1.\" $OpenBSD: crypt.3,v 1.24 2005/05/26 22:10:54 millert Exp $ 2.\" 3.\" FreeSec: libcrypt 4.\" 5.\" Copyright (c) 1994 David Burren 6.\" All rights reserved. 7.\" 8.\" Redistribution and use in source and binary forms, with or without 9.\" modification, are permitted provided that the following conditions 10.\" are met: 11.\" 1. Redistributions of source code must retain the above copyright 12.\" notice, this list of conditions and the following disclaimer. 13.\" 2. Redistributions in binary form must reproduce the above copyright 14.\" notice, this list of conditions and the following disclaimer in the 15.\" documentation and/or other materials provided with the distribution. 16.\" 4. Neither the name of the author nor the names of other contributors 17.\" may be used to endorse or promote products derived from this software 18.\" without specific prior written permission. 19.\" 20.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 21.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 24.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30.\" SUCH DAMAGE. 31.\" 32.\" Manual page, using -mandoc macros 33.\" 34.Dd March 9, 1994 35.Dt CRYPT 3 36.Os 37.Sh NAME 38.Nm crypt , 39.Nm setkey , 40.Nm encrypt , 41.Nm des_setkey , 42.Nm des_cipher 43.Nd DES encryption 44.Sh SYNOPSIS 45.Fd #include <pwd.h> 46.Fd #include <unistd.h> 47.Ft char * 48.Fn crypt "const char *key" "const char *setting" 49.Ft int 50.Fn setkey "const char *key" 51.Ft int 52.Fn encrypt "char *block" "int flag" 53.Ft int 54.Fn des_setkey "const char *key" 55.Ft int 56.Fn des_cipher "const char *in" "char *out" "int32_t salt" "int count" 57.Ft char * 58.Fn bcrypt_gensalt "u_int8_t log_rounds" 59.Ft char * 60.Fn bcrypt "const char *key" "const char *salt" 61.Ft char * 62.Fn md5crypt "const char *key" "const char *salt" 63.Sh DESCRIPTION 64The 65.Fn crypt 66function performs password encryption based on the 67.Tn NBS 68Data Encryption Standard (DES). 69Additional code has been added to deter key search attempts and to use 70stronger hashing algorithms. 71.Pp 72The first argument to 73.Fn crypt 74is a 75.Dv NUL Ns -terminated 76string, typically a user's typed password. 77The second is in one of three forms: 78if it begins with an underscore 79.Pq Ql _ 80then an extended format is used 81in interpreting both the key and the setting, as outlined below. 82If it begins 83with a string character 84.Pq Ql $ 85and a number then a different algorithm is used depending on the number. 86At the moment a 87.Ql $1 88chooses MD5 hashing and a 89.Ql $2 90chooses Blowfish hashing; see below for more information. 91.Ss Extended crypt 92The 93.Ar key 94is divided into groups of 8 characters (the last group is null-padded) 95and the low-order 7 bits of each character (56 bits per group) are 96used to form the DES key as follows: 97the first group of 56 bits becomes the initial DES key. 98For each additional group, the XOR of the encryption of the current DES 99key with itself and the group bits becomes the next DES key. 100.Pp 101The setting is a 9-character array consisting of an underscore followed 102by 4 bytes of iteration count and 4 bytes of salt. 103These are encoded as printable characters, 6 bits per character, 104least significant character first. 105The values 0 to 63 are encoded as 106.Dq \&./0-9A-Za-z . 107This allows 24 bits for both 108.Fa count 109and 110.Fa salt . 111.Ss "MD5" crypt 112For 113.Tn MD5 114crypt the version number, 115.Fa salt 116and the hashed password are separated by the 117.Ql $ 118character. 119The maximum length of a password is limited by 120the length counter of the MD5 context, which is about 1212**64. 122A valid MD5 password entry looks like this: 123.Pp 124.Dq $1$caeiHQwX$hsKqOjrFRRN6K32OWkCBf1 . 125.Pp 126The whole MD5 password string is passed as 127.Fa setting 128for interpretation. 129.Ss "Blowfish" crypt 130The 131.Tn Blowfish 132version of crypt has 128 bits of 133.Fa salt 134in order to make building dictionaries of common passwords space consuming. 135The initial state of the 136.Tn Blowfish 137cipher is expanded using the 138.Fa salt 139and the 140.Fa password 141repeating the process a variable number of rounds, which is encoded in 142the password string. 143The maximum password length is 72. 144The final Blowfish password entry is created by encrypting the string 145.Pp 146.Dq OrpheanBeholderScryDoubt 147.Pp 148with the 149.Tn Blowfish 150state 64 times. 151.Pp 152The version number, the logarithm of the number of rounds and 153the concatenation of salt and hashed password are separated by the 154.Ql $ 155character. 156An encoded 157.Sq 8 158would specify 256 rounds. 159A valid Blowfish password looks like this: 160.Pp 161.Dq $2a$12$eIAq8PR8sIUnJ1HaohxX2O9x9Qlm2vK97LJ5dsXdmB.eXF42qjchC . 162.Pp 163The whole Blowfish password string is passed as 164.Fa setting 165for interpretation. 166.Ss "Traditional" crypt 167The first 8 bytes of the key are null-padded, and the low-order 7 bits of 168each character is used to form the 56-bit 169.Tn DES 170key. 171.Pp 172The setting is a 2-character array of the ASCII-encoded salt. 173Thus only 12 bits of 174.Fa salt 175are used. 176.Fa count 177is set to 25. 178.Ss DES Algorithm 179The 180.Fa salt 181introduces disorder in the 182.Tn DES 183algorithm in one of 16777216 or 4096 possible ways 184(i.e., with 24 or 12 bits: if bit 185.Em i 186of the 187.Ar salt 188is set, then bits 189.Em i 190and 191.Em i+24 192are swapped in the 193.Tn DES 194E-box output). 195.Pp 196The DES key is used to encrypt a 64-bit constant using 197.Ar count 198iterations of 199.Tn DES . 200The value returned is a 201.Dv NUL Ns -terminated 202string, 20 or 13 bytes (plus NUL) in length, consisting of the 203.Ar setting 204followed by the encoded 64-bit encryption. 205.Pp 206The functions 207.Fn encrypt , 208.Fn setkey , 209.Fn des_setkey , 210and 211.Fn des_cipher 212provide access to the 213.Tn DES 214algorithm itself. 215.Fn setkey 216is passed a 64-byte array of binary values (numeric 0 or 1). 217A 56-bit key is extracted from this array by dividing the 218array into groups of 8, and ignoring the last bit in each group. 219That bit is reserved for a byte parity check by DES, but is ignored 220by these functions. 221.Pp 222The 223.Fa block 224argument to 225.Fn encrypt 226is also a 64-byte array of binary values. 227If the value of 228.Fa flag 229is 0, 230.Fa block 231is encrypted otherwise it is decrypted. 232The result is returned in the original array 233.Fa block 234after using the key specified by 235.Fn setkey 236to process it. 237.Pp 238The argument to 239.Fn des_setkey 240is a character array of length 8. 241The least significant bit (the parity bit) in each character is ignored, 242and the remaining bits are concatenated to form a 56-bit key. 243The function 244.Fn des_cipher 245encrypts (or decrypts if 246.Fa count 247is negative) the 64-bits stored in the 8 characters at 248.Fa in 249using 250.Xr abs 3 251of 252.Fa count 253iterations of 254.Tn DES 255and stores the 64-bit result in the 8 characters at 256.Fa out 257(which may be the same as 258.Fa in ) . 259The 260.Fa salt 261specifies perturbations to the 262.Tn DES 263E-box output as described above. 264.Pp 265The function 266.Fn crypt 267returns a pointer to the encrypted value on success, and 268.Dv NULL 269on failure. 270The functions 271.Fn setkey , 272.Fn encrypt , 273.Fn des_setkey , 274and 275.Fn des_cipher 276return 0 on success and 1 on failure. 277.Pp 278The 279.Fn crypt , 280.Fn setkey , 281and 282.Fn des_setkey 283functions all manipulate the same key space. 284.Sh SEE ALSO 285.Xr login 1 , 286.Xr passwd 1 , 287.Xr blowfish 3 , 288.Xr getpass 3 , 289.Xr md5 3 , 290.Xr passwd 5 291.Sh HISTORY 292A rotor-based 293.Fn crypt 294function appeared in 295.At v3 . 296The current style 297.Fn crypt 298first appeared in 299.At v7 . 300.Pp 301This library (FreeSec 1.0) was developed outside the United States of America 302as an unencumbered replacement for the U.S.-only libcrypt encryption 303library. 304Programs linked against the 305.Fn crypt 306interface may be exported from the U.S.A. only if they use 307.Fn crypt 308solely for authentication purposes and avoid use of 309the other programmer interfaces listed above. 310Special care has been taken 311in the library so that programs which only use the 312.Fn crypt 313interface do not pull in the other components. 314.Sh AUTHORS 315.An David Burren Aq davidb@werj.com.au 316.Sh BUGS 317The 318.Fn crypt 319function returns a pointer to static data, and subsequent calls to 320.Fn crypt 321will modify the same object. 322