Modernise. Use libcrypto instead of libcipher for DES.

svn path=/head/; revision=115718

secure/usr.bin/bdes/Makefile

@@ -2,7 +2,10 @@
 # $FreeBSD$
 
 PROG=	bdes
-DPADD=	${LIBCIPHER}
-LDADD=	-lcipher
+
+WARNS=	2
+
+DPADD=	${LIBCRYPTO}
+LDADD=	-lcrypto
 
 .include <bsd.prog.mk>

secure/usr.bin/bdes/bdes.1

@@ -40,7 +40,7 @@
 .Os
 .Sh NAME
 .Nm bdes
-.Nd "encrypt/decrypt using the Data Encryption Standard"
+.Nd "encrypt/decrypt using the Data Encryption Standard (DES)"
 .Sh SYNOPSIS
 .Nm
 .Op Fl abdp
@@ -61,22 +61,31 @@ including alternative cipher feedback mode and both authentication
 modes.
 The
 .Nm
-utility reads from the standard input and writes to the standard output.
-By default, the input is encrypted using cipher block chaining mode.
-Using the same key for encryption and decryption preserves plain text.
+utility reads from the standard input
+and writes to the standard output.
+By default,
+the input is encrypted
+using cipher block chaining (CBC) mode.
+Using the same key
+for encryption and decryption
+preserves plain text.
 .Pp
-All modes but the electronic code book mode require an initialization
-vector; if none is supplied, the zero vector is used.
+All modes but the electronic code book (ECB) mode
+require an initialization vector;
+if none is supplied,
+the zero vector is used.
 If no
 .Ar key
-is specified on the command line, the user is prompted for one (see
+is specified on the command line,
+the user is prompted for one (see
 .Xr getpass 3
 for more details).
 .Pp
 The options are as follows:
 .Bl -tag -width indent
 .It Fl a
-The key and initialization vector strings are to be taken as
+The key and initialization vector strings
+are to be taken as
 .Tn ASCII ,
 suppressing the special interpretation given to leading
 .Dq Li 0X ,
@@ -89,21 +98,22 @@ This flag applies to
 .Em both
 the key and initialization vector.
 .It Fl b
-Use electronic code book mode.
+Use ECB mode.
 .It Fl d
 Decrypt the input.
 .It Fl F Ar N
 Use
 .Ar N Ns \-bit
-alternative cipher feedback mode.
+alternative CFB mode.
 Currently
 .Ar N
-must be a multiple of 7 between 7 and 56 inclusive (this does not conform
-to the alternative CFB mode specification).
+must be a multiple of 7
+between 7 and 56 inclusive
+(this does not conform to the alternative CFB mode specification).
 .It Fl f Ar N
 Use
 .Ar N Ns \-bit
-cipher feedback mode.
+CFB mode.
 Currently
 .Ar N
 must be a multiple of 8 between 8 and 64 inclusive (this does not conform
@@ -120,130 +130,182 @@ The value of
 .Ar N
 must be between 1 and 64 inclusive; if
 .Ar N
-is not a multiple of 8, enough 0 bits will be added to pad the MAC length
+is not a multiple of 8,
+enough 0 bits will be added
+to pad the MAC length
 to the nearest multiple of 8.
 Only the MAC is output.
-MACs are only available in cipher block chaining mode or in cipher feedback
-mode.
+MACs are only available
+in CBC mode
+or in CFB mode.
 .It Fl o Ar N
 Use
 .Ar N Ns \-bit
-output feedback mode.
+ouput feedback (OFB) mode.
 Currently
 .Ar N
 must be a multiple of 8 between 8 and 64 inclusive (this does not conform
 to the OFB mode specification).
 .It Fl p
 Disable the resetting of the parity bit.
-This flag forces the parity bit of the key to be used as typed, rather than
-making each character be of odd parity.
+This flag forces
+the parity bit of the key
+to be used as typed,
+rather than making
+each character be of odd parity.
 It is used only if the key is given in
 .Tn ASCII .
 .It Fl v Ar vector
 Set the initialization vector to
 .Ar vector ;
 the vector is interpreted in the same way as the key.
-The vector is ignored in electronic codebook mode.
+The vector is ignored in ECB mode.
 .El
 .Pp
-The key and initialization vector are taken as sequences of
+The key and initialization vector
+are taken as sequences of
 .Tn ASCII
-characters which are then mapped into their bit representations.
+characters which are then mapped
+into their bit representations.
 If either begins with
 .Dq Li 0X
 or
 .Dq Li 0x ,
-that one is taken as a sequence of hexadecimal digits indicating the
-bit pattern;
+that one is taken
+as a sequence of hexadecimal digits
+indicating the bit pattern;
 if either begins with
 .Dq Li 0B
 or
 .Dq Li 0b ,
-that one is taken as a sequence of binary digits indicating the bit pattern.
+that one is taken
+as a sequence of binary digits
+indicating the bit pattern.
 In either case,
-only the leading 64 bits of the key or initialization vector
+only the leading 64 bits
+of the key or initialization vector
 are used,
-and if fewer than 64 bits are provided, enough 0 bits are appended
+and if fewer than 64 bits are provided,
+enough 0 bits are appended
 to pad the key to 64 bits.
 .Pp
 According to the
 .Tn DES
-standard, the low-order bit of each character in the
-key string is deleted.
+standard,
+the low-order bit of each character
+in the key string is deleted.
 Since most
 .Tn ASCII
-representations set the high-order bit to 0, simply
-deleting the low-order bit effectively reduces the size of the key space
+representations
+set the high-order bit to 0,
+simply deleting the low-order bit
+effectively reduces the size of the key space
 from 2^56 to 2^48 keys.
-To prevent this, the high-order bit must be a function depending in part
-upon the low-order bit; so, the high-order bit is set to whatever value
-gives odd parity.
+To prevent this,
+the high-order bit must be a function
+depending in part upon the low-order bit;
+so,
+the high-order bit is set
+to whatever value gives odd parity.
 This preserves the key space size.
 Note this resetting of the parity bit is
 .Em not
-done if the key is given in binary or hex, and can be disabled for
+done if the key
+is given in binary or hex,
+and can be disabled for
 .Tn ASCII
 keys as well.
 .Pp
 The
 .Tn DES
-is considered a very strong cryptosystem, and other than table lookup
-attacks, key search attacks, and Hellman's time-memory tradeoff (all of which
-are very expensive and time-consuming), no cryptanalytic methods for breaking
-the
+is considered a very strong cryptosystem,
+and other than table lookup attacks,
+key search attacks,
+and Hellman's time-memory tradeoff
+(all of which are very expensive and time-consuming),
+no cryptanalytic methods
+for breaking the
 .Tn DES
 are known in the open literature.
-No doubt the choice of keys and key security are the most vulnerable aspect
-of
+No doubt the choice of keys
+and key security
+are the most vulnerable aspect of
 .Nm .
 .Sh IMPLEMENTATION NOTES
-For implementors wishing to write software compatible with this program,
+For implementors wishing to write
+software compatible with this program,
 the following notes are provided.
-This software is believed to be compatible with the implementation of the
-data encryption standard distributed by Sun Microsystems, Inc.
+This software is believed
+to be compatible with the implementation
+of the data encryption standard
+distributed by Sun Microsystems, Inc.
 .Pp
-In the ECB and CBC modes, plaintext is encrypted in units of 64 bits (8 bytes,
-also called a block).
-To ensure that the plaintext file is encrypted correctly,
+In the ECB and CBC modes,
+plaintext is encrypted in units of 64 bits
+(8 bytes, also called a block).
+To ensure that the plaintext file
+is encrypted correctly,
 .Nm
-will (internally) append from 1 to 8 bytes, the last byte containing an
-integer stating how many bytes of that final block are from the plaintext
-file, and encrypt the resulting block.
-Hence, when decrypting, the last block may contain from 0 to 7 characters
-present in the plaintext file, and the last byte tells how many.
-Note that if during decryption the last byte of the file does not contain an
-integer between 0 and 7, either the file has been corrupted or an incorrect
-key has been given.
-A similar mechanism is used for the OFB and CFB modes, except that those
-simply require the length of the input to be a multiple of the mode size,
-and the final byte contains an integer between 0 and one less than the number
+will (internally) append from 1 to 8 bytes,
+the last byte containing an integer
+stating how many bytes of that final block
+are from the plaintext file,
+and encrypt the resulting block.
+Hence,
+when decrypting,
+the last block may contain from 0 to 7 characters
+present in the plaintext file,
+and the last byte tells how many.
+Note that if during decryption
+the last byte of the file
+does not contain an integer between 0 and 7,
+either the file has been corrupted
+or an incorrect key has been given.
+A similar mechanism is used
+for the OFB and CFB modes,
+except that those
+simply require the length of the input
+to be a multiple of the mode size,
+and the final byte contains an integer
+between 0 and one less than the number
 of bytes being used as the mode.
-(This was another reason that the mode size must be a multiple of 8 for those
-modes.)
+(This was another reason
+that the mode size must be
+a multiple of 8 for those modes.)
 .Pp
-Unlike Sun's implementation, unused bytes of that last block are not filled
-with random data, but instead contain what was in those byte positions in
-the preceding block.
-This is quicker and more portable, and does not weaken the encryption
-significantly.
+Unlike Sun's implementation,
+unused bytes of that last block
+are not filled with random data,
+but instead contain
+what was in those byte positions
+in the preceding block.
+This is quicker and more portable,
+and does not weaken the encryption significantly.
 .Pp
 If the key is entered in
 .Tn ASCII ,
-the parity bits of the key characters are set
-so that each key character is of odd parity.
-Unlike Sun's implementation, it is possible to enter binary or hexadecimal
-keys on the command line, and if this is done, the parity bits are
+the parity bits of the key characters
+are set so that each key character
+is of odd parity.
+Unlike Sun's implementation,
+it is possible to enter binary or hexadecimal
+keys on the command line,
+and if this is done,
+the parity bits are
 .Em not
 reset.
-This allows testing using arbitrary bit patterns as keys.
+This allows testing
+using arbitrary bit patterns as keys.
 .Pp
-The Sun implementation always uses an initialization vector of 0
+The Sun implementation
+always uses an initialization vector of 0
 (that is, all zeroes).
 By default,
 .Nm
-does too, but this may be changed from the command line.
+does too,
+but this may be changed
+from the command line.
 .Sh SEE ALSO
-.Xr crypt 3 ,
 .Xr getpass 3
 .Rs
 .%T "Data Encryption Standard"
@@ -289,21 +351,33 @@ There is a controversy raging over whether the
 .Tn DES
 will still be secure
 in a few years.
-The advent of special-purpose hardware could reduce the cost of any of the
-methods of attack named above so that they are no longer computationally
-infeasible.
+The advent of special-purpose hardware
+could reduce the cost of any of the
+methods of attack named above
+so that they are no longer
+computationally infeasible.
 .Pp
-As the key or key schedule is stored in memory, the encryption can be
+As the key or key schedule
+is stored in memory,
+the encryption can be
 compromised if memory is readable.
-Additionally, programs which display programs' arguments may compromise the
-key and initialization vector, if they are specified on the command line.
+Additionally,
+programs which display programs' arguments
+may compromise the key and initialization vector,
+if they are specified on the command line.
 To avoid this
 .Nm
-overwrites its arguments, however, the obvious race cannot currently be
-avoided.
+overwrites its arguments,
+however,
+the obvious race
+cannot currently be avoided.
 .Pp
-Certain specific keys should be avoided because they introduce potential
-weaknesses; these keys, called the
+Certain specific keys
+should be avoided
+because they introduce
+potential weaknesses;
+these keys,
+called the
 .Em weak
 and
 .Em semiweak
@@ -328,7 +402,8 @@ or
 .Pp
 This is inherent in the
 .Tn DES
-algorithm; see
+algorithm;
+see
 .Rs
 .%A Moore
 .%A Simmons