MLINKS=		crypt.3 crypt_get_format.3 crypt.3 crypt_set_format.3

MLINKS=		crypt.3 crypt_makesalt.3 crypt.3 crypt_get_format.3 crypt.3 crypt_set_format.3

.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND

.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND

.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE

.Dd March 9, 2014

.Dd March 9, 2015

.Dt CRYPT 3

.Dt LIBCRYPT 3

.Nm crypt

.Nm crypt ,

.Nd Trapdoor encryption

.Nm crypt_makesalt ,

.Nm crypt_get_format ,

.Nm crypt_set_format

.Nd "library for password hashing"

.Ft char *

.Ft "char *"

.Ft const char *

.Ft "int"

.Fn crypt_makesalt "char *output" "const char *format" "size_t *out_len"

.Ft "const char *"

.Ft int

.Ft "int"

The

The 

.Fn crypt

.Nm libcrypt 

function performs password hashing with additional code added to

library covers functions related to password hashing.  

deter key search attempts.

.Pp

Different algorithms can be used to

Password hashing is different than a standard one way hash function.  Password hashing tries to make it difficult to recover a low-entropy key 

in the hash.

.Pq e.g. a typed password

.\"

from the resultant output hash.  Offline recovery by exhaustive key search 

.\" NOTICE:

.Pq brute-force and dictionary attacks

.\" If you add more algorithms, make sure to update this list

is stymied by the password hashing being one-way, and often computationally expensive.  Different algorithms can be selected to produce the password hash, with varying ability to effectively deter key search attempts.

.\" and the default used for the Traditional format, below.

.Pp

.\"

The hashing algorithm to be used for an invocation of crypt is chosen by supplying a salt parameter of a particular format.  The algorithms currently supported are: 

Currently these include the

.Sx bcrypt , 

.Tn NBS

.Sx sha512-crypt , 

.Tn Data Encryption Standard (DES) ,

.Sx sha256-crypt , 

.Tn MD5

.Sx md5-crypt , 

hash,

.Sx DES Extended Format , 

.Tn NT-Hash

.Sx Traditional DES Format , 

.Pq compatible with Microsoft's NT scheme

and 

and

.Sx NT-Hash .

.Tn Blowfish .

.Pp

The algorithm used will depend upon the format of the Salt

Current computational capabilities make all but the bcrypt and sha-crypt families known to be susceptible to exhaustive key searches.  The tuneable work factor of the bcrypt and sha-crypt families has allowed them to be set to be more computationally intensive over time.  The use of the other families is not recommended at this time, but are maintained for legacy compatibility.

.Po

.Pp

following

The first argument to 

the Modular Crypt Format

.Fn crypt 

.Pq MCF

is the 

.Pc ,

.Fa key 

if

to hash 

.Tn DES

.Pq usually a password , 

and/or

as a NUL-terminated string.  The second is the 

.Tn Blowfish

.Fa salt .  

is installed or not, and whether

A salt is a random value that assists in complicating offline recovery.  The length and format of the salt, and how it will be used is algorithm dependent.  For best results, specify at least sixteen characters of salt.

.Pp

If the salt begins with the string 

.Qq $digit , 

then the 

.Sx Modular Crypt Format 

is used.  If it begins with an underscore 

.Qq _ , 

then the 

.Sx DES Extended Format 

is used.  If the salt is 2 or 13 characters and includes only 0-9, a-z, A-Z a dot . or a slash /, then 

.Sx Traditional DES Format 

is used.  If none of these conditions are true, crypt will use the default hash function set by crypt_set_format, 

.Pq or Traditional DES Format if no default has been set, for systems with DES support .

.Pp

The 

.Fn crypt_makesalt

function populates an 

.Fa output 

buffer with a newly generated salt for the specified valid 

.Fa format .  

The size of the pre-allocated buffer is passed via 

.Fa out_len .

If the output buffer is too small, the required size is set in 

.Fa out_len .

.Pp

The 

.Fn crypt_get_format

function returns a constant string that represents the name of the algorithm set as the default.  Its use is deprecated.

.Pp

The 

has been called to change the default.

function sets the default encoding 

.Pp

.Fa format 

The first argument to

according to the supplied string.  Its use is deprecated.

.Nm

.Pp

is the data to hash

The salts, formats, and algorithms are outlined below.

.Pq usually a password ,

in a

.Sh Modular Crypt Format

.Dv NUL Ns -terminated

.Pp

string.

Modular Crypt Format is the current standard way to describe which algorithm and parameters to use for a particular crypt invocation.  Salts that are prefixed with $digit are using the modular crypt format.  The prefix selects the algorithm to use.  Valid prefixes are:

The second is the salt, in one of three forms:

.Bl -column -offset indent ".Sy Prefix" ".Sy Algorithm"

.Pp

.It Sy Prefix Ta Sy Algorithm

.Bl -tag -width Traditional -compact -offset indent

.It Li $1$       Ta 

.It Extended

.Sx md5-crypt

If it begins with an underscore

.It Li $2        Ta 

.Pq Dq _

.Sx bcrypt

then the

.It Li $3$       Ta 

.Tn DES

.Sx NT-Hash

Extended Format

.It Li $5$       Ta 

is used in interpreting both the key and the salt, as outlined below.

.Sx sha256-crypt

.It Modular

.It Li $6$       Ta 

If it begins with the string

.Sx sha512-crypt

.Dq $digit$

then the Modular Crypt Format is used, as outlined below.

.It Traditional

If neither of the above is true, it assumes the Traditional Format,

using the entire string as the salt

.Pq or the first portion .

All routines are designed to be time-consuming.

Everything following the prefix in the salt parameter is algorithm dependant, but includes things like work factor, and an actual salt 

.Ss DES Extended Format:

.Pq random value for that particular invocation .

The

.Ar key

.Ss md5-crypt

is divided into groups of 8 characters

.Bl -column ".Sy Output Hash Example:" ".Sy 8 characters from the set [a-zA-Z0-9./]"

.Pq the last group is NUL-padded

.It Li Format Strings:  Ta $1$, md5

and the low-order 7 bits of each character

.It Li Salt Format:     Ta 8 characters from the set [a-zA-Z0-9./]

.Pq 56 bits per group

.It Li Full Salt Example:       Ta $1$deadbeef$

are used to form the

.It Li Output Hash Example:     Ta $1$deadbeef$0Huu6KHrKLVWfqa4WljDE0

.Tn DES

.El

key as follows:

the first group of 56 bits becomes the initial

.Tn DES

key.

For each additional group, the XOR of the encryption of the current

.Tn DES

key with itself and the group bits becomes the next

.Tn DES

key.

.Pp

The salt is a 9-character array consisting of an underscore followed

by 4 bytes of iteration count and 4 bytes of salt.

These are encoded as printable characters, 6 bits per character,

least significant character first.

The values 0 to 63 are encoded as

.Dq ./0-9A-Za-z .

This allows 24 bits for both

.Fa count

and

.Fa salt .

The

md5-crypt was the default crypt format in FreeBSD for many years, developed by Poul-Henning Kamp.  

.Fa salt

introduces disorder in the

.Tn DES

algorithm in one of 16777216 or 4096 possible ways

.Po

i.e., with 24 or 12 bits: if bit

.Em i

of the

.Ar salt

is set, then bits

.Em i

and

.Em i+24

are swapped in the

.Tn DES

E-box output

.Pc .

The

It has seen widespread use in many commercial products, and for a long time was good enough.  It has a fixed work factor, which means that as computers became faster, the ability to attack it has increased proportionally.

.Tn DES

.Pp

key is used to encrypt a 64-bit constant using

Its use is no longer recommended.

.Ar count

iterations of

.Ss bcrypt

.Tn DES .

.Bl -column ".Sy Output Hash Example:" ".Sy $2a$05$CCCCCCCCCCCCCCCCCCCCC.VGOzA784oUp/Z0DY336zx7pLYAy0lwK"

The value returned is a

.It Li Format Strings:  Ta $2$[rounds]$, $2a$[rounds]$, $2b$[rounds]$, blf

.Dv NUL Ns -terminated

.It Li Salt Format:     Ta 16 bytes then base-64 encoded from the set [a-zA-Z0-9./]

string, 20 or 13 bytes

.It Li Full Salt Example:       Ta $2a$05$CCCCCCCCCCCCCCCCCCCCC.

.Pq plus NUL

.It Li Output Hash Example:     Ta $2a$05$CCCCCCCCCCCCCCCCCCCCC.VGOzA784oUp/Z0DY336zx7pLYAy0lwK

in length, consisting of the

.Ar salt

followed by the encoded 64-bit encryption.

.Ss Modular crypt:

If the salt begins with the string

.Fa $digit$

then the Modular Crypt Format is used.

The

.Fa digit

represents which algorithm is used in encryption.

Following the token is

the actual salt to use in the encryption.

The maximum length of the salt used depends upon the module.

The salt must be terminated with the end of the string character

.Pq NUL

or a dollar sign.

Any characters after the dollar sign are ignored.

.Pp

Currently supported algorithms are:

.Pp

.Bl -enum -compact -offset indent

.It

MD5

.It

Blowfish

.It

NT-Hash

.It

(unused)

.It

SHA-256

.It

SHA-512

Other crypt formats may be easily added.

bcrypt is the first algorithm to support a tuneable work factor.  It was initially introduced in OpenBSD, by Niels Provos, based on the Usenix paper "A Future-Adaptable Password Scheme" by Niels Provos and David Mazières. 

An example salt would be:

.Pp

.Bl -tag -width 6n -offset indent

There are three variations supported, each with minor bug fixes.  2b is the recommended variation.  

.It Cm "$4$thesalt$rest"

.Pp

The work factor is specified by the rounds parameter in the format string.  These rounds are logarithmic.  That is, 

.Qq $2b$08$ 

will take approximately twice as long as 

.Qq $2b$07$ 

for the same salt and key.  04 is the lowest supported work factor, and 31 is the highest.

.Pp

When the format string 

.Qq blf 

is specified, it is equivalent to specifying 

.Qq $2b$04$ .

.Ss NT-Hash

.Bl -column ".Sy Output Hash Example:" ".Sy $3$sdlksjfdlksjdlfk"

.It Li Format Strings:  Ta $3$, nth

.It Li Salt Format:  Ta no salt

.It Li Full Salt Example:  Ta $3$

.It Li Output Hash Example:  Ta $3$$cc0fb8a290eebbfe74e7207f2ace5927

How the salt is used will depend upon the algorithm for the hash.

nt-hash is supported for compatibility reasons only.  It is strongly discouraged for any production uses.

For

best results, specify at least eight characters of salt.

.Ss sha256-crypt

.Bl -column ".Sy Output Hash Example:" ".Sy $5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5, $5$rounds=10000$saltstringsaltst$3xv.VbSHBb41AL9AvLeujZkZRBAwqFMz2.opqey6IcA "

.It Li Format Strings:  Ta $5$, $5$rounds=[rounds]$, sha256

.It Li Salt Format:     Ta 16 characters from the set [a-zA-Z0-9./]

.It Li Full Salt Examples:      Ta $5$saltstring$, $5$rounds=10000$saltstringsaltst$

.It Li Output Hash Examples:     Ta $5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5, $5$rounds=10000$saltstringsaltst$3xv.VbSHBb41AL9AvLeujZkZRBAwqFMz2.opqey6IcA 

.El

The

sha256 supports a tunable work factor.  It was developed by Ulrich Drepper of Red Hat, and is detailed in 

.Fn crypt_get_format

.Qq Unix crypt using SHA-256 and SHA-512 .

function returns a constant string that represents the name of the

algorithm currently used.

Valid values are

.\"

.\" NOTICE: Also make sure to update this, too, as well

.\"

.Ql des ,

.Ql blf ,

.Ql md5 ,

.Ql sha256 ,

.Ql sha512

and

.Ql nth .

The

From that document:

.Pp

.Qo

Security departments in companies are trying to phase out all uses of MD5.  They demand a method which is officially sanctioned.  For US-based users this means tested by the NIST.

.Pp

This rules out the use of another already implemented method with limited spread: the use of the Blowfish encryption method.  The choice comes down to tested encryption 

.Pq 3DES, AES

or hash sums 

.Pq the SHA family .

.Qc

.Pp

The prepositions in the above statement are misleading.  Blowfish as a primitive, like 3DES or AES, has stood up to years of scrutinty by the cryptographic communinty.  bcrypt, the password hashing function, is ubiquitous.  It also currently provides greater resilience against pipe-lined or GPU-based attacks for the approximate same CPU workload as the sha-crypt family, based on its limited memory requirements.  This is not expected to remain true with future improvements to GPUs.  An additional subtle difference between bcrypt and the sha families is that bcrypt's salt is 2^128 bits, while the sha family is 2^96 bits.

.Pp

If you require a algorithm that includes NIST sanctioned primitives, choose one of the sha-crypt methods.

.Pp

The work factor is specified by the rounds parameter in the format string.  These rounds are linear.  That is, 

.Qq $5$rounds=20000$ 

will take approximately twice as long as 

.Qq $5$rounds=10000$ 

for the same salt and key. 1000 is the minimum number of rounds, 999999999 is the maximum.

.Pp

When the format string 

.Qq sha256 ,

or 

.Qq $5$ 

is specified, it is equivalent to specifying 

.Qq $5$rounds=5000$ .

.Ss sha512-crypt

.Bl -column ".Sy Output Hash Example:" ".Sy $6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJuesI68u4OTLiBFdcbYEdFCoEOfaS35inz1, $6$rounds=10000$saltstringsaltst$OW1/O6BYHV6BcXZu8QVeXbDWra3Oeqh0sbHbbMCVNSnCM/UrjmM0Dp8vOuZeHBy/YTBmSK6H9qs/y3RnOaw5v."

.It Li Format Strings:  Ta $6$, $6$rounds=[rounds]$, sha512

.It Li Salt Format:     Ta 16 characters from the set [a-zA-Z0-9./]

.It Li Full Salt Examples:      Ta $6$saltstring$, $6$rounds=10000$saltstringsaltst$

.It Li Output Hash Examples:     Ta $6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJuesI68u4OTLiBFdcbYEdFCoEOfaS35inz1, $6$rounds=10000$saltstringsaltst$OW1/O6BYHV6BcXZu8QVeXbDWra3Oeqh0sbHbbMCVNSnCM/UrjmM0Dp8vOuZeHBy/YTBmSK6H9qs/y3RnOaw5v. 

.El

sha512 is nearly equivalent to sha256, except that it uses SHA512 as a primitive.  See Unix crypt using SHA-256 and SHA-512 for more details.

The details provided in sha256 apply here as well.

When the format string 

.Qq sha512 , 

or 

.Qq $6$ 

is specified, it is equivalent to specifying 

.Qq $6$rounds=5000$ .

.Sh DES Extended Format:

.Pp

The key is divided into groups of 8 characters 

.Pq the last group is NUL-padded 

and the low-order 7 bits of each character 

.Pq 56 bits per group

are used to form the DES key as follows: the first group of 56 bits becomes the initial DES key.  For each additional group, the XOR of the encryption of the current DES key with itself and the group bits becomes the next DES key.

.Pp

The salt is a 9-character array consisting of an underscore followed by 4 bytes of iteration count and 4 bytes of salt.  These are encoded as printable characters, 6 bits per character, least significant character first.  The values 0 to 63 are encoded as 

.Qq ./0-9A-Za-z .  

This allows 24 bits for both count and salt.

.Pp

The salt introduces disorder in the DES algorithm in one of 16777216 or 4096 possible ways 

.Pq i.e., with 24 or 12 bits: if bit i of the salt is set, then bits i and i+24 are swapped in the DES E-box output .

.Pp

The DES key is used to encrypt a 64-bit constant using count iterations of DES.  The value returned is a NUL-terminated string, 20 or 13 bytes 

.Pq plus NUL

in length, consisting of the salt followed by the encoded 64-bit encryption.

.Sh Traditional DES Format:

.Pp

The algorithm used will depend upon whether 

function sets the default encoding format according to the supplied

has been called to set the global default.  The built-in default format is used, if no default is set.  This is currently 

.Fa string .

.Qq des

if it is available, or 

.Qq sha512

if not.

The

.Pp

The 

function returns a pointer to the encrypted value on success, and NULL on

function returns a pointer to the encrypted value on success,

failure.

and NULL on failure.  Note: this is not a standard behaviour, AT&T

Note: this is not a standard behaviour, AT&T

function will return 1 if the supplied encoding format was valid.

function will return 1 if the supplied encoding format was valid.  Otherwise, a value of 0 is returned.

Otherwise, a value of 0 is returned.

.Sh EXAMPLES

.Bd -literal

#include <stdio.h>

#include <string.h>

#include <pthread.h>

#include <pwd.h>

#include <unistd.h>

#include <sys/param.h>

int

main()

{

	char *global_static_buffer;

	char final[_PASSWORD_LEN + 1];

	char test[_PASSWORD_LEN + 1];

	char salt[CRYPT_SALT_MAX_LEN + 1];

	size_t salt_sz = sizeof(salt);

	int exit_code = 0;

	/* threaded implementations should use a mutex around crypt */

	pthread_mutex_t mtx;

	if (pthread_mutex_init(&mtx, NULL) ) {

		exit_code = 1;

		goto exit1;

	}

	if (crypt_makesalt(salt, "$2b$08$", &salt_sz) ) {

		if ( salt_sz != sizeof(salt) ) {

			printf("Destination buffer too small for algorithm salt\\n");

			exit_code = 2;

			goto exit;

		}

		printf("Invalid format specified\\n");

		exit_code = 3;

		goto exit;

	}

	printf("crypt_makesalt result: %s\\n", salt);

	/*

	 * Generate a crypt for storage

	 */

	/* crypt buffer is global static */

	pthread_mutex_lock(&mtx);

	global_static_buffer = crypt("you'll never guess me!", salt);

	strncpy(final, global_static_buffer, sizeof(final) );

	pthread_mutex_unlock(&mtx);

	if (global_static_buffer == NULL) { 

		printf("crypt failed\\n");

		exit_code = 4;

		goto exit;

	}

	printf("crypt result: %s\\n", final);

	/*

	 * Compare a string against a stored crypt

	 */

	pthread_mutex_lock(&mtx);

	global_static_buffer = crypt("is this it?", final);

	strncpy(test, global_static_buffer, sizeof(test) );

	pthread_mutex_unlock(&mtx);

	if (global_static_buffer == NULL) { 

		printf("second crypt failed\\n");

		exit_code = 5;

		goto exit;

	}

	printf("test result: %s\\n", test);

	/* a timing-safe string compare would be better */

	if ( strncmp(test, final, MAX(sizeof(test), sizeof(final) ) ) == 0 ) {

		printf("The two buffers match.\\n");

	} else {

		printf("The two buffers do not match.\\n");

	}

exit:

	pthread_mutex_destroy(&mtx);

exit1:

	return exit_code;

}

.Ed

.Xr login 1 ,

.Xr login 1 , 

.Xr passwd 1 ,

.Xr passwd 1 , 

.Xr getpass 3 ,

.Xr getpass 3 , 

.Xr passwd 5

.Xr login_getcapstr 3 , 

.Xr passwd 5 ,

A rotor-based

.Pp

A rotor-based 

function appeared in

function appeared in Version 6 AT&T UNIX.  The

.At v6 .

current style 

The current style

first appeared in

first appeared in Version 7 AT&T UNIX.

.At v7 .

The

The DES section of the code 

.Tn DES

.Pq FreeSec 1.0

section of the code (FreeSec 1.0) was developed outside the United

was developed outside the

States of America as an unencumbered replacement for the U.S.-only

United States of America as an unencumbered replacement for the U.S.-only

.Nx

NetBSD libcrypt encryption library.

libcrypt encryption library.

.An -nosplit

Originally written by David Burren 

Originally written by

.Mt davidb@werj.com.au , 

.An David Burren Aq Mt davidb@werj.com.au ,

later additions and changes by Poul-Henning Kamp, Mark R V Murray, Michael

later additions and changes by

Bretterklieber, Kris Kennaway, Brian Feldman, Paul Herman, Niels Provos, and 

.An Poul-Henning Kamp ,

Derek Marcotte.

.An Mark R V Murray ,

.An Michael Bretterklieber ,

.An Kris Kennaway ,

.An Brian Feldman ,

.An Paul Herman

and

.An Niels Provos .

The

The 

function returns a pointer to static data, and subsequent calls to

function returns a pointer to static data, and subsequent

calls to 

will modify the same data.

will modify the same data.  Likewise, 

Likewise,

The NT-hash scheme does not use a salt,

.Sx bcrypt 

and is not hard

is preferred over 

for a competent attacker

.Sx sha512-crypt ,

to break.

or 

Its use is not recommended.

.Sx sha256-crypt , 

because of 

its resiliance to pipelined, and GPU based attacks - unless having a

NIST-approved algorithm is a requirement.

 * The default algorithm is the last entry in the list (second-to-last

 * Ordered from most probable to least probable[1], for the find algorithm to 

 * array element since the last is a sentinel).  The reason for placing

 * preform a little better in some cases.  Generally, order is not important.

 * the default last rather than first is that DES needs to be at the

 *

 * bottom for the algorithm guessing logic in crypt(3) to work correctly,

 * 1. as guessed by a random person

 * and it needs to be the default for backward compatibility.

 *

	{ "md5",	crypt_md5,		"$1$"	},

	{ "md5",	crypt_md5,	"$1$",	"$1$",		"^\\$1\\$$",				8,	true	},

	{ "sha512",	crypt_sha512,	"$6$",	"$6$",		"^\\$6\\$(rounds=[0-9]{0,9}\\$)?$",	16,	true	},

	{ "blf",	crypt_blowfish,		"$2"	},

	{ "blf",	crypt_blowfish,	"$2",	"$2b$04$",	"^\\$2[ab]?\\$[0-9]{2}\\$$",		22 /* 16 * 1.333 */,	false	},

	{ "des",	crypt_des,		"_"	},

	{ "des",	crypt_des,	NULL,	"",		NULL,					2,	false	},

	{ "des-ext",	crypt_des,	"_",	"_..T.",	"^_[A-Za-z0-9./]{4}$",			4,	false	},

	{ "nth",	crypt_nthash,	"$3$",	"$3$",		"^\\$3\\$$",				0,	false	},

	{ "sha256",	crypt_sha256,	"$5$",	"$5$",		"^\\$5\\$(rounds=[0-9]{0,9}\\$)?$",	16,	true	},

	{ NULL,		NULL,			NULL	}

	{ NULL,		NULL,		NULL,	NULL,		NULL,	0,	NULL	}

static const struct crypt_format *crypt_format =

#ifdef HAS_DES

    &crypt_formats[(sizeof crypt_formats / sizeof *crypt_formats) - 2];

/* must be des if system has des */

static char default_format[CRYPT_FORMAT_MAX_LEN + 1] = "des";

#else 

static char default_format[CRYPT_FORMAT_MAX_LEN + 1] = "sha512";

#endif

/* local-scope only */

static const struct crypt_format *crypt_find_format(const char *);

static bool crypt_validate_format_regex(const char *, const char *);

static bool crypt_format_is_modular(const char*);

	return default_format;

	return (crypt_format->name);

	const struct crypt_format *cf;

	if (crypt_find_format(format) == NULL) {

		return (0);

	}

	strncpy(default_format, format, sizeof(default_format) );

	return (1);

}

/*

 * is the crypt format a recognized as valid

 */

static bool

crypt_format_validate_regex(const char* regex, const char *format) 

{

	regex_t regex_c;

	int res = 0;

	/* We could cache these, but they are simple, and this function won't be

	 * called often.

	 */

	if (regcomp(&regex_c, regex, REG_EXTENDED) != 0) {

		return false;

	}

	res = regexec(&regex_c, format, 0, NULL, 0);

	regfree(&regex_c);

	return !res;

}

/*

 * is the crypt format a fancy-dancy modular format

 */

static bool

crypt_format_is_modular(const char* format) 

{

	/* we'll treat 'new des' as modular, because they can set 24 bits of count via salt */

	return (format[0] == '$' || format[0] == '_');

}

	for (cf = crypt_formats; cf->name != NULL; ++cf) {

/*

		if (strcasecmp(cf->name, format) == 0) {

 * lookup our format in our internal table for a matching crypt_format structure

			crypt_format = cf;

 */

			return (1);

static const struct crypt_format *

crypt_find_format(const char *format)

{

	const struct crypt_format *cf;

	if (strcmp(format, "default") == 0 ) {

		format = default_format;

	}

	if (crypt_format_is_modular(format) ) {

		/* modular crypt magic lookup, force full syntax */

		for (cf = crypt_formats; cf->name != NULL; ++cf) {

			if (cf->magic != NULL && strstr(format, cf->magic) == format && crypt_format_validate_regex(cf->format_regex, format) ) {

				return cf;

			}

		}

	} else {

		/* name lookup */

		for (cf = crypt_formats; cf->name != NULL; ++cf) {

			if (strcasecmp(cf->name, format) == 0) {

				return cf;

			}

	return (0);

	return NULL;

	/* use the magic in the salt for lookup */

	return (crypt_format->func(passwd, salt));

	cf = crypt_find_format(default_format);

	return (cf->func(passwd, salt));

ATF_TC(invalid);

ATF_TC(md5invalid);

ATF_TC_HEAD(invalid, tc)

ATF_TC_HEAD(md5invalid, tc)

	atf_tc_set_md_var(tc, "descr", "Tests that md5invalid password fails");

	atf_tc_set_md_var(tc, "descr", "Tests that invalid password fails");

ATF_TC_BODY(invalid, tc)

ATF_TC_BODY(md5invalid, tc)

	ATF_TP_ADD_TC(tp, invalid);

	ATF_TP_ADD_TC(tp, md5invalid);

	ATF_TP_ADD_TC(tp, sha256_vector_1);

	ATF_TP_ADD_TC(tp, sha256_invalid);

	ATF_TP_ADD_TC(tp, sha256_vector_2);

	ATF_TP_ADD_TC(tp, sha256_vector_3);

	ATF_TP_ADD_TC(tp, sha256_vector_4);

/*

	ATF_TP_ADD_TC(tp, sha256_vector_5);

	ATF_TP_ADD_TC(tp, sha256_vector_6);

*/

	ATF_TP_ADD_TC(tp, sha256_vector_7);

	ATF_TP_ADD_TC(tp, sha512_vector_1);

	ATF_TP_ADD_TC(tp, sha512_invalid);

	ATF_TP_ADD_TC(tp, sha512_vector_2);

	ATF_TP_ADD_TC(tp, sha512_vector_3);

	ATF_TP_ADD_TC(tp, sha512_vector_4);

/*

	ATF_TP_ADD_TC(tp, sha512_vector_5);

	ATF_TP_ADD_TC(tp, sha512_vector_6);

*/

	ATF_TP_ADD_TC(tp, sha512_vector_7);

#ifdef HAS_BLOWFISH	

	ATF_TP_ADD_TC(tp, blf_vector_1);

	ATF_TP_ADD_TC(tp, blf_invalid);

	ATF_TP_ADD_TC(tp, blf_vector_2);

	ATF_TP_ADD_TC(tp, blf_vector_3);

	ATF_TP_ADD_TC(tp, blf_vector_4);

	ATF_TP_ADD_TC(tp, blf_vector_5);

#endif	

	char salt[SALTSIZE + 1];

	char salt[CRYPT_SALT_MAX_LEN + 1];

	size_t salt_sz;

Valid values include "des", "md5", "blf", "sha256" and "sha512"; see

Valid values include Modular Crypt Format strings, 

.Qq des , 

.Qq md5 , 

.Qq blf , 

.Qq sha256

and 

.Qq sha512 ; 

see 

char *pw_pwcrypt(char *password);

char *pw_pwcrypt(const char *password, const char *format);

		grp->gr_passwd = pw_pwcrypt(line);

		grp->gr_passwd = pw_pwcrypt(line, "default");

    bool dryrun);

    char const * format, bool dryrun);

		if (lc == NULL ||

		copy_passwd_format(passwd_format, lc, sizeof(passwd_format) );

				login_setcryptfmt(lc, "sha512", NULL) == NULL)

			warn("setting crypt(3) format");

		pwd->pw_passwd = pw_pwcrypt(line);

		pwd->pw_passwd = pw_pwcrypt(line, passwd_format);

#define	SALTSIZE	32

char           *

pw_pwcrypt(const char *password, const char *format)

static char const chars[] = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ./";

char *

pw_pwcrypt(char *password)

	int             i;

	char            salt[CRYPT_SALT_MAX_LEN + 1];

	char            salt[SALTSIZE + 1];

	size_t		salt_sz = sizeof(salt);

	static char     buf[256];

	static char     buf[_PASSWORD_LEN + 1];

	/*

	if (crypt_makesalt(salt, format, &salt_sz) ) {

	 * Calculate a salt value

		if (salt_sz == sizeof(salt) ) {

	 */

			errx(EX_CONFIG, "Unable to create salt for crypt(3) format: %s", format);

	for (i = 0; i < SALTSIZE; i++)

		} else {

		salt[i] = chars[arc4random_uniform(sizeof(chars) - 1)];

			/* really shouldn't get here */

	salt[SALTSIZE] = '\0';

			errx(EX_CONFIG, "Not enough space to write salt to buffer.  CRYPT_SALT_MAX_LEN is wrong.");

		}

	}

pw_password(struct userconf * cnf, char const * user, bool dryrun)

pw_password(struct userconf * cnf,  char const * user, const char * format, bool dryrun)

	return pw_pwcrypt(pwbuf);

	return pw_pwcrypt(pwbuf, format);

	if (lc == NULL || login_setcryptfmt(lc, "sha512", NULL) == NULL)

	copy_passwd_format(passwd_format, lc, sizeof(passwd_format));

		warn("setting crypt(3) format");

	pwd->pw_passwd = pw_password(cmdcnf, pwd->pw_name, dryrun);

	pwd->pw_passwd = pw_password(cmdcnf, pwd->pw_name, passwd_format, dryrun);