[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: tor plus openssl hardware?

On 2/6/07, Udo van den Heuvel <udovdh@xxxxxxxxx> wrote:

Anybody here got some experience with tor and openssl hardware

seems to work great, but i've only used it as a client.

I run a tiny tor server on my ADSL line, on a VIA EK8000 board which
supports VIA PadLock (no-RNG, ACE). (i.e. AES support and a hardware RNG)
I compiled support in the kernel and patched openssl with patches from
http://www.logix.cz/michal/devel/padlock/ to make padlock static and
default, etc.

as Nick mentioned, Tor can handle engines in openssl with the config option. if you have a C7 with PHE and MONTMULT i've got a temporary patch here:


that includes RSA/DSA acceleration via the new bn_mont_mult extension
backported from 0.9.9 and includes the above patches.  use at your own

you will need a kernel that recognizes the phe_en instruction for the
config to work:

grep flags /proc/cpuinfo
flags           : [...] rng rng_en ace ace_en ace2 ace2_en phe phe_en pmm pmm_en

and simply patch against 0.9.8e and configure via:
./config --prefix=/usr --openssldir=/etc/ssl threads shared

you'll probably need to manually copy the .so*'s into
/usr/lib/i686/cmov/ or appropriate location in your system.  this does
include the patches with so versioning so various debian like systems
won't complain when dynamic linking to these new libs.

BIG WARNING: these binaries are using asm optimized montgomery
multiplication, not as engine, but as platform native optimizations.
this means they will absolutely die on any non-montmult enabled
processor.  C7 only, sorry.

the speed up is impressive:
1.5Ghz C7 with patched openssl speed test:
SHA-1 throughput 268,405.03kB/sec with 8k blocks
SHA2-256 throughput 263,643.08kB/sec with 8k blocks
AES-128-CBC throughput 1,029,006.84kB/sec with 8k blocks
AES-256-CBC throughput 779,103.35kB/sec with 8k blocks
[ montmult accel via openssl 0.9.9 bn_mont_mult via-mont.pl asm optimization ]
rsa 1024 394.1 sign/sec, 8710.6 verify/sec
rsa 2048 84.0 sign/sec, 2973.4 verify/sec
rsa 4096 14.2 sign/sec, 866.8 verify/sec
dsa 1024 1024.0 sign/sec, 852.5 verify/sec
dsa 2048 349.2 sign/sec, 294.6 verify/sec
[ to gather your own stats invoke "openssl speed" ]

best regards,