1.\" $NetBSD: crypt.3,v 1.29 2019/10/21 05:16:51 wiz Exp $ 2.\" 3.\" Copyright (c) 1989, 1991, 1993 4.\" The Regents of the University of California. All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 3. Neither the name of the University nor the names of its contributors 15.\" may be used to endorse or promote products derived from this software 16.\" without specific prior written permission. 17.\" 18.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 19.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 22.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28.\" SUCH DAMAGE. 29.\" 30.\" @(#)crypt.3 8.2 (Berkeley) 12/11/93 31.\" 32.Dd January 1, 2012 33.Dt CRYPT 3 34.Os 35.Sh NAME 36.Nm crypt , 37.Nm setkey , 38.Nm encrypt , 39.Nm des_setkey , 40.Nm des_cipher 41.Nd password encryption 42.Sh LIBRARY 43.Lb libcrypt 44.Sh SYNOPSIS 45.In unistd.h 46.Ft "char *" 47.Fn crypt "const char *key" "const char *setting" 48.Ft int 49.Fn encrypt "char *block" "int flag" 50.Ft int 51.Fn des_setkey "const char *key" 52.Ft int 53.Fn des_cipher "const char *in" "char *out" "long salt" "int count" 54.In stdlib.h 55.Ft int 56.Fn setkey "const char *key" 57.Sh DESCRIPTION 58The 59.Fn crypt 60function 61performs password encryption. 62The encryption scheme used by 63.Fn crypt 64is dependent upon the contents of the 65.Dv NUL Ns -terminated 66string 67.Ar setting . 68If it begins 69with a string character 70.Pq Ql $ 71and a number then a different algorithm is used depending on the number. 72At the moment a 73.Ql $1 74chooses MD5 hashing and a 75.Ql $2 76chooses Blowfish hashing; see below for more information. 77If 78.Ar setting 79begins with the ``_'' character, DES encryption with a user specified number 80of perturbations is selected. 81If 82.Ar setting 83begins with any other character, DES encryption with a fixed number 84of perturbations is selected. 85.Ss DES encryption 86The DES encryption scheme is derived from the 87.Tn NBS 88Data Encryption Standard. 89Additional code has been added to deter key search attempts and to use 90stronger hashing algorithms. 91In the DES case, the second argument to 92.Fn crypt 93is a character array, 9 bytes in length, consisting of an underscore (``_'') 94followed by 4 bytes of iteration count and 4 bytes of salt. 95Both the iteration 96.Fa count 97and the 98.Fa salt 99are encoded with 6 bits per character, least significant bits first. 100The values 0 to 63 are encoded by the characters ``./0-9A-Za-z'', 101respectively. 102.Pp 103The 104.Fa salt 105is used to induce disorder in to the 106.Tn DES 107algorithm 108in one of 16777216 109possible ways 110(specifically, if bit 111.Em i 112of the 113.Ar salt 114is set then bits 115.Em i 116and 117.Em i+24 118are swapped in the 119.Tn DES 120``E'' box output). 121The 122.Ar key 123is divided into groups of 8 characters (a short final group is null-padded) 124and the low-order 7 bits of each character (56 bits per group) are 125used to form the DES key as follows: the first group of 56 bits becomes the 126initial DES key. 127For each additional group, the XOR of the group bits and the encryption of 128the DES key with itself becomes the next DES key. 129Then the final DES key is used to perform 130.Ar count 131cumulative encryptions of a 64-bit constant. 132The value returned is a 133.Dv NUL Ns -terminated 134string, 20 bytes in length, consisting 135of the 136.Ar setting 137followed by the encoded 64-bit encryption. 138.Pp 139For compatibility with historical versions of 140.Fn crypt , 141the 142.Ar setting 143may consist of 2 bytes of salt, encoded as above, in which case an 144iteration 145.Ar count 146of 25 is used, fewer perturbations of 147.Tn DES 148are available, at most 8 149characters of 150.Ar key 151are used, and the returned value is a 152.Dv NUL Ns -terminated 153string 13 bytes in length. 154.Pp 155The 156functions 157.Fn encrypt , 158.Fn setkey , 159.Fn des_setkey 160and 161.Fn des_cipher 162allow limited access to the 163.Tn DES 164algorithm itself. 165The 166.Ar key 167argument to 168.Fn setkey 169is a 64 character array of 170binary values (numeric 0 or 1). 171A 56-bit key is derived from this array by dividing the array 172into groups of 8 and ignoring the last bit in each group. 173.Pp 174The 175.Fn encrypt 176argument 177.Fa block 178is also a 64 character array of 179binary values. 180If the value of 181.Fa flag 182is 0, 183the argument 184.Fa block 185is encrypted, otherwise it 186is decrypted. 187The encryption or decryption is returned in the original 188array 189.Fa block 190after using the 191key specified 192by 193.Fn setkey 194to process it. 195.Pp 196The 197.Fn des_setkey 198and 199.Fn des_cipher 200functions are faster but less portable than 201.Fn setkey 202and 203.Fn encrypt . 204The argument to 205.Fn des_setkey 206is a character array of length 8. 207The 208.Em least 209significant bit in each character is ignored and the next 7 bits of each 210character are concatenated to yield a 56-bit key. 211The function 212.Fn des_cipher 213encrypts (or decrypts if 214.Fa count 215is negative) the 64-bits stored in the 8 characters at 216.Fa in 217using 218.Xr abs 3 219of 220.Fa count 221iterations of 222.Tn DES 223and stores the 64-bit result in the 8 characters at 224.Fa out . 225The 226.Fa salt 227specifies perturbations to 228.Tn DES 229as described above. 230.Ss MD5 encryption 231For the 232.Tn MD5 233encryption scheme, the version number (in this case ``1''), 234.Fa salt 235and the hashed password are separated 236by the ``$'' character. 237A valid password looks like this: 238.Pp 239``$1$2qGr5PPQ$eT08WBFev3RPLNChixg0H.''. 240.Pp 241The entire password string is passed as 242.Fa setting 243for interpretation. 244.Ss Argon2 encryption 245Argon2 is a memory-hard hashing algorithm. 246.Fn crypt 247provides all three variants: argon2i, argon2d, and argon2id. 248It is recommended to use argon2id, which provides a hybrid combination 249using argon2i on the first pass, and argon2d on the remaining 250passes. 251We parameterize on three variables. 252First, m_cost (m), specifies the memory usage in KB. 253Second, t_cost (t), specfies the number of iterations. 254Third, parallelism (p) specifies the number of threads. 255A valid Argon2 encoded password looks similar to 256.Bd -literal 257$argon2id$v=19$m=4096,t=6,p=1$qCatF9a1s/6TgcYB$ \ 258 yeYYrU/rh7E+LI2CAeHTSHVB3iO+OXiNIUHu6NPeTfo 259.Ed 260containing five fields delimited by '$'. 261The fields, in order, are variant name, version, parameter set, 262128-bit salt, and encoded password. 263The complete password string is required to be processed correctly. 264.Ss "Blowfish" crypt 265The 266.Tn Blowfish 267version of 268.Fn crypt 269has 128 bits of 270.Fa salt 271in order to make building dictionaries of common passwords space consuming. 272The initial state of the 273.Tn Blowfish 274cipher is expanded using the 275.Fa salt 276and the 277.Fa password 278repeating the process a variable number of rounds, which is encoded in 279the password string. 280The maximum password length is 72. 281The final Blowfish password entry is created by encrypting the string 282.Pp 283.Dq OrpheanBeholderScryDoubt 284.Pp 285with the 286.Tn Blowfish 287state 64 times. 288.Pp 289The version number, the logarithm of the number of rounds and 290the concatenation of salt and hashed password are separated by the 291.Ql $ 292character. 293An encoded 294.Sq 8 295would specify 256 rounds. 296A valid Blowfish password looks like this: 297.Pp 298.Dq $2a$12$eIAq8PR8sIUnJ1HaohxX2O9x9Qlm2vK97LJ5dsXdmB.eXF42qjchC . 299.Pp 300The whole Blowfish password string is passed as 301.Fa setting 302for interpretation. 303.Sh RETURN VALUES 304The function 305.Fn crypt 306returns a pointer to the encrypted value on success. 307.Pp 308The behavior of 309.Fn crypt 310on errors isn't well standardized. 311Some implementations simply can't fail (unless the process dies, in which 312case they obviously can't return), others return 313.Dv NULL 314or a fixed string. 315Most implementations don't set 316.Va errno , 317but some do. 318.St -susv2 319specifies 320only returning 321.Dv NULL 322and setting 323.Va errno 324as a valid behavior, and defines 325only one possible error 326.Er ( ENOSYS , 327.Dq "The functionality is not supported on this implementation." ) 328Unfortunately, most existing applications aren't prepared to handle 329.Dv NULL 330returns from 331.Fn crypt . 332The description below corresponds to this implementation of 333.Fn crypt 334only. 335The behavior may change to match standards, other implementations or existing 336applications. 337.Pp 338.Fn crypt 339may only fail (and return) when passed an invalid or unsupported 340.Fa setting , 341in which case it returns a pointer to a magic string that is shorter than 13 342characters and is guaranteed to differ from 343.Fa setting . 344This behavior is safe for older applications which assume that 345.Fn crypt 346can't fail, when both setting new passwords and authenticating against 347existing password hashes. 348.Pp 349The functions 350.Fn setkey , 351.Fn encrypt , 352.Fn des_setkey , 353and 354.Fn des_cipher 355return 0 on success and 1 on failure. 356Historically, the functions 357.Fn setkey 358and 359.Fn encrypt 360did not return any value. 361They have been provided return values primarily to distinguish 362implementations where hardware support is provided but not 363available or where the DES encryption is not available due to the 364usual political silliness. 365.Sh SEE ALSO 366.Xr login 1 , 367.Xr passwd 1 , 368.Xr pwhash 1 , 369.Xr getpass 3 , 370.Xr md5 3 , 371.Xr passwd 5 , 372.Xr passwd.conf 5 373.Rs 374.%T "Mathematical Cryptology for Computer Scientists and Mathematicians" 375.%A Wayne Patterson 376.%D 1987 377.%N ISBN 0-8476-7438-X 378.Re 379.Rs 380.%T "Password Security: A Case History" 381.%A R. Morris 382.%A Ken Thompson 383.%J "Communications of the ACM" 384.%V vol. 22 385.%P pp. 594-597 386.%D Nov. 1979 387.Re 388.Rs 389.%T "DES will be Totally Insecure within Ten Years" 390.%A M.E. Hellman 391.%J "IEEE Spectrum" 392.%V vol. 16 393.%P pp. 32-39 394.%D July 1979 395.Re 396.Sh HISTORY 397A rotor-based 398.Fn crypt 399function appeared in 400.At v6 . 401The current style 402.Fn crypt 403first appeared in 404.At v7 . 405.Sh BUGS 406Dropping the 407.Em least 408significant bit in each character of the argument to 409.Fn des_setkey 410is ridiculous. 411.Pp 412The 413.Fn crypt 414function leaves its result in an internal static object and returns 415a pointer to that object. 416Subsequent calls to 417.Fn crypt 418will modify the same object. 419.Pp 420Before 421.Nx 6.0 422.Fn crypt 423returned either 424.Dv NULL 425or 426.Dv \&: 427on error. 428