Opened 11 years ago

Last modified 7 years ago

#937 closed defect (Fixed)

Tor does not support OpenSSL dynamic hardware engines

Reported by: coderman Owned by: coderman
Priority: Low Milestone: post 0.2.1.x
Component: Core Tor/Tor Version: 0.2.1.12-alpha
Severity: Keywords:
Cc: coderman, nickm Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

NOTE: fix due in 0.2.2.x.
branch hardware_accel_improvements at git://git.torproject.org/~coderman/git/tor.git

The existing support for crypto acceleration in Tor via the HardwareAccel 1 option is not able to load dynamic engines.

For example, padlock acceleration with Via processors. See also http://archives.seul.org/or/talk/Dec-2008/msg00314.html

To fix this the src/common/crypto.c should be extended to attempt dynamic engine loading.
NOTE: I have fixed the engine name to "padlock"; robust support for this feature will require a config option
like "HardwareEngineName" or such.

In crypto_global_init():
if (useAccel > 0) {

ENGINE *e = NULL;
log_info(LD_CRYPTO, "Initializing OpenSSL engine support.");
ENGINE_load_builtin_engines();
ENGINE_register_all_complete();
e = ENGINE_by_id ("padlock");
if (!e) {

log_info(LD_CRYPTO, "Trying to load dynamic Padlock OpenSSL engine.");
e = try_load_engine ("padlock");
if (!e) {

log_info(LD_CRYPTO, "Unable to load Padlock OpenSSL engine.");

}

}
if (e) {

log_info(LD_CRYPTO, "Loaded Padlock OpenSSL engine, setting default ciphers.");
ENGINE_set_default (e, ENGINE_METHOD_ALL);

}

}

Where the try_load_engine for dynamic libs is:

/* Try to load a dynamic engine library. */
static ENGINE *
try_load_engine(const char *engine)
{

ENGINE *e = ENGINE_by_id ("dynamic");
if (e)

{

if (!ENGINE_ctrl_cmd_string (e, "SO_PATH", engine, 0)

!ENGINE_ctrl_cmd_string (e, "LOAD", NULL, 0))

{

ENGINE_free (e);
e = NULL;

}

}

return e;

}

Depending on VIA processor/stepping this results in:
Mar 08 06:32:00.473 [info] crypto_global_init(): Initializing OpenSSL engine support.
Mar 08 06:32:00.473 [info] crypto_global_init(): Loaded Padlock OpenSSL engine, setting default ciphers.
Mar 08 06:32:00.473 [info] Using default implementation for RSA
Mar 08 06:32:00.473 [info] Using default implementation for DH
Mar 08 06:32:00.473 [info] Using default implementation for RAND
Mar 08 06:32:00.473 [notice] Using OpenSSL engine VIA PadLock: RNG (not used) ACE2 PHE(8192) PMM [padlock] for SHA1
Mar 08 06:32:00.473 [info] Using default implementation for 3DES
Mar 08 06:32:00.473 [notice] Using OpenSSL engine VIA PadLock: RNG (not used) ACE2 PHE(8192) PMM [padlock] for AES
...

[Automatically added by flyspray2trac: Operating System: All]

Child Tickets

Change History (8)

comment:1 Changed 11 years ago by coderman

After some additional testing this only appears necessary if the shared library implementation of the engine is not
located in the usual place OpenSSL expects to find it, like /usr/lib/ssl/engines/ . The engine_set_default should
be sufficient for whatever engine is named in the config option or command line.

comment:2 Changed 11 years ago by nickm

Sounds like a feature; want to write the patch for 0.2.2.x?

comment:3 Changed 11 years ago by coderman

sure; assigned to myself for resolution.

comment:4 Changed 10 years ago by coderman

Prelimary fix in branch hardware_accel_improvements at git://git.torproject.org/~coderman/git/tor.git

Verified on VIA padlock engine:
[info] crypto_global_init(): Initializing OpenSSL engine support.
[info] crypto_global_init(): Initializing dynamic OpenSSL engine "padlock" acceleration support.
[info] crypto_global_init(): Loaded dynamic OpenSSL engine "padlock".
[info] crypto_global_init(): Loaded OpenSSL hardware acceleration engine, setting default ciphers.
[info] Using default implementation for RSA
[info] Using default implementation for DH
[info] Using default implementation for RAND
[notice] Using OpenSSL engine VIA PadLock: RNG (not used) ACE2 PHE(8192) PMM [padlock] for SHA1
[info] Using default implementation for 3DES
[notice] Using OpenSSL engine VIA PadLock: RNG (not used) ACE2 PHE(8192) PMM [padlock] for AES

comment:5 Changed 10 years ago by coderman

See usage for new arguments AccelName for the engine ID to set as default.
AccelDir if your shared library dynamic engine resides somewhere other than the OpenSSL default.
Remember to set HardwareAccel 1 in either case...

comment:6 Changed 10 years ago by nickm

Fix applied as of e84ddead349e5af8c183042d3de27ecb4b6d4e87.

comment:7 Changed 10 years ago by nickm

flyspray2trac: bug closed.

comment:8 Changed 7 years ago by nickm

Component: Tor ClientTor
Note: See TracTickets for help on using tickets.