1 @c This node must have no pointers.
2 @node Cryptographic Functions
3 @c @node Cryptographic Functions, Debugging Support, System Configuration, Top
4 @chapter DES Encryption and Password Handling
5 @c %MENU% DES encryption and password handling
7 On many systems, it is unnecessary to have any kind of user
8 authentication; for instance, a workstation which is not connected to a
9 network probably does not need any user authentication, because to use
10 the machine an intruder must have physical access.
12 Sometimes, however, it is necessary to be sure that a user is authorized
13 to use some service a machine provides---for instance, to log in as a
14 particular user id (@pxref{Users and Groups}). One traditional way of
15 doing this is for each user to choose a secret @dfn{password}; then, the
16 system can ask someone claiming to be a user what the user's password
17 is, and if the person gives the correct password then the system can
18 grant the appropriate privileges.
20 If all the passwords are just stored in a file somewhere, then this file
21 has to be very carefully protected. To avoid this, passwords are run
22 through a @dfn{one-way function}, a function which makes it difficult to
23 work out what its input was by looking at its output, before storing in
26 @Theglibc{} provides a one-way function that is compatible with
27 the behavior of the @code{crypt} function introduced in FreeBSD 2.0.
28 It supports two one-way algorithms: one based on the MD5
29 message-digest algorithm that is compatible with modern BSD systems,
30 and the other based on the Data Encryption Standard (DES) that is
31 compatible with Unix systems.
35 It also provides support for Secure RPC, and some library functions that
36 can be used to perform normal DES encryption. The @code{AUTH_DES}
37 authentication flavor in Secure RPC, as provided by @theglibc{},
38 uses DES and does not comply with FIPS 140-2 nor does any other use of DES
39 within @theglibc{}. It is recommended that Secure RPC should not be used
40 for systems that need to comply with FIPS 140-2 since all flavors of
41 encrypted authentication use normal DES.
44 * Legal Problems:: This software can get you locked up, or worse.
45 * getpass:: Prompting the user for a password.
46 * crypt:: A one-way function for passwords.
47 * DES Encryption:: Routines for DES encryption.
48 * Unpredictable Bytes:: Randomness for cryptography purposes.
52 @section Legal Problems
54 Because of the continuously changing state of the law, it's not possible
55 to provide a definitive survey of the laws affecting cryptography.
56 Instead, this section warns you of some of the known trouble spots; this
57 may help you when you try to find out what the laws of your country are.
59 Some countries require that you have a license to use, possess, or import
60 cryptography. These countries are believed to include Byelorussia,
61 Burma, India, Indonesia, Israel, Kazakhstan, Pakistan, Russia, and Saudi
64 Some countries restrict the transmission of encrypted messages by radio;
65 some telecommunications carriers restrict the transmission of encrypted
66 messages over their network.
68 Many countries have some form of export control for encryption software.
69 The Wassenaar Arrangement is a multilateral agreement between 33
70 countries (Argentina, Australia, Austria, Belgium, Bulgaria, Canada, the
71 Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary,
72 Ireland, Italy, Japan, Luxembourg, the Netherlands, New Zealand, Norway,
73 Poland, Portugal, the Republic of Korea, Romania, the Russian
74 Federation, the Slovak Republic, Spain, Sweden, Switzerland, Turkey,
75 Ukraine, the United Kingdom and the United States) which restricts some
76 kinds of encryption exports. Different countries apply the arrangement
77 in different ways; some do not allow the exception for certain kinds of
78 ``public domain'' software (which would include this library), some
79 only restrict the export of software in tangible form, and others impose
80 significant additional restrictions.
82 The United States has additional rules. This software would generally
83 be exportable under 15 CFR 740.13(e), which permits exports of
84 ``encryption source code'' which is ``publicly available'' and which is
85 ``not subject to an express agreement for the payment of a licensing fee or
86 royalty for commercial production or sale of any product developed with
87 the source code'' to most countries.
89 The rules in this area are continuously changing. If you know of any
90 information in this manual that is out-of-date, please report it to
91 the bug database. @xref{Reporting Bugs}.
94 @section Reading Passwords
96 When reading in a password, it is desirable to avoid displaying it on
97 the screen, to help keep it secret. The following function handles this
102 @deftypefun {char *} getpass (const char *@var{prompt})
103 @safety{@prelim{}@mtunsafe{@mtasuterm{}}@asunsafe{@ascuheap{} @asulock{} @asucorrupt{}}@acunsafe{@acuterm{} @aculock{} @acucorrupt{}}}
104 @c This function will attempt to create a stream for terminal I/O, but
105 @c will fallback to stdio/stderr. It attempts to change the terminal
106 @c mode in a thread-unsafe way, write out the prompt, read the password,
107 @c then restore the terminal mode. It has a cleanup to close the stream
108 @c in case of (synchronous) cancellation, but not to restore the
111 @code{getpass} outputs @var{prompt}, then reads a string in from the
112 terminal without echoing it. It tries to connect to the real terminal,
113 @file{/dev/tty}, if possible, to encourage users not to put plaintext
114 passwords in files; otherwise, it uses @code{stdin} and @code{stderr}.
115 @code{getpass} also disables the INTR, QUIT, and SUSP characters on the
116 terminal using the @code{ISIG} terminal attribute (@pxref{Local Modes}).
117 The terminal is flushed before and after @code{getpass}, so that
118 characters of a mistyped password are not accidentally visible.
120 In other C libraries, @code{getpass} may only return the first
121 @code{PASS_MAX} bytes of a password. @Theglibc{} has no limit, so
122 @code{PASS_MAX} is undefined.
124 The prototype for this function is in @file{unistd.h}. @code{PASS_MAX}
125 would be defined in @file{limits.h}.
128 This precise set of operations may not suit all possible situations. In
129 this case, it is recommended that users write their own @code{getpass}
130 substitute. For instance, a very simple substitute is as follows:
133 @include mygetpass.c.texi
136 The substitute takes the same parameters as @code{getline}
137 (@pxref{Line Input}); the user must print any prompt desired.
140 @section Encrypting Passwords
144 @deftypefun {char *} crypt (const char *@var{key}, const char *@var{salt})
145 @safety{@prelim{}@mtunsafe{@mtasurace{:crypt}}@asunsafe{@asucorrupt{} @asulock{} @ascuheap{} @ascudlopen{}}@acunsafe{@aculock{} @acsmem{}}}
146 @c Besides the obvious problem of returning a pointer into static
147 @c storage, the DES initializer takes an internal lock with the usual
148 @c set of problems for AS- and AC-Safety. The FIPS mode checker and the
149 @c NSS implementations of may leak file descriptors if canceled. The
150 @c The MD5, SHA256 and SHA512 implementations will malloc on long keys,
151 @c and NSS relies on dlopening, which brings about another can of worms.
153 The @code{crypt} function takes a password, @var{key}, as a string, and
154 a @var{salt} character array which is described below, and returns a
155 printable ASCII string which starts with another salt. It is believed
156 that, given the output of the function, the best way to find a @var{key}
157 that will produce that output is to guess values of @var{key} until the
158 original value of @var{key} is found.
160 The @var{salt} parameter does two things. Firstly, it selects which
161 algorithm is used, the MD5-based one or the DES-based one. Secondly, it
162 makes life harder for someone trying to guess passwords against a file
163 containing many passwords; without a @var{salt}, an intruder can make a
164 guess, run @code{crypt} on it once, and compare the result with all the
165 passwords. With a @var{salt}, the intruder must run @code{crypt} once
166 for each different salt.
168 For the MD5-based algorithm, the @var{salt} should consist of the string
169 @code{$1$}, followed by up to 8 characters, terminated by either
170 another @code{$} or the end of the string. The result of @code{crypt}
171 will be the @var{salt}, followed by a @code{$} if the salt didn't end
172 with one, followed by 22 characters from the alphabet
173 @code{./0-9A-Za-z}, up to 34 characters total. Every character in the
174 @var{key} is significant.
176 For the DES-based algorithm, the @var{salt} should consist of two
177 characters from the alphabet @code{./0-9A-Za-z}, and the result of
178 @code{crypt} will be those two characters followed by 11 more from the
179 same alphabet, 13 in total. Only the first 8 characters in the
180 @var{key} are significant.
182 The MD5-based algorithm has no limit on the useful length of the
183 password used, and is slightly more secure. It is therefore preferred
184 over the DES-based algorithm.
186 When the user enters their password for the first time, the @var{salt}
187 should be set to a new string which is reasonably random. To verify a
188 password against the result of a previous call to @code{crypt}, pass
189 the result of the previous call as the @var{salt}.
192 The following short program is an example of how to use @code{crypt} the
193 first time a password is entered. Note that the @var{salt} generation
194 is just barely acceptable; in particular, it is not unique between
195 machines, and in many applications it would not be acceptable to let an
196 attacker know what time the user's password was last set.
199 @include genpass.c.texi
202 The next program shows how to verify a password. It prompts the user
203 for a password and prints ``Access granted.'' if the user types
204 @code{GNU libc manual}.
207 @include testpass.c.texi
212 @deftypefun {char *} crypt_r (const char *@var{key}, const char *@var{salt}, {struct crypt_data *} @var{data})
213 @safety{@prelim{}@mtsafe{}@asunsafe{@asucorrupt{} @asulock{} @ascuheap{} @ascudlopen{}}@acunsafe{@aculock{} @acsmem{}}}
214 @c Compared with crypt, this function fixes the @mtasurace:crypt
215 @c problem, but nothing else.
217 The @code{crypt_r} function does the same thing as @code{crypt}, but
218 takes an extra parameter which includes space for its result (among
219 other things), so it can be reentrant. @code{data@w{->}initialized} must be
220 cleared to zero before the first time @code{crypt_r} is called.
222 The @code{crypt_r} function is a GNU extension.
225 The @code{crypt} and @code{crypt_r} functions are prototyped in the
226 header @file{crypt.h}.
229 @section DES Encryption
232 The Data Encryption Standard is described in the US Government Federal
233 Information Processing Standards (FIPS) 46-3 published by the National
234 Institute of Standards and Technology. The DES has been very thoroughly
235 analyzed since it was developed in the late 1970s, and no new
236 significant flaws have been found.
238 However, the DES uses only a 56-bit key (plus 8 parity bits), and a
239 machine has been built in 1998 which can search through all possible
240 keys in about 6 days, which cost about US$200000; faster searches would
241 be possible with more money. This makes simple DES insecure for most
242 purposes, and NIST no longer permits new US government systems
245 For serious encryption functionality, it is recommended that one of the
246 many free encryption libraries be used instead of these routines.
248 The DES is a reversible operation which takes a 64-bit block and a
249 64-bit key, and produces another 64-bit block. Usually the bits are
250 numbered so that the most-significant bit, the first bit, of each block
253 Under that numbering, every 8th bit of the key (the 8th, 16th, and so
254 on) is not used by the encryption algorithm itself. But the key must
255 have odd parity; that is, out of bits 1 through 8, and 9 through 16, and
256 so on, there must be an odd number of `1' bits, and this completely
257 specifies the unused bits.
261 @deftypefun void setkey (const char *@var{key})
262 @safety{@prelim{}@mtunsafe{@mtasurace{:crypt}}@asunsafe{@asucorrupt{} @asulock{}}@acunsafe{@aculock{}}}
263 @c The static buffer stores the key, making it fundamentally
264 @c thread-unsafe. The locking issues are only in the initialization
265 @c path; cancelling the initialization will leave the lock held, it
266 @c would otherwise repeat the initialization on the next call.
268 The @code{setkey} function sets an internal data structure to be an
269 expanded form of @var{key}. @var{key} is specified as an array of 64
270 bits each stored in a @code{char}, the first bit is @code{key[0]} and
271 the 64th bit is @code{key[63]}. The @var{key} should have the correct
277 @deftypefun void encrypt (char *@var{block}, int @var{edflag})
278 @safety{@prelim{}@mtunsafe{@mtasurace{:crypt}}@asunsafe{@asucorrupt{} @asulock{}}@acunsafe{@aculock{}}}
279 @c Same issues as setkey.
281 The @code{encrypt} function encrypts @var{block} if
282 @var{edflag} is 0, otherwise it decrypts @var{block}, using a key
283 previously set by @code{setkey}. The result is
284 placed in @var{block}.
286 Like @code{setkey}, @var{block} is specified as an array of 64 bits each
287 stored in a @code{char}, but there are no parity bits in @var{block}.
292 @deftypefun void setkey_r (const char *@var{key}, {struct crypt_data *} @var{data})
293 @c @safety{@prelim{}@mtsafe{}@asunsafe{@asucorrupt{} @asulock{}}@acunsafe{@aculock{}}}
296 @deftypefunx void encrypt_r (char *@var{block}, int @var{edflag}, {struct crypt_data *} @var{data})
297 @safety{@prelim{}@mtsafe{}@asunsafe{@asucorrupt{} @asulock{}}@acunsafe{@aculock{}}}
299 These are reentrant versions of @code{setkey} and @code{encrypt}. The
300 only difference is the extra parameter, which stores the expanded
301 version of @var{key}. Before calling @code{setkey_r} the first time,
302 @code{data->initialized} must be cleared to zero.
305 The @code{setkey_r} and @code{encrypt_r} functions are GNU extensions.
306 @code{setkey}, @code{encrypt}, @code{setkey_r}, and @code{encrypt_r} are
307 defined in @file{crypt.h}.
309 @comment rpc/des_crypt.h
311 @deftypefun int ecb_crypt (char *@var{key}, char *@var{blocks}, unsigned int @var{len}, unsigned int @var{mode})
312 @safety{@prelim{}@mtsafe{}@assafe{}@acsafe{}}
314 The function @code{ecb_crypt} encrypts or decrypts one or more blocks
315 using DES. Each block is encrypted independently.
317 The @var{blocks} and the @var{key} are stored packed in 8-bit bytes, so
318 that the first bit of the key is the most-significant bit of
319 @code{key[0]} and the 63rd bit of the key is stored as the
320 least-significant bit of @code{key[7]}. The @var{key} should have the
323 @var{len} is the number of bytes in @var{blocks}. It should be a
324 multiple of 8 (so that there are a whole number of blocks to encrypt).
325 @var{len} is limited to a maximum of @code{DES_MAXDATA} bytes.
327 The result of the encryption replaces the input in @var{blocks}.
329 The @var{mode} parameter is the bitwise OR of two of the following:
332 @comment rpc/des_crypt.h
335 This constant, used in the @var{mode} parameter, specifies that
336 @var{blocks} is to be encrypted.
338 @comment rpc/des_crypt.h
341 This constant, used in the @var{mode} parameter, specifies that
342 @var{blocks} is to be decrypted.
344 @comment rpc/des_crypt.h
347 This constant, used in the @var{mode} parameter, asks to use a hardware
348 device. If no hardware device is available, encryption happens anyway,
351 @comment rpc/des_crypt.h
354 This constant, used in the @var{mode} parameter, specifies that no
355 hardware device is to be used.
358 The result of the function will be one of these values:
361 @comment rpc/des_crypt.h
364 The encryption succeeded.
366 @comment rpc/des_crypt.h
368 @item DESERR_NOHWDEVICE
369 The encryption succeeded, but there was no hardware device available.
371 @comment rpc/des_crypt.h
374 The encryption failed because of a hardware problem.
376 @comment rpc/des_crypt.h
378 @item DESERR_BADPARAM
379 The encryption failed because of a bad parameter, for instance @var{len}
380 is not a multiple of 8 or @var{len} is larger than @code{DES_MAXDATA}.
384 @comment rpc/des_crypt.h
386 @deftypefun int DES_FAILED (int @var{err})
387 @safety{@prelim{}@mtsafe{}@assafe{}@acsafe{}}
388 This macro returns 1 if @var{err} is a `success' result code from
389 @code{ecb_crypt} or @code{cbc_crypt}, and 0 otherwise.
392 @comment rpc/des_crypt.h
394 @deftypefun int cbc_crypt (char *@var{key}, char *@var{blocks}, unsigned int @var{len}, unsigned int @var{mode}, char *@var{ivec})
395 @safety{@prelim{}@mtsafe{}@assafe{}@acsafe{}}
397 The function @code{cbc_crypt} encrypts or decrypts one or more blocks
398 using DES in Cipher Block Chaining mode.
400 For encryption in CBC mode, each block is exclusive-ored with @var{ivec}
401 before being encrypted, then @var{ivec} is replaced with the result of
402 the encryption, then the next block is processed. Decryption is the
403 reverse of this process.
405 This has the advantage that blocks which are the same before being
406 encrypted are very unlikely to be the same after being encrypted, making
407 it much harder to detect patterns in the data.
409 Usually, @var{ivec} is set to 8 random bytes before encryption starts.
410 Then the 8 random bytes are transmitted along with the encrypted data
411 (without themselves being encrypted), and passed back in as @var{ivec}
412 for decryption. Another possibility is to set @var{ivec} to 8 zeroes
413 initially, and have the first block encrypted consist of 8 random
416 Otherwise, all the parameters are similar to those for @code{ecb_crypt}.
419 @comment rpc/des_crypt.h
421 @deftypefun void des_setparity (char *@var{key})
422 @safety{@prelim{}@mtsafe{}@assafe{}@acsafe{}}
424 The function @code{des_setparity} changes the 64-bit @var{key}, stored
425 packed in 8-bit bytes, to have odd parity by altering the low bits of
429 The @code{ecb_crypt}, @code{cbc_crypt}, and @code{des_setparity}
430 functions and their accompanying macros are all defined in the header
431 @file{rpc/des_crypt.h}.
433 @node Unpredictable Bytes
434 @section Generating Unpredictable Bytes
436 Some cryptographic applications (such as session key generation) need
439 In general, application code should use a deterministic random bit
440 generator, which could call the @code{getentropy} function described
441 below internally to obtain randomness to seed the generator. The
442 @code{getrandom} function is intended for low-level applications which
443 need additional control over the blocking behavior.
445 @comment sys/random.h
447 @deftypefun int getentropy (void *@var{buffer}, size_t @var{length})
448 @safety{@mtsafe{}@assafe{}@acsafe{}}
450 This function writes @var{length} bytes of random data to the array
451 starting at @var{buffer}, which must be at most 256 bytes long. The
452 function returns zero on success. On failure, it returns @code{-1} and
453 @code{errno} is updated accordingly.
455 The @code{getentropy} function is declared in the header file
456 @file{sys/random.h}. It is derived from OpenBSD.
458 The @code{getentropy} function is not a cancellation point. A call to
459 @code{getentropy} can block if the system has just booted and the kernel
460 entropy pool has not yet been initialized. In this case, the function
461 will keep blocking even if a signal arrives, and return only after the
462 entropy pool has been initialized.
464 The @code{getentropy} function can fail with several errors, some of
465 which are listed below.
469 The kernel does not implement the required system call.
472 The combination of @var{buffer} and @var{length} arguments specifies
473 an invalid memory range.
476 More than 256 bytes of randomness have been requested, or the buffer
477 could not be overwritten with random data for an unspecified reason.
483 @comment sys/random.h
485 @deftypefun ssize_t getrandom (void *@var{buffer}, size_t @var{length}, unsigned int @var{flags})
486 @safety{@mtsafe{}@assafe{}@acsafe{}}
488 This function writes @var{length} bytes of random data to the array
489 starting at @var{buffer}. On success, this function returns the number
490 of bytes which have been written to the buffer (which can be less than
491 @var{length}). On error, @code{-1} is returned, and @code{errno} is
494 The @code{getrandom} function is declared in the header file
495 @file{sys/random.h}. It is a GNU extension.
497 The following flags are defined for the @var{flags} argument:
501 Use the @file{/dev/random} (blocking) pool instead of the
502 @file{/dev/urandom} (non-blocking) pool to obtain randomness. If the
503 @code{GRND_RANDOM} flag is specified, the @code{getrandom} function can
504 block even after the randomness source has been initialized.
507 Instead of blocking, return to the caller immediately if no data is
511 The @code{getrandom} function is a cancellation point.
513 Obtaining randomness from the @file{/dev/urandom} pool (i.e., a call
514 without the @code{GRND_RANDOM} flag) can block if the system has just
515 booted and the pool has not yet been initialized.
517 The @code{getrandom} function can fail with several errors, some of
518 which are listed below. In addition, the function may not fill the
519 buffer completely and return a value less than @var{length}.
523 The kernel does not implement the @code{getrandom} system call.
526 No random data was available and @code{GRND_NONBLOCK} was specified in
530 The combination of @var{buffer} and @var{length} arguments specifies
531 an invalid memory range.
534 The system call was interrupted. During the system boot process, before
535 the kernel randomness pool is initialized, this can happen even if
539 The @var{flags} argument contains an invalid combination of flags.