Re: setkey -- twofish-cbc unsupported algorithm

To: Pierre-Philipp Braun <pbraun%nethence.com@localhost>
Subject: Re: setkey -- twofish-cbc unsupported algorithm
From: Greg Troxel <gdt%lexort.com@localhost>
Date: Tue, 28 Apr 2020 12:03:33 -0400

Pierre-Philipp Braun <pbraun%nethence.com@localhost> writes:

> Of course, the only symmetric cipher that can compete with hardware
> accelerated AES in terms of throughput is Chacha20 and we don't have
> it in setkey.  It's there in the OpenSSH code, though, it's even
> builtin without OpenSSL.

I'm not clear on if Chacha20 is specified for IPsec.

> I am not clear however on how to test crypto hardware acceleration on
> netbsd.  I could try the `openssl speed` feature but the first thing I
> would be looking for is whether my CPU has the AES-NI, AVX and AVX2
> flags available.  Is there a way to do that on NetBSD?  Then how to
> check of /dev/crypto is leveraged at various places in userland?

See the cpuctl man page.

NetBSD has support for various crypto offload devices.  Aside from
AES-NI instrucions, my impression is that offload devices are mostly
useful for public-key operations.

Run "openssl engine" and read any associated man pages.

See crypto(4) and opencrypto(9).

Follow-Ups:
- Re: setkey -- twofish-cbc unsupported algorithm
  - From: Pierre-Philipp Braun

References:
- setkey -- twofish-cbc unsupported algorithm
  - From: Pierre-Philipp Braun
- Re: setkey -- twofish-cbc unsupported algorithm
  - From: Greg Troxel
- Re: setkey -- twofish-cbc unsupported algorithm
  - From: Pierre-Philipp Braun

Prev by Date: Re: setkey -- twofish-cbc unsupported algorithm
Next by Date: Re: setkey -- twofish-cbc unsupported algorithm
Previous by Thread: Re: setkey -- twofish-cbc unsupported algorithm
Next by Thread: Re: setkey -- twofish-cbc unsupported algorithm
Indexes:

Home | Main Index | Thread Index | Old Index