Page MenuHomeFreeBSD

crypto: Add support for the XChaCha20-Poly1305 AEAD cipher.
ClosedPublic

Authored by jhb on Dec 17 2021, 12:10 AM.

Details

Summary

This cipher is a wrapper around the ChaCha20-Poly1305 AEAD cipher
which accepts a larger nonce. Part of the nonce is used along with
the key as an input to HChaCha20 to generate a derived key used for
ChaCha20-Poly1305.

This cipher is used by WireGuard.

Sponsored by: The FreeBSD Foundation

Diff Detail

Repository
R10 FreeBSD src repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

jhb requested review of this revision.Dec 17 2021, 12:10 AM

This does not include cryptocheck support as OpenSSL does not include XChaCha20 (and specifically it does not include HChaCha20).

In theory ossl(4) could support XChaCha20-Poly1305 by using the HChaCha20 routine from libsodium to compute the derived key. However, WireGuard (the only expected consumer of this cipher) will most likely not use OCF but use the enc_xform directly (or a wrapper, see D33524), so patching ossl(4) probably isn't worth it.

gbe added a subscriber: gbe.

LGTM for the man page part.

sys/opencrypto/xform_chacha20_poly1305.c
43
185

Should we zero the nonce buffer?

jhb marked 2 inline comments as done.
  • Explicitly note the C inheritance.
  • zero the temporary nonce
This revision is now accepted and ready to land.Jan 7 2022, 2:42 PM