From: "Daniel P. Berrangé" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Eric Blake" <eblake@redhat.com>,
"Daniel P. Berrangé" <berrange@redhat.com>,
"Gerd Hoffmann" <kraxel@redhat.com>,
"Markus Armbruster" <armbru@redhat.com>
Subject: [PATCH 07/18] crypto: drop custom XTS support in gcrypt driver
Date: Tue, 6 Jul 2021 10:59:13 +0100 [thread overview]
Message-ID: <20210706095924.764117-8-berrange@redhat.com> (raw)
In-Reply-To: <20210706095924.764117-1-berrange@redhat.com>
The XTS cipher mode was introduced in gcrypt 1.8.0, which
matches QEMU's current minimum version.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
crypto/cipher-gcrypt.c.inc | 127 -------------------------------------
meson.build | 14 +---
2 files changed, 1 insertion(+), 140 deletions(-)
diff --git a/crypto/cipher-gcrypt.c.inc b/crypto/cipher-gcrypt.c.inc
index 42d4137534..3aab08a1a9 100644
--- a/crypto/cipher-gcrypt.c.inc
+++ b/crypto/cipher-gcrypt.c.inc
@@ -18,10 +18,6 @@
*
*/
-#ifdef CONFIG_QEMU_PRIVATE_XTS
-#include "crypto/xts.h"
-#endif
-
#include <gcrypt.h>
bool qcrypto_cipher_supports(QCryptoCipherAlgorithm alg,
@@ -59,10 +55,6 @@ typedef struct QCryptoCipherGcrypt {
QCryptoCipher base;
gcry_cipher_hd_t handle;
size_t blocksize;
-#ifdef CONFIG_QEMU_PRIVATE_XTS
- gcry_cipher_hd_t tweakhandle;
- uint8_t iv[XTS_BLOCK_SIZE];
-#endif
} QCryptoCipherGcrypt;
@@ -178,90 +170,6 @@ static const struct QCryptoCipherDriver qcrypto_gcrypt_ctr_driver = {
.cipher_free = qcrypto_gcrypt_ctx_free,
};
-#ifdef CONFIG_QEMU_PRIVATE_XTS
-static void qcrypto_gcrypt_xts_ctx_free(QCryptoCipher *cipher)
-{
- QCryptoCipherGcrypt *ctx = container_of(cipher, QCryptoCipherGcrypt, base);
-
- gcry_cipher_close(ctx->tweakhandle);
- qcrypto_gcrypt_ctx_free(cipher);
-}
-
-static void qcrypto_gcrypt_xts_wrape(const void *ctx, size_t length,
- uint8_t *dst, const uint8_t *src)
-{
- gcry_error_t err;
- err = gcry_cipher_encrypt((gcry_cipher_hd_t)ctx, dst, length, src, length);
- g_assert(err == 0);
-}
-
-static void qcrypto_gcrypt_xts_wrapd(const void *ctx, size_t length,
- uint8_t *dst, const uint8_t *src)
-{
- gcry_error_t err;
- err = gcry_cipher_decrypt((gcry_cipher_hd_t)ctx, dst, length, src, length);
- g_assert(err == 0);
-}
-
-static int qcrypto_gcrypt_xts_encrypt(QCryptoCipher *cipher, const void *in,
- void *out, size_t len, Error **errp)
-{
- QCryptoCipherGcrypt *ctx = container_of(cipher, QCryptoCipherGcrypt, base);
-
- if (len & (ctx->blocksize - 1)) {
- error_setg(errp, "Length %zu must be a multiple of block size %zu",
- len, ctx->blocksize);
- return -1;
- }
-
- xts_encrypt(ctx->handle, ctx->tweakhandle,
- qcrypto_gcrypt_xts_wrape, qcrypto_gcrypt_xts_wrapd,
- ctx->iv, len, out, in);
- return 0;
-}
-
-static int qcrypto_gcrypt_xts_decrypt(QCryptoCipher *cipher, const void *in,
- void *out, size_t len, Error **errp)
-{
- QCryptoCipherGcrypt *ctx = container_of(cipher, QCryptoCipherGcrypt, base);
-
- if (len & (ctx->blocksize - 1)) {
- error_setg(errp, "Length %zu must be a multiple of block size %zu",
- len, ctx->blocksize);
- return -1;
- }
-
- xts_decrypt(ctx->handle, ctx->tweakhandle,
- qcrypto_gcrypt_xts_wrape, qcrypto_gcrypt_xts_wrapd,
- ctx->iv, len, out, in);
- return 0;
-}
-
-static int qcrypto_gcrypt_xts_setiv(QCryptoCipher *cipher,
- const uint8_t *iv, size_t niv,
- Error **errp)
-{
- QCryptoCipherGcrypt *ctx = container_of(cipher, QCryptoCipherGcrypt, base);
-
- if (niv != ctx->blocksize) {
- error_setg(errp, "Expected IV size %zu not %zu",
- ctx->blocksize, niv);
- return -1;
- }
-
- memcpy(ctx->iv, iv, niv);
- return 0;
-}
-
-static const struct QCryptoCipherDriver qcrypto_gcrypt_xts_driver = {
- .cipher_encrypt = qcrypto_gcrypt_xts_encrypt,
- .cipher_decrypt = qcrypto_gcrypt_xts_decrypt,
- .cipher_setiv = qcrypto_gcrypt_xts_setiv,
- .cipher_free = qcrypto_gcrypt_xts_ctx_free,
-};
-#endif /* CONFIG_QEMU_PRIVATE_XTS */
-
-
static QCryptoCipher *qcrypto_cipher_ctx_new(QCryptoCipherAlgorithm alg,
QCryptoCipherMode mode,
const uint8_t *key,
@@ -323,12 +231,7 @@ static QCryptoCipher *qcrypto_cipher_ctx_new(QCryptoCipherAlgorithm alg,
gcrymode = GCRY_CIPHER_MODE_ECB;
break;
case QCRYPTO_CIPHER_MODE_XTS:
-#ifdef CONFIG_QEMU_PRIVATE_XTS
- drv = &qcrypto_gcrypt_xts_driver;
- gcrymode = GCRY_CIPHER_MODE_ECB;
-#else
gcrymode = GCRY_CIPHER_MODE_XTS;
-#endif
break;
case QCRYPTO_CIPHER_MODE_CBC:
gcrymode = GCRY_CIPHER_MODE_CBC;
@@ -354,23 +257,6 @@ static QCryptoCipher *qcrypto_cipher_ctx_new(QCryptoCipherAlgorithm alg,
}
ctx->blocksize = gcry_cipher_get_algo_blklen(gcryalg);
-#ifdef CONFIG_QEMU_PRIVATE_XTS
- if (mode == QCRYPTO_CIPHER_MODE_XTS) {
- if (ctx->blocksize != XTS_BLOCK_SIZE) {
- error_setg(errp,
- "Cipher block size %zu must equal XTS block size %d",
- ctx->blocksize, XTS_BLOCK_SIZE);
- goto error;
- }
- err = gcry_cipher_open(&ctx->tweakhandle, gcryalg, gcrymode, 0);
- if (err != 0) {
- error_setg(errp, "Cannot initialize cipher: %s",
- gcry_strerror(err));
- goto error;
- }
- }
-#endif
-
if (alg == QCRYPTO_CIPHER_ALG_DES_RFB) {
/* We're using standard DES cipher from gcrypt, so we need
* to munge the key so that the results are the same as the
@@ -380,16 +266,6 @@ static QCryptoCipher *qcrypto_cipher_ctx_new(QCryptoCipherAlgorithm alg,
err = gcry_cipher_setkey(ctx->handle, rfbkey, nkey);
g_free(rfbkey);
} else {
-#ifdef CONFIG_QEMU_PRIVATE_XTS
- if (mode == QCRYPTO_CIPHER_MODE_XTS) {
- nkey /= 2;
- err = gcry_cipher_setkey(ctx->tweakhandle, key + nkey, nkey);
- if (err != 0) {
- error_setg(errp, "Cannot set key: %s", gcry_strerror(err));
- goto error;
- }
- }
-#endif
err = gcry_cipher_setkey(ctx->handle, key, nkey);
}
if (err != 0) {
@@ -400,9 +276,6 @@ static QCryptoCipher *qcrypto_cipher_ctx_new(QCryptoCipherAlgorithm alg,
return &ctx->base;
error:
-#ifdef CONFIG_QEMU_PRIVATE_XTS
- gcry_cipher_close(ctx->tweakhandle);
-#endif
gcry_cipher_close(ctx->handle);
g_free(ctx);
return NULL;
diff --git a/meson.build b/meson.build
index 945ae9c81d..2821edc0f5 100644
--- a/meson.build
+++ b/meson.build
@@ -838,16 +838,7 @@ if (not get_option('gcrypt').auto() or have_system) and not nettle.found()
method: 'config-tool',
required: get_option('gcrypt'),
kwargs: static_kwargs)
- if gcrypt.found() and cc.compiles('''
- #include <gcrypt.h>
- int main(void) {
- gcry_cipher_hd_t handle;
- gcry_cipher_open(&handle, GCRY_CIPHER_AES, GCRY_CIPHER_MODE_XTS, 0);
- return 0;
- }
- ''', dependencies: gcrypt)
- xts = 'gcrypt'
- endif
+ xts = 'gcrypt'
# Debian has removed -lgpg-error from libgcrypt-config
# as it "spreads unnecessary dependencies" which in
# turn breaks static builds...
@@ -2731,9 +2722,6 @@ summary_info += {'TLS priority': config_host['CONFIG_TLS_PRIORITY']}
summary_info += {'GNUTLS support': gnutls.found()}
# TODO: add back version
summary_info += {'libgcrypt': gcrypt.found()}
-if gcrypt.found()
- summary_info += {' XTS': xts != 'private'}
-endif
# TODO: add back version
summary_info += {'nettle': nettle.found()}
if nettle.found()
--
2.31.1
next prev parent reply other threads:[~2021-07-06 10:01 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-06 9:59 [PATCH 00/18] crypto: misc cleanup and introduce gnutls backend driver Daniel P. Berrangé
2021-07-06 9:59 ` [PATCH 01/18] crypto: remove conditional around 3DES crypto test cases Daniel P. Berrangé
2021-07-08 18:27 ` Eric Blake
2021-07-06 9:59 ` [PATCH 02/18] crypto: remove obsolete crypto test condition Daniel P. Berrangé
2021-07-08 18:28 ` Eric Blake
2021-07-06 9:59 ` [PATCH 03/18] crypto: skip essiv ivgen tests if AES+ECB isn't available Daniel P. Berrangé
2021-07-08 18:29 ` Eric Blake
2021-07-06 9:59 ` [PATCH 04/18] crypto: use &error_fatal in crypto tests Daniel P. Berrangé
2021-07-08 18:33 ` Eric Blake
2021-07-06 9:59 ` [PATCH 05/18] crypto: fix gcrypt min version 1.8 regression Daniel P. Berrangé
2021-07-08 18:34 ` Eric Blake
2021-07-06 9:59 ` [PATCH 06/18] crypto: drop gcrypt thread initialization code Daniel P. Berrangé
2021-07-08 18:36 ` Eric Blake
2021-07-06 9:59 ` Daniel P. Berrangé [this message]
2021-07-08 18:40 ` [PATCH 07/18] crypto: drop custom XTS support in gcrypt driver Eric Blake
2021-07-06 9:59 ` [PATCH 08/18] crypto: add crypto tests for single block DES-ECB and DES-CBC Daniel P. Berrangé
2021-07-08 18:50 ` Eric Blake
2021-07-09 13:53 ` Daniel P. Berrangé
2021-07-06 9:59 ` [PATCH 09/18] crypto: delete built-in DES implementation Daniel P. Berrangé
2021-07-08 18:54 ` Eric Blake
2021-07-06 9:59 ` [PATCH 10/18] crypto: delete built-in XTS cipher mode support Daniel P. Berrangé
2021-07-08 18:56 ` Eric Blake
2021-07-06 9:59 ` [PATCH 11/18] crypto: rename des-rfb cipher to just des Daniel P. Berrangé
2021-07-07 12:47 ` Markus Armbruster
2021-07-07 13:48 ` Daniel P. Berrangé
2021-07-08 14:41 ` Markus Armbruster
2021-07-09 13:59 ` Daniel P. Berrangé
2021-07-08 19:50 ` Eric Blake
2021-07-06 9:59 ` [PATCH 12/18] crypto: flip priority of backends to prefer gcrypt Daniel P. Berrangé
2021-07-08 18:59 ` Eric Blake
2021-07-06 9:59 ` [PATCH 13/18] crypto: introduce build system for gnutls crypto backend Daniel P. Berrangé
2021-07-08 19:03 ` Eric Blake
2021-07-06 9:59 ` [PATCH 14/18] crypto: add gnutls cipher provider Daniel P. Berrangé
2021-07-08 19:13 ` Eric Blake
2021-07-06 9:59 ` [PATCH 15/18] crypto: add gnutls hash provider Daniel P. Berrangé
2021-07-08 19:29 ` Eric Blake
2021-07-06 9:59 ` [PATCH 16/18] crypto: add gnutls hmac provider Daniel P. Berrangé
2021-07-08 19:35 ` Eric Blake
2021-07-09 14:03 ` Daniel P. Berrangé
2021-07-06 9:59 ` [PATCH 17/18] crypto: add gnutls pbkdf provider Daniel P. Berrangé
2021-07-08 19:43 ` Eric Blake
2021-07-06 9:59 ` [PATCH 18/18] crypto: prefer gnutls as the crypto backend if new enough Daniel P. Berrangé
2021-07-08 19:52 ` Eric Blake
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210706095924.764117-8-berrange@redhat.com \
--to=berrange@redhat.com \
--cc=armbru@redhat.com \
--cc=eblake@redhat.com \
--cc=kraxel@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).