|
|
.\" $OpenBSD: crypt.3,v 1.45 2015/04/06 20:49:41 tedu Exp $
|
|
|
.\"
|
|
|
.\" FreeSec: libcrypt
|
|
|
.\"
|
|
|
.\" Copyright (c) 1994 David Burren
|
|
|
.\" All rights reserved.
|
|
|
.\"
|
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
|
.\" modification, are permitted provided that the following conditions
|
|
|
.\" are met:
|
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
|
.\" 4. Neither the name of the author nor the names of other contributors
|
|
|
.\" may be used to endorse or promote products derived from this software
|
|
|
.\" without specific prior written permission.
|
|
|
.\"
|
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
|
.\" SUCH DAMAGE.
|
|
|
.\"
|
|
|
.\" Manual page, using -mandoc macros
|
|
|
.\"
|
|
|
.Dd $Mdocdate: April 6 2015 $
|
|
|
.Dt CRYPT 3
|
|
|
.Os
|
|
|
.Sh NAME
|
|
|
.Nm crypt ,
|
|
|
.Nm bcrypt_gensalt ,
|
|
|
.Nm bcrypt
|
|
|
.Nd password hashing
|
|
|
.Sh SYNOPSIS
|
|
|
.In stdlib.h
|
|
|
.Pp
|
|
|
.In unistd.h
|
|
|
.Ft char *
|
|
|
.Fn crypt "const char *key" "const char *setting"
|
|
|
.In pwd.h
|
|
|
.Ft char *
|
|
|
.Fn bcrypt_gensalt "u_int8_t log_rounds"
|
|
|
.Ft char *
|
|
|
.Fn bcrypt "const char *key" "const char *salt"
|
|
|
.Sh DESCRIPTION
|
|
|
These functions are deprecated in favor of
|
|
|
.Xr crypt_checkpass 3
|
|
|
and
|
|
|
.Xr crypt_newhash 3 .
|
|
|
.Pp
|
|
|
The
|
|
|
.Fn crypt
|
|
|
function performs password hashing.
|
|
|
Additional code has been added to deter key search attempts and to use
|
|
|
stronger hashing algorithms.
|
|
|
.Pp
|
|
|
The first argument to
|
|
|
.Fn crypt
|
|
|
is a NUL-terminated
|
|
|
string
|
|
|
.Fa key ,
|
|
|
typically a user's typed password.
|
|
|
The second,
|
|
|
.Fa setting ,
|
|
|
currently supports a single form.
|
|
|
If it begins
|
|
|
with a string character
|
|
|
.Pq Ql $
|
|
|
and a number then a different algorithm is used depending on the number.
|
|
|
At the moment
|
|
|
.Ql $2
|
|
|
chooses Blowfish hashing; see below for more information.
|
|
|
.Ss Blowfish crypt
|
|
|
The Blowfish version of crypt has 128 bits of
|
|
|
.Fa salt
|
|
|
in order to make building dictionaries of common passwords space consuming.
|
|
|
The initial state of the
|
|
|
Blowfish cipher is expanded using the
|
|
|
.Fa salt
|
|
|
and the
|
|
|
.Fa password
|
|
|
repeating the process a variable number of rounds, which is encoded in
|
|
|
the password string.
|
|
|
The maximum password length is 72.
|
|
|
The final Blowfish password entry is created by encrypting the string
|
|
|
.Pp
|
|
|
.Dq OrpheanBeholderScryDoubt
|
|
|
.Pp
|
|
|
with the Blowfish state 64 times.
|
|
|
.Pp
|
|
|
The version number, the logarithm of the number of rounds and
|
|
|
the concatenation of salt and hashed password are separated by the
|
|
|
.Ql $
|
|
|
character.
|
|
|
An encoded
|
|
|
.Sq 8
|
|
|
would specify 256 rounds.
|
|
|
A valid Blowfish password looks like this:
|
|
|
.Pp
|
|
|
.Dq $2b$12$FPWWO2RJ3CK4FINTw0Hi8OiPKJcX653gzSS.jqltHFMxyDmmQ0Hqq .
|
|
|
.Pp
|
|
|
The whole Blowfish password string is passed as
|
|
|
.Fa setting
|
|
|
for interpretation.
|
|
|
.Sh RETURN VALUES
|
|
|
The function
|
|
|
.Fn crypt
|
|
|
returns a pointer to the encrypted value on success, and
|
|
|
.Dv NULL
|
|
|
on failure.
|
|
|
.Sh SEE ALSO
|
|
|
.Xr encrypt 1 ,
|
|
|
.Xr login 1 ,
|
|
|
.Xr passwd 1 ,
|
|
|
.Xr blowfish 3 ,
|
|
|
.Xr crypt_checkpass 3 ,
|
|
|
.Xr getpass 3 ,
|
|
|
.Xr passwd 5
|
|
|
.Sh HISTORY
|
|
|
A rotor-based
|
|
|
.Fn crypt
|
|
|
function appeared in
|
|
|
.At v3 .
|
|
|
A DES-based
|
|
|
.Fn crypt
|
|
|
first appeared in
|
|
|
.At v7 .
|
|
|
.Fn bcrypt
|
|
|
first appeared in
|
|
|
.Ox 2.1 .
|
|
|
.Sh BUGS
|
|
|
The
|
|
|
.Fn crypt
|
|
|
function returns a pointer to static data, and subsequent calls to
|
|
|
.Fn crypt
|
|
|
will modify the same object.
|