etc/, lib/, man/, src/, tests/: Remove support for MD5

configure.ac

@@ -187,9 +187,6 @@ AC_ARG_WITH([skey],
 AC_ARG_WITH([tcb],
 	[AS_HELP_STRING([--with-tcb], [use tcb support (incomplete) @<:@default=yes if found@:>@])],
 	[with_tcb=$withval], [with_tcb=maybe])
-AC_ARG_WITH([sha-crypt],
-	[AS_HELP_STRING([--with-sha-crypt], [allow the SHA256 and SHA512 password encryption algorithms @<:@default=yes@:>@])],
-	[with_sha_crypt=$withval], [with_sha_crypt=yes])
 AC_ARG_WITH([bcrypt],
 	[AS_HELP_STRING([--with-bcrypt], [allow the bcrypt password encryption algorithm @<:@default=no@:>@])],
 	[with_bcrypt=$withval], [with_bcrypt=no])
@@ -222,11 +219,6 @@ AC_SUBST([GROUP_NAME_MAX_LENGTH])
 GROUP_NAME_MAX_LENGTH="$with_group_name_max_length"
 
 
-AM_CONDITIONAL([USE_SHA_CRYPT], [test "x$with_sha_crypt" = "xyes"])
-if test "X$with_sha_crypt" = "Xyes"; then
-	AC_DEFINE([USE_SHA_CRYPT], [1], [Define to allow the SHA256 and SHA512 password encryption algorithms])
-fi
-
 AM_CONDITIONAL([USE_BCRYPT], [test "x$with_bcrypt" = "xyes"])
 if test "X$with_bcrypt" = "Xyes"; then
 	AC_DEFINE([USE_BCRYPT], [1], [Define to allow the bcrypt password encryption algorithm])
@@ -708,7 +700,6 @@ AC_MSG_NOTICE([shadow ${PACKAGE_VERSION} has been configured with the following
 	tcb support (incomplete):	$with_tcb
 	shadow group support:		$enable_shadowgrp
 	S/Key support:			$with_skey
-	SHA passwords encryption:	$with_sha_crypt
 	bcrypt passwords encryption:	$with_bcrypt
 	yescrypt passwords encryption:	$with_yescrypt
 	nscd support:			$with_nscd

etc/login.defs

@@ -273,13 +273,6 @@ PASS_CHANGE_TRIES	5
 #
 PASS_ALWAYS_WARN	yes
 
-#
-# Number of significant characters in the password for crypt().
-# Default is 8, don't change unless your crypt() is better.
-# Only used for DES encryption algorithm.
-#
-#PASS_MAX_LEN		8
-
 #
 # Require password before chfn(1)/chsh(1) can make any changes.
 #
@@ -300,36 +293,17 @@ CHFN_RESTRICT		rwh
 # to use the default which is just "Password: ".
 #LOGIN_STRING		"%s's Password: "
 
-#
-# Only works if compiled with MD5_CRYPT defined:
-# If set to "yes", new passwords will be encrypted using the MD5-based
-# algorithm compatible with the one used by recent releases of FreeBSD.
-# It supports passwords of unlimited length and longer salt strings.
-# Set to "no" if you need to copy encrypted passwords to other systems
-# which don't understand the new algorithm.  Default is "no".
-#
-# Note: if you use PAM, it is recommended to use a value consistent with
-# the PAM modules configuration.
-#
-# This variable is deprecated. You should use ENCRYPT_METHOD instead.
-#
-#MD5_CRYPT_ENAB	no
-
 #
 # Only works if compiled with ENCRYPTMETHOD_SELECT defined:
-# If set to MD5, MD5-based algorithm will be used for encrypting password
 # If set to SHA256, SHA256-based algorithm will be used for encrypting password
 # If set to SHA512, SHA512-based algorithm will be used for encrypting password
 # If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
 # If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
-# If set to DES, DES-based algorithm will be used for encrypting password (default)
-# MD5 and DES should not be used for new hashes, see crypt(5) for recommendations.
-# Overrides the MD5_CRYPT_ENAB option
 #
 # Note: if you use PAM, it is recommended to use a value consistent with
 # the PAM modules configuration.
 #
-#ENCRYPT_METHOD DES
+#ENCRYPT_METHOD SHA512
 
 #
 # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.

lib/chkhash.c

@@ -38,7 +38,7 @@ bool
 is_valid_hash(const char *hash) 
 {
 	// Minimum hash length
-	if (strlen(hash) < 13)
+	if (strlen(hash) < 48)
 		return false;
 
 	// Yescrypt: $y$ + algorithm parameters + $ + salt + $ + 43-char (minimum) hash
@@ -57,14 +57,6 @@ is_valid_hash(const char *hash)
 	if (match_regex("^\\$5\\$(rounds=[1-9][0-9]{3,8}\\$)?[^$:\\n]{1,16}\\$[./A-Za-z0-9]{43}$", hash))
 		return true;
 
-	// MD5: $1$ + salt + $ + 22-char hash
-	if (match_regex("^\\$1\\$[^$:\\n]{1,8}\\$[./A-Za-z0-9]{22}$", hash))
-		return true;
-
-	// DES: exactly 13 characters from [A-Za-z0-9./]
-	if (match_regex("^[./A-Za-z0-9]{13}$", hash))
-		return true;
-
 	// Not a valid hash
 	return false;
 }

lib/getdef.c

@@ -63,7 +63,6 @@ struct itemdef {
 	{"OBSCURE_CHECKS_ENAB", NULL},		\
 	{"PASS_ALWAYS_WARN", NULL},		\
 	{"PASS_CHANGE_TRIES", NULL},		\
-	{"PASS_MAX_LEN", NULL},			\
 	{"PASS_MIN_LEN", NULL},			\
 	{"PORTTIME_CHECKS_ENAB", NULL},		\
 	{"QUOTAS_ENAB", NULL},			\
@@ -107,15 +106,12 @@ static struct itemdef def_table[] = {
 	{"MAIL_DIR", NULL},
 	{"MAIL_FILE", NULL},
 	{"MAX_MEMBERS_PER_GROUP", NULL},
-	{"MD5_CRYPT_ENAB", NULL},
 	{"NONEXISTENT", NULL},
 	{"PASS_MAX_DAYS", NULL},
 	{"PASS_MIN_DAYS", NULL},
 	{"PASS_WARN_AGE", NULL},
-#ifdef USE_SHA_CRYPT
 	{"SHA_CRYPT_MAX_ROUNDS", NULL},
 	{"SHA_CRYPT_MIN_ROUNDS", NULL},
-#endif
 #ifdef USE_BCRYPT
 	{"BCRYPT_MAX_ROUNDS", NULL},
 	{"BCRYPT_MIN_ROUNDS", NULL},

lib/obscure.c

@@ -12,6 +12,7 @@
 
 
 #include <ctype.h>
+#include <stddef.h>
 #include <stdio.h>
 #include <string.h>
 
@@ -26,10 +27,6 @@
 #include "string/strdup/strdup.h"
 
 
-#if WITH_LIBBSD == 0
-#include "freezero.h"
-#endif /* WITH_LIBBSD */
-
 /*
  * can't be a palindrome - like `R A D A R' or `M A D A M'
  */
@@ -59,7 +56,7 @@ static bool similar (/*@notnull@*/const char *old, /*@notnull@*/const char *new)
 
 	/*
 	 * XXX - sometimes this fails when changing from a simple password
-	 * to a really long one (MD5).  For now, I just return success if
+	 * to a really long one.  For now, I just return success if
 	 * the new password is long enough.  Please feel free to suggest
 	 * something better...  --marekm
 	 */
@@ -115,19 +112,8 @@ static /*@observer@*//*@null@*/const char *obscure_msg (
 	/*@notnull@*/const char *old,
 	/*@notnull@*/const char *new)
 {
-	int maxlen, minlen;
-	size_t oldlen, newlen;
-	char *new1, *old1;
-	const char *msg;
-
-	oldlen = strlen (old);
-	newlen = strlen (new);
-
-	obscure_get_range(&minlen, &maxlen);
-
-	if (newlen < (size_t) minlen) {
+	if (strlen(new) < pass_min_len())
 		return _("too short");
-	}
 
 	/*
 	 * Remaining checks are optional.
@@ -136,39 +122,7 @@ static /*@observer@*//*@null@*/const char *obscure_msg (
 		return NULL;
 	}
 
-	msg = password_check(old, new);
-	if (NULL != msg) {
-		return msg;
-	}
-
-	if (maxlen == -1) {
-		return NULL;
-	}
-
-	/* The traditional crypt() truncates passwords to 8 chars.  It is
-	   possible to circumvent the above checks by choosing an easy
-	   8-char password and adding some random characters to it...
-	   Example: "password$%^&*123".  So check it again, this time
-	   truncated to the maximum length.  Idea from npasswd.  --marekm */
-
-	if (   (oldlen <= (size_t) maxlen)
-	    && (newlen <= (size_t) maxlen)) {
-		return NULL;
-	}
-
-	new1 = xstrdup (new);
-	old1 = xstrdup (old);
-	if (newlen > (size_t) maxlen)
-		stpcpy(&new1[maxlen], "");
-	if (oldlen > (size_t) maxlen)
-		stpcpy(&old1[maxlen], "");
-
-	msg = password_check(old1, new1);
-
-	freezero (new1, newlen);
-	freezero (old1, oldlen);
-
-	return msg;
+	return password_check(old, new);
 }
 
 /*
@@ -191,49 +145,12 @@ obscure(const char *old, const char *new)
 	return true;
 }
 
-/*
- * obscure_get_range - retrieve min and max password lengths
- *
- *  Returns minimum and maximum allowed lengths of a password
- *  to pass obscure checks.
- */
-void
-obscure_get_range(int *minlen, int *maxlen)
+size_t
+pass_min_len(void)
 {
-	int        val;
-	const char *method;
+	int  val;
 
 	/* Minimum length is 0, even if -1 is configured. */
 	val = getdef_num("PASS_MIN_LEN", 0);
-	*minlen = val == -1 ? 0 : val;
-
-	/* Maximum password length check is optional. */
-	*maxlen = -1;
-
-	if (!getdef_bool("OBSCURE_CHECKS_ENAB")) {
-		return;
-	}
-
-	method = getdef_str ("ENCRYPT_METHOD");
-	if (NULL == method) {
-		if (getdef_bool ("MD5_CRYPT_ENAB")) {
-			return;
-		}
-	} else {
-		if (   streq(method, "MD5")
-#ifdef USE_SHA_CRYPT
-		    || streq(method, "SHA256")
-		    || streq(method, "SHA512")
-#endif
-#ifdef USE_BCRYPT
-		    || streq(method, "BCRYPT")
-#endif
-#ifdef USE_YESCRYPT
-		    || streq(method, "YESCRYPT")
-#endif
-		    ) {
-			return;
-		}
-	}
-	*maxlen = getdef_num ("PASS_MAX_LEN", 8);
+	return val == -1 ? 0 : val;
 }

lib/prototypes.h

@@ -302,7 +302,7 @@ extern int do_pam_passwd_non_interactive (const char *pam_service,
 
 /* obscure.c */
 extern bool obscure (const char *, const char *);
-extern void obscure_get_range(int *, int *);
+extern size_t pass_min_len(void);
 
 /* pam_pass.c */
 #ifdef USE_PAM