Thanks Jeff for really good amount of info.. I have integrated code from below link of HasAESNI() and HasRDRAND() in my application code. AESNI is enabled but RDRAND is not. http://stackoverflow.com/questions/25284119/how-can-i-check-if-openssl-is-suport-use-the-intel-aes-ni .
I am using EVP interface and static library already. So in that case I suppose that AES-NI is supported.. Besides this how can it be confirmed that at run-time for operation like enc/dec, AES_NI are getting used instead of normal.. I was assuming if encryption is being done and it's using NI routines, aesni_cbc_cipher() will for sure get executed... In my case, this func is not getting hit.... Is there any other way to confirm the same objective Thanks Mukesh On 18 September 2014 19:16, Jeffrey Walton <noloa...@gmail.com> wrote: > > I have written application code for encryption and decryption using > OpenSSL > > library. > > I am testing on machine where AES-NI support is present. I am not sure > how > > can I confirm > > whether execution is using AES-NI instruction set. > > > > ... > > Any pointers will be appreciated.. > > OpenSSL has a test for AES-NI, but it only works from the static lib. > It only works for static libs because OPENSSL_ia32cap_P[] is not *not* > exported/available from the shared object. Here's the test from > crypto/evp/e_aes.c: > > #define AESNI_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(57-32))) > > If you want a test that works from both the static lib and shared > object, then you have to provide it yourself. The stuff I use is > available at > http://stackoverflow.com/questions/25284119/how-can-i-check-if-openssl-is-suport-use-the-intel-aes-ni > . > > Even if AES-NI is available, it does not mean you will use it. If you > use low level AES_* functions, then you will not use it because its a > software implementation. To [potentially] use AES-NI, you have to use > the EVP_* functions. There's no guarantee EVP_* functions will use > hardware features like AES-NI, but EVP_* functions will usually use > features like AES-NI, if available. > > believe the OpenSSL docs state the same at > https://www.openssl.org/docs/crypto/EVP_EncryptInit.html: > > Where possible the EVP interface to symmetric ciphers > should be used in preference to the low level interfaces. > This is because the code then becomes transparent to > the cipher used and much more flexible. Additionally, > the EVP interface will ensure the use of platform specific > cryptographic acceleration such as AES-NI (the low level > interfaces do not provide the guarantee). > > AES_* vs EVP_* is also why you see the difference in 'openssl speed > ...' test when using (or not using) the '-evp' option. > > There was also a discussion about it about a year ago at "Verify > AES-NI use at runtime?", > > https://groups.google.com/d/msg/mailing.openssl.users/URRJ7Wx1fvw/ONdhjFxfrb0J > . > > Jeff > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager majord...@openssl.org >
