>> I have looked at implementing AES CCM, which could be much faster,
>> particularly on platforms with AES implemented in CPU instructions, but
>> it doesn't fit nicely in the cipher and MAC negotiation mechanism.

> That would actually be amazingly cool.

Keep in mind that CCM mode calls the encryption function twice per
block, meaning that it's ~2x as slow as encryption alone. Therefore a
performance gain can be observed only if the hash function is slower
than AES, which is not necessarily the case. At least it's not the case
with currently widely used hash functions. As of now, hardware AES is
virtually the only occasion when it's beneficial to favor CCM over a
combination with e.g. SHA1 [provided that SHA1 is implemented in
software], but as new, slower hash functions are adopted, CCM becomes
more attractive even for software-only systems. It makes sense to
implement the mode algorithm at the OpenSSL level [it would be possible
to optimize it at a lower level in both hardware and software cases], so
when/if you figure out negotiation, give me a note. A.

openssh-unix-dev mailing list
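The "two block-cipher calls per block" cost claimed above can be measured rather than argued. The following is an added example, not code from OpenSSH, OpenSSL or the thread's authors: a straightforward CCM (RFC 3610) encrypt routine in Go over an instrumented AES block from the standard library. It checks its output against RFC 3610 packet vector #1 (8-byte header, 23-byte payload, 8-byte tag, 2-byte length field) and reports how many AES invocations the CBC-MAC pass plus the CTR pass consumed. The function and type names (`ccmSeal`, `sealAndCount`, `ccmCalls`, `countingBlock`) are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// countingBlock wraps a cipher.Block and counts Encrypt calls, so the cost of
// CCM is measured in AES invocations rather than estimated.
type countingBlock struct {
	cipher.Block
	calls int
}

func (c *countingBlock) Encrypt(dst, src []byte) {
	c.calls++
	c.Block.Encrypt(dst, src)
}

// ccmSeal implements CCM encryption per RFC 3610: a CBC-MAC pass over
// B_0 || AAD || msg, then a CTR pass over msg, with the MAC masked by S_0.
// Each message block therefore costs two block-cipher calls, one per pass.
func ccmSeal(b cipher.Block, nonce, aad, msg []byte, tagLen int) ([]byte, error) {
	L := 15 - len(nonce) // size of the length field; nonce is 15-L bytes
	if L < 2 || L > 8 || tagLen < 4 || tagLen > 16 || tagLen%2 != 0 {
		return nil, fmt.Errorf("ccm: bad nonce length %d or tag length %d", len(nonce), tagLen)
	}
	if uint64(len(aad)) >= 1<<32 {
		return nil, fmt.Errorf("ccm: AAD length encoding above 2^32 not implemented here")
	}
	// B_0 = flags || nonce || l(m), flags = Adata | M' | L'
	b0 := make([]byte, 16)
	b0[0] = byte(((tagLen-2)/2)<<3) | byte(L-1)
	if len(aad) > 0 {
		b0[0] |= 0x40
	}
	copy(b0[1:], nonce)
	for i, n := 0, len(msg); i < L; i++ {
		b0[15-i] = byte(n)
		n >>= 8
		if i == L-1 && n != 0 {
			return nil, fmt.Errorf("ccm: message too long for %d-byte length field", L)
		}
	}
	mac := make([]byte, 16)
	cbcMAC := func(data []byte) { // zero-pads data to whole blocks
		for off := 0; off < len(data); off += 16 {
			var blk [16]byte
			copy(blk[:], data[off:])
			for i := range mac {
				mac[i] ^= blk[i]
			}
			b.Encrypt(mac, mac)
		}
	}
	cbcMAC(b0)
	if n := len(aad); n > 0 { // AAD is prefixed with its length (RFC 3610 2.2)
		hdr := []byte{byte(n >> 8), byte(n)}
		if n >= 0xff00 {
			hdr = []byte{0xff, 0xfe, byte(n >> 24), byte(n >> 16), byte(n >> 8), byte(n)}
		}
		cbcMAC(append(hdr, aad...))
	}
	cbcMAC(msg)
	// CTR pass: A_i = L' || nonce || i; A_0 yields S_0, which masks the MAC.
	ctr := make([]byte, 16)
	ctr[0] = byte(L - 1)
	copy(ctr[1:], nonce)
	s0 := make([]byte, 16)
	b.Encrypt(s0, ctr)
	out := make([]byte, len(msg)+tagLen)
	ks := make([]byte, 16)
	for off := 0; off < len(msg); off += 16 {
		for i := 15; i >= 16-L; i-- { // big-endian increment of the counter field
			if ctr[i]++; ctr[i] != 0 {
				break
			}
		}
		b.Encrypt(ks, ctr)
		for i := 0; i < 16 && off+i < len(msg); i++ {
			out[off+i] = msg[off+i] ^ ks[i]
		}
	}
	for i := 0; i < tagLen; i++ {
		out[len(msg)+i] = mac[i] ^ s0[i]
	}
	return out, nil
}

// sealAndCount runs ccmSeal over an instrumented AES and reports the number
// of AES block encryptions consumed.
func sealAndCount(key, nonce, aad, msg []byte, tagLen int) ([]byte, int, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, 0, err
	}
	cb := &countingBlock{Block: blk}
	out, err := ccmSeal(cb, nonce, aad, msg, tagLen)
	return out, cb.calls, err
}

// ccmCalls is the closed form of that count (assumes a 2-byte AAD length
// encoding, i.e. AAD shorter than 0xff00 bytes): B_0, the padded AAD blocks,
// one CBC-MAC block per message block, S_0, and one CTR block per message block.
func ccmCalls(aadLen, msgLen int) int {
	blocks := func(n int) int { return (n + 15) / 16 }
	calls := 1 + blocks(msgLen) + 1 + blocks(msgLen)
	if aadLen > 0 {
		calls += blocks(2 + aadLen)
	}
	return calls
}

func main() {
	// RFC 3610 packet vector #1: key, 13-byte nonce, 8-byte header, 23-byte payload.
	key, _ := hex.DecodeString("c0c1c2c3c4c5c6c7c8c9cacbcccdcecf")
	nonce, _ := hex.DecodeString("00000003020100a0a1a2a3a4a5")
	pkt, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e")
	out, calls, err := sealAndCount(key, nonce, pkt[:8], pkt[8:], 8)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext||tag: %x\n", out)
	fmt.Printf("AES calls: %d for %d payload bytes (CTR alone would need %d)\n",
		calls, len(pkt)-8, (len(pkt)-8+15)/16)
}
```

For this vector the count is 7 AES calls against 2 for CTR encryption alone; the fixed overhead (B_0, the AAD block, S_0) shrinks in proportion as packets grow, and what remains is the two-calls-per-block cost the message above describes. The same accounting applies to decryption, since CCM's CBC-MAC must be recomputed over the plaintext.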