Hello,
I'm pretty sure you know there is a patch to backport AES-NI support for openssl 1.0.0. How can I determine if this patch is installed? The source files are not on the system, so comparing them with the git diff of this patch is not possible.

openssl engine says aesni is available. Using the -evp flag with openssl speed produces very good performance, so I think there is some kind of HW acceleration. Encrypting some data files with direct usage of openssl aes-256-cbc also performs very well.

BUT: Forcing s_server with the -engine param to use aesni brings no better performance than the normal way (maybe it does not use it because it is not available? Output of s_server: "aesni set"). And the differences from the results of openssl speed are so big that there can't be any HW acceleration.

I've coded some simple C tools to encrypt and decrypt some random data using the EVP interface. There is no performance overhead or anything. They just read to memory, call the EVP functions needed for encryption and write back. But the performance is also very slow.

If I use Google I find a lot of comments like: "EVP switches dynamically and hidden from you to AES-NI if it is available". BUT: Can it be available if there is no aesni engine lib in /usr/lib64/openssl/engines or in /usr/lib/openssl/engine?? Maybe it is statically linked into the executables to let openssl speed use it, and nobody else can use it because it does not need to be on the system as a separate file? I'm a little confused to get the "available" message from openssl engine but not to find an engine lib.
Here is the output of openssl speed -evp aes-256-cbc:

openssl speed -evp aes-256-cbc
Doing aes-256-cbc for 3s on 16 size blocks: 111106887 aes-256-cbc's in 2.99s
Doing aes-256-cbc for 3s on 64 size blocks: 29709138 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 256 size blocks: 7559638 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 1024 size blocks: 1898551 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 8192 size blocks: 237190 aes-256-cbc's in 2.99s
OpenSSL 1.0.0-fips 29 Mar 2010
built on: Mon Oct 31 10:18:42 EDT 2011
options:bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) aes(partial) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DWHIRLPOOL_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc     594551.90k   633794.94k   645089.11k   648038.74k   649853.00k

I hope someone out there is not confused and is able to help me out.

Best regards
Stefan Renner
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org