
EVP_SealInit(3)



NAME

       EVP_SealInit, EVP_SealUpdate, EVP_SealFinal - EVP envelope
       encryption

SYNOPSIS

       #include <openssl/evp.h>

       int EVP_SealInit(
               EVP_CIPHER_CTX *ctx,
               EVP_CIPHER *type,
               unsigned char **ek,
               int *ekl,
               unsigned char *iv,
               EVP_PKEY **pubk,
               int npubk );

       int EVP_SealUpdate(
               EVP_CIPHER_CTX *ctx,
               unsigned char *out,
               int *outl,
               unsigned char *in,
               int inl );

       int EVP_SealFinal(
               EVP_CIPHER_CTX *ctx,
               unsigned char *out,
               int *outl );

DESCRIPTION

       The EVP envelope routines are a high  level  interface  to
       envelope  encryption.  They generate a random key and then
       envelope it by using public key encryption.  Data can then
       be encrypted using this key.

       The  EVP_SealInit()  function initializes a cipher context
       ctx for encryption with cipher type using a random  secret
       key and IV supplied in the iv parameter.  The type is
       normally supplied by a function such as EVP_des_cbc(). The
       secret  key  is  encrypted  using one or more public keys.
       This allows the same encrypted data to be decrypted  using
       any  of the corresponding private keys. The ek is an array
       of buffers where the public key encrypted secret key  will
       be  written.  Each buffer must contain enough room for the
       corresponding encrypted key: that is, ek[i] must have room
       for  EVP_PKEY_size(pubk[i]) bytes. The actual size of each
       encrypted secret key is written to the array ekl. The pubk
       is an array of npubk public keys.

       The  EVP_SealUpdate()  and  EVP_SealFinal() functions have
       the  same  properties  as  the   EVP_EncryptUpdate()   and
       EVP_EncryptFinal() functions, as documented on the
       EVP_EncryptInit(3) reference page.

NOTES

       Because a random secret key is generated, the random number
       generator must be seeded before calling EVP_SealInit().

       The public key must be RSA because it is the only  OpenSSL
       public key algorithm that supports key transport.

       Envelope  encryption  is  the usual method of using public
       key encryption on large amounts of data. This  is  because
       public  key encryption is slow but symmetric encryption is
       fast. So symmetric encryption is used for bulk  encryption
       and  the  small  random  symmetric key used is transferred
       using public key encryption.

       It is possible to call EVP_SealInit() twice  in  the  same
       way as EVP_EncryptInit(). The first call should have npubk
       set to 0 and (after  setting  any  cipher  parameters)  it
       should be called again with type set to NULL.

RETURN VALUES

       The EVP_SealInit() function returns 0 on error or npubk if
       successful.

       The EVP_SealUpdate() and EVP_SealFinal() functions  return
       1 for success and 0 for failure.

SEE ALSO

       Functions:    evp(3),   rand_ssl(3),   EVP_EncryptInit(3),
       EVP_OpenInit(3)


