*/: Remove support for MD5

Signed-off-by: Alejandro Colomar <alx@kernel.org>

Author: alejandro-colomar

etc/login.defs

@@ -295,12 +295,10 @@ CHFN_RESTRICT		rwh
 
 #
 # Only works if compiled with ENCRYPTMETHOD_SELECT defined:
-# If set to MD5, MD5-based algorithm will be used for encrypting password
 # If set to SHA256, SHA256-based algorithm will be used for encrypting password
 # If set to SHA512, SHA512-based algorithm will be used for encrypting password
 # If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
 # If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
-# MD5 should not be used for new hashes, see crypt(5) for recommendations.
 #
 # Note: if you use PAM, it is recommended to use a value consistent with
 # the PAM modules configuration.

lib/chkhash.c

@@ -57,10 +57,6 @@ is_valid_hash(const char *hash)
 	if (match_regex("^\\$5\\$(rounds=[1-9][0-9]{3,8}\\$)?[^$:\\n]{1,16}\\$[./A-Za-z0-9]{43}$", hash))
 		return true;
 
-	// MD5: $1$ + salt + $ + 22-char hash
-	if (match_regex("^\\$1\\$[^$:\\n]{1,8}\\$[./A-Za-z0-9]{22}$", hash))
-		return true;
-
 	// Not a valid hash
 	return false;
 }

lib/obscure.c

@@ -56,7 +56,7 @@ static bool similar (/*@notnull@*/const char *old, /*@notnull@*/const char *new)
 
 	/*
 	 * XXX - sometimes this fails when changing from a simple password
-	 * to a really long one (MD5).  For now, I just return success if
+	 * to a really long one.  For now, I just return success if
 	 * the new password is long enough.  Please feel free to suggest
 	 * something better...  --marekm
 	 */

lib/salt.c

@@ -77,9 +77,6 @@
 #define Y_COST_MAX 11
 #endif
 
-/* Fixed salt len for md5crypt. */
-#define MD5_CRYPT_SALT_SIZE 8
-
 /* Generate salt of size salt_size. */
 #define MAX_SALT_SIZE 44
 #define MIN_SALT_SIZE 8
@@ -357,10 +354,11 @@ static /*@observer@*/const char *gensalt (size_t salt_size)
 
 	method = meth ?: getdef_str("ENCRYPT_METHOD") ?: "SHA512";
 
-	if (streq(method, "MD5")) {
-		MAGNUM(result, '1');
-		salt_len = MD5_CRYPT_SALT_SIZE;
-		rounds = 0;
+	if (streq(method, "SHA256")) {
+		MAGNUM(result, '5');
+		salt_len = SHA_CRYPT_SALT_SIZE;
+		rounds = SHA_get_salt_rounds (arg);
+		SHA_salt_rounds_to_buf (result, rounds);
 #ifdef USE_BCRYPT
 	} else if (streq(method, "BCRYPT")) {
 		BCRYPTMAGNUM(result);
@@ -375,11 +373,6 @@ static /*@observer@*/const char *gensalt (size_t salt_size)
 		rounds = YESCRYPT_get_salt_cost (arg);
 		YESCRYPT_salt_cost_to_buf (result, rounds);
 #endif /* USE_YESCRYPT */
-	} else if (streq(method, "SHA256")) {
-		MAGNUM(result, '5');
-		salt_len = SHA_CRYPT_SALT_SIZE;
-		rounds = SHA_get_salt_rounds (arg);
-		SHA_salt_rounds_to_buf (result, rounds);
 	} else if (streq(method, "SHA512")) {
 sha512:
 		MAGNUM(result, '6');

man/chgpasswd.8.xml

@@ -92,7 +92,6 @@
 	  <para>
 	    The available methods are <phrase condition="bcrypt">
 	    <replaceable>BCRYPT</replaceable>,</phrase>
-	    <replaceable>MD5</replaceable>,
 	    <replaceable>SHA256</replaceable>,
 	    <replaceable>SHA512</replaceable>,
 	    <phrase condition="yescrypt">

man/chpasswd.8.xml

@@ -118,7 +118,6 @@
 	  <para>
 	    The available methods are <phrase condition="bcrypt">
 	    <replaceable>BCRYPT</replaceable>,</phrase>
-	    <replaceable>MD5</replaceable>,
 	    <replaceable>SHA256</replaceable>,
 	    <replaceable>SHA512</replaceable>,
 	    <phrase condition="yescrypt">

man/login.defs.d/ENCRYPT_METHOD.xml

@@ -12,12 +12,11 @@
     <para>
       It can take one of these values: <phrase condition="bcrypt">
       <replaceable>BCRYPT</replaceable>,</phrase>
-      <replaceable>MD5</replaceable>,
       <replaceable>SHA256</replaceable>,
       <replaceable>SHA512</replaceable>,
       <phrase condition="yescrypt">
       <replaceable>YESCRYPT</replaceable></phrase>.
-      MD5 should not be used for new hashes, see
+      See
       <refentrytitle>crypt</refentrytitle><manvolnum>5</manvolnum>
       for recommendations.
     </para>

man/newusers.8.xml

@@ -271,7 +271,7 @@
 	<listitem>
 	  <para>Use the specified method to encrypt the passwords.</para>
 	  <para>
-	    The available methods are MD5, NONE, and SHA256 or SHA512
+	    The available methods are NONE, and SHA256 or SHA512
 	    if your libc support these methods.
 	  </para>
 	</listitem>

src/chgpasswd.c

@@ -120,8 +120,7 @@ usage (int status)
 	                Prog);
 	(void) fprintf (usageout,
 	                _("  -c, --crypt-method METHOD     the crypt method (one of %s)\n"),
-	                "NONE MD5"
-	                " SHA256 SHA512"
+	                "NONE SHA256 SHA512"
 #if defined(USE_BCRYPT)
 	                " BCRYPT"
 #endif
@@ -237,8 +236,7 @@ static void check_flags (void)
 	}
 
 	if (cflg) {
-		if (   !streq(crypt_method, "MD5")
-		    && !streq(crypt_method, "NONE")
+		if (   !streq(crypt_method, "NONE")
 		    && !streq(crypt_method, "SHA256")
 		    && !streq(crypt_method, "SHA512")
 #ifdef USE_BCRYPT

src/chpasswd.c

@@ -117,8 +117,7 @@ usage (int status)
 	                Prog);
 	(void) fprintf (usageout,
 	                _("  -c, --crypt-method METHOD     the crypt method (one of %s)\n"),
-	                "NONE MD5"
-	                " SHA256 SHA512"
+	                "NONE SHA256 SHA512"
 #if defined(USE_BCRYPT)
 	                " BCRYPT"
 #endif
@@ -233,8 +232,7 @@ static void check_flags (void)
 	}
 
 	if (cflg) {
-		if (!IS_CRYPT_METHOD("MD5")
-		    &&(!IS_CRYPT_METHOD("NONE"))
+		if (!IS_CRYPT_METHOD("NONE")
 		    &&(!IS_CRYPT_METHOD("SHA256"))
 		    &&(!IS_CRYPT_METHOD("SHA512"))
 #ifdef USE_BCRYPT