xref: /freebsd/lib/libcrypt/crypt.3 (revision b54c79e15f7c76148b33d604e5cec2fadf4d46ac)
1e9a56ad5SMark Murray.\" FreeSec: libcrypt for NetBSD
2e9a56ad5SMark Murray.\"
3e9a56ad5SMark Murray.\" Copyright (c) 1994 David Burren
4e9a56ad5SMark Murray.\" All rights reserved.
5e9a56ad5SMark Murray.\"
6e9a56ad5SMark Murray.\" Redistribution and use in source and binary forms, with or without
7e9a56ad5SMark Murray.\" modification, are permitted provided that the following conditions
8e9a56ad5SMark Murray.\" are met:
9e9a56ad5SMark Murray.\" 1. Redistributions of source code must retain the above copyright
10e9a56ad5SMark Murray.\"    notice, this list of conditions and the following disclaimer.
11e9a56ad5SMark Murray.\" 2. Redistributions in binary form must reproduce the above copyright
12e9a56ad5SMark Murray.\"    notice, this list of conditions and the following disclaimer in the
13e9a56ad5SMark Murray.\"    documentation and/or other materials provided with the distribution.
14e9a56ad5SMark Murray.\" 4. Neither the name of the author nor the names of other contributors
15e9a56ad5SMark Murray.\"    may be used to endorse or promote products derived from this software
16e9a56ad5SMark Murray.\"    without specific prior written permission.
17e9a56ad5SMark Murray.\"
18e9a56ad5SMark Murray.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
19e9a56ad5SMark Murray.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20e9a56ad5SMark Murray.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21e9a56ad5SMark Murray.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
22e9a56ad5SMark Murray.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23e9a56ad5SMark Murray.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24e9a56ad5SMark Murray.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25e9a56ad5SMark Murray.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26e9a56ad5SMark Murray.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27e9a56ad5SMark Murray.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28e9a56ad5SMark Murray.\" SUCH DAMAGE.
29e9a56ad5SMark Murray.\"
30e9a56ad5SMark Murray.\" $FreeBSD$
31e9a56ad5SMark Murray.\"
32a5c28e29SMark Murray.Dd April 9, 2011
33e9a56ad5SMark Murray.Dt CRYPT 3
34a307d598SRuslan Ermilov.Os
35e9a56ad5SMark Murray.Sh NAME
36e9a56ad5SMark Murray.Nm crypt
37e9a56ad5SMark Murray.Nd Trapdoor encryption
38f45f23ddSAlexey Zelkin.Sh LIBRARY
39f45f23ddSAlexey Zelkin.Lb libcrypt
40e9a56ad5SMark Murray.Sh SYNOPSIS
4132eef9aeSRuslan Ermilov.In unistd.h
42d3f0d184SBruce Evans.Ft char *
43d3f0d184SBruce Evans.Fn crypt "const char *key" "const char *salt"
4404c9749fSBrian Feldman.Ft const char *
4504c9749fSBrian Feldman.Fn crypt_get_format "void"
4604c9749fSBrian Feldman.Ft int
4704c9749fSBrian Feldman.Fn crypt_set_format "const char *string"
48e9a56ad5SMark Murray.Sh DESCRIPTION
49e9a56ad5SMark MurrayThe
50e9a56ad5SMark Murray.Fn crypt
51e9a56ad5SMark Murrayfunction performs password hashing with additional code added to
521a0a9345SRuslan Ermilovdeter key search attempts.
531a0a9345SRuslan ErmilovDifferent algorithms can be used to
54e9a56ad5SMark Murrayin the hash.
55e9a56ad5SMark Murray.\"
56e9a56ad5SMark Murray.\" NOTICE:
57e9a56ad5SMark Murray.\" If you add more algorithms, make sure to update this list
58e9a56ad5SMark Murray.\" and the default used for the Traditional format, below.
59e9a56ad5SMark Murray.\"
60e9a56ad5SMark MurrayCurrently these include the
61e9a56ad5SMark Murray.Tn NBS
62f45f23ddSAlexey Zelkin.Tn Data Encryption Standard (DES) ,
635c129616SMark Murray.Tn MD5
64bf513f69SMark Murrayhash,
65bf513f69SMark Murray.Tn NT-Hash
66bf513f69SMark Murray(compatible with Microsoft's NT scheme)
67f32b1300SKris Kennawayand
685c129616SMark Murray.Tn Blowfish .
6904c9749fSBrian FeldmanThe algorithm used will depend upon the format of the Salt (following
7004c9749fSBrian Feldmanthe Modular Crypt Format (MCF)), if
71f45f23ddSAlexey Zelkin.Tn DES
725c129616SMark Murrayand/or
735c129616SMark Murray.Tn Blowfish
7404c9749fSBrian Feldmanis installed or not, and whether
7504c9749fSBrian Feldman.Fn crypt_set_format
7604c9749fSBrian Feldmanhas been called to change the default.
77e9a56ad5SMark Murray.Pp
78e9a56ad5SMark MurrayThe first argument to
79f45f23ddSAlexey Zelkin.Nm
80e9a56ad5SMark Murrayis the data to hash (usually a password), in a
81e9a56ad5SMark Murray.Dv null Ns -terminated
82e9a56ad5SMark Murraystring.
83e9a56ad5SMark MurrayThe second is the salt, in one of three forms:
84e9a56ad5SMark Murray.Pp
85e9a56ad5SMark Murray.Bl -tag -width Traditional -compact -offset indent
86e9a56ad5SMark Murray.It Extended
87f45f23ddSAlexey ZelkinIf it begins with an underscore
88f45f23ddSAlexey Zelkin.Pq Dq _
89f45f23ddSAlexey Zelkinthen the
90f45f23ddSAlexey Zelkin.Tn DES
91f45f23ddSAlexey ZelkinExtended Format
92a910f192SDima Dorfmanis used in interpreting both the key and the salt, as outlined below.
93e9a56ad5SMark Murray.It Modular
94f45f23ddSAlexey ZelkinIf it begins with the string
95f45f23ddSAlexey Zelkin.Dq $digit$
96f45f23ddSAlexey Zelkinthen the Modular Crypt Format is used, as outlined below.
97e9a56ad5SMark Murray.It Traditional
98e9a56ad5SMark MurrayIf neither of the above is true, it assumes the Traditional Format,
99e9a56ad5SMark Murrayusing the entire string as the salt (or the first portion).
100e9a56ad5SMark Murray.El
101e9a56ad5SMark Murray.Pp
1021a0a9345SRuslan ErmilovAll routines are designed to be time-consuming.
1031a0a9345SRuslan ErmilovA brief test on a
104f45f23ddSAlexey Zelkin.Tn Pentium
105f45f23ddSAlexey Zelkin166/MMX shows the
106f45f23ddSAlexey Zelkin.Tn DES
107f45f23ddSAlexey Zelkincrypt to do approximately 2640 crypts
10800587201SMark Murraya CPU second and MD5 to do about 62 crypts a CPU second.
109e9a56ad5SMark Murray.Ss DES Extended Format:
110e9a56ad5SMark MurrayThe
111e9a56ad5SMark Murray.Ar key
112e9a56ad5SMark Murrayis divided into groups of 8 characters (the last group is null-padded)
113a910f192SDima Dorfmanand the low-order 7 bits of each character (56 bits per group) are
114f45f23ddSAlexey Zelkinused to form the
115f45f23ddSAlexey Zelkin.Tn DES
116f45f23ddSAlexey Zelkinkey as follows:
117f45f23ddSAlexey Zelkinthe first group of 56 bits becomes the initial
118f45f23ddSAlexey Zelkin.Tn DES
119f45f23ddSAlexey Zelkinkey.
120f45f23ddSAlexey ZelkinFor each additional group, the XOR of the encryption of the current
121f45f23ddSAlexey Zelkin.Tn DES
122f45f23ddSAlexey Zelkinkey with itself and the group bits becomes the next
123f45f23ddSAlexey Zelkin.Tn DES
124f45f23ddSAlexey Zelkinkey.
125e9a56ad5SMark Murray.Pp
126e9a56ad5SMark MurrayThe salt is a 9-character array consisting of an underscore followed
127e9a56ad5SMark Murrayby 4 bytes of iteration count and 4 bytes of salt.
128e9a56ad5SMark MurrayThese are encoded as printable characters, 6 bits per character,
129e9a56ad5SMark Murrayleast significant character first.
130e9a56ad5SMark MurrayThe values 0 to 63 are encoded as ``./0-9A-Za-z''.
131e9a56ad5SMark MurrayThis allows 24 bits for both
132e9a56ad5SMark Murray.Fa count
133e9a56ad5SMark Murrayand
134e9a56ad5SMark Murray.Fa salt .
135e9a56ad5SMark Murray.Pp
136e9a56ad5SMark MurrayThe
137e9a56ad5SMark Murray.Fa salt
138e9a56ad5SMark Murrayintroduces disorder in the
139e9a56ad5SMark Murray.Tn DES
140e9a56ad5SMark Murrayalgorithm in one of 16777216 or 4096 possible ways
1411a0a9345SRuslan Ermilov(i.e., with 24 or 12 bits: if bit
142e9a56ad5SMark Murray.Em i
143e9a56ad5SMark Murrayof the
144e9a56ad5SMark Murray.Ar salt
145e9a56ad5SMark Murrayis set, then bits
146e9a56ad5SMark Murray.Em i
147e9a56ad5SMark Murrayand
148e9a56ad5SMark Murray.Em i+24
149e9a56ad5SMark Murrayare swapped in the
150e9a56ad5SMark Murray.Tn DES
151e9a56ad5SMark MurrayE-box output).
152e9a56ad5SMark Murray.Pp
153f45f23ddSAlexey ZelkinThe
154f45f23ddSAlexey Zelkin.Tn DES
155f45f23ddSAlexey Zelkinkey is used to encrypt a 64-bit constant using
156e9a56ad5SMark Murray.Ar count
157e9a56ad5SMark Murrayiterations of
158e9a56ad5SMark Murray.Tn DES .
159e9a56ad5SMark MurrayThe value returned is a
160e9a56ad5SMark Murray.Dv null Ns -terminated
161e9a56ad5SMark Murraystring, 20 or 13 bytes (plus null) in length, consisting of the
162e9a56ad5SMark Murray.Ar salt
163e9a56ad5SMark Murrayfollowed by the encoded 64-bit encryption.
164e9a56ad5SMark Murray.Ss "Modular" crypt:
165e9a56ad5SMark MurrayIf the salt begins with the string
166e9a56ad5SMark Murray.Fa $digit$
1671a0a9345SRuslan Ermilovthen the Modular Crypt Format is used.
1681a0a9345SRuslan ErmilovThe
169e9a56ad5SMark Murray.Fa digit
1701a0a9345SRuslan Ermilovrepresents which algorithm is used in encryption.
1711a0a9345SRuslan ErmilovFollowing the token is
1721a0a9345SRuslan Ermilovthe actual salt to use in the encryption.
1731a0a9345SRuslan ErmilovThe length of the salt is limited
17496f68db5STom Rhodesto 8 characters--because the length of the returned output is also limited
1751a0a9345SRuslan Ermilov(_PASSWORD_LEN).
1761a0a9345SRuslan ErmilovThe salt must be terminated with the end of the string
1771a0a9345SRuslan Ermilov(NULL) or a dollar sign.
1781a0a9345SRuslan ErmilovAny characters after the dollar sign are ignored.
179e9a56ad5SMark Murray.Pp
180e9a56ad5SMark MurrayCurrently supported algorithms are:
181e9a56ad5SMark Murray.Pp
18242635956SRuslan Ermilov.Bl -enum -compact -offset indent
183067f2c3fSRuslan Ermilov.It
184e9a56ad5SMark MurrayMD5
185067f2c3fSRuslan Ermilov.It
1865c129616SMark MurrayBlowfish
187bf513f69SMark Murray.It
188bf513f69SMark MurrayNT-Hash
189a5c28e29SMark Murray.It
190*b54c79e1SEitan Adler(unused)
191*b54c79e1SEitan Adler.It
192a5c28e29SMark MurraySHA-256
193a5c28e29SMark Murray.It
194a5c28e29SMark MurraySHA-512
195e9a56ad5SMark Murray.El
196e9a56ad5SMark Murray.Pp
1971a0a9345SRuslan ErmilovOther crypt formats may be easily added.
1981a0a9345SRuslan ErmilovAn example salt would be:
199e9a56ad5SMark Murray.Bl -tag -offset indent
200bf513f69SMark Murray.It Cm "$4$thesalt$rest"
201e9a56ad5SMark Murray.El
202e9a56ad5SMark Murray.Ss "Traditional" crypt:
203f45f23ddSAlexey ZelkinThe algorithm used will depend upon whether
20404c9749fSBrian Feldman.Fn crypt_set_format
2059886bcdfSPeter Wemmhas been called and whether a global default format has been specified.
2069886bcdfSPeter WemmUnless a global default has been specified or
20704c9749fSBrian Feldman.Fn crypt_set_format
20888b471a1SPeter Wemmhas set the format to something else, the built-in default format is
20988b471a1SPeter Wemmused.
21088b471a1SPeter WemmThis is currently
211e9a56ad5SMark Murray.\"
212e9a56ad5SMark Murray.\" NOTICE: Also make sure to update this
213e9a56ad5SMark Murray.\"
21488b471a1SPeter WemmDES
21588b471a1SPeter Wemmif it is available, or MD5 if not.
216e9a56ad5SMark Murray.Pp
2171a0a9345SRuslan ErmilovHow the salt is used will depend upon the algorithm for the hash.
2181a0a9345SRuslan ErmilovFor
219e9a56ad5SMark Murraybest results, specify at least two characters of salt.
22004c9749fSBrian Feldman.Pp
22104c9749fSBrian FeldmanThe
22204c9749fSBrian Feldman.Fn crypt_get_format
22304c9749fSBrian Feldmanfunction returns a constant string that represents the name of the
22404c9749fSBrian Feldmanalgorithm currently used.
22504c9749fSBrian FeldmanValid values are
22604c9749fSBrian Feldman.\"
22704c9749fSBrian Feldman.\" NOTICE: Also make sure to update this, too, as well
22804c9749fSBrian Feldman.\"
2295c129616SMark Murray.Ql des ,
230bf513f69SMark Murray.Ql blf ,
231a5c28e29SMark Murray.Ql md5 ,
232a5c28e29SMark Murray.Ql sha256 ,
233a5c28e29SMark Murray.Ql sha512
23404c9749fSBrian Feldmanand
235bf513f69SMark Murray.Ql nth .
23604c9749fSBrian Feldman.Pp
23704c9749fSBrian FeldmanThe
23804c9749fSBrian Feldman.Fn crypt_set_format
23904c9749fSBrian Feldmanfunction sets the default encoding format according to the supplied
24004c9749fSBrian Feldman.Fa string .
2419886bcdfSPeter Wemm.Pp
2429886bcdfSPeter WemmThe global default format can be set using the
2439886bcdfSPeter Wemm.Pa /etc/auth.conf
2449886bcdfSPeter Wemmfile using the
2453ea75eb1SRuslan Ermilov.Va crypt_default
2469886bcdfSPeter Wemmproperty.
247e9a56ad5SMark Murray.Sh RETURN VALUES
248e4f2c10bSPhilippe CharnierThe
249e9a56ad5SMark Murray.Fn crypt
250e4f2c10bSPhilippe Charnierfunction returns a pointer to the encrypted value on success, and NULL on
251e4f2c10bSPhilippe Charnierfailure.
252e9a56ad5SMark MurrayNote: this is not a standard behaviour, AT&T
253e9a56ad5SMark Murray.Fn crypt
254e9a56ad5SMark Murraywill always return a pointer to a string.
25504c9749fSBrian Feldman.Pp
256e4f2c10bSPhilippe CharnierThe
25704c9749fSBrian Feldman.Fn crypt_set_format
258e4f2c10bSPhilippe Charnierfunction will return 1 if the supplied encoding format was valid.
25904c9749fSBrian FeldmanOtherwise, a value of 0 is returned.
260e9a56ad5SMark Murray.Sh SEE ALSO
261e9a56ad5SMark Murray.Xr login 1 ,
262e9a56ad5SMark Murray.Xr passwd 1 ,
2639886bcdfSPeter Wemm.Xr auth_getval 3 ,
264e9a56ad5SMark Murray.Xr getpass 3 ,
2659886bcdfSPeter Wemm.Xr auth.conf 5 ,
266eb894267SRuslan Ermilov.Xr passwd 5
267e9a56ad5SMark Murray.Sh HISTORY
268e9a56ad5SMark MurrayA rotor-based
269e9a56ad5SMark Murray.Fn crypt
270e9a56ad5SMark Murrayfunction appeared in
271e9a56ad5SMark Murray.At v6 .
272e9a56ad5SMark MurrayThe current style
273e9a56ad5SMark Murray.Fn crypt
274e9a56ad5SMark Murrayfirst appeared in
275e9a56ad5SMark Murray.At v7 .
276e9a56ad5SMark Murray.Pp
277f45f23ddSAlexey ZelkinThe
278f45f23ddSAlexey Zelkin.Tn DES
279f45f23ddSAlexey Zelkinsection of the code (FreeSec 1.0) was developed outside the United
280f45f23ddSAlexey ZelkinStates of America as an unencumbered replacement for the U.S.-only
281f45f23ddSAlexey Zelkin.Nx
282e9a56ad5SMark Murraylibcrypt encryption library.
283e9a56ad5SMark Murray.Sh AUTHORS
284725ab628SRuslan Ermilov.An -nosplit
285f45f23ddSAlexey ZelkinOriginally written by
286f45f23ddSAlexey Zelkin.An David Burren Aq davidb@werj.com.au ,
287f45f23ddSAlexey Zelkinlater additions and changes by
288725ab628SRuslan Ermilov.An Poul-Henning Kamp ,
28904c9749fSBrian Feldman.An Mark R V Murray ,
290bf513f69SMark Murray.An Michael Bretterklieber ,
2915c129616SMark Murray.An Kris Kennaway ,
2925c129616SMark Murray.An Brian Feldman ,
2935c129616SMark Murray.An Paul Herman
29404c9749fSBrian Feldmanand
2955c129616SMark Murray.An Niels Provos .
29624a0682cSRuslan Ermilov.Sh BUGS
29724a0682cSRuslan ErmilovThe
29824a0682cSRuslan Ermilov.Fn crypt
29924a0682cSRuslan Ermilovfunction returns a pointer to static data, and subsequent calls to
30024a0682cSRuslan Ermilov.Fn crypt
30124a0682cSRuslan Ermilovwill modify the same data.
30224a0682cSRuslan ErmilovLikewise,
30324a0682cSRuslan Ermilov.Fn crypt_set_format
30424a0682cSRuslan Ermilovmodifies static data.
30524a0682cSRuslan Ermilov.Pp
30624a0682cSRuslan ErmilovThe NT-hash scheme does not use a salt,
30724a0682cSRuslan Ermilovand is not hard
30824a0682cSRuslan Ermilovfor a competent attacker
30924a0682cSRuslan Ermilovto break.
31024a0682cSRuslan ErmilovIts use is not recommended.
311