            \
198                              uint8_t *dst, const uint8_t *src)          \
199 {                                                                       \
200     ENCRYPT((cipher_ctx_t)ctx, length, dst, src);                       \
201 }                                                                       \
202 static void NAME##_xts_wrapd(const void *ctx, size_t length,            \
203                              uint8_t *dst, const uint8_t *src)          \
204 {                                                                       \
205     DECRYPT((cipher_ctx_t)ctx, length, dst, src);                       \
206 }                                                                       \
207 static int NAME##_encrypt_xts(QCryptoCipher *cipher, const void *in,    \
208                               void *out, size_t len, Error **errp)      \
209 {                                                                       \
210     TYPE *ctx = container_of(cipher, TYPE, base);                       \
211     if (!qcrypto_length_check(len, BLEN, errp)) {                       \
212         return -1;                                                      \
213     }                                                                   \
214     xts_encrypt(&ctx->key, &ctx->key_xts,                               \
215                 NAME##_xts_wrape, NAME##_xts_wrapd,                     \
216                 ctx->iv, len, out, in);                                 \
217     return 0;                                                           \
218 }                                                                       \
219 static int NAME##_decrypt_xts(QCryptoCipher *cipher, const void *in,    \
220                               void *out, size_t len, Error **errp)      \
221 {                                                                       \
222     TYPE *ctx = container_of(cipher, TYPE, base);                       \
223     if (!qcrypto_length_check(len, BLEN, errp)) {                       \
224         return -1;                                                      \
225     }                                                                   \
226     xts_decrypt(&ctx->key, &ctx->key_xts,                               \
227                 NAME##_xts_wrape, NAME##_xts_wrapd,                     \
228                 ctx->iv, len, out, in);                                 \
229     return 0;                                                           \
231 #else
232 #define DEFINE__XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)                 \
233 static int NAME##_encrypt_xts(QCryptoCipher *cipher, const void *in,    \
234                               void *out, size_t len, Error **errp)      \
235 {                                                                       \
236     TYPE *ctx = container_of(cipher, TYPE, base);                       \
237     if (!qcrypto_length_check(len, BLEN, errp)) {                       \
238         return -1;                                                      \
239     }                                                                   \
240     xts_encrypt_message(&ctx->key, &ctx->key_xts, ENCRYPT,              \
241                         ctx->iv, len, out, in);                         \
242     return 0;                                                           \
243 }                                                                       \
244 static int NAME##_decrypt_xts(QCryptoCipher *cipher, const void *in,    \
245                               void *out, size_t len, Error **errp)      \
246 {                                                                       \
247     TYPE *ctx = container_of(cipher, TYPE, base);                       \
248     if (!qcrypto_length_check(len, BLEN, errp)) {                       \
249         return -1;                                                      \
250     }                                                                   \
251     xts_decrypt_message(&ctx->key, &ctx->key_xts, DECRYPT, ENCRYPT,     \
252                         ctx->iv, len, out, in);                         \
253     return 0;                                                           \
255 #endif
257 #define DEFINE_XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)          \
258     QEMU_BUILD_BUG_ON(BLEN != XTS_BLOCK_SIZE);                  \
259     DEFINE__XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)             \
260 static const struct QCryptoCipherDriver NAME##_driver_xts = {   \
261     .cipher_encrypt = NAME##_encrypt_xts,                       \
262     .cipher_decrypt = NAME##_decrypt_xts,                       \
263     .cipher_setiv = NAME##_setiv,                               \
264     .cipher_free = qcrypto_cipher_ctx_free,                     \
268 #define DEFINE_ECB_CBC_CTR(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)  \
269     DEFINE_SETIV(NAME, TYPE, BLEN)                              \
270     DEFINE_ECB(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)              \
271     DEFINE_CBC(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)              \
272     DEFINE_CTR(NAME, TYPE, BLEN, ENCRYPT)
274 #define DEFINE_ECB_CBC_CTR_XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)      \
275     DEFINE_ECB_CBC_CTR(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)              \
276     DEFINE_XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)
279 typedef struct QCryptoNettleDESRFB {
280     QCryptoCipher base;
281     struct des_ctx key;
282     uint8_t iv[DES_BLOCK_SIZE];
283 } QCryptoNettleDESRFB;
285 static void des_encrypt_native(cipher_ctx_t ctx, cipher_length_t length,
286                                uint8_t *dst, const uint8_t *src)
288     des_encrypt(ctx, length, dst, src);
291 static void des_decrypt_native(cipher_ctx_t ctx, cipher_length_t length,
292                                uint8_t *dst, const uint8_t *src)
294     des_decrypt(ctx, length, dst, src);
297 DEFINE_ECB_CBC_CTR(qcrypto_nettle_des_rfb, QCryptoNettleDESRFB,
298                    DES_BLOCK_SIZE, des_encrypt_native, des_decrypt_native)
301 typedef struct QCryptoNettleDES3 {
302     QCryptoCipher base;
303     struct des3_ctx key;
304     uint8_t iv[DES3_BLOCK_SIZE];
305 } QCryptoNettleDES3;
307 static void des3_encrypt_native(cipher_ctx_t ctx, cipher_length_t length,
308                                 uint8_t *dst, const uint8_t *src)
310     des3_encrypt(ctx, length, dst, src);
313 static void des3_decrypt_native(cipher_ctx_t ctx, cipher_length_t length,
314                                 uint8_t *dst, const uint8_t *src)
316     des3_decrypt(ctx, length, dst, src);
319 DEFINE_ECB_CBC_CTR(qcrypto_nettle_des3, QCryptoNettleDES3, DES3_BLOCK_SIZE,
320                    des3_encrypt_native, des3_decrypt_native)
323 typedef struct QCryptoNettleAES128 {
324     QCryptoCipher base;
325     uint8_t iv[AES_BLOCK_SIZE];
326     /* First key from pair is encode, second key is decode. */
327     struct aes128_ctx key[2], key_xts[2];
328 } QCryptoNettleAES128;
330 static void aes128_encrypt_native(cipher_ctx_t ctx, cipher_length_t length,
331                                   uint8_t *dst, const uint8_t *src)
333     CONST_CTX struct aes128_ctx *keys = ctx;
334     aes128_encrypt(&keys[0], length, dst, src);
337 static void aes128_decrypt_native(cipher_ctx_t ctx, cipher_length_t length,
338                                   uint8_t *dst, const uint8_t *src)
340     CONST_CTX struct aes128_ctx *keys = ctx;
341     aes128_decrypt(&keys[1], length, dst, src);
344 DEFINE_ECB_CBC_CTR_XTS(qcrypto_nettle_aes128,
345                        QCryptoNettleAES128, AES_BLOCK_SIZE,
346                        aes128_encrypt_native, aes128_decrypt_native)
349 typedef struct QCryptoNettleAES192 {
350     QCryptoCipher base;
351     uint8_t iv[AES_BLOCK_SIZE];
352     /* First key from pair is encode, second key is decode. */
353     struct aes192_ctx key[2], key_xts[2];
354 } QCryptoNettleAES192;
356 static void aes192_encrypt_native(cipher_ctx_t ctx, cipher_length_t length,
357                                   uint8_t *dst, const uint8_t *src)
359     CONST_CTX struct aes192_ctx *keys = ctx;
360     aes192_encrypt(&keys[0], length, dst, src);
363 static void aes192_decrypt_native(cipher_ctx_t ctx, cipher_length_t length,
364                                   uint8_t *dst, const uint8_t *src)
366     CONST_CTX struct aes192_ctx *keys = ctx;
367     aes192_decrypt(&keys[1], length, dst, src);
370 DEFINE_ECB_CBC_CTR_XTS(qcrypto_nettle_aes192,
371                        QCryptoNettleAES192, AES_BLOCK_SIZE,
372                        aes192_encrypt_native, aes192_decrypt_native)
375 typedef struct QCryptoNettleAES256 {
376     QCryptoCipher base;
377     uint8_t iv[AES_BLOCK_SIZE];
378     /* First key from pair is encode, second key is decode. */
379     struct aes256_ctx key[2], key_xts[2];
380 } QCryptoNettleAES256;
382 static void aes256_encrypt_native(cipher_ctx_t ctx, cipher_length_t length,
383                                   uint8_t *dst, const uint8_t *src)
385     CONST_CTX struct aes256_ctx *keys = ctx;
386     aes256_encrypt(&keys[0], length, dst, src);
389 static void aes256_decrypt_native(cipher_ctx_t ctx, cipher_length_t length,
390                                uint8_t *dst, const uint8_t *src)
392     CONST_CTX struct aes256_ctx *keys = ctx;
393     aes256_decrypt(&keys[1], length, dst, src);
396 DEFINE_ECB_CBC_CTR_XTS(qcrypto_nettle_aes256,
397                        QCryptoNettleAES256, AES_BLOCK_SIZE,
398                        aes256_encrypt_native, aes256_decrypt_native)
401 typedef struct QCryptoNettleCAST128 {
402     QCryptoCipher base;
403     uint8_t iv[CAST128_BLOCK_SIZE];
404     struct cast128_ctx key, key_xts;
405 } QCryptoNettleCAST128;
407 static void cast128_encrypt_native(cipher_ctx_t ctx, cipher_length_t length,
408                                    uint8_t *dst, const uint8_t *src)
410     cast128_encrypt(ctx, length, dst, src);
413 static void cast128_decrypt_native(cipher_ctx_t ctx, cipher_length_t length,
414                                    uint8_t *dst, const uint8_t *src)
416     cast128_decrypt(ctx, length, dst, src);
419 DEFINE_ECB_CBC_CTR(qcrypto_nettle_cast128,
420                    QCryptoNettleCAST128, CAST128_BLOCK_SIZE,
421                    cast128_encrypt_native, cast128_decrypt_native)
424 typedef struct QCryptoNettleSerpent {
425     QCryptoCipher base;
426     uint8_t iv[SERPENT_BLOCK_SIZE];
427     struct serpent_ctx key, key_xts;
428 } QCryptoNettleSerpent;
431 static void serpent_encrypt_native(cipher_ctx_t ctx, cipher_length_t length,
432                                    uint8_t *dst, const uint8_t *src)
434     serpent_encrypt(ctx, length, dst, src);
437 static void serpent_decrypt_native(cipher_ctx_t ctx, cipher_length_t length,
438                                    uint8_t *dst, const uint8_t *src)
440     serpent_decrypt(ctx, length, dst, src);
443 DEFINE_ECB_CBC_CTR_XTS(qcrypto_nettle_serpent,
444                        QCryptoNettleSerpent, SERPENT_BLOCK_SIZE,
445                        serpent_encrypt_native, serpent_decrypt_native)
448 typedef struct QCryptoNettleTwofish {
449     QCryptoCipher base;
450     uint8_t iv[TWOFISH_BLOCK_SIZE];
451     struct twofish_ctx key, key_xts;
452 } QCryptoNettleTwofish;
454 static void twofish_encrypt_native(cipher_ctx_t ctx, cipher_length_t length,
455                                    uint8_t *dst, const uint8_t *src)
457     twofish_encrypt(ctx, length, dst, src);
460 static void twofish_decrypt_native(cipher_ctx_t ctx, cipher_length_t length,
461                                    uint8_t *dst, const uint8_t *src)
463     twofish_decrypt(ctx, length, dst, src);
466 DEFINE_ECB_CBC_CTR_XTS(qcrypto_nettle_twofish,
467                        QCryptoNettleTwofish, TWOFISH_BLOCK_SIZE,
468                        twofish_encrypt_native, twofish_decrypt_native)
471 bool qcrypto_cipher_supports(QCryptoCipherAlgorithm alg,
472                              QCryptoCipherMode mode)
474     switch (alg) {
475     case QCRYPTO_CIPHER_ALG_DES_RFB:
476     case QCRYPTO_CIPHER_ALG_3DES:
477     case QCRYPTO_CIPHER_ALG_AES_128:
478     case QCRYPTO_CIPHER_ALG_AES_192:
479     case QCRYPTO_CIPHER_ALG_AES_256:
480     case QCRYPTO_CIPHER_ALG_CAST5_128:
481     case QCRYPTO_CIPHER_ALG_SERPENT_128:
482     case QCRYPTO_CIPHER_ALG_SERPENT_192:
483     case QCRYPTO_CIPHER_ALG_SERPENT_256:
484     case QCRYPTO_CIPHER_ALG_TWOFISH_128:
485     case QCRYPTO_CIPHER_ALG_TWOFISH_192:
486     case QCRYPTO_CIPHER_ALG_TWOFISH_256:
487         break;
488     default:
489         return false;
490     }
492     switch (mode) {
493     case QCRYPTO_CIPHER_MODE_ECB:
494     case QCRYPTO_CIPHER_MODE_CBC:
495     case QCRYPTO_CIPHER_MODE_XTS:
496     case QCRYPTO_CIPHER_MODE_CTR:
497         return true;
498     default:
499         return false;
500     }
503 static QCryptoCipher *qcrypto_cipher_ctx_new(QCryptoCipherAlgorithm alg,
504                                              QCryptoCipherMode mode,
505                                              const uint8_t *key,
506                                              size_t nkey,
507                                              Error **errp)
509     switch (mode) {
510     case QCRYPTO_CIPHER_MODE_ECB:
511     case QCRYPTO_CIPHER_MODE_CBC:
512     case QCRYPTO_CIPHER_MODE_XTS:
513     case QCRYPTO_CIPHER_MODE_CTR:
514         break;
515     default:
516         goto bad_cipher_mode;
517     }
519     if (!qcrypto_cipher_validate_key_length(alg, mode, nkey, errp)) {
520         return NULL;
521     }
523     switch (alg) {
524     case QCRYPTO_CIPHER_ALG_DES_RFB:
525         {
526             QCryptoNettleDESRFB *ctx;
527             const QCryptoCipherDriver *drv;
528             uint8_t *rfbkey;
530             switch (mode) {
531             case QCRYPTO_CIPHER_MODE_ECB:
532                 drv = &qcrypto_nettle_des_rfb_driver_ecb;
533                 break;
534             case QCRYPTO_CIPHER_MODE_CBC:
535                 drv = &qcrypto_nettle_des_rfb_driver_cbc;
536                 break;
537             case QCRYPTO_CIPHER_MODE_CTR:
538                 drv = &qcrypto_nettle_des_rfb_driver_ctr;
539                 break;
540             default:
541                 goto bad_cipher_mode;
542             }
544             ctx = g_new0(QCryptoNettleDESRFB, 1);
545             ctx->base.driver = drv;
547             rfbkey = qcrypto_cipher_munge_des_rfb_key(key, nkey);
548             des_set_key(&ctx->key, rfbkey);
549             g_free(rfbkey);
551             return &ctx->base;
552         }
554     case QCRYPTO_CIPHER_ALG_3DES:
555         {
556             QCryptoNettleDES3 *ctx;
557             const QCryptoCipherDriver *drv;
559             switch (mode) {
560             case QCRYPTO_CIPHER_MODE_ECB:
561                 drv = &qcrypto_nettle_des3_driver_ecb;
562                 break;
563             case QCRYPTO_CIPHER_MODE_CBC:
564                 drv = &qcrypto_nettle_des3_driver_cbc;
565                 break;
566             case QCRYPTO_CIPHER_MODE_CTR:
567                 drv = &qcrypto_nettle_des3_driver_ctr;
568                 break;
569             default:
570                 goto bad_cipher_mode;
571             }
573             ctx = g_new0(QCryptoNettleDES3, 1);
574             ctx->base.driver = drv;
575             des3_set_key(&ctx->key, key);
576             return &ctx->base;
577         }
579     case QCRYPTO_CIPHER_ALG_AES_128:
580         {
581             QCryptoNettleAES128 *ctx = g_new0(QCryptoNettleAES128, 1);
583             switch (mode) {
584             case QCRYPTO_CIPHER_MODE_ECB:
585                 ctx->base.driver = &qcrypto_nettle_aes128_driver_ecb;
586                 break;
587             case QCRYPTO_CIPHER_MODE_CBC:
588                 ctx->base.driver = &qcrypto_nettle_aes128_driver_cbc;
589                 break;
590             case QCRYPTO_CIPHER_MODE_CTR:
591                 ctx->base.driver = &qcrypto_nettle_aes128_driver_ctr;
592                 break;
593             case QCRYPTO_CIPHER_MODE_XTS:
594                 ctx->base.driver = &qcrypto_nettle_aes128_driver_xts;
595                 nkey /= 2;
596                 aes128_set_encrypt_key(&ctx->key_xts[0], key + nkey);
597                 aes128_set_decrypt_key(&ctx->key_xts[1], key + nkey);
598                 break;
599             default:
600                 g_assert_not_reached();
601             }
602             aes128_set_encrypt_key(&ctx->key[0], key);
603             aes128_set_decrypt_key(&ctx->key[1], key);
605             return &ctx->base;
606         }
608     case QCRYPTO_CIPHER_ALG_AES_192:
609         {
610             QCryptoNettleAES192 *ctx = g_new0(QCryptoNettleAES192, 1);
612             switch (mode) {
613             case QCRYPTO_CIPHER_MODE_ECB:
614                 ctx->base.driver = &qcrypto_nettle_aes192_driver_ecb;
615                 break;
616             case QCRYPTO_CIPHER_MODE_CBC:
617                 ctx->base.driver = &qcrypto_nettle_aes192_driver_cbc;
618                 break;
619             case QCRYPTO_CIPHER_MODE_CTR:
620                 ctx->base.driver = &qcrypto_nettle_aes192_driver_ctr;
621                 break;
622             case QCRYPTO_CIPHER_MODE_XTS:
623                 ctx->base.driver = &qcrypto_nettle_aes192_driver_xts;
624                 nkey /= 2;
625                 aes192_set_encrypt_key(&ctx->key_xts[0], key + nkey);
626                 aes192_set_decrypt_key(&ctx->key_xts[1], key + nkey);
627                 break;
628             default:
629                 g_assert_not_reached();
630             }
631             aes192_set_encrypt_key(&ctx->key[0], key);
632             aes192_set_decrypt_key(&ctx->key[1], key);
634             return &ctx->base;
635         }
637     case QCRYPTO_CIPHER_ALG_AES_256:
638         {
639             QCryptoNettleAES256 *ctx = g_new0(QCryptoNettleAES256, 1);
641             switch (mode) {
642             case QCRYPTO_CIPHER_MODE_ECB:
643                 ctx->base.driver = &qcrypto_nettle_aes256_driver_ecb;
644                 break;
645             case QCRYPTO_CIPHER_MODE_CBC:
646                 ctx->base.driver = &qcrypto_nettle_aes256_driver_cbc;
647                 break;
648             case QCRYPTO_CIPHER_MODE_CTR:
649                 ctx->base.driver = &qcrypto_nettle_aes256_driver_ctr;
650                 break;
651             case QCRYPTO_CIPHER_MODE_XTS:
652                 ctx->base.driver = &qcrypto_nettle_aes256_driver_xts;
653                 nkey /= 2;
654                 aes256_set_encrypt_key(&ctx->key_xts[0], key + nkey);
655                 aes256_set_decrypt_key(&ctx->key_xts[1], key + nkey);
656                 break;
657             default:
658                 g_assert_not_reached();
659             }
660             aes256_set_encrypt_key(&ctx->key[0], key);
661             aes256_set_decrypt_key(&ctx->key[1], key);
663             return &ctx->base;
664         }
666     case QCRYPTO_CIPHER_ALG_CAST5_128:
667         {
668             QCryptoNettleCAST128 *ctx;
669             const QCryptoCipherDriver *drv;
671             switch (mode) {
672             case QCRYPTO_CIPHER_MODE_ECB:
673                 drv = &qcrypto_nettle_cast128_driver_ecb;
674                 break;
675             case QCRYPTO_CIPHER_MODE_CBC:
676                 drv = &qcrypto_nettle_cast128_driver_cbc;
677                 break;
678             case QCRYPTO_CIPHER_MODE_CTR:
679                 drv = &qcrypto_nettle_cast128_driver_ctr;
680                 break;
681             default:
682                 goto bad_cipher_mode;
683             }
685             ctx = g_new0(QCryptoNettleCAST128, 1);
686             ctx->base.driver = drv;
687             cast5_set_key(&ctx->key, nkey, key);
689             return &ctx->base;
690         }
692     case QCRYPTO_CIPHER_ALG_SERPENT_128:
693     case QCRYPTO_CIPHER_ALG_SERPENT_192:
694     case QCRYPTO_CIPHER_ALG_SERPENT_256:
695         {
696             QCryptoNettleSerpent *ctx = g_new0(QCryptoNettleSerpent, 1);
698             switch (mode) {
699             case QCRYPTO_CIPHER_MODE_ECB:
700                 ctx->base.driver = &qcrypto_nettle_serpent_driver_ecb;
701                 break;
702             case QCRYPTO_CIPHER_MODE_CBC:
703                 ctx->base.driver = &qcrypto_nettle_serpent_driver_cbc;
704                 break;
705             case QCRYPTO_CIPHER_MODE_CTR:
706                 ctx->base.driver = &qcrypto_nettle_serpent_driver_ctr;
707                 break;
708             case QCRYPTO_CIPHER_MODE_XTS:
709                 ctx->base.driver = &qcrypto_nettle_serpent_driver_xts;
710                 nkey /= 2;
711                 serpent_set_key(&ctx->key_xts, nkey, key + nkey);
712                 break;
713             default:
714                 g_assert_not_reached();
715             }
716             serpent_set_key(&ctx->key, nkey, key);
718             return &ctx->base;
719         }
721     case QCRYPTO_CIPHER_ALG_TWOFISH_128:
722     case QCRYPTO_CIPHER_ALG_TWOFISH_192:
723     case QCRYPTO_CIPHER_ALG_TWOFISH_256:
724         {
725             QCryptoNettleTwofish *ctx = g_new0(QCryptoNettleTwofish, 1);
727             switch (mode) {
728             case QCRYPTO_CIPHER_MODE_ECB:
729                 ctx->base.driver = &qcrypto_nettle_twofish_driver_ecb;
730                 break;
731             case QCRYPTO_CIPHER_MODE_CBC:
732                 ctx->base.driver = &qcrypto_nettle_twofish_driver_cbc;
733                 break;
734             case QCRYPTO_CIPHER_MODE_CTR:
735                 ctx->base.driver = &qcrypto_nettle_twofish_driver_ctr;
736                 break;
737             case QCRYPTO_CIPHER_MODE_XTS:
738                 ctx->base.driver = &qcrypto_nettle_twofish_driver_xts;
739                 nkey /= 2;
740                 twofish_set_key(&ctx->key_xts, nkey, key + nkey);
741                 break;
742             default:
743                 g_assert_not_reached();
744             }
745             twofish_set_key(&ctx->key, nkey, key);
747             return &ctx->base;
748         }
750     default:
751         error_setg(errp, "Unsupported cipher algorithm %s",
752                    QCryptoCipherAlgorithm_str(alg));
753         return NULL;
754     }
756  bad_cipher_mode:
757     error_setg(errp, "Unsupported cipher mode %s",
758                QCryptoCipherMode_str(mode));
759     return NULL;