On Wed, Mar 09, 2005, Rafael Cividanes wrote:

> I'd like to know if the use of EVP API for symmetric encryption is a
> good choice when using OpenSSL.
>
> "Use the raw OpenSSL API only when absolutely necessary because there is
> a huge potential for introducing a security vulnerability by accident.
> For general-purpose use, we recommend a high-level abstraction, such as
> that discussed in Recipe 5.16
> <0596003943_secureprgckbk-chp-5-sect-16.html#secureprgckbk-CHP-5-SECT-16>."
> - Secure Programming Cookbook for C and C++, Viega & Messier.
>
> Is Viega asking in the sentence above to not use the EVP API? What
> is the "raw OpenSSL API"?
>

Hard to say without knowing what that recipe refers to.

There is something commonly referred to as the "low level API" in OpenSSL
which is the direct interface to ciphers. That should be avoided where
possible because it can result in non-portable code.

As far as the EVP (a "higher level API") is concerned there aren't any
inherent insecurities in using it.

It could be a reference to designing your own protocol. It is *very* easy
for a newbie to design what looks reasonable but which is very insecure.
Use of tried and tested secure protocols is to be preferred where this is
possible.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk