Thank you Ying.

• That was helpful. I have downloaded the latest version of openssl "openssl-1.0.1e.tar.gz". How do I enable the AES-NI flag while building openssl ?

• I have one more question .Is IPP specific to particular version of linux ? because while installation i have seen "un-supported version" ,or it works irrespective of linux version with the IPP and crypto libraries installed on it ?

Best Regards,

Ravikanth

Hi Ying,

I have figured out how to enable AES-NI on my machine. Followed instructions from the follwing document page 23. Attached the file too just incase the file is moved for future reference. Even though AES-NI is enabled from BIOS i am not seeing the performance improvement. Is there any software flag to enable AES-NI in openssl ?

Is installation of IPP and IPP Crypto manditory for AES-NI enabled machines ?

Will IPP and IPP Crypto work on any intel Xeon machines ? If IPP Crypto is required for performance improvement why is AES-NI required ?

I need RC4 , RSA , DES & 3DES performance improvements too.

I tried to compile openssl 1.0.1e with the following config parameters on AES-NI enabled machine and installed it

• config -g -march=native --prefix=/usr/local/openssl-1.0.1e/ --openssldir=/usr/local/openssl-1.0.1e/

When I try to check

                          ./openssl engine

(rsax) RSAX engine support
(dynamic) Dynamic engine loading support
(4758cca) IBM 4758 CCA hardware engine support
(aep) Aep hardware engine support
(atalla) Atalla hardware engine support
(cswift) CryptoSwift hardware engine support
(chil) CHIL hardware engine support
(nuron) Nuron hardware engine support
(sureware) SureWare hardware engine support
(ubsec) UBSEC hardware engine support
(gost) Reference implementation of GOST engine

I got the following out put but could not find aesni engine in the list.

Can some one give a clear idea on how we test and check on open ssl ? and all my questions on my previous posts please

Hi Ravieeswar,

I try to reply the part of IPP.

1. IPP have supported OS. Please see IPP system requirements in release notes  or http://software.intel.com/en-us/articles/intel-ipp-61-library-system-requirements ,

For example, Intel 64 for Linux" Compatibility (tested with the following)

Linux systems with glibc 2.2.4, 2.2.5, 2.2.93, 2.3.2 or 2.3.3 and the 2.4.x or 2.6.x Linux kernel as represented by the following distributions:

• Red Hat Enterprise Linux* OS 3 ,4 or 5
• SUSE Linux Enterprise Server* 10 or 11
• Debian* 4.0r1 or 5
• Ubuntu* 8 or 9
• Asianux* Server 3.0
• Red Flag* 5.0

Note: not all distributions listed above have been validated and not all distributions are listed.

Generally, IPP should be worked for most of Linux version. What is your OS.?

2. Yes, IPP and IPP crypto worked on Intel Xeon machine.  IPP and IPP crypto are "pure" software, which can work on all supported processors. The processor with AES-NI (hardware) is only one of them.

. The Intel IPP library contains a collection of functionally identical processor-specific optimized libraries that are “dispatched” at run-time. Please see the detials in

http://software.intel.com/en-us/articles/intel-integrated-performance-primitives-intel-ipp-understanding-cpu-optimized-code-used-in-intel-ipp

So if IPP find your processor have suported AES-NI , then it will distribute the binary code which include AES-NI instruction on the machine, otherwise, it may only distribute the code with SSE instruction.

3. NO, IPP and IPP Crypto is not manditory for using the procossor AES-NI.   

Regaring OpenSSL, Not exactly sure , but if . AES-NI is worked, ./openssl engine should show

(ase-ni) Intel AES engine.  you may ask the question in OpenSSL forum too.

Best Ragrds,

Ying

Hi

I did more investigation about openSSL build.  According to all discussions and test, it seems AES-NI is active by default in OpenSSL 1.0.1e, but not show as engine with general config like you did.

Please see http://bugs.alpinelinux.org/issues/925

I did test too on my Intel(R) Xeon(R) CPU E5-2680 0 @ 2.70GHz, Red Hat Enterprise Linux Server release 6.3 (Santiago) which support aes-ni

with the openssl shiped with the OS, it shows

[yhu5@snb04 ~]$ openssl version -a
OpenSSL 1.0.0-fips 29 Mar 2010
built on: Tue May 15 05:55:51 EDT 2012
platform: linux-x86_64
options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DWHIRLPOOL_ASM

OPENSSLDIR: "/etc/pki/tls"
engines:  aesni dynamic

and the performance is

[yhu5@snb04 ~]$ openssl speed -evp aes-128-cbc
Doing aes-128-cbc for 3s on 16 size blocks: 91682155 aes-128-cbc's in 2.99s
Doing aes-128-cbc for 3s on 64 size blocks: 24374232 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 6192007 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 1554266 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 194510 aes-128-cbc's in 3.00s
OpenSSL 1.0.0-fips 29 Mar 2010
built on: Tue May 15 05:55:51 EDT 2012
options:bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) aes(partial) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DWHIRLPOOL_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     490606.85k   519983.62k   528384.60k   530522.79k   531141.97k

and if i build the 1.0.1, the engine won't shown, but the performance is amost same.

[yhu5@snb04 openssl-1.0.1e]$ ./apps/openssl speed -evp aes-128-cbc
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Doing aes-128-cbc for 3s on 16 size blocks: 91627894 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 24374965 aes-128-cbc's in 2.99s
Doing aes-128-cbc for 3s on 256 size blocks: 6191730 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 1554151 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 194482 aes-128-cbc's in 3.00s
OpenSSL 1.0.1e 11 Feb 2013
built on: Tue Jun 25 16:15:01 CST 2013
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -march=native -Wa,--noexecstack -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     488682.10k   521738.38k   528360.96k   530483.54k   531065.51k
[yhu5@snb04 openssl-1.0.1e]$ ./apps/openssl engine
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
(rsax) RSAX engine support
(dynamic) Dynamic engine loading support
(4758cca) IBM 4758 CCA hardware engine support
(aep) Aep hardware engine support
(atalla) Atalla hardware engine support
(cswift) CryptoSwift hardware engine support
(chil) CHIL hardware engine support
(nuron) Nuron hardware engine support
(sureware) SureWare hardware engine support
(ubsec) UBSEC hardware engine support
(gost) Reference implementation of GOST engine

So you may go ahead to use OpenSSL directly or use IPP function in code.  The integration is not needed.

Best Regards,
Ying

Hi,

We are using openssl-1.0.1e version and also AESNI is enabled in BIOS.

OpenSSL 1.0.1e 11 Feb 2013built on: Tue Jun 11 19:18:01 IST 2013platform: linux-x86_64options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -g -march=native -Wa,--noexecstack -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASMOPENSSLDIR: "/usr/local/openssl-1.0.1e"

I am trying to measure the AES-256-CBC algorithm performance for decryption of 256bytes buffer size. But I am not getting the numbers matching with the 'openssl speed' tool. I have used EVP* APIs in my sample code (code snippet below).

EVP_CipherInit(&ctx, EVP_aes_256_cbc(), &key_block[40], &iv_input[0], 0); 

clock_gettime(CLOCK_REALTIME, &tspec_start);     

outlen1 = EVP_Cipher(&ctx, &outbuf[0], &inbuf[0], sizeof(inbuf)); 

clock_gettime(CLOCK_REALTIME, &tspec_end);

With this I got the number close to135000k Bytes/sec for 256bytes of buffer. But the 'openssl speed -evp ' shows around 569344.00k Bytes/sec. Could someone please advise if I am missing anything? Measuring the time taken by EVP_Ciphrer() API - is it not a valid way to calculate the performance numbers?

-Nilesh