Query reg AES_NI usage with OpenSSL-1.0.1h
Hi, I have written application code for encryption and decryption using OpenSSL library. I am testing on machine where AES-NI support is present. I am not sure how can I confirm whether execution is using AES-NI instruction set. When run command line openssl speed -evp aes128, I was seeing aesni_cbc_cipher() getting hit. But with my sample code, I am not seeing aesni_cbc_cipher() getting executed.. Openssl ver: OpenSSL-1.0.1h Sample high level code is like OpenSSL_add_all_algorithms(); ERR_load_crypto_strings(); OPENSSL_config(NULL); EVP_CIPHER_CTX_init(ctx); if(1 != EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv)) handleErrors(); EVP_CIPHER_CTX_set_padding(ctx, 0); if(1 != EVP_DecryptUpdate(ctx, plaintext, len, ciphertext, ciphertext_len)) handleErrors(); plaintext_len = len; if(1 != EVP_DecryptFinal_ex(ctx, plaintext + len, len)) handleErrors(); plaintext_len += len; EVP_CIPHER_CTX_cleanup(ctx); Any pointers will be appreciated.. Thanks Mukesh
Re: Query reg AES_NI usage with OpenSSL-1.0.1h
I have written application code for encryption and decryption using OpenSSL library. I am testing on machine where AES-NI support is present. I am not sure how can I confirm whether execution is using AES-NI instruction set. ... Any pointers will be appreciated.. OpenSSL has a test for AES-NI, but it only works from the static lib. It only works for static libs because OPENSSL_ia32cap_P[] is not *not* exported/available from the shared object. Here's the test from crypto/evp/e_aes.c: #define AESNI_CAPABLE (OPENSSL_ia32cap_P[1](1(57-32))) If you want a test that works from both the static lib and shared object, then you have to provide it yourself. The stuff I use is available at http://stackoverflow.com/questions/25284119/how-can-i-check-if-openssl-is-suport-use-the-intel-aes-ni. Even if AES-NI is available, it does not mean you will use it. If you use low level AES_* functions, then you will not use it because its a software implementation. To [potentially] use AES-NI, you have to use the EVP_* functions. There's no guarantee EVP_* functions will use hardware features like AES-NI, but EVP_* functions will usually use features like AES-NI, if available. believe the OpenSSL docs state the same at https://www.openssl.org/docs/crypto/EVP_EncryptInit.html: Where possible the EVP interface to symmetric ciphers should be used in preference to the low level interfaces. This is because the code then becomes transparent to the cipher used and much more flexible. Additionally, the EVP interface will ensure the use of platform specific cryptographic acceleration such as AES-NI (the low level interfaces do not provide the guarantee). AES_* vs EVP_* is also why you see the difference in 'openssl speed ...' test when using (or not using) the '-evp' option. There was also a discussion about it about a year ago at Verify AES-NI use at runtime?, https://groups.google.com/d/msg/mailing.openssl.users/URRJ7Wx1fvw/ONdhjFxfrb0J. Jeff __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Query reg AES_NI usage with OpenSSL-1.0.1h
Thanks Jeff for really good amount of info.. I have integrated code from below link of HasAESNI() and HasRDRAND() in my application code. AESNI is enabled but RDRAND is not. http://stackoverflow.com/questions/25284119/how-can-i-check-if-openssl-is-suport-use-the-intel-aes-ni . I am using EVP interface and static library already. So in that case I suppose that AES-NI is supported.. Besides this how can it be confirmed that at run-time for operation like enc/dec, AES_NI are getting used instead of normal.. I was assuming if encryption is being done and it's using NI routines, aesni_cbc_cipher() will for sure get executed... In my case, this func is not getting hit Is there any other way to confirm the same objective Thanks Mukesh On 18 September 2014 19:16, Jeffrey Walton noloa...@gmail.com wrote: I have written application code for encryption and decryption using OpenSSL library. I am testing on machine where AES-NI support is present. I am not sure how can I confirm whether execution is using AES-NI instruction set. ... Any pointers will be appreciated.. OpenSSL has a test for AES-NI, but it only works from the static lib. It only works for static libs because OPENSSL_ia32cap_P[] is not *not* exported/available from the shared object. Here's the test from crypto/evp/e_aes.c: #define AESNI_CAPABLE (OPENSSL_ia32cap_P[1](1(57-32))) If you want a test that works from both the static lib and shared object, then you have to provide it yourself. The stuff I use is available at http://stackoverflow.com/questions/25284119/how-can-i-check-if-openssl-is-suport-use-the-intel-aes-ni . Even if AES-NI is available, it does not mean you will use it. If you use low level AES_* functions, then you will not use it because its a software implementation. To [potentially] use AES-NI, you have to use the EVP_* functions. There's no guarantee EVP_* functions will use hardware features like AES-NI, but EVP_* functions will usually use features like AES-NI, if available. believe the OpenSSL docs state the same at https://www.openssl.org/docs/crypto/EVP_EncryptInit.html: Where possible the EVP interface to symmetric ciphers should be used in preference to the low level interfaces. This is because the code then becomes transparent to the cipher used and much more flexible. Additionally, the EVP interface will ensure the use of platform specific cryptographic acceleration such as AES-NI (the low level interfaces do not provide the guarantee). AES_* vs EVP_* is also why you see the difference in 'openssl speed ...' test when using (or not using) the '-evp' option. There was also a discussion about it about a year ago at Verify AES-NI use at runtime?, https://groups.google.com/d/msg/mailing.openssl.users/URRJ7Wx1fvw/ONdhjFxfrb0J . Jeff __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org