Add a warning to des.h. DES being deprecated is hopefully well-established enough that no one is going start complaining our implementation isn't constant-time. But I think this is the only non-constant-time code left without a warning, so add one for completeness. (It is possible to implement DES with bitslicing, but 3DES TLS ciphers are too slow as it is and hopefully not long for the world.) Change-Id: I6b0de915e89ffe2d11372f7109642fcff44b11bf Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/43244 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>

commit: 38bcb5368cae46458a501760e023b5f25de92d92 [log] [tgz]
author: David Benjamin <davidben@google.com> Wed Sep 30 15:38:25 2020 -0400
committer: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Wed Sep 30 20:32:54 2020 +0000
tree: f60155efc81200931f0bf0784e94939ac08f66fe
parent: 9bf1634b93394385651858960309be05010015fe [diff]
diff --git a/include/openssl/des.h b/include/openssl/des.h
index af1c822..539b2c5 100644
--- a/include/openssl/des.h
+++ b/include/openssl/des.h

@@ -65,6 +65,12 @@
 
 
 // DES.
+//
+// This module is deprecated and retained for legacy reasons only. It is slow
+// and may leak key material with timing or cache side channels. Moreover,
+// single-keyed DES is broken and can be brute-forced in under a day.
+//
+// Use a modern cipher, such as AES-GCM or ChaCha20-Poly1305, instead.
 
 
 typedef struct DES_cblock_st {
commit	38bcb5368cae46458a501760e023b5f25de92d92	[log] [tgz]
author	David Benjamin <davidben@google.com>	Wed Sep 30 15:38:25 2020 -0400
committer	CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>	Wed Sep 30 20:32:54 2020 +0000
tree	f60155efc81200931f0bf0784e94939ac08f66fe
parent	9bf1634b93394385651858960309be05010015fe [diff]