From: Alejandro Colomar Date: Fri, 26 Dec 2025 14:14:17 +0000 (+0100) Subject: *: Make support for SHA256 and SHA512 unconditional X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1a3edefccb66c44485aee5edc911eeb8382cb3a4;p=thirdparty%2Fshadow.git *: Make support for SHA256 and SHA512 unconditional This is necessary for later changing the fallback from the insecure DES to something secure such as SHA512. Link: Reviewed-by: Serge Hallyn Cc: Andre Boscatto Cc: Iker Pedrosa Signed-off-by: Alejandro Colomar --- diff --git a/configure.ac b/configure.ac index 3b2aefd0a..c01264c00 100644 --- a/configure.ac +++ b/configure.ac @@ -169,9 +169,6 @@ AC_ARG_WITH([skey], AC_ARG_WITH([tcb], [AS_HELP_STRING([--with-tcb], [use tcb support (incomplete) @<:@default=yes if found@:>@])], [with_tcb=$withval], [with_tcb=maybe]) -AC_ARG_WITH([sha-crypt], - [AS_HELP_STRING([--with-sha-crypt], [allow the SHA256 and SHA512 password encryption algorithms @<:@default=yes@:>@])], - [with_sha_crypt=$withval], [with_sha_crypt=yes]) AC_ARG_WITH([bcrypt], [AS_HELP_STRING([--with-bcrypt], [allow the bcrypt password encryption algorithm @<:@default=no@:>@])], [with_bcrypt=$withval], [with_bcrypt=no]) @@ -204,11 +201,6 @@ AC_SUBST([GROUP_NAME_MAX_LENGTH]) GROUP_NAME_MAX_LENGTH="$with_group_name_max_length" -AM_CONDITIONAL([USE_SHA_CRYPT], [test "x$with_sha_crypt" = "xyes"]) -if test "X$with_sha_crypt" = "Xyes"; then - AC_DEFINE([USE_SHA_CRYPT], [1], [Define to allow the SHA256 and SHA512 password encryption algorithms]) -fi - AM_CONDITIONAL([USE_BCRYPT], [test "x$with_bcrypt" = "xyes"]) if test "X$with_bcrypt" = "Xyes"; then AC_DEFINE([USE_BCRYPT], [1], [Define to allow the bcrypt password encryption algorithm]) 
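Review bot: Dropping `AC_ARG_WITH([sha-crypt], …)` in the first configure.ac hunk means a build recipe that still passes `--without-sha-crypt` is no longer honoured, and by default autoconf only warns about an unrecognised `--with-*` switch instead of failing. The outcome is the safer one (SHA256/SHA512 always compiled in), but packagers get no diagnostic for the behaviour change. Consider a NEWS or release-note line, or keep a stub that rejects the old switch, e.g. `AC_ARG_WITH([sha-crypt], [], [AC_MSG_ERROR([--with-sha-crypt was removed; SHA256/SHA512 are always built])])`.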
@@ -628,7 +620,6 @@ AC_MSG_NOTICE([shadow ${PACKAGE_VERSION} has been configured with the following tcb support (incomplete): $with_tcb shadow group support: $enable_shadowgrp S/Key support: $with_skey - SHA passwords encryption: $with_sha_crypt bcrypt passwords encryption: $with_bcrypt yescrypt passwords encryption: $with_yescrypt nscd support: $with_nscd diff --git a/lib/getdef.c b/lib/getdef.c index f67e00e48..9a16adcb0 100644 --- a/lib/getdef.c +++ b/lib/getdef.c @@ -112,10 +112,8 @@ static struct itemdef def_table[] = { {"PASS_MAX_DAYS", NULL}, {"PASS_MIN_DAYS", NULL}, {"PASS_WARN_AGE", NULL}, -#ifdef USE_SHA_CRYPT {"SHA_CRYPT_MAX_ROUNDS", NULL}, {"SHA_CRYPT_MIN_ROUNDS", NULL}, -#endif #ifdef USE_BCRYPT {"BCRYPT_MAX_ROUNDS", NULL}, {"BCRYPT_MIN_ROUNDS", NULL}, diff --git a/lib/obscure.c b/lib/obscure.c index c572b96a3..9cf6100ab 100644 --- a/lib/obscure.c +++ b/lib/obscure.c @@ -221,10 +221,8 @@ obscure_get_range(int *minlen, int *maxlen) } } else { if ( streq(method, "MD5") -#ifdef USE_SHA_CRYPT || streq(method, "SHA256") || streq(method, "SHA512") -#endif #ifdef USE_BCRYPT || streq(method, "BCRYPT") #endif diff --git a/lib/salt.c b/lib/salt.c index 1efeb2cec..2e6f83197 100644 --- a/lib/salt.c +++ b/lib/salt.c @@ -51,7 +51,6 @@ #define B_ROUNDS_MAX 31 #endif /* USE_BCRYPT */ -#ifdef USE_SHA_CRYPT /* Fixed salt len for sha{256,512}crypt. */ #define SHA_CRYPT_SALT_SIZE 16 /* Default number of rounds if not explicitly specified. */ @@ -60,7 +59,6 @@ #define SHA_ROUNDS_MIN 1000 /* Maximum number of rounds. */ #define SHA_ROUNDS_MAX 999999999 -#endif #ifdef USE_YESCRYPT /* 
@@ -93,10 +91,8 @@ #if !USE_XCRYPT_GENSALT static /*@observer@*/const char *gensalt (size_t salt_size); #endif /* !USE_XCRYPT_GENSALT */ -#ifdef USE_SHA_CRYPT static /*@observer@*/unsigned long SHA_get_salt_rounds (/*@null@*/const int *prefered_rounds); static /*@observer@*/void SHA_salt_rounds_to_buf (char *buf, unsigned long rounds); -#endif /* USE_SHA_CRYPT */ #ifdef USE_BCRYPT static /*@observer@*/unsigned long BCRYPT_get_salt_rounds (/*@null@*/const int *prefered_rounds); static /*@observer@*/void BCRYPT_salt_rounds_to_buf (char *buf, unsigned long rounds); @@ -107,7 +103,6 @@ static /*@observer@*/void YESCRYPT_salt_cost_to_buf (char *buf, unsigned long co #endif /* USE_YESCRYPT */ -#ifdef USE_SHA_CRYPT /* Return the the rounds number for the SHA crypt methods. */ static /*@observer@*/unsigned long SHA_get_salt_rounds (/*@null@*/const int *prefered_rounds) { @@ -179,7 +174,6 @@ static /*@observer@*/void SHA_salt_rounds_to_buf (char *buf, unsigned long round (void) snprintf (buf + buf_begin, 18, "rounds=%lu$", rounds); } -#endif /* USE_SHA_CRYPT */ #ifdef USE_BCRYPT /* Return the the rounds number for the BCRYPT method. */ @@ -392,7 +386,6 @@ static /*@observer@*/const char *gensalt (size_t salt_size) rounds = YESCRYPT_get_salt_cost (arg); YESCRYPT_salt_cost_to_buf (result, rounds); #endif /* USE_YESCRYPT */ -#ifdef USE_SHA_CRYPT } else if (streq(method, "SHA256")) { MAGNUM(result, '5'); salt_len = SHA_CRYPT_SALT_SIZE; @@ -403,7 +396,6 @@ static /*@observer@*/const char *gensalt (size_t salt_size) salt_len = SHA_CRYPT_SALT_SIZE; rounds = SHA_get_salt_rounds (arg); SHA_salt_rounds_to_buf (result, rounds); -#endif /* USE_SHA_CRYPT */ } else if (!streq(method, "DES")) { fprintf (log_get_logfd(), _("Invalid ENCRYPT_METHOD value: '%s'.\n" diff --git a/man/chgpasswd.8.xml b/man/chgpasswd.8.xml index d74e11d3e..505e058ae 100644 --- a/man/chgpasswd.8.xml +++ b/man/chgpasswd.8.xml 
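Review bot: `SHA_get_salt_rounds` is declared in the prototype hunk as taking `const int *prefered_rounds`, while the callers this commit makes unconditional keep the value in `static long sha_rounds` and hand over its address (`arg = &sha_rounds;` in chgpasswd.c and chpasswd.c, `crypt_arg = &sha_rounds;` via `void *crypt_arg` in newusers.c). If that pointer reaches `SHA_get_salt_rounds (arg)` unchanged, as the visible call suggests, a `long` is read through an `int *`; on an LP64 big-endian target that reads the high half, so the round count used would not be the `-s` value the administrator asked for. Because this path is now built on every configuration, it is worth aligning the types, e.g. `const long *prefered_rounds` in both the prototype and the definition. The function body and the declaration of `arg` in the salt routine lie outside these hunks, so the dereference should be confirmed there.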
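Review bot: In the `SHA_salt_rounds_to_buf` hunk the size given to `snprintf (buf + buf_begin, 18, "rounds=%lu$", rounds)` is a bare literal and the return value is cast to `void`, so a truncated `rounds=` field would pass unnoticed. 18 does match `"rounds="` plus nine digits (`SHA_ROUNDS_MAX` is 999999999), the `$` and the terminator, but nothing in the visible lines ties it to that macro or to the space left in `buf`. I would add a comment such as `/* "rounds=" + 9 digits (SHA_ROUNDS_MAX) + '$' + NUL */` or give the size a name. Whether `rounds` is already clamped before this call is decided outside the hunk.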
@@ -94,9 +94,10 @@ The available methods are BCRYPT, DES, - MD5, + MD5, SHA256, - SHA512, + SHA512, + YESCRYPT and NONE if your libc supports these methods. @@ -138,7 +139,7 @@ - + , @@ -148,9 +149,8 @@ You can only use this option with crypt method: BCRYPT - SHA256 - SHA512 + SHA512 YESCRYPT @@ -163,12 +163,12 @@ A minimal value of 4 and a maximal value of 31 will be enforced for BCRYPT. The default number of rounds is 13. - + By default, the number of rounds for SHA256 or SHA512 is defined by the SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS variables in /etc/login.defs. - + A minimal value of 1000 and a maximal value of 999,999,999 will be enforced for SHA256 and SHA512. The default number of rounds is 5000. diff --git a/man/chpasswd.8.xml b/man/chpasswd.8.xml index b6ae345ef..04c30e13d 100644 --- a/man/chpasswd.8.xml +++ b/man/chpasswd.8.xml @@ -121,9 +121,10 @@ The available methods are BCRYPT, DES, - MD5, + MD5, SHA256, - SHA512, + SHA512, + YESCRYPT and NONE if your libc supports these methods. @@ -195,7 +196,7 @@ - + ,  ROUNDS @@ -207,9 +208,8 @@ You can only use this option with crypt method: BCRYPT - SHA256 - SHA512 + SHA512 YESCRYPT @@ -222,12 +222,12 @@ A minimal value of 4 and a maximal value of 31 will be enforced for BCRYPT. The default number of rounds is 13. - + By default, the number of rounds for SHA256 or SHA512 is defined by the SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS variables in /etc/login.defs. - + A minimal value of 1000 and a maximal value of 999,999,999 will be enforced for SHA256 and SHA512. The default number of rounds is 5000. diff --git a/man/generate_mans.mak b/man/generate_mans.mak index 47f906fea..6927b6d7e 100644 --- a/man/generate_mans.mak +++ b/man/generate_mans.mak @@ -19,12 +19,6 @@ else TCB_COND=no_tcb endif -if USE_SHA_CRYPT -SHA_CRYPT_COND=sha_crypt -else -SHA_CRYPT_COND=no_sha_crypt -endif - if USE_BCRYPT BCRYPT_COND=bcrypt else 
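Review bot: With `SHA_CRYPT_COND` removed here and from the `profile.condition` string in the following generate_mans.mak hunk, any man-page element still tagged `condition="sha_crypt"` would, as far as DocBook profiling goes, match no active condition and be left out of the generated pages. The XML hunks in this commit appear to strip that attribute, but the markup is not legible on this page, so I cannot confirm it is gone everywhere. A tree-wide search for `sha_crypt` and `no_sha_crypt` under man/ (including translated sources, if they carry conditions) before merging would rule out silently losing the SHA256/SHA512 rounds documentation.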
@@ -62,7 +56,7 @@ if ENABLE_REGENERATE_MAN fi man1/% man3/% man5/% man8/%: %.xml-config Makefile config.xml - $(XSLTPROC) --stringparam profile.condition "$(PAM_COND);$(SHADOWGRP_COND);$(TCB_COND);$(SHA_CRYPT_COND);$(BCRYPT_COND);$(YESCRYPT_COND);$(SUBIDS_COND);$(VENDORDIR_COND);$(LASTLOG_COND)" \ + $(XSLTPROC) --stringparam profile.condition "$(PAM_COND);$(SHADOWGRP_COND);$(TCB_COND);$(BCRYPT_COND);$(YESCRYPT_COND);$(SUBIDS_COND);$(VENDORDIR_COND);$(LASTLOG_COND)" \ --param "man.authors.section.enabled" "0" \ --stringparam "man.output.base.dir" "" \ --stringparam vendordir "$(VENDORDIR)" \ diff --git a/man/login.defs.5.xml b/man/login.defs.5.xml index 239154f02..18acbd240 100644 --- a/man/login.defs.5.xml +++ b/man/login.defs.5.xml @@ -256,8 +256,7 @@ BCRYPT_MAX_ROUNDS BCRYPT_MIN_ROUNDS ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB - SHA_CRYPT_MAX_ROUNDS - SHA_CRYPT_MIN_ROUNDS + SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS YESCRYPT_COST_FACTOR @@ -270,8 +269,7 @@ BCRYPT_MIN_ROUNDS ENCRYPT_METHOD MD5_CRYPT_ENAB - SHA_CRYPT_MAX_ROUNDS - SHA_CRYPT_MIN_ROUNDS + SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS YESCRYPT_COST_FACTOR @@ -293,8 +291,7 @@ BCRYPT_MAX_ROUNDS BCRYPT_MIN_ROUNDS ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB - SHA_CRYPT_MAX_ROUNDS - SHA_CRYPT_MIN_ROUNDS + SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS YESCRYPT_COST_FACTOR @@ -398,8 +395,7 @@ MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB HOME_MODE PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE - SHA_CRYPT_MAX_ROUNDS - SHA_CRYPT_MIN_ROUNDS + SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS SUB_GID_COUNT SUB_GID_MAX SUB_GID_MIN SUB_UID_COUNT SUB_UID_MAX SUB_UID_MIN SYS_GID_MAX SYS_GID_MIN SYS_UID_MAX SYS_UID_MIN UID_MAX UID_MIN @@ -417,8 +413,7 @@ BCRYPT_MIN_ROUNDS ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN - SHA_CRYPT_MAX_ROUNDS - SHA_CRYPT_MIN_ROUNDS + SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS YESCRYPT_COST_FACTOR 
diff --git a/man/login.defs.d/ENCRYPT_METHOD.xml b/man/login.defs.d/ENCRYPT_METHOD.xml index 4ae1f087e..68853791f 100644 --- a/man/login.defs.d/ENCRYPT_METHOD.xml +++ b/man/login.defs.d/ENCRYPT_METHOD.xml @@ -13,9 +13,10 @@ It can take one of these values: BCRYPT, DES (default), - MD5, + MD5, SHA256, - SHA512, + SHA512, + YESCRYPT. MD5 and DES should not be used for new hashes, see crypt5 diff --git a/man/login.defs.d/SHA_CRYPT_MIN_ROUNDS.xml b/man/login.defs.d/SHA_CRYPT_MIN_ROUNDS.xml index 64cd8dceb..53d00ac1c 100644 --- a/man/login.defs.d/SHA_CRYPT_MIN_ROUNDS.xml +++ b/man/login.defs.d/SHA_CRYPT_MIN_ROUNDS.xml @@ -2,7 +2,7 @@ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François SPDX-License-Identifier: BSD-3-Clause --> - + (number) (number) diff --git a/man/newusers.8.xml b/man/newusers.8.xml index 7fff1a8c1..fbc6620da 100644 --- a/man/newusers.8.xml +++ b/man/newusers.8.xml @@ -320,7 +320,7 @@ - + , @@ -330,9 +330,8 @@ You can only use this option with crypt method: BCRYPT - SHA256 - SHA512 + SHA512 YESCRYPT @@ -345,12 +344,12 @@ A minimal value of 4 and a maximal value of 31 will be enforced for BCRYPT. The default is 13. - + By default, the number of rounds for SHA256 or SHA512 is defined by the SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS variables in /etc/login.defs. - + A minimal value of 1000 and a maximal value of 999,999,999 will be enforced for SHA256 and SHA512. The default is 5000. diff --git a/src/chgpasswd.c b/src/chgpasswd.c index 334d44872..d9e37002e 100644 --- a/src/chgpasswd.c +++ b/src/chgpasswd.c 
@@ -48,15 +48,11 @@ struct option_flags { static const char Prog[] = "chgpasswd"; static bool eflg = false; static bool md5flg = false; -#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) static bool sflg = false; -#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ static /*@null@*//*@observer@*/const char *crypt_method = NULL; #define cflg (NULL != crypt_method) -#ifdef USE_SHA_CRYPT static long sha_rounds = 5000; -#endif #ifdef USE_BCRYPT static long bcrypt_rounds = 13; #endif @@ -120,9 +116,7 @@ usage (int status) (void) fprintf (usageout, _(" -c, --crypt-method METHOD the crypt method (one of %s)\n"), "NONE DES MD5" -#if defined(USE_SHA_CRYPT) " SHA256 SHA512" -#endif #if defined(USE_BCRYPT) " BCRYPT" #endif @@ -136,11 +130,9 @@ usage (int status) " the MD5 algorithm\n"), usageout); (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); -#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) (void) fputs (_(" -s, --sha-rounds number of rounds for the SHA, BCRYPT\n" " or YESCRYPT crypt algorithms\n"), usageout); -#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ (void) fputs ("\n", usageout); exit (status); 
@@ -154,26 +146,18 @@ usage (int status) static void process_flags (int argc, char **argv, struct option_flags *flags) { int c; -#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) int bad_s; -#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ static struct option long_options[] = { {"crypt-method", required_argument, NULL, 'c'}, {"encrypted", no_argument, NULL, 'e'}, {"help", no_argument, NULL, 'h'}, {"md5", no_argument, NULL, 'm'}, {"root", required_argument, NULL, 'R'}, -#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) {"sha-rounds", required_argument, NULL, 's'}, -#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ {NULL, 0, NULL, '\0'} }; while ((c = getopt_long (argc, argv, -#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) "c:ehmR:s:", -#else - "c:ehmR:", -#endif long_options, NULL)) != -1) { switch (c) { case 'c': @@ -191,7 +175,6 @@ static void process_flags (int argc, char **argv, struct option_flags *flags) case 'R': /* no-op, handled in process_root_flag () */ flags->chroot = true; break; -#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) case 's': sflg = true; bad_s = 0; @@ -202,12 +185,10 @@ static void process_flags (int argc, char **argv, struct option_flags *flags) Prog); usage (E_USAGE); } -#if defined(USE_SHA_CRYPT) if ( ( (streq(crypt_method, "SHA256") || streq(crypt_method, "SHA512")) && (-1 == str2sl(&sha_rounds, optarg)))) { bad_s = 1; } -#endif /* USE_SHA_CRYPT */ #if defined(USE_BCRYPT) if ( ( streq(crypt_method, "BCRYPT") && (-1 == str2sl(&bcrypt_rounds, optarg)))) { @@ -227,8 +208,6 @@ static void process_flags (int argc, char **argv, struct option_flags *flags) usage (E_USAGE); } break; -#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ - default: usage (E_USAGE); /*@notreached@*/break; 
@@ -246,14 +225,12 @@ static void process_flags (int argc, char **argv, struct option_flags *flags) */ static void check_flags (void) { -#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) if (sflg && !cflg) { fprintf (stderr, _("%s: %s flag is only allowed with the %s flag\n"), Prog, "-s", "-c"); usage (E_USAGE); } -#endif if ((eflg && (md5flg || cflg)) || (md5flg && cflg)) { @@ -267,10 +244,8 @@ static void check_flags (void) if ( !streq(crypt_method, "DES") && !streq(crypt_method, "MD5") && !streq(crypt_method, "NONE") -#ifdef USE_SHA_CRYPT && !streq(crypt_method, "SHA256") && !streq(crypt_method, "SHA512") -#endif /* USE_SHA_CRYPT */ #ifdef USE_BCRYPT && !streq(crypt_method, "BCRYPT") #endif /* USE_BCRYPT */ @@ -454,14 +429,11 @@ int main (int argc, char **argv) if (md5flg) { crypt_method = "MD5"; } -#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) if (sflg) { -#if defined(USE_SHA_CRYPT) if ( streq(crypt_method, "SHA256") || streq(crypt_method, "SHA512")) { arg = &sha_rounds; } -#endif /* USE_SHA_CRYPT */ #if defined(USE_BCRYPT) if (streq(crypt_method, "BCRYPT")) { arg = &bcrypt_rounds; @@ -473,7 +445,6 @@ int main (int argc, char **argv) } #endif /* USE_YESCRYPT */ } -#endif salt = crypt_make_salt (crypt_method, arg); cp = pw_encrypt (newpwd, salt); if (NULL == cp) { diff --git a/src/chpasswd.c b/src/chpasswd.c index 0339ecf94..de5c79c70 100644 --- a/src/chpasswd.c +++ b/src/chpasswd.c @@ -52,15 +52,11 @@ struct option_flags { static const char Prog[] = "chpasswd"; static bool eflg = false; static bool md5flg = false; -#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) static bool sflg = false; -#endif static /*@null@*//*@observer@*/const char *crypt_method = NULL; #define cflg (NULL != crypt_method) -#ifdef USE_SHA_CRYPT static long sha_rounds = 5000; -#endif #ifdef USE_BCRYPT static long bcrypt_rounds = 13; #endif 
@@ -122,9 +118,7 @@ usage (int status) (void) fprintf (usageout, _(" -c, --crypt-method METHOD the crypt method (one of %s)\n"), "NONE DES MD5" -#if defined(USE_SHA_CRYPT) " SHA256 SHA512" -#endif #if defined(USE_BCRYPT) " BCRYPT" #endif @@ -139,11 +133,9 @@ usage (int status) usageout); (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); (void) fputs (_(" -P, --prefix PREFIX_DIR directory prefix\n"), usageout); -#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) (void) fputs (_(" -s, --sha-rounds number of rounds for the SHA, BCRYPT\n" " or YESCRYPT crypt algorithms\n"), usageout); -#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ (void) fputs ("\n", usageout); exit (status); @@ -157,9 +149,7 @@ usage (int status) static void process_flags (int argc, char **argv, struct option_flags *flags) { int c; -#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) int bad_s; -#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ static struct option long_options[] = { {"crypt-method", required_argument, NULL, 'c'}, {"encrypted", no_argument, NULL, 'e'}, @@ -167,18 +157,12 @@ static void process_flags (int argc, char **argv, struct option_flags *flags) {"md5", no_argument, NULL, 'm'}, {"root", required_argument, NULL, 'R'}, {"prefix", required_argument, NULL, 'P'}, -#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) {"sha-rounds", required_argument, NULL, 's'}, -#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ {NULL, 0, NULL, '\0'} }; while ((c = getopt_long (argc, argv, -#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) "c:ehmR:P:s:", -#else - "c:ehmR:P:", -#endif long_options, NULL)) != -1) { switch (c) { case 'c': 
@@ -199,16 +183,13 @@ static void process_flags (int argc, char **argv, struct option_flags *flags) case 'P': /* no-op, handled in process_prefix_flag () */ flags->prefix = true; break; -#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) case 's': sflg = true; bad_s = 0; -#if defined(USE_SHA_CRYPT) if ((IS_CRYPT_METHOD("SHA256") || IS_CRYPT_METHOD("SHA512")) && (-1 == str2sl(&sha_rounds, optarg))) { bad_s = 1; } -#endif /* USE_SHA_CRYPT */ #if defined(USE_BCRYPT) if (IS_CRYPT_METHOD("BCRYPT") && (-1 == str2sl(&bcrypt_rounds, optarg))) { @@ -228,8 +209,6 @@ static void process_flags (int argc, char **argv, struct option_flags *flags) usage (E_USAGE); } break; -#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ - default: usage (E_USAGE); /*@notreached@*/break; @@ -247,14 +226,12 @@ static void process_flags (int argc, char **argv, struct option_flags *flags) */ static void check_flags (void) { -#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) if (sflg && !cflg) { fprintf (stderr, _("%s: %s flag is only allowed with the %s flag\n"), Prog, "-s", "-c"); usage (E_USAGE); } -#endif if ((eflg && (md5flg || cflg)) || (md5flg && cflg)) { @@ -268,10 +245,8 @@ static void check_flags (void) if ((!IS_CRYPT_METHOD("DES")) &&(!IS_CRYPT_METHOD("MD5")) &&(!IS_CRYPT_METHOD("NONE")) -#ifdef USE_SHA_CRYPT &&(!IS_CRYPT_METHOD("SHA256")) &&(!IS_CRYPT_METHOD("SHA512")) -#endif /* USE_SHA_CRYPT */ #ifdef USE_BCRYPT &&(!IS_CRYPT_METHOD("BCRYPT")) #endif /* USE_BCRYPT */ @@ -382,13 +357,10 @@ static const char *get_salt(void) if (md5flg) { crypt_method = "MD5"; } -#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) if (sflg) { -#if defined(USE_SHA_CRYPT) if (IS_CRYPT_METHOD("SHA256") || IS_CRYPT_METHOD("SHA512")) { arg = &sha_rounds; } -#endif /* USE_SHA_CRYPT */ #if defined(USE_BCRYPT) if (IS_CRYPT_METHOD("BCRYPT")) { arg = &bcrypt_rounds; 
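Review bot: In chpasswd.c `case 's'` the rounds argument is converted only if `IS_CRYPT_METHOD("SHA256")` or `IS_CRYPT_METHOD("SHA512")` already holds when getopt reaches `-s`, so the result depends on option order. Assuming `IS_CRYPT_METHOD` is simply false while `crypt_method` is still NULL (its definition is outside this hunk), `-s N` placed ahead of `-c SHA512` leaves `sha_rounds` at its initial 5000 with `bad_s` still 0, and `get_salt` later passes `&sha_rounds`, so the requested work factor is dropped without a diagnostic. `check_flags` only rejects `sflg && !cflg`, which does not catch this. Recording `optarg` in `case 's'` and calling `str2sl` from `check_flags ()`, once `crypt_method` is final, would make the option order-independent; process_flags continues outside the hunk.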
@@ -400,7 +372,6 @@ static const char *get_salt(void) } #endif /* USE_YESCRYPT */ } -#endif return crypt_make_salt (crypt_method, arg); } diff --git a/src/newusers.c b/src/newusers.c index 952fa4172..853218fd3 100644 --- a/src/newusers.c +++ b/src/newusers.c @@ -72,12 +72,8 @@ static bool rflg = false; /* create a system account */ #ifndef USE_PAM static /*@null@*//*@observer@*/char *crypt_method = NULL; #define cflg (NULL != crypt_method) -#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) static bool sflg = false; -#endif -#ifdef USE_SHA_CRYPT static long sha_rounds = 5000; -#endif /* USE_SHA_CRYPT */ #ifdef USE_BCRYPT static long bcrypt_rounds = 13; #endif /* USE_BCRYPT */ @@ -134,9 +130,7 @@ static void usage (int status) (void) fprintf (usageout, _(" -c, --crypt-method METHOD the crypt method (one of %s)\n"), "NONE DES MD5" -#if defined(USE_SHA_CRYPT) " SHA256 SHA512" -#endif #if defined(USE_BCRYPT) " BCRYPT" #endif @@ -149,11 +143,9 @@ static void usage (int status) (void) fputs (_(" -r, --system create system accounts\n"), usageout); (void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout); #ifndef USE_PAM -#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) (void) fputs (_(" -s, --sha-rounds number of rounds for the SHA, BCRYPT\n" " or YESCRYPT crypt algorithms\n"), usageout); -#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ #endif /* !USE_PAM */ (void) fputs ("\n", usageout); @@ -431,14 +423,12 @@ static int update_passwd (struct passwd *pwd, const char *password) void *crypt_arg = NULL; char *cp; if (NULL != crypt_method) { -#if defined(USE_SHA_CRYPT) if (sflg) { if ( streq(crypt_method, "SHA256") || streq(crypt_method, "SHA512")) { crypt_arg = &sha_rounds; } } -#endif /* USE_SHA_CRYPT */ #if defined(USE_BCRYPT) if (sflg) { if (streq(crypt_method, "BCRYPT")) { 
@@ -488,7 +478,6 @@ add_passwd(struct passwd *pwd, MAYBE_UNUSED const char *password) #ifndef USE_PAM void *crypt_arg = NULL; if (NULL != crypt_method) { -#if defined(USE_SHA_CRYPT) if (sflg) { if (streq(crypt_method, "SHA256") || streq(crypt_method, "SHA512")) @@ -496,7 +485,6 @@ add_passwd(struct passwd *pwd, MAYBE_UNUSED const char *password) crypt_arg = &sha_rounds; } } -#endif /* USE_SHA_CRYPT */ #if defined(USE_BCRYPT) if (sflg) { if (streq(crypt_method, "BCRYPT")) { @@ -628,9 +616,7 @@ static void process_flags (int argc, char **argv, struct option_flags *flags) { int c; #ifndef USE_PAM -#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) int bad_s; -#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ #endif /* !USE_PAM */ static struct option long_options[] = { {"badname", no_argument, NULL, 'b'}, @@ -641,20 +627,14 @@ static void process_flags (int argc, char **argv, struct option_flags *flags) {"system", no_argument, NULL, 'r'}, {"root", required_argument, NULL, 'R'}, #ifndef USE_PAM -#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) {"sha-rounds", required_argument, NULL, 's'}, -#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ #endif /* !USE_PAM */ {NULL, 0, NULL, '\0'} }; while ((c = getopt_long (argc, argv, #ifndef USE_PAM -#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) "c:bhrs:", -#else /* !USE_SHA_CRYPT && !USE_BCRYPT && !USE_YESCRYPT */ - "c:bhr", -#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ #else /* USE_PAM */ "bhr", #endif @@ -678,7 +658,6 @@ static void process_flags (int argc, char **argv, struct option_flags *flags) flags->chroot = true; break; #ifndef USE_PAM -#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) case 's': sflg = true; bad_s = 0; 
@@ -689,12 +668,10 @@ static void process_flags (int argc, char **argv, struct option_flags *flags) Prog); usage (EXIT_FAILURE); } -#if defined(USE_SHA_CRYPT) if ( ( (streq(crypt_method, "SHA256") || streq(crypt_method, "SHA512")) && (-1 == str2sl(&sha_rounds, optarg)))) { bad_s = 1; } -#endif /* USE_SHA_CRYPT */ #if defined(USE_BCRYPT) if ( ( streq(crypt_method, "BCRYPT") && (-1 == str2sl(&bcrypt_rounds, optarg)))) { @@ -714,7 +691,6 @@ static void process_flags (int argc, char **argv, struct option_flags *flags) usage (EXIT_FAILURE); } break; -#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ #endif /* !USE_PAM */ default: usage (EXIT_FAILURE); @@ -749,23 +725,19 @@ static void process_flags (int argc, char **argv, struct option_flags *flags) static void check_flags (void) { #ifndef USE_PAM -#if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT) if (sflg && !cflg) { fprintf (stderr, _("%s: %s flag is only allowed with the %s flag\n"), Prog, "-s", "-c"); usage (EXIT_FAILURE); } -#endif /* USE_SHA_CRYPT || USE_BCRYPT || USE_YESCRYPT */ if (cflg) { if ( !streq(crypt_method, "DES") && !streq(crypt_method, "MD5") && !streq(crypt_method, "NONE") -#ifdef USE_SHA_CRYPT && !streq(crypt_method, "SHA256") && !streq(crypt_method, "SHA512") -#endif /* USE_SHA_CRYPT */ #ifdef USE_BCRYPT && !streq(crypt_method, "BCRYPT") #endif /* USE_BCRYPT */