Query regarding adding support aes-cbc-hmac-sha1 on non x86 platform through engine

Matt Caswell matt at openssl.org
Mon Jan 13 12:23:12 UTC 2020

On 13/01/2020 06:20, Phani 2004 wrote:
> Hi Team,
> I am trying to add support on a hardware engine for aes-cbc-hmac-sha1.
> I have observed that currently aes-cbc-hmac-sha1 is supported only for
> x86 architecture. 
> "EVP_aes_128_cbc_hmac_sha1" api returns NULL for non-x86 platforms. The
> openssl speed app calls the "EVP_get_cipherbyname" call when it tries to
> parse the given arguments. 
> It calls the above API and it returns NULL for the non-x86 platforms. 
> How do we enable/add support for aes-cbc-hmac-sha1 on non-x86 platforms?
> I mean in the release version and not some local changes in my copy.
> Is this on the roadmap? I am currently using openssl-1.1.1a version.

This is an interesting problem. In order to use an ENGINE implementation of
a cipher, your application has to have a non-NULL EVP_CIPHER object to
start with. This particular cipher is a highly specialised one only used
by libssl. There are a handful of other similar ones.

I can't actually think of a way around this problem in 1.1.1. In 3.0 it
will be very different. You will be able to use the EVP_CIPHER_fetch()
API to ask for a cipher implementation even for ciphers that aren't
available from the built-in providers.

So, yes, in a way this is on the roadmap - although you will have to
implement your custom cipher via a provider rather than an engine.

