From fd9e2f7245212f2b652652f4669648260e59f9e9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?John=20Ankarstr=C3=B6m?= Date: Sun, 19 Sep 2021 22:27:31 +0200 Subject: Add bcrypt --- crypt/crypt.3 | 575 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 575 insertions(+) create mode 100644 crypt/crypt.3 (limited to 'crypt/crypt.3') diff --git a/crypt/crypt.3 b/crypt/crypt.3 new file mode 100644 index 0000000..b4c0895 --- /dev/null +++ b/crypt/crypt.3 @@ -0,0 +1,575 @@ +.\" Written and revised by Solar Designer in 2000-2011. +.\" No copyright is claimed, and this man page is hereby placed in the public +.\" domain. In case this attempt to disclaim copyright and place the man page +.\" in the public domain is deemed null and void, then the man page is +.\" Copyright (c) 2000-2011 Solar Designer and it is hereby released to the +.\" general public under the following terms: +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted. +.\" +.\" There's ABSOLUTELY NO WARRANTY, express or implied. +.\" +.\" This manual page in its current form is intended for use on systems +.\" based on the GNU C Library with crypt_blowfish patched into libcrypt. +.\" +.TH CRYPT 3 "July 7, 2014" "Openwall Project" "Library functions" +.ad l +.\" No macros in NAME to keep makewhatis happy. +.SH NAME +\fBcrypt\fR, \fBcrypt_r\fR, \fBcrypt_rn\fR, \fBcrypt_ra\fR, +\fBcrypt_gensalt\fR, \fBcrypt_gensalt_rn\fR, \fBcrypt_gensalt_ra\fR +\- password hashing +.SH SYNOPSIS +.B #define _XOPEN_SOURCE +.br +.B #include +.sp +.in +8 +.ti -8 +.BI "char *crypt(const char *" key ", const char *" setting ); +.in -8 +.sp +.B #define _GNU_SOURCE +.br +.B #include +.sp +.in +8 +.ti -8 +.BI "char *crypt_r(const char *" key ", const char *" setting ", struct crypt_data *" data ); +.in -8 +.sp +.B #define _OW_SOURCE +.br +.B #include +.sp +.in +8 +.ti -8 +.BI "char *crypt_rn(const char *" key ", const char *" setting ", void *" data ", int " size ); +.ti -8 +.BI "char *crypt_ra(const char *" key ", const char *" setting ", void **" data ", int *" size ); +.ti -8 +.BI "char *crypt_gensalt(const char *" prefix ", unsigned long " count ", const char *" input ", int " size ); +.ti -8 +.BI "char *crypt_gensalt_rn(const char *" prefix ", unsigned long " count ", const char *" input ", int " size ", char *" output ", int " output_size ); +.ti -8 +.BI "char *crypt_gensalt_ra(const char *" prefix ", unsigned long " count ", const char *" input ", int " size ); +.ad b +.de crypt +.BR crypt , +.BR crypt_r , +.BR crypt_rn ", \\$1" +.ie "\\$2"" .B crypt_ra +.el .BR crypt_ra "\\$2" +.. +.de crypt_gensalt +.BR crypt_gensalt , +.BR crypt_gensalt_rn ", \\$1" +.ie "\\$2"" .B crypt_gensalt_ra +.el .BR crypt_gensalt_ra "\\$2" +.. +.SH DESCRIPTION +The +.crypt and +functions calculate a cryptographic hash function of +.I key +with one of a number of supported methods as requested with +.IR setting , +which is also used to pass a salt and possibly other parameters to +the chosen method. +The hashing methods are explained below. +.PP +Unlike +.BR crypt , +the functions +.BR crypt_r , +.BR crypt_rn " and" +.B crypt_ra +are reentrant. +They place their result and possibly their private data in a +.I data +area of +.I size +bytes as passed to them by an application and/or in memory they +allocate dynamically. Some hashing algorithms may use the data area to +cache precomputed intermediate values across calls. Thus, applications +must properly initialize the data area before its first use. +.B crypt_r +requires that only +.I data->initialized +be reset to zero; +.BR crypt_rn " and " crypt_ra +require that either the entire data area is zeroed or, in the case of +.BR crypt_ra , +.I *data +is NULL. When called with a NULL +.I *data +or insufficient +.I *size +for the requested hashing algorithm, +.B crypt_ra +uses +.BR realloc (3) +to allocate the required amount of memory dynamically. Thus, +.B crypt_ra +has the additional requirement that +.IR *data , +when non-NULL, must point to an area allocated either with a previous +call to +.B crypt_ra +or with a +.BR malloc (3) +family call. +The memory allocated by +.B crypt_ra +should be freed with +.BR free "(3)." +.PP +The +.crypt_gensalt and +functions compile a string for use as +.I setting +\- with the given +.I prefix +(used to choose a hashing method), the iteration +.I count +(if supported by the chosen method) and up to +.I size +cryptographically random +.I input +bytes for use as the actual salt. +If +.I count +is 0, a low default will be picked. +The random bytes may be obtained from +.BR /dev/urandom . +Unlike +.BR crypt_gensalt , +the functions +.BR crypt_gensalt_rn " and " crypt_gensalt_ra +are reentrant. +.B crypt_gensalt_rn +places its result in the +.I output +buffer of +.I output_size +bytes. +.B crypt_gensalt_ra +allocates memory for its result dynamically. The memory should be +freed with +.BR free "(3)." +.SH RETURN VALUE +Upon successful completion, the functions +.crypt and +return a pointer to a string containing the setting that was actually used +and a printable encoding of the hash function value. +The entire string is directly usable as +.I setting +with other calls to +.crypt and +and as +.I prefix +with calls to +.crypt_gensalt and . +.PP +The behavior of +.B crypt +on errors isn't well standardized. Some implementations simply can't fail +(unless the process dies, in which case they obviously can't return), +others return NULL or a fixed string. Most implementations don't set +.IR errno , +but some do. SUSv2 specifies only returning NULL and setting +.I errno +as a valid behavior, and defines only one possible error +.RB "(" ENOSYS , +"The functionality is not supported on this implementation.") +Unfortunately, most existing applications aren't prepared to handle +NULL returns from +.BR crypt . +The description below corresponds to this implementation of +.BR crypt " and " crypt_r +only, and to +.BR crypt_rn " and " crypt_ra . +The behavior may change to match standards, other implementations or +existing applications. +.PP +.BR crypt " and " crypt_r +may only fail (and return) when passed an invalid or unsupported +.IR setting , +in which case they return a pointer to a magic string that is +shorter than 13 characters and is guaranteed to differ from +.IR setting . +This behavior is safe for older applications which assume that +.B crypt +can't fail, when both setting new passwords and authenticating against +existing password hashes. +.BR crypt_rn " and " crypt_ra +return NULL to indicate failure. All four functions set +.I errno +when they fail. +.PP +The functions +.crypt_gensalt and +return a pointer to the compiled string for +.IR setting , +or NULL on error in which case +.I errno +is set. +.SH ERRORS +.TP +.B EINVAL +.crypt "" : +.I setting +is invalid or not supported by this implementation; +.sp +.crypt_gensalt "" : +.I prefix +is invalid or not supported by this implementation; +.I count +is invalid for the requested +.IR prefix ; +the input +.I size +is insufficient for the smallest valid salt with the requested +.IR prefix ; +.I input +is NULL. +.TP +.B ERANGE +.BR crypt_rn : +the provided data area +.I size +is insufficient for the requested hashing algorithm; +.sp +.BR crypt_gensalt_rn : +.I output_size +is too small to hold the compiled +.I setting +string. +.TP +.B ENOMEM +.B crypt +(original glibc only): +failed to allocate memory for the output buffer (which subsequent calls +would re-use); +.sp +.BR crypt_ra : +.I *data +is NULL or +.I *size +is insufficient for the requested hashing algorithm and +.BR realloc (3) +failed; +.sp +.BR crypt_gensalt_ra : +failed to allocate memory for the compiled +.I setting +string. +.TP +.B ENOSYS +.B crypt +(SUSv2): +the functionality is not supported on this implementation; +.sp +.BR crypt , +.B crypt_r +(glibc 2.0 to 2.0.1 only): +.de no-crypt-add-on +the crypt add-on is not compiled in and +.I setting +requests something other than the MD5-based algorithm. +.. +.no-crypt-add-on +.TP +.B EOPNOTSUPP +.BR crypt , +.B crypt_r +(glibc 2.0.2 to 2.1.3 only): +.no-crypt-add-on +.SH HASHING METHODS +The implemented hashing methods are intended specifically for processing +user passwords for storage and authentication; +they are at best inefficient for most other purposes. +.PP +It is important to understand that password hashing is not a replacement +for strong passwords. +It is always possible for an attacker with access to password hashes +to try guessing candidate passwords against the hashes. +There are, however, certain properties a password hashing method may have +which make these key search attacks somewhat harder. +.PP +All of the hashing methods use salts such that the same +.I key +may produce many possible hashes. +Proper use of salts may defeat a number of attacks, including: +.TP +1. +The ability to try candidate passwords against multiple hashes at the +price of one. +.TP +2. +The use of pre-hashed lists of candidate passwords. +.TP +3. +The ability to determine whether two users (or two accounts of one user) +have the same or different passwords without actually having to guess +one of the passwords. +.PP +The key search attacks depend on computing hashes of large numbers of +candidate passwords. +Thus, the computational cost of a good password hashing method must be +high \- but of course not too high to render it impractical. +.PP +All hashing methods implemented within the +.crypt and +interfaces use multiple iterations of an underlying cryptographic +primitive specifically in order to increase the cost of trying a +candidate password. +Unfortunately, due to hardware improvements, the hashing methods which +have a fixed cost become increasingly less secure over time. +.PP +In addition to salts, modern password hashing methods accept a variable +iteration +.IR count . +This makes it possible to adapt their cost to the hardware improvements +while still maintaining compatibility. +.PP +The following hashing methods are or may be implemented within the +described interfaces: +.PP +.de hash +.ad l +.TP +.I prefix +.ie "\\$1"" \{\ +"" (empty string); +.br +a string matching ^[./0-9A-Za-z]{2} (see +.BR regex (7)) +.\} +.el "\\$1" +.TP +.B Encoding syntax +\\$2 +.TP +.B Maximum password length +\\$3 (uses \\$4-bit characters) +.TP +.B Effective key size +.ie "\\$5"" limited by the hash size only +.el up to \\$5 bits +.TP +.B Hash size +\\$6 bits +.TP +.B Salt size +\\$7 bits +.TP +.B Iteration count +\\$8 +.ad b +.. +.ti -2 +.B Traditional DES-based +.br +This method is supported by almost all implementations of +.BR crypt . +Unfortunately, it no longer offers adequate security because of its many +limitations. +Thus, it should not be used for new passwords unless you absolutely have +to be able to migrate the password hashes to other systems. +.hash "" "[./0-9A-Za-z]{13}" 8 7 56 64 12 25 +.PP +.ti -2 +.B Extended BSDI-style DES-based +.br +This method is used on BSDI and is also available on at least NetBSD, +OpenBSD, and FreeBSD due to the use of David Burren's FreeSec library. +.hash _ "_[./0-9A-Za-z]{19}" unlimited 7 56 64 24 "1 to 2**24-1 (must be odd)" +.PP +.ti -2 +.B FreeBSD-style MD5-based +.br +This is Poul-Henning Kamp's MD5-based password hashing method originally +developed for FreeBSD. +It is currently supported on many free Unix-like systems, on Solaris 10 +and newer, and it is part of the official glibc. +Its main disadvantage is the fixed iteration count, which is already +too low for the currently available hardware. +.hash "$1$" "\e$1\e$[^$]{1,8}\e$[./0-9A-Za-z]{22}" unlimited 8 "" 128 "6 to 48" 1000 +.PP +.ti -2 +.BR "OpenBSD-style Blowfish-based" " (" bcrypt ) +.br +.B bcrypt +was originally developed by Niels Provos and David Mazieres for OpenBSD +and is also supported on recent versions of FreeBSD and NetBSD, +on Solaris 10 and newer, and on several GNU/*/Linux distributions. +It is, however, not part of the official glibc. +.PP +While both +.B bcrypt +and the BSDI-style DES-based hashing offer a variable iteration count, +.B bcrypt +may scale to even faster hardware, doesn't allow for certain optimizations +specific to password cracking only, doesn't have the effective key size +limitation, and uses 8-bit characters in passwords. +.hash "$2b$" "\e$2[abxy]\e$[0-9]{2}\e$[./A-Za-z0-9]{53}" 72 8 "" 184 128 "2**4 to 2**99 (current implementations are limited to 2**31 iterations)" +.PP +With +.BR bcrypt , +the +.I count +passed to +.crypt_gensalt and +is the base-2 logarithm of the actual iteration count. +.PP +.B bcrypt +hashes used the "$2a$" prefix since 1997. +However, in 2011 an implementation bug was discovered in crypt_blowfish +(versions up to 1.0.4 inclusive) affecting handling of password characters with +the 8th bit set. +Besides fixing the bug, +to provide for upgrade strategies for existing systems, two new prefixes were +introduced: "$2x$", which fully re-introduces the bug, and "$2y$", which +guarantees correct handling of both 7- and 8-bit characters. +OpenBSD 5.5 introduced the "$2b$" prefix for behavior that exactly matches +crypt_blowfish's "$2y$", and current crypt_blowfish supports it as well. +Unfortunately, the behavior of "$2a$" on password characters with the 8th bit +set has to be considered system-specific. +When generating new password hashes, the "$2b$" or "$2y$" prefix should be used. +(If such hashes ever need to be migrated to a system that does not yet support +these new prefixes, the prefix in migrated copies of the already-generated +hashes may be changed to "$2a$".) +.PP +.crypt_gensalt and +support the "$2b$", "$2y$", and "$2a$" prefixes (the latter for legacy programs +or configurations), but not "$2x$" (which must not be used for new hashes). +.crypt and +support all four of these prefixes. +.SH PORTABILITY NOTES +Programs using any of these functions on a glibc 2.x system must be +linked against +.BR libcrypt . +However, many Unix-like operating systems and older versions of the +GNU C Library include the +.BR crypt " function in " libc . +.PP +The +.BR crypt_r , +.BR crypt_rn , +.BR crypt_ra , +.crypt_gensalt and +functions are very non-portable. +.PP +The set of supported hashing methods is implementation-dependent. +.SH CONFORMING TO +The +.B crypt +function conforms to SVID, X/OPEN, and is available on BSD 4.3. +The strings returned by +.B crypt +are not required to be portable among conformant systems. +.PP +.B crypt_r +is a GNU extension. +There's also a +.B crypt_r +function on HP-UX and MKS Toolkit, but the prototypes and semantics differ. +.PP +.B crypt_gensalt +is an Openwall extension. +There's also a +.B crypt_gensalt +function on Solaris 10 and newer, but the prototypes and semantics differ. +.PP +.BR crypt_rn , +.BR crypt_ra , +.BR crypt_gensalt_rn , +and +.B crypt_gensalt_ra +are Openwall extensions. +.SH HISTORY +A rotor-based +.B crypt +function appeared in Version 6 AT&T UNIX. +The "traditional" +.B crypt +first appeared in Version 7 AT&T UNIX. +.PP +The +.B crypt_r +function was introduced during glibc 2.0 development. +.SH BUGS +The return values of +.BR crypt " and " crypt_gensalt +point to static buffers that are overwritten by subsequent calls. +These functions are not thread-safe. +.RB ( crypt +on recent versions of Solaris uses thread-specific data and actually is +thread-safe.) +.PP +The strings returned by certain other implementations of +.B crypt +on error may be stored in read-only locations or only initialized once, +which makes it unsafe to always attempt to zero out the buffer normally +pointed to by the +.B crypt +return value as it would otherwise be preferable for security reasons. +The problem could be avoided with the use of +.BR crypt_r , +.BR crypt_rn , +or +.B crypt_ra +where the application has full control over output buffers of these functions +(and often over some of their private data as well). +Unfortunately, the functions aren't (yet?) available on platforms where +.B crypt +has this undesired property. +.PP +Applications using the thread-safe +.B crypt_r +need to allocate address space for the large (over 128 KB) +.I struct crypt_data +structure. Each thread needs a separate instance of the structure. The +.B crypt_r +interface makes it impossible to implement a hashing algorithm which +would need to keep an even larger amount of private data, without breaking +binary compatibility. +.B crypt_ra +allows for dynamically increasing the allocation size as required by the +hashing algorithm that is actually used. Unfortunately, +.B crypt_ra +is even more non-portable than +.BR crypt_r . +.PP +Multi-threaded applications or library functions which are meant to be +thread-safe should use +.BR crypt_gensalt_rn " or " crypt_gensalt_ra +rather than +.BR crypt_gensalt . +.SH SEE ALSO +.BR login (1), +.BR passwd (1), +.BR crypto (3), +.BR encrypt (3), +.BR free (3), +.BR getpass (3), +.BR getpwent (3), +.BR malloc (3), +.BR realloc (3), +.BR shadow (3), +.BR passwd (5), +.BR shadow (5), +.BR regex (7), +.BR pam (8) +.sp +Niels Provos and David Mazieres. A Future-Adaptable Password Scheme. +Proceedings of the 1999 USENIX Annual Technical Conference, June 1999. +.br +http://www.usenix.org/events/usenix99/provos.html +.sp +Robert Morris and Ken Thompson. Password Security: A Case History. +Unix Seventh Edition Manual, Volume 2, April 1978. +.br +http://plan9.bell-labs.com/7thEdMan/vol2/password -- cgit v1.2.3