In message <[email protected]> on Mon, 11 Jun 2018 15:06:01 +0000, "Salz, Rich" <[email protected]> said:
rsalz> > If B<-pass8bit> is given, the password is taken to be encoded in the current rsalz> > locale, but is still used directly. rsalz> > A future release might automatically convert the password to valid UTF-8 rsalz> > encoding if this flag is given. rsalz> rsalz> I would propose that "-pass8bit" means that each byte of the input is rsalz> a unicode code point value (i.e. ASCII or LATIN1 supplement) and we'll rsalz> convert to UCS-2 by prepending 0x00 to each one. If so, I would expect rsalz> this flag to NOT ever change its meaning. rsalz> rsalz> I don't see the point of this. rsalz> rsalz> My goal, with the two flags, was to allow users to make explicit what they want, and to warn them that *one* of the cases might/will change in the future. Well, that is what's done in PKCS12_generate_mac(), so this isn't something that should be done by the application. What the appication *must* do when getting '-pass8bit' is to do a naïve UTF-8 encode of the input pass phrase string. PKCS12_generate_mac() will then decode it and zero extend every resulting byte to 16 bits. If you *don't* do this, you risk having any byte sequence that looks like UTF-8 in the original input to be decoded and made into something other than what the user intended. Cheers, Richard -- Richard Levitte [email protected] OpenSSL Project http://www.openssl.org/~levitte/ _______________________________________________ openssl-project mailing list [email protected] https://mta.openssl.org/mailman/listinfo/openssl-project
