Probably (and hopefully) a very obvious fix for those that aren't newbies to Linux, but I'm trying to get Hardware-Accelerated OpenSSL to work with Tor on Jessie. I've gotten the Hardware-Accelerated OpenSSL part done, but the Tor part is giving me problems. I am able to successfully compile Tor by itself, and I'm able to successfully utilize OpenSSL by itself, but getting them to work together isn't working. So, I'll give a run-down of what I've done, and where I'm stuck:
Info:
    Linux beaglebone 3.14.39-ti-r61 #1 SMP PREEMPT Fri Apr 24 18:32:15 UTC 2015 armv7l GNU/Linux
    Debian 8 Console
    Tor 2.6.7
Information Sources: https://superuser.com/questions/881404/beaglebone-black-openssl-crypto-accel... and http://datko.net/2013/10/28/tor_cryptodev/
Step 1: Getting OpenSSL to become Hardware-Accelerated
    sudo apt-get install linux-image-3.14.39-ti-r61
    sudo apt-get install linux-headers-3.14.39-ti-r61
    wget http://download.gna.org/cryptodev-linux/cryptodev-linux-1.7.tar.gz
    tar zxf cryptodev-linux-1.7.tar.gz
    cd cryptodev-linux-1.7/
    sudo make
    sudo make install
    sudo depmod -a
    sudo modprobe cryptodev
    lsmod
    sudo sh -c 'echo cryptodev>>/etc/modules'
    cd ~
    wget https://www.openssl.org/source/openssl-1.0.2a.tar.gz
    tar zxf openssl-1.0.2a.tar.gz
    cd openssl-1.0.2a/
    ls
    ./config -DHAVE_CRYPTODEV -DUSE_CRYPTDEV_DIGESTS shared
    sudo make
    sudo make install
Step 2: Test OpenSSL:
    /usr/local/ssl/bin/openssl speed -evp aes-128-cbc
Results confirm hardware acceleration is functional
Step 3: Making Tor use OpenSSL
Added to /etc/apt/sources.list :
    deb http://deb.torproject.org/torproject.org jessie main
    deb-src http://deb.torproject.org/torproject.org jessie main
    deb http://deb.torproject.org/torproject.org tor-experimental-0.2.6.x-jessie main
    deb-src http://deb.torproject.org/torproject.org tor-experimental-0.2.6.x-jessie main
Fixed the key nonsense
    sudo apt-get update
    sudo apt-get install build-essential fakeroot devscripts
    sudo apt-get build-dep tor
    mkdir ~/debian-packages; cd ~/debian-packages
    sudo apt-get source tor
    cd tor-*
And it's here where I believe the problem lies:
    sudo nano debian/rules
Add the two lines as shown on the "guide" such that mine reads:
    override_dh_auto_configure:
            ! [ -e debian/micro-revision.i ] || cp debian/micro-revision.i src/or/micro-revision.i
            dh_auto_configure -- \
                    $(confflags) \
                    --enable-static-openssl \
                    --with-openssl-dir=/usr/local/ssl \
                    --prefix=/usr \
                    --mandir=$${prefix}/share/man \
                    --infodir=$${prefix}/share/info \
                    --localstatedir=/var \
                    --sysconfdir=/etc \
                    --disable-silent-rules \
                    --enable-gcc-warnings-advisory
Then:
    sudo debuild -rfakeroot -uc -us
Error message after 35m:
    15/359 TESTS FAILED. (0 skipped)
    Makefile:6429: recipe for target 'test' failed
    make[1]: *** [test] Error 1
    make[1]: Leaving directory '/home/debian/debian-packages/tor-0.2.6.7/build'
    dh_auto_test: make -j1 test returned exit code 2
    debian/rules:16: recipe for target 'build' failed
    make: *** [build] Error 2
    dpkg-buildpackage: error: debian/rules build gave error exit status 2
    debuild: fatal error at line 1376:
    dpkg-buildpackage -rfakeroot -D -us -uc failed
My thoughts: I noticed on the Tor FAQ here: https://www.torproject.org/docs/faq.html.en#RelayMemory
That adding the malloc flag is done using the ./configure option, while I used nano. If that's the problem, how do I use configure for adding the other flags such as OpenSSL dir and static openssl? Also, I noticed that the path I add to the configure is not quite the same as the path used to test openssl's functionality. Also, the tor confflag mentions static openssl, but the openssl ./configure talked about being shared. Also, does the ordering of the other confflags matter? Is it asking for a static openssl prior to learning the directory of the correct library? I'm just trying to brainstorm why I'm getting this one error. Looking at the test log, looks like there's some kind of error in the self-test of the cryptographic engine, yet it works in OpenSSL by itself? Any help would be appreciated, thanks.
Super long test log:
onion_handshake: cryptodev_digest_update: illegal inputs
FAIL ../src/test/test.c:84: assert(! onion_skin_TAP_create(pk, &c_dh, c_buf)) [onion_handshake FAILED] bad_onion_handshake: cryptodev_digest_update: illegal inputs cryptodev_digest_update: illegal inputs cryptodev_digest_update: illegal inputs cryptodev_digest_update: illegal inputs
FAIL ../src/test/test.c:158: assert(! onion_skin_TAP_create(pk, &c_dh, c_buf)) [bad_onion_handshake FAILED] onion_queues: OK ntor_handshake: OK circuit_timeout: OK rend_fns: OK geoip: OK geoip_with_pt: [forking] OK stats: [forking] OK accounting/bwlimits: [forking] OK addr/basic: OK addr/ip6_helpers: OK addr/parse: OK addr/virtaddr: OK addr/localname: OK addr/dup_ip: OK addr/sockaddr_to_str: OK addr/is_loopback: OK addr/make_null: OK address/get_if_addrs_ifaddrs: [forking] OK address/ifaddrs_to_smartlist: OK address/get_if_addrs_ioctl: [forking] OK address/ifreq_to_smartlist: OK buffer/basic: [forking] OK buffer/copy: [forking] OK buffer/pullup: [forking] OK buffer/ext_or_cmd: [forking] OK buffer/allocation_tracking: [forking] OK buffer/time_tracking: [forking] OK buffer/zlib: [forking] OK buffer/zlib_fin_with_nil: [forking] OK buffer/zlib_fin_at_chunk_end: [forking] OK cellfmt/relay_header: OK cellfmt/begin_cells: OK cellfmt/connected_cells: OK cellfmt/create_cells: OK cellfmt/created_cells: OK cellfmt/extend_cells: OK cellfmt/extended_cells: OK cellfmt/resolved_cells: OK cellfmt/is_destroy: OK cellqueue/basic: [forking] OK cellqueue/circ_n_cells: [forking] OK channel/dumpstats: [forking] OK channel/flush: [forking] OK channel/flushmux: [forking] OK channel/incoming: [forking] OK channel/lifecycle: [forking] OK channel/lifecycle_2: [forking] OK channel/multi: [forking] OK channel/queue_impossible: [forking] OK channel/queue_size: [forking] OK channel/write: [forking] OK channeltls/create: [forking] OK channeltls/num_bytes_queued: [forking] OK channeltls/overhead_estimate: [forking] OK checkdir/perms: [forking] OK circuitlist/maps: [forking] OK circuitlist/rend_token_maps: [forking] OK circuitlist/pick_circid: [forking] OK circuitmux/destroy_cell_queue: [forking] OK config/resolve_my_address: [forking] OK config/addressmap: OK config/parse_bridge_line: OK config/parse_transport_options_line: OK config/parse_transport_plugin_line: [forking] OK 
config/check_or_create_data_subdir: [forking] OK config/write_to_data_subdir: [forking] OK config/fix_my_family: OK container/smartlist_basic: OK container/smartlist_strings: OK container/smartlist_overlap: OK container/smartlist_digests: OK container/smartlist_join: OK container/smartlist_ints_eq: OK container/bitarray: OK container/digestset: OK container/strmap: OK container/pqueue: OK container/order_functions: OK container/di_map: OK container/fp_pair_map: OK control/bucket_note_empty: OK control/bucket_millis_empty: OK control/sum_up_cell_stats: OK control/append_cell_stats: OK control/format_cell_stats: OK crypto/formats: OK crypto/rng: OK crypto/aes_AES: [forking] OK crypto/aes_EVP: [forking] OK crypto/sha: OK crypto/pk: cryptodev_digest_update: illegal inputs
FAIL ../src/test/test_crypto.c:427: assert(128 OP_EQ crypto_pk_public_encrypt(pk2, data1, sizeof(data1), "Hello whirled.", 15, PK_PKCS1_OAEP_PADDING)): 128 vs -1 [pk FAILED] crypto/pk_fingerprints: [forking] OK crypto/digests: OK crypto/dh: OK crypto/aes_iv_AES: [forking] OK crypto/aes_iv_EVP: [forking] OK crypto/base32_decode: OK crypto/kdf_TAP: OK crypto/hkdf_sha256: OK crypto/curve25519_impl: OK crypto/curve25519_impl_hibit: OK crypto/curve25519_wrappers: OK crypto/curve25519_encode: OK crypto/curve25519_persist: OK crypto/ed25519_simple: OK crypto/ed25519_test_vectors: OK crypto/ed25519_encode: OK crypto/ed25519_convert: OK crypto/ed25519_blinding: OK crypto/ed25519_testvectors: OK crypto/siphash: OK dir/nicknames: [forking] OK dir/formats: [forking] OK dir/routerparse_bad: OK dir/extrainfo_parsing: OK dir/parse_router_list: [forking] OK dir/load_routers: [forking] OK dir/load_extrainfo: [forking] OK dir/versions: [forking] OK dir/fp_pairs: [forking] OK dir/split_fps: OK dir/measured_bw_kb: [forking] OK dir/measured_bw_kb_cache: [forking] OK dir/param_voting: [forking] OK dir/v3_networkstatus: [forking] OK dir/random_weighted: OK dir/scale_bw: OK dir/clip_unmeasured_bw_kb: [forking] OK dir/clip_unmeasured_bw_kb_alt: [forking] OK dir/fmt_control_ns: OK dir/http_handling: OK dir/purpose_needs_anonymity: OK dir/fetch_type: OK dir/packages: OK dir/md/cache: [forking] OK dir/md/broken_cache: [forking] OK dir/md/generate: OK dir/md/parse: OK dir/md/reject_cache: [forking] OK entryconn/rewrite_basic: [forking] OK entryconn/rewrite_bad_dotexit: [forking] OK entryconn/rewrite_automap_ipv4: [forking] OK entryconn/rewrite_automap_ipv6: [forking] OK entryconn/rewrite_cached_dns_ipv4: [forking] OK entryconn/rewrite_cached_dns_ipv6: [forking] OK entryconn/rewrite_unmapped_virtual: [forking] OK entryconn/rewrite_mapaddress: [forking] OK entryconn/rewrite_reject_internal_reverse: [forking] OK entryconn/rewrite_automap_exit: [forking] OK entryconn/rewrite_mapaddress_exit: 
[forking] OK entryconn/rewrite_mapaddress_automap_onion: [forking] OK entryconn/rewrite_mapaddress_automap_onion2: [forking] OK entryconn/rewrite_mapaddress_automap_onion3: [forking] OK entryconn/rewrite_mapaddress_automap_onion4: [forking] OK entrynodes/entry_is_time_to_retry: [forking] OK entrynodes/choose_random_entry_no_guards: [forking] OK entrynodes/choose_random_entry_one_possibleguard: [forking] OK entrynodes/populate_live_entry_guards_1guard: [forking] OK entrynodes/populate_live_entry_guards_3guards: [forking] OK entrynodes/entry_guards_parse_state_simple: [forking] OK entrynodes/entry_guards_parse_state_pathbias: [forking] OK entrynodes/entry_guards_set_from_config: [forking] OK entrynodes/entry_is_live: [forking] OK guardfraction/parse_guardfraction_file_bad: [forking] OK guardfraction/parse_guardfraction_file_good: [forking] OK guardfraction/parse_guardfraction_consensus: [forking] OK guardfraction/get_guardfraction_bandwidth: [forking] OK guardfraction/should_apply_guardfraction: [forking] OK extorport/id_map: [forking] OK extorport/write_command: [forking] OK extorport/init_auth: [forking] OK extorport/cookie_auth: [forking] OK extorport/cookie_auth_testvec: [forking] OK extorport/handshake: [forking] OK hs/hs_desc_event: [forking] OK hs/pick_tor2web_rendezvous_node: [forking] OK hs/pick_bad_tor2web_rendezvous_node: [forking] OK introduce/early_parse_v0: cryptodev_digest_update: illegal inputs
FAIL ../src/test/test_introduce.c:381: assert(r >= 0) FAIL ../src/test/test_introduce.c:305: assert(r > 0) [early_parse_v0 FAILED] introduce/early_parse_v1: cryptodev_digest_update: illegal inputs
FAIL ../src/test/test_introduce.c:381: assert(r >= 0) FAIL ../src/test/test_introduce.c:305: assert(r > 0) [early_parse_v1 FAILED] introduce/early_parse_v2: cryptodev_digest_update: illegal inputs
FAIL ../src/test/test_introduce.c:381: assert(r >= 0) FAIL ../src/test/test_introduce.c:305: assert(r > 0) [early_parse_v2 FAILED] introduce/early_parse_v3: cryptodev_digest_update: illegal inputs
FAIL ../src/test/test_introduce.c:381: assert(r >= 0) FAIL ../src/test/test_introduce.c:305: assert(r > 0)cryptodev_digest_update: illegal inputs
FAIL ../src/test/test_introduce.c:381: assert(r >= 0) FAIL ../src/test/test_introduce.c:305: assert(r > 0) [early_parse_v3 FAILED] introduce/decrypt_v0: cryptodev_digest_update: illegal inputs
FAIL ../src/test/test_introduce.c:381: assert(r >= 0) FAIL ../src/test/test_introduce.c:305: assert(r > 0) [decrypt_v0 FAILED] introduce/decrypt_v1: cryptodev_digest_update: illegal inputs
FAIL ../src/test/test_introduce.c:381: assert(r >= 0) FAIL ../src/test/test_introduce.c:305: assert(r > 0) [decrypt_v1 FAILED] introduce/decrypt_v2: cryptodev_digest_update: illegal inputs
FAIL ../src/test/test_introduce.c:381: assert(r >= 0) FAIL ../src/test/test_introduce.c:305: assert(r > 0) [decrypt_v2 FAILED] introduce/decrypt_v3: cryptodev_digest_update: illegal inputs
FAIL ../src/test/test_introduce.c:381: assert(r >= 0) FAIL ../src/test/test_introduce.c:305: assert(r > 0)cryptodev_digest_update: illegal inputs
FAIL ../src/test/test_introduce.c:381: assert(r >= 0) FAIL ../src/test/test_introduce.c:305: assert(r > 0) [decrypt_v3 FAILED] introduce/late_parse_v0: cryptodev_digest_update: illegal inputs
FAIL ../src/test/test_introduce.c:381: assert(r >= 0) FAIL ../src/test/test_introduce.c:305: assert(r > 0) [late_parse_v0 FAILED] introduce/late_parse_v1: cryptodev_digest_update: illegal inputs
FAIL ../src/test/test_introduce.c:381: assert(r >= 0) FAIL ../src/test/test_introduce.c:305: assert(r > 0) [late_parse_v1 FAILED] introduce/late_parse_v2: cryptodev_digest_update: illegal inputs
FAIL ../src/test/test_introduce.c:381: assert(r >= 0) FAIL ../src/test/test_introduce.c:305: assert(r > 0) [late_parse_v2 FAILED] introduce/late_parse_v3: cryptodev_digest_update: illegal inputs
FAIL ../src/test/test_introduce.c:381: assert(r >= 0) FAIL ../src/test/test_introduce.c:305: assert(r > 0)cryptodev_digest_update: illegal inputs
FAIL ../src/test/test_introduce.c:381: assert(r >= 0) FAIL ../src/test/test_introduce.c:305: assert(r > 0) [late_parse_v3 FAILED] nodelist/node_get_verbose_nickname_by_id_null_node: [forking] OK nodelist/node_get_verbose_nickname_not_named: [forking] OK oom/circbuf: [forking] OK oom/streambuf: [forking] OK options/validate: [forking] OK policy/router_dump_exit_policy_to_string: OK policy/general: OK pt/parsing: OK pt/protocol: OK pt/get_transport_options: [forking] OK pt/get_extrainfo_string: [forking] OK pt/configure_proxy: [forking] OK pt/get_pt_proxy_uri: [forking] OK relay/append_cell_to_circuit_queue: [forking] OK relaycell/resolved: [forking] OK replaycache/alloc: OK replaycache/badalloc: OK replaycache/free_null: OK replaycache/miss: OK replaycache/hit: OK replaycache/age: OK replaycache/elapsed: OK replaycache/noexpire: OK replaycache/scrub: OK replaycache/future: OK replaycache/realtime: OK routerkeys/write_fingerprint: [forking] OK routerlist/initiate_descriptor_downloads: OK routerlist/launch_descriptor_downloads: OK routerset/routerset_new: [forking] OK routerset/routerset_get_countryname: [forking] OK routerset/routerset_is_list: [forking] OK routerset/routerset_needs_geoip: [forking] OK routerset/routerset_is_empty: [forking] OK routerset/routerset_contains__null_set_or_null_set_list: [forking] OK routerset/routerset_contains__set_and_nickname: [forking] OK routerset/routerset_contains__set_and_null_nickname: [forking] OK routerset/routerset_contains__set_and_no_nickname: [forking] OK routerset/routerset_contains__set_and_digest: [forking] OK routerset/routerset_contains__set_and_no_digest: [forking] OK routerset/routerset_contains__set_and_null_digest: [forking] OK routerset/routerset_contains__set_and_addr: [forking] OK routerset/routerset_contains__set_and_no_addr: [forking] OK routerset/routerset_contains__set_and_null_addr: [forking] OK routerset/routerset_contains__countries_no_geoip: [forking] OK routerset/routerset_contains__countries_geoip: 
[forking] OK routerset/routerset_add_unknown_ccs__only_flag_and_no_ccs: [forking] OK routerset/routerset_add_unknown_ccs__creates_set: [forking] OK routerset/routerset_add_unknown_ccs__add_unknown: [forking] OK routerset/routerset_add_unknown_ccs__add_a1: [forking] OK routerset/routerset_contains_extendinfo: [forking] OK routerset/routerset_contains_router: [forking] OK routerset/routerset_contains_routerstatus: [forking] OK routerset/routerset_contains_node__none: [forking] OK routerset/routerset_contains_node__routerinfo: [forking] OK routerset/routerset_contains_node__routerstatus: [forking] OK routerset/routerset_get_all_nodes__no_routerset: [forking] OK routerset/routerset_get_all_nodes__list_with_no_nodes: [forking] OK routerset/routerset_get_all_nodes__list_flag_not_running: [forking] OK routerset/routerset_get_all_nodes__list: [forking] OK routerset/routerset_get_all_nodes__nodelist_with_no_nodes: [forking] OK routerset/routerset_get_all_nodes__nodelist_flag_not_running: [forking] OK routerset/routerset_refresh_counties__geoip_not_loaded: [forking] OK routerset/routerset_refresh_counties__no_countries: [forking] OK routerset/routerset_refresh_counties__one_valid_country: [forking] OK routerset/routerset_refresh_counties__one_invalid_country: [forking] OK routerset/routerset_union__source_bad: [forking] OK routerset/routerset_union__one: [forking] OK routerset/routerset_parse__malformed: [forking] OK routerset/routerset_parse__valid_hexdigest: [forking] OK routerset/routerset_parse__valid_nickname: [forking] OK routerset/routerset_parse__get_countryname: [forking] OK routerset/routerset_parse__policy: [forking] OK routerset/routerset_subtract_nodes: [forking] OK routerset/routerset_subtract_nodes__null_routerset: [forking] OK routerset/routerset_to_string: [forking] OK routerset/routerset_equal__empty_empty: [forking] OK routerset/routerset_equal__empty_not_empty: [forking] OK routerset/routerset_equal__differing_lengths: [forking] OK 
routerset/routerset_equal__unequal: [forking] OK routerset/routerset_equal__equal: [forking] OK routerset/routerset_free__null_routerset: [forking] OK routerset/routerset_free: [forking] OK scheduler/channel_states: [forking] OK scheduler/compare_channels: [forking] OK scheduler/initfree: [forking] OK scheduler/loop: [forking] OK scheduler/queue_heuristic: [forking] OK socks/4_unsupported_commands: [forking] OK socks/4_supported_commands: [forking] OK socks/5_unsupported_commands: [forking] OK socks/5_supported_commands: [forking] OK socks/5_no_authenticate: [forking] OK socks/5_auth_before_negotiation: [forking] OK socks/5_authenticate: [forking] OK socks/5_authenticate_with_data: [forking] OK socks/5_malformed_commands: [forking] OK status/count_circuits: [forking] OK status/secs_to_uptime: [forking] OK status/bytes_to_usage: [forking] OK status/log_heartbeat__fails: [forking] OK status/log_heartbeat__simple: [forking] OK status/log_heartbeat__not_in_consensus: [forking] OK status/log_heartbeat__calls_log_accounting: [forking] OK status/log_heartbeat__packaged_cell_fullness: [forking] OK status/log_heartbeat__tls_write_overhead: [forking] OK util/time: OK util/parse_http_time: OK util/config_line: OK util/config_line_quotes: OK util/config_line_comment_character: OK util/config_line_escaped_content: OK util/expand_filename: OK util/escape_string_socks: OK util/string_is_key_value: OK util/strmisc: OK util/pow2: OK util/gzip: OK util/datadir: OK util/memarea: OK util/control_formats: OK util/mmap: OK util/sscanf: OK util/format_time_interval: OK util/path_is_relative: OK util/strtok: OK util/di_ops: OK util/round_to_next_multiple_of: OK util/laplace: OK util/strclear: OK util/find_str_at_start_of_line: OK util/string_is_C_identifier: OK util/asprintf: OK util/listdir: OK util/parent_dir: OK util/ftruncate: OK util/exit_status: OK util/fgets_eagain: OK util/format_hex_number: OK util/format_dec_number: OK util/join_win_cmdline: OK util/split_lines: OK 
util/n_bits_set: OK util/eat_whitespace: OK util/sl_new_from_text_lines: OK util/envnames: OK util/make_environment: OK util/set_env_var_in_sl: OK util/read_file_eof_tiny_limit: OK util/read_file_eof_one_loop_a: OK util/read_file_eof_one_loop_b: OK util/read_file_eof_two_loops: OK util/read_file_eof_two_loops_b: OK util/read_file_eof_zero_bytes: OK util/write_chunks_to_file: OK util/mathlog: OK util/weak_random: OK util/socket: [forking] OK util/socketpair: [forking] OK util/socketpair_ersatz: [forking] OK util/max_mem: OK util/hostname_validation: OK util/ipv4_validation: OK util/logging/sigsafe_err_fds: [forking] OK util/logging/sigsafe_err: [forking] OK util/thread/basic: [forking] OK util/thread/conditionvar: [forking] OK util/thread/conditionvar_timeout: [forking] OK
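Added example (not part of the original message or of Tor's code): a shell triage of the unit-test output that reports, for each failed test, whether the engine error `cryptodev_digest_update: illegal inputs` was printed while that test ran. The sample log is constructed from lines in the log above, laid out one test per line as an assumption about the unflattened output; `example/unrelated` is a made-up failure included for contrast.

```shell
#!/bin/sh
# Added example, not from the thread: classify failed Tor unit tests by
# whether the cryptodev engine error appeared while the test was running.

ENGINE_ERR='cryptodev_digest_update: illegal inputs'

# Print "<test> engine" or "<test> other" for every failed test.
# Reads the test output from the files given as arguments, or from stdin.
triage_failures() {
    awk -v err="$ENGINE_ERR" '
        # "group/name: ..." opens a new test. A bare engine error line has
        # the same "word: " shape, so it is excluded by its position.
        $0 ~ "^[A-Za-z0-9_/]+: " && index($0, err) != 1 {
            cur = $1; sub(/:$/, "", cur); seen = 0
        }
        # The engine writes to stderr, so its message can land anywhere
        # between the test name and the FAILED marker.
        index($0, err) > 0 { seen = 1 }
        /\[[A-Za-z0-9_]+ FAILED\]/ { print cur, (seen ? "engine" : "other") }
    ' "$@"
}

# Count failures of one kind ($1 = engine | other); log on stdin.
count_failures() {
    triage_failures | awk -v want="$1" '$2 == want { n++ } END { print n + 0 }'
}

# Constructed sample: lines taken from the log above, one test per line.
# "example/unrelated" is hypothetical and does not occur in the real log.
sample_log() {
    cat <<'EOF'
onion_handshake: cryptodev_digest_update: illegal inputs

  FAIL ../src/test/test.c:84: assert(! onion_skin_TAP_create(pk, &c_dh, c_buf))
  [onion_handshake FAILED]
ntor_handshake: OK
crypto/sha: OK
crypto/pk: cryptodev_digest_update: illegal inputs

  FAIL ../src/test/test_crypto.c:427: assert(128 OP_EQ crypto_pk_public_encrypt(pk2, data1, sizeof(data1), "Hello whirled.", 15, PK_PKCS1_OAEP_PADDING)): 128 vs -1
  [pk FAILED]
crypto/pk_fingerprints: [forking] OK
introduce/early_parse_v3: cryptodev_digest_update: illegal inputs

  FAIL ../src/test/test_introduce.c:381: assert(r >= 0)
  FAIL ../src/test/test_introduce.c:305: assert(r > 0)
cryptodev_digest_update: illegal inputs

  FAIL ../src/test/test_introduce.c:381: assert(r >= 0)
  FAIL ../src/test/test_introduce.c:305: assert(r > 0)
  [early_parse_v3 FAILED]
example/unrelated: [forking]
  FAIL example.c:1: assert(0)
  [unrelated FAILED]
util/strmisc: OK
EOF
}

sample_log | triage_failures
echo "engine-related failures: $(sample_log | count_failures engine)"
echo "other failures:          $(sample_log | count_failures other)"
```

On a saved build log, `triage_failures build.log` gives the same per-test listing; a run in which every failure is tagged `engine` points at the OpenSSL cryptodev digest path rather than at Tor's own code.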
On Sat, 02 May 2015 09:42:42 -0400 12xBTM 12xbtm@gmail.com wrote:
> Step 1: Getting OpenSSL to become Hardware-Accelerated
>
> sudo apt-get install linux-image-3.14.39-ti-r61
> sudo apt-get install linux-headers-3.14.39-ti-r61
> wget http://download.gna.org/cryptodev-linux/cryptodev-linux-1.7.tar.gz
> tar zxf cryptodev-linux-1.7.tar.gz
> cd cryptodev-linux-1.7/
> sudo make
> sudo make install
> sudo depmod -a
> sudo modprobe cryptodev
> lsmod
> sudo sh -c 'echo cryptodev>>/etc/modules'
> cd ~
> wget https://www.openssl.org/source/openssl-1.0.2a.tar.gz
> tar zxf openssl-1.0.2a.tar.gz
> cd openssl-1.0.2a/

You left out, patching OpenSSL's cryptodev support to function.

> ls
> ./config -DHAVE_CRYPTODEV -DUSE_CRYPTDEV_DIGESTS shared
> sudo make
> sudo make install

And you left out "running the test suite, which according to the bug in OpenSSL's bugtracker, would have failed".
Both of these dastardly details are hidden in the depths of the file misleadingly titled "README" in cryptodev-linux-1.7.tar.gz, under the heading "* OpenSSL:".
Regards,
Thanks for your help. I left it out of my email, but I actually did do it. Except for the ls bit. I originally ran the config without "shared", encountered an error later down the road, deleted the extracted directory, and redid the config correctly, and then just simply did "sudo make" and then "sudo make install" without doing anything about the original library, which I assume was overwritten. But maybe I just corrupted it? Do I just delete the library's directory and retry, or is there something more?
The "DUSE_CRYPTODEV_DIGESTS" is seen in the Tor error log because cryptodev digests are giving errors. I also don't see an entry about the "running the test suite" in the README. I see mention of a patch for Cryptodev for OPENSSL, but, when on the site it links, I have no idea how to apply the patch for it says nothing about patching it. (Sorry, I'm a total linux newb) Also, on the cryptodev-linux page: https://github.com/cryptodev-linux/cryptodev-linux/blob/master/NEWS , it says 1.7 was released in 07 Feb, 2015, which is long after the release of the patch that is talked about in the readme. Likewise, the patch linked is a whole year older than the version of OpenSSL I'm using, but it may not be part of the standard distribution of OpenSSL.
Also, I see the mention of GnuTLS in Cryptodev, if there's a better way to go about having HW-accelerated crypto for Tor (excluding Intel aes-ni), please let me know.
Yawning,
Oh, I think I see what's going on. So, to shorten this, there are three points:
#1: Where do I get this patch and how do I apply it?
#2: Where is this "testing suite."
#3: How do I delete the library so I can install it completely new?
FYI: sudo make install is bad, use checkinstall -D
sudo make uninstall should do the trick, but I'm not sure
Hey Igor,
sudo make uninstall didn't work: "no rule to make target 'uninstall'". Remember, there are two versions of OpenSSL involved, the normal OpenSSL, that came with Jessie, which no one cares about. And this self-compiled one in /usr/local/ssl/ that we're trying to get to work with cryptodev and Tor. Should I just delete the /ssl/ folder in /usr/local/? I have no idea where Cryptodev is installed because it's a mod that's loaded. But, from what I understand, the problem lies in OpenSSL needing a patch or something to play nicely with Cryptodev in the first place. So, for now, I don't see the need to reinstall Cryptodev. Naturally, I could be completely mistaken.
So, I deleted the /usr/local/ssl/ folder and went from there. I got the sudo make test going again, and it failed D: . So the last thing remains: How do I get/install that patch that supposedly corrects this?
On Sat, 02 May 2015 12:10:33 -0400 12xBTM 12xbtm@gmail.com wrote:
> So, I deleted the /usr/local/ssl/ folder and went from there. I got the sudo make test going again, and it failed D: . So the last thing remains: How do I get/install that patch that supposedly corrects this?

...

Quoting from the README file:

> Note that OpenSSL's cryptodev implementation is outdated, and there are issues with it. For that we recommend to use the patches below, that we have provided to the openssl project.
>
> http://...

You're making it sound as if the patches are on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard'.
Anyway...
* I haven't bothered to check if the patches apply cleanly, only that they weren't ever merged. Shouldn't be that hard to fix the patches if they've rotted.
* According to one of the writeups linked, in 2013 cryptodev wasn't exposing a CTR-AES EVP engine. If this is still the case, the bulk of tor's AES calls will not benefit from the acceleration (Skimming the cryptodev code quickly, this would ultimately be a kernel issue).
* The SHA acceleration will only help TLS, because the bulk of the SHA calls in tor don't use the EVP interface (For good reasons in the case of SHA1, and "it's a good idea, someone should do it" reasons for SHA256).
I'd expect in a lot of cases that the gains would be fairly minimal anyway, since using hardware acceleration with this configuration requires a syscall.
> if there's a better way to go about having HW-accelerated crypto for Tor (excluding Intel aes-ni), please let me know.

Instead of some garbage TI part, use something that supports ARM-v8's AES, SHA1, SHA256, and VMULL instructions.
Regards,
Thanks Yawning,
I was trying to make do with the equipment I had lying around, but, anyways, I did learn a bit along the way. Thanks for your input.