Add a warning to des.h. DES being deprecated is hopefully well-established enough that no one is going start complaining our implementation isn't constant-time. But I think this is the only non-constant-time code left without a warning, so add one for completeness. (It is possible to implement DES with bitslicing, but 3DES TLS ciphers are too slow as it is and hopefully not long for the world.) Change-Id: I6b0de915e89ffe2d11372f7109642fcff44b11bf Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/43244 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/include/openssl/des.h b/include/openssl/des.h index af1c822..539b2c5 100644 --- a/include/openssl/des.h +++ b/include/openssl/des.h
@@ -65,6 +65,12 @@ // DES. +// +// This module is deprecated and retained for legacy reasons only. It is slow +// and may leak key material with timing or cache side channels. Moreover, +// single-keyed DES is broken and can be brute-forced in under a day. +// +// Use a modern cipher, such as AES-GCM or ChaCha20-Poly1305, instead. typedef struct DES_cblock_st {