OpenSSL using EVP vs. algorithm API for symmetric crypto

c linux cryptography openssl

20,360

Solution 1

Using the EVP API has the advantage that you can use the same API for all the symmetric ciphers that OpenSSL supports, in a generic way. This makes it way easier to replace the algorithm used, or make the algorithm user-configurable at a later stage. Most of the code you write is not specific to the encryption algorithm you selected.

Here's a simple example for encryption with AES-256 in CBC mode:

#include <stdio.h>
#include <openssl/evp.h>

int main()
{
    EVP_CIPHER_CTX ctx;
    unsigned char key[32] = {0};
    unsigned char iv[16] = {0};
    unsigned char in[16] = {0};
    unsigned char out[32]; /* at least one block longer than in[] */
    int outlen1, outlen2;

    EVP_EncryptInit(&ctx, EVP_aes_256_cbc(), key, iv);
    EVP_EncryptUpdate(&ctx, out, &outlen1, in, sizeof(in));
    EVP_EncryptFinal(&ctx, out + outlen1, &outlen2);

    printf("ciphertext length: %d\n", outlen1 + outlen2);

    return 0;
}

For simplicity, I omitted error handling.

IMO one of the most important pieces of documentation on OpenSSL is Network Security with OpenSSL by Viega/Messier/Chandra. It is from 2002 (0.9.7), so does not cover changes to OpenSSL during the last 10 years, but it is IMO still a less painful way to learn OpenSSL than by using only the manual pages.

Solution 2

Currently OpenSSL wiki has good documentation on how to use the EVP family of functions: http://wiki.openssl.org/index.php/EVP

The other upside of using the EVP over algorithm API is that EVP will automatically use hardware acceleration (like AES-NI instruction set) if available. With algorithm API you need to enable it manually.

20,360

abhi

Updated on July 09, 2022

Comments

abhi almost 2 years

Hi i have installed openssl on my linux machine and going through the header files and documentation (which is highly insufficint :( ).

i am trying to build a project(in 'c') which uses symmetric crypto algos (i am focusing on aes256cbc). The problem is i am confused as in how to use the library functions in my code.

For my implementation of aes256cbc i can directly use the functions defined in the 'aes.h' header file(which appeared to me at the first place).

But on googling i came accross some tutorial for this which are using 'evp.h' functions to do this http://saju.net.in/code/misc/openssl_aes.c.txt

Is there a specific reason for this or directly accessing the aes.h functions is better.

And also if someone can point me to a good documentation/tutorial of any kind on using the crypto library of openssl will be much appreciated.

many thanks

P.S forgive me if i am being naive
abhi about 12 years

thanks a lot for the crisp explanation and the book recommendation. I was fed up after searching for a good resource on net for the explanation for the crypto api. One more question where can i find the crypto library where i can see the actual implementation of all the evp.h and other *.h files. I tried reading various libraries which gets installed with openssl in the lib folder but they are object code i guess. Any pointers in this direction.. Many thanks
Daniel Roethlisberger about 12 years

You can grab the source tarball from openssl.org/source matching your installed version of OpenSSL.
abhi about 12 years

Many many thanks for recomending the above said book.. it helped me a loy esp the chapter 6 cleared much of doubts i had regarding the EVP api.. thanks once again..