mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-24 04:13:28 +01:00
Merge branch 'hardware_accel_improvements'
This commit is contained in:
commit
e84ddead34
@ -1,5 +1,9 @@
|
|||||||
Changes in version 0.2.2.1-alpha - 2009-??-??
|
Changes in version 0.2.2.1-alpha - 2009-??-??
|
||||||
o Minor features
|
o Major features:
|
||||||
|
- Add support for dynamic OpenSSL hardware crypto acceleration engines
|
||||||
|
via new AccelName and AccelDir options.
|
||||||
|
|
||||||
|
o Minor features:
|
||||||
- New --digests command-line switch to output the digests of the
|
- New --digests command-line switch to output the digests of the
|
||||||
source files Tor was built with.
|
source files Tor was built with.
|
||||||
- The "torify" script now uses torsocks where available.
|
- The "torify" script now uses torsocks where available.
|
||||||
|
15
doc/tor.1.in
15
doc/tor.1.in
@ -350,8 +350,19 @@ On startup, setuid to this user and setgid to their primary group.
|
|||||||
.LP
|
.LP
|
||||||
.TP
|
.TP
|
||||||
\fBHardwareAccel \fR\fB0\fR|\fB1\fP
|
\fBHardwareAccel \fR\fB0\fR|\fB1\fP
|
||||||
If non-zero, try to use crypto hardware acceleration when
|
If non-zero, try to use built-in (static) crypto hardware acceleration when
|
||||||
available. This is untested and probably buggy. (Default: 0)
|
available. (Default: 0)
|
||||||
|
.LP
|
||||||
|
.TP
|
||||||
|
\fBAccelName \fR\fINAME\fP
|
||||||
|
When using OpenSSL hardware crypto acceleration attempt to load the dynamic
|
||||||
|
engine of this name. This must be used for any dynamic hardware engine. Names
|
||||||
|
can be verified with the openssl engine command.
|
||||||
|
.LP
|
||||||
|
.TP
|
||||||
|
\fBAccelDir \fR\fIDIR\fP
|
||||||
|
Specify this option if using dynamic hardware acceleration and the engine
|
||||||
|
implementation library resides somewhere other than the OpenSSL default.
|
||||||
.LP
|
.LP
|
||||||
.TP
|
.TP
|
||||||
\fBAvoidDiskWrites \fR\fB0\fR|\fB1\fP
|
\fBAvoidDiskWrites \fR\fB0\fR|\fB1\fP
|
||||||
|
@ -27,6 +27,7 @@
|
|||||||
#include <openssl/rsa.h>
|
#include <openssl/rsa.h>
|
||||||
#include <openssl/pem.h>
|
#include <openssl/pem.h>
|
||||||
#include <openssl/evp.h>
|
#include <openssl/evp.h>
|
||||||
|
#include <openssl/engine.h>
|
||||||
#include <openssl/rand.h>
|
#include <openssl/rand.h>
|
||||||
#include <openssl/opensslv.h>
|
#include <openssl/opensslv.h>
|
||||||
#include <openssl/bn.h>
|
#include <openssl/bn.h>
|
||||||
@ -166,36 +167,70 @@ log_engine(const char *fn, ENGINE *e)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/** Try to load an engine in a shared library via fully qualified path.
|
||||||
|
*/
|
||||||
|
static ENGINE *
|
||||||
|
try_load_engine(const char *path, const char *engine)
|
||||||
|
{
|
||||||
|
ENGINE *e = ENGINE_by_id("dynamic");
|
||||||
|
if (e) {
|
||||||
|
if (!ENGINE_ctrl_cmd_string(e, "ID", engine, 0) ||
|
||||||
|
!ENGINE_ctrl_cmd_string(e, "DIR_LOAD", "2", 0) ||
|
||||||
|
!ENGINE_ctrl_cmd_string(e, "DIR_ADD", path, 0) ||
|
||||||
|
!ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0)) {
|
||||||
|
ENGINE_free(e);
|
||||||
|
e = NULL;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return e;
|
||||||
|
}
|
||||||
|
|
||||||
/** Initialize the crypto library. Return 0 on success, -1 on failure.
|
/** Initialize the crypto library. Return 0 on success, -1 on failure.
|
||||||
*/
|
*/
|
||||||
int
|
int
|
||||||
crypto_global_init(int useAccel)
|
crypto_global_init(int useAccel, const char *accelName, const char *accelDir)
|
||||||
{
|
{
|
||||||
if (!_crypto_global_initialized) {
|
if (!_crypto_global_initialized) {
|
||||||
ERR_load_crypto_strings();
|
ERR_load_crypto_strings();
|
||||||
OpenSSL_add_all_algorithms();
|
OpenSSL_add_all_algorithms();
|
||||||
_crypto_global_initialized = 1;
|
_crypto_global_initialized = 1;
|
||||||
setup_openssl_threading();
|
setup_openssl_threading();
|
||||||
/* XXX the below is a bug, since we can't know if we're supposed
|
|
||||||
* to be using hardware acceleration or not. we should arrange
|
|
||||||
* for this function to be called before init_keys. But make it
|
|
||||||
* not complain loudly, at least until we make acceleration work. */
|
|
||||||
if (useAccel < 0) {
|
|
||||||
log_info(LD_CRYPTO, "Initializing OpenSSL via tor_tls_init().");
|
|
||||||
}
|
|
||||||
if (useAccel > 0) {
|
if (useAccel > 0) {
|
||||||
|
ENGINE *e = NULL;
|
||||||
log_info(LD_CRYPTO, "Initializing OpenSSL engine support.");
|
log_info(LD_CRYPTO, "Initializing OpenSSL engine support.");
|
||||||
ENGINE_load_builtin_engines();
|
ENGINE_load_builtin_engines();
|
||||||
if (!ENGINE_register_all_complete())
|
ENGINE_register_all_complete();
|
||||||
return -1;
|
if (accelName) {
|
||||||
|
if (accelDir) {
|
||||||
/* XXXX make sure this isn't leaking. */
|
log_info(LD_CRYPTO, "Trying to load dynamic OpenSSL engine \"%s\""
|
||||||
|
" via path \"%s\".", accelName, accelDir);
|
||||||
|
e = try_load_engine(accelName, accelDir);
|
||||||
|
} else {
|
||||||
|
log_info(LD_CRYPTO, "Initializing dynamic OpenSSL engine \"%s\""
|
||||||
|
" acceleration support.", accelName);
|
||||||
|
e = ENGINE_by_id(accelName);
|
||||||
|
}
|
||||||
|
if (!e) {
|
||||||
|
log_warn(LD_CRYPTO, "Unable to load dynamic OpenSSL engine \"%s\".",
|
||||||
|
accelName);
|
||||||
|
} else {
|
||||||
|
log_info(LD_CRYPTO, "Loaded dynamic OpenSSL engine \"%s\".",
|
||||||
|
accelName);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (e) {
|
||||||
|
log_info(LD_CRYPTO, "Loaded OpenSSL hardware acceleration engine,"
|
||||||
|
" setting default ciphers.");
|
||||||
|
ENGINE_set_default(e, ENGINE_METHOD_ALL);
|
||||||
|
}
|
||||||
log_engine("RSA", ENGINE_get_default_RSA());
|
log_engine("RSA", ENGINE_get_default_RSA());
|
||||||
log_engine("DH", ENGINE_get_default_DH());
|
log_engine("DH", ENGINE_get_default_DH());
|
||||||
log_engine("RAND", ENGINE_get_default_RAND());
|
log_engine("RAND", ENGINE_get_default_RAND());
|
||||||
log_engine("SHA1", ENGINE_get_digest_engine(NID_sha1));
|
log_engine("SHA1", ENGINE_get_digest_engine(NID_sha1));
|
||||||
log_engine("3DES", ENGINE_get_cipher_engine(NID_des_ede3_ecb));
|
log_engine("3DES", ENGINE_get_cipher_engine(NID_des_ede3_ecb));
|
||||||
log_engine("AES", ENGINE_get_cipher_engine(NID_aes_128_ecb));
|
log_engine("AES", ENGINE_get_cipher_engine(NID_aes_128_ecb));
|
||||||
|
} else {
|
||||||
|
log_info(LD_CRYPTO, "NOT using OpenSSL engine support.");
|
||||||
}
|
}
|
||||||
return crypto_seed_rng(1);
|
return crypto_seed_rng(1);
|
||||||
}
|
}
|
||||||
|
@ -55,7 +55,9 @@ typedef struct crypto_digest_env_t crypto_digest_env_t;
|
|||||||
typedef struct crypto_dh_env_t crypto_dh_env_t;
|
typedef struct crypto_dh_env_t crypto_dh_env_t;
|
||||||
|
|
||||||
/* global state */
|
/* global state */
|
||||||
int crypto_global_init(int hardwareAccel);
|
int crypto_global_init(int hardwareAccel,
|
||||||
|
const char *accelName,
|
||||||
|
const char *accelPath);
|
||||||
void crypto_thread_cleanup(void);
|
void crypto_thread_cleanup(void);
|
||||||
int crypto_global_cleanup(void);
|
int crypto_global_cleanup(void);
|
||||||
|
|
||||||
|
@ -308,7 +308,6 @@ tor_tls_init(void)
|
|||||||
if (!tls_library_is_initialized) {
|
if (!tls_library_is_initialized) {
|
||||||
SSL_library_init();
|
SSL_library_init();
|
||||||
SSL_load_error_strings();
|
SSL_load_error_strings();
|
||||||
crypto_global_init(-1);
|
|
||||||
tls_library_is_initialized = 1;
|
tls_library_is_initialized = 1;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -222,6 +222,8 @@ static config_var_t _option_vars[] = {
|
|||||||
#endif
|
#endif
|
||||||
OBSOLETE("Group"),
|
OBSOLETE("Group"),
|
||||||
V(HardwareAccel, BOOL, "0"),
|
V(HardwareAccel, BOOL, "0"),
|
||||||
|
V(AccelName, STRING, NULL),
|
||||||
|
V(AccelDir, FILENAME, NULL),
|
||||||
V(HashedControlPassword, LINELIST, NULL),
|
V(HashedControlPassword, LINELIST, NULL),
|
||||||
V(HidServDirectoryV2, BOOL, "1"),
|
V(HidServDirectoryV2, BOOL, "1"),
|
||||||
VAR("HiddenServiceDir", LINELIST_S, RendConfigLines, NULL),
|
VAR("HiddenServiceDir", LINELIST_S, RendConfigLines, NULL),
|
||||||
@ -444,6 +446,10 @@ static config_var_description_t options_description[] = {
|
|||||||
* FetchUselessDescriptors */
|
* FetchUselessDescriptors */
|
||||||
{ "HardwareAccel", "If set, Tor tries to use hardware crypto accelerators "
|
{ "HardwareAccel", "If set, Tor tries to use hardware crypto accelerators "
|
||||||
"when it can." },
|
"when it can." },
|
||||||
|
{ "AccelName", "If set, try to use hardware crypto accelerator with this "
|
||||||
|
"specific ID." },
|
||||||
|
{ "AccelDir", "If set, look in this directory for the dynamic hardware "
|
||||||
|
"engine in addition to OpenSSL default path." },
|
||||||
/* HashedControlPassword */
|
/* HashedControlPassword */
|
||||||
{ "HTTPProxy", "Force Tor to make all HTTP directory requests through this "
|
{ "HTTPProxy", "Force Tor to make all HTTP directory requests through this "
|
||||||
"host:port (or host:80 if port is not set)." },
|
"host:port (or host:80 if port is not set)." },
|
||||||
@ -3611,6 +3617,11 @@ options_validate(or_options_t *old_options, or_options_t *options,
|
|||||||
"testing Tor network!");
|
"testing Tor network!");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (options->AccelName && !options->HardwareAccel)
|
||||||
|
options->HardwareAccel = 1;
|
||||||
|
if (options->AccelDir && !options->AccelName)
|
||||||
|
REJECT("Can't use hardware crypto accelerator dir without engine name.");
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
#undef REJECT
|
#undef REJECT
|
||||||
#undef COMPLAIN
|
#undef COMPLAIN
|
||||||
@ -3668,9 +3679,11 @@ options_transition_allowed(or_options_t *old, or_options_t *new_val,
|
|||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (old->HardwareAccel != new_val->HardwareAccel) {
|
if ((old->HardwareAccel != new_val->HardwareAccel)
|
||||||
*msg = tor_strdup("While Tor is running, changing HardwareAccel is "
|
|| !opt_streq(old->AccelName, new_val->AccelName)
|
||||||
"not allowed.");
|
|| !opt_streq(old->AccelDir, new_val->AccelDir)) {
|
||||||
|
*msg = tor_strdup("While Tor is running, changing OpenSSL hardware "
|
||||||
|
"acceleration engine is not allowed.");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1810,7 +1810,9 @@ tor_init(int argc, char *argv[])
|
|||||||
"and you probably shouldn't.");
|
"and you probably shouldn't.");
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
if (crypto_global_init(get_options()->HardwareAccel)) {
|
if (crypto_global_init(get_options()->HardwareAccel,
|
||||||
|
get_options()->AccelName,
|
||||||
|
get_options()->AccelDir)) {
|
||||||
log_err(LD_BUG, "Unable to initialize OpenSSL. Exiting.");
|
log_err(LD_BUG, "Unable to initialize OpenSSL. Exiting.");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
@ -2416,6 +2416,8 @@ typedef struct {
|
|||||||
* log whether it was DNS-leaking or not? */
|
* log whether it was DNS-leaking or not? */
|
||||||
int HardwareAccel; /**< Boolean: Should we enable OpenSSL hardware
|
int HardwareAccel; /**< Boolean: Should we enable OpenSSL hardware
|
||||||
* acceleration where available? */
|
* acceleration where available? */
|
||||||
|
char *AccelName; /**< Optional hardware acceleration engine name. */
|
||||||
|
char *AccelDir; /**< Optional hardware acceleration engine search dir. */
|
||||||
int UseEntryGuards; /**< Boolean: Do we try to enter from a smallish number
|
int UseEntryGuards; /**< Boolean: Do we try to enter from a smallish number
|
||||||
* of fixed nodes? */
|
* of fixed nodes? */
|
||||||
int NumEntryGuards; /**< How many entry guards do we try to establish? */
|
int NumEntryGuards; /**< How many entry guards do we try to establish? */
|
||||||
|
@ -442,7 +442,9 @@ init_keys(void)
|
|||||||
key_lock = tor_mutex_new();
|
key_lock = tor_mutex_new();
|
||||||
|
|
||||||
/* There are a couple of paths that put us here before */
|
/* There are a couple of paths that put us here before */
|
||||||
if (crypto_global_init(get_options()->HardwareAccel)) {
|
if (crypto_global_init(get_options()->HardwareAccel,
|
||||||
|
get_options()->AccelName,
|
||||||
|
get_options()->AccelDir)) {
|
||||||
log_err(LD_BUG, "Unable to initialize OpenSSL. Exiting.");
|
log_err(LD_BUG, "Unable to initialize OpenSSL. Exiting.");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
@ -4793,7 +4793,7 @@ main(int c, char**v)
|
|||||||
}
|
}
|
||||||
|
|
||||||
options->command = CMD_RUN_UNITTESTS;
|
options->command = CMD_RUN_UNITTESTS;
|
||||||
crypto_global_init(0);
|
crypto_global_init(0, NULL, NULL);
|
||||||
rep_hist_init();
|
rep_hist_init();
|
||||||
network_init();
|
network_init();
|
||||||
setup_directory();
|
setup_directory();
|
||||||
|
@ -29,7 +29,7 @@ int main(int c, char **v)
|
|||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (crypto_global_init(0)) {
|
if (crypto_global_init(0, NULL, NULL)) {
|
||||||
fprintf(stderr, "Couldn't initialize crypto library.\n");
|
fprintf(stderr, "Couldn't initialize crypto library.\n");
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
@ -496,7 +496,7 @@ main(int argc, char **argv)
|
|||||||
init_logging();
|
init_logging();
|
||||||
|
|
||||||
/* Don't bother using acceleration. */
|
/* Don't bother using acceleration. */
|
||||||
if (crypto_global_init(0)) {
|
if (crypto_global_init(0, NULL, NULL)) {
|
||||||
fprintf(stderr, "Couldn't initialize crypto library.\n");
|
fprintf(stderr, "Couldn't initialize crypto library.\n");
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user