On Tue, Mar 27, 2012 at 5:19 PM, Jakob Bohm <jb-open...@wisemo.com> wrote:
> On 3/27/2012 10:42 PM, Jeffrey Walton wrote:
>>
>> On Tue, Mar 27, 2012 at 4:26 PM, Ken Goldman<kgold...@us.ibm.com> wrote:
>>>
>>> On 3/27/2012 3:51 PM, Jakob Bohm wrote:
>>>>
>>>> On 3/27/2012 9:37 PM, Dr. Stephen Henson wrote:
>>>>>
>>>>> You should really be using EVP instead of the low level routines.
>>>>> They are well documented with examples.
>>>>
>>>> Where, precisely?
>>>>
>>>> I didn't find it either when I was looking a few years ago, so I
>>>> settled on the obvious low level APIs too.
>>>
>>> In fact, neither the low level nor the EVP APIs are documented. I don't
>>> see any AES documentation at all.
>>
>> Digest (search for "openssl evp digest example"):
>> http://www.openssl.org/docs/crypto/EVP_DigestInit.html
>
> At least this one is outdated, it recommends SHA1, does not
> mention any of the larger algorithms and still shows the
> old SSL MD5+SHA1 288 bit length as the maximum MD size.
>
> openssl/evp.h has later definitions but no documentation in it.
>
> This document also gives two good reasons not to use this
> interface when retrofitting existing code:
>
> 1. The state structure (EVP_MD_CTX) requires an extra call to
> free internal memory, which may not fit into existing code
> that doesn't have such a requirement of its own.
>
> 2. The EVP_DigestInit_ex() function is documented as loading
> a specific implementation if NULL is passed, thus almost certainly
> ensuring that said specific implementation will be linked into
> programs that don't use it at all. It is also unclear how
> referencing a specific engine avoids loading the entire feature
> set of that engine when only a subset is needed. Such granularity
> issues are basic questions one should always consider in any library
> design.
>
>
>> Encrypt (search for "openssl evp encrypt example"):
>> http://www.openssl.org/docs/crypto/EVP_EncryptInit.html
>>
>> Sign (search for "openssl evp sign example"):
>> http://www.openssl.org/docs/crypto/EVP_SignInit.html
>>
>> Verify (search for "openssl evp verify example"):
>> http://www.openssl.org/docs/crypto/EVP_VerifyInit.html
>
> (I have not checked out those yet).
>
> Explicitly adding the "word" EVP to those searches was
> non-obvious because as a programmer I tend not to consider
> parts of identifiers as separate search words (except when
> doing a raw grep). And besides, how should a newcomer to
> OpenSSL guess that something called "EVP" is of any
> significance?

Good point. I think I learned it the hard way some time ago.

Jeff
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org