crypt(3)
Dmitry Belyavsky
beldmit at gmail.com
Fri Jan 17 07:28:03 UTC 2020
Dear Paul,
The KDF variant seems the best one.
On Fri, Jan 17, 2020 at 9:33 AM Dr Paul Dale <paul.dale at oracle.com> wrote:
> In the deprecation efforts for 3.0, I’ve hit something in the DES code
> that I’d appreciate input on.
>
> There are two functions (DES_crypt and DES_fcrypt) which implement the old
> crypt(3) password algorithm. Once these are deprecated, they will no
> longer be reachable via EVP. The confounding point is that they aren’t
> quite DES — close but not identical. I would be surprised if they aren’t
> still in use for /etc/passwd files on old and/or embedded systems.
>
> I’ve got several choices:
>
> 1. Leave them public and unchanged — that is, don’t deprecate these
> two functions yet.
> 2. Deprecate them and add KDFs to replace them.
> 3. Deprecate them, leave them alone and hope they go away painlessly
> at some point.
>
>
> The apps/password.c applet calls these which is how I stumbled over the
> complication. I’m fine refactoring this based on the solution chosen. I’d
> also be okay with factoring out all the password derivation functions into
> KDFs if necessary.
>
>
> Thoughts? Other alternatives?
>
>
> Pauli
> --
> Dr Paul Dale | Distinguished Architect | Cryptographic Foundations
> Phone +61 7 3031 7217
> Oracle Australia
>
>
--
SY, Dmitry Belyavsky
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-project/attachments/20200117/2035f688/attachment.html>
More information about the openssl-project
mailing list