1 files changed, 56 insertions, 5 deletions
diff --git a/src/lib/libc/crypt/crypt.3 b/src/lib/libc/crypt/crypt.3
index 3e0e59287b..19806bb707 100644
--- a/src/lib/libc/crypt/crypt.3
+++ b/src/lib/libc/crypt/crypt.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: crypt.3,v 1.6 1997/03/31 02:38:44 deraadt Exp $
+.\" $OpenBSD: crypt.3,v 1.7 1997/11/05 11:44:49 provos Exp $
 .\"
 .\" FreeSec: libcrypt
 .\"
@@ -59,15 +59,19 @@ The
 function performs password encryption, based on the
 .Tn NBS
 Data Encryption Standard (DES).
-Additional code has been added to deter key search attempts.
+Additional code has been added to deter key search attempts and to use
+stronger hashing algorithms.
 The first argument to
 .Fn crypt
 is a
 .Dv null Ns -terminated
 string, typically a user's typed password.
-The second is in one of two forms:
+The second is in one of three forms:
 if it begins with an underscore (``_'') then an extended format is used
-in interpreting both the key and the setting, as outlined below.
+in interpreting both the key and the setting, as outlined below. If it begins
+with an string character (``$'') and a number then a different algorithm
+is used depending on the number. At the moment a ``$1'' chooses MD5 hashing
+and a ``$2'' chooses Blowfish hashing, see below for more information.
 .Ss Extended crypt:
 .Pp
 The
@@ -88,6 +92,51 @@ This allows 24 bits for both
 .Fa count
 and
 .Fa salt .
+.Ss "MD5" crypt:
+.Pp
+For 
+.Tn MD5 
+crypt the version number, 
+.Fa salt 
+and the hashed password are separated
+by the ``$'' character. A valid password looks like this: 
+.Pp
+``$1$caeiHQwX$hsKqOjrFRRN6K32OWkCBf1''.
+.Pp
+The whole password string is passed as 
+.Fa setting
+for interpretation.
+.Ss "Blowfish" crypt:
+.Pp
+The 
+.Tn Blowfish 
+version of crypt has 128 bits of 
+.Fa salt 
+in order to make building
+dictionaries of common passwords space consuming. The initial state
+of the 
+.Tn Blowfish 
+cipher is expanded using the 
+.Fa salt
+and the
+.Fa password 
+repeating the process a variable number of rounds, which is encoded in
+the password string. The final password entry is created by encrypting
+the string ``OrpheanBeholderScryDoubt'' with the 
+.Tn Blowfish 
+state 64 times.
+.Pp
+The version number, the logarithm of the number of rounds and 
+the concatenation of salt and
+hashed password are separated by the ``$'' character. An encoded ``8''
+would specify 64 rounds.
+A valid password looks like this:
+.Pp
+``$2a$12$eIAq8PR8sIUnJ1HaohxX2O9x9Qlm2vK97LJ5dsXdmB.eXF42qjchC''.
+.Pp
+The whole password string is passed as 
+.Fa setting
+for interpretation.
 .Ss "Traditional" crypt:
 .Pp
 The first 8 bytes of the key are null-padded, and the low-order 7 bits of
@@ -101,7 +150,7 @@ Thus only 12 bits of
 are used.
 .Fa count
 is set to 25.
-.Ss Algorithm:
+.Ss DES Algorithm:
 .Pp
 The
 .Fa salt
@@ -210,7 +259,9 @@ functions all manipulate the same key space.
 .Sh SEE ALSO
 .Xr login 1 ,
 .Xr passwd 1 ,
+.Xr blowfish 3 ,
 .Xr getpass 3 ,
+.Xr md5 3 ,
 .Xr passwd 5
 .Sh BUGS
 The

diff --git a/src/lib/libc/crypt/crypt.3 b/src/lib/libc/crypt/crypt.3 index 3e0e59287b..19806bb707 100644 --- a/src/lib/libc/crypt/crypt.3 +++ b/src/lib/libc/crypt/crypt.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: crypt.3,v 1.6 1997/03/31 02:38:44 deraadt Exp $	1	.\" $OpenBSD: crypt.3,v 1.7 1997/11/05 11:44:49 provos Exp $
2	.\"	2	.\"
3	.\" FreeSec: libcrypt	3	.\" FreeSec: libcrypt
4	.\"	4	.\"
@@ -59,15 +59,19 @@ The
59	function performs password encryption, based on the	59	function performs password encryption, based on the
60	.Tn NBS	60	.Tn NBS
61	Data Encryption Standard (DES).	61	Data Encryption Standard (DES).
62	Additional code has been added to deter key search attempts.	62	Additional code has been added to deter key search attempts and to use
		63	stronger hashing algorithms.
63	The first argument to	64	The first argument to
64	.Fn crypt	65	.Fn crypt
65	is a	66	is a
66	.Dv null Ns -terminated	67	.Dv null Ns -terminated
67	string, typically a user's typed password.	68	string, typically a user's typed password.
68	The second is in one of two forms:	69	The second is in one of three forms:
69	if it begins with an underscore (``_'') then an extended format is used	70	if it begins with an underscore (``_'') then an extended format is used
70	in interpreting both the key and the setting, as outlined below.	71	in interpreting both the key and the setting, as outlined below. If it begins
		72	with an string character (``$'') and a number then a different algorithm
		73	is used depending on the number. At the moment a ``$1'' chooses MD5 hashing
		74	and a ``$2'' chooses Blowfish hashing, see below for more information.
71	.Ss Extended crypt:	75	.Ss Extended crypt:
72	.Pp	76	.Pp
73	The	77	The
@@ -88,6 +92,51 @@ This allows 24 bits for both
88	.Fa count	92	.Fa count
89	and	93	and
90	.Fa salt .	94	.Fa salt .
		95	.Ss "MD5" crypt:
		96	.Pp
		97	For
		98	.Tn MD5
		99	crypt the version number,
		100	.Fa salt
		101	and the hashed password are separated
		102	by the ``$'' character. A valid password looks like this:
		103	.Pp
		104	``$1$caeiHQwX$hsKqOjrFRRN6K32OWkCBf1''.
		105	.Pp
		106	The whole password string is passed as
		107	.Fa setting
		108	for interpretation.
		109	.Ss "Blowfish" crypt:
		110	.Pp
		111	The
		112	.Tn Blowfish
		113	version of crypt has 128 bits of
		114	.Fa salt
		115	in order to make building
		116	dictionaries of common passwords space consuming. The initial state
		117	of the
		118	.Tn Blowfish
		119	cipher is expanded using the
		120	.Fa salt
		121	and the
		122	.Fa password
		123	repeating the process a variable number of rounds, which is encoded in
		124	the password string. The final password entry is created by encrypting
		125	the string ``OrpheanBeholderScryDoubt'' with the
		126	.Tn Blowfish
		127	state 64 times.
		128	.Pp
		129	The version number, the logarithm of the number of rounds and
		130	the concatenation of salt and
		131	hashed password are separated by the ``$'' character. An encoded ``8''
		132	would specify 64 rounds.
		133	A valid password looks like this:
		134	.Pp
		135	``$2a$12$eIAq8PR8sIUnJ1HaohxX2O9x9Qlm2vK97LJ5dsXdmB.eXF42qjchC''.
		136	.Pp
		137	The whole password string is passed as
		138	.Fa setting
		139	for interpretation.
91	.Ss "Traditional" crypt:	140	.Ss "Traditional" crypt:
92	.Pp	141	.Pp
93	The first 8 bytes of the key are null-padded, and the low-order 7 bits of	142	The first 8 bytes of the key are null-padded, and the low-order 7 bits of
@@ -101,7 +150,7 @@ Thus only 12 bits of
101	are used.	150	are used.
102	.Fa count	151	.Fa count
103	is set to 25.	152	is set to 25.
104	.Ss Algorithm:	153	.Ss DES Algorithm:
105	.Pp	154	.Pp
106	The	155	The
107	.Fa salt	156	.Fa salt
@@ -210,7 +259,9 @@ functions all manipulate the same key space.
210	.Sh SEE ALSO	259	.Sh SEE ALSO
211	.Xr login 1 ,	260	.Xr login 1 ,
212	.Xr passwd 1 ,	261	.Xr passwd 1 ,
		262	.Xr blowfish 3 ,
213	.Xr getpass 3 ,	263	.Xr getpass 3 ,
		264	.Xr md5 3 ,
214	.Xr passwd 5	265	.Xr passwd 5
215	.Sh BUGS	266	.Sh BUGS
216	The	267	The