Suggestion: Add CHACHA20-POLY1305 and TLS_CHACHA20_POLY1305_SHA256 for speed on Raspberry Pi etc

[brozkeff]

Modern versions of OpenSSL and OpenVPN support new ciphers based on ChaCha20-Poly1305.

Using them instead of AES-GCM dramatically improves performance especially on Raspberry Pis or other low-end CPU swhich do not have HW AES acceleration.

Supported from OpenVPN2.5+ and compatible SSL library needed so allowing such ciphers as optional should check if these are supported by the running system.

Below is a quick and dirty patch I used to test it and deploy on RPi (just overwriting the default parameters). Proper way would be of course new selectable option, checks if algos are supported on the particular system, etc.

diff ./original/openvpn-install.sh ./patched/openvpn-install.sh 
393,394c393,394
< 		# Use default, sane and fast parameters
< 		CIPHER="AES-128-GCM"
---
> 		# Use modern ChaCha20-Poly1305 for faster operation on Raspberry Pi or other low-end HW
> 		CIPHER="CHACHA20-POLY1305"
397c397
< 		CC_CIPHER="TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"
---
> 		CC_CIPHER="TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256"

Test comparion on RPi4 1GB RAM shows ChaCha20-Poly1305 is cca 4.5× faster than AES-128-GCM:

$ openssl speed -elapsed -evp aes-128-gcm
You have chosen to measure elapsed time instead of user CPU time.
Doing AES-128-GCM for 3s on 16 size blocks: 8399910 AES-128-GCM's in 3.00s
Doing AES-128-GCM for 3s on 64 size blocks: 2530334 AES-128-GCM's in 3.00s
Doing AES-128-GCM for 3s on 256 size blocks: 762014 AES-128-GCM's in 3.00s
Doing AES-128-GCM for 3s on 1024 size blocks: 200959 AES-128-GCM's in 3.00s
Doing AES-128-GCM for 3s on 8192 size blocks: 25868 AES-128-GCM's in 3.00s
Doing AES-128-GCM for 3s on 16384 size blocks: 12978 AES-128-GCM's in 3.00s
version: 3.0.13
built on: Mon Apr 29 14:39:02 2024 UTC
options: bn(64,64)
compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -fzero-call-used-regs=used-gpr -DOPENSSL_TLS_SECURITY_LEVEL=2 -Wa,--noexecstack -g -O2 -ffile-prefix-map=/build/openssl-928mA1/openssl-3.0.13=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
CPUINFO: OPENSSL_armcap=0x81
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
AES-128-GCM      44799.52k    53980.46k    65025.19k    68594.01k    70636.89k    70877.18k

$ openssl speed -elapsed -evp chacha20-poly1305
You have chosen to measure elapsed time instead of user CPU time.
Doing ChaCha20-Poly1305 for 3s on 16 size blocks: 15080966 ChaCha20-Poly1305's in 3.00s
Doing ChaCha20-Poly1305 for 3s on 64 size blocks: 6477209 ChaCha20-Poly1305's in 3.00s
Doing ChaCha20-Poly1305 for 3s on 256 size blocks: 2940868 ChaCha20-Poly1305's in 3.00s
Doing ChaCha20-Poly1305 for 3s on 1024 size blocks: 909247 ChaCha20-Poly1305's in 3.00s
Doing ChaCha20-Poly1305 for 3s on 8192 size blocks: 118162 ChaCha20-Poly1305's in 3.00s
Doing ChaCha20-Poly1305 for 3s on 16384 size blocks: 58899 ChaCha20-Poly1305's in 3.00s
version: 3.0.13
built on: Mon Apr 29 14:39:02 2024 UTC
options: bn(64,64)
compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -fzero-call-used-regs=used-gpr -DOPENSSL_TLS_SECURITY_LEVEL=2 -Wa,--noexecstack -g -O2 -ffile-prefix-map=/build/openssl-928mA1/openssl-3.0.13=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
CPUINFO: OPENSSL_armcap=0x81
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
ChaCha20-Poly1305    80431.82k   138180.46k   250954.07k   310356.31k   322661.03k   321667.07k