
macro cleanup; kaspars at bankovskis dot net

OPENBSD_5_7
schwarze 10 years ago
parent
commit
734e6f28a1
2 changed files with 55 additions and 49 deletions
  1. src/lib/libc/crypt/crypt.3 (+41, -44)
  2. src/lib/libc/crypt/crypt_checkpass.3 (+14, -5)

src/lib/libc/crypt/crypt.3 (+41, -44)

@ -1,4 +1,4 @@
.\" $OpenBSD: crypt.3,v 1.42 2014/11/25 03:36:34 tedu Exp $
.\" $OpenBSD: crypt.3,v 1.43 2014/12/02 07:39:58 schwarze Exp $
.\"
.\" FreeSec: libcrypt
.\"
@ -31,7 +31,7 @@
.\"
.\" Manual page, using -mandoc macros
.\"
.Dd $Mdocdate: November 25 2014 $
.Dd $Mdocdate: December 2 2014 $
.Dt CRYPT 3
.Os
.Sh NAME
@ -71,21 +71,27 @@ and
The
.Fn crypt
function performs password hashing based on the
.Tn NBS
Data Encryption Standard (DES).
NBS Data Encryption Standard (DES).
Additional code has been added to deter key search attempts and to use
stronger hashing algorithms.
.Pp
The first argument to
.Fn crypt
is a
.Dv NUL Ns -terminated
string, typically a user's typed password.
The second is in one of three forms:
is a NUL-terminated
string
.Fa key ,
typically a user's typed password.
The second,
.Fa setting ,
is in one of three forms:
if it begins with an underscore
.Pq Ql _
then an extended format is used
in interpreting both the key and the setting, as outlined below.
in interpreting both the
.Fa key
and the
.Fa setting ,
as outlined below.
If it begins
with a string character
.Pq Ql $
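
Review bot: The paragraph rewritten here to name key and setting still introduces the `$` form, in the trailing context, as "a string character", which does not tell the reader which character is meant; since the surrounding sentences are being reworked anyway, "a dollar sign" would be clearer. This hunk also goes beyond macro cleanup by adding the argument names to the running text ("The second, setting, is in one of three forms"), so the commit message could mention the wording change.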
@ -95,7 +101,7 @@ At the moment
chooses Blowfish hashing; see below for more information.
.Ss Extended crypt
The
.Ar key
.Fa key
is divided into groups of 8 characters (the last group is null-padded)
and the low-order 7 bits of each character (56 bits per group) are
used to form the DES key as follows:
@ -103,7 +109,9 @@ the first group of 56 bits becomes the initial DES key.
For each additional group, the XOR of the encryption of the current DES
key with itself and the group bits becomes the next DES key.
.Pp
The setting is a 9-character array consisting of an underscore followed
The
.Fa setting
is a 9-character array consisting of an underscore followed
by 4 bytes of iteration count and 4 bytes of salt.
These are encoded as printable characters, 6 bits per character,
least significant character first.
@ -113,15 +121,12 @@ This allows 24 bits for both
.Fa count
and
.Fa salt .
.Ss "Blowfish" crypt
The
.Tn Blowfish
version of crypt has 128 bits of
.Ss Blowfish crypt
The Blowfish version of crypt has 128 bits of
.Fa salt
in order to make building dictionaries of common passwords space consuming.
The initial state of the
.Tn Blowfish
cipher is expanded using the
Blowfish cipher is expanded using the
.Fa salt
and the
.Fa password
@ -132,9 +137,7 @@ The final Blowfish password entry is created by encrypting the string
.Pp
.Dq OrpheanBeholderScryDoubt
.Pp
with the
.Tn Blowfish
state 64 times.
with the Blowfish state 64 times.
.Pp
The version number, the logarithm of the number of rounds and
the concatenation of salt and hashed password are separated by the
@ -150,13 +153,15 @@ A valid Blowfish password looks like this:
The whole Blowfish password string is passed as
.Fa setting
for interpretation.
.Ss "Traditional" crypt
The first 8 bytes of the key are null-padded, and the low-order 7 bits of
each character is used to form the 56-bit
.Tn DES
key.
.Ss Traditional crypt
The first 8 bytes of the
.Fa key
are null-padded, and the low-order 7 bits of
each character is used to form the 56-bit DES key.
.Pp
The setting is a 2-character array of the ASCII-encoded salt.
The
.Fa setting
is a 2-character array of the ASCII-encoded salt.
Thus only 12 bits of
.Fa salt
are used.
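
Review bot: The re-flowed sentence in the Traditional crypt paragraph keeps the subject-verb mismatch "the low-order 7 bits of each character is used"; since the line is being rewritten, change it to "are used", matching the Extended crypt section ("are used to form the DES key"). "The first 8 bytes of the key are null-padded" also leaves implicit that anything past 8 bytes is ignored, which is worth stating outright in a password hashing manual.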
@ -165,29 +170,24 @@ is set to 25.
.Ss DES Algorithm
The
.Fa salt
introduces disorder in the
.Tn DES
introduces disorder in the DES
algorithm in one of 16777216 or 4096 possible ways
(i.e., with 24 or 12 bits: if bit
.Em i
of the
.Ar salt
.Fa salt
is set, then bits
.Em i
and
.Em i+24
are swapped in the
.Tn DES
E-box output).
are swapped in the DES E-box output).
.Pp
The DES key is used to encrypt a 64-bit constant using
.Ar count
iterations of
.Tn DES .
The value returned is a
.Dv NUL Ns -terminated
.Fa count
iterations of DES.
The value returned is a NUL-terminated
string, 20 or 13 bytes (plus NUL) in length, consisting of the
.Ar setting
.Fa setting
followed by the encoded 64-bit encryption.
.Pp
The functions
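
Review bot: In the DES Algorithm section, salt and count move from `.Ar` to `.Fa`, but for crypt() they are not function arguments: the Extended crypt text describes them as fields encoded inside setting. `.Fa` fits setting here and the count and salt parameters in the des_cipher description further down; for the values packed into setting, consider noting on first use that they are decoded from setting, so readers do not look for them in the prototype.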
@ -197,8 +197,7 @@ The functions
and
.Fn des_cipher
provide access to the
.Tn DES
algorithm itself.
DES algorithm itself.
.Fn setkey
is passed a 64-byte array of binary values (numeric 0 or 1).
A 56-bit key is extracted from this array by dividing the
@ -237,16 +236,14 @@ using
.Xr abs 3
of
.Fa count
iterations of
.Tn DES
iterations of DES
and stores the 64-bit result in the 8 characters at
.Fa out
(which may be the same as
.Fa in ) .
The
.Fa salt
specifies perturbations to the
.Tn DES
specifies perturbations to the DES
E-box output as described above.
.Pp
The


src/lib/libc/crypt/crypt_checkpass.3 (+14, -5)

@ -1,4 +1,4 @@
.\" $OpenBSD: crypt_checkpass.3,v 1.4 2014/11/21 12:52:54 jmc Exp $
.\" $OpenBSD: crypt_checkpass.3,v 1.5 2014/12/02 07:39:58 schwarze Exp $
.\"
.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
.\"
@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: November 21 2014 $
.Dd $Mdocdate: December 2 2014 $
.Dt CRYPT_CHECKPASS 3
.Os
.Sh NAME
@ -31,10 +31,19 @@
The
.Fn crypt_checkpass
function is provided to simplify checking a user's password.
If both the hash and the password are the empty string, authentication
If both the
.Fa hash
and the
.Fa password
are the empty string, authentication
is a success.
Otherwise, the password is hashed and compared to the provided hash.
If the hash is
Otherwise, the
.Fa password
is hashed and compared to the provided
.Fa hash .
If the
.Fa hash
is
.Dv NULL ,
authentication will always fail, but a default
amount of work is performed to simulate the hashing operation.
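
Review bot: In the paragraph that now marks up hash and password, "Otherwise, the password is hashed and compared to the provided hash" comes before the NULL case, so read literally it also covers a NULL hash, which the next sentence says always fails. Put the NULL sentence ahead of "Otherwise", or qualify it as "Otherwise, if hash is not NULL". The case where both strings are empty and authentication succeeds is the one callers most need to notice and would read better as its own sentence.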

