{ "content": [ { "type": "text", "text": "# crypt(3) (man)\n\n## TLDR\n\n- Encrypt a file:\n `crypt -e fileToEncrypt outputFile`\n- Decrypt a file:\n `crypt -d fileToDecrypt outputFile`\n\n*Source: cheat.sh*\n\n---\n\n**Summary:** crypt, cryptr, cryptrn, cryptra — passphrase hashing\n\n## See Also\n\n- cryptgensalt(3)\n- getpass(3)\n- getpwent(3)\n- shadow(3)\n- login(1)\n- passwd(1)\n- passwd(5)\n- shadow(5)\n- pam(8)\n\n## Section Outline\n\n- **NAME** (2 lines)\n- **LIBRARY** (2 lines)\n- **SYNOPSIS** (1 lines) — 1 subsections\n - #include (12 lines)\n- **DESCRIPTION** (42 lines)\n- **RETURN VALUES** (26 lines)\n- **ERRORS** (16 lines)\n- **PORTABILITY NOTES** (28 lines)\n- **BUGS** (14 lines)\n- **ATTRIBUTES** (10 lines)\n- **HISTORY** (8 lines)\n- **SEE ALSO** (3 lines)\n- **Openwall Project October 11, 2017 Openwall Project** (1 lines)\n\n## Full Content\n\n### NAME\n\ncrypt, cryptr, cryptrn, cryptra — passphrase hashing\n\n### LIBRARY\n\nCrypt Library (libcrypt, -lcrypt)\n\n### SYNOPSIS\n\n#### #include \n\nchar *\ncrypt(const char *phrase, const char *setting);\n\nchar *\ncryptr(const char *phrase, const char *setting, struct cryptdata *data);\n\nchar *\ncryptrn(const char *phrase, const char *setting, struct cryptdata *data, int size);\n\nchar *\ncryptra(const char *phrase, const char *setting, void data, int *size);\n\n### DESCRIPTION\n\nThe crypt, cryptr, cryptrn, and cryptra functions irreversibly “hash” phrase for storage in\nthe system password database (shadow(5)) using a cryptographic “hashing method.” The result of\nthis operation is called a “hashed passphrase” or just a “hash.” Hashing methods are described\nin crypt(5).\n\nsetting controls which hashing method to use, and also supplies various parameters to the cho‐\nsen method, most importantly a random “salt” which ensures that no two stored hashes are the\nsame, even if the phrase strings are the same.\n\nThe data argument to cryptr is a structure of type struct cryptdata. It has at least these\nfields:\n\nstruct cryptdata {\nchar output[CRYPTOUTPUTSIZE];\nchar setting[CRYPTOUTPUTSIZE];\nchar phrase[CRYPTMAXPASSPHRASESIZE];\nchar initialized;\n};\n\nUpon a successful return from cryptr, the hashed passphrase will be stored in output. Appli‐\ncations are encouraged, but not required, to use the phrase and setting fields to store the\nstrings that they will pass as phrase and setting to cryptr. This will make it easier to\nerase all sensitive data after it is no longer needed.\n\nThe initialized field must be set to zero before the first time a struct cryptdata object is\nfirst used in a call to cryptr(). We recommend zeroing the entire object, not just\ninitialized and not just the documented fields, before the first use. (Of course, do this be‐\nfore storing anything in setting and phrase.)\n\nThe data argument to cryptrn should also point to a struct cryptdata object, and size should\nbe the size of that object, cast to int. When used with cryptrn, the entire data object (ex‐\ncept for the phrase and setting fields) must be zeroed before its first use; this is not just a\nrecommendation, as it is for cryptr. Otherwise, the fields of the object have the same uses\nthat they do for cryptr.\n\nOn the first call to cryptra, data should be the address of a void * variable set to NULL, and\nsize should be the address of an int variable set to zero. cryptra will allocate and initial‐\nize a struct cryptdata object, using malloc(3), and write its address and size into the vari‐\nables pointed to by data and size. These can be reused in subsequent calls. After the appli‐\ncation is done hashing passphrases, it should deallocate the struct cryptdata object using\nfree(3).\n\n### RETURN VALUES\n\nUpon successful completion, crypt, cryptr, cryptrn, and cryptra return a pointer to a string\nwhich encodes both the hashed passphrase, and the settings that were used to encode it. This\nstring is directly usable as setting in other calls to crypt, cryptr, cryptrn, and cryptra,\nand as prefix in calls to cryptgensalt, cryptgensaltrn, and cryptgensaltra. It will be\nentirely printable ASCII, and will not contain whitespace or the characters ‘:’, ‘;’, ‘*’, ‘!’,\nor ‘\\’. See crypt(5) for more detail on the format of hashed passphrases.\n\ncrypt places its result in a static storage area, which will be overwritten by subsequent calls\nto crypt. It is not safe to call crypt from multiple threads simultaneously.\n\ncryptr, cryptrn, and cryptra place their result in the output field of their data argument.\nIt is safe to call them from multiple threads simultaneously, as long as a separate data object\nis used for each thread.\n\nUpon error, cryptr, cryptrn, and cryptra write an invalid hashed passphrase to the output\nfield of their data argument, and crypt writes an invalid hash to its static storage area.\nThis string will be shorter than 13 characters, will begin with a ‘*’, and will not compare\nequal to setting.\n\nUpon error, cryptrn and cryptra return a null pointer. cryptr and crypt may also return a\nnull pointer, or they may return a pointer to the invalid hash, depending on how libcrypt was\nconfigured. (The option to return the invalid hash is for compatibility with old applications\nthat assume that crypt cannot return a null pointer. See PORTABILITY NOTES below.)\n\nAll four functions set errno when they fail.\n\n### ERRORS\n\nEINVAL setting is invalid, or requests a hashing method that is not supported.\n\nERANGE phrase is too long (more than CRYPTMAXPASSPHRASESIZE characters; some\nhashing methods may have lower limits).\ncryptrn only: size is too small for the hashing method requested by\nsetting.\n\nENOMEM Failed to allocate internal scratch memory.\ncryptra only: failed to allocate memory for data.\n\nENOSYS or EOPNOTSUPP\nHashing passphrases is not supported at all on this installation, or the\nhashing method requested by setting is not supported. These error codes are\nnot used by this version of libcrypt, but may be encountered on other sys‐\ntems.\n\n### PORTABILITY NOTES\n\ncrypt is included in POSIX, but cryptr, cryptrn, and cryptra are not part of any standard.\n\nPOSIX does not specify any hashing methods, and does not require hashed passphrases to be por‐\ntable between systems. In practice, hashed passphrases are portable as long as both systems\nsupport the hashing method that was used. However, the set of supported hashing methods varies\nconsiderably from system to system.\n\nThe behavior of crypt on errors isn't well standardized. Some implementations simply can't\nfail (except by crashing the program), others return a null pointer or a fixed string. Most\nimplementations don't set errno, but some do. POSIX specifies returning a null pointer and\nsetting errno, but it defines only one possible error, ENOSYS, in the case where crypt is not\nsupported at all. Some older applications are not prepared to handle null pointers returned by\ncrypt. The behavior described above for this implementation, setting errno and returning an\ninvalid hashed passphrase different from setting, is chosen to make these applications fail\nclosed when an error occurs.\n\nDue to historical restrictions on the export of cryptographic software from the USA, crypt is\nan optional POSIX component. Applications should therefore be prepared for crypt not to be\navailable, or to always fail (setting errno to ENOSYS) at runtime.\n\nPOSIX specifies that crypt is declared in , but only if the macro XOPENCRYPT is de‐\nfined and has a value greater than or equal to zero. Since libcrypt does not provide\n, it declares crypt, cryptr, cryptrn, and cryptra in instead.\n\nOn a minority of systems (notably recent versions of Solaris), crypt uses a thread-specific\nstatic storage buffer, which makes it safe to call from multiple threads simultaneously, but\ndoes not prevent each call within a thread from overwriting the results of the previous one.\n\n### BUGS\n\nSome implementations of crypt, upon error, return an invalid hash that is stored in a read-only\nlocation or only initialized once, which means that it is only safe to erase the buffer pointed\nto by the crypt return value if an error did not occur.\n\nstruct cryptdata may be quite large (32kB in this implementation of libcrypt; over 128kB in\nsome other implementations). This is large enough that it may be unwise to allocate it on the\nstack.\n\nSome recently designed hashing methods need even more scratch memory, but the cryptr interface\nmakes it impossible to change the size of struct cryptdata without breaking binary compatibil‐\nity. The cryptrn interface could accommodate larger allocations for specific hashing methods,\nbut the caller of cryptrn has no way of knowing how much memory to allocate. cryptra does\nthe allocation itself, but can only make a single call to malloc(3).\n\n### ATTRIBUTES\n\nFor an explanation of the terms used in this section, see attributes(7).\n┌───────────────────┬───────────────┬──────────────────────┐\n│Interface │ Attribute │ Value │\n├───────────────────┼───────────────┼──────────────────────┤\n│crypt │ Thread safety │ MT-Unsafe race:crypt │\n├───────────────────┼───────────────┼──────────────────────┤\n│cryptr, cryptrn, │ Thread safety │ MT-Safe │\n│cryptra │ │ │\n└───────────────────┴───────────────┴──────────────────────┘\n\n### HISTORY\n\nA rotor-based crypt function appeared in Version 6 AT&T UNIX. The “traditional” DES-based\ncrypt first appeared in Version 7 AT&T UNIX.\n\ncryptr originates with the GNU C Library. There's also a cryptr function on HP-UX and MKS\nToolkit, but the prototypes and semantics differ.\n\ncryptrn and cryptra originate with the Openwall project.\n\n### SEE ALSO\n\ncryptgensalt(3), getpass(3), getpwent(3), shadow(3), login(1), passwd(1), crypt(5), passwd(5),\nshadow(5), pam(8)\n\n### Openwall Project October 11, 2017 Openwall Project\n\n" } ], "structuredContent": { "command": "crypt", "section": "3", "mode": "man", "summary": "crypt, cryptr, cryptrn, cryptra — passphrase hashing", "synopsis": "", "tldr_summary": "", "tldr_examples": [ { "description": "Encrypt a file", "command": "crypt -e fileToEncrypt outputFile" }, { "description": "Decrypt a file", "command": "crypt -d fileToDecrypt outputFile" } ], "tldr_source": "cheatsh", "flags": [], "examples": [], "see_also": [ { "name": "cryptgensalt", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/cryptgensalt/3/json" }, { "name": "getpass", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/getpass/3/json" }, { "name": "getpwent", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/getpwent/3/json" }, { "name": "shadow", "section": "3", "url": "https://www.chedong.com/phpMan.php/man/shadow/3/json" }, { "name": "login", "section": "1", "url": "https://www.chedong.com/phpMan.php/man/login/1/json" }, { "name": "passwd", "section": "1", "url": "https://www.chedong.com/phpMan.php/man/passwd/1/json" }, { "name": "passwd", "section": "5", "url": "https://www.chedong.com/phpMan.php/man/passwd/5/json" }, { "name": "shadow", "section": "5", "url": "https://www.chedong.com/phpMan.php/man/shadow/5/json" }, { "name": "pam", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/pam/8/json" } ], "section_outline": [ { "name": "NAME", "lines": 2, "subsections": [] }, { "name": "LIBRARY", "lines": 2, "subsections": [] }, { "name": "SYNOPSIS", "lines": 1, "subsections": [ { "name": "#include ", "lines": 12 } ] }, { "name": "DESCRIPTION", "lines": 42, "subsections": [] }, { "name": "RETURN VALUES", "lines": 26, "subsections": [] }, { "name": "ERRORS", "lines": 16, "subsections": [] }, { "name": "PORTABILITY NOTES", "lines": 28, "subsections": [] }, { "name": "BUGS", "lines": 14, "subsections": [] }, { "name": "ATTRIBUTES", "lines": 10, "subsections": [] }, { "name": "HISTORY", "lines": 8, "subsections": [] }, { "name": "SEE ALSO", "lines": 3, "subsections": [] }, { "name": "Openwall Project October 11, 2017 Openwall Project", "lines": 1, "subsections": [] } ] } }