openssh bugs - Feb 2019 - [Bug 2972] New: Add build-time option to use OpenSSL for ChaCha20-Poly1305

https://bugzilla.mindrot.org/show_bug.cgi?id=2972

            Bug ID: 2972
           Summary: Add build-time option to use OpenSSL for
                    ChaCha20-Poly1305
           Product: Portable OpenSSH
           Version: 7.9p1
          Hardware: ARM
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Miscellaneous
          Assignee: unassigned-bugs at mindrot.org
          Reporter: businesscorrespondence+openssh at rkjnsn.net

I am using an ARM board based on the Marvell ARMADA 38x Cortex-A9+NEON
CPU to run a custom NAS server. While the CPU power is limited, OpenSSL
ships with a NEON-optimized implementation of ChaCha20-Poly1305 that
achieves just over 170MB/s on this CPU (as reported by "openssl speed
-elapsed -evp ChaCha20-Poly1305 -aead"), making it by far the fastest
algorithm with good security on this CPU. Unfortunately, unlike the
other algorithms supported by OpenSSH, it will not use OpenSSL support
for ChaCha20-Poly1305 even if building with OpenSSL is enabled.
Instead, it will use the bundled generic C implementation, which
appears to be slower on this CPU by at least a factor of 3. Indeed,
using OpenSSH with 'aes128-ctr' turns out to be faster, as it uses
OpenSSL's optimized implementation, despite that implementation being
2-3 times slower according to "openssl speed" than OpenSSL's
optimized
version of ChaCha20-Poly1305.

As such, it would be really nice to be able to build OpenSSH to use
OpenSSL's optimized ChaCha20-Poly1305 implementation rather than the
built-in generic one.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2972

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
I don't think OpenSSL's combined chacha/poly method is compatible with
OpenSSH's. It might be possible to use the individual primitives from
libcrypto however. There was a patch sent to the mailing list a while
ago for this, I'll see if I can dig it up

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2972

Jakub Jelen <jjelen at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jjelen at redhat.com

--- Comment #2 from Jakub Jelen <jjelen at redhat.com> ---
The patches on mailing list are here:

https://lists.mindrot.org/pipermail/openssh-unix-dev/2019-January/037457.html
https://lists.mindrot.org/pipermail/openssh-unix-dev/2019-February/037547.html

Testing and feedback would be welcomed. The author reports significant
improvements in performance so I believe this is something worth
investigating.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2972

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
See my followup at
https://www.spinics.net/lists/openssh-unix-dev/msg05981.html

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2972

Fabio <fabio.pedretti at unibs.it> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED
                 CC|                            |fabio.pedretti at unibs.it

--- Comment #4 from Fabio <fabio.pedretti at unibs.it> ---
This is done in 8.3:

 * ssh(1), sshd(8): prefer to use chacha20 from libcrypto where
   possible instead of the (slower) portable C implementation included
   in OpenSSH.

However, AES ciphers are still a lot faster on AES acceletared
hardware, see bug #3194.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2972

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #5 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.