5

When using the OpenSSL crypto libraries in C/C++, does the EVP interface automatically support AES-NI hardware acceleration (assuming processor support)? Referring to this, it appears command-line OpenSSL does have support. I was wondering if there were specific function calls that I had to use to take advantage of this support.

For instance, if I use EVP_EncryptInit_ex(ctx, type, imp, key, iv), do any of these parameters have to specify NI acceleration? I.e. will EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key, iv) do the trick?

Thanks!

Community
  • 1
  • 1
MadhuVK
  • 73
  • 1
  • 4
  • 1
    The page *you refer to* actually explains that `EVP_` functions automatically detect AES-NI. – Maarten Bodewes Jul 01 '14 at 19:06
  • This question triggered a documentation patch in OpenSSL. See [PR 3416: PATCH: EVP_EncryptionInit and AES-NI note](https://rt.openssl.org/Ticket/Display.html?id=3416). – jww Jul 03 '14 at 06:05

1 Answers1

9

When using the OpenSSL crypto libraries in C/C++, does the EVP interface automatically support AES-NI

Yes. EVP_* is the official/supported way to ensure AES-NI is used (if available). In fact, EVP is the only way to access hardware acceleration in general.

EVP_* is also the only way to obtain other hardware accelerations, like engaging Intel's ia32's SHA acceleration under Skylark; ARM's Crypto extensions available in ARMv8; and VIA's ia32 Padlock extensions on their processors.

Using low level AES routines (like AES_encrypt and AES_decrypt) are software only-implementations, and they will never use hardware acceleration like AES-NI. Also see Dr. Henson's response on the OpenSSL mailing list at Verify AES-NI use at runtime?.

Related questions are (1) how to determine if AES-NI is being used; and (2) what are the benchmarking results. For that, see How can I check if OpenSSL is support/use the Intel AES-NI?

Community
  • 1
  • 1
jww
  • 97,681
  • 90
  • 411
  • 885
  • 1
    As a follow up, does the command line utility `openssl enc` automatically trigger hardware acceleration as well? Thanks! – MadhuVK Jul 03 '14 at 17:48
  • 2
    @MVK_1 - Sorry about the late reply. YES, subcommands like `openssl enc` and `openssl dec` will use AES-NI if its available. Some subcommands need the `-evp` option, like `openssl speed`. Also see [How can I check if OpenSSL is support/use the Intel AES-NI?](http://stackoverflow.com/q/25284119) – jww Oct 18 '16 at 03:07