Update version for v7.1.0-rc3 release
[qemu.git] / crypto / cipher-nettle.c.inc
1 /*
2  * QEMU Crypto cipher nettle algorithms
3  *
4  * Copyright (c) 2015 Red Hat, Inc.
5  *
6  * This library is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU Lesser General Public
8  * License as published by the Free Software Foundation; either
9  * version 2.1 of the License, or (at your option) any later version.
10  *
11  * This library is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14  * Lesser General Public License for more details.
15  *
16  * You should have received a copy of the GNU Lesser General Public
17  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18  *
19  */
20
21 #ifdef CONFIG_QEMU_PRIVATE_XTS
22 #include "crypto/xts.h"
23 #endif
24
25 #include <nettle/nettle-types.h>
26 #include <nettle/aes.h>
27 #include <nettle/des.h>
28 #include <nettle/cbc.h>
29 #include <nettle/cast128.h>
30 #include <nettle/serpent.h>
31 #include <nettle/twofish.h>
32 #include <nettle/ctr.h>
33 #ifndef CONFIG_QEMU_PRIVATE_XTS
34 #include <nettle/xts.h>
35 #endif
36
37 static inline bool qcrypto_length_check(size_t len, size_t blocksize,
38                                         Error **errp)
39 {
40     if (unlikely(len & (blocksize - 1))) {
41         error_setg(errp, "Length %zu must be a multiple of block size %zu",
42                    len, blocksize);
43         return false;
44     }
45     return true;
46 }
47
48
49 static void qcrypto_cipher_ctx_free(QCryptoCipher *ctx)
50 {
51     g_free(ctx);
52 }
53
54 static int qcrypto_cipher_no_setiv(QCryptoCipher *cipher,
55                                    const uint8_t *iv, size_t niv,
56                                    Error **errp)
57 {
58     error_setg(errp, "Setting IV is not supported");
59     return -1;
60 }
61
62
63 #define DEFINE_SETIV(NAME, TYPE, BLEN)                                  \
64 static int NAME##_setiv(QCryptoCipher *cipher, const uint8_t *iv,       \
65                         size_t niv, Error **errp)                       \
66 {                                                                       \
67     TYPE *ctx = container_of(cipher, TYPE, base);                       \
68     if (niv != BLEN) {                                                  \
69         error_setg(errp, "Expected IV size %d not %zu", BLEN, niv);     \
70         return -1;                                                      \
71     }                                                                   \
72     memcpy(ctx->iv, iv, niv);                                           \
73     return 0;                                                           \
74 }
75
76
77 #define DEFINE_ECB(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)                  \
78 static int NAME##_encrypt_ecb(QCryptoCipher *cipher, const void *in,    \
79                               void *out, size_t len, Error **errp)      \
80 {                                                                       \
81     TYPE *ctx = container_of(cipher, TYPE, base);                       \
82     if (!qcrypto_length_check(len, BLEN, errp)) {                       \
83         return -1;                                                      \
84     }                                                                   \
85     ENCRYPT(&ctx->key, len, out, in);                                   \
86     return 0;                                                           \
87 }                                                                       \
88 static int NAME##_decrypt_ecb(QCryptoCipher *cipher, const void *in,    \
89                               void *out, size_t len, Error **errp)      \
90 {                                                                       \
91     TYPE *ctx = container_of(cipher, TYPE, base);                       \
92     if (!qcrypto_length_check(len, BLEN, errp)) {                       \
93         return -1;                                                      \
94     }                                                                   \
95     DECRYPT(&ctx->key, len, out, in);                                   \
96     return 0;                                                           \
97 }                                                                       \
98 static const struct QCryptoCipherDriver NAME##_driver_ecb = {           \
99     .cipher_encrypt = NAME##_encrypt_ecb,                               \
100     .cipher_decrypt = NAME##_decrypt_ecb,                               \
101     .cipher_setiv = qcrypto_cipher_no_setiv,                            \
102     .cipher_free = qcrypto_cipher_ctx_free,                             \
103 };
104
105
106 #define DEFINE_CBC(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)                  \
107 static int NAME##_encrypt_cbc(QCryptoCipher *cipher, const void *in,    \
108                               void *out, size_t len, Error **errp)      \
109 {                                                                       \
110     TYPE *ctx = container_of(cipher, TYPE, base);                       \
111     if (!qcrypto_length_check(len, BLEN, errp)) {                       \
112         return -1;                                                      \
113     }                                                                   \
114     cbc_encrypt(&ctx->key, ENCRYPT, BLEN, ctx->iv, len, out, in);       \
115     return 0;                                                           \
116 }                                                                       \
117 static int NAME##_decrypt_cbc(QCryptoCipher *cipher, const void *in,    \
118                               void *out, size_t len, Error **errp)      \
119 {                                                                       \
120     TYPE *ctx = container_of(cipher, TYPE, base);                       \
121     if (!qcrypto_length_check(len, BLEN, errp)) {                       \
122         return -1;                                                      \
123     }                                                                   \
124     cbc_decrypt(&ctx->key, DECRYPT, BLEN, ctx->iv, len, out, in);       \
125     return 0;                                                           \
126 }                                                                       \
127 static const struct QCryptoCipherDriver NAME##_driver_cbc = {           \
128     .cipher_encrypt = NAME##_encrypt_cbc,                               \
129     .cipher_decrypt = NAME##_decrypt_cbc,                               \
130     .cipher_setiv = NAME##_setiv,                                       \
131     .cipher_free = qcrypto_cipher_ctx_free,                             \
132 };
133
134
135 #define DEFINE_CTR(NAME, TYPE, BLEN, ENCRYPT)                           \
136 static int NAME##_encrypt_ctr(QCryptoCipher *cipher, const void *in,    \
137                               void *out, size_t len, Error **errp)      \
138 {                                                                       \
139     TYPE *ctx = container_of(cipher, TYPE, base);                       \
140     if (!qcrypto_length_check(len, BLEN, errp)) {                       \
141         return -1;                                                      \
142     }                                                                   \
143     ctr_crypt(&ctx->key, ENCRYPT, BLEN, ctx->iv, len, out, in);         \
144     return 0;                                                           \
145 }                                                                       \
146 static const struct QCryptoCipherDriver NAME##_driver_ctr = {           \
147     .cipher_encrypt = NAME##_encrypt_ctr,                               \
148     .cipher_decrypt = NAME##_encrypt_ctr,                               \
149     .cipher_setiv = NAME##_setiv,                                       \
150     .cipher_free = qcrypto_cipher_ctx_free,                             \
151 };
152
153
154 #ifdef CONFIG_QEMU_PRIVATE_XTS
155 #define DEFINE__XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)                 \
156 static void NAME##_xts_wrape(const void *ctx, size_t length,            \
157                              uint8_t *dst, const uint8_t *src)          \
158 {                                                                       \
159     ENCRYPT((const void *)ctx, length, dst, src);                       \
160 }                                                                       \
161 static void NAME##_xts_wrapd(const void *ctx, size_t length,            \
162                              uint8_t *dst, const uint8_t *src)          \
163 {                                                                       \
164     DECRYPT((const void *)ctx, length, dst, src);                       \
165 }                                                                       \
166 static int NAME##_encrypt_xts(QCryptoCipher *cipher, const void *in,    \
167                               void *out, size_t len, Error **errp)      \
168 {                                                                       \
169     TYPE *ctx = container_of(cipher, TYPE, base);                       \
170     if (!qcrypto_length_check(len, BLEN, errp)) {                       \
171         return -1;                                                      \
172     }                                                                   \
173     xts_encrypt(&ctx->key, &ctx->key_xts,                               \
174                 NAME##_xts_wrape, NAME##_xts_wrapd,                     \
175                 ctx->iv, len, out, in);                                 \
176     return 0;                                                           \
177 }                                                                       \
178 static int NAME##_decrypt_xts(QCryptoCipher *cipher, const void *in,    \
179                               void *out, size_t len, Error **errp)      \
180 {                                                                       \
181     TYPE *ctx = container_of(cipher, TYPE, base);                       \
182     if (!qcrypto_length_check(len, BLEN, errp)) {                       \
183         return -1;                                                      \
184     }                                                                   \
185     xts_decrypt(&ctx->key, &ctx->key_xts,                               \
186                 NAME##_xts_wrape, NAME##_xts_wrapd,                     \
187                 ctx->iv, len, out, in);                                 \
188     return 0;                                                           \
189 }
190 #else
191 #define DEFINE__XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)                 \
192 static int NAME##_encrypt_xts(QCryptoCipher *cipher, const void *in,    \
193                               void *out, size_t len, Error **errp)      \
194 {                                                                       \
195     TYPE *ctx = container_of(cipher, TYPE, base);                       \
196     if (!qcrypto_length_check(len, BLEN, errp)) {                       \
197         return -1;                                                      \
198     }                                                                   \
199     xts_encrypt_message(&ctx->key, &ctx->key_xts, ENCRYPT,              \
200                         ctx->iv, len, out, in);                         \
201     return 0;                                                           \
202 }                                                                       \
203 static int NAME##_decrypt_xts(QCryptoCipher *cipher, const void *in,    \
204                               void *out, size_t len, Error **errp)      \
205 {                                                                       \
206     TYPE *ctx = container_of(cipher, TYPE, base);                       \
207     if (!qcrypto_length_check(len, BLEN, errp)) {                       \
208         return -1;                                                      \
209     }                                                                   \
210     xts_decrypt_message(&ctx->key, &ctx->key_xts, DECRYPT, ENCRYPT,     \
211                         ctx->iv, len, out, in);                         \
212     return 0;                                                           \
213 }
214 #endif
215
216 #define DEFINE_XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)          \
217     QEMU_BUILD_BUG_ON(BLEN != XTS_BLOCK_SIZE);                  \
218     DEFINE__XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)             \
219 static const struct QCryptoCipherDriver NAME##_driver_xts = {   \
220     .cipher_encrypt = NAME##_encrypt_xts,                       \
221     .cipher_decrypt = NAME##_decrypt_xts,                       \
222     .cipher_setiv = NAME##_setiv,                               \
223     .cipher_free = qcrypto_cipher_ctx_free,                     \
224 };
225
226
227 #define DEFINE_ECB_CBC_CTR(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)  \
228     DEFINE_SETIV(NAME, TYPE, BLEN)                              \
229     DEFINE_ECB(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)              \
230     DEFINE_CBC(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)              \
231     DEFINE_CTR(NAME, TYPE, BLEN, ENCRYPT)
232
233 #define DEFINE_ECB_CBC_CTR_XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)      \
234     DEFINE_ECB_CBC_CTR(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)              \
235     DEFINE_XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)
236
237
238 typedef struct QCryptoNettleDES {
239     QCryptoCipher base;
240     struct des_ctx key;
241     uint8_t iv[DES_BLOCK_SIZE];
242 } QCryptoNettleDES;
243
244 static void des_encrypt_native(const void *ctx, size_t length,
245                                uint8_t *dst, const uint8_t *src)
246 {
247     des_encrypt(ctx, length, dst, src);
248 }
249
250 static void des_decrypt_native(const void *ctx, size_t length,
251                                uint8_t *dst, const uint8_t *src)
252 {
253     des_decrypt(ctx, length, dst, src);
254 }
255
256 DEFINE_ECB_CBC_CTR(qcrypto_nettle_des, QCryptoNettleDES,
257                    DES_BLOCK_SIZE, des_encrypt_native, des_decrypt_native)
258
259
260 typedef struct QCryptoNettleDES3 {
261     QCryptoCipher base;
262     struct des3_ctx key;
263     uint8_t iv[DES3_BLOCK_SIZE];
264 } QCryptoNettleDES3;
265
266 static void des3_encrypt_native(const void *ctx, size_t length,
267                                 uint8_t *dst, const uint8_t *src)
268 {
269     des3_encrypt(ctx, length, dst, src);
270 }
271
272 static void des3_decrypt_native(const void *ctx, size_t length,
273                                 uint8_t *dst, const uint8_t *src)
274 {
275     des3_decrypt(ctx, length, dst, src);
276 }
277
278 DEFINE_ECB_CBC_CTR(qcrypto_nettle_des3, QCryptoNettleDES3, DES3_BLOCK_SIZE,
279                    des3_encrypt_native, des3_decrypt_native)
280
281
282 typedef struct QCryptoNettleAES128 {
283     QCryptoCipher base;
284     uint8_t iv[AES_BLOCK_SIZE];
285     /* First key from pair is encode, second key is decode. */
286     struct aes128_ctx key[2], key_xts[2];
287 } QCryptoNettleAES128;
288
289 static void aes128_encrypt_native(const void *ctx, size_t length,
290                                   uint8_t *dst, const uint8_t *src)
291 {
292     const struct aes128_ctx *keys = ctx;
293     aes128_encrypt(&keys[0], length, dst, src);
294 }
295
296 static void aes128_decrypt_native(const void *ctx, size_t length,
297                                   uint8_t *dst, const uint8_t *src)
298 {
299     const struct aes128_ctx *keys = ctx;
300     aes128_decrypt(&keys[1], length, dst, src);
301 }
302
303 DEFINE_ECB_CBC_CTR_XTS(qcrypto_nettle_aes128,
304                        QCryptoNettleAES128, AES_BLOCK_SIZE,
305                        aes128_encrypt_native, aes128_decrypt_native)
306
307
308 typedef struct QCryptoNettleAES192 {
309     QCryptoCipher base;
310     uint8_t iv[AES_BLOCK_SIZE];
311     /* First key from pair is encode, second key is decode. */
312     struct aes192_ctx key[2], key_xts[2];
313 } QCryptoNettleAES192;
314
315 static void aes192_encrypt_native(const void *ctx, size_t length,
316                                   uint8_t *dst, const uint8_t *src)
317 {
318     const struct aes192_ctx *keys = ctx;
319     aes192_encrypt(&keys[0], length, dst, src);
320 }
321
322 static void aes192_decrypt_native(const void *ctx, size_t length,
323                                   uint8_t *dst, const uint8_t *src)
324 {
325     const struct aes192_ctx *keys = ctx;
326     aes192_decrypt(&keys[1], length, dst, src);
327 }
328
329 DEFINE_ECB_CBC_CTR_XTS(qcrypto_nettle_aes192,
330                        QCryptoNettleAES192, AES_BLOCK_SIZE,
331                        aes192_encrypt_native, aes192_decrypt_native)
332
333
334 typedef struct QCryptoNettleAES256 {
335     QCryptoCipher base;
336     uint8_t iv[AES_BLOCK_SIZE];
337     /* First key from pair is encode, second key is decode. */
338     struct aes256_ctx key[2], key_xts[2];
339 } QCryptoNettleAES256;
340
341 static void aes256_encrypt_native(const void *ctx, size_t length,
342                                   uint8_t *dst, const uint8_t *src)
343 {
344     const struct aes256_ctx *keys = ctx;
345     aes256_encrypt(&keys[0], length, dst, src);
346 }
347
348 static void aes256_decrypt_native(const void *ctx, size_t length,
349                                   uint8_t *dst, const uint8_t *src)
350 {
351     const struct aes256_ctx *keys = ctx;
352     aes256_decrypt(&keys[1], length, dst, src);
353 }
354
355 DEFINE_ECB_CBC_CTR_XTS(qcrypto_nettle_aes256,
356                        QCryptoNettleAES256, AES_BLOCK_SIZE,
357                        aes256_encrypt_native, aes256_decrypt_native)
358
359
360 typedef struct QCryptoNettleCAST128 {
361     QCryptoCipher base;
362     uint8_t iv[CAST128_BLOCK_SIZE];
363     struct cast128_ctx key, key_xts;
364 } QCryptoNettleCAST128;
365
366 static void cast128_encrypt_native(const void *ctx, size_t length,
367                                    uint8_t *dst, const uint8_t *src)
368 {
369     cast128_encrypt(ctx, length, dst, src);
370 }
371
372 static void cast128_decrypt_native(const void *ctx, size_t length,
373                                    uint8_t *dst, const uint8_t *src)
374 {
375     cast128_decrypt(ctx, length, dst, src);
376 }
377
378 DEFINE_ECB_CBC_CTR(qcrypto_nettle_cast128,
379                    QCryptoNettleCAST128, CAST128_BLOCK_SIZE,
380                    cast128_encrypt_native, cast128_decrypt_native)
381
382
383 typedef struct QCryptoNettleSerpent {
384     QCryptoCipher base;
385     uint8_t iv[SERPENT_BLOCK_SIZE];
386     struct serpent_ctx key, key_xts;
387 } QCryptoNettleSerpent;
388
389
390 static void serpent_encrypt_native(const void *ctx, size_t length,
391                                    uint8_t *dst, const uint8_t *src)
392 {
393     serpent_encrypt(ctx, length, dst, src);
394 }
395
396 static void serpent_decrypt_native(const void *ctx, size_t length,
397                                    uint8_t *dst, const uint8_t *src)
398 {
399     serpent_decrypt(ctx, length, dst, src);
400 }
401
402 DEFINE_ECB_CBC_CTR_XTS(qcrypto_nettle_serpent,
403                        QCryptoNettleSerpent, SERPENT_BLOCK_SIZE,
404                        serpent_encrypt_native, serpent_decrypt_native)
405
406
407 typedef struct QCryptoNettleTwofish {
408     QCryptoCipher base;
409     uint8_t iv[TWOFISH_BLOCK_SIZE];
410     struct twofish_ctx key, key_xts;
411 } QCryptoNettleTwofish;
412
413 static void twofish_encrypt_native(const void *ctx, size_t length,
414                                    uint8_t *dst, const uint8_t *src)
415 {
416     twofish_encrypt(ctx, length, dst, src);
417 }
418
419 static void twofish_decrypt_native(const void *ctx, size_t length,
420                                    uint8_t *dst, const uint8_t *src)
421 {
422     twofish_decrypt(ctx, length, dst, src);
423 }
424
425 DEFINE_ECB_CBC_CTR_XTS(qcrypto_nettle_twofish,
426                        QCryptoNettleTwofish, TWOFISH_BLOCK_SIZE,
427                        twofish_encrypt_native, twofish_decrypt_native)
428
429
430 bool qcrypto_cipher_supports(QCryptoCipherAlgorithm alg,
431                              QCryptoCipherMode mode)
432 {
433     switch (alg) {
434     case QCRYPTO_CIPHER_ALG_DES:
435     case QCRYPTO_CIPHER_ALG_3DES:
436     case QCRYPTO_CIPHER_ALG_AES_128:
437     case QCRYPTO_CIPHER_ALG_AES_192:
438     case QCRYPTO_CIPHER_ALG_AES_256:
439     case QCRYPTO_CIPHER_ALG_CAST5_128:
440     case QCRYPTO_CIPHER_ALG_SERPENT_128:
441     case QCRYPTO_CIPHER_ALG_SERPENT_192:
442     case QCRYPTO_CIPHER_ALG_SERPENT_256:
443     case QCRYPTO_CIPHER_ALG_TWOFISH_128:
444     case QCRYPTO_CIPHER_ALG_TWOFISH_192:
445     case QCRYPTO_CIPHER_ALG_TWOFISH_256:
446         break;
447     default:
448         return false;
449     }
450
451     switch (mode) {
452     case QCRYPTO_CIPHER_MODE_ECB:
453     case QCRYPTO_CIPHER_MODE_CBC:
454     case QCRYPTO_CIPHER_MODE_XTS:
455     case QCRYPTO_CIPHER_MODE_CTR:
456         return true;
457     default:
458         return false;
459     }
460 }
461
462 static QCryptoCipher *qcrypto_cipher_ctx_new(QCryptoCipherAlgorithm alg,
463                                              QCryptoCipherMode mode,
464                                              const uint8_t *key,
465                                              size_t nkey,
466                                              Error **errp)
467 {
468     switch (mode) {
469     case QCRYPTO_CIPHER_MODE_ECB:
470     case QCRYPTO_CIPHER_MODE_CBC:
471     case QCRYPTO_CIPHER_MODE_XTS:
472     case QCRYPTO_CIPHER_MODE_CTR:
473         break;
474     default:
475         goto bad_cipher_mode;
476     }
477
478     if (!qcrypto_cipher_validate_key_length(alg, mode, nkey, errp)) {
479         return NULL;
480     }
481
482     switch (alg) {
483     case QCRYPTO_CIPHER_ALG_DES:
484         {
485             QCryptoNettleDES *ctx;
486             const QCryptoCipherDriver *drv;
487
488             switch (mode) {
489             case QCRYPTO_CIPHER_MODE_ECB:
490                 drv = &qcrypto_nettle_des_driver_ecb;
491                 break;
492             case QCRYPTO_CIPHER_MODE_CBC:
493                 drv = &qcrypto_nettle_des_driver_cbc;
494                 break;
495             case QCRYPTO_CIPHER_MODE_CTR:
496                 drv = &qcrypto_nettle_des_driver_ctr;
497                 break;
498             default:
499                 goto bad_cipher_mode;
500             }
501
502             ctx = g_new0(QCryptoNettleDES, 1);
503             ctx->base.driver = drv;
504             des_set_key(&ctx->key, key);
505
506             return &ctx->base;
507         }
508
509     case QCRYPTO_CIPHER_ALG_3DES:
510         {
511             QCryptoNettleDES3 *ctx;
512             const QCryptoCipherDriver *drv;
513
514             switch (mode) {
515             case QCRYPTO_CIPHER_MODE_ECB:
516                 drv = &qcrypto_nettle_des3_driver_ecb;
517                 break;
518             case QCRYPTO_CIPHER_MODE_CBC:
519                 drv = &qcrypto_nettle_des3_driver_cbc;
520                 break;
521             case QCRYPTO_CIPHER_MODE_CTR:
522                 drv = &qcrypto_nettle_des3_driver_ctr;
523                 break;
524             default:
525                 goto bad_cipher_mode;
526             }
527
528             ctx = g_new0(QCryptoNettleDES3, 1);
529             ctx->base.driver = drv;
530             des3_set_key(&ctx->key, key);
531             return &ctx->base;
532         }
533
534     case QCRYPTO_CIPHER_ALG_AES_128:
535         {
536             QCryptoNettleAES128 *ctx = g_new0(QCryptoNettleAES128, 1);
537
538             switch (mode) {
539             case QCRYPTO_CIPHER_MODE_ECB:
540                 ctx->base.driver = &qcrypto_nettle_aes128_driver_ecb;
541                 break;
542             case QCRYPTO_CIPHER_MODE_CBC:
543                 ctx->base.driver = &qcrypto_nettle_aes128_driver_cbc;
544                 break;
545             case QCRYPTO_CIPHER_MODE_CTR:
546                 ctx->base.driver = &qcrypto_nettle_aes128_driver_ctr;
547                 break;
548             case QCRYPTO_CIPHER_MODE_XTS:
549                 ctx->base.driver = &qcrypto_nettle_aes128_driver_xts;
550                 nkey /= 2;
551                 aes128_set_encrypt_key(&ctx->key_xts[0], key + nkey);
552                 aes128_set_decrypt_key(&ctx->key_xts[1], key + nkey);
553                 break;
554             default:
555                 g_assert_not_reached();
556             }
557             aes128_set_encrypt_key(&ctx->key[0], key);
558             aes128_set_decrypt_key(&ctx->key[1], key);
559
560             return &ctx->base;
561         }
562
563     case QCRYPTO_CIPHER_ALG_AES_192:
564         {
565             QCryptoNettleAES192 *ctx = g_new0(QCryptoNettleAES192, 1);
566
567             switch (mode) {
568             case QCRYPTO_CIPHER_MODE_ECB:
569                 ctx->base.driver = &qcrypto_nettle_aes192_driver_ecb;
570                 break;
571             case QCRYPTO_CIPHER_MODE_CBC:
572                 ctx->base.driver = &qcrypto_nettle_aes192_driver_cbc;
573                 break;
574             case QCRYPTO_CIPHER_MODE_CTR:
575                 ctx->base.driver = &qcrypto_nettle_aes192_driver_ctr;
576                 break;
577             case QCRYPTO_CIPHER_MODE_XTS:
578                 ctx->base.driver = &qcrypto_nettle_aes192_driver_xts;
579                 nkey /= 2;
580                 aes192_set_encrypt_key(&ctx->key_xts[0], key + nkey);
581                 aes192_set_decrypt_key(&ctx->key_xts[1], key + nkey);
582                 break;
583             default:
584                 g_assert_not_reached();
585             }
586             aes192_set_encrypt_key(&ctx->key[0], key);
587             aes192_set_decrypt_key(&ctx->key[1], key);
588
589             return &ctx->base;
590         }
591
592     case QCRYPTO_CIPHER_ALG_AES_256:
593         {
594             QCryptoNettleAES256 *ctx = g_new0(QCryptoNettleAES256, 1);
595
596             switch (mode) {
597             case QCRYPTO_CIPHER_MODE_ECB:
598                 ctx->base.driver = &qcrypto_nettle_aes256_driver_ecb;
599                 break;
600             case QCRYPTO_CIPHER_MODE_CBC:
601                 ctx->base.driver = &qcrypto_nettle_aes256_driver_cbc;
602                 break;
603             case QCRYPTO_CIPHER_MODE_CTR:
604                 ctx->base.driver = &qcrypto_nettle_aes256_driver_ctr;
605                 break;
606             case QCRYPTO_CIPHER_MODE_XTS:
607                 ctx->base.driver = &qcrypto_nettle_aes256_driver_xts;
608                 nkey /= 2;
609                 aes256_set_encrypt_key(&ctx->key_xts[0], key + nkey);
610                 aes256_set_decrypt_key(&ctx->key_xts[1], key + nkey);
611                 break;
612             default:
613                 g_assert_not_reached();
614             }
615             aes256_set_encrypt_key(&ctx->key[0], key);
616             aes256_set_decrypt_key(&ctx->key[1], key);
617
618             return &ctx->base;
619         }
620
621     case QCRYPTO_CIPHER_ALG_CAST5_128:
622         {
623             QCryptoNettleCAST128 *ctx;
624             const QCryptoCipherDriver *drv;
625
626             switch (mode) {
627             case QCRYPTO_CIPHER_MODE_ECB:
628                 drv = &qcrypto_nettle_cast128_driver_ecb;
629                 break;
630             case QCRYPTO_CIPHER_MODE_CBC:
631                 drv = &qcrypto_nettle_cast128_driver_cbc;
632                 break;
633             case QCRYPTO_CIPHER_MODE_CTR:
634                 drv = &qcrypto_nettle_cast128_driver_ctr;
635                 break;
636             default:
637                 goto bad_cipher_mode;
638             }
639
640             ctx = g_new0(QCryptoNettleCAST128, 1);
641             ctx->base.driver = drv;
642             cast5_set_key(&ctx->key, nkey, key);
643
644             return &ctx->base;
645         }
646
647     case QCRYPTO_CIPHER_ALG_SERPENT_128:
648     case QCRYPTO_CIPHER_ALG_SERPENT_192:
649     case QCRYPTO_CIPHER_ALG_SERPENT_256:
650         {
651             QCryptoNettleSerpent *ctx = g_new0(QCryptoNettleSerpent, 1);
652
653             switch (mode) {
654             case QCRYPTO_CIPHER_MODE_ECB:
655                 ctx->base.driver = &qcrypto_nettle_serpent_driver_ecb;
656                 break;
657             case QCRYPTO_CIPHER_MODE_CBC:
658                 ctx->base.driver = &qcrypto_nettle_serpent_driver_cbc;
659                 break;
660             case QCRYPTO_CIPHER_MODE_CTR:
661                 ctx->base.driver = &qcrypto_nettle_serpent_driver_ctr;
662                 break;
663             case QCRYPTO_CIPHER_MODE_XTS:
664                 ctx->base.driver = &qcrypto_nettle_serpent_driver_xts;
665                 nkey /= 2;
666                 serpent_set_key(&ctx->key_xts, nkey, key + nkey);
667                 break;
668             default:
669                 g_assert_not_reached();
670             }
671             serpent_set_key(&ctx->key, nkey, key);
672
673             return &ctx->base;
674         }
675
676     case QCRYPTO_CIPHER_ALG_TWOFISH_128:
677     case QCRYPTO_CIPHER_ALG_TWOFISH_192:
678     case QCRYPTO_CIPHER_ALG_TWOFISH_256:
679         {
680             QCryptoNettleTwofish *ctx = g_new0(QCryptoNettleTwofish, 1);
681
682             switch (mode) {
683             case QCRYPTO_CIPHER_MODE_ECB:
684                 ctx->base.driver = &qcrypto_nettle_twofish_driver_ecb;
685                 break;
686             case QCRYPTO_CIPHER_MODE_CBC:
687                 ctx->base.driver = &qcrypto_nettle_twofish_driver_cbc;
688                 break;
689             case QCRYPTO_CIPHER_MODE_CTR:
690                 ctx->base.driver = &qcrypto_nettle_twofish_driver_ctr;
691                 break;
692             case QCRYPTO_CIPHER_MODE_XTS:
693                 ctx->base.driver = &qcrypto_nettle_twofish_driver_xts;
694                 nkey /= 2;
695                 twofish_set_key(&ctx->key_xts, nkey, key + nkey);
696                 break;
697             default:
698                 g_assert_not_reached();
699             }
700             twofish_set_key(&ctx->key, nkey, key);
701
702             return &ctx->base;
703         }
704
705     default:
706         error_setg(errp, "Unsupported cipher algorithm %s",
707                    QCryptoCipherAlgorithm_str(alg));
708         return NULL;
709     }
710
711  bad_cipher_mode:
712     error_setg(errp, "Unsupported cipher mode %s",
713                QCryptoCipherMode_str(mode));
714     return NULL;
715 }