From 324d92fa7f658d01382ff72c596358f190772369 Mon Sep 17 00:00:00 2001 From: miod <> Date: Thu, 10 Jul 2014 13:08:58 +0000 Subject: Attempt to (incompletely) document EVP_aes_*(). When EVP_des_cbc() was suggested, suggest EVP_aes_256_cbc() instead. Remove mention of EVP_des_ede3_cbc() being the algorithm of choice for S/MIME. Don't mention US-export limited RC2 algorithms, you'd better not know about them. --- src/lib/libcrypto/doc/EVP_EncryptInit.pod | 16 ++++++++++++++-- src/lib/libcrypto/doc/EVP_SealInit.pod | 2 +- src/lib/libcrypto/doc/PKCS7_encrypt.pod | 7 ------- src/lib/libssl/src/doc/crypto/CMS_encrypt.pod | 3 --- src/lib/libssl/src/doc/crypto/EVP_EncryptInit.pod | 16 ++++++++++++++-- src/lib/libssl/src/doc/crypto/EVP_SealInit.pod | 2 +- src/lib/libssl/src/doc/crypto/PKCS7_encrypt.pod | 7 ------- 7 files changed, 30 insertions(+), 23 deletions(-) (limited to 'src') diff --git a/src/lib/libcrypto/doc/EVP_EncryptInit.pod b/src/lib/libcrypto/doc/EVP_EncryptInit.pod index d42445cf10..a876ac789c 100644 --- a/src/lib/libcrypto/doc/EVP_EncryptInit.pod +++ b/src/lib/libcrypto/doc/EVP_EncryptInit.pod @@ -101,7 +101,7 @@ EVP_CIPHER_CTX_init() initializes cipher contex B. EVP_EncryptInit_ex() sets up cipher context B for encryption with cipher B from ENGINE B. B must be initialized before calling this function. B is normally supplied -by a function such as EVP_des_cbc(). If B is NULL then the +by a function such as EVP_aes_256_cbc(). If B is NULL then the default implementation is used. B is the symmetric key to use and B is the IV to use (if necessary), the actual number of bytes used for the key and IV depends on the cipher. It is possible to set @@ -279,10 +279,22 @@ All algorithms have a fixed key length unless otherwise stated. =over 4 -=item EVP_enc_null() +=item EVP_enc_null(void) Null cipher: does nothing. +=item EVP_aes_128_cbc(void), EVP_aes_128_ecb(void), EVP_aes_128_cfb(void), EVP_aes_128_ofb(void) + +128-bit AES in CBC, ECB, CFB and OFB modes respectively. + +=item EVP_aes_192_cbc(void), EVP_aes_192_ecb(void), EVP_aes_192_cfb(void), EVP_aes_192_ofb(void) + +192-bit AES in CBC, ECB, CFB and OFB modes respectively. + +=item EVP_aes_256_cbc(void), EVP_aes_256_ecb(void), EVP_aes_256_cfb(void), EVP_aes_256_ofb(void) + +256-bit AES in CBC, ECB, CFB and OFB modes respectively. + =item EVP_des_cbc(void), EVP_des_ecb(void), EVP_des_cfb(void), EVP_des_ofb(void) DES in CBC, ECB, CFB and OFB modes respectively. diff --git a/src/lib/libcrypto/doc/EVP_SealInit.pod b/src/lib/libcrypto/doc/EVP_SealInit.pod index ff73a04fd9..76eebb72a9 100644 --- a/src/lib/libcrypto/doc/EVP_SealInit.pod +++ b/src/lib/libcrypto/doc/EVP_SealInit.pod @@ -25,7 +25,7 @@ encrypted using this key. EVP_SealInit() initializes a cipher context B for encryption with cipher B using a random secret key and IV. B is normally -supplied by a function such as EVP_des_cbc(). The secret key is encrypted +supplied by a function such as EVP_aes_256_cbc(). The secret key is encrypted using one or more public keys, this allows the same encrypted data to be decrypted using any of the corresponding private keys. B is an array of buffers where the public key encrypted secret key will be written, each buffer diff --git a/src/lib/libcrypto/doc/PKCS7_encrypt.pod b/src/lib/libcrypto/doc/PKCS7_encrypt.pod index e206684384..8bc77407b9 100644 --- a/src/lib/libcrypto/doc/PKCS7_encrypt.pod +++ b/src/lib/libcrypto/doc/PKCS7_encrypt.pod @@ -22,13 +22,6 @@ Only RSA keys are supported in PKCS#7 and envelopedData so the recipient certificates supplied to this function must all contain RSA public keys, though they do not have to be signed using the RSA algorithm. -EVP_des_ede3_cbc() (triple DES) is the algorithm of choice for S/MIME use -because most clients will support it. - -Some old "export grade" clients may only support weak encryption using 40 or 64 -bit RC2. These can be used by passing EVP_rc2_40_cbc() and EVP_rc2_64_cbc() -respectively. - The algorithm passed in the B parameter must support ASN1 encoding of its parameters. diff --git a/src/lib/libssl/src/doc/crypto/CMS_encrypt.pod b/src/lib/libssl/src/doc/crypto/CMS_encrypt.pod index 4f26e24bf6..f697e87e2b 100644 --- a/src/lib/libssl/src/doc/crypto/CMS_encrypt.pod +++ b/src/lib/libssl/src/doc/crypto/CMS_encrypt.pod @@ -22,9 +22,6 @@ Only certificates carrying RSA keys are supported so the recipient certificates supplied to this function must all contain RSA public keys, though they do not have to be signed using the RSA algorithm. -EVP_des_ede3_cbc() (triple DES) is the algorithm of choice for S/MIME use -because most clients will support it. - The algorithm passed in the B parameter must support ASN1 encoding of its parameters. diff --git a/src/lib/libssl/src/doc/crypto/EVP_EncryptInit.pod b/src/lib/libssl/src/doc/crypto/EVP_EncryptInit.pod index d42445cf10..a876ac789c 100644 --- a/src/lib/libssl/src/doc/crypto/EVP_EncryptInit.pod +++ b/src/lib/libssl/src/doc/crypto/EVP_EncryptInit.pod @@ -101,7 +101,7 @@ EVP_CIPHER_CTX_init() initializes cipher contex B. EVP_EncryptInit_ex() sets up cipher context B for encryption with cipher B from ENGINE B. B must be initialized before calling this function. B is normally supplied -by a function such as EVP_des_cbc(). If B is NULL then the +by a function such as EVP_aes_256_cbc(). If B is NULL then the default implementation is used. B is the symmetric key to use and B is the IV to use (if necessary), the actual number of bytes used for the key and IV depends on the cipher. It is possible to set @@ -279,10 +279,22 @@ All algorithms have a fixed key length unless otherwise stated. =over 4 -=item EVP_enc_null() +=item EVP_enc_null(void) Null cipher: does nothing. +=item EVP_aes_128_cbc(void), EVP_aes_128_ecb(void), EVP_aes_128_cfb(void), EVP_aes_128_ofb(void) + +128-bit AES in CBC, ECB, CFB and OFB modes respectively. + +=item EVP_aes_192_cbc(void), EVP_aes_192_ecb(void), EVP_aes_192_cfb(void), EVP_aes_192_ofb(void) + +192-bit AES in CBC, ECB, CFB and OFB modes respectively. + +=item EVP_aes_256_cbc(void), EVP_aes_256_ecb(void), EVP_aes_256_cfb(void), EVP_aes_256_ofb(void) + +256-bit AES in CBC, ECB, CFB and OFB modes respectively. + =item EVP_des_cbc(void), EVP_des_ecb(void), EVP_des_cfb(void), EVP_des_ofb(void) DES in CBC, ECB, CFB and OFB modes respectively. diff --git a/src/lib/libssl/src/doc/crypto/EVP_SealInit.pod b/src/lib/libssl/src/doc/crypto/EVP_SealInit.pod index ff73a04fd9..76eebb72a9 100644 --- a/src/lib/libssl/src/doc/crypto/EVP_SealInit.pod +++ b/src/lib/libssl/src/doc/crypto/EVP_SealInit.pod @@ -25,7 +25,7 @@ encrypted using this key. EVP_SealInit() initializes a cipher context B for encryption with cipher B using a random secret key and IV. B is normally -supplied by a function such as EVP_des_cbc(). The secret key is encrypted +supplied by a function such as EVP_aes_256_cbc(). The secret key is encrypted using one or more public keys, this allows the same encrypted data to be decrypted using any of the corresponding private keys. B is an array of buffers where the public key encrypted secret key will be written, each buffer diff --git a/src/lib/libssl/src/doc/crypto/PKCS7_encrypt.pod b/src/lib/libssl/src/doc/crypto/PKCS7_encrypt.pod index e206684384..8bc77407b9 100644 --- a/src/lib/libssl/src/doc/crypto/PKCS7_encrypt.pod +++ b/src/lib/libssl/src/doc/crypto/PKCS7_encrypt.pod @@ -22,13 +22,6 @@ Only RSA keys are supported in PKCS#7 and envelopedData so the recipient certificates supplied to this function must all contain RSA public keys, though they do not have to be signed using the RSA algorithm. -EVP_des_ede3_cbc() (triple DES) is the algorithm of choice for S/MIME use -because most clients will support it. - -Some old "export grade" clients may only support weak encryption using 40 or 64 -bit RC2. These can be used by passing EVP_rc2_40_cbc() and EVP_rc2_64_cbc() -respectively. - The algorithm passed in the B parameter must support ASN1 encoding of its parameters. -- cgit v1.2.3-55-g6feb