Dear Paul,

The KDF variant seems the best one.

On Fri, Jan 17, 2020 at 9:33 AM Dr Paul Dale <paul.d...@oracle.com> wrote:

> In the deprecation efforts for 3.0, I’ve hit something in the DES code
> that I’d appreciate input on.
>
> There are two functions (DES_crypt and DES_fcrypt) which implement the old
> crypt(3) password algorithm. Once these are deprecated, they will no
> longer be reachable via EVP. The confounding point is that they aren’t
> quite DES — close but not identical. I would be surprised if they aren’t
> still in use for /etc/passwd files on old and/or embedded systems.
>
> I’ve got several choices:
>
> 1. Leave them public and unchanged — that is, don’t deprecate these
>    two functions yet.
> 2. Deprecate them and add KDFs to replace them.
> 3. Deprecate them, leave them alone and hope they go away painlessly
>    at some point.
>
> The apps/password.c applet calls these which is how I stumbled over the
> complication. I’m fine refactoring this based on the solution chosen. I’d
> also be okay with factoring out all the password derivation functions into
> KDFs if necessary.
>
> Thoughts? Other alternatives?
>
> Pauli
> --
> Dr Paul Dale | Distinguished Architect | Cryptographic Foundations
> Phone +61 7 3031 7217
> Oracle Australia

--
SY, Dmitry Belyavsky