docs: Added All NetBSD Manuals

1 files changed, 529 insertions, 0 deletions

diff --git a/static/netbsd/man3/crypt.3 b/static/netbsd/man3/crypt.3
new file mode 100644
index 00000000..7989a632
--- /dev/null
+++ b/static/netbsd/man3/crypt.3
@@ -0,0 +1,529 @@
+.\"	$NetBSD: crypt.3,v 1.37 2025/11/17 21:28:37 uwe Exp $
+.\"
+.\" Copyright (c) 1989, 1991, 1993
+.\"	The Regents of the University of California.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"     @(#)crypt.3	8.2 (Berkeley) 12/11/93
+.\"
+.Dd November 17, 2025
+.Dt CRYPT 3
+.Os
+.
+.Sh NAME
+.Nm crypt ,
+.Nm setkey ,
+.Nm encrypt ,
+.Nm des_setkey ,
+.Nm des_cipher
+.Nd password hashing
+.
+.Sh LIBRARY
+.Lb libcrypt
+.
+.Sh SYNOPSIS
+.
+.In unistd.h
+.
+.Ft "char *"
+.Fn crypt "const char *key" "const char *setting"
+.
+.Ft int
+.Fn encrypt "char *block" "int flag"
+.
+.Ft int
+.Fn des_setkey "const char *key"
+.
+.Ft int
+.Fn des_cipher "const char *in" "char *out" "long salt" "int count"
+.
+.In stdlib.h
+.
+.Ft int
+.Fn setkey "const char *key"
+.
+.Sh DESCRIPTION
+.
+The
+.Fn crypt
+function performs password hashing.
+The password hashing scheme used by
+.Fn crypt
+is dependent upon the contents of the
+.Tn NUL Ns -terminated
+string
+.Fa setting\| :
+.Pp
+If
+.Fa setting
+begins with a string character
+.Pq Ql $
+then a different algorithm is used depending on the
+following characters.
+At the moment a
+.Ql $1
+chooses MD5 hashing,
+.Ql $2
+chooses Blowfish hashing, and
+.Ql $argon2d ,
+.Ql $argon2i ,
+or
+.Ql $argon2id
+choose Argon2 hashing.
+In either case, the additional parameters for the
+hashing algorithm are separated by further
+.Ql $
+characters;
+see below for more information.
+.Pp
+If
+.Fa setting
+begins with the
+.Ql _
+character,
+.Tn DES
+password hashing with a user specified number of
+perturbations is selected.
+If
+.Fa setting
+begins with any other character,
+.Tn DES
+password hashing with a fixed
+number of perturbations is selected.
+.
+.Ss DES password hashing
+.
+The
+.Tn DES
+password hashing scheme is derived from the
+.Tn NBS
+Data Encryption Standard.
+Additional code has been added to deter key search attempts and to use
+stronger hashing algorithms.
+In the
+.Tn DES
+case, the second argument to
+.Fn crypt
+is a character array, 9 bytes in length, consisting of an underscore
+.Pq Ql _
+followed by 4 bytes of iteration count and 4 bytes of salt.
+Both the iteration
+.Fa count
+and the
+.Fa salt
+are encoded with 6 bits per character, least significant bits first.
+The values 0 to 63 are encoded by the characters
+.Ql ./0-9A-Za-z ,
+respectively.
+.Pp
+The
+.Fa salt
+is used to induce disorder in to the
+.Tn DES
+algorithm in one of 16777216 possible ways
+.Po
+specifically, if bit
+.Em i
+of the
+.Fa salt
+is set then bits
+.Em i
+and
+.Em i+24
+are swapped in the
+.Tn DES
+.Dq E
+box output
+.Pc .
+The
+.Fa key
+is divided into groups of 8 characters
+.Po
+a short final group is
+.Tn NUL Ns -padded
+.Pc
+and the low-order 7 bits of each character
+.Pq 56 bits per group
+are used to form the
+.Tn DES
+key as follows: the first group of 56 bits becomes the initial
+.Tn DES
+key.
+For each additional group, the XOR of the group bits and the encryption of the
+.Tn DES
+key with itself becomes the next
+.Tn DES
+key.
+Then the final
+.Tn DES
+key is used to perform
+.Fa count
+cumulative encryptions of a 64-bit constant yielding a
+.Dq ciphertext .
+The value returned is a
+.Tn NUL Ns -terminated
+string, 20 bytes in length, consisting of the
+.Fa setting
+followed by the encoded 64-bit
+.Dq ciphertext .
+.Pp
+For compatibility with historical versions of
+.Fn crypt ,
+the
+.Fa setting
+may consist of 2 bytes of salt, encoded as above, in which case an
+iteration
+.Fa count
+of 25 is used, fewer perturbations of
+.Tn DES
+are available, at most 8 characters of
+.Fa key
+are used, and the returned value is a
+.Tn NUL Ns -terminated
+string 13 bytes in length.
+.Pp
+The functions
+.Fn encrypt ,
+.Fn setkey ,
+.Fn des_setkey
+and
+.Fn des_cipher
+allow limited access to the
+.Tn DES
+algorithm itself.
+The
+.Fa key
+argument to
+.Fn setkey
+is a 64 character array of binary values
+.Pq numeric 0 or\~1 .
+A 56-bit key is derived from this array by dividing the array
+into groups of 8 and ignoring the last bit in each group.
+.Pp
+The
+.Fn encrypt
+argument
+.Fa block
+is also a 64 character array of binary values.
+If the value of
+.Fa flag
+is 0,
+the argument
+.Fa block
+is encrypted, otherwise it is decrypted.
+The encryption or decryption is returned in the original array
+.Fa block
+after using the key specified by
+.Fn setkey
+to process it.
+.Pp
+The
+.Fn des_setkey
+and
+.Fn des_cipher
+functions are faster but less portable than
+.Fn setkey
+and
+.Fn encrypt .
+The argument to
+.Fn des_setkey
+is a character array of length 8.
+The
+.Em least
+significant bit in each character is ignored and the next 7 bits of each
+character are concatenated to yield a 56-bit key.
+The function
+.Fn des_cipher
+encrypts
+.Po
+or decrypts if
+.Fa count
+is negative
+.Pc
+the 64-bits stored in the 8 characters at
+.Fa in
+using
+.Xr abs 3
+of
+.Fa count
+iterations of
+.Tn DES
+and stores the 64-bit result in the 8 characters at
+.Fa out .
+The
+.Fa salt
+specifies perturbations to
+.Tn DES
+as described above.
+.
+.Ss MD5 password hashing
+.
+For the
+.Tn MD5
+password hashing scheme, the version number
+.Pq in this case Ql 1
+and
+.Fa salt
+are separated by the
+.Ql $
+character and passed to
+.Nm
+via the
+.Fa setting
+argument as, e.g.,
+.Ql $1$2qGr5PPQ .
+Only the first 8 characters of the
+.Fa salt
+are used; any other characters are silently ignored.
+.
+.Ss Argon2 password hashing
+.
+Argon2 is a memory-hard password hashing algorithm.
+.Fn crypt
+provides all three variants: Argon2d, Argon2i, and Argon2id.
+It is recommended to use Argon2id, which provides a hybrid combination
+using Argon2i on the first pass, and Argon2d on the remaining passes.
+We parameterize on three variables,
+although four variables separated by
+.Ql $
+are specified:
+.Pp
+The first parameter,
+.Va version ( Li v ) ,
+specifies the version of Argon to be used.
+This version is currently fixed per RFC9106 as decimal\~19.
+Next,
+.Va m_cost ( Li m ) ,
+specifies the memory usage in
+.Tn KB ;
+.Va t_cost ( Li t ) ,
+specifies the number of iterations, and lastly
+.Va parallelism ( Li p )
+specifies the number of threads.
+This is currently ignored and one thread will always be used.
+Following these parameters is the salt.
+.Pp
+A complete Argon2
+.Fa setting
+string might be
+.Pp
+.Dl $argon2id$v=19$m=4096,t=6,p=1$qCatF9a1s/6TgcYB
+.
+.Ss \(lqBlowfish\(rq bcrypt
+.
+The Blowfish version of
+.Fn crypt
+has 128 bits of
+.Fa salt
+in order to make building dictionaries of common passwords space consuming.
+The initial state of the Blowfish cipher is expanded using the
+.Fa salt
+and the
+.Fa password
+repeating the process a variable number of rounds, which is encoded in
+the password hash.
+The maximum password length is 72.
+The final Blowfish password output is created by encrypting the string
+.Pp
+.Dl OrpheanBeholderScryDoubt
+.Pp
+with the Blowfish state 64 times.
+.Pp
+The version number, the logarithm of the number of rounds, and
+the concatenation of salt and hashed password are separated by the
+.Ql $
+character.
+Currently, the only supported version number on
+.Nx
+is
+.Ql 2a .
+An encoded
+.Ql 12
+would specify 4096 rounds.
+Only the first 22 characters of the
+.Fa salt
+are used; any other characters are silently ignored.
+.Pp
+A complete Blowfish
+.Fa setting
+string might be
+.Pp
+.Dl $2a$12$eIAq8PR8sIUnJ1HaohxX2O
+.
+.Sh RETURN VALUES
+.
+The function
+.Fn crypt
+returns a pointer to the encoded hash on success.
+.Pp
+The behavior of
+.Fn crypt
+on errors isn't well standardized.
+Some implementations simply can't fail
+.Po
+unless the process dies, in which case they obviously can't return
+.Pc ,
+others return
+.Dv NULL
+or a fixed string.
+Most implementations don't set
+.Va errno ,
+but some do.
+.St -susv2
+specifies only returning
+.Dv NULL
+and setting
+.Va errno
+as a valid behavior, and defines only one possible error
+.Po
+.Er ENOSYS ,
+.Dq The functionality is not supported on this implementation.
+.Pc
+Unfortunately, most existing applications aren't prepared to handle
+.Dv NULL
+returns from
+.Fn crypt .
+The description below corresponds to this implementation of
+.Fn crypt
+only.
+The behavior may change to match standards, other implementations or existing
+applications.
+.Pp
+.Fn crypt
+may only fail (and return) when passed an invalid or unsupported
+.Fa setting ,
+in which case it returns a pointer to a magic string that is shorter
+than 13 characters and is guaranteed to differ from
+.Fa setting .
+This behavior is safe for older applications which assume that
+.Fn crypt
+can't fail, when both setting new passwords and authenticating against
+existing password hashes.
+.Pp
+The functions
+.Fn setkey ,
+.Fn encrypt ,
+.Fn des_setkey ,
+and
+.Fn des_cipher
+return 0 on success and 1 on failure.
+Historically, the functions
+.Fn setkey
+and
+.Fn encrypt
+did not return any value.
+They have been provided return values primarily to distinguish
+implementations where hardware support is provided but not
+available or where the
+.Tn DES
+encryption is not available due to the usual political silliness.
+.
+.Sh SEE ALSO
+.
+.Xr login 1 ,
+.Xr passwd 1 ,
+.Xr pwhash 1 ,
+.Xr getpass 3 ,
+.Xr md5 3 ,
+.Xr passwd 5 ,
+.Xr passwd.conf 5
+.Rs
+.%T "Argon2: the memory-hard function for password hashing and other applications"
+.%A Alex Biryukov
+.%A Daniel Dinu
+.%A Dmitry Khovratovich
+.%D 2017
+.%I University of Luxembourg
+.%U https://www.password-hashing.net/
+.Re
+.Rs
+.%T "Mathematical Cryptology for Computer Scientists and Mathematicians"
+.%A Wayne Patterson
+.%D 1987
+.%N ISBN 0-8476-7438-X
+.Re
+.Rs
+.%T "Password Security: A Case History"
+.%A R. Morris
+.%A Ken Thompson
+.%J "Communications of the ACM"
+.%V vol. 22
+.%P pp. 594-597
+.%D Nov. 1979
+.Re
+.Rs
+.%T "DES will be Totally Insecure within Ten Years"
+.%A M.E. Hellman
+.%J "IEEE Spectrum"
+.%V vol. 16
+.%P pp. 32-39
+.%D July 1979
+.Re
+.
+.Sh HISTORY
+.
+A rotor-based
+.Fn crypt
+function appeared in
+.At v6 .
+The current style
+.Fn crypt
+first appeared in
+.At v7 .
+.
+.Sh BUGS
+.
+Dropping the
+.Em least
+significant bit in each character of the argument to
+.Fn des_setkey
+is ridiculous.
+.Pp
+The
+.Fn crypt
+function leaves its result in an internal static object and returns
+a pointer to that object.
+Subsequent calls to
+.Fn crypt
+will modify the same object.
+.Pp
+Before
+.Nx 6.0
+.Fn crypt
+returned either
+.Dv NULL
+or
+.Li \*q:\*q
+on error.
+.Pp
+The term
+.Dq encryption
+for password hashing does not match the terminology of modern
+cryptography, but the name of the library is entrenched.
+.Pp
+A library for password hashing has no business directly exposing the
+.Tn DES
+cipher itself, which is obsolete and broken as a cipher.