Diffstat (limited to 'lib/libcrypt')
-rw-r--r-- | lib/libcrypt/Makefile | 38 | ||||
-rw-r--r-- | lib/libcrypt/crypt-md5.c | 153 | ||||
-rw-r--r-- | lib/libcrypt/crypt-nthash.c | 88 | ||||
-rw-r--r-- | lib/libcrypt/crypt.3 | 307 | ||||
-rw-r--r-- | lib/libcrypt/crypt.c | 131 | ||||
-rw-r--r-- | lib/libcrypt/crypt.h | 40 | ||||
-rw-r--r-- | lib/libcrypt/misc.c | 47 |
7 files changed, 804 insertions, 0 deletions
diff --git a/lib/libcrypt/Makefile b/lib/libcrypt/Makefile
new file mode 100644
index 0000000..3a27e70
--- /dev/null
+++ b/lib/libcrypt/Makefile
@@ -0,0 +1,38 @@
+#
+# $FreeBSD$
+#
+
+SHLIBDIR?= /lib
+
+.include <bsd.own.mk>
+
+SHLIB_MAJOR= 3
+LIB= crypt
+
+.PATH: ${.CURDIR}/../libmd
+SRCS= crypt.c misc.c \
+ crypt-md5.c md5c.c \
+ crypt-nthash.c md4c.c
+MAN= crypt.3
+MLINKS= crypt.3 crypt_get_format.3 crypt.3 crypt_set_format.3
+CFLAGS+= -I${.CURDIR}/../libmd -I${.CURDIR}/../libutil
+
+# Pull in the strong crypto, if it is present.
+.if exists(${.CURDIR}/../../secure/lib/libcrypt) && ${MK_CRYPT} != "no"
+.PATH: ${.CURDIR}/../../secure/lib/libcrypt
+SRCS+= crypt-des.c crypt-blowfish.c blowfish.c
+CFLAGS+= -I${.CURDIR} -DHAS_DES -DHAS_BLOWFISH
+.endif
+
+# And the auth_getval() code and support.
+.PATH: ${.CURDIR}/../libutil
+SRCS+= auth.c property.c
+.for sym in auth_getval property_find properties_read properties_free \
+ MD4Init MD4Final MD4Update MD4Pad \
+ MD5Init MD5Final MD5Update MD5Pad
+CFLAGS+= -D${sym}=__${sym}
+.endfor
+
+PRECIOUSLIB=
+
+.include <bsd.lib.mk>
diff --git a/lib/libcrypt/crypt-md5.c b/lib/libcrypt/crypt-md5.c
new file mode 100644
index 0000000..33186cd
--- /dev/null
+++ b/lib/libcrypt/crypt-md5.c
@@ -0,0 +1,153 @@
+/*-
+ * Copyright (c) 2003 Poul-Henning Kamp
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <sys/types.h>
+
+#include <err.h>
+#include <md5.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "crypt.h"
+
+/*
+ * UNIX password
+ */
+
+char *
+crypt_md5(const char *pw, const char *salt)
+{
+ MD5_CTX ctx,ctx1;
+ unsigned long l;
+ int sl, pl;
+ u_int i;
+ u_char final[MD5_SIZE];
+ static const char *sp, *ep;
+ static char passwd[120], *p;
+ static const char *magic = "$1$";
+
+ /* Refine the Salt first */
+ sp = salt;
+
+ /* If it starts with the magic string, then skip that */
+ if(!strncmp(sp, magic, strlen(magic)))
+ sp += strlen(magic);
+
+ /* It stops at the first '$', max 8 chars */
+ for(ep = sp; *ep && *ep != '$' && ep < (sp + 8); ep++)
+ continue;
+
+ /* get the length of the true salt */
+ sl = ep - sp;
+
+ MD5Init(&ctx);
+
+ /* The password first, since that is what is most unknown */
+ MD5Update(&ctx, (const u_char *)pw, strlen(pw));
+
+ /* Then our magic string */
+ MD5Update(&ctx, (const u_char *)magic, strlen(magic));
+
+ /* Then the raw salt */
+ MD5Update(&ctx, (const u_char *)sp, (u_int)sl);
+
+ /* Then just as many characters of the MD5(pw,salt,pw) */
+ MD5Init(&ctx1);
+ MD5Update(&ctx1, (const u_char *)pw, strlen(pw));
+ MD5Update(&ctx1, (const u_char *)sp, (u_int)sl);
+ MD5Update(&ctx1, (const u_char *)pw, strlen(pw));
+ MD5Final(final, &ctx1);
+ for(pl = (int)strlen(pw); pl > 0; pl -= MD5_SIZE)
+ MD5Update(&ctx, (const u_char *)final,
+ (u_int)(pl > MD5_SIZE ? MD5_SIZE : pl));
+
+ /* Don't leave anything around in vm they could use. */
+ memset(final, 0, sizeof(final));
+
+ /* Then something really weird... */
+ for (i = strlen(pw); i; i >>= 1)
+ if(i & 1)
+ MD5Update(&ctx, (const u_char *)final, 1);
+ else
+ MD5Update(&ctx, (const u_char *)pw, 1);
+
+ /* Now make the output string */
+ strcpy(passwd, magic);
+ strncat(passwd, sp, (u_int)sl);
+ strcat(passwd, "$");
+
+ MD5Final(final, &ctx);
+
+ /*
+ * and now, just to make sure things don't run too fast
+ * On a 60 Mhz Pentium this takes 34 msec, so you would
+ * need 30 seconds to build a 1000 entry dictionary...
+ */
+ for(i = 0; i < 1000; i++) {
+ MD5Init(&ctx1);
+ if(i & 1)
+ MD5Update(&ctx1, (const u_char *)pw, strlen(pw));
+ else
+ MD5Update(&ctx1, (const u_char *)final, MD5_SIZE);
+
+ if(i % 3)
+ MD5Update(&ctx1, (const u_char *)sp, (u_int)sl);
+
+ if(i % 7)
+ MD5Update(&ctx1, (const u_char *)pw, strlen(pw));
+
+ if(i & 1)
+ MD5Update(&ctx1, (const u_char *)final, MD5_SIZE);
+ else
+ MD5Update(&ctx1, (const u_char *)pw, strlen(pw));
+ MD5Final(final, &ctx1);
+ }
+
+ p = passwd + strlen(passwd);
+
+ l = (final[ 0]<<16) | (final[ 6]<<8) | final[12];
+ _crypt_to64(p, l, 4); p += 4;
+ l = (final[ 1]<<16) | (final[ 7]<<8) | final[13];
+ _crypt_to64(p, l, 4); p += 4;
+ l = (final[ 2]<<16) | (final[ 8]<<8) | final[14];
+ _crypt_to64(p, l, 4); p += 4;
+ l = (final[ 3]<<16) | (final[ 9]<<8) | final[15];
+ _crypt_to64(p, l, 4); p += 4;
+ l = (final[ 4]<<16) | (final[10]<<8) | final[ 5];
+ _crypt_to64(p, l, 4); p += 4;
+ l = final[11];
+ _crypt_to64(p, l, 2); p += 2;
+ *p = '\0';
+
+ /* Don't leave anything around in vm they could use. */
+ memset(final, 0, sizeof(final));
+
+ return (passwd);
+}
diff --git a/lib/libcrypt/crypt-nthash.c b/lib/libcrypt/crypt-nthash.c
new file mode 100644
index 0000000..19b84ce
--- /dev/null
+++ b/lib/libcrypt/crypt-nthash.c
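Review bot: The final `memset(final, 0, sizeof(final));` in crypt_md5 sits directly before `return` as a dead store, so a compiler is free to drop it, and `ctx` and `ctx1`, which hold password-derived MD5 state, are never cleared at all. Where the platform provides it, `explicit_bzero(final, sizeof(final));` together with `explicit_bzero(&ctx, sizeof(ctx)); explicit_bzero(&ctx1, sizeof(ctx1));` before the return would make the "Don't leave anything around in vm" comment true. The earlier memset is different: the `i >>= 1` loop that follows reads `final[0]` into the digest, so that zeroing is part of the algorithm's output and must stay where it is. A one-line comment saying so, e.g. `/* final must be all-zero here: the loop below hashes final[0] */`, would stop a later cleanup from moving or removing it.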
@@ -0,0 +1,88 @@
+/*-
+ * Copyright (c) 2003 Michael Bretterklieber
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <sys/types.h>
+
+#include <netinet/in.h>
+
+#include <ctype.h>
+#include <err.h>
+#include <md4.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "crypt.h"
+
+/*
+ * NT HASH = md4(str2unicode(pw))
+ */
+
+/* ARGSUSED */
+char *
+crypt_nthash(const char *pw, const char *salt __unused)
+{
+ size_t unipwLen;
+ int i, j;
+ static char hexconvtab[] = "0123456789abcdef";
+ static const char *magic = "$3$";
+ static char passwd[120];
+ u_int16_t unipw[128];
+ char final[MD4_SIZE*2 + 1];
+ u_char hash[MD4_SIZE];
+ const char *s;
+ MD4_CTX ctx;
+
+ bzero(unipw, sizeof(unipw));
+ /* convert to unicode (thanx Archie) */
+ unipwLen = 0;
+ for (s = pw; unipwLen < sizeof(unipw) / 2 && *s; s++)
+ unipw[unipwLen++] = htons(*s << 8);
+
+ /* Compute MD4 of Unicode password */
+ MD4Init(&ctx);
+ MD4Update(&ctx, (u_char *)unipw, unipwLen*sizeof(u_int16_t));
+ MD4Final(hash, &ctx);
+
+ for (i = j = 0; i < MD4_SIZE; i++) {
+ final[j++] = hexconvtab[hash[i] >> 4];
+ final[j++] = hexconvtab[hash[i] & 15];
+ }
+ final[j] = '\0';
+
+ strcpy(passwd, magic);
+ strcat(passwd, "$");
+ strncat(passwd, final, MD4_SIZE*2);
+
+ /* Don't leave anything around in vm they could use. */
+ memset(final, 0, sizeof(final));
+
+ return (passwd);
+}
diff --git a/lib/libcrypt/crypt.3 b/lib/libcrypt/crypt.3
new file mode 100644
index 0000000..27ff750
--- /dev/null
+++ b/lib/libcrypt/crypt.3
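Review bot: In crypt_nthash the only buffer cleared before the return is `final`, which holds the same hex digest that is handed back in `passwd`, while `unipw` (the plaintext password widened to 16-bit units), `hash` and `ctx` are left on the stack. Clearing those instead, with `explicit_bzero(unipw, sizeof(unipw));`, `explicit_bzero(hash, sizeof(hash));` and `explicit_bzero(&ctx, sizeof(ctx));` where available, is what the "Don't leave anything around in vm" comment actually calls for. Separately, `htons(*s << 8)` shifts a plain `char`; where `char` is signed, bytes of 0x80 and above are negative before the shift, so `(unsigned char)*s` is the safer operand. The conversion loop also stops silently after 128 characters, so longer passwords hash the same as their 128-character prefix; that limit deserves a comment next to `unipw[128]`.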
@@ -0,0 +1,307 @@
+.\" FreeSec: libcrypt for NetBSD
+.\"
+.\" Copyright (c) 1994 David Burren
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 4. Neither the name of the author nor the names of other contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd January 19, 1997
+.Dt CRYPT 3
+.Os
+.Sh NAME
+.Nm crypt
+.Nd Trapdoor encryption
+.Sh LIBRARY
+.Lb libcrypt
+.Sh SYNOPSIS
+.In unistd.h
+.Ft char *
+.Fn crypt "const char *key" "const char *salt"
+.Ft const char *
+.Fn crypt_get_format "void"
+.Ft int
+.Fn crypt_set_format "const char *string"
+.Sh DESCRIPTION
+The
+.Fn crypt
+function performs password hashing with additional code added to
+deter key search attempts.
+Different algorithms can be used to
+in the hash.
+.\"
+.\" NOTICE:
+.\" If you add more algorithms, make sure to update this list
+.\" and the default used for the Traditional format, below.
+.\"
+Currently these include the
+.Tn NBS
+.Tn Data Encryption Standard (DES) ,
+.Tn MD5
+hash,
+.Tn NT-Hash
+(compatible with Microsoft's NT scheme)
+and
+.Tn Blowfish .
+The algorithm used will depend upon the format of the Salt (following
+the Modular Crypt Format (MCF)), if
+.Tn DES
+and/or
+.Tn Blowfish
+is installed or not, and whether
+.Fn crypt_set_format
+has been called to change the default.
+.Pp
+The first argument to
+.Nm
+is the data to hash (usually a password), in a
+.Dv null Ns -terminated
+string.
+The second is the salt, in one of three forms:
+.Pp
+.Bl -tag -width Traditional -compact -offset indent
+.It Extended
+If it begins with an underscore
+.Pq Dq _
+then the
+.Tn DES
+Extended Format
+is used in interpreting both the key and the salt, as outlined below.
+.It Modular
+If it begins with the string
+.Dq $digit$
+then the Modular Crypt Format is used, as outlined below.
+.It Traditional
+If neither of the above is true, it assumes the Traditional Format,
+using the entire string as the salt (or the first portion).
+.El
+.Pp
+All routines are designed to be time-consuming.
+A brief test on a
+.Tn Pentium
+166/MMX shows the
+.Tn DES
+crypt to do approximately 2640 crypts
+a CPU second and MD5 to do about 62 crypts a CPU second.
+.Ss DES Extended Format:
+.Pp
+The
+.Ar key
+is divided into groups of 8 characters (the last group is null-padded)
+and the low-order 7 bits of each character (56 bits per group) are
+used to form the
+.Tn DES
+key as follows:
+the first group of 56 bits becomes the initial
+.Tn DES
+key.
+For each additional group, the XOR of the encryption of the current
+.Tn DES
+key with itself and the group bits becomes the next
+.Tn DES
+key.
+.Pp
+The salt is a 9-character array consisting of an underscore followed
+by 4 bytes of iteration count and 4 bytes of salt.
+These are encoded as printable characters, 6 bits per character,
+least significant character first.
+The values 0 to 63 are encoded as ``./0-9A-Za-z''.
+This allows 24 bits for both
+.Fa count
+and
+.Fa salt .
+.Pp
+The
+.Fa salt
+introduces disorder in the
+.Tn DES
+algorithm in one of 16777216 or 4096 possible ways
+(i.e., with 24 or 12 bits: if bit
+.Em i
+of the
+.Ar salt
+is set, then bits
+.Em i
+and
+.Em i+24
+are swapped in the
+.Tn DES
+E-box output).
+.Pp
+The
+.Tn DES
+key is used to encrypt a 64-bit constant using
+.Ar count
+iterations of
+.Tn DES .
+The value returned is a
+.Dv null Ns -terminated
+string, 20 or 13 bytes (plus null) in length, consisting of the
+.Ar salt
+followed by the encoded 64-bit encryption.
+.Ss "Modular" crypt:
+.Pp
+If the salt begins with the string
+.Fa $digit$
+then the Modular Crypt Format is used.
+The
+.Fa digit
+represents which algorithm is used in encryption.
+Following the token is
+the actual salt to use in the encryption.
+The length of the salt is limited
+to 8 characters--because the length of the returned output is also limited
+(_PASSWORD_LEN).
+The salt must be terminated with the end of the string
+(NULL) or a dollar sign.
+Any characters after the dollar sign are ignored.
+.Pp
+Currently supported algorithms are:
+.Pp
+.Bl -enum -compact -offset indent
+.It
+MD5
+.It
+Blowfish
+.It
+NT-Hash
+.El
+.Pp
+Other crypt formats may be easily added.
+An example salt would be:
+.Bl -tag -offset indent
+.It Cm "$4$thesalt$rest"
+.El
+.Pp
+.Ss "Traditional" crypt:
+.Pp
+The algorithm used will depend upon whether
+.Fn crypt_set_format
+has been called and whether a global default format has been specified.
+Unless a global default has been specified or
+.Fn crypt_set_format
+has set the format to something else, the built-in default format is
+used.
+This is currently
+.\"
+.\" NOTICE: Also make sure to update this
+.\"
+DES
+if it is available, or MD5 if not.
+.Pp
+How the salt is used will depend upon the algorithm for the hash.
+For
+best results, specify at least two characters of salt.
+.Pp
+The
+.Fn crypt_get_format
+function returns a constant string that represents the name of the
+algorithm currently used.
+Valid values are
+.\"
+.\" NOTICE: Also make sure to update this, too, as well
+.\"
+.Ql des ,
+.Ql blf ,
+.Ql md5
+and
+.Ql nth .
+.Pp
+The
+.Fn crypt_set_format
+function sets the default encoding format according to the supplied
+.Fa string .
+.Pp
+The global default format can be set using the
+.Pa /etc/auth.conf
+file using the
+.Va crypt_default
+property.
+.Sh RETURN VALUES
+The
+.Fn crypt
+function returns a pointer to the encrypted value on success, and NULL on
+failure.
+Note: this is not a standard behaviour, AT&T
+.Fn crypt
+will always return a pointer to a string.
+.Pp
+The
+.Fn crypt_set_format
+function will return 1 if the supplied encoding format was valid.
+Otherwise, a value of 0 is returned.
+.Sh SEE ALSO
+.Xr login 1 ,
+.Xr passwd 1 ,
+.Xr auth_getval 3 ,
+.Xr cipher 3 ,
+.Xr getpass 3 ,
+.Xr auth.conf 5 ,
+.Xr passwd 5
+.Sh HISTORY
+A rotor-based
+.Fn crypt
+function appeared in
+.At v6 .
+The current style
+.Fn crypt
+first appeared in
+.At v7 .
+.Pp
+The
+.Tn DES
+section of the code (FreeSec 1.0) was developed outside the United
+States of America as an unencumbered replacement for the U.S.-only
+.Nx
+libcrypt encryption library.
+.Sh AUTHORS
+.An -nosplit
+Originally written by
+.An David Burren Aq davidb@werj.com.au ,
+later additions and changes by
+.An Poul-Henning Kamp ,
+.An Mark R V Murray ,
+.An Michael Bretterklieber ,
+.An Kris Kennaway ,
+.An Brian Feldman ,
+.An Paul Herman
+and
+.An Niels Provos .
+.Sh BUGS
+The
+.Fn crypt
+function returns a pointer to static data, and subsequent calls to
+.Fn crypt
+will modify the same data.
+Likewise,
+.Fn crypt_set_format
+modifies static data.
+.Pp
+The NT-hash scheme does not use a salt,
+and is not hard
+for a competent attacker
+to break.
+Its use is not recommended.
diff --git a/lib/libcrypt/crypt.c b/lib/libcrypt/crypt.c
new file mode 100644
index 0000000..a6b91f5
--- /dev/null
+++ b/lib/libcrypt/crypt.c
@@ -0,0 +1,131 @@
+/*
+ * Copyright (c) 1999
+ * Mark Murray. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY MARK MURRAY AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL MARK MURRAY OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <sys/types.h>
+#include <string.h>
+#include <libutil.h>
+#include <unistd.h>
+#include "crypt.h"
+
+static const struct {
+ const char *const name;
+ char *(*const func)(const char *, const char *);
+ const char *const magic;
+} crypt_types[] = {
+#ifdef HAS_DES
+ {
+ "des",
+ crypt_des,
+ NULL
+ },
+#endif
+ {
+ "md5",
+ crypt_md5,
+ "$1$"
+ },
+#ifdef HAS_BLOWFISH
+ {
+ "blf",
+ crypt_blowfish,
+ "$2"
+ },
+#endif
+ {
+ "nth",
+ crypt_nthash,
+ "$3$"
+ },
+ {
+ NULL,
+ NULL,
+ NULL
+ }
+};
+
+static int crypt_type = -1;
+
+static void
+crypt_setdefault(void)
+{
+ char *def;
+ size_t i;
+
+ if (crypt_type != -1)
+ return;
+ def = auth_getval("crypt_default");
+ if (def == NULL) {
+ crypt_type = 0;
+ return;
+ }
+ for (i = 0; i < sizeof(crypt_types) / sizeof(crypt_types[0]) - 1; i++) {
+ if (strcmp(def, crypt_types[i].name) == 0) {
+ crypt_type = (int)i;
+ return;
+ }
+ }
+ crypt_type = 0;
+}
+
+const char *
+crypt_get_format(void)
+{
+
+ crypt_setdefault();
+ return (crypt_types[crypt_type].name);
+}
+
+int
+crypt_set_format(const char *type)
+{
+ size_t i;
+
+ crypt_setdefault();
+ for (i = 0; i < sizeof(crypt_types) / sizeof(crypt_types[0]) - 1; i++) {
+ if (strcmp(type, crypt_types[i].name) == 0) {
+ crypt_type = (int)i;
+ return (1);
+ }
+ }
+ return (0);
+}
+
+char *
+crypt(const char *passwd, const char *salt)
+{
+ size_t i;
+
+ crypt_setdefault();
+ for (i = 0; i < sizeof(crypt_types) / sizeof(crypt_types[0]) - 1; i++) {
+ if (crypt_types[i].magic != NULL && strncmp(salt,
+ crypt_types[i].magic, strlen(crypt_types[i].magic)) == 0)
+ return (crypt_types[i].func(passwd, salt));
+ }
+ return (crypt_types[crypt_type].func(passwd, salt));
+}
diff --git a/lib/libcrypt/crypt.h b/lib/libcrypt/crypt.h
new file mode 100644
index 0000000..c677160
--- /dev/null
+++ b/lib/libcrypt/crypt.h
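Review bot: crypt_setdefault() ends in `crypt_type = 0;` both when `crypt_default` is absent and when its value matches no table entry, and index 0 is `des` whenever HAS_DES is defined. A misspelled value in auth.conf therefore silently selects the traditional DES format for every salt without a recognised prefix; reporting the unrecognised name, or at minimum a comment on the final `crypt_type = 0;` such as `/* unknown crypt_default: fall back to the first compiled-in format */`, would make that fallback explicit. crypt() and crypt_set_format() also pass `salt` and `type` straight to `strncmp`/`strcmp`, so a NULL argument is dereferenced. An early `if (salt == NULL) return (NULL);` in crypt() and `if (type == NULL) return (0);` in crypt_set_format() would match the return conventions described in crypt.3.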
@@ -0,0 +1,40 @@
+/* LINTLIBRARY */
+/*
+ * Copyright (c) 1999
+ * Mark Murray. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY MARK MURRAY AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL MARK MURRAY OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ *
+ */
+
+/* magic sizes */
+#define MD4_SIZE 16
+#define MD5_SIZE 16
+
+char *crypt_des(const char *pw, const char *salt);
+char *crypt_md5(const char *pw, const char *salt);
+char *crypt_nthash(const char *pw, const char *salt);
+char *crypt_blowfish(const char *pw, const char *salt);
+
+extern void _crypt_to64(char *s, u_long v, int n);
diff --git a/lib/libcrypt/misc.c b/lib/libcrypt/misc.c
new file mode 100644
index 0000000..594c580
--- /dev/null
+++ b/lib/libcrypt/misc.c
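Review bot: crypt.h has no include guard and uses `u_long` in the `_crypt_to64` prototype without including `<sys/types.h>`, so it compiles only when every includer has pulled that header in first, as the .c files in this commit do. Adding an include guard and `#include <sys/types.h>` at the top would make the header self-contained. `crypt_des` and `crypt_blowfish` are declared unconditionally although, per the Makefile in this commit, their sources are built only when the secure/lib/libcrypt directory exists. A comment such as `/* crypt_des and crypt_blowfish exist only when HAS_DES / HAS_BLOWFISH are defined */` above the prototypes would document that.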
@@ -0,0 +1,47 @@
+/*
+ * Copyright (c) 1999
+ * University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the author nor the names of any co-contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY CONTRIBUTORS ``AS IS'' AND ANY EXPRESS
+ * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
+ * GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
+ * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+ * IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <sys/types.h>
+
+#include "crypt.h"
+
+static char itoa64[] = /* 0 ... 63 => ascii - 64 */
+ "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
+
+void
+_crypt_to64(char *s, u_long v, int n)
+{
+ while (--n >= 0) {
+ *s++ = itoa64[v&0x3f];
+ v >>= 6;
+ }
+}
 |
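Review bot: `itoa64` is declared `static char itoa64[]`, which leaves the encoding alphabet in writable data; `static const char itoa64[] =` costs nothing and lets it be placed in read-only storage. `_crypt_to64` also has no documented contract: from the loop it writes exactly `n` characters at `s`, lowest 6 bits of `v` first, does not NUL-terminate, and performs no check against the size of the caller's buffer. A short header comment stating those four facts would help, since crypt_md5 in this commit relies on them when appending to its fixed `passwd[120]` buffer.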