I can see that EVP API doesn't support AES counter mode. My guess is
that it might be because of the fact that current EVP API doesn't have a
parameter for counter length. Is that the reason or is it something else?

the problem is that now one can't offload AES counter modes to the
engine unless the application itself specifies its own EVP functions and
structures. However, even then, counter mode IDs and names are missing from
obj*.h files so functions like OBJ_nid2sn() crash. That happens with
"openssl engine -c", for example. It is enough to add following 3 lines to
objects.txt so that AES counter mode can be offloaded to the engine using
the workaround mentioned:

: AES-128-CTR : aes-128-ctr
: AES-192-CTR : aes-192-ctr
: AES-256-CTR : aes-256-ctr

I'm happy to file a bug and post a patch but I'd like to know if
there is anything I'm missing. I searched through the archives but I didn't
see any discussion related to the AES counter mode with regard to EVP API.

and to put it to some context - SSH protocol always uses 128 bits
long counter for AES counter mode so that's why OpenSSH can work with its
own EVP functions for this mode. However, above mentioned changes are needed
so that CTR mode can be offloaded to the engine.

thanks, Jan.

Jan Pechanec
__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org