[tor-relays] Declining Relay Usage

Roman Mamedov rm at romanrm.net
Mon Dec 18 16:09:39 UTC 2023 

On Mon, 18 Dec 2023 15:58:52 +0000
George Hartley <hartley_george at proton.me> wrote:

> I had a quick look at the manual, and it stated:
> 
> > HardwareAccel 0|1
> 
> > If non-zero, try to use built-in (static) crypto hardware acceleration > when available. Can not be changed while tor is running. (Default: 0)
> 
> A quick look at the source code tells me that Tor relies entirely on OpenSSL.
> 
> The call-chain here is as follows:
> 
> crypto_set_options first determines whether to enable any available OpenSSL engines based on if the variable mentioned above is non-zero or if an accelerator name has been set:
> 
> > const bool hardware_accel = options->HardwareAccel || options->AccelName;
> 
> This bool is then passed into crypto_global_init, where it is the first argument, fittingly named "useAccel".
> 
> useAccel is then passed into crypto_openssl_late_init, where if HardwareAccel is the default (0) or no engine name has been specified, OpenSSL will make no attempt to load any acceleration engines.
> 
> Here is a permalink to that last relevant function in the call chain:
> 
> https://gitlab.torproject.org/tpo/core/tor/-/blob/main/src/lib/crypt_ops/crypto_openssl_mgt.c?ref_type=heads#L382
> 
> So yes, I think it is pretty safe to assume that if you do not set either configuration option, no OpenSSL engine will be used.
> 
> Thank you for questioning me though, thanks to you I learned some more about Tor's inner workings, and you hopefully too :)

It is not entirely clear to me what conclusion you came to after this
research. If you mean that HardwareAccel is needed, I would still disagee.

If I'm not mistaken the AES-NI support is implemented in OpenSSL not via an
"engine" that you have to "use", it is just built-in internally on some deeper
level. For a proof you can run "openssl engine" in the console of any
AES-supporting machine, and you will not see any loadable engines there, aside
from rdrand, which is unrelated, and "dynamic" which just means it can load
some acceleration engines if it had any. And for instance VIA Padlock would
show up as "padlock" in that list.

Please use reply to all the mailing list. Sorry for bringing out your mail
into the public, but it didn't seem to be strictly private in any case.

-- 
With respect,
Roman

More information about the tor-relays mailing list