Lines 1-6
Link Here
|
1 |
.\" FreeSec: libcrypt for NetBSD |
1 |
.\" FreeSec: libcrypt for NetBSD |
2 |
.\" |
2 |
.\" |
3 |
.\" Copyright (c) 1994 David Burren |
3 |
.\" Copyright (c) 1994 David Burren |
|
|
4 |
.\" Copyright (c) 2015 Derek Marcotte |
4 |
.\" All rights reserved. |
5 |
.\" All rights reserved. |
5 |
.\" |
6 |
.\" |
6 |
.\" Redistribution and use in source and binary forms, with or without |
7 |
.\" Redistribution and use in source and binary forms, with or without |
Lines 15-24
Link Here
|
15 |
.\" may be used to endorse or promote products derived from this software |
16 |
.\" may be used to endorse or promote products derived from this software |
16 |
.\" without specific prior written permission. |
17 |
.\" without specific prior written permission. |
17 |
.\" |
18 |
.\" |
18 |
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND |
19 |
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND |
19 |
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
20 |
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
20 |
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
21 |
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
21 |
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
22 |
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE |
22 |
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
23 |
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
23 |
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
24 |
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
24 |
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
25 |
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
Lines 27-310
Link Here
|
27 |
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
28 |
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
28 |
.\" SUCH DAMAGE. |
29 |
.\" SUCH DAMAGE. |
29 |
.\" |
30 |
.\" |
30 |
.\" $FreeBSD: head/lib/libcrypt/crypt.3 267773 2014-06-23 08:23:05Z bapt $ |
31 |
.\" $FreeBSD: $ |
31 |
.\" |
32 |
.\" |
32 |
.Dd March 9, 2014 |
33 |
.Dd March 9, 2015 |
33 |
.Dt CRYPT 3 |
34 |
.Dt LIBCRYPT 3 |
34 |
.Os |
35 |
.Os |
35 |
.Sh NAME |
36 |
.Sh NAME |
36 |
.Nm crypt |
37 |
.Nm crypt , |
37 |
.Nd Trapdoor encryption |
38 |
.Nm crypt_makesalt , |
|
|
39 |
.Nm crypt_get_format , |
40 |
.Nm crypt_set_format |
41 |
.Nd "library for password hashing" |
38 |
.Sh LIBRARY |
42 |
.Sh LIBRARY |
39 |
.Lb libcrypt |
43 |
.Lb libcrypt |
40 |
.Sh SYNOPSIS |
44 |
.Sh SYNOPSIS |
41 |
.In unistd.h |
45 |
.In unistd.h |
42 |
.Ft char * |
46 |
.Ft "char *" |
43 |
.Fn crypt "const char *key" "const char *salt" |
47 |
.Fn crypt "const char *key" "const char *salt" |
44 |
.Ft const char * |
48 |
.Ft "int" |
|
|
49 |
.Fn crypt_makesalt "char *output" "const char *format" "size_t *out_len" |
50 |
.Ft "const char *" |
45 |
.Fn crypt_get_format "void" |
51 |
.Fn crypt_get_format "void" |
46 |
.Ft int |
52 |
.Ft "int" |
47 |
.Fn crypt_set_format "const char *string" |
53 |
.Fn crypt_set_format "const char *string" |
48 |
.Sh DESCRIPTION |
54 |
.Sh DESCRIPTION |
49 |
The |
55 |
The |
50 |
.Fn crypt |
56 |
.Nm libcrypt |
51 |
function performs password hashing with additional code added to |
57 |
library covers functions related to password hashing. |
52 |
deter key search attempts. |
58 |
.Pp |
53 |
Different algorithms can be used to |
59 |
Password hashing is different than a standard one way hash function. Password hashing tries to make it difficult to recover a low-entropy key |
54 |
in the hash. |
60 |
.Pq e.g. a typed password |
55 |
.\" |
61 |
from the resultant output hash. Offline recovery by exhaustive key search |
56 |
.\" NOTICE: |
62 |
.Pq brute-force and dictionary attacks |
57 |
.\" If you add more algorithms, make sure to update this list |
63 |
is stymied by the password hashing being one-way, and often computationally expensive. Different algorithms can be selected to produce the password hash, with varying ability to effectively deter key search attempts. |
58 |
.\" and the default used for the Traditional format, below. |
64 |
.Pp |
59 |
.\" |
65 |
The hashing algorithm to be used for an invocation of crypt is chosen by supplying a salt parameter of a particular format. The algorithms currently supported are: |
60 |
Currently these include the |
66 |
.Sx bcrypt , |
61 |
.Tn NBS |
67 |
.Sx sha512-crypt , |
62 |
.Tn Data Encryption Standard (DES) , |
68 |
.Sx sha256-crypt , |
63 |
.Tn MD5 |
69 |
.Sx md5-crypt , |
64 |
hash, |
70 |
.Sx DES Extended Format , |
65 |
.Tn NT-Hash |
71 |
.Sx Traditional DES Format , |
66 |
.Pq compatible with Microsoft's NT scheme |
72 |
and |
67 |
and |
73 |
.Sx NT-Hash . |
68 |
.Tn Blowfish . |
74 |
.Pp |
69 |
The algorithm used will depend upon the format of the Salt |
75 |
Current computational capabilities make all but the bcrypt and sha-crypt families known to be susceptible to exhaustive key searches. The tuneable work factor of the bcrypt and sha-crypt families has allowed them to be set to be more computationally intensive over time. The use of the other families is not recommended at this time, but are maintained for legacy compatibility. |
70 |
.Po |
76 |
.Pp |
71 |
following |
77 |
The first argument to |
72 |
the Modular Crypt Format |
78 |
.Fn crypt |
73 |
.Pq MCF |
79 |
is the |
74 |
.Pc , |
80 |
.Fa key |
75 |
if |
81 |
to hash |
76 |
.Tn DES |
82 |
.Pq usually a password , |
77 |
and/or |
83 |
as a NUL-terminated string. The second is the |
78 |
.Tn Blowfish |
84 |
.Fa salt . |
79 |
is installed or not, and whether |
85 |
A salt is a random value that assists in complicating offline recovery. The length and format of the salt, and how it will be used is algorithm dependent. For best results, specify at least sixteen characters of salt. |
|
|
86 |
.Pp |
87 |
If the salt begins with the string |
88 |
.Qq $digit , |
89 |
then the |
90 |
.Sx Modular Crypt Format |
91 |
is used. If it begins with an underscore |
92 |
.Qq _ , |
93 |
then the |
94 |
.Sx DES Extended Format |
95 |
is used. If the salt is 2 or 13 characters and includes only 0-9, a-z, A-Z a dot . or a slash /, then |
96 |
.Sx Traditional DES Format |
97 |
is used. If none of these conditions are true, crypt will use the default hash function set by crypt_set_format, |
98 |
.Pq or Traditional DES Format if no default has been set, for systems with DES support . |
99 |
.Pp |
100 |
The |
101 |
.Fn crypt_makesalt |
102 |
function populates an |
103 |
.Fa output |
104 |
buffer with a newly generated salt for the specified valid |
105 |
.Fa format . |
106 |
The size of the pre-allocated buffer is passed via |
107 |
.Fa out_len . |
108 |
If the output buffer is too small, the required size is set in |
109 |
.Fa out_len . |
110 |
.Pp |
111 |
The |
112 |
.Fn crypt_get_format |
113 |
function returns a constant string that represents the name of the algorithm set as the default. Its use is deprecated. |
114 |
.Pp |
115 |
The |
80 |
.Fn crypt_set_format |
116 |
.Fn crypt_set_format |
81 |
has been called to change the default. |
117 |
function sets the default encoding |
82 |
.Pp |
118 |
.Fa format |
83 |
The first argument to |
119 |
according to the supplied string. Its use is deprecated. |
84 |
.Nm |
120 |
.Pp |
85 |
is the data to hash |
121 |
The salts, formats, and algorithms are outlined below. |
86 |
.Pq usually a password , |
122 |
|
87 |
in a |
123 |
.Sh Modular Crypt Format |
88 |
.Dv NUL Ns -terminated |
124 |
.Pp |
89 |
string. |
125 |
Modular Crypt Format is the current standard way to describe which algorithm and parameters to use for a particular crypt invocation. Salts that are prefixed with $digit are using the modular crypt format. The prefix selects the algorithm to use. Valid prefixes are: |
90 |
The second is the salt, in one of three forms: |
126 |
.Bl -column -offset indent ".Sy Prefix" ".Sy Algorithm" |
91 |
.Pp |
127 |
.It Sy Prefix Ta Sy Algorithm |
92 |
.Bl -tag -width Traditional -compact -offset indent |
128 |
.It Li $1$ Ta |
93 |
.It Extended |
129 |
.Sx md5-crypt |
94 |
If it begins with an underscore |
130 |
.It Li $2 Ta |
95 |
.Pq Dq _ |
131 |
.Sx bcrypt |
96 |
then the |
132 |
.It Li $3$ Ta |
97 |
.Tn DES |
133 |
.Sx NT-Hash |
98 |
Extended Format |
134 |
.It Li $5$ Ta |
99 |
is used in interpreting both the key and the salt, as outlined below. |
135 |
.Sx sha256-crypt |
100 |
.It Modular |
136 |
.It Li $6$ Ta |
101 |
If it begins with the string |
137 |
.Sx sha512-crypt |
102 |
.Dq $digit$ |
|
|
103 |
then the Modular Crypt Format is used, as outlined below. |
104 |
.It Traditional |
105 |
If neither of the above is true, it assumes the Traditional Format, |
106 |
using the entire string as the salt |
107 |
.Pq or the first portion . |
108 |
.El |
138 |
.El |
109 |
.Pp |
139 |
.Pp |
110 |
All routines are designed to be time-consuming. |
140 |
Everything following the prefix in the salt parameter is algorithm dependant, but includes things like work factor, and an actual salt |
111 |
.Ss DES Extended Format: |
141 |
.Pq random value for that particular invocation . |
112 |
The |
142 |
|
113 |
.Ar key |
143 |
.Ss md5-crypt |
114 |
is divided into groups of 8 characters |
144 |
.Bl -column ".Sy Output Hash Example:" ".Sy 8 characters from the set [a-zA-Z0-9./]" |
115 |
.Pq the last group is NUL-padded |
145 |
.It Li Format Strings: Ta $1$, md5 |
116 |
and the low-order 7 bits of each character |
146 |
.It Li Salt Format: Ta 8 characters from the set [a-zA-Z0-9./] |
117 |
.Pq 56 bits per group |
147 |
.It Li Full Salt Example: Ta $1$deadbeef$ |
118 |
are used to form the |
148 |
.It Li Output Hash Example: Ta $1$deadbeef$0Huu6KHrKLVWfqa4WljDE0 |
119 |
.Tn DES |
149 |
.El |
120 |
key as follows: |
|
|
121 |
the first group of 56 bits becomes the initial |
122 |
.Tn DES |
123 |
key. |
124 |
For each additional group, the XOR of the encryption of the current |
125 |
.Tn DES |
126 |
key with itself and the group bits becomes the next |
127 |
.Tn DES |
128 |
key. |
129 |
.Pp |
130 |
The salt is a 9-character array consisting of an underscore followed |
131 |
by 4 bytes of iteration count and 4 bytes of salt. |
132 |
These are encoded as printable characters, 6 bits per character, |
133 |
least significant character first. |
134 |
The values 0 to 63 are encoded as |
135 |
.Dq ./0-9A-Za-z . |
136 |
This allows 24 bits for both |
137 |
.Fa count |
138 |
and |
139 |
.Fa salt . |
140 |
.Pp |
150 |
.Pp |
141 |
The |
151 |
md5-crypt was the default crypt format in FreeBSD for many years, developed by Poul-Henning Kamp. |
142 |
.Fa salt |
|
|
143 |
introduces disorder in the |
144 |
.Tn DES |
145 |
algorithm in one of 16777216 or 4096 possible ways |
146 |
.Po |
147 |
i.e., with 24 or 12 bits: if bit |
148 |
.Em i |
149 |
of the |
150 |
.Ar salt |
151 |
is set, then bits |
152 |
.Em i |
153 |
and |
154 |
.Em i+24 |
155 |
are swapped in the |
156 |
.Tn DES |
157 |
E-box output |
158 |
.Pc . |
159 |
.Pp |
152 |
.Pp |
160 |
The |
153 |
It has seen widespread use in many commercial products, and for a long time was good enough. It has a fixed work factor, which means that as computers became faster, the ability to attack it has increased proportionally. |
161 |
.Tn DES |
154 |
.Pp |
162 |
key is used to encrypt a 64-bit constant using |
155 |
Its use is no longer recommended. |
163 |
.Ar count |
156 |
|
164 |
iterations of |
157 |
.Ss bcrypt |
165 |
.Tn DES . |
158 |
.Bl -column ".Sy Output Hash Example:" ".Sy $2a$05$CCCCCCCCCCCCCCCCCCCCC.VGOzA784oUp/Z0DY336zx7pLYAy0lwK" |
166 |
The value returned is a |
159 |
.It Li Format Strings: Ta $2$[rounds]$, $2a$[rounds]$, $2b$[rounds]$, blf |
167 |
.Dv NUL Ns -terminated |
160 |
.It Li Salt Format: Ta 16 bytes then base-64 encoded from the set [a-zA-Z0-9./] |
168 |
string, 20 or 13 bytes |
161 |
.It Li Full Salt Example: Ta $2a$05$CCCCCCCCCCCCCCCCCCCCC. |
169 |
.Pq plus NUL |
162 |
.It Li Output Hash Example: Ta $2a$05$CCCCCCCCCCCCCCCCCCCCC.VGOzA784oUp/Z0DY336zx7pLYAy0lwK |
170 |
in length, consisting of the |
|
|
171 |
.Ar salt |
172 |
followed by the encoded 64-bit encryption. |
173 |
.Ss Modular crypt: |
174 |
If the salt begins with the string |
175 |
.Fa $digit$ |
176 |
then the Modular Crypt Format is used. |
177 |
The |
178 |
.Fa digit |
179 |
represents which algorithm is used in encryption. |
180 |
Following the token is |
181 |
the actual salt to use in the encryption. |
182 |
The maximum length of the salt used depends upon the module. |
183 |
The salt must be terminated with the end of the string character |
184 |
.Pq NUL |
185 |
or a dollar sign. |
186 |
Any characters after the dollar sign are ignored. |
187 |
.Pp |
188 |
Currently supported algorithms are: |
189 |
.Pp |
190 |
.Bl -enum -compact -offset indent |
191 |
.It |
192 |
MD5 |
193 |
.It |
194 |
Blowfish |
195 |
.It |
196 |
NT-Hash |
197 |
.It |
198 |
(unused) |
199 |
.It |
200 |
SHA-256 |
201 |
.It |
202 |
SHA-512 |
203 |
.El |
163 |
.El |
204 |
.Pp |
164 |
.Pp |
205 |
Other crypt formats may be easily added. |
165 |
bcrypt is the first algorithm to support a tuneable work factor. It was initially introduced in OpenBSD, by Niels Provos, based on the Usenix paper "A Future-Adaptable Password Scheme" by Niels Provos and David Mazières. |
206 |
An example salt would be: |
166 |
.Pp |
207 |
.Bl -tag -width 6n -offset indent |
167 |
There are three variations supported, each with minor bug fixes. 2b is the recommended variation. |
208 |
.It Cm "$4$thesalt$rest" |
168 |
.Pp |
|
|
169 |
The work factor is specified by the rounds parameter in the format string. These rounds are logarithmic. That is, |
170 |
.Qq $2b$08$ |
171 |
will take approximately twice as long as |
172 |
.Qq $2b$07$ |
173 |
for the same salt and key. 04 is the lowest supported work factor, and 31 is the highest. |
174 |
.Pp |
175 |
When the format string |
176 |
.Qq blf |
177 |
is specified, it is equivalent to specifying |
178 |
.Qq $2b$04$ . |
179 |
|
180 |
.Ss NT-Hash |
181 |
.Bl -column ".Sy Output Hash Example:" ".Sy $3$sdlksjfdlksjdlfk" |
182 |
.It Li Format Strings: Ta $3$, nth |
183 |
.It Li Salt Format: Ta no salt |
184 |
.It Li Full Salt Example: Ta $3$ |
185 |
.It Li Output Hash Example: Ta $3$$cc0fb8a290eebbfe74e7207f2ace5927 |
209 |
.El |
186 |
.El |
210 |
.Ss Traditional crypt: |
|
|
211 |
The algorithm used will depend upon whether |
212 |
.Fn crypt_set_format |
213 |
has been called and whether a global default format has been specified. |
214 |
Unless a global default has been specified or |
215 |
.Fn crypt_set_format |
216 |
has set the format to something else, the built-in default format is |
217 |
used. |
218 |
This is currently |
219 |
.\" |
220 |
.\" NOTICE: Also make sure to update this |
221 |
.\" |
222 |
DES |
223 |
if it is available, or MD5 if not. |
224 |
.Pp |
187 |
.Pp |
225 |
How the salt is used will depend upon the algorithm for the hash. |
188 |
nt-hash is supported for compatibility reasons only. It is strongly discouraged for any production uses. |
226 |
For |
189 |
|
227 |
best results, specify at least eight characters of salt. |
190 |
.Ss sha256-crypt |
|
|
191 |
.Bl -column ".Sy Output Hash Example:" ".Sy $5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5, $5$rounds=10000$saltstringsaltst$3xv.VbSHBb41AL9AvLeujZkZRBAwqFMz2.opqey6IcA " |
192 |
.It Li Format Strings: Ta $5$, $5$rounds=[rounds]$, sha256 |
193 |
.It Li Salt Format: Ta 16 characters from the set [a-zA-Z0-9./] |
194 |
.It Li Full Salt Examples: Ta $5$saltstring$, $5$rounds=10000$saltstringsaltst$ |
195 |
.It Li Output Hash Examples: Ta $5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5, $5$rounds=10000$saltstringsaltst$3xv.VbSHBb41AL9AvLeujZkZRBAwqFMz2.opqey6IcA |
196 |
.El |
228 |
.Pp |
197 |
.Pp |
229 |
The |
198 |
sha256 supports a tunable work factor. It was developed by Ulrich Drepper of Red Hat, and is detailed in |
230 |
.Fn crypt_get_format |
199 |
.Qq Unix crypt using SHA-256 and SHA-512 . |
231 |
function returns a constant string that represents the name of the |
|
|
232 |
algorithm currently used. |
233 |
Valid values are |
234 |
.\" |
235 |
.\" NOTICE: Also make sure to update this, too, as well |
236 |
.\" |
237 |
.Ql des , |
238 |
.Ql blf , |
239 |
.Ql md5 , |
240 |
.Ql sha256 , |
241 |
.Ql sha512 |
242 |
and |
243 |
.Ql nth . |
244 |
.Pp |
200 |
.Pp |
245 |
The |
201 |
From that document: |
|
|
202 |
.Pp |
203 |
.Qo |
204 |
Security departments in companies are trying to phase out all uses of MD5. They demand a method which is officially sanctioned. For US-based users this means tested by the NIST. |
205 |
.Pp |
206 |
This rules out the use of another already implemented method with limited spread: the use of the Blowfish encryption method. The choice comes down to tested encryption |
207 |
.Pq 3DES, AES |
208 |
or hash sums |
209 |
.Pq the SHA family . |
210 |
.Qc |
211 |
.Pp |
212 |
The prepositions in the above statement are misleading. Blowfish as a primitive, like 3DES or AES, has stood up to years of scrutinty by the cryptographic communinty. bcrypt, the password hashing function, is ubiquitous. It also currently provides greater resilience against pipe-lined or GPU-based attacks for the approximate same CPU workload as the sha-crypt family, based on its limited memory requirements. This is not expected to remain true with future improvements to GPUs. An additional subtle difference between bcrypt and the sha families is that bcrypt's salt is 2^128 bits, while the sha family is 2^96 bits. |
213 |
.Pp |
214 |
If you require a algorithm that includes NIST sanctioned primitives, choose one of the sha-crypt methods. |
215 |
.Pp |
216 |
The work factor is specified by the rounds parameter in the format string. These rounds are linear. That is, |
217 |
.Qq $5$rounds=20000$ |
218 |
will take approximately twice as long as |
219 |
.Qq $5$rounds=10000$ |
220 |
for the same salt and key. 1000 is the minimum number of rounds, 999999999 is the maximum. |
221 |
.Pp |
222 |
When the format string |
223 |
.Qq sha256 , |
224 |
or |
225 |
.Qq $5$ |
226 |
is specified, it is equivalent to specifying |
227 |
.Qq $5$rounds=5000$ . |
228 |
|
229 |
|
230 |
.Ss sha512-crypt |
231 |
.Bl -column ".Sy Output Hash Example:" ".Sy $6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJuesI68u4OTLiBFdcbYEdFCoEOfaS35inz1, $6$rounds=10000$saltstringsaltst$OW1/O6BYHV6BcXZu8QVeXbDWra3Oeqh0sbHbbMCVNSnCM/UrjmM0Dp8vOuZeHBy/YTBmSK6H9qs/y3RnOaw5v." |
232 |
.It Li Format Strings: Ta $6$, $6$rounds=[rounds]$, sha512 |
233 |
.It Li Salt Format: Ta 16 characters from the set [a-zA-Z0-9./] |
234 |
.It Li Full Salt Examples: Ta $6$saltstring$, $6$rounds=10000$saltstringsaltst$ |
235 |
.It Li Output Hash Examples: Ta $6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJuesI68u4OTLiBFdcbYEdFCoEOfaS35inz1, $6$rounds=10000$saltstringsaltst$OW1/O6BYHV6BcXZu8QVeXbDWra3Oeqh0sbHbbMCVNSnCM/UrjmM0Dp8vOuZeHBy/YTBmSK6H9qs/y3RnOaw5v. |
236 |
.El |
237 |
sha512 is nearly equivalent to sha256, except that it uses SHA512 as a primitive. See Unix crypt using SHA-256 and SHA-512 for more details. |
238 |
|
239 |
The details provided in sha256 apply here as well. |
240 |
|
241 |
When the format string |
242 |
.Qq sha512 , |
243 |
or |
244 |
.Qq $6$ |
245 |
is specified, it is equivalent to specifying |
246 |
.Qq $6$rounds=5000$ . |
247 |
|
248 |
.Sh DES Extended Format: |
249 |
.Pp |
250 |
The key is divided into groups of 8 characters |
251 |
.Pq the last group is NUL-padded |
252 |
and the low-order 7 bits of each character |
253 |
.Pq 56 bits per group |
254 |
are used to form the DES key as follows: the first group of 56 bits becomes the initial DES key. For each additional group, the XOR of the encryption of the current DES key with itself and the group bits becomes the next DES key. |
255 |
.Pp |
256 |
The salt is a 9-character array consisting of an underscore followed by 4 bytes of iteration count and 4 bytes of salt. These are encoded as printable characters, 6 bits per character, least significant character first. The values 0 to 63 are encoded as |
257 |
.Qq ./0-9A-Za-z . |
258 |
This allows 24 bits for both count and salt. |
259 |
.Pp |
260 |
The salt introduces disorder in the DES algorithm in one of 16777216 or 4096 possible ways |
261 |
.Pq i.e., with 24 or 12 bits: if bit i of the salt is set, then bits i and i+24 are swapped in the DES E-box output . |
262 |
.Pp |
263 |
The DES key is used to encrypt a 64-bit constant using count iterations of DES. The value returned is a NUL-terminated string, 20 or 13 bytes |
264 |
.Pq plus NUL |
265 |
in length, consisting of the salt followed by the encoded 64-bit encryption. |
266 |
|
267 |
.Sh Traditional DES Format: |
268 |
.Pp |
269 |
The algorithm used will depend upon whether |
246 |
.Fn crypt_set_format |
270 |
.Fn crypt_set_format |
247 |
function sets the default encoding format according to the supplied |
271 |
has been called to set the global default. The built-in default format is used, if no default is set. This is currently |
248 |
.Fa string . |
272 |
.Qq des |
|
|
273 |
if it is available, or |
274 |
.Qq sha512 |
275 |
if not. |
276 |
|
249 |
.Sh RETURN VALUES |
277 |
.Sh RETURN VALUES |
250 |
The |
278 |
.Pp |
|
|
279 |
The |
251 |
.Fn crypt |
280 |
.Fn crypt |
252 |
function returns a pointer to the encrypted value on success, and NULL on |
281 |
function returns a pointer to the encrypted value on success, |
253 |
failure. |
282 |
and NULL on failure. Note: this is not a standard behaviour, AT&T |
254 |
Note: this is not a standard behaviour, AT&T |
|
|
255 |
.Fn crypt |
283 |
.Fn crypt |
256 |
will always return a pointer to a string. |
284 |
will always return a pointer to a string. |
257 |
.Pp |
285 |
.Pp |
258 |
The |
286 |
The |
|
|
287 |
.Fn crypt_makesalt |
288 |
function will return a 1 on success, or 0 on failure. It may fail in one of two |
289 |
ways. If |
290 |
.Fa out_len |
291 |
has changed, the |
292 |
.Fa output |
293 |
buffer was not large enough to store the salt. The required size will be stored |
294 |
in |
295 |
.Fa out_len . |
296 |
If |
297 |
.Fa out_len |
298 |
has not changed, then the |
299 |
.Fa format |
300 |
passed was invalid. |
301 |
.Pp |
302 |
The |
259 |
.Fn crypt_set_format |
303 |
.Fn crypt_set_format |
260 |
function will return 1 if the supplied encoding format was valid. |
304 |
function will return 1 if the supplied encoding format was valid. Otherwise, a value of 0 is returned. |
261 |
Otherwise, a value of 0 is returned. |
305 |
|
|
|
306 |
|
307 |
.Sh EXAMPLES |
308 |
.Bd -literal |
309 |
#include <stdio.h> |
310 |
#include <string.h> |
311 |
#include <pthread.h> |
312 |
|
313 |
#include <pwd.h> |
314 |
#include <unistd.h> |
315 |
|
316 |
#include <sys/param.h> |
317 |
|
318 |
int |
319 |
main() |
320 |
{ |
321 |
char *global_static_buffer; |
322 |
char final[_PASSWORD_LEN + 1]; |
323 |
char test[_PASSWORD_LEN + 1]; |
324 |
char salt[CRYPT_SALT_MAX_LEN + 1]; |
325 |
size_t salt_sz = sizeof(salt); |
326 |
|
327 |
int exit_code = 0; |
328 |
|
329 |
/* threaded implementations should use a mutex around crypt */ |
330 |
pthread_mutex_t mtx; |
331 |
if (pthread_mutex_init(&mtx, NULL) ) { |
332 |
exit_code = 1; |
333 |
goto exit1; |
334 |
} |
335 |
|
336 |
if (crypt_makesalt(salt, "$2b$08$", &salt_sz) ) { |
337 |
if ( salt_sz != sizeof(salt) ) { |
338 |
printf("Destination buffer too small for algorithm salt\\n"); |
339 |
exit_code = 2; |
340 |
goto exit; |
341 |
} |
342 |
|
343 |
printf("Invalid format specified\\n"); |
344 |
exit_code = 3; |
345 |
goto exit; |
346 |
} |
347 |
printf("crypt_makesalt result: %s\\n", salt); |
348 |
|
349 |
/* |
350 |
* Generate a crypt for storage |
351 |
*/ |
352 |
|
353 |
/* crypt buffer is global static */ |
354 |
pthread_mutex_lock(&mtx); |
355 |
global_static_buffer = crypt("you'll never guess me!", salt); |
356 |
strncpy(final, global_static_buffer, sizeof(final) ); |
357 |
pthread_mutex_unlock(&mtx); |
358 |
|
359 |
if (global_static_buffer == NULL) { |
360 |
printf("crypt failed\\n"); |
361 |
exit_code = 4; |
362 |
goto exit; |
363 |
} |
364 |
|
365 |
printf("crypt result: %s\\n", final); |
366 |
|
367 |
/* |
368 |
* Compare a string against a stored crypt |
369 |
*/ |
370 |
|
371 |
pthread_mutex_lock(&mtx); |
372 |
global_static_buffer = crypt("is this it?", final); |
373 |
strncpy(test, global_static_buffer, sizeof(test) ); |
374 |
pthread_mutex_unlock(&mtx); |
375 |
|
376 |
if (global_static_buffer == NULL) { |
377 |
printf("second crypt failed\\n"); |
378 |
exit_code = 5; |
379 |
goto exit; |
380 |
} |
381 |
|
382 |
printf("test result: %s\\n", test); |
383 |
|
384 |
/* a timing-safe string compare would be better */ |
385 |
if ( strncmp(test, final, MAX(sizeof(test), sizeof(final) ) ) == 0 ) { |
386 |
printf("The two buffers match.\\n"); |
387 |
} else { |
388 |
printf("The two buffers do not match.\\n"); |
389 |
} |
390 |
|
391 |
exit: |
392 |
pthread_mutex_destroy(&mtx); |
393 |
exit1: |
394 |
return exit_code; |
395 |
} |
396 |
.Ed |
262 |
.Sh SEE ALSO |
397 |
.Sh SEE ALSO |
263 |
.Xr login 1 , |
398 |
.Xr login 1 , |
264 |
.Xr passwd 1 , |
399 |
.Xr passwd 1 , |
265 |
.Xr getpass 3 , |
400 |
.Xr getpass 3 , |
266 |
.Xr passwd 5 |
401 |
.Xr login_getcapstr 3 , |
|
|
402 |
.Xr passwd 5 , |
403 |
|
267 |
.Sh HISTORY |
404 |
.Sh HISTORY |
268 |
A rotor-based |
405 |
.Pp |
|
|
406 |
A rotor-based |
269 |
.Fn crypt |
407 |
.Fn crypt |
270 |
function appeared in |
408 |
function appeared in Version 6 AT&T UNIX. The |
271 |
.At v6 . |
409 |
current style |
272 |
The current style |
|
|
273 |
.Fn crypt |
410 |
.Fn crypt |
274 |
first appeared in |
411 |
first appeared in Version 7 AT&T UNIX. |
275 |
.At v7 . |
|
|
276 |
.Pp |
412 |
.Pp |
277 |
The |
413 |
The DES section of the code |
278 |
.Tn DES |
414 |
.Pq FreeSec 1.0 |
279 |
section of the code (FreeSec 1.0) was developed outside the United |
415 |
was developed outside the |
280 |
States of America as an unencumbered replacement for the U.S.-only |
416 |
United States of America as an unencumbered replacement for the U.S.-only |
281 |
.Nx |
417 |
NetBSD libcrypt encryption library. |
282 |
libcrypt encryption library. |
418 |
|
283 |
.Sh AUTHORS |
419 |
.Sh AUTHORS |
284 |
.An -nosplit |
420 |
Originally written by David Burren |
285 |
Originally written by |
421 |
.Mt davidb@werj.com.au , |
286 |
.An David Burren Aq Mt davidb@werj.com.au , |
422 |
later additions and changes by Poul-Henning Kamp, Mark R V Murray, Michael |
287 |
later additions and changes by |
423 |
Bretterklieber, Kris Kennaway, Brian Feldman, Paul Herman, Niels Provos, and |
288 |
.An Poul-Henning Kamp , |
424 |
Derek Marcotte. |
289 |
.An Mark R V Murray , |
425 |
|
290 |
.An Michael Bretterklieber , |
|
|
291 |
.An Kris Kennaway , |
292 |
.An Brian Feldman , |
293 |
.An Paul Herman |
294 |
and |
295 |
.An Niels Provos . |
296 |
.Sh BUGS |
426 |
.Sh BUGS |
297 |
The |
427 |
The |
298 |
.Fn crypt |
428 |
.Fn crypt |
299 |
function returns a pointer to static data, and subsequent calls to |
429 |
function returns a pointer to static data, and subsequent |
|
|
430 |
calls to |
300 |
.Fn crypt |
431 |
.Fn crypt |
301 |
will modify the same data. |
432 |
will modify the same data. Likewise, |
302 |
Likewise, |
|
|
303 |
.Fn crypt_set_format |
433 |
.Fn crypt_set_format |
304 |
modifies static data. |
434 |
modifies static data. |
|
|
435 |
|
436 |
.Sh SECURITY CONSIDERATIONS |
437 |
The following algorithms are considered insecure, and are not recommended |
438 |
for new implementations: |
439 |
.Sx md5-crypt , |
440 |
.Sx DES Extended Format , |
441 |
.Sx Traditional DES Format , |
442 |
and |
443 |
.Sx NT-Hash . |
305 |
.Pp |
444 |
.Pp |
306 |
The NT-hash scheme does not use a salt, |
445 |
.Sx bcrypt |
307 |
and is not hard |
446 |
is preferred over |
308 |
for a competent attacker |
447 |
.Sx sha512-crypt , |
309 |
to break. |
448 |
or |
310 |
Its use is not recommended. |
449 |
.Sx sha256-crypt , |
|
|
450 |
because of |
451 |
its resiliance to pipelined, and GPU based attacks - unless having a |
452 |
NIST-approved algorithm is a requirement. |