> I have written application code for encryption and decryption using OpenSSL
> library.
> I am testing on a machine where AES-NI support is present. I am not sure how
> I can confirm
> whether execution is using the AES-NI instruction set.
>
> ...
> Any pointers will be appreciated.

OpenSSL has a test for AES-NI, but it only works from the static lib.
It only works for static libs because OPENSSL_ia32cap_P[] is *not*
exported/available from the shared object. Here's the test from
crypto/evp/e_aes.c:

    #define AESNI_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(57-32)))

If you want a test that works from both the static lib and shared
object, then you have to provide it yourself. The stuff I use is
available at 
http://stackoverflow.com/questions/25284119/how-can-i-check-if-openssl-is-suport-use-the-intel-aes-ni.

Even if AES-NI is available, it does not mean you will use it. If you
use low level AES_* functions, then you will not use it because it's a
software implementation. To [potentially] use AES-NI, you have to use
the EVP_* functions. There's no guarantee EVP_* functions will use
hardware features like AES-NI, but EVP_* functions will usually use
features like AES-NI, if available.

I believe the OpenSSL docs state the same at
https://www.openssl.org/docs/crypto/EVP_EncryptInit.html:

    Where possible the EVP interface to symmetric ciphers
    should be used in preference to the low level interfaces.
    This is because the code then becomes transparent to
    the cipher used and much more flexible. Additionally,
    the EVP interface will ensure the use of platform specific
    cryptographic acceleration such as AES-NI (the low level
    interfaces do not provide the guarantee).

AES_* vs EVP_* is also why you see the difference in 'openssl speed
...' test when using (or not using) the '-evp' option.

There was also a discussion about it about a year ago at "Verify
AES-NI use at runtime?",
https://groups.google.com/d/msg/mailing.openssl.users/URRJ7Wx1fvw/ONdhjFxfrb0J.

Jeff
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
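
An added example, not from the original message or from OpenSSL: a stand-alone check that applies the same bit test as AESNI_CAPABLE to a vector read with CPUID, so it works whether libcrypto is linked statically or as a shared object. The function names are hypothetical, and `apply_env_mask` is a simplified, assumed model of the `OPENSSL_ia32cap` environment variable (first 64-bit vector only), which the message above does not cover.

```c
/* Added example, not OpenSSL source; function names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* The AESNI_CAPABLE test on a local vector: cap[0] = CPUID.1:EDX, cap[1] = CPUID.1:ECX. */
int aesni_in_vector(const uint32_t cap[2]) {
    return (cap[1] & (1u << (57 - 32))) != 0;
}

/* Fill cap[] from CPUID leaf 1. Returns 0 on success, -1 if CPUID is unavailable. */
int cpuid_vector(uint32_t cap[2]) {
    unsigned int eax = 0, ebx = 0, ecx = 0, edx = 0;
    int ok = 0;
#if defined(__x86_64__) || defined(__i386__)
    ok = __get_cpuid(1, &eax, &ebx, &ecx, &edx);
#endif
    cap[0] = edx;
    cap[1] = ecx;
    return ok ? 0 : -1;
}

/* Assumed, simplified model of OPENSSL_ia32cap (first 64-bit vector only):
 * "~<n>" clears the bits set in n, a plain "<n>" replaces the vector. */
void apply_env_mask(uint32_t cap[2], const char *env) {
    if (env == NULL || *env == '\0')
        return;
    uint64_t vec = ((uint64_t)cap[1] << 32) | cap[0];
    uint64_t n = strtoull(env + (*env == '~'), NULL, 0);
    vec = (*env == '~') ? (vec & ~n) : n;
    cap[0] = (uint32_t)vec;
    cap[1] = (uint32_t)(vec >> 32);
}

/* 1 = AES-NI present and not masked, 0 = absent or masked, -1 = unknown. */
int aesni_expected(const char *env) {
    uint32_t cap[2];
    if (cpuid_vector(cap) != 0)
        return -1;
    apply_env_mask(cap, env);
    return aesni_in_vector(cap);
}

int main(void) {
    printf("AES-NI expected: %d\n", aesni_expected(getenv("OPENSSL_ia32cap")));
    return 0;
}
```

A result of 1 says only that the capability bit is set; as the message notes, the calling code still has to go through the EVP_* functions to benefit from it.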
