[tor-relays] Is AES-NI enabled in tor?

Patrice mailinglist at pboenig.de
Thu Dec 22 23:09:17 UTC 2016


> Please don't mix multiple questions into one thread.
Sorry, my bad.

> Tor does not implement crypto itself (mostly) and relies on a
> cryptolibrary (which is OpenSSL/LibreSSL/etc) instead. Thus you should
> check if AES-NI is enabled in your cryptolibrary.
>
> An excerpt from StackOverflow answer [1] about it:
>
> $ openssl speed -elapsed -evp aes-128-cbc
>
> $ OPENSSL_ia32cap="~0x200000200000000" openssl speed -elapsed -evp
> aes-128-cbc
>
> "Output of the first line should be significantly faster than the
> second." If there is no AES-NI enabled in "OpenSSL" these two should
> give similar results.
I couldn't do that test. OpenSSL was not installed.
After I installed it I could perform that test and it was positive.
Here is the output:

$ openssl speed -elapsed -evp aes-128-cbc
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-cbc for 3s on 16 size blocks: 33370007 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 13118341 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 3915543 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 1029134 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 130438 aes-128-cbc's in 3.00s
OpenSSL 1.0.1t  3 May 2016
built on: Fri Sep 23 17:53:23 2016
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) 
blowfish(idx)
compiler: gcc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC 
-DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 
-DL_ENDIAN -DTERMIO -g -O2 -fstack-protector-strong -Wformat 
-Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-z,relro 
-Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 
-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m 
-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM 
-DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes 8192 bytes
aes-128-cbc     177973.37k   279857.94k   334126.34k   351277.74k 356182.70k


$ OPENSSL_ia32cap="~0x200000200000000" openssl speed -elapsed -evp 
aes-128-cbc
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-cbc for 3s on 16 size blocks: 6232419 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 1776077 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 454887 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 114409 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 14327 aes-128-cbc's in 3.00s
OpenSSL 1.0.1t  3 May 2016
built on: Fri Sep 23 17:53:23 2016
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) 
blowfish(idx)
compiler: gcc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC 
-DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 
-DL_ENDIAN -DTERMIO -g -O2 -fstack-protector-strong -Wformat 
-Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-z,relro 
-Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 
-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m 
-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM 
-DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes 8192 bytes
aes-128-cbc      33239.57k    37889.64k    38817.02k    39051.61k 39122.26k


But it is a little confusing for me because there is this line in the logs:

Tor 0.2.9.8 (git-a0df013ea241b026) running on Linux with Libevent 
2.0.21-stable, OpenSSL 1.0.1t and Zlib 1.2.8.

 From that I thought Tor used already OpenSSL but it wasn't installed. :S

I bought this board with this CPU (incl. AES-NI support) because I 
thought it would give a benefit.

> N.B. AES-NI is not a feature of*motherboard*  - it's CPU instructions
> (NI stands for "New Instructions").
I simply forgot that. ;)


Cheers,
Patrice
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20161223/10a865f6/attachment.html>


More information about the tor-relays mailing list