> I've been thinking about this and the other one. The buffers should
> never be hard coded as to length in any way. I was being lazy when I
> wrote these bits of code, and now it's burnt me.

+1

I patched this myself in the copy I'm distributing with some configure fixes. I was dismayed to find that the EVP_decode routine didn't even let you specify the length and assumed you passed in a buffer as long as the input. Not the right attitude for OpenSSL to take, IMHO.

-- Scott