=== Using OCF in WireGuard

Contact: John Baldwin <[email protected]>

I have looked at updating the data path crypto in the upstream
WireGuard driver to use the in-kernel OpenCrypto Framework for the
data path.  Data packets sent over a WireGuard tunnel are encrypted
with the Chacha20-Poly1305 AEAD cipher.  Unlike TLS and IPsec,
Wireguard uses an 8 byte nonce rather than a 12 byte nonce with this
cipher.

To date, most of the work has focused on updating OCF to better
support multiple nonce (and tag/MAC) lengths for a given cipher.  I
resurrected an old branch I had previously started on for this aimed
at supporting all of the AES-CCM NIST KAT vectors many of which use
non-default nonce and tag lengths.  I have refined the approach to
better fit the existing OCF model where nonce and MAC lengths are
properties of a session (similar to key lengths).  (My earlier branch
had made the nonce length a property of individual operations
instead.)  Mostly this entailed extending the /dev/crypto interface to
permit setting these parameters for a session.  Existing tests for OCF
run in userland and use the /dev/crypto interface including both the
cryptocheck utility and the NIST KAT vector tests.

Building on these framework changes, I have extended the existing
Chacha20-Poly1305 cipher in OCF to support both 8 and 12 byte nonces
including in the accelerated ossl(4) driver.  I also have a patch
against the upstream WireGuard FreeBSD driver to make use of this for
the dataplane and have verified that it interoperates with the stock
WireGuard driver.

Future work will focus on upstreaming the OCF changes as well as
additional review of the upstream WireGuard driver.

Sponsor: The FreeBSD Foundation