Closed radioactivetoy closed 5 years ago
I believe this is a problem with the upstream; their official stable binary doesn't support it either: https://github.com/SoftEtherVPN/SoftEtherVPN_Stable/releases/tag/v4.28-9669-beta
Now, I glanced at their code and found a typo in the Makefile preventing the build from going into the intelaes part...
The Makefile specifies -DCPU_64:
OPTIONS_COMPILE_RELEASE=-DNDEBUG -DVPN_SPEED -DUNIX -DUNIX_LINUX -DCPU_64 -D_REENTRANT -DREENTRANT -D_THREAD_SAFE -D_THREADSAFE -DTHREAD_SAFE -DTHREADSAFE -D_FILE_OFFSET_BITS=64 -I./src/ -I./src/Cedar/ -I./src/Mayaqua/ -O2 -fsigned-char -m64
https://github.com/SoftEtherVPN/SoftEtherVPN_Stable/blob/master/src/makefiles/linux_64bit.mak#L32
But the code expects CPU_X64:
// About Intel AES-NI Library
#if (defined(OS_WIN32) || (defined(UNIX_LINUX) && (defined(CPU_X86) || defined(CPU_X64))))
// Supports only for Linux (x86 / x64) or Windows
#define USE_INTEL_AESNI_LIBRARY
#endif
https://github.com/SoftEtherVPN/SoftEtherVPN_Stable/blob/master/src/Mayaqua/Mayaqua.h#L218-L222
Tried to simply patch it locally but it seems many more things are involved (it actually needs the said "Intel AES-NI Library" in order to compile). You can file a bug in the upstream (their stable repo), but they are probably busy with the upcoming v5 stable release, which might have already fixed this issue.
I will file a bug on their repo, thanks for the debugging! I will link them to the info you have provided, if you don't mind.
Sure, you can link to this page, no problem.
I did read their v5 code on the "Developer Edition" repo and it looks like they are now delegating the encryption handling to OpenSSL, which has proper AES-NI support, so I believe this issue is fixed there already (and they will probably tell you the same thing).
In the new AesEncrypt function:
ret = EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, k->KeyValue, ivec);
https://github.com/SoftEtherVPN/SoftEtherVPN/blob/master/src/Mayaqua/Encrypt.c#L4152
[...] the EVP interface will ensure the use of platform specific cryptographic acceleration such as AES-NI.
https://www.openssl.org/docs/man1.0.2/crypto/EVP_EncryptInit.html
I will try to have a new test Docker image based on that repo... hopefully next week (they updated the build process in v5 so it will take some time for me to catch up).
Ok, I've made a very crude version of this image (:5-beta) using their dev repo and...
docker run --rm -e VPNCMD_SERVER=Caps siomiz/softethervpn:5-beta echo | grep AES-NI
CPU AES Acceleration (AES-NI) is Active,Yes
As I feared they've changed a lot of things internally so this image may not be usable (yet), but it looks promising.
SoftEther server is reporting that it's not using AES-NI instructions. My processor has AES-NI extensions, and this is shown in /proc/cpuinfo on the container. SoftEther uses AES-NI if libssl supports it, according to http://www.vpnusers.com/viewtopic.php?t=4291 .