Solaris AESNI OpenSSL Engine for Intel Westmere. Cryptography is a major component of secure e-commerce. Since cryptography is compute intensive and adds a significant load to applications, such as SSL web servers (https), crypto performance is an important factor.
It does indeed seem that the info I linked is out-of-date and that aes-ni is enabled by default: Command A = openssl speed -elapsed -evp aes-128-cbc Command B = OPENSSL_ia32cap="~0x200000200000000" openssl speed -elapsed -evp aes-128-cbc Results: Command 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes ----- A 796435.32k 845155.61k 852750.59k Aug 22, 2019 · The tests for each input data size was performed for 3 seconds, for the ciphers that we were interested in. Five modes with 128-bits key, AES-NI enabled and disabled, encryption(the first row means OpenSSL will use ase-ecb with 128-bits key to encrypted 1371968.28k data in 3 seconds): Mar 08, 2020 · Apparently, since 1.0.1 openssl doesn’t need a specific engine anymore to use the AES-NI-instructions; it has native support via evp. To test for AES-NI support in openssl 1.0.1 and newer, simply compare the output of these commands: $ openssl speed aes-256-cbc $ openssl speed -evp aes-256-cbc Nov 08, 2013 · AES-NI acceleration disabled via OPENSSL ia32cap: Brainiarc7@Brainiarc7-PC ~ $ OPENSSL_ia32cap=”~0x200000200000000″ openssl speed -elapsed -evp aes-128-cbc You have chosen to measure elapsed time instead of user CPU time. Doing aes-128-cbc for 3s on 16 size blocks: 23114849 aes-128-cbc’s in 3.00s Significantly better performance of the latter command indicates that AES-NI is enabled. Note that the outputs below are shortened for brevity: ~]# openssl speed aes-128-cbc The 'numbers' are in 1000s of bytes per second processed. type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes aes-128 cbc 99696.17k 107792.98k 109961.22k 110559.91k AES-NI (or the Intel Advanced Encryption Standard New Instructions; AES-NI) was the first major implementation. AES-NI is an extension to the x86 instruction set architecture for microprocessors from Intel and AMD proposed by Intel in March 2008. ライブラリは自動的にAES-NIに切り替わります。 AES-NIが利用可能で、使用したくない場合は、プログラムを起動する前に以下を実行してください。 $ export OPENSSL_ia32cap="~0x200000200000000" 次のOpenSSLコマンドを使用して速度差をテストできます。
AES-NI is just a fast way for the processor to execute the calculations of AES. Normally the computer has to calculate every single step of the AES key schedule and the rounds as a single instruction: Substitute it with the S-boxes, shift the rows, mix the columns, XOR the round key.
Aug 22, 2019 · The tests for each input data size was performed for 3 seconds, for the ciphers that we were interested in. Five modes with 128-bits key, AES-NI enabled and disabled, encryption(the first row means OpenSSL will use ase-ecb with 128-bits key to encrypted 1371968.28k data in 3 seconds): Mar 08, 2020 · Apparently, since 1.0.1 openssl doesn’t need a specific engine anymore to use the AES-NI-instructions; it has native support via evp. To test for AES-NI support in openssl 1.0.1 and newer, simply compare the output of these commands: $ openssl speed aes-256-cbc $ openssl speed -evp aes-256-cbc Nov 08, 2013 · AES-NI acceleration disabled via OPENSSL ia32cap: Brainiarc7@Brainiarc7-PC ~ $ OPENSSL_ia32cap=”~0x200000200000000″ openssl speed -elapsed -evp aes-128-cbc You have chosen to measure elapsed time instead of user CPU time. Doing aes-128-cbc for 3s on 16 size blocks: 23114849 aes-128-cbc’s in 3.00s
How does one verify use of AES-NI at runtime? I know I can get 'capability' with: crypto/evp/e_aes.c:#define AESNI_CAPABLE \ (OPENSSL_ia32cap_P[1]&(1<<(57-32))) But grepping the sources for a runtime test does not produce anything that looks useful: $ grep -R -i AESNI * and $ grep -R ENGINE_* * | grep -i aes The reason I ask is it looks like OpenSSL is not recognizing AES-NI even though this
To check whether or not AES NI is enabled check the contents of /proc/crypto $ grep module /proc/crypto | sort -u module : aesni_intel module : aes_x86_64 module : arc4 module : kernel To see if OpenSSL supports AES-NI run openssl engine Major changes between OpenSSL 1.0.2g and OpenSSL 1.0.2h [3 May 2016] Prevent padding oracle in AES-NI CBC MAC check (CVE-2016-2107) Fix EVP_EncodeUpdate overflow (CVE-2016-2105) Fix EVP_EncryptUpdate overflow (CVE-2016-2106) Prevent ASN.1 BIO excessive memory allocation (CVE-2016-2109) EBCDIC overread (CVE-2016-2176)