1.\" $NetBSD: crypt.3,v 1.35 2023/01/17 14:27:11 uwe Exp $ 2.\" 3.\" Copyright (c) 1989, 1991, 1993 4.\" The Regents of the University of California. All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 3. Neither the name of the University nor the names of its contributors 15.\" may be used to endorse or promote products derived from this software 16.\" without specific prior written permission. 17.\" 18.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 19.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 22.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28.\" SUCH DAMAGE. 29.\" 30.\" @(#)crypt.3 8.2 (Berkeley) 12/11/93 31.\" 32.Dd October 20, 2021 33.Dt CRYPT 3 34.Os 35.Sh NAME 36.Nm crypt , 37.Nm setkey , 38.Nm encrypt , 39.Nm des_setkey , 40.Nm des_cipher 41.Nd password hashing 42.Sh LIBRARY 43.Lb libcrypt 44.Sh SYNOPSIS 45.In unistd.h 46.Ft "char *" 47.Fn crypt "const char *key" "const char *setting" 48.Ft int 49.Fn encrypt "char *block" "int flag" 50.Ft int 51.Fn des_setkey "const char *key" 52.Ft int 53.Fn des_cipher "const char *in" "char *out" "long salt" "int count" 54.In stdlib.h 55.Ft int 56.Fn setkey "const char *key" 57.Sh DESCRIPTION 58The 59.Fn crypt 60function 61performs password hashing. 62The password hashing scheme used by 63.Fn crypt 64is dependent upon the contents of the 65.Tn NUL Ns -terminated 66string 67.Ar setting . 68If it begins 69with a string character 70.Pq Ql $ 71and a number then a different algorithm is used depending on the number. 72At the moment a 73.Ql $1 74chooses MD5 hashing and a 75.Ql $2 76chooses Blowfish hashing; see below for more information. 77If 78.Ar setting 79begins with the 80.Ql _ 81character, 82.Tn DES 83password hashing with a user specified number of 84perturbations is selected. 85If 86.Ar setting 87begins with any other character, 88.Tn DES 89password hashing with a fixed 90number of perturbations is selected. 91.Ss DES password hashing 92The 93.Tn DES 94password hashing scheme is derived from the 95.Tn NBS 96Data Encryption Standard. 97Additional code has been added to deter key search attempts and to use 98stronger hashing algorithms. 99In the 100.Tn DES 101case, the second argument to 102.Fn crypt 103is a character array, 9 bytes in length, consisting of an underscore 104.Pq Ql _ 105followed by 4 bytes of iteration count and 4 bytes of salt. 106Both the iteration 107.Fa count 108and the 109.Fa salt 110are encoded with 6 bits per character, least significant bits first. 111The values 0 to 63 are encoded by the characters 112.Ql ./0-9A-Za-z , 113respectively. 114.Pp 115The 116.Fa salt 117is used to induce disorder in to the 118.Tn DES 119algorithm 120in one of 16777216 121possible ways 122(specifically, if bit 123.Em i 124of the 125.Ar salt 126is set then bits 127.Em i 128and 129.Em i+24 130are swapped in the 131.Tn DES 132.Dq E 133box output). 134The 135.Ar key 136is divided into groups of 8 characters (a short final group is null-padded) 137and the low-order 7 bits of each character (56 bits per group) are 138used to form the 139.Tn DES 140key as follows: the first group of 56 bits becomes the initial 141.Tn DES 142key. 143For each additional group, the XOR of the group bits and the encryption of the 144.Tn DES 145key with itself becomes the next 146.Tn DES 147key. 148Then the final 149.Tn DES 150key is used to perform 151.Ar count 152cumulative encryptions of a 64-bit constant yielding a 153.Sq ciphertext . 154The value returned is a 155.Tn NUL Ns -terminated 156string, 20 bytes in length, consisting 157of the 158.Ar setting 159followed by the encoded 64-bit 160.Sq ciphertext . 161.Pp 162For compatibility with historical versions of 163.Fn crypt , 164the 165.Ar setting 166may consist of 2 bytes of salt, encoded as above, in which case an 167iteration 168.Ar count 169of 25 is used, fewer perturbations of 170.Tn DES 171are available, at most 8 172characters of 173.Ar key 174are used, and the returned value is a 175.Tn NUL Ns -terminated 176string 13 bytes in length. 177.Pp 178The 179functions 180.Fn encrypt , 181.Fn setkey , 182.Fn des_setkey 183and 184.Fn des_cipher 185allow limited access to the 186.Tn DES 187algorithm itself. 188The 189.Ar key 190argument to 191.Fn setkey 192is a 64 character array of 193binary values (numeric 0 or\~1). 194A 56-bit key is derived from this array by dividing the array 195into groups of 8 and ignoring the last bit in each group. 196.Pp 197The 198.Fn encrypt 199argument 200.Fa block 201is also a 64 character array of 202binary values. 203If the value of 204.Fa flag 205is 0, 206the argument 207.Fa block 208is encrypted, otherwise it 209is decrypted. 210The encryption or decryption is returned in the original 211array 212.Fa block 213after using the 214key specified 215by 216.Fn setkey 217to process it. 218.Pp 219The 220.Fn des_setkey 221and 222.Fn des_cipher 223functions are faster but less portable than 224.Fn setkey 225and 226.Fn encrypt . 227The argument to 228.Fn des_setkey 229is a character array of length 8. 230The 231.Em least 232significant bit in each character is ignored and the next 7 bits of each 233character are concatenated to yield a 56-bit key. 234The function 235.Fn des_cipher 236encrypts (or decrypts if 237.Fa count 238is negative) the 64-bits stored in the 8 characters at 239.Fa in 240using 241.Xr abs 3 242of 243.Fa count 244iterations of 245.Tn DES 246and stores the 64-bit result in the 8 characters at 247.Fa out . 248The 249.Fa salt 250specifies perturbations to 251.Tn DES 252as described above. 253.Ss MD5 password hashing 254For the 255.Tn MD5 256password hashing scheme, the version number (in this case 257.Ql 1 ) , 258.Fa salt 259and the hashed password are separated 260by the 261.Ql $ 262character. 263An encoded password hash looks like: 264.Pp 265.Dl "$1$2qGr5PPQ$eT08WBFev3RPLNChixg0H" 266.Pp 267The entire encoded MD5 password hash is passed as 268.Fa setting 269for interpretation. 270.Ss Argon2 password hashing 271Argon2 is a memory-hard password hashing algorithm. 272.Fn crypt 273provides all three variants: argon2i, argon2d, and argon2id. 274It is recommended to use argon2id, which provides a hybrid combination 275using argon2i on the first pass, and argon2d on the remaining 276passes. 277We parameterize on three variables. 278First, 279.Va m_cost ( Li m ) , 280specifies the memory usage in 281.Tn KB . 282Second, 283.Va t_cost ( Li t ) , 284specifies the number of iterations. 285Third, 286.Va parallelism ( Li p ) 287specifies the number of threads. 288This is currently ignored and one thread will always be used. 289An encoded Argon2 password hash looks like: 290.Bd -literal -offset indent 291$argon2id$v=19$m=4096,t=6,p=1$qCatF9a1s/6TgcYB$ \e 292 yeYYrU/rh7E+LI2CAeHTSHVB3iO+OXiNIUHu6NPeTfo 293.Ed 294.Pp 295containing five fields delimited by 296.Ql $ . 297The fields, in order, are variant name, version, parameter set, 298128-bit salt, and Argon2 hash encoded in base64. 299The entire encoded Argon2 password hash is required to be processed 300correctly. 301.Ss "Blowfish" bcrypt 302The 303.Tn Blowfish 304version of 305.Fn crypt 306has 128 bits of 307.Fa salt 308in order to make building dictionaries of common passwords space consuming. 309The initial state of the 310.Tn Blowfish 311cipher is expanded using the 312.Fa salt 313and the 314.Fa password 315repeating the process a variable number of rounds, which is encoded in 316the password hash. 317The maximum password length is 72. 318The final Blowfish password output is created by encrypting the string 319.Pp 320.Dl OrpheanBeholderScryDoubt 321.Pp 322with the 323.Tn Blowfish 324state 64 times. 325.Pp 326The version number, the logarithm of the number of rounds and 327the concatenation of salt and hashed password are separated by the 328.Ql $ 329character. 330An encoded 331.Sq 8 332would specify 256 rounds. 333An encoded Blowfish password hash looks like: 334.Pp 335.Dl "$2a$12$eIAq8PR8sIUnJ1HaohxX2O9x9Qlm2vK97LJ5dsXdmB.eXF42qjchC" 336.Pp 337The entire encoded Blowfish password hash is passed as 338.Fa setting 339for interpretation. 340.Sh RETURN VALUES 341The function 342.Fn crypt 343returns a pointer to the encoded hash on success. 344.Pp 345The behavior of 346.Fn crypt 347on errors isn't well standardized. 348Some implementations simply can't fail (unless the process dies, in which 349case they obviously can't return), others return 350.Dv NULL 351or a fixed string. 352Most implementations don't set 353.Va errno , 354but some do. 355.St -susv2 356specifies 357only returning 358.Dv NULL 359and setting 360.Va errno 361as a valid behavior, and defines 362only one possible error 363.Er ( ENOSYS , 364.Dq "The functionality is not supported on this implementation." ) 365Unfortunately, most existing applications aren't prepared to handle 366.Dv NULL 367returns from 368.Fn crypt . 369The description below corresponds to this implementation of 370.Fn crypt 371only. 372The behavior may change to match standards, other implementations or existing 373applications. 374.Pp 375.Fn crypt 376may only fail (and return) when passed an invalid or unsupported 377.Fa setting , 378in which case it returns a pointer to a magic string that is shorter than 13 379characters and is guaranteed to differ from 380.Fa setting . 381This behavior is safe for older applications which assume that 382.Fn crypt 383can't fail, when both setting new passwords and authenticating against 384existing password hashes. 385.Pp 386The functions 387.Fn setkey , 388.Fn encrypt , 389.Fn des_setkey , 390and 391.Fn des_cipher 392return 0 on success and 1 on failure. 393Historically, the functions 394.Fn setkey 395and 396.Fn encrypt 397did not return any value. 398They have been provided return values primarily to distinguish 399implementations where hardware support is provided but not 400available or where the 401.Tn DES 402encryption is not available due to the 403usual political silliness. 404.Sh SEE ALSO 405.Xr login 1 , 406.Xr passwd 1 , 407.Xr pwhash 1 , 408.Xr getpass 3 , 409.Xr md5 3 , 410.Xr passwd 5 , 411.Xr passwd.conf 5 412.Rs 413.%T "Argon2: the memory-hard function for password hashing and other applications" 414.%A Alex Biryukov 415.%A Daniel Dinu 416.%A Dmitry Khovratovich 417.%D 2017 418.%I University of Luxembourg 419.%U https://www.password-hashing.net/ 420.Re 421.Rs 422.%T "Mathematical Cryptology for Computer Scientists and Mathematicians" 423.%A Wayne Patterson 424.%D 1987 425.%N ISBN 0-8476-7438-X 426.Re 427.Rs 428.%T "Password Security: A Case History" 429.%A R. Morris 430.%A Ken Thompson 431.%J "Communications of the ACM" 432.%V vol. 22 433.%P pp. 594-597 434.%D Nov. 1979 435.Re 436.Rs 437.%T "DES will be Totally Insecure within Ten Years" 438.%A M.E. Hellman 439.%J "IEEE Spectrum" 440.%V vol. 16 441.%P pp. 32-39 442.%D July 1979 443.Re 444.Sh HISTORY 445A rotor-based 446.Fn crypt 447function appeared in 448.At v6 . 449The current style 450.Fn crypt 451first appeared in 452.At v7 . 453.Sh BUGS 454Dropping the 455.Em least 456significant bit in each character of the argument to 457.Fn des_setkey 458is ridiculous. 459.Pp 460The 461.Fn crypt 462function leaves its result in an internal static object and returns 463a pointer to that object. 464Subsequent calls to 465.Fn crypt 466will modify the same object. 467.Pp 468Before 469.Nx 6.0 470.Fn crypt 471returned either 472.Dv NULL 473or 474.Li \*q:\*q 475on error. 476.Pp 477The term 478.Sq encryption 479for password hashing does not match the terminology of modern 480cryptography, but the name of the library is entrenched. 481.Pp 482A library for password hashing has no business directly exposing the 483.Tn DES 484cipher itself, which is obsolete and broken as a cipher. 485