On 3/27/2012 10:42 PM, Jeffrey Walton wrote:
On Tue, Mar 27, 2012 at 4:26 PM, Ken Goldman<kgold...@us.ibm.com>  wrote:
On 3/27/2012 3:51 PM, Jakob Bohm wrote:
On 3/27/2012 9:37 PM, Dr. Stephen Henson wrote:
You should really be using EVP instead of the low level routines.
They are well documented with examples.
Where, precisely?

I didn't find it either when I was looking a few years ago, so I
settled on the obvious low level APIs too.
In fact, neither the low level nor the EVP APIs are documented.  I don't see
any AES documentation at all.
Digest (search for "openssl evp digest example"):
   http://www.openssl.org/docs/crypto/EVP_DigestInit.html
At least this one is outdated, it recommends SHA1, does not
mention any of the larger algorithms and still shows the
old SSL MD5+SHA1 288 bit length as the maximum MD size.

openssl/evp.h has later definitions but no documentation in it.

This document also gives two good reasons not to use this
interface when retrofitting existing code:

1. The state structure (EVP_MD_CTX) requires an extra call to
free internal memory, which may not fit into existing code
that doesn't have such a requirement of its own.

2. The EVP_DigestInit_ex() function is documented as loading
a specific implementation if NULL is passed, thus almost certainly
ensuring that said specific implementation will be linked into
programs that don't use it at all.  It is also unclear how
referencing a specific engine avoids loading the entire feature
set of that engine when only a subset is needed.  Such granularity
issues are basic questions one should always consider in any library
design.

Encrypt (search for "openssl evp encrypt example"):
   http://www.openssl.org/docs/crypto/EVP_EncryptInit.html

Sign  (search for "openssl evp sign example"):
   http://www.openssl.org/docs/crypto/EVP_SignInit.html

Verify  (search for "openssl evp verify example"):
   http://www.openssl.org/docs/crypto/EVP_VerifyInit.html
(I have not checked out those yet).

Explicitly adding the "word" EVP to those searches was
non-obvious because as a programmer I tend not to consider
parts of identifiers as separate search words (except when
doing a raw grep).  And besides, how should a newcomer to
OpenSSL guess that something called "EVP" is of any
significance?

--
Jakob Bohm, CIO, partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. direct: +45 31 13 16 10
This message is only for its intended recipient, delete if misaddressed.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
