[openssl-project] To use or not use the iconv API, and to use or not use other libraries

Richard Levitte levitte at openssl.org
Mon Jun 11 15:46:58 UTC 2018

In message <8EE45344-9BFC-44F9-9DB2-C384F7645CD6 at akamai.com> on Mon, 11 Jun 2018 15:25:23 +0000, "Salz, Rich" <rsalz at akamai.com> said:

rsalz> >    *must* do when getting '-pass8bit' is to do a naïve UTF-8 encode of
rsalz>     the input pass phrase string.  PKCS12_generate_mac() will then decode
rsalz> I disagree.
rsalz> There are two reasons why users enter "illegal" passwords now, and by now requiring them to make it explicit we can (a) check only for ASCII on current inputs; (b) make them thing about what they're doing and require them to specify; (c) set the expectation that something will change in the future.

A variant is to check if the 8bit string can be decoded as a UTF-8
string and warn the user that such string is going to get screwed.

Richard Levitte         levitte at openssl.org
OpenSSL Project         http://www.openssl.org/~levitte/

More information about the openssl-project mailing list