hw/rtc/sun4v-rtc: Relicense to GPLv2-or-later
[qemu/armbru.git] / crypto / cipher-nettle.c.inc
blob42b39e18a23d49b1a5d86eaa5874f849f444b522
1 /*
2  * QEMU Crypto cipher nettle algorithms
3  *
4  * Copyright (c) 2015 Red Hat, Inc.
5  *
6  * This library is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU Lesser General Public
8  * License as published by the Free Software Foundation; either
9  * version 2.1 of the License, or (at your option) any later version.
10  *
11  * This library is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14  * Lesser General Public License for more details.
15  *
16  * You should have received a copy of the GNU Lesser General Public
17  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18  *
19  */
21 #ifdef CONFIG_QEMU_PRIVATE_XTS
22 #include "crypto/xts.h"
23 #endif
25 #include <nettle/nettle-types.h>
26 #include <nettle/aes.h>
27 #include <nettle/des.h>
28 #include <nettle/cbc.h>
29 #include <nettle/cast128.h>
30 #include <nettle/serpent.h>
31 #include <nettle/twofish.h>
32 #include <nettle/ctr.h>
33 #ifndef CONFIG_QEMU_PRIVATE_XTS
34 #include <nettle/xts.h>
35 #endif
36 #ifdef CONFIG_CRYPTO_SM4
37 #include <nettle/sm4.h>
38 #endif
40 static inline bool qcrypto_length_check(size_t len, size_t blocksize,
41                                         Error **errp)
43     if (unlikely(len & (blocksize - 1))) {
44         error_setg(errp, "Length %zu must be a multiple of block size %zu",
45                    len, blocksize);
46         return false;
47     }
48     return true;
52 static void qcrypto_cipher_ctx_free(QCryptoCipher *ctx)
54     g_free(ctx);
57 static int qcrypto_cipher_no_setiv(QCryptoCipher *cipher,
58                                    const uint8_t *iv, size_t niv,
59                                    Error **errp)
61     error_setg(errp, "Setting IV is not supported");
62     return -1;
66 #define DEFINE_SETIV(NAME, TYPE, BLEN)                                  \
67 static int NAME##_setiv(QCryptoCipher *cipher, const uint8_t *iv,       \
68                         size_t niv, Error **errp)                       \
69 {                                                                       \
70     TYPE *ctx = container_of(cipher, TYPE, base);                       \
71     if (niv != BLEN) {                                                  \
72         error_setg(errp, "Expected IV size %d not %zu", BLEN, niv);     \
73         return -1;                                                      \
74     }                                                                   \
75     memcpy(ctx->iv, iv, niv);                                           \
76     return 0;                                                           \
80 #define DEFINE_ECB(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)                  \
81 static int NAME##_encrypt_ecb(QCryptoCipher *cipher, const void *in,    \
82                               void *out, size_t len, Error **errp)      \
83 {                                                                       \
84     TYPE *ctx = container_of(cipher, TYPE, base);                       \
85     if (!qcrypto_length_check(len, BLEN, errp)) {                       \
86         return -1;                                                      \
87     }                                                                   \
88     ENCRYPT(&ctx->key, len, out, in);                                   \
89     return 0;                                                           \
90 }                                                                       \
91 static int NAME##_decrypt_ecb(QCryptoCipher *cipher, const void *in,    \
92                               void *out, size_t len, Error **errp)      \
93 {                                                                       \
94     TYPE *ctx = container_of(cipher, TYPE, base);                       \
95     if (!qcrypto_length_check(len, BLEN, errp)) {                       \
96         return -1;                                                      \
97     }                                                                   \
98     DECRYPT(&ctx->key, len, out, in);                                   \
99     return 0;                                                           \
100 }                                                                       \
101 static const struct QCryptoCipherDriver NAME##_driver_ecb = {           \
102     .cipher_encrypt = NAME##_encrypt_ecb,                               \
103     .cipher_decrypt = NAME##_decrypt_ecb,                               \
104     .cipher_setiv = qcrypto_cipher_no_setiv,                            \
105     .cipher_free = qcrypto_cipher_ctx_free,                             \
109 #define DEFINE_CBC(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)                  \
110 static int NAME##_encrypt_cbc(QCryptoCipher *cipher, const void *in,    \
111                               void *out, size_t len, Error **errp)      \
112 {                                                                       \
113     TYPE *ctx = container_of(cipher, TYPE, base);                       \
114     if (!qcrypto_length_check(len, BLEN, errp)) {                       \
115         return -1;                                                      \
116     }                                                                   \
117     cbc_encrypt(&ctx->key, ENCRYPT, BLEN, ctx->iv, len, out, in);       \
118     return 0;                                                           \
119 }                                                                       \
120 static int NAME##_decrypt_cbc(QCryptoCipher *cipher, const void *in,    \
121                               void *out, size_t len, Error **errp)      \
122 {                                                                       \
123     TYPE *ctx = container_of(cipher, TYPE, base);                       \
124     if (!qcrypto_length_check(len, BLEN, errp)) {                       \
125         return -1;                                                      \
126     }                                                                   \
127     cbc_decrypt(&ctx->key, DECRYPT, BLEN, ctx->iv, len, out, in);       \
128     return 0;                                                           \
129 }                                                                       \
130 static const struct QCryptoCipherDriver NAME##_driver_cbc = {           \
131     .cipher_encrypt = NAME##_encrypt_cbc,                               \
132     .cipher_decrypt = NAME##_decrypt_cbc,                               \
133     .cipher_setiv = NAME##_setiv,                                       \
134     .cipher_free = qcrypto_cipher_ctx_free,                             \
138 #define DEFINE_CTR(NAME, TYPE, BLEN, ENCRYPT)                           \
139 static int NAME##_encrypt_ctr(QCryptoCipher *cipher, const void *in,    \
140                               void *out, size_t len, Error **errp)      \
141 {                                                                       \
142     TYPE *ctx = container_of(cipher, TYPE, base);                       \
143     if (!qcrypto_length_check(len, BLEN, errp)) {                       \
144         return -1;                                                      \
145     }                                                                   \
146     ctr_crypt(&ctx->key, ENCRYPT, BLEN, ctx->iv, len, out, in);         \
147     return 0;                                                           \
148 }                                                                       \
149 static const struct QCryptoCipherDriver NAME##_driver_ctr = {           \
150     .cipher_encrypt = NAME##_encrypt_ctr,                               \
151     .cipher_decrypt = NAME##_encrypt_ctr,                               \
152     .cipher_setiv = NAME##_setiv,                                       \
153     .cipher_free = qcrypto_cipher_ctx_free,                             \
157 #ifdef CONFIG_QEMU_PRIVATE_XTS
158 #define DEFINE__XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)                 \
159 static void NAME##_xts_wrape(const void *ctx, size_t length,            \
160                              uint8_t *dst, const uint8_t *src)          \
161 {                                                                       \
162     ENCRYPT((const void *)ctx, length, dst, src);                       \
163 }                                                                       \
164 static void NAME##_xts_wrapd(const void *ctx, size_t length,            \
165                              uint8_t *dst, const uint8_t *src)          \
166 {                                                                       \
167     DECRYPT((const void *)ctx, length, dst, src);                       \
168 }                                                                       \
169 static int NAME##_encrypt_xts(QCryptoCipher *cipher, const void *in,    \
170                               void *out, size_t len, Error **errp)      \
171 {                                                                       \
172     TYPE *ctx = container_of(cipher, TYPE, base);                       \
173     if (!qcrypto_length_check(len, BLEN, errp)) {                       \
174         return -1;                                                      \
175     }                                                                   \
176     xts_encrypt(&ctx->key, &ctx->key_xts,                               \
177                 NAME##_xts_wrape, NAME##_xts_wrapd,                     \
178                 ctx->iv, len, out, in);                                 \
179     return 0;                                                           \
180 }                                                                       \
181 static int NAME##_decrypt_xts(QCryptoCipher *cipher, const void *in,    \
182                               void *out, size_t len, Error **errp)      \
183 {                                                                       \
184     TYPE *ctx = container_of(cipher, TYPE, base);                       \
185     if (!qcrypto_length_check(len, BLEN, errp)) {                       \
186         return -1;                                                      \
187     }                                                                   \
188     xts_decrypt(&ctx->key, &ctx->key_xts,                               \
189                 NAME##_xts_wrape, NAME##_xts_wrapd,                     \
190                 ctx->iv, len, out, in);                                 \
191     return 0;                                                           \
193 #else
194 #define DEFINE__XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)                 \
195 static int NAME##_encrypt_xts(QCryptoCipher *cipher, const void *in,    \
196                               void *out, size_t len, Error **errp)      \
197 {                                                                       \
198     TYPE *ctx = container_of(cipher, TYPE, base);                       \
199     if (!qcrypto_length_check(len, BLEN, errp)) {                       \
200         return -1;                                                      \
201     }                                                                   \
202     xts_encrypt_message(&ctx->key, &ctx->key_xts, ENCRYPT,              \
203                         ctx->iv, len, out, in);                         \
204     return 0;                                                           \
205 }                                                                       \
206 static int NAME##_decrypt_xts(QCryptoCipher *cipher, const void *in,    \
207                               void *out, size_t len, Error **errp)      \
208 {                                                                       \
209     TYPE *ctx = container_of(cipher, TYPE, base);                       \
210     if (!qcrypto_length_check(len, BLEN, errp)) {                       \
211         return -1;                                                      \
212     }                                                                   \
213     xts_decrypt_message(&ctx->key, &ctx->key_xts, DECRYPT, ENCRYPT,     \
214                         ctx->iv, len, out, in);                         \
215     return 0;                                                           \
217 #endif
219 #define DEFINE_XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)          \
220     QEMU_BUILD_BUG_ON(BLEN != XTS_BLOCK_SIZE);                  \
221     DEFINE__XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)             \
222 static const struct QCryptoCipherDriver NAME##_driver_xts = {   \
223     .cipher_encrypt = NAME##_encrypt_xts,                       \
224     .cipher_decrypt = NAME##_decrypt_xts,                       \
225     .cipher_setiv = NAME##_setiv,                               \
226     .cipher_free = qcrypto_cipher_ctx_free,                     \
230 #define DEFINE_ECB_CBC_CTR(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)  \
231     DEFINE_SETIV(NAME, TYPE, BLEN)                              \
232     DEFINE_ECB(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)              \
233     DEFINE_CBC(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)              \
234     DEFINE_CTR(NAME, TYPE, BLEN, ENCRYPT)
236 #define DEFINE_ECB_CBC_CTR_XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)      \
237     DEFINE_ECB_CBC_CTR(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)              \
238     DEFINE_XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)
241 typedef struct QCryptoNettleDES {
242     QCryptoCipher base;
243     struct des_ctx key;
244     uint8_t iv[DES_BLOCK_SIZE];
245 } QCryptoNettleDES;
247 static void des_encrypt_native(const void *ctx, size_t length,
248                                uint8_t *dst, const uint8_t *src)
250     des_encrypt(ctx, length, dst, src);
253 static void des_decrypt_native(const void *ctx, size_t length,
254                                uint8_t *dst, const uint8_t *src)
256     des_decrypt(ctx, length, dst, src);
259 DEFINE_ECB_CBC_CTR(qcrypto_nettle_des, QCryptoNettleDES,
260                    DES_BLOCK_SIZE, des_encrypt_native, des_decrypt_native)
263 typedef struct QCryptoNettleDES3 {
264     QCryptoCipher base;
265     struct des3_ctx key;
266     uint8_t iv[DES3_BLOCK_SIZE];
267 } QCryptoNettleDES3;
269 static void des3_encrypt_native(const void *ctx, size_t length,
270                                 uint8_t *dst, const uint8_t *src)
272     des3_encrypt(ctx, length, dst, src);
275 static void des3_decrypt_native(const void *ctx, size_t length,
276                                 uint8_t *dst, const uint8_t *src)
278     des3_decrypt(ctx, length, dst, src);
281 DEFINE_ECB_CBC_CTR(qcrypto_nettle_des3, QCryptoNettleDES3, DES3_BLOCK_SIZE,
282                    des3_encrypt_native, des3_decrypt_native)
285 typedef struct QCryptoNettleAES128 {
286     QCryptoCipher base;
287     uint8_t iv[AES_BLOCK_SIZE];
288     /* First key from pair is encode, second key is decode. */
289     struct aes128_ctx key[2], key_xts[2];
290 } QCryptoNettleAES128;
292 static void aes128_encrypt_native(const void *ctx, size_t length,
293                                   uint8_t *dst, const uint8_t *src)
295     const struct aes128_ctx *keys = ctx;
296     aes128_encrypt(&keys[0], length, dst, src);
299 static void aes128_decrypt_native(const void *ctx, size_t length,
300                                   uint8_t *dst, const uint8_t *src)
302     const struct aes128_ctx *keys = ctx;
303     aes128_decrypt(&keys[1], length, dst, src);
306 DEFINE_ECB_CBC_CTR_XTS(qcrypto_nettle_aes128,
307                        QCryptoNettleAES128, AES_BLOCK_SIZE,
308                        aes128_encrypt_native, aes128_decrypt_native)
311 typedef struct QCryptoNettleAES192 {
312     QCryptoCipher base;
313     uint8_t iv[AES_BLOCK_SIZE];
314     /* First key from pair is encode, second key is decode. */
315     struct aes192_ctx key[2], key_xts[2];
316 } QCryptoNettleAES192;
318 static void aes192_encrypt_native(const void *ctx, size_t length,
319                                   uint8_t *dst, const uint8_t *src)
321     const struct aes192_ctx *keys = ctx;
322     aes192_encrypt(&keys[0], length, dst, src);
325 static void aes192_decrypt_native(const void *ctx, size_t length,
326                                   uint8_t *dst, const uint8_t *src)
328     const struct aes192_ctx *keys = ctx;
329     aes192_decrypt(&keys[1], length, dst, src);
332 DEFINE_ECB_CBC_CTR_XTS(qcrypto_nettle_aes192,
333                        QCryptoNettleAES192, AES_BLOCK_SIZE,
334                        aes192_encrypt_native, aes192_decrypt_native)
337 typedef struct QCryptoNettleAES256 {
338     QCryptoCipher base;
339     uint8_t iv[AES_BLOCK_SIZE];
340     /* First key from pair is encode, second key is decode. */
341     struct aes256_ctx key[2], key_xts[2];
342 } QCryptoNettleAES256;
344 static void aes256_encrypt_native(const void *ctx, size_t length,
345                                   uint8_t *dst, const uint8_t *src)
347     const struct aes256_ctx *keys = ctx;
348     aes256_encrypt(&keys[0], length, dst, src);
351 static void aes256_decrypt_native(const void *ctx, size_t length,
352                                   uint8_t *dst, const uint8_t *src)
354     const struct aes256_ctx *keys = ctx;
355     aes256_decrypt(&keys[1], length, dst, src);
358 DEFINE_ECB_CBC_CTR_XTS(qcrypto_nettle_aes256,
359                        QCryptoNettleAES256, AES_BLOCK_SIZE,
360                        aes256_encrypt_native, aes256_decrypt_native)
363 typedef struct QCryptoNettleCAST128 {
364     QCryptoCipher base;
365     uint8_t iv[CAST128_BLOCK_SIZE];
366     struct cast128_ctx key, key_xts;
367 } QCryptoNettleCAST128;
369 static void cast128_encrypt_native(const void *ctx, size_t length,
370                                    uint8_t *dst, const uint8_t *src)
372     cast128_encrypt(ctx, length, dst, src);
375 static void cast128_decrypt_native(const void *ctx, size_t length,
376                                    uint8_t *dst, const uint8_t *src)
378     cast128_decrypt(ctx, length, dst, src);
381 DEFINE_ECB_CBC_CTR(qcrypto_nettle_cast128,
382                    QCryptoNettleCAST128, CAST128_BLOCK_SIZE,
383                    cast128_encrypt_native, cast128_decrypt_native)
386 typedef struct QCryptoNettleSerpent {
387     QCryptoCipher base;
388     uint8_t iv[SERPENT_BLOCK_SIZE];
389     struct serpent_ctx key, key_xts;
390 } QCryptoNettleSerpent;
393 static void serpent_encrypt_native(const void *ctx, size_t length,
394                                    uint8_t *dst, const uint8_t *src)
396     serpent_encrypt(ctx, length, dst, src);
399 static void serpent_decrypt_native(const void *ctx, size_t length,
400                                    uint8_t *dst, const uint8_t *src)
402     serpent_decrypt(ctx, length, dst, src);
405 DEFINE_ECB_CBC_CTR_XTS(qcrypto_nettle_serpent,
406                        QCryptoNettleSerpent, SERPENT_BLOCK_SIZE,
407                        serpent_encrypt_native, serpent_decrypt_native)
410 typedef struct QCryptoNettleTwofish {
411     QCryptoCipher base;
412     uint8_t iv[TWOFISH_BLOCK_SIZE];
413     struct twofish_ctx key, key_xts;
414 } QCryptoNettleTwofish;
416 static void twofish_encrypt_native(const void *ctx, size_t length,
417                                    uint8_t *dst, const uint8_t *src)
419     twofish_encrypt(ctx, length, dst, src);
422 static void twofish_decrypt_native(const void *ctx, size_t length,
423                                    uint8_t *dst, const uint8_t *src)
425     twofish_decrypt(ctx, length, dst, src);
428 DEFINE_ECB_CBC_CTR_XTS(qcrypto_nettle_twofish,
429                        QCryptoNettleTwofish, TWOFISH_BLOCK_SIZE,
430                        twofish_encrypt_native, twofish_decrypt_native)
432 #ifdef CONFIG_CRYPTO_SM4
433 typedef struct QCryptoNettleSm4 {
434     QCryptoCipher base;
435     struct sm4_ctx key[2];
436 } QCryptoNettleSm4;
438 static void sm4_encrypt_native(void *ctx, size_t length,
439                                uint8_t *dst, const uint8_t *src)
441     struct sm4_ctx *keys = ctx;
442     sm4_crypt(&keys[0], length, dst, src);
445 static void sm4_decrypt_native(void *ctx, size_t length,
446                                uint8_t *dst, const uint8_t *src)
448     struct sm4_ctx *keys = ctx;
449     sm4_crypt(&keys[1], length, dst, src);
452 DEFINE_ECB(qcrypto_nettle_sm4,
453            QCryptoNettleSm4, SM4_BLOCK_SIZE,
454            sm4_encrypt_native, sm4_decrypt_native)
455 #endif
457 bool qcrypto_cipher_supports(QCryptoCipherAlgorithm alg,
458                              QCryptoCipherMode mode)
460     switch (alg) {
461     case QCRYPTO_CIPHER_ALG_DES:
462     case QCRYPTO_CIPHER_ALG_3DES:
463     case QCRYPTO_CIPHER_ALG_AES_128:
464     case QCRYPTO_CIPHER_ALG_AES_192:
465     case QCRYPTO_CIPHER_ALG_AES_256:
466     case QCRYPTO_CIPHER_ALG_CAST5_128:
467     case QCRYPTO_CIPHER_ALG_SERPENT_128:
468     case QCRYPTO_CIPHER_ALG_SERPENT_192:
469     case QCRYPTO_CIPHER_ALG_SERPENT_256:
470     case QCRYPTO_CIPHER_ALG_TWOFISH_128:
471     case QCRYPTO_CIPHER_ALG_TWOFISH_192:
472     case QCRYPTO_CIPHER_ALG_TWOFISH_256:
473 #ifdef CONFIG_CRYPTO_SM4
474     case QCRYPTO_CIPHER_ALG_SM4:
475 #endif
476         break;
477     default:
478         return false;
479     }
481     switch (mode) {
482     case QCRYPTO_CIPHER_MODE_ECB:
483     case QCRYPTO_CIPHER_MODE_CBC:
484     case QCRYPTO_CIPHER_MODE_XTS:
485     case QCRYPTO_CIPHER_MODE_CTR:
486         return true;
487     default:
488         return false;
489     }
492 static QCryptoCipher *qcrypto_cipher_ctx_new(QCryptoCipherAlgorithm alg,
493                                              QCryptoCipherMode mode,
494                                              const uint8_t *key,
495                                              size_t nkey,
496                                              Error **errp)
498     switch (mode) {
499     case QCRYPTO_CIPHER_MODE_ECB:
500     case QCRYPTO_CIPHER_MODE_CBC:
501     case QCRYPTO_CIPHER_MODE_XTS:
502     case QCRYPTO_CIPHER_MODE_CTR:
503         break;
504     default:
505         goto bad_cipher_mode;
506     }
508     if (!qcrypto_cipher_validate_key_length(alg, mode, nkey, errp)) {
509         return NULL;
510     }
512     switch (alg) {
513     case QCRYPTO_CIPHER_ALG_DES:
514         {
515             QCryptoNettleDES *ctx;
516             const QCryptoCipherDriver *drv;
518             switch (mode) {
519             case QCRYPTO_CIPHER_MODE_ECB:
520                 drv = &qcrypto_nettle_des_driver_ecb;
521                 break;
522             case QCRYPTO_CIPHER_MODE_CBC:
523                 drv = &qcrypto_nettle_des_driver_cbc;
524                 break;
525             case QCRYPTO_CIPHER_MODE_CTR:
526                 drv = &qcrypto_nettle_des_driver_ctr;
527                 break;
528             default:
529                 goto bad_cipher_mode;
530             }
532             ctx = g_new0(QCryptoNettleDES, 1);
533             ctx->base.driver = drv;
534             des_set_key(&ctx->key, key);
536             return &ctx->base;
537         }
539     case QCRYPTO_CIPHER_ALG_3DES:
540         {
541             QCryptoNettleDES3 *ctx;
542             const QCryptoCipherDriver *drv;
544             switch (mode) {
545             case QCRYPTO_CIPHER_MODE_ECB:
546                 drv = &qcrypto_nettle_des3_driver_ecb;
547                 break;
548             case QCRYPTO_CIPHER_MODE_CBC:
549                 drv = &qcrypto_nettle_des3_driver_cbc;
550                 break;
551             case QCRYPTO_CIPHER_MODE_CTR:
552                 drv = &qcrypto_nettle_des3_driver_ctr;
553                 break;
554             default:
555                 goto bad_cipher_mode;
556             }
558             ctx = g_new0(QCryptoNettleDES3, 1);
559             ctx->base.driver = drv;
560             des3_set_key(&ctx->key, key);
561             return &ctx->base;
562         }
564     case QCRYPTO_CIPHER_ALG_AES_128:
565         {
566             QCryptoNettleAES128 *ctx = g_new0(QCryptoNettleAES128, 1);
568             switch (mode) {
569             case QCRYPTO_CIPHER_MODE_ECB:
570                 ctx->base.driver = &qcrypto_nettle_aes128_driver_ecb;
571                 break;
572             case QCRYPTO_CIPHER_MODE_CBC:
573                 ctx->base.driver = &qcrypto_nettle_aes128_driver_cbc;
574                 break;
575             case QCRYPTO_CIPHER_MODE_CTR:
576                 ctx->base.driver = &qcrypto_nettle_aes128_driver_ctr;
577                 break;
578             case QCRYPTO_CIPHER_MODE_XTS:
579                 ctx->base.driver = &qcrypto_nettle_aes128_driver_xts;
580                 nkey /= 2;
581                 aes128_set_encrypt_key(&ctx->key_xts[0], key + nkey);
582                 aes128_set_decrypt_key(&ctx->key_xts[1], key + nkey);
583                 break;
584             default:
585                 g_assert_not_reached();
586             }
587             aes128_set_encrypt_key(&ctx->key[0], key);
588             aes128_set_decrypt_key(&ctx->key[1], key);
590             return &ctx->base;
591         }
593     case QCRYPTO_CIPHER_ALG_AES_192:
594         {
595             QCryptoNettleAES192 *ctx = g_new0(QCryptoNettleAES192, 1);
597             switch (mode) {
598             case QCRYPTO_CIPHER_MODE_ECB:
599                 ctx->base.driver = &qcrypto_nettle_aes192_driver_ecb;
600                 break;
601             case QCRYPTO_CIPHER_MODE_CBC:
602                 ctx->base.driver = &qcrypto_nettle_aes192_driver_cbc;
603                 break;
604             case QCRYPTO_CIPHER_MODE_CTR:
605                 ctx->base.driver = &qcrypto_nettle_aes192_driver_ctr;
606                 break;
607             case QCRYPTO_CIPHER_MODE_XTS:
608                 ctx->base.driver = &qcrypto_nettle_aes192_driver_xts;
609                 nkey /= 2;
610                 aes192_set_encrypt_key(&ctx->key_xts[0], key + nkey);
611                 aes192_set_decrypt_key(&ctx->key_xts[1], key + nkey);
612                 break;
613             default:
614                 g_assert_not_reached();
615             }
616             aes192_set_encrypt_key(&ctx->key[0], key);
617             aes192_set_decrypt_key(&ctx->key[1], key);
619             return &ctx->base;
620         }
622     case QCRYPTO_CIPHER_ALG_AES_256:
623         {
624             QCryptoNettleAES256 *ctx = g_new0(QCryptoNettleAES256, 1);
626             switch (mode) {
627             case QCRYPTO_CIPHER_MODE_ECB:
628                 ctx->base.driver = &qcrypto_nettle_aes256_driver_ecb;
629                 break;
630             case QCRYPTO_CIPHER_MODE_CBC:
631                 ctx->base.driver = &qcrypto_nettle_aes256_driver_cbc;
632                 break;
633             case QCRYPTO_CIPHER_MODE_CTR:
634                 ctx->base.driver = &qcrypto_nettle_aes256_driver_ctr;
635                 break;
636             case QCRYPTO_CIPHER_MODE_XTS:
637                 ctx->base.driver = &qcrypto_nettle_aes256_driver_xts;
638                 nkey /= 2;
639                 aes256_set_encrypt_key(&ctx->key_xts[0], key + nkey);
640                 aes256_set_decrypt_key(&ctx->key_xts[1], key + nkey);
641                 break;
642             default:
643                 g_assert_not_reached();
644             }
645             aes256_set_encrypt_key(&ctx->key[0], key);
646             aes256_set_decrypt_key(&ctx->key[1], key);
648             return &ctx->base;
649         }
651     case QCRYPTO_CIPHER_ALG_CAST5_128:
652         {
653             QCryptoNettleCAST128 *ctx;
654             const QCryptoCipherDriver *drv;
656             switch (mode) {
657             case QCRYPTO_CIPHER_MODE_ECB:
658                 drv = &qcrypto_nettle_cast128_driver_ecb;
659                 break;
660             case QCRYPTO_CIPHER_MODE_CBC:
661                 drv = &qcrypto_nettle_cast128_driver_cbc;
662                 break;
663             case QCRYPTO_CIPHER_MODE_CTR:
664                 drv = &qcrypto_nettle_cast128_driver_ctr;
665                 break;
666             default:
667                 goto bad_cipher_mode;
668             }
670             ctx = g_new0(QCryptoNettleCAST128, 1);
671             ctx->base.driver = drv;
672             cast5_set_key(&ctx->key, nkey, key);
674             return &ctx->base;
675         }
677     case QCRYPTO_CIPHER_ALG_SERPENT_128:
678     case QCRYPTO_CIPHER_ALG_SERPENT_192:
679     case QCRYPTO_CIPHER_ALG_SERPENT_256:
680         {
681             QCryptoNettleSerpent *ctx = g_new0(QCryptoNettleSerpent, 1);
683             switch (mode) {
684             case QCRYPTO_CIPHER_MODE_ECB:
685                 ctx->base.driver = &qcrypto_nettle_serpent_driver_ecb;
686                 break;
687             case QCRYPTO_CIPHER_MODE_CBC:
688                 ctx->base.driver = &qcrypto_nettle_serpent_driver_cbc;
689                 break;
690             case QCRYPTO_CIPHER_MODE_CTR:
691                 ctx->base.driver = &qcrypto_nettle_serpent_driver_ctr;
692                 break;
693             case QCRYPTO_CIPHER_MODE_XTS:
694                 ctx->base.driver = &qcrypto_nettle_serpent_driver_xts;
695                 nkey /= 2;
696                 serpent_set_key(&ctx->key_xts, nkey, key + nkey);
697                 break;
698             default:
699                 g_assert_not_reached();
700             }
701             serpent_set_key(&ctx->key, nkey, key);
703             return &ctx->base;
704         }
706     case QCRYPTO_CIPHER_ALG_TWOFISH_128:
707     case QCRYPTO_CIPHER_ALG_TWOFISH_192:
708     case QCRYPTO_CIPHER_ALG_TWOFISH_256:
709         {
710             QCryptoNettleTwofish *ctx = g_new0(QCryptoNettleTwofish, 1);
712             switch (mode) {
713             case QCRYPTO_CIPHER_MODE_ECB:
714                 ctx->base.driver = &qcrypto_nettle_twofish_driver_ecb;
715                 break;
716             case QCRYPTO_CIPHER_MODE_CBC:
717                 ctx->base.driver = &qcrypto_nettle_twofish_driver_cbc;
718                 break;
719             case QCRYPTO_CIPHER_MODE_CTR:
720                 ctx->base.driver = &qcrypto_nettle_twofish_driver_ctr;
721                 break;
722             case QCRYPTO_CIPHER_MODE_XTS:
723                 ctx->base.driver = &qcrypto_nettle_twofish_driver_xts;
724                 nkey /= 2;
725                 twofish_set_key(&ctx->key_xts, nkey, key + nkey);
726                 break;
727             default:
728                 g_assert_not_reached();
729             }
730             twofish_set_key(&ctx->key, nkey, key);
732             return &ctx->base;
733         }
734 #ifdef CONFIG_CRYPTO_SM4
735     case QCRYPTO_CIPHER_ALG_SM4:
736         {
737             QCryptoNettleSm4 *ctx = g_new0(QCryptoNettleSm4, 1);
739             switch (mode) {
740             case QCRYPTO_CIPHER_MODE_ECB:
741                 ctx->base.driver = &qcrypto_nettle_sm4_driver_ecb;
742                 break;
743             default:
744                 goto bad_cipher_mode;
745             }
747             sm4_set_encrypt_key(&ctx->key[0], key);
748             sm4_set_decrypt_key(&ctx->key[1], key);
750             return &ctx->base;
751         }
752 #endif
754     default:
755         error_setg(errp, "Unsupported cipher algorithm %s",
756                    QCryptoCipherAlgorithm_str(alg));
757         return NULL;
758     }
760  bad_cipher_mode:
761     error_setg(errp, "Unsupported cipher mode %s",
762                QCryptoCipherMode_str(mode));
763     return NULL;