Description of problem:
Test of AES-NI Engine is outdated. In current version of openssl the check for AES-NI engine is invalid, the engine won't be shown in the output. According to the developer a proper check that AES-NI is working is:
1. to check if machine has AES instruction set, i.e. grep -o aes /proc/cpuinfo
2. compare results of "openssl speed aes-128-cbc" vs "openssl speed -evp aes-128-cbc" where the latter should be significantly better performing.

Please also note that the guide is incorrect in the example of openssl speed command without the -evp option. Without this option AES-NI engine is not used.

Version-Release number of selected component (if applicable):
current live @ https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/ch03s02s03.html
The reproducer is correct, I just tested it on an AES testing machine:

# grep -m1 -o aes /proc/cpuinfo
aes

# openssl speed aes-128-cbc
Doing aes-128 cbc for 3s on 16 size blocks: 18693032 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 64 size blocks: 5052796 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 256 size blocks: 1288608 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 1024 size blocks: 323906 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 8192 size blocks: 40555 aes-128 cbc's in 3.00s
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Fri Sep 27 10:09:12 EDT 2013
options:bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128 cbc      99696.17k   107792.98k   109961.22k   110559.91k   110742.19k

# openssl speed -evp aes-128-cbc
Doing aes-128-cbc for 3s on 16 size blocks: 150084418 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 40934523 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 10510135 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 2646815 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 330598 aes-128-cbc's in 3.00s
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Fri Sep 27 10:09:12 EDT 2013
options:bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     800450.23k   873269.82k   896864.85k   903446.19k   902752.94k
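The two-step check from the description, as an added example that is not part of the bug report or of the Security Guide: it looks for the `aes` flag in a cpuinfo-format file and compares the 8192-byte throughput of the two `openssl speed` runs. The function names, the constructed flags line and the `MIN_RATIO` cut-off of 2 are assumptions; the two summary rows are the ones quoted in the comment above.

```shell
#!/usr/bin/env bash
# Added example (not from the bug report): the two-step AES-NI check as functions.

# Step 1: succeed if a cpuinfo-format file lists the "aes" CPU flag.
has_aes_flag() {
    grep -E '^flags' "${1:-/proc/cpuinfo}" | grep -qw aes
}

# Step 2a: read `openssl speed` output on stdin and print the 8192-byte
# throughput (1000s of bytes/s) from the aes-128-cbc summary row.
throughput_8192() {
    awk 'tolower($0) ~ /^aes-128[ -]cbc +[0-9.]+k/ { v = $NF; sub(/k$/, "", v); print v }'
}

# Step 2b: print the EVP / non-EVP throughput ratio to one decimal place.
evp_speedup() {  # args: plain_value evp_value
    awk -v plain="$1" -v evp="$2" 'BEGIN { if (plain <= 0) exit 1; printf "%.1f\n", evp / plain }'
}

# Verdict. MIN_RATIO (default 2) is an assumed cut-off for "significantly
# better"; the bug report gives no number.
aesni_verdict() {  # args: cpuinfo_file plain_output evp_output
    local plain evp ratio
    has_aes_flag "$1" || { echo "no-aes-flag"; return 0; }
    plain=$(printf '%s\n' "$2" | throughput_8192)
    evp=$(printf '%s\n' "$3" | throughput_8192)
    [ -n "$plain" ] && [ -n "$evp" ] || { echo "unparsed-output"; return 0; }
    ratio=$(evp_speedup "$plain" "$evp") || { echo "unparsed-output"; return 0; }
    if awk -v r="$ratio" -v m="${MIN_RATIO:-2}" 'BEGIN { exit !(r >= m) }'; then
        echo "aesni-active ratio=$ratio"
    else
        echo "aesni-not-observed ratio=$ratio"
    fi
}

# Constructed sample input: a cpuinfo flags line, plus the two summary rows
# copied from the runs quoted in this bug.
SAMPLE_CPUINFO=$(mktemp)
printf 'flags\t\t: fpu vme sse2 ssse3 aes xsave avx\n' > "$SAMPLE_CPUINFO"
SAMPLE_PLAIN='aes-128 cbc      99696.17k   107792.98k   109961.22k   110559.91k   110742.19k'
SAMPLE_EVP='aes-128-cbc     800450.23k   873269.82k   896864.85k   903446.19k   902752.94k'

aesni_verdict "$SAMPLE_CPUINFO" "$SAMPLE_PLAIN" "$SAMPLE_EVP"   # aesni-active ratio=8.2
# Live use: aesni_verdict /proc/cpuinfo "$(openssl speed aes-128-cbc 2>/dev/null)" \
#                                       "$(openssl speed -evp aes-128-cbc 2>/dev/null)"
```

A missing `aes` flag short-circuits the comparison, so a fast `-evp` result on its own is never reported as AES-NI.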
The updated text is already on the Portal:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Security_Guide/index.html#sect-Security_Guide-Encryption-OpenSSL_Intel_AES-NI_Engine

Closing this bug as CLOSED CURRENTRELEASE.