Add support to Transit, keysutil for XChaCha20-Poly1305 #36
This adds support for XChaCha20-Poly1305, a variant of ChaCha20-Poly1305 with double the nonce size (12->24). Due to the construction of most AEAD cipher modes which lack a synthetic IV (mostly this and GCM), nonce reuse becomes problematic. A small default nonce size (96 bits) results in only 96/2 = 2^48 message encryptions before reuse becomes likely due to the birthday paradox. As a result, NIST has mandated 2^32 as the upper limit on AES-GCM encryption operations in FIPS to keep the threshold sufficiently small. This necessitates key rotation when the limit is reached.
By using a larger nonce (24-bytes), key rotation can be avoided.
Resolves: #35
cc: @DemiMarie
This can be tested by rebasing on top of my prune-extra-plugins branch (to fix the build & most tests) and running `go test github.com/openbao/openbao/builtin/logical/transit` to avoid hitting issues discussed on matrix.
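The nonce-extension step behind the 24-byte nonce described above, as an added example (not code from this pull request or from OpenBao): a pure-Python HChaCha20 that maps the 32-byte key and the first 16 bytes of the XChaCha20 nonce to a fresh subkey, plus the construction of the 12-byte IETF nonce (four zero bytes followed by the remaining 8 nonce bytes). The resulting subkey and 12-byte nonce are then fed to an unmodified ChaCha20-Poly1305 AEAD; the function names are my own, and the only external reference is the HChaCha20 test vector from draft-irtf-cfrg-xchacha.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl32(v: int, c: int) -> int:
    return ((v << c) | (v >> (32 - c))) & MASK32


def _quarter_round(s: list, a: int, b: int, c: int, d: int) -> None:
    """ChaCha quarter round (RFC 8439, section 2.1) on state words a, b, c, d."""
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def hchacha20(key: bytes, nonce16: bytes) -> bytes:
    """Derive a 32-byte subkey from a 32-byte key and a 16-byte nonce.

    This is the ChaCha20 block function without the final addition of the
    initial state; only state words 0..3 and 12..15 are returned.
    """
    if len(key) != 32 or len(nonce16) != 16:
        raise ValueError("hchacha20 needs a 32-byte key and a 16-byte nonce")
    state = list(struct.unpack("<4I", b"expand 32-byte k"))  # ChaCha constants
    state += struct.unpack("<8I", key)                         # words 4..11
    state += struct.unpack("<4I", nonce16)                     # words 12..15
    for _ in range(10):  # 10 double rounds = 20 rounds
        _quarter_round(state, 0, 4, 8, 12); _quarter_round(state, 1, 5, 9, 13)
        _quarter_round(state, 2, 6, 10, 14); _quarter_round(state, 3, 7, 11, 15)
        _quarter_round(state, 0, 5, 10, 15); _quarter_round(state, 1, 6, 11, 12)
        _quarter_round(state, 2, 7, 8, 13); _quarter_round(state, 3, 4, 9, 14)
    return struct.pack("<8I", *(state[0:4] + state[12:16]))


def xchacha20_derive(key: bytes, nonce24: bytes) -> tuple:
    """Map (key, 24-byte XChaCha20 nonce) to the (subkey, 12-byte nonce) pair
    that is handed to an unmodified ChaCha20-Poly1305 AEAD (hypothetical helper)."""
    if len(nonce24) != 24:
        raise ValueError("XChaCha20-Poly1305 nonce must be 24 bytes")
    subkey = hchacha20(key, nonce24[:16])
    # IETF ChaCha20-Poly1305 takes a 96-bit nonce: 32 zero bits followed by
    # the remaining 64 bits of the extended nonce.
    return subkey, b"\x00" * 4 + nonce24[16:]
```

Because the subkey depends only on the first 16 nonce bytes, two 24-byte nonces that differ only in their last 8 bytes share a subkey but still yield distinct 12-byte nonces, which is what makes random 192-bit nonces safe well beyond the 96-bit birthday bound.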