From: "Daniel P. Berrange" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: Kevin Wolf <kwolf@redhat.com>, Gonglei <arei.gonglei@huawei.com>,
Gerd Hoffmann <kraxel@redhat.com>,
Paolo Bonzini <pbonzini@redhat.com>,
Richard Henderson <rth@twiddle.net>
Subject: [Qemu-devel] [PATCH v3 06/10] crypto: add a nettle cipher implementation
Date: Thu, 18 Jun 2015 18:02:20 +0100 [thread overview]
Message-ID: <1434646944-24040-7-git-send-email-berrange@redhat.com> (raw)
In-Reply-To: <1434646944-24040-1-git-send-email-berrange@redhat.com>
If we are linking to gnutls already and gnutls is built against
nettle, then we should use nettle as a cipher backend in
preference to our built-in backend.
This will be used when linking against some GNUTLS 2.x versions
and all GNUTLS 3.x versions.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
configure | 35 ++++++++-
crypto/cipher-nettle.c | 206 +++++++++++++++++++++++++++++++++++++++++++++++++
crypto/cipher.c | 2 +
3 files changed, 240 insertions(+), 3 deletions(-)
create mode 100644 crypto/cipher-nettle.c
diff --git a/configure b/configure
index 28f4172..6749a85 100755
--- a/configure
+++ b/configure
@@ -2170,6 +2170,7 @@ fi
# GNUTLS probe
gnutls_gcrypt=no
+gnutls_nettle=no
if test "$gnutls" != "no"; then
if $pkg_config --exists "gnutls"; then
gnutls_cflags=`$pkg_config --cflags gnutls`
@@ -2188,14 +2189,25 @@ if test "$gnutls" != "no"; then
if $pkg_config --exists 'gnutls >= 3.0'; then
gnutls_gcrypt=no
+ gnutls_nettle=yes
elif $pkg_config --exists 'gnutls >= 2.12'; then
case `$pkg_config --libs --static gnutls` in
- *gcrypt*) gnutls_gcrypt=yes ;;
- *nettle*) gnutls_gcrypt=no ;;
- *) gnutls_gcrypt=yes ;;
+ *gcrypt*)
+ gnutls_gcrypt=yes
+ gnutls_nettle=no
+ ;;
+ *nettle*)
+ gnutls_gcrypt=no
+ gnutls_nettle=yes
+ ;;
+ *)
+ gnutls_gcrypt=yes
+ gnutls_nettle=no
+ ;;
esac
else
gnutls_gcrypt=yes
+ gnutls_nettle=no
fi
elif test "$gnutls" = "yes"; then
feature_not_found "gnutls" "Install gnutls devel"
@@ -2220,6 +2232,19 @@ if test "$gnutls_gcrypt" != "no"; then
fi
+if test "$gnutls_nettle" != "no"; then
+ if $pkg_config --exists "nettle"; then
+ nettle_cflags=`$pkg_config --cflags nettle`
+ nettle_libs=`$pkg_config --libs nettle`
+ libs_softmmu="$nettle_libs $libs_softmmu"
+ libs_tools="$nettle_libs $libs_tools"
+ QEMU_CFLAGS="$QEMU_CFLAGS $nettle_cflags"
+ else
+ feature_not_found "nettle" "Install nettle devel"
+ fi
+fi
+
+
##########################################
# VTE probe
@@ -4482,6 +4507,7 @@ echo "GTK support $gtk"
echo "GNUTLS support $gnutls"
echo "GNUTLS hash $gnutls_hash"
echo "GNUTLS gcrypt $gnutls_gcrypt"
+echo "GNUTLS nettle $gnutls_nettle"
echo "VTE support $vte"
echo "curses support $curses"
echo "curl support $curl"
@@ -4840,6 +4866,9 @@ fi
if test "$gnutls_gcrypt" = "yes" ; then
echo "CONFIG_GNUTLS_GCRYPT=y" >> $config_host_mak
fi
+if test "$gnutls_nettle" = "yes" ; then
+ echo "CONFIG_GNUTLS_NETTLE=y" >> $config_host_mak
+fi
if test "$vte" = "yes" ; then
echo "CONFIG_VTE=y" >> $config_host_mak
echo "VTE_CFLAGS=$vte_cflags" >> $config_host_mak
diff --git a/crypto/cipher-nettle.c b/crypto/cipher-nettle.c
new file mode 100644
index 0000000..e5a14bc
--- /dev/null
+++ b/crypto/cipher-nettle.c
@@ -0,0 +1,206 @@
+/*
+ * QEMU Crypto cipher nettle algorithms
+ *
+ * Copyright (c) 2015 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include <nettle/nettle-types.h>
+#include <nettle/aes.h>
+#include <nettle/des.h>
+#include <nettle/cbc.h>
+
+typedef struct QCryptoCipherNettle QCryptoCipherNettle;
+struct QCryptoCipherNettle {
+ void *ctx_encrypt;
+ void *ctx_decrypt;
+ nettle_crypt_func *alg_encrypt;
+ nettle_crypt_func *alg_decrypt;
+ uint8_t *iv;
+ size_t niv;
+};
+
+bool qcrypto_cipher_supports(QCryptoCipherAlgorithm alg)
+{
+ switch (alg) {
+ case QCRYPTO_CIPHER_ALG_DES_RFB:
+ case QCRYPTO_CIPHER_ALG_AES_128:
+ case QCRYPTO_CIPHER_ALG_AES_192:
+ case QCRYPTO_CIPHER_ALG_AES_256:
+ return true;
+ default:
+ return false;
+ }
+}
+
+
+QCryptoCipher *qcrypto_cipher_new(QCryptoCipherAlgorithm alg,
+ QCryptoCipherMode mode,
+ const uint8_t *key, size_t nkey,
+ Error **errp)
+{
+ QCryptoCipher *cipher;
+ QCryptoCipherNettle *ctx;
+ uint8_t *rfbkey;
+
+ switch (mode) {
+ case QCRYPTO_CIPHER_MODE_ECB:
+ case QCRYPTO_CIPHER_MODE_CBC:
+ break;
+ default:
+ error_setg(errp, "Unsupported cipher mode %d", mode);
+ return NULL;
+ }
+
+ if (!qcrypto_cipher_validate_key_length(alg, nkey, errp)) {
+ return NULL;
+ }
+
+ cipher = g_new0(QCryptoCipher, 1);
+ cipher->alg = alg;
+ cipher->mode = mode;
+
+ ctx = g_new0(QCryptoCipherNettle, 1);
+
+ switch (alg) {
+ case QCRYPTO_CIPHER_ALG_DES_RFB:
+ ctx->ctx_encrypt = g_new0(struct des_ctx, 1);
+ ctx->ctx_decrypt = NULL; /* 1 ctx can do both */
+ rfbkey = qcrypto_cipher_munge_des_rfb_key(key, nkey);
+ des_set_key(ctx->ctx_encrypt, rfbkey);
+ g_free(rfbkey);
+
+ ctx->alg_encrypt = (nettle_crypt_func *)des_encrypt;
+ ctx->alg_decrypt = (nettle_crypt_func *)des_decrypt;
+
+ ctx->niv = DES_BLOCK_SIZE;
+ break;
+
+ case QCRYPTO_CIPHER_ALG_AES_128:
+ case QCRYPTO_CIPHER_ALG_AES_192:
+ case QCRYPTO_CIPHER_ALG_AES_256:
+ ctx->ctx_encrypt = g_new0(struct aes_ctx, 1);
+ ctx->ctx_decrypt = g_new0(struct aes_ctx, 1);
+
+ aes_set_encrypt_key(ctx->ctx_encrypt, nkey, key);
+ aes_set_decrypt_key(ctx->ctx_decrypt, nkey, key);
+
+ ctx->alg_encrypt = (nettle_crypt_func *)aes_encrypt;
+ ctx->alg_decrypt = (nettle_crypt_func *)aes_decrypt;
+
+ ctx->niv = AES_BLOCK_SIZE;
+ break;
+ default:
+ error_setg(errp, "Unsupported cipher algorithm %d", alg);
+ goto error;
+ }
+
+ ctx->iv = g_new0(uint8_t, ctx->niv);
+ cipher->opaque = ctx;
+
+ return cipher;
+
+ error:
+ g_free(cipher);
+ g_free(ctx);
+ return NULL;
+}
+
+
+void qcrypto_cipher_free(QCryptoCipher *cipher)
+{
+ QCryptoCipherNettle *ctx;
+
+ if (!cipher) {
+ return;
+ }
+
+ ctx = cipher->opaque;
+ g_free(ctx->iv);
+ g_free(ctx->ctx_encrypt);
+ g_free(ctx->ctx_decrypt);
+ g_free(ctx);
+ g_free(cipher);
+}
+
+
+int qcrypto_cipher_encrypt(QCryptoCipher *cipher,
+ const void *in,
+ void *out,
+ size_t len,
+ Error **errp)
+{
+ QCryptoCipherNettle *ctx = cipher->opaque;
+
+ switch (cipher->mode) {
+ case QCRYPTO_CIPHER_MODE_ECB:
+ ctx->alg_encrypt(ctx->ctx_encrypt, len, out, in);
+ break;
+
+ case QCRYPTO_CIPHER_MODE_CBC:
+ cbc_encrypt(ctx->ctx_encrypt, ctx->alg_encrypt,
+ ctx->niv, ctx->iv,
+ len, out, in);
+ break;
+ default:
+ error_setg(errp, "Unsupported cipher algorithm %d",
+ cipher->alg);
+ return -1;
+ }
+ return 0;
+}
+
+
+int qcrypto_cipher_decrypt(QCryptoCipher *cipher,
+ const void *in,
+ void *out,
+ size_t len,
+ Error **errp)
+{
+ QCryptoCipherNettle *ctx = cipher->opaque;
+
+ switch (cipher->mode) {
+ case QCRYPTO_CIPHER_MODE_ECB:
+ ctx->alg_decrypt(ctx->ctx_decrypt ? ctx->ctx_decrypt : ctx->ctx_encrypt,
+ len, out, in);
+ break;
+
+ case QCRYPTO_CIPHER_MODE_CBC:
+ cbc_decrypt(ctx->ctx_decrypt ? ctx->ctx_decrypt : ctx->ctx_encrypt,
+ ctx->alg_decrypt, ctx->niv, ctx->iv,
+ len, out, in);
+ break;
+ default:
+ error_setg(errp, "Unsupported cipher algorithm %d",
+ cipher->alg);
+ return -1;
+ }
+ return 0;
+}
+
+int qcrypto_cipher_setiv(QCryptoCipher *cipher,
+ const uint8_t *iv, size_t niv,
+ Error **errp)
+{
+ QCryptoCipherNettle *ctx = cipher->opaque;
+ if (niv != ctx->niv) {
+ error_setg(errp, "Expected IV size %zu not %zu",
+ ctx->niv, niv);
+ return -1;
+ }
+ memcpy(ctx->iv, iv, niv);
+ return 0;
+}
diff --git a/crypto/cipher.c b/crypto/cipher.c
index 02bcda3..6327aa3 100644
--- a/crypto/cipher.c
+++ b/crypto/cipher.c
@@ -22,6 +22,8 @@
#ifdef CONFIG_GNUTLS_GCRYPT
#include "crypto/cipher-gcrypt.c"
+#elif CONFIG_GNUTLS_NETTLE
+#include "crypto/cipher-nettle.c"
#else
#include "crypto/cipher-builtin.c"
#endif
--
2.4.2
next prev parent reply other threads:[~2015-06-18 17:03 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-06-18 17:02 [Qemu-devel] [PATCH v3 00/10] Consolidate crypto APIs & implementations Daniel P. Berrange
2015-06-18 17:02 ` [Qemu-devel] [PATCH v3 01/10] crypto: introduce new module for computing hash digests Daniel P. Berrange
2015-06-23 2:11 ` Gonglei
2015-06-18 17:02 ` [Qemu-devel] [PATCH v3 02/10] crypto: move built-in AES implementation into crypto/ Daniel P. Berrange
2015-06-23 2:11 ` Gonglei
2015-06-18 17:02 ` [Qemu-devel] [PATCH v3 03/10] crypto: move built-in D3DES " Daniel P. Berrange
2015-06-23 2:12 ` Gonglei
2015-06-18 17:02 ` [Qemu-devel] [PATCH v3 04/10] crypto: introduce generic cipher API & built-in implementation Daniel P. Berrange
2015-06-23 2:15 ` Gonglei
2015-06-18 17:02 ` [Qemu-devel] [PATCH v3 05/10] crypto: add a gcrypt cipher implementation Daniel P. Berrange
2015-06-18 17:02 ` Daniel P. Berrange [this message]
2015-06-23 2:17 ` [Qemu-devel] [PATCH v3 06/10] crypto: add a nettle " Gonglei
2015-06-18 17:02 ` [Qemu-devel] [PATCH v3 07/10] block: convert quorum blockdrv to use crypto APIs Daniel P. Berrange
2015-06-23 2:17 ` Gonglei
2015-06-18 17:02 ` [Qemu-devel] [PATCH v3 08/10] ui: convert VNC websockets " Daniel P. Berrange
2015-06-23 2:18 ` Gonglei
2015-06-18 17:02 ` [Qemu-devel] [PATCH v3 09/10] block: convert qcow/qcow2 to use generic cipher API Daniel P. Berrange
2015-06-23 2:18 ` Gonglei
2015-06-18 17:02 ` [Qemu-devel] [PATCH v3 10/10] ui: convert VNC " Daniel P. Berrange
2015-06-23 2:26 ` Gonglei
2015-06-23 8:48 ` Daniel P. Berrange
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1434646944-24040-7-git-send-email-berrange@redhat.com \
--to=berrange@redhat.com \
--cc=arei.gonglei@huawei.com \
--cc=kraxel@redhat.com \
--cc=kwolf@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=rth@twiddle.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.