From 70fdd47e1626fd02ca9431ee3182c3148156c493 Mon Sep 17 00:00:00 2001
From: Eduardo Habkost <ehabkost@redhat.com>
Date: Fri, 30 Jan 2009 16:35:53 -0200
Subject: [PATCH 02/54] qemu: qcow: use libgcrypt AES implementation
To keep the qcow code simple, keep an API as close as possible to the
old openssl one, wrapping the libgcrypt API. These wrapper functions
are all inline on aes.h.
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
---
qemu/Makefile | 2 +-
qemu/aes.h | 86 ++++++++++++++++++++++++++++++++++++++++++++++++++++
qemu/block-qcow.c | 32 +++++++++++++-------
qemu/block-qcow2.c | 35 ++++++++++++++-------
4 files changed, 131 insertions(+), 24 deletions(-)
create mode 100644 qemu/aes.h
diff --git a/qemu/Makefile b/qemu/Makefile
index a83717b..a16ff89 100644
--- a/qemu/Makefile
+++ b/qemu/Makefile
@@ -48,7 +48,7 @@ recurse-all: $(SUBDIR_RULES)
# BLOCK_OBJS is code used by both qemu system emulation and qemu-img
BLOCK_OBJS=cutils.o qemu-malloc.o
-BLOCK_OBJS+=block-cow.o block-qcow.o aes.o block-vmdk.o block-cloop.o
+BLOCK_OBJS+=block-cow.o block-qcow.o block-vmdk.o block-cloop.o
BLOCK_OBJS+=block-dmg.o block-bochs.o block-vpc.o block-vvfat.o
BLOCK_OBJS+=block-qcow2.o block-parallels.o block-nbd.o
BLOCK_OBJS+=nbd.o block.o aio.o
diff --git a/qemu/aes.h b/qemu/aes.h
new file mode 100644
index 0000000..9f46014
--- /dev/null
+++ b/qemu/aes.h
@@ -0,0 +1,86 @@
+/* Simple helpers to libgcrypt AES support
+ *
+ * Author: Eduardo Habkost <ehabkost@redhat.com>
+ *
+ * Copyright (c) 2009, Red Hat, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+#ifndef _QEMU_AES_H
+#define _QEMU_AES_H
+
+#include <gcrypt.h>
+
+typedef struct _AES_CBC_CIPHER {
+ gcry_cipher_hd_t cipher;
+} AES_CBC_CIPHER;
+
+static inline int
+AES_CBC_init(AES_CBC_CIPHER *h)
+{
+ if (!gcry_check_version (GCRYPT_VERSION))
+ return -1;
+
+ if (gcry_cipher_open(&h->cipher, GCRY_CIPHER_AES, GCRY_CIPHER_MODE_CBC, 0))
+ return -1;
+ return 0;
+}
+
+static inline int
+AES_CBC_set_key(const void *key, size_t keybits, AES_CBC_CIPHER *h)
+{
+ /* We get the key length in bits, not bytes, here */
+ if ((keybits % 8) != 0)
+ return -1;
+
+ if (gcry_cipher_setkey(h->cipher, key, keybits/8))
+ return -1;
+
+ return 0;
+}
+
+static inline int
+AES_CBC_encrypt(const void *inbuf, void *outbuf, size_t bufbytes,
+ const AES_CBC_CIPHER *h, const unsigned char *iv, size_t ivbytes, int enc)
+{
+ if (gcry_cipher_reset(h->cipher))
+ return -1;
+
+ if (gcry_cipher_setiv(h->cipher, iv, ivbytes))
+ return -1;
+
+ if (enc) {
+ if (gcry_cipher_encrypt(h->cipher, outbuf, bufbytes, inbuf, bufbytes))
+ return -1;
+ } else {
+ if (gcry_cipher_decrypt(h->cipher, outbuf, bufbytes, inbuf, bufbytes))
+ return -1;
+ }
+
+ return 0;
+}
+
+static inline void
+AES_CBC_deinit(AES_CBC_CIPHER *h)
+{
+ gcry_cipher_close(h->cipher);
+}
+
+
+#endif /* _QEMU_AES_H */
diff --git a/qemu/block-qcow.c b/qemu/block-qcow.c
index 91c53b1..ab10e91 100644
--- a/qemu/block-qcow.c
+++ b/qemu/block-qcow.c
@@ -71,8 +71,8 @@ typedef struct BDRVQcowState {
uint64_t cluster_cache_offset;
uint32_t crypt_method; /* current crypt method, 0 if no key yet */
uint32_t crypt_method_header;
- AES_KEY aes_encrypt_key;
- AES_KEY aes_decrypt_key;
+ AES_CBC_CIPHER aes_encrypt_cipher;
+ AES_CBC_CIPHER aes_decrypt_cipher;
} BDRVQcowState;
static int decompress_cluster(BDRVQcowState *s, uint64_t cluster_offset);
@@ -161,6 +161,14 @@ static int qcow_open(BlockDriverState *bs, const char *filename, int flags)
goto fail;
bs->backing_file[len] = '\0';
}
+
+ if (header.crypt_method == QCOW_CRYPT_AES) {
+ if (AES_CBC_init(&s->aes_encrypt_cipher))
+ goto fail;
+ if (AES_CBC_init(&s->aes_decrypt_cipher))
+ goto fail;
+ }
+
return 0;
fail:
@@ -189,9 +197,9 @@ static int qcow_set_key(BlockDriverState *bs, const char *key)
}
s->crypt_method = s->crypt_method_header;
- if (AES_set_encrypt_key(keybuf, 128, &s->aes_encrypt_key) != 0)
+ if (AES_CBC_set_key(keybuf, 128, &s->aes_encrypt_cipher) != 0)
return -1;
- if (AES_set_decrypt_key(keybuf, 128, &s->aes_decrypt_key) != 0)
+ if (AES_CBC_set_key(keybuf, 128, &s->aes_decrypt_cipher) != 0)
return -1;
#if 0
/* test */
@@ -220,7 +228,7 @@ static int qcow_set_key(BlockDriverState *bs, const char *key)
static void encrypt_sectors(BDRVQcowState *s, int64_t sector_num,
uint8_t *out_buf, const uint8_t *in_buf,
int nb_sectors, int enc,
- const AES_KEY *key)
+ const AES_CBC_CIPHER *key)
{
union {
uint64_t ll[2];
@@ -231,8 +239,8 @@ static void encrypt_sectors(BDRVQcowState *s, int64_t sector_num,
for(i = 0; i < nb_sectors; i++) {
ivec.ll[0] = cpu_to_le64(sector_num);
ivec.ll[1] = 0;
- AES_cbc_encrypt(in_buf, out_buf, 512, key,
- ivec.b, enc);
+ AES_CBC_encrypt(in_buf, out_buf, 512, key,
+ ivec.b, 16, enc);
sector_num++;
in_buf += 512;
out_buf += 512;
@@ -356,7 +364,7 @@ static uint64_t get_cluster_offset(BlockDriverState *bs,
encrypt_sectors(s, start_sect + i,
s->cluster_data,
s->cluster_data + 512, 1, 1,
- &s->aes_encrypt_key);
+ &s->aes_encrypt_cipher);
if (bdrv_pwrite(s->hd, cluster_offset + i * 512,
s->cluster_data, 512) != 512)
return -1;
@@ -506,7 +514,7 @@ static int qcow_write(BlockDriverState *bs, int64_t sector_num,
return -1;
if (s->crypt_method) {
encrypt_sectors(s, sector_num, s->cluster_data, buf, n, 1,
- &s->aes_encrypt_key);
+ &s->aes_encrypt_cipher);
ret = bdrv_pwrite(s->hd, cluster_offset + index_in_cluster * 512,
s->cluster_data, n * 512);
} else {
@@ -558,7 +566,7 @@ static void qcow_aio_read_cb(void *opaque, int ret)
if (s->crypt_method) {
encrypt_sectors(s, acb->sector_num, acb->buf, acb->buf,
acb->n, 0,
- &s->aes_decrypt_key);
+ &s->aes_decrypt_cipher);
}
}
@@ -682,7 +690,7 @@ static void qcow_aio_write_cb(void *opaque, int ret)
}
}
encrypt_sectors(s, acb->sector_num, acb->cluster_data, acb->buf,
- acb->n, 1, &s->aes_encrypt_key);
+ acb->n, 1, &s->aes_encrypt_cipher);
src_buf = acb->cluster_data;
} else {
src_buf = acb->buf;
@@ -728,6 +736,8 @@ static void qcow_aio_cancel(BlockDriverAIOCB *blockacb)
static void qcow_close(BlockDriverState *bs)
{
BDRVQcowState *s = bs->opaque;
+ AES_CBC_deinit(&s->aes_encrypt_cipher);
+ AES_CBC_deinit(&s->aes_decrypt_cipher);
qemu_free(s->l1_table);
qemu_free(s->l2_cache);
qemu_free(s->cluster_cache);
diff --git a/qemu/block-qcow2.c b/qemu/block-qcow2.c
index 9aa7261..fa4dd83 100644
--- a/qemu/block-qcow2.c
+++ b/qemu/block-qcow2.c
@@ -141,8 +141,8 @@ typedef struct BDRVQcowState {
uint32_t crypt_method; /* current crypt method, 0 if no key yet */
uint32_t crypt_method_header;
- AES_KEY aes_encrypt_key;
- AES_KEY aes_decrypt_key;
+ AES_CBC_CIPHER aes_encrypt_cipher;
+ AES_CBC_CIPHER aes_decrypt_cipher;
uint64_t snapshots_offset;
int snapshots_size;
int nb_snapshots;
@@ -290,12 +290,21 @@ static int qcow_open(BlockDriverState *bs, const char *filename, int flags)
if (qcow_read_snapshots(bs) < 0)
goto fail;
+ if (header.crypt_method == QCOW_CRYPT_AES) {
+ if (AES_CBC_init(&s->aes_encrypt_cipher))
+ goto fail;
+ if (AES_CBC_init(&s->aes_decrypt_cipher))
+ goto fail;
+ }
+
#ifdef DEBUG_ALLOC
check_refcounts(bs);
#endif
return 0;
fail:
+ AES_CBC_deinit(&s->aes_encrypt_cipher);
+ AES_CBC_deinit(&s->aes_decrypt_cipher);
qcow_free_snapshots(bs);
refcount_close(bs);
qemu_free(s->l1_table);
@@ -323,9 +332,9 @@ static int qcow_set_key(BlockDriverState *bs, const char *key)
}
s->crypt_method = s->crypt_method_header;
- if (AES_set_encrypt_key(keybuf, 128, &s->aes_encrypt_key) != 0)
+ if (AES_CBC_set_key(keybuf, 128, &s->aes_encrypt_cipher) != 0)
return -1;
- if (AES_set_decrypt_key(keybuf, 128, &s->aes_decrypt_key) != 0)
+ if (AES_CBC_set_key(keybuf, 128, &s->aes_decrypt_cipher) != 0)
return -1;
#if 0
/* test */
@@ -354,7 +363,7 @@ static int qcow_set_key(BlockDriverState *bs, const char *key)
static void encrypt_sectors(BDRVQcowState *s, int64_t sector_num,
uint8_t *out_buf, const uint8_t *in_buf,
int nb_sectors, int enc,
- const AES_KEY *key)
+ const AES_CBC_CIPHER *key)
{
union {
uint64_t ll[2];
@@ -365,8 +374,8 @@ static void encrypt_sectors(BDRVQcowState *s, int64_t sector_num,
for(i = 0; i < nb_sectors; i++) {
ivec.ll[0] = cpu_to_le64(sector_num);
ivec.ll[1] = 0;
- AES_cbc_encrypt(in_buf, out_buf, 512, key,
- ivec.b, enc);
+ AES_CBC_encrypt(in_buf, out_buf, 512, key,
+ ivec.b, 16, enc);
sector_num++;
in_buf += 512;
out_buf += 512;
@@ -389,7 +398,7 @@ static int copy_sectors(BlockDriverState *bs, uint64_t start_sect,
encrypt_sectors(s, start_sect + n_start,
s->cluster_data,
s->cluster_data, n, 1,
- &s->aes_encrypt_key);
+ &s->aes_encrypt_cipher);
}
ret = bdrv_write(s->hd, (cluster_offset >> 9) + n_start,
s->cluster_data, n);
@@ -1127,7 +1136,7 @@ static int qcow_read(BlockDriverState *bs, int64_t sector_num,
return -1;
if (s->crypt_method) {
encrypt_sectors(s, sector_num, buf, buf, n, 0,
- &s->aes_decrypt_key);
+ &s->aes_decrypt_cipher);
}
}
nb_sectors -= n;
@@ -1159,7 +1168,7 @@ static int qcow_write(BlockDriverState *bs, int64_t sector_num,
return -1;
if (s->crypt_method) {
encrypt_sectors(s, sector_num, s->cluster_data, buf, n, 1,
- &s->aes_encrypt_key);
+ &s->aes_encrypt_cipher);
ret = bdrv_pwrite(s->hd, cluster_offset + index_in_cluster * 512,
s->cluster_data, n * 512);
} else {
@@ -1237,7 +1246,7 @@ fail:
if (s->crypt_method) {
encrypt_sectors(s, acb->sector_num, acb->buf, acb->buf,
acb->n, 0,
- &s->aes_decrypt_key);
+ &s->aes_decrypt_cipher);
}
}
@@ -1391,7 +1400,7 @@ static void qcow_aio_write_cb(void *opaque, int ret)
}
}
encrypt_sectors(s, acb->sector_num, acb->cluster_data, acb->buf,
- acb->n, 1, &s->aes_encrypt_key);
+ acb->n, 1, &s->aes_encrypt_cipher);
src_buf = acb->cluster_data;
} else {
src_buf = acb->buf;
@@ -1432,6 +1441,8 @@ static void qcow_aio_cancel(BlockDriverAIOCB *blockacb)
static void qcow_close(BlockDriverState *bs)
{
BDRVQcowState *s = bs->opaque;
+ AES_CBC_deinit(&s->aes_encrypt_cipher);
+ AES_CBC_deinit(&s->aes_decrypt_cipher);
qemu_free(s->l1_table);
qemu_free(s->l2_cache);
qemu_free(s->cluster_cache);
--
1.6.1
distrib
>
Scientific%20Linux
>
5x
>
x86_64
>
media
>
main-src
>
by-pkgid
>
aadbe78a25743146bb784eee19f007c5
>
files
>
3
