Page MenuHomeFreeBSD

crypto: Support Chacha20-Poly1305 with a nonce size of 8 bytes.
ClosedPublic

Authored by jhb on Sep 24 2021, 6:06 PM.
Tags
None
Referenced Files
F68192260: D32122.diff
Sun, Sep 24, 5:32 PM
Unknown Object (File)
Sun, Sep 10, 5:40 AM
Unknown Object (File)
Sun, Sep 3, 2:46 PM
Unknown Object (File)
Sun, Sep 3, 2:45 PM
Unknown Object (File)
Sun, Sep 3, 2:40 PM
Unknown Object (File)
Mon, Aug 28, 7:18 PM
Unknown Object (File)
Jul 21 2023, 11:32 PM
Unknown Object (File)
Jun 27 2023, 6:47 AM
Subscribers

Details

Summary

This is useful for WireGuard which uses a nonce of 8 bytes rather
than the 12 bytes used for IPsec and TLS.

Note that this also fixes a (should be) harmless bug in ossl(4) where
the counter was incorrectly treated as a 64-bit counter instead of a
32-bit counter in terms of wrapping when using a 12 byte nonce.
However, this required a single message (TLS record) longer than 64 *
(2^32 - 1) bytes (about 256 GB) to trigger.

Sponsored by: The FreeBSD Foundation

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

jhb requested review of this revision.Sep 24 2021, 6:06 PM

Both ossl0 and cryptosoft0 pass cryptocheck tests with both nonce sizes. In addition, I have used the 8 byte nonce variant in a patch to the upstream Wireguard FreeBSD driver which passed its own tests as well as an interoperability test with the stock driver on another VM using WireGuard's own Chacha20-Poly1305 implementation.

Once this is merged this will need a __FreeBSD_version followup bump so WireGuard (and other potential consumers) can detect when the 8 byte nonce is supported.

Note that this also fixes a (should be) harmless bug in ossl(4) where
the counter was incorrectly treated as a 64-bit counter instead of a
32-bit counter in terms of wrapping when using a 12 byte nonce.
However, this required a single message (TLS record) longer than 64 *
(2^32 - 1) bytes (about 256 GB) to trigger.

TLS itself doesn't allow records larger than (roughly) 2^14 bytes, so
this does seem pretty harmless

This revision was not accepted when it landed; it landed in state Needs Review.Oct 6 2021, 9:11 PM
This revision was automatically updated to reflect the committed changes.