Dr Paul Dale paul.dale at
Fri Jan 17 06:31:06 UTC 2020

In the deprecation efforts for 3.0, I’ve hit something in the DES code that I’d appreciate input on.

There are two functions (DES_crypt and DES_fcrypt) which implement the old crypt(3) password algorithm.  Once these are deprecated, they will no longer be reachable via EVP.  The confounding point is that they aren’t quite DES — close but not identical.  I would be surprised if they aren’t still in use for /etc/passwd files on old and/or embedded systems.

I’ve got several choices:
Leave them public and unchanged — that is, don’t deprecate these two functions yet.
Deprecate them and add KDFs to replace them.
Deprecate them, leave them alone and hope they go away painlessly at some point.

The apps/password.c applet calls these which is how I stumbled over the complication.  I’m fine refactoring this based on the solution chosen.  I’d also be okay with factoring out all the password derivation functions into KDFs if necessary.

Thoughts?  Other alternatives?

Dr Paul Dale | Distinguished Architect | Cryptographic Foundations 
Phone +61 7 3031 7217
Oracle Australia

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openssl-project mailing list