Merge remote-tracking branch 'remotes/dgilbert-gitlab/tags/pull-migration-20210726a...
[qemu/armbru.git] / crypto / cipher-nettle.c.inc
blob24cc61f87bfc4ae7ab8ff523a4105a67bace67a1
1 /*
2  * QEMU Crypto cipher nettle algorithms
3  *
4  * Copyright (c) 2015 Red Hat, Inc.
5  *
6  * This library is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU Lesser General Public
8  * License as published by the Free Software Foundation; either
9  * version 2.1 of the License, or (at your option) any later version.
10  *
11  * This library is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14  * Lesser General Public License for more details.
15  *
16  * You should have received a copy of the GNU Lesser General Public
17  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18  *
19  */
21 #ifdef CONFIG_QEMU_PRIVATE_XTS
22 #include "crypto/xts.h"
23 #endif
25 #include <nettle/nettle-types.h>
26 #include <nettle/aes.h>
27 #include <nettle/des.h>
28 #include <nettle/cbc.h>
29 #include <nettle/cast128.h>
30 #include <nettle/serpent.h>
31 #include <nettle/twofish.h>
32 #include <nettle/ctr.h>
33 #ifndef CONFIG_QEMU_PRIVATE_XTS
34 #include <nettle/xts.h>
35 #endif
37 static inline bool qcrypto_length_check(size_t len, size_t blocksize,
38                                         Error **errp)
40     if (unlikely(len & (blocksize - 1))) {
41         error_setg(errp, "Length %zu must be a multiple of block size %zu",
42                    len, blocksize);
43         return false;
44     }
45     return true;
49 static void qcrypto_cipher_ctx_free(QCryptoCipher *ctx)
51     g_free(ctx);
54 static int qcrypto_cipher_no_setiv(QCryptoCipher *cipher,
55                                    const uint8_t *iv, size_t niv,
56                                    Error **errp)
58     error_setg(errp, "Setting IV is not supported");
59     return -1;
63 #define DEFINE_SETIV(NAME, TYPE, BLEN)                                  \
64 static int NAME##_setiv(QCryptoCipher *cipher, const uint8_t *iv,       \
65                         size_t niv, Error **errp)                       \
66 {                                                                       \
67     TYPE *ctx = container_of(cipher, TYPE, base);                       \
68     if (niv != BLEN) {                                                  \
69         error_setg(errp, "Expected IV size %d not %zu", BLEN, niv);     \
70         return -1;                                                      \
71     }                                                                   \
72     memcpy(ctx->iv, iv, niv);                                           \
73     return 0;                                                           \
77 #define DEFINE_ECB(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)                  \
78 static int NAME##_encrypt_ecb(QCryptoCipher *cipher, const void *in,    \
79                               void *out, size_t len, Error **errp)      \
80 {                                                                       \
81     TYPE *ctx = container_of(cipher, TYPE, base);                       \
82     if (!qcrypto_length_check(len, BLEN, errp)) {                       \
83         return -1;                                                      \
84     }                                                                   \
85     ENCRYPT(&ctx->key, len, out, in);                                   \
86     return 0;                                                           \
87 }                                                                       \
88 static int NAME##_decrypt_ecb(QCryptoCipher *cipher, const void *in,    \
89                               void *out, size_t len, Error **errp)      \
90 {                                                                       \
91     TYPE *ctx = container_of(cipher, TYPE, base);                       \
92     if (!qcrypto_length_check(len, BLEN, errp)) {                       \
93         return -1;                                                      \
94     }                                                                   \
95     DECRYPT(&ctx->key, len, out, in);                                   \
96     return 0;                                                           \
97 }                                                                       \
98 static const struct QCryptoCipherDriver NAME##_driver_ecb = {           \
99     .cipher_encrypt = NAME##_encrypt_ecb,                               \
100     .cipher_decrypt = NAME##_decrypt_ecb,                               \
101     .cipher_setiv = qcrypto_cipher_no_setiv,                            \
102     .cipher_free = qcrypto_cipher_ctx_free,                             \
106 #define DEFINE_CBC(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)                  \
107 static int NAME##_encrypt_cbc(QCryptoCipher *cipher, const void *in,    \
108                               void *out, size_t len, Error **errp)      \
109 {                                                                       \
110     TYPE *ctx = container_of(cipher, TYPE, base);                       \
111     if (!qcrypto_length_check(len, BLEN, errp)) {                       \
112         return -1;                                                      \
113     }                                                                   \
114     cbc_encrypt(&ctx->key, ENCRYPT, BLEN, ctx->iv, len, out, in);       \
115     return 0;                                                           \
116 }                                                                       \
117 static int NAME##_decrypt_cbc(QCryptoCipher *cipher, const void *in,    \
118                               void *out, size_t len, Error **errp)      \
119 {                                                                       \
120     TYPE *ctx = container_of(cipher, TYPE, base);                       \
121     if (!qcrypto_length_check(len, BLEN, errp)) {                       \
122         return -1;                                                      \
123     }                                                                   \
124     cbc_decrypt(&ctx->key, DECRYPT, BLEN, ctx->iv, len, out, in);       \
125     return 0;                                                           \
126 }                                                                       \
127 static const struct QCryptoCipherDriver NAME##_driver_cbc = {           \
128     .cipher_encrypt = NAME##_encrypt_cbc,                               \
129     .cipher_decrypt = NAME##_decrypt_cbc,                               \
130     .cipher_setiv = NAME##_setiv,                                       \
131     .cipher_free = qcrypto_cipher_ctx_free,                             \
135 #define DEFINE_CTR(NAME, TYPE, BLEN, ENCRYPT)                           \
136 static int NAME##_encrypt_ctr(QCryptoCipher *cipher, const void *in,    \
137                               void *out, size_t len, Error **errp)      \
138 {                                                                       \
139     TYPE *ctx = container_of(cipher, TYPE, base);                       \
140     if (!qcrypto_length_check(len, BLEN, errp)) {                       \
141         return -1;                                                      \
142     }                                                                   \
143     ctr_crypt(&ctx->key, ENCRYPT, BLEN, ctx->iv, len, out, in);         \
144     return 0;                                                           \
145 }                                                                       \
146 static const struct QCryptoCipherDriver NAME##_driver_ctr = {           \
147     .cipher_encrypt = NAME##_encrypt_ctr,                               \
148     .cipher_decrypt = NAME##_encrypt_ctr,                               \
149     .cipher_setiv = NAME##_setiv,                                       \
150     .cipher_free = qcrypto_cipher_ctx_free,                             \
154 #ifdef CONFIG_QEMU_PRIVATE_XTS
155 #define DEFINE__XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)                 \
156 static void NAME##_xts_wrape(const void *ctx, size_t length,            \
157                              uint8_t *dst, const uint8_t *src)          \
158 {                                                                       \
159     ENCRYPT((const void *)ctx, length, dst, src);                       \
160 }                                                                       \
161 static void NAME##_xts_wrapd(const void *ctx, size_t length,            \
162                              uint8_t *dst, const uint8_t *src)          \
163 {                                                                       \
164     DECRYPT((const void *)ctx, length, dst, src);                       \
165 }                                                                       \
166 static int NAME##_encrypt_xts(QCryptoCipher *cipher, const void *in,    \
167                               void *out, size_t len, Error **errp)      \
168 {                                                                       \
169     TYPE *ctx = container_of(cipher, TYPE, base);                       \
170     if (!qcrypto_length_check(len, BLEN, errp)) {                       \
171         return -1;                                                      \
172     }                                                                   \
173     xts_encrypt(&ctx->key, &ctx->key_xts,                               \
174                 NAME##_xts_wrape, NAME##_xts_wrapd,                     \
175                 ctx->iv, len, out, in);                                 \
176     return 0;                                                           \
177 }                                                                       \
178 static int NAME##_decrypt_xts(QCryptoCipher *cipher, const void *in,    \
179                               void *out, size_t len, Error **errp)      \
180 {                                                                       \
181     TYPE *ctx = container_of(cipher, TYPE, base);                       \
182     if (!qcrypto_length_check(len, BLEN, errp)) {                       \
183         return -1;                                                      \
184     }                                                                   \
185     xts_decrypt(&ctx->key, &ctx->key_xts,                               \
186                 NAME##_xts_wrape, NAME##_xts_wrapd,                     \
187                 ctx->iv, len, out, in);                                 \
188     return 0;                                                           \
190 #else
191 #define DEFINE__XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)                 \
192 static int NAME##_encrypt_xts(QCryptoCipher *cipher, const void *in,    \
193                               void *out, size_t len, Error **errp)      \
194 {                                                                       \
195     TYPE *ctx = container_of(cipher, TYPE, base);                       \
196     if (!qcrypto_length_check(len, BLEN, errp)) {                       \
197         return -1;                                                      \
198     }                                                                   \
199     xts_encrypt_message(&ctx->key, &ctx->key_xts, ENCRYPT,              \
200                         ctx->iv, len, out, in);                         \
201     return 0;                                                           \
202 }                                                                       \
203 static int NAME##_decrypt_xts(QCryptoCipher *cipher, const void *in,    \
204                               void *out, size_t len, Error **errp)      \
205 {                                                                       \
206     TYPE *ctx = container_of(cipher, TYPE, base);                       \
207     if (!qcrypto_length_check(len, BLEN, errp)) {                       \
208         return -1;                                                      \
209     }                                                                   \
210     xts_decrypt_message(&ctx->key, &ctx->key_xts, DECRYPT, ENCRYPT,     \
211                         ctx->iv, len, out, in);                         \
212     return 0;                                                           \
214 #endif
216 #define DEFINE_XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)          \
217     QEMU_BUILD_BUG_ON(BLEN != XTS_BLOCK_SIZE);                  \
218     DEFINE__XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)             \
219 static const struct QCryptoCipherDriver NAME##_driver_xts = {   \
220     .cipher_encrypt = NAME##_encrypt_xts,                       \
221     .cipher_decrypt = NAME##_decrypt_xts,                       \
222     .cipher_setiv = NAME##_setiv,                               \
223     .cipher_free = qcrypto_cipher_ctx_free,                     \
227 #define DEFINE_ECB_CBC_CTR(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)  \
228     DEFINE_SETIV(NAME, TYPE, BLEN)                              \
229     DEFINE_ECB(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)              \
230     DEFINE_CBC(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)              \
231     DEFINE_CTR(NAME, TYPE, BLEN, ENCRYPT)
233 #define DEFINE_ECB_CBC_CTR_XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)      \
234     DEFINE_ECB_CBC_CTR(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)              \
235     DEFINE_XTS(NAME, TYPE, BLEN, ENCRYPT, DECRYPT)
238 typedef struct QCryptoNettleDES {
239     QCryptoCipher base;
240     struct des_ctx key;
241     uint8_t iv[DES_BLOCK_SIZE];
242 } QCryptoNettleDES;
244 static void des_encrypt_native(const void *ctx, size_t length,
245                                uint8_t *dst, const uint8_t *src)
247     des_encrypt(ctx, length, dst, src);
250 static void des_decrypt_native(const void *ctx, size_t length,
251                                uint8_t *dst, const uint8_t *src)
253     des_decrypt(ctx, length, dst, src);
256 DEFINE_ECB_CBC_CTR(qcrypto_nettle_des, QCryptoNettleDES,
257                    DES_BLOCK_SIZE, des_encrypt_native, des_decrypt_native)
260 typedef struct QCryptoNettleDES3 {
261     QCryptoCipher base;
262     struct des3_ctx key;
263     uint8_t iv[DES3_BLOCK_SIZE];
264 } QCryptoNettleDES3;
266 static void des3_encrypt_native(const void *ctx, size_t length,
267                                 uint8_t *dst, const uint8_t *src)
269     des3_encrypt(ctx, length, dst, src);
272 static void des3_decrypt_native(const void *ctx, size_t length,
273                                 uint8_t *dst, const uint8_t *src)
275     des3_decrypt(ctx, length, dst, src);
278 DEFINE_ECB_CBC_CTR(qcrypto_nettle_des3, QCryptoNettleDES3, DES3_BLOCK_SIZE,
279                    des3_encrypt_native, des3_decrypt_native)
282 typedef struct QCryptoNettleAES128 {
283     QCryptoCipher base;
284     uint8_t iv[AES_BLOCK_SIZE];
285     /* First key from pair is encode, second key is decode. */
286     struct aes128_ctx key[2], key_xts[2];
287 } QCryptoNettleAES128;
289 static void aes128_encrypt_native(const void *ctx, size_t length,
290                                   uint8_t *dst, const uint8_t *src)
292     const struct aes128_ctx *keys = ctx;
293     aes128_encrypt(&keys[0], length, dst, src);
296 static void aes128_decrypt_native(const void *ctx, size_t length,
297                                   uint8_t *dst, const uint8_t *src)
299     const struct aes128_ctx *keys = ctx;
300     aes128_decrypt(&keys[1], length, dst, src);
303 DEFINE_ECB_CBC_CTR_XTS(qcrypto_nettle_aes128,
304                        QCryptoNettleAES128, AES_BLOCK_SIZE,
305                        aes128_encrypt_native, aes128_decrypt_native)
308 typedef struct QCryptoNettleAES192 {
309     QCryptoCipher base;
310     uint8_t iv[AES_BLOCK_SIZE];
311     /* First key from pair is encode, second key is decode. */
312     struct aes192_ctx key[2], key_xts[2];
313 } QCryptoNettleAES192;
315 static void aes192_encrypt_native(const void *ctx, size_t length,
316                                   uint8_t *dst, const uint8_t *src)
318     const struct aes192_ctx *keys = ctx;
319     aes192_encrypt(&keys[0], length, dst, src);
322 static void aes192_decrypt_native(const void *ctx, size_t length,
323                                   uint8_t *dst, const uint8_t *src)
325     const struct aes192_ctx *keys = ctx;
326     aes192_decrypt(&keys[1], length, dst, src);
329 DEFINE_ECB_CBC_CTR_XTS(qcrypto_nettle_aes192,
330                        QCryptoNettleAES192, AES_BLOCK_SIZE,
331                        aes192_encrypt_native, aes192_decrypt_native)
334 typedef struct QCryptoNettleAES256 {
335     QCryptoCipher base;
336     uint8_t iv[AES_BLOCK_SIZE];
337     /* First key from pair is encode, second key is decode. */
338     struct aes256_ctx key[2], key_xts[2];
339 } QCryptoNettleAES256;
341 static void aes256_encrypt_native(const void *ctx, size_t length,
342                                   uint8_t *dst, const uint8_t *src)
344     const struct aes256_ctx *keys = ctx;
345     aes256_encrypt(&keys[0], length, dst, src);
348 static void aes256_decrypt_native(const void *ctx, size_t length,
349                                   uint8_t *dst, const uint8_t *src)
351     const struct aes256_ctx *keys = ctx;
352     aes256_decrypt(&keys[1], length, dst, src);
355 DEFINE_ECB_CBC_CTR_XTS(qcrypto_nettle_aes256,
356                        QCryptoNettleAES256, AES_BLOCK_SIZE,
357                        aes256_encrypt_native, aes256_decrypt_native)
360 typedef struct QCryptoNettleCAST128 {
361     QCryptoCipher base;
362     uint8_t iv[CAST128_BLOCK_SIZE];
363     struct cast128_ctx key, key_xts;
364 } QCryptoNettleCAST128;
366 static void cast128_encrypt_native(const void *ctx, size_t length,
367                                    uint8_t *dst, const uint8_t *src)
369     cast128_encrypt(ctx, length, dst, src);
372 static void cast128_decrypt_native(const void *ctx, size_t length,
373                                    uint8_t *dst, const uint8_t *src)
375     cast128_decrypt(ctx, length, dst, src);
378 DEFINE_ECB_CBC_CTR(qcrypto_nettle_cast128,
379                    QCryptoNettleCAST128, CAST128_BLOCK_SIZE,
380                    cast128_encrypt_native, cast128_decrypt_native)
383 typedef struct QCryptoNettleSerpent {
384     QCryptoCipher base;
385     uint8_t iv[SERPENT_BLOCK_SIZE];
386     struct serpent_ctx key, key_xts;
387 } QCryptoNettleSerpent;
390 static void serpent_encrypt_native(const void *ctx, size_t length,
391                                    uint8_t *dst, const uint8_t *src)
393     serpent_encrypt(ctx, length, dst, src);
396 static void serpent_decrypt_native(const void *ctx, size_t length,
397                                    uint8_t *dst, const uint8_t *src)
399     serpent_decrypt(ctx, length, dst, src);
402 DEFINE_ECB_CBC_CTR_XTS(qcrypto_nettle_serpent,
403                        QCryptoNettleSerpent, SERPENT_BLOCK_SIZE,
404                        serpent_encrypt_native, serpent_decrypt_native)
407 typedef struct QCryptoNettleTwofish {
408     QCryptoCipher base;
409     uint8_t iv[TWOFISH_BLOCK_SIZE];
410     struct twofish_ctx key, key_xts;
411 } QCryptoNettleTwofish;
413 static void twofish_encrypt_native(const void *ctx, size_t length,
414                                    uint8_t *dst, const uint8_t *src)
416     twofish_encrypt(ctx, length, dst, src);
419 static void twofish_decrypt_native(const void *ctx, size_t length,
420                                    uint8_t *dst, const uint8_t *src)
422     twofish_decrypt(ctx, length, dst, src);
425 DEFINE_ECB_CBC_CTR_XTS(qcrypto_nettle_twofish,
426                        QCryptoNettleTwofish, TWOFISH_BLOCK_SIZE,
427                        twofish_encrypt_native, twofish_decrypt_native)
430 bool qcrypto_cipher_supports(QCryptoCipherAlgorithm alg,
431                              QCryptoCipherMode mode)
433     switch (alg) {
434     case QCRYPTO_CIPHER_ALG_DES:
435     case QCRYPTO_CIPHER_ALG_3DES:
436     case QCRYPTO_CIPHER_ALG_AES_128:
437     case QCRYPTO_CIPHER_ALG_AES_192:
438     case QCRYPTO_CIPHER_ALG_AES_256:
439     case QCRYPTO_CIPHER_ALG_CAST5_128:
440     case QCRYPTO_CIPHER_ALG_SERPENT_128:
441     case QCRYPTO_CIPHER_ALG_SERPENT_192:
442     case QCRYPTO_CIPHER_ALG_SERPENT_256:
443     case QCRYPTO_CIPHER_ALG_TWOFISH_128:
444     case QCRYPTO_CIPHER_ALG_TWOFISH_192:
445     case QCRYPTO_CIPHER_ALG_TWOFISH_256:
446         break;
447     default:
448         return false;
449     }
451     switch (mode) {
452     case QCRYPTO_CIPHER_MODE_ECB:
453     case QCRYPTO_CIPHER_MODE_CBC:
454     case QCRYPTO_CIPHER_MODE_XTS:
455     case QCRYPTO_CIPHER_MODE_CTR:
456         return true;
457     default:
458         return false;
459     }
462 static QCryptoCipher *qcrypto_cipher_ctx_new(QCryptoCipherAlgorithm alg,
463                                              QCryptoCipherMode mode,
464                                              const uint8_t *key,
465                                              size_t nkey,
466                                              Error **errp)
468     switch (mode) {
469     case QCRYPTO_CIPHER_MODE_ECB:
470     case QCRYPTO_CIPHER_MODE_CBC:
471     case QCRYPTO_CIPHER_MODE_XTS:
472     case QCRYPTO_CIPHER_MODE_CTR:
473         break;
474     default:
475         goto bad_cipher_mode;
476     }
478     if (!qcrypto_cipher_validate_key_length(alg, mode, nkey, errp)) {
479         return NULL;
480     }
482     switch (alg) {
483     case QCRYPTO_CIPHER_ALG_DES:
484         {
485             QCryptoNettleDES *ctx;
486             const QCryptoCipherDriver *drv;
488             switch (mode) {
489             case QCRYPTO_CIPHER_MODE_ECB:
490                 drv = &qcrypto_nettle_des_driver_ecb;
491                 break;
492             case QCRYPTO_CIPHER_MODE_CBC:
493                 drv = &qcrypto_nettle_des_driver_cbc;
494                 break;
495             case QCRYPTO_CIPHER_MODE_CTR:
496                 drv = &qcrypto_nettle_des_driver_ctr;
497                 break;
498             default:
499                 goto bad_cipher_mode;
500             }
502             ctx = g_new0(QCryptoNettleDES, 1);
503             ctx->base.driver = drv;
504             des_set_key(&ctx->key, key);
506             return &ctx->base;
507         }
509     case QCRYPTO_CIPHER_ALG_3DES:
510         {
511             QCryptoNettleDES3 *ctx;
512             const QCryptoCipherDriver *drv;
514             switch (mode) {
515             case QCRYPTO_CIPHER_MODE_ECB:
516                 drv = &qcrypto_nettle_des3_driver_ecb;
517                 break;
518             case QCRYPTO_CIPHER_MODE_CBC:
519                 drv = &qcrypto_nettle_des3_driver_cbc;
520                 break;
521             case QCRYPTO_CIPHER_MODE_CTR:
522                 drv = &qcrypto_nettle_des3_driver_ctr;
523                 break;
524             default:
525                 goto bad_cipher_mode;
526             }
528             ctx = g_new0(QCryptoNettleDES3, 1);
529             ctx->base.driver = drv;
530             des3_set_key(&ctx->key, key);
531             return &ctx->base;
532         }
534     case QCRYPTO_CIPHER_ALG_AES_128:
535         {
536             QCryptoNettleAES128 *ctx = g_new0(QCryptoNettleAES128, 1);
538             switch (mode) {
539             case QCRYPTO_CIPHER_MODE_ECB:
540                 ctx->base.driver = &qcrypto_nettle_aes128_driver_ecb;
541                 break;
542             case QCRYPTO_CIPHER_MODE_CBC:
543                 ctx->base.driver = &qcrypto_nettle_aes128_driver_cbc;
544                 break;
545             case QCRYPTO_CIPHER_MODE_CTR:
546                 ctx->base.driver = &qcrypto_nettle_aes128_driver_ctr;
547                 break;
548             case QCRYPTO_CIPHER_MODE_XTS:
549                 ctx->base.driver = &qcrypto_nettle_aes128_driver_xts;
550                 nkey /= 2;
551                 aes128_set_encrypt_key(&ctx->key_xts[0], key + nkey);
552                 aes128_set_decrypt_key(&ctx->key_xts[1], key + nkey);
553                 break;
554             default:
555                 g_assert_not_reached();
556             }
557             aes128_set_encrypt_key(&ctx->key[0], key);
558             aes128_set_decrypt_key(&ctx->key[1], key);
560             return &ctx->base;
561         }
563     case QCRYPTO_CIPHER_ALG_AES_192:
564         {
565             QCryptoNettleAES192 *ctx = g_new0(QCryptoNettleAES192, 1);
567             switch (mode) {
568             case QCRYPTO_CIPHER_MODE_ECB:
569                 ctx->base.driver = &qcrypto_nettle_aes192_driver_ecb;
570                 break;
571             case QCRYPTO_CIPHER_MODE_CBC:
572                 ctx->base.driver = &qcrypto_nettle_aes192_driver_cbc;
573                 break;
574             case QCRYPTO_CIPHER_MODE_CTR:
575                 ctx->base.driver = &qcrypto_nettle_aes192_driver_ctr;
576                 break;
577             case QCRYPTO_CIPHER_MODE_XTS:
578                 ctx->base.driver = &qcrypto_nettle_aes192_driver_xts;
579                 nkey /= 2;
580                 aes192_set_encrypt_key(&ctx->key_xts[0], key + nkey);
581                 aes192_set_decrypt_key(&ctx->key_xts[1], key + nkey);
582                 break;
583             default:
584                 g_assert_not_reached();
585             }
586             aes192_set_encrypt_key(&ctx->key[0], key);
587             aes192_set_decrypt_key(&ctx->key[1], key);
589             return &ctx->base;
590         }
592     case QCRYPTO_CIPHER_ALG_AES_256:
593         {
594             QCryptoNettleAES256 *ctx = g_new0(QCryptoNettleAES256, 1);
596             switch (mode) {
597             case QCRYPTO_CIPHER_MODE_ECB:
598                 ctx->base.driver = &qcrypto_nettle_aes256_driver_ecb;
599                 break;
600             case QCRYPTO_CIPHER_MODE_CBC:
601                 ctx->base.driver = &qcrypto_nettle_aes256_driver_cbc;
602                 break;
603             case QCRYPTO_CIPHER_MODE_CTR:
604                 ctx->base.driver = &qcrypto_nettle_aes256_driver_ctr;
605                 break;
606             case QCRYPTO_CIPHER_MODE_XTS:
607                 ctx->base.driver = &qcrypto_nettle_aes256_driver_xts;
608                 nkey /= 2;
609                 aes256_set_encrypt_key(&ctx->key_xts[0], key + nkey);
610                 aes256_set_decrypt_key(&ctx->key_xts[1], key + nkey);
611                 break;
612             default:
613                 g_assert_not_reached();
614             }
615             aes256_set_encrypt_key(&ctx->key[0], key);
616             aes256_set_decrypt_key(&ctx->key[1], key);
618             return &ctx->base;
619         }
621     case QCRYPTO_CIPHER_ALG_CAST5_128:
622         {
623             QCryptoNettleCAST128 *ctx;
624             const QCryptoCipherDriver *drv;
626             switch (mode) {
627             case QCRYPTO_CIPHER_MODE_ECB:
628                 drv = &qcrypto_nettle_cast128_driver_ecb;
629                 break;
630             case QCRYPTO_CIPHER_MODE_CBC:
631                 drv = &qcrypto_nettle_cast128_driver_cbc;
632                 break;
633             case QCRYPTO_CIPHER_MODE_CTR:
634                 drv = &qcrypto_nettle_cast128_driver_ctr;
635                 break;
636             default:
637                 goto bad_cipher_mode;
638             }
640             ctx = g_new0(QCryptoNettleCAST128, 1);
641             ctx->base.driver = drv;
642             cast5_set_key(&ctx->key, nkey, key);
644             return &ctx->base;
645         }
647     case QCRYPTO_CIPHER_ALG_SERPENT_128:
648     case QCRYPTO_CIPHER_ALG_SERPENT_192:
649     case QCRYPTO_CIPHER_ALG_SERPENT_256:
650         {
651             QCryptoNettleSerpent *ctx = g_new0(QCryptoNettleSerpent, 1);
653             switch (mode) {
654             case QCRYPTO_CIPHER_MODE_ECB:
655                 ctx->base.driver = &qcrypto_nettle_serpent_driver_ecb;
656                 break;
657             case QCRYPTO_CIPHER_MODE_CBC:
658                 ctx->base.driver = &qcrypto_nettle_serpent_driver_cbc;
659                 break;
660             case QCRYPTO_CIPHER_MODE_CTR:
661                 ctx->base.driver = &qcrypto_nettle_serpent_driver_ctr;
662                 break;
663             case QCRYPTO_CIPHER_MODE_XTS:
664                 ctx->base.driver = &qcrypto_nettle_serpent_driver_xts;
665                 nkey /= 2;
666                 serpent_set_key(&ctx->key_xts, nkey, key + nkey);
667                 break;
668             default:
669                 g_assert_not_reached();
670             }
671             serpent_set_key(&ctx->key, nkey, key);
673             return &ctx->base;
674         }
676     case QCRYPTO_CIPHER_ALG_TWOFISH_128:
677     case QCRYPTO_CIPHER_ALG_TWOFISH_192:
678     case QCRYPTO_CIPHER_ALG_TWOFISH_256:
679         {
680             QCryptoNettleTwofish *ctx = g_new0(QCryptoNettleTwofish, 1);
682             switch (mode) {
683             case QCRYPTO_CIPHER_MODE_ECB:
684                 ctx->base.driver = &qcrypto_nettle_twofish_driver_ecb;
685                 break;
686             case QCRYPTO_CIPHER_MODE_CBC:
687                 ctx->base.driver = &qcrypto_nettle_twofish_driver_cbc;
688                 break;
689             case QCRYPTO_CIPHER_MODE_CTR:
690                 ctx->base.driver = &qcrypto_nettle_twofish_driver_ctr;
691                 break;
692             case QCRYPTO_CIPHER_MODE_XTS:
693                 ctx->base.driver = &qcrypto_nettle_twofish_driver_xts;
694                 nkey /= 2;
695                 twofish_set_key(&ctx->key_xts, nkey, key + nkey);
696                 break;
697             default:
698                 g_assert_not_reached();
699             }
700             twofish_set_key(&ctx->key, nkey, key);
702             return &ctx->base;
703         }
705     default:
706         error_setg(errp, "Unsupported cipher algorithm %s",
707                    QCryptoCipherAlgorithm_str(alg));
708         return NULL;
709     }
711  bad_cipher_mode:
712     error_setg(errp, "Unsupported cipher mode %s",
713                QCryptoCipherMode_str(mode));
714     return NULL;