Using OCF in WireGuard
Contact: John Baldwin <jhb@FreeBSD.org>
I have looked at updating the data path crypto in the upstream WireGuard driver to use the in-kernel OpenCrypto Framework for the data path. Data packets sent over a WireGuard tunnel are encrypted with the Chacha20-Poly1305 AEAD cipher. Unlike TLS and IPsec, Wireguard uses an 8 byte nonce rather than a 12 byte nonce with this cipher.
To date, most of the work has focused on updating OCF to better support multiple nonce (and tag/MAC) lengths for a given cipher. I resurrected an old branch I had previously started on for this aimed at supporting all of the AES-CCM NIST KAT vectors many of which use non-default nonce and tag lengths. I have refined the approach to better fit the existing OCF model where nonce and MAC lengths are properties of a session (similar to key lengths). (My earlier branch had made the nonce length a property of individual operations instead.) Mostly this entailed extending the /dev/crypto interface to permit setting these parameters for a session. Existing tests for OCF run in userland and use the /dev/crypto interface including both the cryptocheck utility and the NIST KAT vector tests.
Building on these framework changes, I have extended the existing Chacha20-Poly1305 cipher in OCF to support both 8 and 12 byte nonces including in the accelerated ossl(4) driver. I also have a patch against the upstream WireGuard FreeBSD driver to make use of this for the dataplane and have verified that it interoperates with the stock WireGuard driver.
Future work will focus on upstreaming the OCF changes as well as additional review of the upstream WireGuard driver.
Sponsor: The FreeBSD Foundation
Last modified on: November 15, 2021 by Daniel Ebdrup Jensen