[PATCH v2 1-2/2] use ecdh/X25519 from openssl when possible (openssl-1.1.1+)

Yuriy M. Kaminskiy yumkam at gmail.com
Tue Feb 19 07:29:31 AEDT 2019


On 17.02.2019 15:46, Yuriy M. Kaminskiy wrote:
> See attached:
> 
> (1) patch against 7.9p1, tested with openssl 1.1.0j and openssl
> 1.1.1a on linux/i386; passes regression test and connects to
> unpatched sshd without problems;
As the ed25519-from-openssl patch came out a bit less convoluted, I've
tried to do the same with ecdh/x25519.

So, here are V2:
(1) use openssl-1.1.1a api,
(2) [optional] emulate openssl-1.1.1a api for openssl-1.1.0.

Unfortunately, it was a bit slower (as it needs to (de)serialize
private key):

> I hacked a bit regress/unittests/kex, and benchmarked
>     do_kex_with_key("curve25519-sha256 at libssh.org", KEY_ED25519, 256);
> Before:
>   0.3295s per call
> After:
>   0.2183s per call

openssl/1.1.0j, curve25519 + ecdsa-sha256 (openssh's builtin eddsa is too slow,
so the difference between V1 and V2 is lost in the noise; I therefore replaced
ed25519 with ecdsa/p256 for this test)

ecdh/25519 V1:
   0.0185s per call
ecdh/25519 V2:
   0.0205s per call

openssl/1.1.1a, curve25519 + ed25519 (with ed25519 patch)
ecdh/25519 V1:
    0.0115s per call
ecdh/25519 V2:
    0.0131s per call (worse by 14%)

> That is, 50% speedup; assuming ed25519 (added to openssl in 1.1.1)
> takes about the same time as ecdh/x25519, there is potential for a total
> 200% speedup in KEX.
> 
> (2) rebased patch against git master; passes regression test;
> 
> I relied on the presence of NID_X25519 for autodetection; probably it
> makes sense to check in autoconf whether it is actually working; then again,
> maybe not (it won't work when cross-compiling anyway).
> 
> P.S. given amount of feedback I received so far, it seems everyone
> follows motto "it cannot be secure if it is not slow".
-------------- next part --------------
A non-text attachment was scrubbed...
Name: master-0001-use-curve25519-ecdh-from-openssl-1.1.1a-when-possibl.patch
Type: text/x-patch
Size: 6638 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20190218/a5d30a2d/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: master-0002-curve25519-ecdh-emulate-openssl-1.1.1-API-on-openssl.patch
Type: text/x-patch
Size: 4836 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20190218/a5d30a2d/attachment-0003.bin>