Page MenuHomeFreeBSD

crypto: Add support for the XChaCha20-Poly1305 AEAD cipher.
ClosedPublic

Authored by jhb on Dec 17 2021, 12:10 AM.
Tags
None
Referenced Files
Unknown Object (File)
Thu, Mar 14, 12:24 PM
Unknown Object (File)
Thu, Mar 14, 12:24 PM
Unknown Object (File)
Thu, Mar 14, 12:24 PM
Unknown Object (File)
Thu, Mar 14, 12:20 PM
Unknown Object (File)
Mon, Mar 11, 12:48 AM
Unknown Object (File)
Jan 14 2024, 6:22 PM
Unknown Object (File)
Jan 13 2024, 7:25 AM
Unknown Object (File)
Jan 3 2024, 5:11 PM

Details

Summary

This cipher is a wrapper around the ChaCha20-Poly1305 AEAD cipher
which accepts a larger nonce. Part of the nonce is used along with
the key as an input to HChaCha20 to generate a derived key used for
ChaCha20-Poly1305.

This cipher is used by WireGuard.

Sponsored by: The FreeBSD Foundation

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
No Lint Coverage
Unit
No Test Coverage
Build Status
Buildable 43748
Build 40636: arc lint + arc unit

Event Timeline

jhb requested review of this revision.Dec 17 2021, 12:10 AM

This does not include cryptocheck support as OpenSSL does not include XChaCha20 (and specifically it does not include HChaCha20).

In theory ossl(4) could support XChaCha20-Poly1305 by using the HChaCha20 routine from libsodium to compute the derived key. However, WireGuard (the only expected consumer of this cipher) will most likely not use OCF but use the enc_xform directly (or a wrapper, see D33524), so patching ossl(4) probably isn't worth it.

gbe added a subscriber: gbe.

LGTM for the man page part.

sys/opencrypto/xform_chacha20_poly1305.c
44
186

Should we zero the nonce buffer?

jhb marked 2 inline comments as done.
  • Explicitly note the C inheritance.
  • zero the temporary nonce
This revision is now accepted and ready to land.Jan 7 2022, 2:42 PM