WireGuard is a secure tunneling protocol with both userland and kernel implementations. After an initial flurry of bug fixes, the FreeBSD kernel wireguard codebase is more complete and stable. Automated CI is now set up for each commit, compiling and running a small smoke test on wireguard-freebsd’s supported releases.
The Foundation is sponsoring John Baldwin to work on wireguard by updating the data path crypto in the upstream WireGuard driver to use the in-kernel OpenCrypto Framework for the data path. Data packets sent over a WireGuard tunnel are encrypted with the Chacha20-Poly1305 AEAD cipher. Unlike TLS and IPsec, Wireguard uses an 8 byte nonce rather than a 12 byte nonce with this cipher.
To date, most of the work has focused on updating OCF to better support multiple nonce (and tag/MAC) lengths for a given cipher. John had previously begun work aimed at supporting all of the AES-CCM NIST KAT vectors, many of which use non-default nonce and tag lengths. The approach has been refined to better fit the existing OCF model where nonce and MAC lengths are properties of a session (similar to key lengths). (An earlier branch had made the nonce length a property of individual operations instead.) This mostly entailed extending the /dev/crypto interface to permit setting these parameters for a session. Existing tests for OCF run in userland and use the /dev/crypto interface including both the cryptocheck utility and the NIST KAT vector tests.
Building upon these framework changes, John extended the existing Chacha20-Poly1305 cipher in OCF to support both 8 and 12 byte nonces including in the accelerated ossl(4) driver. A patch against the upstream WireGuard FreeBSD driver to make use of this for the dataplane has been verified to interoperate with the stock WireGuard driver.
Future work will focus on upstreaming the OCF changes as well as additional review of the upstream WireGuard driver.