History log of /openbsd-current/lib/libc/crypt/cryptutil.c
Revision Date Author Comments
# 1.13 22-Jan-2024 deraadt

make login.conf(5) and crypt_newhash(3) and the underlying code
consistent regarding bcrypt,a instead of blowfish,a. "blowfish"
is a historical alias which we don't need to document as firmly
as "bcrypt".
report about difficult manual page discovery from ataraxia937
ok millert


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE OPENBSD_6_1_BASE OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE OPENBSD_7_0_BASE OPENBSD_7_1_BASE OPENBSD_7_2_BASE OPENBSD_7_3_BASE OPENBSD_7_4_BASE
# 1.12 13-Sep-2015 guenther

Wrap <pwd.h> so that calls go direct and the symbols are all weak.
Hide bcrypt_autorounds(), prefixing with an underbar for static builds.


# 1.11 12-Sep-2015 guenther

Wrap <unistd.h> so that internal calls go direct and they're all weak symbols
Delete unused 'fd' argument from internal function oldttyname()


Revision tags: OPENBSD_5_8_BASE
# 1.10 23-Jul-2015 tedu

permit "bcrypt" as an alias for "blowfish". this is, after all, what
99% of the world calls it.
allow just "bcrypt" without params to mean auto-tune ("bcrypt,a").
default remains 8 rounds (for now)
ok deraadt


Revision tags: OPENBSD_5_7_BASE
# 1.9 24-Feb-2015 tedu

Set errno to EINVAL, instead of letting ERANGE escape out.
Printing strerror() in that case will say result too large, even if rounds is
actually too small. invalid is less specific, but less incorrect.
ok millert


# 1.8 15-Jan-2015 chl

remove unused variable

ok tedu@


# 1.7 30-Dec-2014 tedu

copy bcrypt autotune from encrypt(1) and expose via crypt_newhash
ok deraadt miod


# 1.6 24-Dec-2014 tedu

simplify crypt_checkpass. The API promise is that this function doesn't
use global data. The simplest fix is to only check blowfish passwords,
and implicitly lock out DES passwords.
crypt_checkpass is currently only used in one place, passwd, to verify
the local user's password, so this is probably acceptable.
Gives people a little more time to migrate away from DES before introducing
checkpass into more places.


# 1.5 24-Nov-2014 tedu

check crypt() for null. noticed by Jonas Termansen


# 1.4 21-Nov-2014 schwarze

Let crypt_checkpass() set EACCES after bcrypt_checkpass() failure;
ok tedu@


# 1.3 21-Nov-2014 tedu

change prototype for crypt_newhash. the login_cap_t is a holdover from its
pwd_gensalt origins, but a string argument works equally well and is more
friendly to consumers beyond local user accounts.
ok deraadt


# 1.2 17-Nov-2014 tedu

add new function crypt_newhash to simplify creating new hashes.
does most of the work pwd_gensalt did, but also creates the hash.
(unused yet)


Revision tags: OPENBSD_5_6_BASE
# 1.1 12-May-2014 tedu

remove md5crypt.
while changing things, add a crypt_checkpass wrapper that handles most of
the edge cases. (not quite ready for production, though.)
ok deraadt

