
Re: [tor-relays] HW-Accelerated OpenSSL & Tor not playing nicely.



On Sat, 02 May 2015 12:10:33 -0400
12xBTM <12xbtm@xxxxxxxxx> wrote:

> So, I deleted the /usr/local/ssl/ folder and went from there. I got
> the sudo make test going again, and it failed D: . So the last thing 
> remains: How do I get/install that patch that supposedly corrects
> this?

...

Quoting from the README file:
> Note that OpenSSL's cryptodev implementation is outdated, and there
> are issues with it. For that we recommend to use the patches
> below, that we have provided to the openssl project.
>
> http://...

You're making it sound as if the patches are on display in the bottom
of a locked filing cabinet stuck in a disused lavatory with a sign on
the door saying 'Beware of the Leopard'.

Anyway...

 * I haven't bothered to check if the patches apply cleanly, only that
   they weren't ever merged.  Shouldn't be that hard to fix the patches
   if they've rotted.

 * According to one of the writeups linked, in 2013 cryptodev wasn't
   exposing a CTR-AES EVP engine.  If this is still the case, the bulk
   of tor's AES calls will not benefit from the acceleration (Skimming
   the cryptodev code quickly, this would ultimately be a kernel issue).

 * The SHA acceleration will only help TLS, because the bulk of the
   SHA calls in tor don't use the EVP interface (For good reasons in
   the case of SHA1, and "it's a good idea, someone should do it"
   reasons for SHA256).

   I'd expect in a lot of cases that the gains would be fairly minimal
   anyway, since using hardware acceleration with this configuration
   requires a syscall.

> if there's a better way to go about having HW-accelerated crypto for
> Tor (excluding Intel aes-ni), please let me know.

Instead of some garbage TI part, use something that supports ARM-v8's
AES, SHA1, SHA256, and VMULL instructions.

Regards,

-- 
Yawning Angel


_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
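
As an added example (not part of the original message, nor code from the Tor or OpenSSL projects), this shell function checks whether a Linux system advertises the ARMv8 AES, SHA1, SHA256 and VMULL instructions recommended in the reply above, by reading the `Features` line of `/proc/cpuinfo`. The function name and both sample inputs are constructed for illustration; `pmull` is the kernel's flag for the polynomial multiply (VMULL.P64) feature and `sha2` its flag for SHA-256.

```shell
#!/bin/sh
# Report which ARMv8 Crypto Extension features a CPU does NOT advertise.
# Linux lists them on the "Features" line of /proc/cpuinfo as:
#   aes, pmull (VMULL.P64 on AArch32), sha1, sha2 (SHA-256)

# missing_crypto_features CPUINFO_TEXT  (hypothetical helper name)
# Prints the absent features, space separated; prints nothing if all are present.
missing_crypto_features() {
    # Use the first Features line only; cores normally report the same set.
    feats=$(printf '%s\n' "$1" | tr '\t' ' ' |
            awk -F: '/^Features/ { print $2; exit }')
    missing=""
    for want in aes pmull sha1 sha2; do
        case " $feats " in
            *" $want "*) ;;   # whole-word match against the flag list
            *) missing="${missing:+$missing }$want" ;;
        esac
    done
    printf '%s' "$missing"
}

# Constructed sample: an ARMv8 core with the Crypto Extensions.
SAMPLE_ARMV8='processor : 0
Features : fp asimd evtstrm aes pmull sha1 sha2 crc32
CPU implementer : 0x41'

# Constructed sample: an ARMv7 core with NEON but no crypto instructions.
SAMPLE_ARMV7='processor : 0
model name : ARMv7 Processor rev 2 (v7l)
Features : half thumb fastmult vfp edsp neon vfpv3 tls vfpd32'

report() {
    m=$(missing_crypto_features "$2")
    if [ -z "$m" ]; then
        echo "$1: AES, SHA1, SHA256 and polynomial multiply all available"
    else
        echo "$1: missing $m (crypto would fall back to software)"
    fi
}

report "sample ARMv8" "$SAMPLE_ARMV8"
report "sample ARMv7" "$SAMPLE_ARMV7"
if [ -r /proc/cpuinfo ]; then
    report "this machine" "$(cat /proc/cpuinfo)"
fi
```

On a non-ARM host the `Features` line is absent, so the "this machine" line lists all four flags as missing.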