1.\" $NetBSD: crypt.3,v 1.33 2021/10/20 20:29:33 nia Exp $ 2.\" 3.\" Copyright (c) 1989, 1991, 1993 4.\" The Regents of the University of California. All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 3. Neither the name of the University nor the names of its contributors 15.\" may be used to endorse or promote products derived from this software 16.\" without specific prior written permission. 17.\" 18.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 19.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 22.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28.\" SUCH DAMAGE. 29.\" 30.\" @(#)crypt.3 8.2 (Berkeley) 12/11/93 31.\" 32.Dd October 20, 2021 33.Dt CRYPT 3 34.Os 35.Sh NAME 36.Nm crypt , 37.Nm setkey , 38.Nm encrypt , 39.Nm des_setkey , 40.Nm des_cipher 41.Nd password encryption 42.Sh LIBRARY 43.Lb libcrypt 44.Sh SYNOPSIS 45.In unistd.h 46.Ft "char *" 47.Fn crypt "const char *key" "const char *setting" 48.Ft int 49.Fn encrypt "char *block" "int flag" 50.Ft int 51.Fn des_setkey "const char *key" 52.Ft int 53.Fn des_cipher "const char *in" "char *out" "long salt" "int count" 54.In stdlib.h 55.Ft int 56.Fn setkey "const char *key" 57.Sh DESCRIPTION 58The 59.Fn crypt 60function 61performs password encryption. 62The encryption scheme used by 63.Fn crypt 64is dependent upon the contents of the 65.Dv NUL Ns -terminated 66string 67.Ar setting . 68If it begins 69with a string character 70.Pq Ql $ 71and a number then a different algorithm is used depending on the number. 72At the moment a 73.Ql $1 74chooses MD5 hashing and a 75.Ql $2 76chooses Blowfish hashing; see below for more information. 77If 78.Ar setting 79begins with the ``_'' character, DES encryption with a user specified number 80of perturbations is selected. 81If 82.Ar setting 83begins with any other character, DES encryption with a fixed number 84of perturbations is selected. 85.Ss DES encryption 86The DES encryption scheme is derived from the 87.Tn NBS 88Data Encryption Standard. 89Additional code has been added to deter key search attempts and to use 90stronger hashing algorithms. 91In the DES case, the second argument to 92.Fn crypt 93is a character array, 9 bytes in length, consisting of an underscore (``_'') 94followed by 4 bytes of iteration count and 4 bytes of salt. 95Both the iteration 96.Fa count 97and the 98.Fa salt 99are encoded with 6 bits per character, least significant bits first. 100The values 0 to 63 are encoded by the characters ``./0-9A-Za-z'', 101respectively. 102.Pp 103The 104.Fa salt 105is used to induce disorder in to the 106.Tn DES 107algorithm 108in one of 16777216 109possible ways 110(specifically, if bit 111.Em i 112of the 113.Ar salt 114is set then bits 115.Em i 116and 117.Em i+24 118are swapped in the 119.Tn DES 120``E'' box output). 121The 122.Ar key 123is divided into groups of 8 characters (a short final group is null-padded) 124and the low-order 7 bits of each character (56 bits per group) are 125used to form the DES key as follows: the first group of 56 bits becomes the 126initial DES key. 127For each additional group, the XOR of the group bits and the encryption of 128the DES key with itself becomes the next DES key. 129Then the final DES key is used to perform 130.Ar count 131cumulative encryptions of a 64-bit constant. 132The value returned is a 133.Dv NUL Ns -terminated 134string, 20 bytes in length, consisting 135of the 136.Ar setting 137followed by the encoded 64-bit encryption. 138.Pp 139For compatibility with historical versions of 140.Fn crypt , 141the 142.Ar setting 143may consist of 2 bytes of salt, encoded as above, in which case an 144iteration 145.Ar count 146of 25 is used, fewer perturbations of 147.Tn DES 148are available, at most 8 149characters of 150.Ar key 151are used, and the returned value is a 152.Dv NUL Ns -terminated 153string 13 bytes in length. 154.Pp 155The 156functions 157.Fn encrypt , 158.Fn setkey , 159.Fn des_setkey 160and 161.Fn des_cipher 162allow limited access to the 163.Tn DES 164algorithm itself. 165The 166.Ar key 167argument to 168.Fn setkey 169is a 64 character array of 170binary values (numeric 0 or 1). 171A 56-bit key is derived from this array by dividing the array 172into groups of 8 and ignoring the last bit in each group. 173.Pp 174The 175.Fn encrypt 176argument 177.Fa block 178is also a 64 character array of 179binary values. 180If the value of 181.Fa flag 182is 0, 183the argument 184.Fa block 185is encrypted, otherwise it 186is decrypted. 187The encryption or decryption is returned in the original 188array 189.Fa block 190after using the 191key specified 192by 193.Fn setkey 194to process it. 195.Pp 196The 197.Fn des_setkey 198and 199.Fn des_cipher 200functions are faster but less portable than 201.Fn setkey 202and 203.Fn encrypt . 204The argument to 205.Fn des_setkey 206is a character array of length 8. 207The 208.Em least 209significant bit in each character is ignored and the next 7 bits of each 210character are concatenated to yield a 56-bit key. 211The function 212.Fn des_cipher 213encrypts (or decrypts if 214.Fa count 215is negative) the 64-bits stored in the 8 characters at 216.Fa in 217using 218.Xr abs 3 219of 220.Fa count 221iterations of 222.Tn DES 223and stores the 64-bit result in the 8 characters at 224.Fa out . 225The 226.Fa salt 227specifies perturbations to 228.Tn DES 229as described above. 230.Ss MD5 encryption 231For the 232.Tn MD5 233encryption scheme, the version number (in this case ``1''), 234.Fa salt 235and the hashed password are separated 236by the ``$'' character. 237A valid password looks like this: 238.Pp 239``$1$2qGr5PPQ$eT08WBFev3RPLNChixg0H.''. 240.Pp 241The entire password string is passed as 242.Fa setting 243for interpretation. 244.Ss Argon2 encryption 245Argon2 is a memory-hard hashing algorithm. 246.Fn crypt 247provides all three variants: argon2i, argon2d, and argon2id. 248It is recommended to use argon2id, which provides a hybrid combination 249using argon2i on the first pass, and argon2d on the remaining 250passes. 251We parameterize on three variables. 252First, m_cost (m), specifies the memory usage in KB. 253Second, t_cost (t), specifies the number of iterations. 254Third, parallelism (p) specifies the number of threads. 255This is currently ignored and one thread will always be used. 256A valid Argon2 encoded password looks similar to 257.Bd -literal 258$argon2id$v=19$m=4096,t=6,p=1$qCatF9a1s/6TgcYB$ \ 259 yeYYrU/rh7E+LI2CAeHTSHVB3iO+OXiNIUHu6NPeTfo 260.Ed 261containing five fields delimited by '$'. 262The fields, in order, are variant name, version, parameter set, 263128-bit salt, and encoded password. 264The complete password string is required to be processed correctly. 265.Ss "Blowfish" crypt 266The 267.Tn Blowfish 268version of 269.Fn crypt 270has 128 bits of 271.Fa salt 272in order to make building dictionaries of common passwords space consuming. 273The initial state of the 274.Tn Blowfish 275cipher is expanded using the 276.Fa salt 277and the 278.Fa password 279repeating the process a variable number of rounds, which is encoded in 280the password string. 281The maximum password length is 72. 282The final Blowfish password entry is created by encrypting the string 283.Pp 284.Dq OrpheanBeholderScryDoubt 285.Pp 286with the 287.Tn Blowfish 288state 64 times. 289.Pp 290The version number, the logarithm of the number of rounds and 291the concatenation of salt and hashed password are separated by the 292.Ql $ 293character. 294An encoded 295.Sq 8 296would specify 256 rounds. 297A valid Blowfish password looks like this: 298.Pp 299.Dq $2a$12$eIAq8PR8sIUnJ1HaohxX2O9x9Qlm2vK97LJ5dsXdmB.eXF42qjchC . 300.Pp 301The whole Blowfish password string is passed as 302.Fa setting 303for interpretation. 304.Sh RETURN VALUES 305The function 306.Fn crypt 307returns a pointer to the encrypted value on success. 308.Pp 309The behavior of 310.Fn crypt 311on errors isn't well standardized. 312Some implementations simply can't fail (unless the process dies, in which 313case they obviously can't return), others return 314.Dv NULL 315or a fixed string. 316Most implementations don't set 317.Va errno , 318but some do. 319.St -susv2 320specifies 321only returning 322.Dv NULL 323and setting 324.Va errno 325as a valid behavior, and defines 326only one possible error 327.Er ( ENOSYS , 328.Dq "The functionality is not supported on this implementation." ) 329Unfortunately, most existing applications aren't prepared to handle 330.Dv NULL 331returns from 332.Fn crypt . 333The description below corresponds to this implementation of 334.Fn crypt 335only. 336The behavior may change to match standards, other implementations or existing 337applications. 338.Pp 339.Fn crypt 340may only fail (and return) when passed an invalid or unsupported 341.Fa setting , 342in which case it returns a pointer to a magic string that is shorter than 13 343characters and is guaranteed to differ from 344.Fa setting . 345This behavior is safe for older applications which assume that 346.Fn crypt 347can't fail, when both setting new passwords and authenticating against 348existing password hashes. 349.Pp 350The functions 351.Fn setkey , 352.Fn encrypt , 353.Fn des_setkey , 354and 355.Fn des_cipher 356return 0 on success and 1 on failure. 357Historically, the functions 358.Fn setkey 359and 360.Fn encrypt 361did not return any value. 362They have been provided return values primarily to distinguish 363implementations where hardware support is provided but not 364available or where the DES encryption is not available due to the 365usual political silliness. 366.Sh SEE ALSO 367.Xr login 1 , 368.Xr passwd 1 , 369.Xr pwhash 1 , 370.Xr getpass 3 , 371.Xr md5 3 , 372.Xr passwd 5 , 373.Xr passwd.conf 5 374.Rs 375.%T "Argon2: the memory-hard function for password hashing and other applications" 376.%A Alex Biryukov 377.%A Daniel Dinu 378.%A Dmitry Khovratovich 379.%D 2017 380.%I University of Luxembourg 381.%U https://www.password-hashing.net/ 382.Re 383.Rs 384.%T "Mathematical Cryptology for Computer Scientists and Mathematicians" 385.%A Wayne Patterson 386.%D 1987 387.%N ISBN 0-8476-7438-X 388.Re 389.Rs 390.%T "Password Security: A Case History" 391.%A R. Morris 392.%A Ken Thompson 393.%J "Communications of the ACM" 394.%V vol. 22 395.%P pp. 594-597 396.%D Nov. 1979 397.Re 398.Rs 399.%T "DES will be Totally Insecure within Ten Years" 400.%A M.E. Hellman 401.%J "IEEE Spectrum" 402.%V vol. 16 403.%P pp. 32-39 404.%D July 1979 405.Re 406.Sh HISTORY 407A rotor-based 408.Fn crypt 409function appeared in 410.At v6 . 411The current style 412.Fn crypt 413first appeared in 414.At v7 . 415.Sh BUGS 416Dropping the 417.Em least 418significant bit in each character of the argument to 419.Fn des_setkey 420is ridiculous. 421.Pp 422The 423.Fn crypt 424function leaves its result in an internal static object and returns 425a pointer to that object. 426Subsequent calls to 427.Fn crypt 428will modify the same object. 429.Pp 430Before 431.Nx 6.0 432.Fn crypt 433returned either 434.Dv NULL 435or 436.Dv \&: 437on error. 438