Thanks a lot for that thorough answer, Dave. Today I discovered EVP_Seal and related functions (actually I discovered their counterparts in PHP and then searched for the C side). It looks like this is exactly what I'm looking for; maybe people just assume that everyone knows about these "envelope" functions. I suspected something like that existed, but nobody mentions it in any of the numerous forum posts and answers about scenarios like this.
It looks like EVP will take care of most of the low-level concerns, right? I'm just looking for the easiest means of wrapping this up; the amount of security I need is really minimal.
