OpenSSL 0.9.8 with AES-NI engine support


#1

What is AES-NI?

OpenSSL 0.9.8 in VyOS 1.0 doesn’t support AES-NI. Intel provides a package called Intel Accelerator OpenSSL Engine [ direct download ]. This engine contains AES-NI support which can be used in OpenSSL 0.9.8 if your hardware is compatible. Intel has a list of processors that support AES-NI on their web site.

[quote=README]…This is essentially a collection of assembler modules from development OpenSSL branch, packed together as a standalone engine.
“Standalone” means that it can be compiled outside OpenSSL source tree without patching the latter. Idea is to provide a way to utilize new code in already released OpenSSL versions constrained by support and release policies limiting their evolvement to genuine bug fixes…[/quote]

To compile the source code, you need to install some packages. Add the debian repository in the configuration:

repository debian {
     components main
      distribution squeeze
      url http://ftp.nl.debian.org/debian
}

Install the following packages:
(I’ve copy/paste this install command from http://community.linuxmint.com/tutorial/view/162. I’m pretty sure the number of packages can be less. Please let me know which packages to remove.)

$ sudo apt-get update
$ sudo apt-get install build-essential automake autoconf libtool pkg-config libcurl4-openssl-dev intltool libxml2-dev libgtk2.0-dev libnotify-dev libglib2.0-dev libevent-dev checkinstall

Download and compile the source code:

$ wget https://www.openssl.org/contrib/intel-accel-1.5.tar.gz
$ tar -zxvf intel-accel-1.5.tar.gz
$ cd intel-accel-1.5
$ make

After compiling, the result is a file called libintel-accel.so.

Place this file in the openssl-engine directory:

$ sudo cp libintel-accel.so /usr/lib/ssl/engines/

You can use test this new setting by testing the openssl speed with/without the intel-accel engine:

$ openssl speed -evp aes-256-cbc #Without the intel-accel engine
......
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc      72423.77k   118062.53k   133166.83k   137723.90k   139193.00k

$ openssl speed -evp aes-256-cbc -engine intel-accel #With the intel-accel engine
engine "intel-accel" set.
......
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc     289293.51k   334365.18k   339216.01k   339013.63k   339301.72k

If you do not wish to compile the source code or install the necessary packages. I’ve include an attachment containing the libintel-accel.so file. Unpack the zip file and place it in the directory /usr/lib/ssl/engines and hopefully it works.


#2

This is very interesting :slight_smile:


#3

Hi
First of all thanks for providing this great info. And ik its an old thread but i don’t want to open a new one unless its needed…

I guess link is broken source link
and i can’t find this source anywhere else. Hope u could direct me to source or share if u still have.
Thanks

EDIT: found source on archive.org. Here is a link https://web.archive.org/web/20140326195451/https://www.openssl.org/contrib/
Don’t know how long its gonna keep it there. Someone please add it to some public storage.