Tor does not support OpenSSL dynamic hardware engines
NOTE: fix due in 0.2.2.x. branch hardware_accel_improvements at git://git.torproject.org/~coderman/git/tor.git
The existing support for crypto acceleration in Tor via the HardwareAccel 1 option is not able to load dynamic engines, for example padlock acceleration with VIA processors.
See also http://archives.seul.org/or/talk/Dec-2008/msg00314.html
To fix this, src/common/crypto.c should be extended to attempt dynamic engine loading. NOTE: I have fixed the engine name to "padlock"; robust support for this feature will require a config option like "HardwareEngineName" or such.
In crypto_global_init():

    if (useAccel > 0) {
      ENGINE *e = NULL;
      log_info(LD_CRYPTO, "Initializing OpenSSL engine support.");
      ENGINE_load_builtin_engines();
      ENGINE_register_all_complete();
      /* Prefer a built-in engine; fall back to the dynamic loader. */
      e = ENGINE_by_id("padlock");
      if (!e) {
        log_info(LD_CRYPTO, "Trying to load dynamic Padlock OpenSSL engine.");
        e = try_load_engine("padlock");
        if (!e) {
          log_info(LD_CRYPTO, "Unable to load Padlock OpenSSL engine.");
        }
      }
      if (e) {
        log_info(LD_CRYPTO,
                 "Loaded Padlock OpenSSL engine, setting default ciphers.");
        ENGINE_set_default(e, ENGINE_METHOD_ALL);
      }
    }
Where the try_load_engine for dynamic libs is:

    /* Try to load a dynamic engine library. */
    static ENGINE *
    try_load_engine(const char *engine)
    {
      ENGINE *e = ENGINE_by_id("dynamic");
      if (e) {
        /* SO_PATH names the shared library, LOAD makes the loader open it. */
        if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", engine, 0) ||
            !ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0)) {
          ENGINE_free(e);
          e = NULL;
        }
      }
      return e;
    }
Depending on VIA processor/stepping this results in:

    Mar 08 06:32:00.473 [info] crypto_global_init(): Initializing OpenSSL engine support.
    Mar 08 06:32:00.473 [info] crypto_global_init(): Loaded Padlock OpenSSL engine, setting default ciphers.
    Mar 08 06:32:00.473 [info] Using default implementation for RSA
    Mar 08 06:32:00.473 [info] Using default implementation for DH
    Mar 08 06:32:00.473 [info] Using default implementation for RAND
    Mar 08 06:32:00.473 [notice] Using OpenSSL engine VIA PadLock: RNG (not used) ACE2 PHE(8192) PMM [padlock] for SHA1
    Mar 08 06:32:00.473 [info] Using default implementation for 3DES
    Mar 08 06:32:00.473 [notice] Using OpenSSL engine VIA PadLock: RNG (not used) ACE2 PHE(8192) PMM [padlock] for AES
    ...
[Automatically added by flyspray2trac: Operating System: All]
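
Once the engine name comes from a config option such as the proposed "HardwareEngineName", the string reaches the dynamic engine's SO_PATH control in try_load_engine(), which names a shared library that the Tor process then loads. The following is an added example, not code from this ticket or from Tor, of a check that accepts only a bare engine id before it is passed on. The function name engine_name_is_safe, the 32-character limit and the sample values are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical limit for this example; not an OpenSSL or Tor constant. */
#define ENGINE_NAME_MAX 32

/* Return 1 if `name` is a bare engine id that may be handed to the
 * dynamic engine's SO_PATH control, 0 otherwise.  Only [A-Za-z0-9_-] is
 * accepted, so path separators, "..", whitespace and control bytes can
 * never reach the library loader.  (Hypothetical helper.) */
int
engine_name_is_safe(const char *name)
{
  size_t i, len;

  if (!name)
    return 0;
  len = strlen(name);
  if (len == 0 || len > ENGINE_NAME_MAX)
    return 0;
  for (i = 0; i < len; ++i) {
    unsigned char c = (unsigned char)name[i];
    int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
             (c >= '0' && c <= '9') || c == '_' || c == '-';
    if (!ok)
      return 0;
  }
  /* "dynamic" is the id of the loader engine itself, not a target. */
  if (!strcmp(name, "dynamic"))
    return 0;
  return 1;
}

int
main(void)
{
  /* Constructed sample values for a HardwareEngineName-style option. */
  const char *samples[] = { "padlock", "../lib/other", "/tmp/x.so",
                            "pad lock", "", "dynamic" };
  size_t i;
  for (i = 0; i < sizeof(samples) / sizeof(samples[0]); ++i)
    printf("%-14s -> %s\n", samples[i][0] ? samples[i] : "(empty)",
           engine_name_is_safe(samples[i]) ? "accept" : "reject");
  return 0;
}
```

A caller would run this check on the configured name and log a warning instead of calling try_load_engine() when it fails.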