Enable chacha20-poly1305@openssh.com cipher

[q3cpma]

Hello, since modern OpenSSH removed arcfour and blowfish, this might be the fastest pure CPU (without AES-NI) cipher we have. But it doesn't seem to be available:

sftp -c chacha20-poly1305@openssh.com -P 1234 user@192.168.1.20:
Unable to negotiate with 192.168.1.20 port 1234: no matching cipher found. Their offer: aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
Connection closed.
Connection closed

A quick read of mina-sshd (https://github.com/apache/mina-sshd/blob/master/sshd-common/src/main/java/org/apache/sshd/common/cipher/BuiltinCiphers.java#L380) shows it should be available, so why not?

[wolpi]

In this app we have mina sshd 0.x. Your link points to version 2.x.
Why do we have this old version?
In this old code base, and support for old Android versions, we still have Java 6. Mina 2.x demands newer Java.
After a short look it seems that Mina 2.x has completley different API. That means a lot of work to integrate it in this app.

Nevertheless it might be possible to enable chacha20, needs to be checked.

[q3cpma]

On Sun Sep 3, 2023 at 3:58 PM CEST, wolpi wrote: In this app we have mina sshd 0.x. Your link points to version 2.x. Why do we have this old version? In this old code base, and support for old Android versions, we still have Java 6. Mina 2.x demands newer Java. After a short look it seems that Mina 2.x has completley different API. That means a lot of work to integrate it in this app. Nevertheless it might be possible to enable chacha20, needs to be checked.

Thanks for the fast reply. I see...

[wolpi]

There is a new attack on chacha20-poly1305:
https://terrapin-attack.com/