Bug 2972

Summary: Add build-time option to use OpenSSL for ChaCha20-Poly1305
Product: Portable OpenSSH Reporter: Erik Jensen <businesscorrespondence+openssh>
Component: MiscellaneousAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED    
Severity: enhancement CC: djm, fabio.pedretti, jjelen
Priority: P5    
Version: 7.9p1   
Hardware: ARM   
OS: Linux   

Description Erik Jensen 2019-02-24 08:59:27 AEDT 
I am using an ARM board based on the Marvell ARMADA 38x Cortex-A9+NEON CPU to run a custom NAS server. While the CPU power is limited, OpenSSL ships with a NEON-optimized implementation of ChaCha20-Poly1305 that achieves just over 170MB/s on this CPU (as reported by "openssl speed -elapsed -evp ChaCha20-Poly1305 -aead"), making it by far the fastest algorithm with good security on this CPU. Unfortunately, unlike the other algorithms supported by OpenSSH, it will not use OpenSSL support for ChaCha20-Poly1305 even if building with OpenSSL is enabled. Instead, it will use the bundled generic C implementation, which appears to be slower on this CPU by at least a factor of 3. Indeed, using OpenSSH with 'aes128-ctr' turns out to be faster, as it uses OpenSSL's optimized implementation, despite that implementation being 2-3 times slower according to "openssl speed" than OpenSSL's optimized version of ChaCha20-Poly1305.

As such, it would be really nice to be able to build OpenSSH to use OpenSSL's optimized ChaCha20-Poly1305 implementation rather than the built-in generic one.
Comment 1 Damien Miller 2019-07-12 14:56:56 AEST 
I don't think OpenSSL's combined chacha/poly method is compatible with OpenSSH's. It might be possible to use the individual primitives from libcrypto however. There was a patch sent to the mailing list a while ago for this, I'll see if I can dig it up
Comment 2 Jakub Jelen 2019-11-19 19:13:28 AEDT 
The patches on mailing list are here:

https://lists.mindrot.org/pipermail/openssh-unix-dev/2019-January/037457.html
https://lists.mindrot.org/pipermail/openssh-unix-dev/2019-February/037547.html

Testing and feedback would be welcomed. The author reports significant improvements in performance so I believe this is something worth investigating.
Comment 3 Damien Miller 2019-11-19 22:27:59 AEDT 
See my followup at https://www.spinics.net/lists/openssh-unix-dev/msg05981.html
Comment 4 Fabio 2020-07-19 04:04:42 AEST 
This is done in 8.3:

 * ssh(1), sshd(8): prefer to use chacha20 from libcrypto where
   possible instead of the (slower) portable C implementation included
   in OpenSSH.

However, AES ciphers are still a lot faster on AES acceletared hardware, see bug #3194.
Comment 5 Damien Miller 2021-04-23 14:58:11 AEST 
closing resolved bugs as of 8.6p1 release