On Mon, Dec 22, 2014 at 9:30 PM, Guus Sliepen <guus at tinc-vpn.org> wrote:
> Although the cryptography is now separated from the rest of the logic in
> tinc, it is not really replaceable, since only OpenSSL is supported.
> However, there is also a new protocol in tinc 1.1, which uses Ed25519
> and ChaCha-Poly1305. The code for those algorithms is included in tinc,
> so the new protocol has no dependencies on external libraries.

Any reason not to use libsodium for this?

Pedro
Or polarssl ? www.polarssl.org

Static link?

On 12/28/2014 11:00 AM, Pedro Côrte-Real wrote:
> On Mon, Dec 22, 2014 at 9:30 PM, Guus Sliepen <guus at tinc-vpn.org> wrote:
>> Although the cryptography is now separated from the rest of the logic in
>> tinc, it is not really replaceable, since only OpenSSL is supported.
>> However, there is also a new protocol in tinc 1.1, which uses Ed25519
>> and ChaCha-Poly1305. The code for those algorithms is included in tinc,
>> so the new protocol has no dependencies on external libraries.
>
> Any reason not to use libsodium for this?
>
> Pedro
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
On Sun, Dec 28, 2014 at 05:00:43PM +0000, Pedro Côrte-Real wrote:
> > Although the cryptography is now separated from the rest of the logic in
> > tinc, it is not really replaceable, since only OpenSSL is supported.
> > However, there is also a new protocol in tinc 1.1, which uses Ed25519
> > and ChaCha-Poly1305. The code for those algorithms is included in tinc,
> > so the new protocol has no dependencies on external libraries.
>
> Any reason not to use libsodium for this?

I think that at the moment I was looking at it, libsodium was not yet in Debian. I opted to take libraries for Ed25519 and ChaCha-Poly1305 which looked most convenient and just merged the code into tinc. The reasons I used then might not be valid anymore now, but I don't see a good reason to switch to an external library now. If there are arguments for it, let me know.

--
Met vriendelijke groet / with kind regards,
    Guus Sliepen <guus at tinc-vpn.org>
On Sun, Dec 28, 2014 at 12:25:38PM -0600, md at rpzdesign.com wrote:
> >> Although the cryptography is now separated from the rest of the logic in
> >> tinc, it is not really replaceable, since only OpenSSL is supported.
> >> However, there is also a new protocol in tinc 1.1, which uses Ed25519
> >> and ChaCha-Poly1305. The code for those algorithms is included in tinc,
> >> so the new protocol has no dependencies on external libraries.
> >
> > Any reason not to use libsodium for this?
>
> Or polarssl ?
>
> www.polarssl.org

I actually tried porting tinc to use libgcrypt and libtomcrypt, but unfortunately there is a big impedance mismatch requiring a lot of additional code to be written just to work around it. In the end I decided it's better to incorporate just the necessary crypto primitives into tinc, without depending on external libraries too much.

As for PolarSSL, I don't remember it having support for ECC when I started work on the new protocol in tinc 1.1.

--
Met vriendelijke groet / with kind regards,
    Guus Sliepen <guus at tinc-vpn.org>
Last time I checked there were a number of new libraries implementing Ed25519 and ChaCha-Poly1305, but everything seemed quite immature - I think it would be wise to wait until things settle down (maybe when it gets into OpenSSL).

That said, there are significant advantages to using external libraries for this: some of them use heavily optimized (assembly, tuned for SSE etc.) code for ChaCha-Poly1305, which is a big win for tinc because it dramatically lowers CPU usage and increases maximum achievable throughput. See http://bench.cr.yp.to/impl-stream/chacha20.html

On Sun, Dec 28, 2014 at 6:00 PM, Pedro Côrte-Real <pedro at pedrocr.net> wrote:
> On Mon, Dec 22, 2014 at 9:30 PM, Guus Sliepen <guus at tinc-vpn.org> wrote:
>> Although the cryptography is now separated from the rest of the logic in
>> tinc, it is not really replaceable, since only OpenSSL is supported.
>> However, there is also a new protocol in tinc 1.1, which uses Ed25519
>> and ChaCha-Poly1305. The code for those algorithms is included in tinc,
>> so the new protocol has no dependencies on external libraries.
>
> Any reason not to use libsodium for this?
>
> Pedro
> That said, there are significant advantages to using external
> libraries for this: some of them use heavily optimized (assembly,
> tuned for SSE etc.) code for ChaCha-Poly1305, which is a big win for
> tinc because it dramatically lowers CPU usage and increases maximum
> achievable throughput. See
> http://bench.cr.yp.to/impl-stream/chacha20.html

This is quite a nice point, when you run tinc in OpenWRT on a small (and very limited) router :)