1@node Cryptographic Functions, Debugging Support, System Configuration, Top 2@chapter Cryptographic Functions 3@c %MENU% Passphrase storage and strongly unpredictable bytes. 4 5@Theglibc{} includes only a few special-purpose cryptographic 6functions: one-way hash functions for passphrase storage, and access 7to a cryptographic randomness source, if one is provided by the 8operating system. Programs that need general-purpose cryptography 9should use a dedicated cryptography library, such as 10@uref{https://www.gnu.org/software/libgcrypt/,,libgcrypt}. 11 12Many countries place legal restrictions on the import, export, 13possession, or use of cryptographic software. We deplore these 14restrictions, but we must still warn you that @theglibc{} may be 15subject to them, even if you do not use the functions in this chapter 16yourself. The restrictions vary from place to place and are changed 17often, so we cannot give any more specific advice than this warning. 18 19@menu 20* Passphrase Storage:: One-way hashing for passphrases. 21* Unpredictable Bytes:: Randomness for cryptographic purposes. 22@end menu 23 24@node Passphrase Storage 25@section Passphrase Storage 26@cindex passphrase hashing 27@cindex one-way hashing 28@cindex hashing, passphrase 29 30Sometimes it is necessary to be sure that a user is authorized 31to use some service a machine provides---for instance, to log in as a 32particular user id (@pxref{Users and Groups}). One traditional way of 33doing this is for each user to choose a secret @dfn{passphrase}; then, the 34system can ask someone claiming to be a user what the user's passphrase 35is, and if the person gives the correct passphrase then the system can 36grant the appropriate privileges. (Traditionally, these were called 37``passwords,'' but nowadays a single word is too easy to guess.) 38 39Programs that handle passphrases must take special care not to reveal 40them to anyone, no matter what. It is not enough to keep them in a 41file that is only accessible with special privileges. The file might 42be ``leaked'' via a bug or misconfiguration, and system administrators 43shouldn't learn everyone's passphrase even if they have to edit that 44file for some reason. To avoid this, passphrases should also be 45converted into @dfn{one-way hashes}, using a @dfn{one-way function}, 46before they are stored. 47 48A one-way function is easy to compute, but there is no known way to 49compute its inverse. This means the system can easily check 50passphrases, by hashing them and comparing the result with the stored 51hash. But an attacker who discovers someone's passphrase hash can 52only discover the passphrase it corresponds to by guessing and 53checking. The one-way functions are designed to make this process 54impractically slow, for all but the most obvious guesses. (Do not use 55a word from the dictionary as your passphrase.) 56 57@Theglibc{} provides an interface to four one-way functions, based on 58the SHA-2-512, SHA-2-256, MD5, and DES cryptographic primitives. New 59passphrases should be hashed with either of the SHA-based functions. 60The others are too weak for newly set passphrases, but we continue to 61support them for verifying old passphrases. The DES-based hash is 62especially weak, because it ignores all but the first eight characters 63of its input. 64 65@deftypefun {char *} crypt (const char *@var{phrase}, const char *@var{salt}) 66@standards{X/Open, unistd.h} 67@standards{GNU, crypt.h} 68@safety{@prelim{}@mtunsafe{@mtasurace{:crypt}}@asunsafe{@asucorrupt{} @asulock{} @ascuheap{} @ascudlopen{}}@acunsafe{@aculock{} @acsmem{}}} 69@c Besides the obvious problem of returning a pointer into static 70@c storage, the DES initializer takes an internal lock with the usual 71@c set of problems for AS- and AC-Safety. 72@c The NSS implementations may leak file descriptors if cancelled. 73@c The MD5, SHA256 and SHA512 implementations will malloc on long keys, 74@c and NSS relies on dlopening, which brings about another can of worms. 75 76The function @code{crypt} converts a passphrase string, @var{phrase}, 77into a one-way hash suitable for storage in the user database. The 78string that it returns will consist entirely of printable ASCII 79characters. It will not contain whitespace, nor any of the characters 80@samp{:}, @samp{;}, @samp{*}, @samp{!}, or @samp{\}. 81 82The @var{salt} parameter controls which one-way function is used, and 83it also ensures that the output of the one-way function is different 84for every user, even if they have the same passphrase. This makes it 85harder to guess passphrases from a large user database. Without salt, 86the attacker could make a guess, run @code{crypt} on it once, and 87compare the result with all the hashes. Salt forces the attacker to 88make separate calls to @code{crypt} for each user. 89 90To verify a passphrase, pass the previously hashed passphrase as the 91@var{salt}. To hash a new passphrase for storage, set @var{salt} to a 92string consisting of a prefix plus a sequence of randomly chosen 93characters, according to this table: 94 95@multitable @columnfractions .2 .1 .3 96@headitem One-way function @tab Prefix @tab Random sequence 97@item SHA-2-512 98@tab @samp{$6$} 99@tab 16 characters 100@item SHA-2-256 101@tab @samp{$5$} 102@tab 16 characters 103@item MD5 104@tab @samp{$1$} 105@tab 8 characters 106@item DES 107@tab @samp{} 108@tab 2 characters 109@end multitable 110 111In all cases, the random characters should be chosen from the alphabet 112@code{./0-9A-Za-z}. 113 114With all of the hash functions @emph{except} DES, @var{phrase} can be 115arbitrarily long, and all eight bits of each byte are significant. 116With DES, only the first eight characters of @var{phrase} affect the 117output, and the eighth bit of each byte is also ignored. 118 119@code{crypt} can fail. Some implementations return @code{NULL} on 120failure, and others return an @emph{invalid} hashed passphrase, which 121will begin with a @samp{*} and will not be the same as @var{salt}. In 122either case, @code{errno} will be set to indicate the problem. Some 123of the possible error codes are: 124 125@table @code 126@item EINVAL 127@var{salt} is invalid; neither a previously hashed passphrase, nor a 128well-formed new salt for any of the supported hash functions. 129 130@item EPERM 131The system configuration forbids use of the hash function selected by 132@var{salt}. 133 134@item ENOMEM 135Failed to allocate internal scratch storage. 136 137@item ENOSYS 138@itemx EOPNOTSUPP 139Hashing passphrases is not supported at all, or the hash function 140selected by @var{salt} is not supported. @Theglibc{} does not use 141these error codes, but they may be encountered on other operating 142systems. 143@end table 144 145@code{crypt} uses static storage for both internal scratchwork and the 146string it returns. It is not safe to call @code{crypt} from multiple 147threads simultaneously, and the string it returns will be overwritten 148by any subsequent call to @code{crypt}. 149 150@code{crypt} is specified in the X/Open Portability Guide and is 151present on nearly all historical Unix systems. However, the XPG does 152not specify any one-way functions. 153 154@code{crypt} is declared in @file{unistd.h}. @Theglibc{} also 155declares this function in @file{crypt.h}. 156@end deftypefun 157 158@deftypefun {char *} crypt_r (const char *@var{phrase}, const char *@var{salt}, struct crypt_data *@var{data}) 159@standards{GNU, crypt.h} 160@safety{@prelim{}@mtsafe{}@asunsafe{@asucorrupt{} @asulock{} @ascuheap{} @ascudlopen{}}@acunsafe{@aculock{} @acsmem{}}} 161@tindex struct crypt_data 162@c Compared with crypt, this function fixes the @mtasurace:crypt 163@c problem, but nothing else. 164 165The function @code{crypt_r} is a thread-safe version of @code{crypt}. 166Instead of static storage, it uses the memory pointed to by its 167@var{data} argument for both scratchwork and the string it returns. 168It can safely be used from multiple threads, as long as different 169@var{data} objects are used in each thread. The string it returns 170will still be overwritten by another call with the same @var{data}. 171 172@var{data} must point to a @code{struct crypt_data} object allocated 173by the caller. All of the fields of @code{struct crypt_data} are 174private, but before one of these objects is used for the first time, 175it must be initialized to all zeroes, using @code{memset} or similar. 176After that, it can be reused for many calls to @code{crypt_r} without 177erasing it again. @code{struct crypt_data} is very large, so it is 178best to allocate it with @code{malloc} rather than as a local 179variable. @xref{Memory Allocation}. 180 181@code{crypt_r} is a GNU extension. It is declared in @file{crypt.h}, 182as is @code{struct crypt_data}. 183@end deftypefun 184 185The following program shows how to use @code{crypt} the first time a 186passphrase is entered. It uses @code{getentropy} to make the salt as 187unpredictable as possible; @pxref{Unpredictable Bytes}. 188 189@smallexample 190@include genpass.c.texi 191@end smallexample 192 193The next program demonstrates how to verify a passphrase. It checks a 194hash hardcoded into the program, because looking up real users' hashed 195passphrases may require special privileges (@pxref{User Database}). 196It also shows that different one-way functions produce different 197hashes for the same passphrase. 198 199@smallexample 200@include testpass.c.texi 201@end smallexample 202 203@node Unpredictable Bytes 204@section Generating Unpredictable Bytes 205@cindex randomness source 206@cindex random numbers, cryptographic 207@cindex pseudo-random numbers, cryptographic 208@cindex cryptographic random number generator 209@cindex deterministic random bit generator 210@cindex CRNG 211@cindex CSPRNG 212@cindex DRBG 213 214Cryptographic applications often need some random data that will be as 215difficult as possible for a hostile eavesdropper to guess. For 216instance, encryption keys should be chosen at random, and the ``salt'' 217strings used by @code{crypt} (@pxref{Passphrase Storage}) should also 218be chosen at random. 219 220Some pseudo-random number generators do not provide unpredictable-enough 221output for cryptographic applications; @pxref{Pseudo-Random Numbers}. 222Such applications need to use a @dfn{cryptographic random number 223generator} (CRNG), also sometimes called a @dfn{cryptographically strong 224pseudo-random number generator} (CSPRNG) or @dfn{deterministic random 225bit generator} (DRBG). 226 227Currently, @theglibc{} does not provide a cryptographic random number 228generator, but it does provide functions that read random data from a 229@dfn{randomness source} supplied by the operating system. The 230randomness source is a CRNG at heart, but it also continually 231``re-seeds'' itself from physical sources of randomness, such as 232electronic noise and clock jitter. This means applications do not need 233to do anything to ensure that the random numbers it produces are 234different on each run. 235 236The catch, however, is that these functions will only produce 237relatively short random strings in any one call. Often this is not a 238problem, but applications that need more than a few kilobytes of 239cryptographically strong random data should call these functions once 240and use their output to seed a CRNG. 241 242Most applications should use @code{getentropy}. The @code{getrandom} 243function is intended for low-level applications which need additional 244control over blocking behavior. 245 246@deftypefun int getentropy (void *@var{buffer}, size_t @var{length}) 247@standards{GNU, sys/random.h} 248@safety{@mtsafe{}@assafe{}@acsafe{}} 249 250This function writes exactly @var{length} bytes of random data to the 251array starting at @var{buffer}. @var{length} can be no more than 256. 252On success, it returns zero. On failure, it returns @math{-1}, and 253@code{errno} is set to indicate the problem. Some of the possible 254errors are listed below. 255 256@table @code 257@item ENOSYS 258The operating system does not implement a randomness source, or does 259not support this way of accessing it. (For instance, the system call 260used by this function was added to the Linux kernel in version 3.17.) 261 262@item EFAULT 263The combination of @var{buffer} and @var{length} arguments specifies 264an invalid memory range. 265 266@item EIO 267@var{length} is larger than 256, or the kernel entropy pool has 268suffered a catastrophic failure. 269@end table 270 271A call to @code{getentropy} can only block when the system has just 272booted and the randomness source has not yet been initialized. 273However, if it does block, it cannot be interrupted by signals or 274thread cancellation. Programs intended to run in very early stages of 275the boot process may need to use @code{getrandom} in non-blocking mode 276instead, and be prepared to cope with random data not being available 277at all. 278 279The @code{getentropy} function is declared in the header file 280@file{sys/random.h}. It is derived from OpenBSD. 281@end deftypefun 282 283@deftypefun ssize_t getrandom (void *@var{buffer}, size_t @var{length}, unsigned int @var{flags}) 284@standards{GNU, sys/random.h} 285@safety{@mtsafe{}@assafe{}@acsafe{}} 286 287This function writes up to @var{length} bytes of random data to the 288array starting at @var{buffer}. The @var{flags} argument should be 289either zero, or the bitwise OR of some of the following flags: 290 291@table @code 292@item GRND_RANDOM 293Use the @file{/dev/random} (blocking) source instead of the 294@file{/dev/urandom} (non-blocking) source to obtain randomness. 295 296If this flag is specified, the call may block, potentially for quite 297some time, even after the randomness source has been initialized. If it 298is not specified, the call can only block when the system has just 299booted and the randomness source has not yet been initialized. 300 301@item GRND_NONBLOCK 302Instead of blocking, return to the caller immediately if no data is 303available. 304 305@item GRND_INSECURE 306Write random data that may not be cryptographically secure. 307@end table 308 309Unlike @code{getentropy}, the @code{getrandom} function is a 310cancellation point, and if it blocks, it can be interrupted by 311signals. 312 313On success, @code{getrandom} returns the number of bytes which have 314been written to the buffer, which may be less than @var{length}. On 315error, it returns @math{-1}, and @code{errno} is set to indicate the 316problem. Some of the possible errors are: 317 318@table @code 319@item ENOSYS 320The operating system does not implement a randomness source, or does 321not support this way of accessing it. (For instance, the system call 322used by this function was added to the Linux kernel in version 3.17.) 323 324@item EAGAIN 325No random data was available and @code{GRND_NONBLOCK} was specified in 326@var{flags}. 327 328@item EFAULT 329The combination of @var{buffer} and @var{length} arguments specifies 330an invalid memory range. 331 332@item EINTR 333The system call was interrupted. During the system boot process, before 334the kernel randomness pool is initialized, this can happen even if 335@var{flags} is zero. 336 337@item EINVAL 338The @var{flags} argument contains an invalid combination of flags. 339@end table 340 341The @code{getrandom} function is declared in the header file 342@file{sys/random.h}. It is a GNU extension. 343 344@end deftypefun 345