Currently the crypto layer has a choice of backend drivers

 * builtin - AES/DES for ciphers using in-tree impl, glib for hash / hmac
 * gcrypt - all ciphers and all hash/hmac algs
 * nettle - all ciphers and all hash/hmac algs

We currently default to nettle because that minimizes the deps from QEMU,
as gnutls already pulls in nettle. In retrospect, however, this was the
wrong metric to optimize for. Instead we should have picked the backend
based on the performance of the drivers. The nettle impls have some
limited CPU hardware acceleration, but aside from in ECB mode, nettle is
slower than gcrypt in every case. In the most important AES-XTS case used
for LUKS disk encryption, nettle achieves just 15% of the performance of
gcrypt. It is clear we should prefer gcrypt over nettle.

gnutls uses nettle internally and also exposes many of the ciphers for
direct usage. Unexpectedly, gnutls is actually faster than nettle, despite
using nettle. The reason for this is that gnutls provides CPU accelerated
code for handling CBC and XTS modes. This lets gnutls get in the same
ballpark as gcrypt for the most important encryption modes. It is also
good for hash impls.

This series thus does a number of things

 - Introduce gnutls as a backend driver
 - Change priority order gnutls > gcrypt > nettle > builtin
 - Cleanup cruft from older versions of crypto libraries
 - Make some tests more robust and easier to debug
 - Drop support for built-in XTS impl, as it is too slow to be useful
   for LUKS
 - Drop support for built-in DES impl, to minimize amount of custom
   crypto code carried. VNC password auth will require use of a
   gcrypt/nettle/gnutls

Daniel P. Berrangé (18):
  crypto: remove conditional around 3DES crypto test cases
  crypto: remove obsolete crypto test condition
  crypto: skip essiv ivgen tests if AES+ECB isn't available
  crypto: use &error_fatal in crypto tests
  crypto: fix gcrypt min version 1.8 regression
  crypto: drop gcrypt thread initialization code
  crypto: drop custom XTS support in gcrypt driver
  crypto: add crypto tests for single block DES-ECB and DES-CBC
  crypto: delete built-in DES implementation
  crypto: delete built-in XTS cipher mode support
  crypto: rename des-rfb cipher to just des
  crypto: flip priority of backends to prefer gcrypt
  crypto: introduce build system for gnutls crypto backend
  crypto: add gnutls cipher provider
  crypto: add gnutls hash provider
  crypto: add gnutls hmac provider
  crypto: add gnutls pbkdf provider
  crypto: prefer gnutls as the crypto backend if new enough

 crypto/cipher-builtin.c.inc     | 132 ----------
 crypto/cipher-gcrypt.c.inc      | 143 +---------
 crypto/cipher-gnutls.c.inc      | 325 +++++++++++++++++++++++++
 crypto/cipher-nettle.c.inc      |  26 +-
 crypto/cipher.c                 |  30 +--
 crypto/desrfb.c                 | 416 --------------------------------
 crypto/hash-gnutls.c            | 104 ++++++++
 crypto/hmac-gnutls.c            | 136 +++++++++++
 crypto/init.c                   |  62 -----
 crypto/meson.build              |   9 +-
 crypto/pbkdf-gnutls.c           |  90 +++++++
 meson.build                     | 102 +++++---
 qapi/crypto.json                |   4 +-
 tests/unit/test-crypto-cipher.c |  31 ++-
 tests/unit/test-crypto-hash.c   |  12 +-
 tests/unit/test-crypto-hmac.c   |  28 +--
 tests/unit/test-crypto-ivgen.c  |  14 +-
 tests/unit/test-crypto-pbkdf.c  |   5 +-
 ui/vnc.c                        |  20 +-
 19 files changed, 814 insertions(+), 875 deletions(-)
 create mode 100644 crypto/cipher-gnutls.c.inc
 delete mode 100644 crypto/desrfb.c
 create mode 100644 crypto/hash-gnutls.c
 create mode 100644 crypto/hmac-gnutls.c
 create mode 100644 crypto/pbkdf-gnutls.c

-- 
2.31.1