crypt(3)

Dmitry Belyavsky beldmit at gmail.com
Fri Jan 17 07:28:03 UTC 2020


Dear Paul,

The KDF variant seems the best one.

On Fri, Jan 17, 2020 at 9:33 AM Dr Paul Dale <paul.dale at oracle.com> wrote:

> In the deprecation efforts for 3.0, I’ve hit something in the DES code
> that I’d appreciate input on.
>
> There are two functions (DES_crypt and DES_fcrypt) which implement the old
> crypt(3) password algorithm.  Once these are deprecated, they will no
> longer be reachable via EVP.  The confounding point is that they aren’t
> quite DES — close but not identical.  I would be surprised if they aren’t
> still in use for /etc/passwd files on old and/or embedded systems.
>
> I’ve got several choices:
>
>    1. Leave them public and unchanged — that is, don’t deprecate these
>    two functions yet.
>    2. Deprecate them and add KDFs to replace them.
>    3. Deprecate them, leave them alone and hope they go away painlessly
>    at some point.
>
>
> The apps/password.c applet calls these which is how I stumbled over the
> complication.  I’m fine refactoring this based on the solution chosen.  I’d
> also be okay with factoring out all the password derivation functions into
> KDFs if necessary.
>
>
> Thoughts?  Other alternatives?
>
>
> Pauli
> --
> Dr Paul Dale | Distinguished Architect | Cryptographic Foundations
> Phone +61 7 3031 7217
> Oracle Australia
>
>

-- 
SY, Dmitry Belyavsky