We are updating our products with support for OpenSSL 1.0.0d, and I am
unable to locate an Intel AES-NI patch which will sucessfully patch it.
Is there is newer version available then "openssl-1.0.0-aesni-v4.patch"?
This patch worked for OpenSSL 1.0.0b, but fails with 1.0.0d as shown below:
> C:\\openssl-1.0.0d>\\system\\bin\\patch -p0 0
> patching file Configure
> Hunk #2 FAILED at 491.
> Hunk #3 succeeded at 1410 (offset 19 lines).
> 1 out of 3 hunks FAILED -- saving rejects to file Configure.rej
> patching file crypto/aes/Makefile
> patching file crypto/engine/Makefile
> patching file crypto/engine/eng_all.c
> Hunk #3 succeeded at 114 with fuzz 1 (offset -3 lines).
> patching file crypto/engine/engine.h
> Hunk #1 succeeded at 344 (offset -4 lines).
> patching file crypto/evp/evp.h
> Hunk #1 succeeded at 1190 (offset 13 lines).
> patching file crypto/evp/evp_err.c
> patching file crypto/aes/asm/aesni-x86.pl
> patching file crypto/aes/asm/aesni-x86_64.pl
> patching file crypto/engine/eng_aesni.c
> patching file test/test_aesni
> patching file util/libeay.num
> Hunk #1 FAILED at 4176.
> 1 out of 1 hunk FAILED -- saving rejects to file util/libeay.num.rej
I found the Intel v4 patch and previous versions here:
I don't think we have updated with a new patch yet. When i get a chance, I'll take a look to see where the existing patch breaks and see if there is a quick fix/workaround.
BTW, the OpenSSL CVS repo does have AES-NI support (http://cvs.openssl.org/rlog?f=openssl/crypto/aes/asm/aesni-x86_64.pl), its just that it hasn't been included into a formal build yet. We are working with the maintainers to make this happen, but ETA is stillTBD.
I applied the same patch to openssl 1.0.0d and everything worked fine. There are some patch errors and the changes need to be made "by hand" to the source files. The reason is not because the openssl aesni engine changes are different, but because the surrounding source context changed in minor ways. The patch program can't handle that in many cases. Make the changes yourself to the two files (Configure and libeay.num) and you'll be fine.
The modified engine compiles and runs without error on Solaris (and it's faster!).
- (another) Dan
Edit (11/2011): Here's a blog about the OpenSSL AESNI engine on Solaris 11: