Bug 2972 - Add build-time option to use OpenSSL for ChaCha20-Poly1305
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: Miscellaneous
Version: 7.9p1
Hardware: ARM Linux
Importance: P5 enhancement
Assignee: Assigned to nobody
Reported: 2019-02-24 08:59 AEDT by Erik Jensen
Modified: 2021-04-23 14:58 AEST
Description Erik Jensen 2019-02-24 08:59:27 AEDT
I am using an ARM board based on the Marvell ARMADA 38x Cortex-A9+NEON CPU to run a custom NAS server. While the CPU power is limited, OpenSSL ships with a NEON-optimized implementation of ChaCha20-Poly1305 that achieves just over 170MB/s on this CPU (as reported by "openssl speed -elapsed -evp ChaCha20-Poly1305 -aead"), making it by far the fastest algorithm with good security on this CPU. Unfortunately, unlike the other algorithms supported by OpenSSH, it will not use OpenSSL support for ChaCha20-Poly1305 even if building with OpenSSL is enabled. Instead, it will use the bundled generic C implementation, which appears to be slower on this CPU by at least a factor of 3. Indeed, using OpenSSH with 'aes128-ctr' turns out to be faster, as it uses OpenSSL's optimized implementation, despite that implementation being 2-3 times slower according to "openssl speed" than OpenSSL's optimized version of ChaCha20-Poly1305.

As such, it would be really nice to be able to build OpenSSH to use OpenSSL's optimized ChaCha20-Poly1305 implementation rather than the built-in generic one.
Comment 1 Damien Miller 2019-07-12 14:56:56 AEST
I don't think OpenSSL's combined chacha/poly method is compatible with OpenSSH's. It might be possible to use the individual primitives from libcrypto however. There was a patch sent to the mailing list a while ago for this; I'll see if I can dig it up.
Comment 2 Jakub Jelen 2019-11-19 19:13:28 AEDT
The patches on the mailing list are here:

https://lists.mindrot.org/pipermail/openssh-unix-dev/2019-January/037457.html
https://lists.mindrot.org/pipermail/openssh-unix-dev/2019-February/037547.html

Testing and feedback would be welcomed. The author reports significant improvements in performance so I believe this is something worth investigating.
Comment 3 Damien Miller 2019-11-19 22:27:59 AEDT
See my followup at https://www.spinics.net/lists/openssh-unix-dev/msg05981.html
Comment 4 Fabio 2020-07-19 04:04:42 AEST
This is done in 8.3:

 * ssh(1), sshd(8): prefer to use chacha20 from libcrypto where
   possible instead of the (slower) portable C implementation included
   in OpenSSH.

However, AES ciphers are still a lot faster on AES-accelerated hardware, see bug #3194.
Comment 5 Damien Miller 2021-04-23 14:58:11 AEST
closing resolved bugs as of 8.6p1 release