[Bug 2972] New: Add build-time option to use OpenSSL for ChaCha20-Poly1305

[bugzilla-daemon at bugzilla.mindrot.org]

https://bugzilla.mindrot.org/show_bug.cgi?id=2972

            Bug ID: 2972
           Summary: Add build-time option to use OpenSSL for
                    ChaCha20-Poly1305
           Product: Portable OpenSSH
           Version: 7.9p1
          Hardware: ARM
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Miscellaneous
          Assignee: unassigned-bugs at mindrot.org
          Reporter: businesscorrespondence+openssh at rkjnsn.net

I am using an ARM board based on the Marvell ARMADA 38x Cortex-A9+NEON
CPU to run a custom NAS server. While the CPU power is limited, OpenSSL
ships with a NEON-optimized implementation of ChaCha20-Poly1305 that
achieves just over 170MB/s on this CPU (as reported by "openssl speed
-elapsed -evp ChaCha20-Poly1305 -aead"), making it by far the fastest
algorithm with good security on this CPU. Unfortunately, unlike the
other algorithms supported by OpenSSH, it will not use OpenSSL support
for ChaCha20-Poly1305 even if building with OpenSSL is enabled.
Instead, it will use the bundled generic C implementation, which
appears to be slower on this CPU by at least a factor of 3. Indeed,
using OpenSSH with 'aes128-ctr' turns out to be faster, as it uses
OpenSSL's optimized implementation, despite that implementation being
2-3 times slower according to "openssl speed" than OpenSSL's optimized
version of ChaCha20-Poly1305.

As such, it would be really nice to be able to build OpenSSH to use
OpenSSL's optimized ChaCha20-Poly1305 implementation rather than the
built-in generic one.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.