diff --git a/lib/libipsec/pfkey_dump.c b/lib/libipsec/pfkey_dump.c --- a/lib/libipsec/pfkey_dump.c +++ b/lib/libipsec/pfkey_dump.c @@ -149,6 +149,9 @@ #endif #ifdef SADB_X_AALG_AES_XCBC_MAC { SADB_X_AALG_AES_XCBC_MAC, "aes-xcbc-mac", }, +#endif +#ifdef SADB_X_AALG_CHACHA20POLY1305 + { SADB_X_AALG_CHACHA20POLY1305, "chacha20-poly1305", }, #endif { -1, NULL, }, }; @@ -170,6 +173,9 @@ #endif #ifdef SADB_X_EALG_AESGCM16 { SADB_X_EALG_AESGCM16, "aes-gcm-16", }, +#endif +#ifdef SADB_X_EALG_CHACHA20POLY1305 + { SADB_X_EALG_CHACHA20POLY1305, "chacha20-poly1305", }, #endif { -1, NULL, }, }; diff --git a/sbin/setkey/setkey.8 b/sbin/setkey/setkey.8 --- a/sbin/setkey/setkey.8 +++ b/sbin/setkey/setkey.8 @@ -29,7 +29,7 @@ .\" .\" $FreeBSD$ .\" -.Dd September 13, 2022 +.Dd October 19, 2022 .Dt SETKEY 8 .Os .\" @@ -598,6 +598,7 @@ aes-xcbc-mac 128 ah/esp: 96bit ICV (RFC3566) 128 ah-old/esp-old: 128bit ICV (no document) tcp-md5 8 to 640 tcp: rfc2385 +chacha20-poly1305 256 ah/esp: 128bit ICV (RFC7634) .Ed .Ss Encryption Algorithms The following encryption algorithms can be used as the @@ -613,6 +614,7 @@ aes-cbc 128/192/256 rfc3602 aes-ctr 160/224/288 rfc3686 aes-gcm-16 160/224/288 AEAD; rfc4106 +chacha20-poly1305 256 rfc7634 .Ed .Pp Note that the first 128/192/256 bits of a key for diff --git a/sbin/setkey/token.l b/sbin/setkey/token.l --- a/sbin/setkey/token.l +++ b/sbin/setkey/token.l @@ -147,6 +147,7 @@ /* authentication alogorithm */ {hyphen}A { BEGIN S_AUTHALG; return(F_AUTH); } +chacha20-poly1305 { yylval.num = SADB_X_AALG_CHACHA20POLY1305; BEGIN INITIAL; return(ALG_AUTH); } hmac-sha1 { yylval.num = SADB_AALG_SHA1HMAC; BEGIN INITIAL; return(ALG_AUTH); } hmac-sha2-256 { yylval.num = SADB_X_AALG_SHA2_256; BEGIN INITIAL; return(ALG_AUTH); } hmac-sha2-384 { yylval.num = SADB_X_AALG_SHA2_384; BEGIN INITIAL; return(ALG_AUTH); } @@ -163,6 +164,7 @@ aes-cbc { yylval.num = SADB_X_EALG_AESCBC; BEGIN INITIAL; return(ALG_ENC); } aes-ctr { yylval.num = SADB_X_EALG_AESCTR; BEGIN INITIAL; return(ALG_ENC_SALT); } aes-gcm-16 { yylval.num = SADB_X_EALG_AESGCM16; BEGIN INITIAL; return(ALG_ENC_SALT); } +chacha20-poly1305 { yylval.num = SADB_X_EALG_CHACHA20POLY1305; BEGIN INITIAL; return(ALG_ENC_SALT); } /* compression algorithms */ {hyphen}C { return(F_COMP); } diff --git a/sys/net/pfkeyv2.h b/sys/net/pfkeyv2.h --- a/sys/net/pfkeyv2.h +++ b/sys/net/pfkeyv2.h @@ -372,6 +372,7 @@ #define SADB_X_AALG_AES128GMAC 11 /* RFC4543 + Errata1821 */ #define SADB_X_AALG_AES192GMAC 12 #define SADB_X_AALG_AES256GMAC 13 +#define SADB_X_AALG_CHACHA20POLY1305 14 #define SADB_X_AALG_MD5 249 /* Keyed MD5 */ #define SADB_X_AALG_SHA 250 /* Keyed SHA */ #define SADB_X_AALG_NULL 251 /* null authentication */ @@ -387,6 +388,7 @@ #define SADB_X_EALG_AES 12 #define SADB_X_EALG_AESCBC 12 #define SADB_X_EALG_AESCTR 13 +#define SADB_X_EALG_CHACHA20POLY1305 15 #define SADB_X_EALG_AESGCM8 18 /* RFC4106 */ #define SADB_X_EALG_AESGCM12 19 #define SADB_X_EALG_AESGCM16 20 diff --git a/sys/netipsec/key.c b/sys/netipsec/key.c --- a/sys/netipsec/key.c +++ b/sys/netipsec/key.c @@ -592,6 +592,7 @@ { SADB_X_EALG_AESCTR, &enc_xform_aes_icm }, { SADB_X_EALG_AESGCM16, &enc_xform_aes_nist_gcm }, { SADB_X_EALG_AESGMAC, &enc_xform_aes_nist_gmac }, + { SADB_X_EALG_CHACHA20POLY1305, &enc_xform_chacha20_poly1305 }, }; static struct supported_aalgs { @@ -606,6 +607,7 @@ { SADB_X_AALG_AES128GMAC, &auth_hash_nist_gmac_aes_128 }, { SADB_X_AALG_AES192GMAC, &auth_hash_nist_gmac_aes_192 }, { SADB_X_AALG_AES256GMAC, &auth_hash_nist_gmac_aes_256 }, + { SADB_X_AALG_CHACHA20POLY1305, &auth_hash_poly1305 }, }; static struct supported_calgs { diff --git a/sys/netipsec/keydb.h b/sys/netipsec/keydb.h --- a/sys/netipsec/keydb.h +++ b/sys/netipsec/keydb.h @@ -200,6 +200,8 @@ (_sav)->alg_enc == SADB_X_EALG_AESGCM12 || \ (_sav)->alg_enc == SADB_X_EALG_AESGCM16) #define SAV_ISCTR(_sav) ((_sav)->alg_enc == SADB_X_EALG_AESCTR) +#define SAV_ISCHACHA(_sav) \ + ((_sav)->alg_enc == SADB_X_EALG_CHACHA20POLY1305) #define SAV_ISCTRORGCM(_sav) (SAV_ISCTR((_sav)) || SAV_ISGCM((_sav))) #define IPSEC_SEQH_SHIFT 32 diff --git a/sys/netipsec/xform_ah.c b/sys/netipsec/xform_ah.c --- a/sys/netipsec/xform_ah.c +++ b/sys/netipsec/xform_ah.c @@ -131,6 +131,7 @@ alen = esph->hashsize / 2; /* RFC4868 2.3 */ break; + case CRYPTO_POLY1305: case CRYPTO_AES_NIST_GMAC: alen = esph->hashsize; break; diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c --- a/sys/netipsec/xform_esp.c +++ b/sys/netipsec/xform_esp.c @@ -169,7 +169,8 @@ } /* subtract off the salt, RFC4106, 8.1 and RFC3686, 5.1 */ - keylen = _KEYLEN(sav->key_enc) - SAV_ISCTRORGCM(sav) * 4; + keylen = _KEYLEN(sav->key_enc) - SAV_ISCTRORGCM(sav) * 4 - + SAV_ISCHACHA(sav) * 4; if (txform->minkey > keylen || keylen > txform->maxkey) { DPRINTF(("%s: invalid key length %u, must be in the range " "[%u..%u] for algorithm %s\n", __func__, @@ -178,7 +179,7 @@ return EINVAL; } - if (SAV_ISCTRORGCM(sav)) + if (SAV_ISCTRORGCM(sav) || SAV_ISCHACHA(sav)) sav->ivlen = 8; /* RFC4106 3.1 and RFC3686 3.1 */ else sav->ivlen = txform->ivsize; @@ -226,6 +227,12 @@ csp.csp_mode = CSP_MODE_AEAD; if (sav->flags & SADB_X_SAFLAGS_ESN) csp.csp_flags |= CSP_F_SEPARATE_AAD; + } else if (sav->alg_enc == SADB_X_EALG_CHACHA20POLY1305) { + sav->alg_auth = SADB_X_AALG_CHACHA20POLY1305; + sav->tdb_authalgxform = &auth_hash_poly1305; + csp.csp_mode = CSP_MODE_AEAD; + if (sav->flags & SADB_X_SAFLAGS_ESN) + csp.csp_flags |= CSP_F_SEPARATE_AAD; } else if (sav->alg_auth != 0) { csp.csp_mode = CSP_MODE_ETA; if (sav->flags & SADB_X_SAFLAGS_ESN) @@ -238,7 +245,7 @@ if (csp.csp_cipher_alg != CRYPTO_NULL_CBC) { csp.csp_cipher_key = sav->key_enc->key_data; csp.csp_cipher_klen = _KEYBITS(sav->key_enc) / 8 - - SAV_ISCTRORGCM(sav) * 4; + SAV_ISCTRORGCM(sav) * 4 - SAV_ISCHACHA(sav) * 4; }; csp.csp_ivlen = txform->ivsize; @@ -368,7 +375,7 @@ if (esph != NULL) { crp->crp_op = CRYPTO_OP_VERIFY_DIGEST; - if (SAV_ISGCM(sav)) + if (SAV_ISGCM(sav) || SAV_ISCHACHA(sav)) crp->crp_aad_length = 8; /* RFC4106 5, SPI + SN */ else crp->crp_aad_length = hlen; @@ -428,7 +435,7 @@ crp->crp_payload_length = m->m_pkthdr.len - (skip + hlen + alen); /* Generate or read cipher IV. */ - if (SAV_ISCTRORGCM(sav)) { + if (SAV_ISCTRORGCM(sav) || SAV_ISCHACHA(sav)) { ivp = &crp->crp_iv[0]; /* @@ -811,7 +818,7 @@ SECREPLAY_UNLOCK(sav->replay); } cryptoid = sav->tdb_cryptoid; - if (SAV_ISCTRORGCM(sav)) + if (SAV_ISCTRORGCM(sav) || SAV_ISCHACHA(sav)) cntr = sav->cntr++; SECASVAR_RUNLOCK(sav); @@ -878,7 +885,7 @@ /* Generate cipher and ESP IVs. */ ivp = &crp->crp_iv[0]; - if (SAV_ISCTRORGCM(sav)) { + if (SAV_ISCTRORGCM(sav) || SAV_ISCHACHA(sav)) { /* * See comment in esp_input() for details on the * cipher IV. A simple per-SA counter stored in @@ -914,7 +921,7 @@ if (esph) { /* Authentication descriptor. */ crp->crp_op |= CRYPTO_OP_COMPUTE_DIGEST; - if (SAV_ISGCM(sav)) + if (SAV_ISGCM(sav) || SAV_ISCHACHA(sav)) crp->crp_aad_length = 8; /* RFC4106 5, SPI + SN */ else crp->crp_aad_length = hlen;