
crypto: Support Chacha20-Poly1305 with a nonce size of 8 bytes.
Closed, Public

Authored by jhb on Sep 24 2021, 6:06 PM.

Details

Summary

This is useful for WireGuard which uses a nonce of 8 bytes rather
than the 12 bytes used for IPsec and TLS.

Note that this also fixes a (should be) harmless bug in ossl(4) where
the counter was incorrectly treated as a 64-bit counter instead of a
32-bit counter in terms of wrapping when using a 12 byte nonce.
However, this required a single message (TLS record) longer than 64 *
(2^32 - 1) bytes (about 256 GB) to trigger.

Sponsored by: The FreeBSD Foundation

Diff Detail

Repository: rS FreeBSD src repository - subversion
Lint: No Lint Coverage
Unit: No Test Coverage
Build Status: Buildable 41724
Build 38613: arc lint + arc unit

Event Timeline

jhb requested review of this revision. Sep 24 2021, 6:06 PM

Both ossl0 and cryptosoft0 pass cryptocheck tests with both nonce sizes. In addition, I have used the 8 byte nonce variant in a patch to the upstream WireGuard FreeBSD driver which passed its own tests as well as an interoperability test with the stock driver on another VM using WireGuard's own Chacha20-Poly1305 implementation.

Once this is merged this will need a __FreeBSD_version followup bump so WireGuard (and other potential consumers) can detect when the 8 byte nonce is supported.

Note that this also fixes a (should be) harmless bug in ossl(4) where
the counter was incorrectly treated as a 64-bit counter instead of a
32-bit counter in terms of wrapping when using a 12 byte nonce.
However, this required a single message (TLS record) longer than 64 *
(2^32 - 1) bytes (about 256 GB) to trigger.

TLS itself doesn't allow records larger than (roughly) 2^14 bytes, so
this does seem pretty harmless.
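
The two counter layouts discussed in this review, as an added example that is not taken from the revision or from FreeBSD's code: words 12..15 of the ChaCha20 state for an 8-byte and a 12-byte nonce, and what a 64-bit carry does when the nonce is 12 bytes. The names `chacha_ctr`, `ctr_init`, `ctr_next`, `ctr_next_always64` and `max_payload_nonce12` are hypothetical, and the nonce bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model of ChaCha20 state words 12..15: block counter, then nonce. */
struct chacha_ctr { uint32_t w[4]; };

static uint32_t le32(const uint8_t *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
	    (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* 8-byte nonce: 64-bit counter in w[0..1]. 12-byte nonce: 32-bit counter in w[0]. */
int ctr_init(struct chacha_ctr *c, const uint8_t *nonce, size_t len, uint64_t ctr)
{
	if ((len != 8 && len != 12) || (len == 12 && ctr > UINT32_MAX))
		return -1;
	c->w[0] = (uint32_t)ctr;
	c->w[1] = len == 8 ? (uint32_t)(ctr >> 32) : le32(nonce);
	c->w[2] = le32(nonce + (len == 8 ? 0 : 4));
	c->w[3] = le32(nonce + (len == 8 ? 4 : 8));
	return 0;
}

/* Advance one 64-byte block; the carry enters w[1] only when w[1] is counter. */
void ctr_next(struct chacha_ctr *c, size_t nonce_len)
{
	if (++c->w[0] == 0 && nonce_len == 8)
		c->w[1]++;
}

/* The wrapping the summary calls a bug: 64-bit carry even with a 12-byte nonce. */
void ctr_next_always64(struct chacha_ctr *c)
{
	if (++c->w[0] == 0)
		c->w[1]++;	/* with a 12-byte nonce this alters a nonce word */
}

/* AEAD payload limit for a 12-byte nonce: block 0 keys Poly1305 (RFC 8439). */
uint64_t max_payload_nonce12(void)
{
	return 64 * (uint64_t)UINT32_MAX;	/* data uses blocks 1 .. 2^32 - 1 */
}

int main(void)
{
	const uint8_t n12[12] = { 1, 0, 0, 0, 2 };	/* constructed nonce */
	struct chacha_ctr c;
	ctr_init(&c, n12, 12, UINT32_MAX);
	ctr_next_always64(&c);
	return c.w[1] == 2 ? 0 : 1;	/* nonce word went from 1 to 2 */
}
```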

This revision was not accepted when it landed; it landed in state Needs Review. Oct 6 2021, 9:11 PM
This revision was automatically updated to reflect the committed changes.