[cryptography] Just how bad is OpenSSL ?

Jeffrey Walton noloader at gmail.com
Wed Oct 31 15:34:08 EDT 2012


On Tue, Oct 30, 2012 at 4:47 PM, danimoth <danimoth at cryptolab.net> wrote:
> On 27/10/12 at 06:47pm, Patrick Pelletier wrote:
> [cut]
>> Besides the poor documentation, the other thing about OpenSSL is
>> that it is definitely not "batteries included."  Now, I'm not
> [cut]
>
> I think they use a "batteries included" approach in the enc code:
> man pages [2] talk about IV/key generation, so OpenSSL doesn't
> provide the primitive block cipher (and you, user, need to take care of
> stream cipher mode when you need it) but instead they offer an all-included
> solution, absolutely non-standard IMHO, which derives key and IV from
> passphrase, with a salt.
> Am I wrong in something?
>
> BTW, a concurrent library, Crypto++, does the exact opposite [1].
>
> [1] http://www.cryptopp.com/wiki/Advanced_Encryption_Standard
> [2] http://www.openssl.org/docs/apps/enc.html

I think that's apples and oranges - a comparison is being made between
openssl.exe and Crypto++'s AES class. Perhaps it would be better to
compare OpenSSL's utility (openssl.exe) to Crypto++'s utility
(cryptest.exe).

If you look in default.cpp
(http://www.cryptopp.com/docs/ref/default_8cpp_source.html), you will
see GenerateKeyIV(...). It uses a Mash(..) function, too. The
functions are used by cryptest.exe in its encryption/decryption
routines.

Jeff
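
[Added example, not part of the original message or of either project's code.] The passphrase-plus-salt derivation discussed in this thread is OpenSSL's EVP_BytesToKey, which the enc utility of that period called with MD5 and a count of 1. The sketch below reproduces it next to PBKDF2 for comparison; the function names, the sample passphrase and the iteration count are assumptions made for this example.

```python
import hashlib

def evp_bytes_to_key(passphrase, salt, key_len, iv_len, digest="md5", count=1):
    """Derive (key, iv) the way OpenSSL's EVP_BytesToKey does."""
    material = b""
    block = b""
    while len(material) < key_len + iv_len:
        # D_i = H(D_{i-1} || passphrase || salt), with D_0 empty.
        block = hashlib.new(digest, block + passphrase + salt).digest()
        # "count" re-hashes each block; enc passes 1, so this loop is a no-op there.
        for _ in range(count - 1):
            block = hashlib.new(digest, block).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]

def parse_enc_header(blob):
    """Split salted enc output into (salt, ciphertext)."""
    # Layout: 8-byte magic "Salted__", 8-byte salt, then the ciphertext.
    if len(blob) < 16 or blob[:8] != b"Salted__":
        raise ValueError("not a salted openssl enc blob")
    return blob[8:16], blob[16:]

def derive_pbkdf2(passphrase, salt, key_len, iv_len, iterations=100_000):
    """Standard alternative: PBKDF2-HMAC-SHA256 with a real work factor."""
    # The iteration count is an assumed value chosen for this example.
    out = hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations,
                              key_len + iv_len)
    return out[:key_len], out[key_len:]

if __name__ == "__main__":
    # Constructed sample: magic, salt 00..07, 32 placeholder ciphertext bytes.
    blob = b"Salted__" + bytes(range(8)) + b"\x00" * 32
    salt, ciphertext = parse_enc_header(blob)
    passphrase = b"correct horse"  # constructed sample passphrase
    key, iv = evp_bytes_to_key(passphrase, salt, 32, 16)  # AES-256-CBC sizes
    print("legacy key:", key.hex(), "iv:", iv.hex())
    # The whole legacy derivation costs three MD5 calls per passphrase guess.
    key2, iv2 = derive_pbkdf2(passphrase, salt, 32, 16)
    print("pbkdf2 key:", key2.hex(), "iv:", iv2.hex())
```

With a count of 1, each passphrase guess against a captured file costs only a few hash invocations, which is why the work factor matters more than the salt here.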


