From: Alejandro Colomar <alx@kernel.org>
Date: Wed, 7 Jan 2026 22:44:26 +0000 (+0100)
Subject: lib/chkhash.c: is_valid_hash(): Accept '*' as the hash
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ddc2549f87e3001f663d5179e9b6d7fe2e1f3b3f;p=thirdparty%2Fshadow.git

lib/chkhash.c: is_valid_hash(): Accept '*' as the hash

This is widely accepted as an invalid hash, to remove password access
for an account (that is, no passwords will match the "hash").

Fixes: c44f1e096a19 (2025-07-20; "chpasswd: Check hash before write when using -e")
Closes: <https://github.com/shadow-maint/shadow/issues/1483>
Closes: <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124835>
Reported-by: Chris Hofstaedtler <zeha@debian.org>
Reviewed-by: Chris Hofstaedtler <zeha@debian.org>
Cc: vinz <mmpx09@protonmail.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
---

diff --git a/lib/chkhash.c b/lib/chkhash.c
index cb45f3aa9..71e0fb4ed 100644
--- a/lib/chkhash.c
+++ b/lib/chkhash.c
@@ -7,6 +7,7 @@
 #include <stddef.h>
 #include <string.h>
 
+#include "string/strcmp/streq.h"
 #include "string/strcmp/strprefix.h"
 
 
@@ -41,6 +42,9 @@ is_valid_hash(const char *hash)
 {
 	hash = strprefix(hash, "!") ?: hash;
 
+	if (streq(hash, "*"))
+		return true;
+
 	// Minimum hash length
 	if (strlen(hash) < 13)
 		return false;