Main index | Section 3 | Options |
#include <unistd.h>
The first argument to crypt is the data to hash (usually a password), in a NUL-terminated string. The second is the salt, in one of three forms:
Extended | If it begins with an underscore ("_") then the DES Extended Format is used in interpreting both the key and the salt, as outlined below. |
Modular | If it begins with the string "$digit$" then the Modular Crypt Format is used, as outlined below. |
Traditional | |
If neither of the above is true, it assumes the Traditional Format, using the entire string as the salt (or the first portion). | |
All routines are designed to be time-consuming.
The salt is a 9-character array consisting of an underscore followed by 4 bytes of iteration count and 4 bytes of salt. These are encoded as printable characters, 6 bits per character, least significant character first. The values 0 to 63 are encoded as "./0-9A-Za-z". This allows 24 bits for both count and salt.
The salt introduces disorder in the DES algorithm in one of 16777216 or 4096 possible ways ( i.e., with 24 or 12 bits: if bit i of the salt is set, then bits i and i+24 are swapped in the DES E-box output ).
The DES key is used to encrypt a 64-bit constant using count iterations of DES. The value returned is a NUL-terminated string, 20 or 13 bytes (plus NUL) in length, consisting of the salt followed by the encoded 64-bit encryption.
Currently supported algorithms are:
Other crypt formats may be easily added. An example salt would be:
$4$thesalt$rest | |
How the salt is used will depend upon the algorithm for the hash. For best results, specify at least eight characters of salt.
The crypt_get_format() function returns a constant string that represents the name of the algorithm currently used. Valid values are ‘des’, ‘blf’, ‘md5’, ‘sha256’, ‘sha512’ and ‘nth’.
The crypt_set_format() function sets the default encoding format according to the supplied string.
The crypt_r() function behaves identically to crypt(), except that the resulting string is stored in data, making it thread-safe.
The crypt_set_format() function will return 1 if the supplied encoding format was valid. Otherwise, a value of 0 is returned.
The DES section of the code (FreeSec 1.0) was developed outside the United States of America as an unencumbered replacement for the U.S.-only NetBSD libcrypt encryption library.
The crypt_r() function was added in FreeBSD 12.0 .
The NT-hash scheme does not use a salt, and is not hard for a competent attacker to break. Its use is not recommended.
CRYPT (3) | May 26, 2019 |
Main index | Section 3 | Options |
Please direct any comments about this manual page service to Ben Bullock. Privacy policy.
“ | C isn't that hard: void (*(*f[])())() defines f as an array of unspecified size, of pointers to functions that return pointers to functions that return void | ” |