Diffstat (limited to 'lib')
-rw-r--r-- lib/libcrypt/crypt.3 66
1 files changed, 37 insertions, 29 deletions
diff --git a/lib/libcrypt/crypt.3 b/lib/libcrypt/crypt.3
index f14a6eb..50829c2 100644
--- a/lib/libcrypt/crypt.3
+++ b/lib/libcrypt/crypt.3
@@ -29,7 +29,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd April 9, 2011
+.Dd March 9, 2014
.Dt CRYPT 3
.Os
.Sh NAME
@@ -63,11 +63,16 @@ Currently these include the
.Tn MD5
hash,
.Tn NT-Hash
-(compatible with Microsoft's NT scheme)
+.Pq compatible with Microsoft's NT scheme
and
.Tn Blowfish .
-The algorithm used will depend upon the format of the Salt (following
-the Modular Crypt Format (MCF)), if
+The algorithm used will depend upon the format of the Salt
+.Po
+following
+the Modular Crypt Format
+.Pq MCF
+.Pc ,
+if
.Tn DES
and/or
.Tn Blowfish
@@ -77,8 +82,10 @@ has been called to change the default.
.Pp
The first argument to
.Nm
-is the data to hash (usually a password), in a
-.Dv null Ns -terminated
+is the data to hash
+.Pq usually a password ,
+in a
+.Dv NUL Ns -terminated
string.
The second is the salt, in one of three forms:
.Pp
@@ -96,22 +103,19 @@ If it begins with the string
then the Modular Crypt Format is used, as outlined below.
.It Traditional
If neither of the above is true, it assumes the Traditional Format,
-using the entire string as the salt (or the first portion).
+using the entire string as the salt
+.Pq or the first portion .
.El
.Pp
All routines are designed to be time-consuming.
-A brief test on a
-.Tn Pentium
-166/MMX shows the
-.Tn DES
-crypt to do approximately 2640 crypts
-a CPU second and MD5 to do about 62 crypts a CPU second.
.Ss DES Extended Format:
The
.Ar key
-is divided into groups of 8 characters (the last group is null-padded)
-and the low-order 7 bits of each character (56 bits per group) are
-used to form the
+is divided into groups of 8 characters
+.Pq the last group is NUL-padded
+and the low-order 7 bits of each character
+.Pq 56 bits per group
+are used to form the
.Tn DES
key as follows:
the first group of 56 bits becomes the initial
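Review bot: Removing the Pentium 166/MMX figures leaves "All routines are designed to be time-consuming." as an unqualified claim right after the salt-forms list, with nothing to show that the cost differs by algorithm (the deleted numbers put DES at about 2640 crypts per CPU second against about 62 for MD5, roughly a 40x gap). Suggest rewording the remaining sentence to say that the work factor depends on the selected algorithm, or pointing to the per-format sections such as the iteration count in the DES Extended Format, rather than keeping a blanket statement with no supporting data.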
@@ -127,7 +131,8 @@ The salt is a 9-character array consisting of an underscore followed
by 4 bytes of iteration count and 4 bytes of salt.
These are encoded as printable characters, 6 bits per character,
least significant character first.
-The values 0 to 63 are encoded as ``./0-9A-Za-z''.
+The values 0 to 63 are encoded as
+.Dq ./0-9A-Za-z .
This allows 24 bits for both
.Fa count
and
@@ -138,7 +143,8 @@ The
introduces disorder in the
.Tn DES
algorithm in one of 16777216 or 4096 possible ways
-(i.e., with 24 or 12 bits: if bit
+.Po
+i.e., with 24 or 12 bits: if bit
.Em i
of the
.Ar salt
@@ -148,7 +154,8 @@ and
.Em i+24
are swapped in the
.Tn DES
-E-box output).
+E-box output
+.Pc .
.Pp
The
.Tn DES
@@ -157,11 +164,13 @@ key is used to encrypt a 64-bit constant using
iterations of
.Tn DES .
The value returned is a
-.Dv null Ns -terminated
-string, 20 or 13 bytes (plus null) in length, consisting of the
+.Dv NUL Ns -terminated
+string, 20 or 13 bytes
+.Pq plus NUL
+in length, consisting of the
.Ar salt
followed by the encoded 64-bit encryption.
-.Ss "Modular" crypt:
+.Ss Modular crypt:
If the salt begins with the string
.Fa $digit$
then the Modular Crypt Format is used.
@@ -170,11 +179,10 @@ The
represents which algorithm is used in encryption.
Following the token is
the actual salt to use in the encryption.
-The length of the salt is limited
-to 8 characters--because the length of the returned output is also limited
-(_PASSWORD_LEN).
-The salt must be terminated with the end of the string
-(NULL) or a dollar sign.
+The maximum length of the salt used depends upon the module.
+The salt must be terminated with the end of the string character
+.Pq NUL
+or a dollar sign.
Any characters after the dollar sign are ignored.
.Pp
Currently supported algorithms are:
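Review bot: The new sentence "The maximum length of the salt used depends upon the module." drops the only concrete limit the page gave (8 characters, tied to _PASSWORD_LEN) without documenting what replaces it. Suggest stating the maximum salt length for each entry in the "Currently supported algorithms" list that follows, and saying whether extra salt characters are truncated or rejected, since a caller cannot otherwise tell how much of the salt is honoured. Separately, "terminated with the end of the string character" reads awkwardly; "terminated by a NUL or a dollar sign" would be clearer.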
@@ -199,7 +207,7 @@ An example salt would be:
.Bl -tag -width 6n -offset indent
.It Cm "$4$thesalt$rest"
.El
-.Ss "Traditional" crypt:
+.Ss Traditional crypt:
The algorithm used will depend upon whether
.Fn crypt_set_format
has been called and whether a global default format has been specified.
@@ -216,7 +224,7 @@ if it is available, or MD5 if not.
.Pp
How the salt is used will depend upon the algorithm for the hash.
For
-best results, specify at least two characters of salt.
+best results, specify at least eight characters of salt.
.Pp
The
.Fn crypt_get_format
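Review bot: The changed recommendation "specify at least eight characters of salt" sits in the Traditional crypt section, where the algorithm depends on crypt_set_format and where the Traditional item earlier in this page says the salt is "the entire string" or only "the first portion". Suggest adding what happens when the selected algorithm consumes fewer than eight characters, or referring back to the per-module maximum introduced in the Modular crypt section, so that a caller does not assume all eight characters contribute to the hash.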