[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] Is AES-NI enabled in tor?




Please don't mix multiple questions into one thread.
Sorry, my bad.

Tor does not implement crypto itself (mostly) and relies on a
cryptolibrary (which is OpenSSL/LibreSSL/etc) instead. Thus you should
check if AES-NI is enabled in your cryptolibrary.

An excerpt from StackOverflow answer [1] about it:

$ openssl speed -elapsed -evp aes-128-cbc

$ OPENSSL_ia32cap="~0x200000200000000" openssl speed -elapsed -evp
aes-128-cbc

"Output of the first line should be significantly faster than the
second." If there is no AES-NI enabled in "OpenSSL" these two should
give similar results.
I couldn't do that test. OpenSSL was not installed.
After I installed it I could perform that test and it was positive.
Here is the output:

$ openssl speed -elapsed -evp aes-128-cbc
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-cbc for 3s on 16 size blocks: 33370007 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 13118341 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 3915543 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 1029134 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 130438 aes-128-cbc's in 3.00s
OpenSSL 1.0.1t  3 May 2016
built on: Fri Sep 23 17:53:23 2016
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) blowfish(idx)
compiler: gcc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     177973.37k   279857.94k   334126.34k   351277.74k   356182.70k


$ OPENSSL_ia32cap="~0x200000200000000" openssl speed -elapsed -evp aes-128-cbc
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-cbc for 3s on 16 size blocks: 6232419 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 1776077 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 454887 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 114409 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 14327 aes-128-cbc's in 3.00s
OpenSSL 1.0.1t  3 May 2016
built on: Fri Sep 23 17:53:23 2016
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) blowfish(idx)
compiler: gcc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc      33239.57k    37889.64k    38817.02k    39051.61k    39122.26k


But it is a little confusing for me because there is this line in the logs:

Tor 0.2.9.8 (git-a0df013ea241b026) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.1t and Zlib 1.2.8.

From that I thought Tor used already OpenSSL but it wasn't installed. :S

I bought this board with this CPU (incl. AES-NI support) because I thought it would give a benefit.

N.B. AES-NI is not a feature of *motherboard* - it's CPU instructions
(NI stands for "New Instructions").
I simply forgot that. ;)


Cheers,
Patrice
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays