[openssl-project] To use or not use the iconv API, and to use or not use other libraries
levitte at openssl.org
Mon Jun 11 15:21:14 UTC 2018
In message <D50FD4D3-F34F-474A-B89C-62B58E6DE076 at akamai.com> on Mon, 11 Jun 2018 15:06:01 +0000, "Salz, Rich" <rsalz at akamai.com> said:
rsalz> > If B<-pass8bit> is given, the password is taken to be encoded in the current
rsalz> > locale, but is still used directly.
rsalz> > A future release might automatically convert the password to valid UTF-8
rsalz> > encoding if this flag is given.
rsalz> I would propose that "-pass8bit" means that each byte of the input is
rsalz> a unicode code point value (i.e. ASCII or LATIN1 supplement) and we'll
rsalz> convert to UCS-2 by prepending 0x00 to each one. If so, I would expect
rsalz> this flag to NOT ever change its meaning.
rsalz> I don't see the point of this.
rsalz> My goal, with the two flags, was to allow users to make explicit what they want, and to warn them that *one* of the cases might/will change in the future.
Well, that is what's done in PKCS12_generate_mac(), so this isn't
something that should be done by the application. What the application
*must* do when getting '-pass8bit' is to do a naïve UTF-8 encode of
the input pass phrase string. PKCS12_generate_mac() will then decode
it and zero extend every resulting byte to 16 bits. If you *don't* do
this, you risk having any byte sequence that looks like UTF-8 in the
original input to be decoded and made into something other than what
the user intended.
Richard Levitte levitte at openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
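An added example, not part of the original message and not OpenSSL code: a simplified model of the two steps described above, showing why password bytes that already look like UTF-8 come out differently unless they are naively UTF-8 encoded first. The function names, the sample bytes and the 1- and 2-byte-only decoder are assumptions made for illustration.

```c
#include <stddef.h>

/* Naive UTF-8 encode: each input byte is code point U+0000..U+00FF. */
size_t naive_utf8_encode(const unsigned char *in, size_t len, unsigned char *out)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (in[i] < 0x80) {
            out[n++] = in[i];
        } else {
            out[n++] = (unsigned char)(0xC0 | (in[i] >> 6));
            out[n++] = (unsigned char)(0x80 | (in[i] & 0x3F));
        }
    }
    return n;
}

/* Model of the library-side step (an assumption, not OpenSSL's code): decode
 * 1- and 2-byte UTF-8, emit each code point as 16 bits big-endian; 0 on error. */
size_t utf8_to_16bit(const unsigned char *in, size_t len, unsigned char *out)
{
    size_t n = 0, i = 0;
    while (i < len) {
        unsigned cp;
        if (in[i] < 0x80) {
            cp = in[i++];
        } else if ((in[i] & 0xE0) == 0xC0 && i + 1 < len
                   && (in[i + 1] & 0xC0) == 0x80) {
            cp = ((in[i] & 0x1Fu) << 6) | (in[i + 1] & 0x3Fu);
            if (cp < 0x80) return 0; /* reject overlong forms */
            i += 2;
        } else {
            return 0;
        }
        out[n++] = (unsigned char)(cp >> 8);
        out[n++] = (unsigned char)(cp & 0xFF);
    }
    return n;
}

/* Constructed input: Latin-1 bytes 0xC3 0xA9, also valid UTF-8 for U+00E9. */
size_t derive(int encode_first, unsigned char *out)
{
    const unsigned char pass[] = { 0xC3, 0xA9 };
    unsigned char utf8[4];
    if (!encode_first)
        return utf8_to_16bit(pass, sizeof(pass), out);
    return utf8_to_16bit(utf8, naive_utf8_encode(pass, sizeof(pass), utf8), out);
}
```

With the naive encode, the two input bytes survive as two zero-extended 16-bit units; without it, they collapse into the single unit 0x00E9.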