Page MenuHomeFreeBSD

crypto: Add support for the XChaCha20-Poly1305 AEAD cipher.

Authored by jhb on Dec 17 2021, 12:10 AM.



This cipher is a wrapper around the ChaCha20-Poly1305 AEAD cipher
which accepts a larger nonce. Part of the nonce is used along with
the key as an input to HChaCha20 to generate a derived key used for

This cipher is used by WireGuard.

Sponsored by: The FreeBSD Foundation

Diff Detail

R10 FreeBSD src repository
Automatic diff as part of commit; lint not applicable.
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

jhb requested review of this revision.Dec 17 2021, 12:10 AM

This does not include cryptocheck support as OpenSSL does not include XChaCha20 (and specifically it does not include HChaCha20).

In theory ossl(4) could support XChaCha20-Poly1305 by using the HChaCha20 routine from libsodium to compute the derived key. However, WireGuard (the only expected consumer of this cipher) will most likely not use OCF but use the enc_xform directly (or a wrapper, see D33524), so patching ossl(4) probably isn't worth it.

gbe added a subscriber: gbe.

LGTM for the man page part.


Should we zero the nonce buffer?

jhb marked 2 inline comments as done.
  • Explicitly note the C inheritance.
  • zero the temporary nonce
This revision is now accepted and ready to land.Jan 7 2022, 2:42 PM