[openssl-project] To use or not use the iconv API, and to use or not use other libraries

Richard Levitte levitte at openssl.org
Mon Jun 11 15:21:14 UTC 2018

In message <D50FD4D3-F34F-474A-B89C-62B58E6DE076 at akamai.com> on Mon, 11 Jun 2018 15:06:01 +0000, "Salz, Rich" <rsalz at akamai.com> said:

rsalz>     > If B<-pass8bit> is given, the password is taken to be encoded in the current
rsalz>     > locale, but is still used directly.
rsalz>     > A future release might automatically convert the password to valid UTF-8
rsalz>     > encoding if this flag is given.
rsalz>     I would propose that "-pass8bit" means that each byte of the input is
rsalz>     a unicode code point value (i.e. ASCII or LATIN1 supplement) and we'll
rsalz>     convert to UCS-2 by prepending 0x00 to each one.  If so, I would expect
rsalz>     this flag to NOT ever change its meaning.
rsalz> I don't see the point of this.
rsalz> My goal, with the two flags, was to allow users to make explicit what they want, and to warn them that *one* of the cases might/will change in the future.

Well, that is what's done in PKCS12_generate_mac(), so this isn't
something that should be done by the application.  What the appication
*must* do when getting '-pass8bit' is to do a naïve UTF-8 encode of
the input pass phrase string.  PKCS12_generate_mac() will then decode
it and zero extend every resulting byte to 16 bits.  If you *don't* do
this, you risk having any byte sequence that looks like UTF-8 in the
original input to be decoded and made into something other than what
the user intended.


Richard Levitte         levitte at openssl.org
OpenSSL Project         http://www.openssl.org/~levitte/

More information about the openssl-project mailing list