> From: [email protected] On Behalf Of Alexander Lamaison
> Sent: Friday, 07 August, 2009 08:15

> 2009/8/7 Dave Thompson <[email protected]>:
> <snip: applink>
> In our case (the libssh2 library) we don't have an EXE to
> compile OpenSSL_Applink into (you can't just compile it into a
> DLL because it doesn't get called.
<snip>

Ah, I didn't realize your code is in a DLL itself
(as well as using OpenSSL DLLs).

> > There's a third way in some cases -- don't have OpenSSL access the
> > file(s) itself, but instead app reads the file and pass in the data,
> > and/or get out the data and app writes the file.
>
> This is how it is being done at the moment but we're capping
> the read length at some arbitrary maximum to prevent the user
> accidentally specifying a large file and allocating gigabytes
> of memory. This doesn't seem 'neat' and when OpenSSL reads
> the files itself it just reads as much as it needs as it
> parses them. Hence, my plan to use BIO_new_file.
>

Well, most of the files used in the library (as opposed to
commandline enc and dgst/sign etc.) cannot reasonably be
very large; really the only exception is if you have
a truststore of many certs and possibly CRLs in one file.
In theory a single cert, CRL, key etc. can be huge, but
in practice that's unusable and (hence) not done.
So I think this can work. But I agree it's unaesthetic;
it's that much more code to manage, and even if there's
only a small risk of a problem due to hitting a limit
that's still some risk that shouldn't be needed.

<snip>
> Ok. So I'll just ignore [NO_FP_API]. Even more confusingly,
> there's another one called OPENSSL_NO_STDIO. I'll just have
> to be careful not to call any FP functions.
>
> > OTOH you can build OpenSSL normally and just never call *fp*.
> > Using a DLL this is easy to verify; just do (MS) dumpbin/imports, and
> > I think (sysinternals-now-MS) dependency-walker can do it too.
>
> Hmmm. I don't entirely follow. I'm familiar with
> dependency-walker but I don't see how I can use it to verify
> no FP function calls.
>

I've used dumpbin when I needed to do this sort of thing.
I thought I saw/heard d-w could also do it -- it must be
reading the import information -- but never needed to
try it myself and I could well be wrong. Or it might have
been another product in the same category, that has now
fuzzed over in my mind -- lots of people have tried to
mitigate DLL hell over the years. Sorry.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]
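The capped read discussed in this thread, sketched as an added example (not code from libssh2, OpenSSL, or either poster): the application reads the file itself in fixed-size chunks and gives up as soon as the input exceeds a limit, so an oversized file never causes a large allocation. The names `read_capped` and `demo_read`, the 4 KiB chunk size and the 8 KiB cap are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not libssh2 or OpenSSL code: read fp into a heap buffer
 * in 4 KiB chunks and stop as soon as the input exceeds cap bytes.
 * Returns 0 on success, -1 on I/O or allocation failure, -2 if over the cap. */
static int read_capped(FILE *fp, size_t cap, unsigned char **out, size_t *len)
{
    unsigned char chunk[4096], *buf = NULL, *tmp;
    size_t used = 0, n;
    while ((n = fread(chunk, 1, sizeof chunk, fp)) > 0) {
        if (n > cap - used) { free(buf); return -2; }  /* used <= cap holds */
        if ((tmp = realloc(buf, used + n)) == NULL) { free(buf); return -1; }
        buf = tmp;
        memcpy(buf + used, chunk, n);
        used += n;
    }
    if (ferror(fp)) { free(buf); return -1; }
    *out = buf;                                        /* NULL if file empty */
    *len = used;
    return 0;
}

/* Constructed input: a temporary file of file_size bytes read under cap.
 * Returns the byte count read, or a negative error code (-1 also if tmpfile fails). */
static long demo_read(size_t file_size, size_t cap)
{
    unsigned char *data = NULL;
    size_t len = 0, i;
    FILE *fp = tmpfile();
    int rc;
    if (fp == NULL) return -1;
    for (i = 0; i < file_size; i++) fputc('A', fp);
    rewind(fp);
    rc = read_capped(fp, cap, &data, &len);
    fclose(fp);
    free(data);
    return rc == 0 ? (long)len : (long)rc;
}

int main(void)
{
    printf("%ld %ld\n", demo_read(100, 8192), demo_read(20000, 8192));
    return 0;
}
```

A caller would hand the resulting buffer to OpenSSL through a memory BIO such as `BIO_new_mem_buf`, whose length argument is an `int`, so the cap must not exceed `INT_MAX`.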
