On Sun, 30 Nov 2008 13:01:40 +0100, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
On Fri, Nov 28, 2008, Kosta Welke wrote:

from enc.c:
/* Note that str is NULL if a key was passed on the command
 * line, so we get no salt in that case. Is this a bug?
 */

I say yes and have a fix.

Well I'd say the salt is used to derive the key and iv from the passphrase. If
you specify the key and iv explicitly the salt isn't used.

Well it's probably an academic debate. I assumed you still always use a salt, because that's how RSA does it. But when I think about it, the usage scenario is pretty different...

IMHO, we have 3 choices that each make more sense than the current behavior (silently ignoring the -salt command line option)

a) when specifying key and iv, generate a salt unless -nosalt was set (my patch)
b) when specifying key and iv, don't use salt unless -salt was set
c) when specifying key and iv, never use salt. Warn on the command line when using the salt option with key/iv.

But I guess it's totally bikeshed.

best regards,

Kosta
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [EMAIL PROTECTED]
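
The point made in the thread, that the salt only enters the passphrase-to-key derivation, shown as an added example (not part of the original messages and not OpenSSL's own code). It re-implements the EVP_BytesToKey derivation in Python and assumes the MD5 digest and iteration count of 1 that enc used by default at the time; the passphrase and salts are constructed sample values.

```python
import hashlib

MAGIC = b"Salted__"  # marker enc writes before the 8-byte salt in its output

def evp_bytes_to_key(passphrase, salt, key_len, iv_len, digest="md5", count=1):
    """Derive (key, iv) as EVP_BytesToKey does: D_i = H(D_{i-1} || pass || salt)."""
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = hashlib.new(digest, block + passphrase + salt).digest()
        for _ in range(count - 1):  # extra hashing rounds when count > 1
            block = hashlib.new(digest, block).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]

def split_salt_header(blob):
    """Return (salt, ciphertext); salt is None when no header is present."""
    if len(blob) >= 16 and blob.startswith(MAGIC):
        return blob[8:16], blob[16:]
    return None, blob

def demo():
    """Same passphrase, three salt settings: each yields a different key/iv."""
    passphrase = b"password"                    # constructed sample input
    salt_a = bytes.fromhex("0011223344556677")  # constructed salt
    salt_b = bytes.fromhex("8899aabbccddeeff")  # constructed salt
    return {
        "nosalt": evp_bytes_to_key(passphrase, b"", 16, 16),
        "salt_a": evp_bytes_to_key(passphrase, salt_a, 16, 16),
        "salt_b": evp_bytes_to_key(passphrase, salt_b, 16, 16),
    }

if __name__ == "__main__":
    for name, (key, iv) in demo().items():
        print(f"{name:7} key={key.hex()} iv={iv.hex()}")
```

When the key and iv are given explicitly, this derivation is never run, so a salt has no value to influence; it would only appear as header bytes in the output.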
