c - OpenSSL AES_cbc_encrypt vs EVP interfaces -

i need encrypt long lived network data streams using aes-cbc. thinking call evp_encryptinit_ex() once , save evp_cipher_ctx subsequent calls evp_encryptupdate. likewise on decrypt end. first problem discovered evp_decryptupdate 1 block behind. e.g., if encrypt 32 bytes, 1st decrypt update return 16, though know has decrypted 32 bytes. guess means need call evp_decryptfinal after every evp_decryptupdate, , evp_encryptinit_ex() reset iv before next update.

a second concern may have many 1000's of these streams, , trying minimize memory footprint. sizeof(evp_cipher_ctx) 168 bytes, if query memory usage before , after 1000 calls evp_encryptinit_ex(), looks allocates additional 412 bytes per context (this on top of 20k after first call).

correction, see 412 bytes per ctx not 168 + 412

the aes_cbc_encrypt() interface looks better needs. there fixed 260 byte aes_key structure, plus need maintain 16 byte iv myself. however, understand, not use aes-ni intel hardware acceleration. https://security.stackexchange.com/questions/35036/different-performance-of-openssl-speed-on-the-same-hardware-with-aes-256-evp-an there way enable aes-ni on aec_cbc_encrypt() interface? 2x memory requirement of evp not side effect of api, necessary speed improvement? there alternative openssl uses aes-ni?

is there way enable aes-ni on aec_cbc_encrypt() interface?

no. aes_encrypt software implementation. never use hardware acceleration.

also, openssl project tells don't use aes_encrypt , friends. rather, tell use evp_encrypt , friends.

---

is 2x memory requirement of evp not side effect of api, necessary speed improvement?

its hard because i've never profiled it. matter? if need x, don't have choice within openssl. here, x perform authenticated encryption evp interfaces.

---

is there alternative openssl uses aes-ni?

its hard say. maybe articulate requirements, , ask on programmers stack exchange. that's place ask high level design questions.