*: Make support for SHA256 and SHA512 unconditional

This is necessary for later changing the fallback from the insecure DES
to something secure such as SHA512.

Link: <#1278>
Cc: Andre Boscatto <andreboscatto@gmail.com>
Cc: Iker Pedrosa <ipedrosa@redhat.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>

Author: alejandro-colomar

configure.ac

@@ -187,9 +187,6 @@ AC_ARG_WITH([skey],
 AC_ARG_WITH([tcb],
 	[AS_HELP_STRING([--with-tcb], [use tcb support (incomplete) @<:@default=yes if found@:>@])],
 	[with_tcb=$withval], [with_tcb=maybe])
-AC_ARG_WITH([sha-crypt],
-	[AS_HELP_STRING([--with-sha-crypt], [allow the SHA256 and SHA512 password encryption algorithms @<:@default=yes@:>@])],
-	[with_sha_crypt=$withval], [with_sha_crypt=yes])
 AC_ARG_WITH([bcrypt],
 	[AS_HELP_STRING([--with-bcrypt], [allow the bcrypt password encryption algorithm @<:@default=no@:>@])],
 	[with_bcrypt=$withval], [with_bcrypt=no])
@@ -222,11 +219,6 @@ AC_SUBST([GROUP_NAME_MAX_LENGTH])
 GROUP_NAME_MAX_LENGTH="$with_group_name_max_length"
 
 
-AM_CONDITIONAL([USE_SHA_CRYPT], [test "x$with_sha_crypt" = "xyes"])
-if test "X$with_sha_crypt" = "Xyes"; then
-	AC_DEFINE([USE_SHA_CRYPT], [1], [Define to allow the SHA256 and SHA512 password encryption algorithms])
-fi
-
 AM_CONDITIONAL([USE_BCRYPT], [test "x$with_bcrypt" = "xyes"])
 if test "X$with_bcrypt" = "Xyes"; then
 	AC_DEFINE([USE_BCRYPT], [1], [Define to allow the bcrypt password encryption algorithm])
@@ -708,7 +700,6 @@ AC_MSG_NOTICE([shadow ${PACKAGE_VERSION} has been configured with the following
 	tcb support (incomplete):	$with_tcb
 	shadow group support:		$enable_shadowgrp
 	S/Key support:			$with_skey
-	SHA passwords encryption:	$with_sha_crypt
 	bcrypt passwords encryption:	$with_bcrypt
 	yescrypt passwords encryption:	$with_yescrypt
 	nscd support:			$with_nscd

lib/getdef.c

@@ -112,10 +112,8 @@ static struct itemdef def_table[] = {
 	{"PASS_MAX_DAYS", NULL},
 	{"PASS_MIN_DAYS", NULL},
 	{"PASS_WARN_AGE", NULL},
-#ifdef USE_SHA_CRYPT
 	{"SHA_CRYPT_MAX_ROUNDS", NULL},
 	{"SHA_CRYPT_MIN_ROUNDS", NULL},
-#endif
 #ifdef USE_BCRYPT
 	{"BCRYPT_MAX_ROUNDS", NULL},
 	{"BCRYPT_MIN_ROUNDS", NULL},

lib/obscure.c

@@ -221,10 +221,8 @@ obscure_get_range(int *minlen, int *maxlen)
 		}
 	} else {
 		if (   streq(method, "MD5")
-#ifdef USE_SHA_CRYPT
 		    || streq(method, "SHA256")
 		    || streq(method, "SHA512")
-#endif
 #ifdef USE_BCRYPT
 		    || streq(method, "BCRYPT")
 #endif

lib/salt.c

@@ -51,7 +51,6 @@
 #define B_ROUNDS_MAX 31
 #endif /* USE_BCRYPT */
 
-#ifdef USE_SHA_CRYPT
 /* Fixed salt len for sha{256,512}crypt. */
 #define SHA_CRYPT_SALT_SIZE 16
 /* Default number of rounds if not explicitly specified.  */
@@ -60,7 +59,6 @@
 #define SHA_ROUNDS_MIN 1000
 /* Maximum number of rounds.  */
 #define SHA_ROUNDS_MAX 999999999
-#endif
 
 #ifdef USE_YESCRYPT
 /*
@@ -93,10 +91,8 @@
 #if !USE_XCRYPT_GENSALT
 static /*@observer@*/const char *gensalt (size_t salt_size);
 #endif /* !USE_XCRYPT_GENSALT */
-#ifdef USE_SHA_CRYPT
 static /*@observer@*/unsigned long SHA_get_salt_rounds (/*@null@*/const int *prefered_rounds);
 static /*@observer@*/void SHA_salt_rounds_to_buf (char *buf, unsigned long rounds);
-#endif /* USE_SHA_CRYPT */
 #ifdef USE_BCRYPT
 static /*@observer@*/unsigned long BCRYPT_get_salt_rounds (/*@null@*/const int *prefered_rounds);
 static /*@observer@*/void BCRYPT_salt_rounds_to_buf (char *buf, unsigned long rounds);
@@ -107,7 +103,6 @@ static /*@observer@*/void YESCRYPT_salt_cost_to_buf (char *buf, unsigned long co
 #endif /* USE_YESCRYPT */
 
 
-#ifdef USE_SHA_CRYPT
 /* Return the the rounds number for the SHA crypt methods. */
 static /*@observer@*/unsigned long SHA_get_salt_rounds (/*@null@*/const int *prefered_rounds)
 {
@@ -179,7 +174,6 @@ static /*@observer@*/void SHA_salt_rounds_to_buf (char *buf, unsigned long round
 
 	(void) snprintf (buf + buf_begin, 18, "rounds=%lu$", rounds);
 }
-#endif /* USE_SHA_CRYPT */
 
 #ifdef USE_BCRYPT
 /* Return the the rounds number for the BCRYPT method. */
@@ -392,7 +386,6 @@ static /*@observer@*/const char *gensalt (size_t salt_size)
 		rounds = YESCRYPT_get_salt_cost (arg);
 		YESCRYPT_salt_cost_to_buf (result, rounds);
 #endif /* USE_YESCRYPT */
-#ifdef USE_SHA_CRYPT
 	} else if (streq(method, "SHA256")) {
 		MAGNUM(result, '5');
 		salt_len = SHA_CRYPT_SALT_SIZE;
@@ -403,7 +396,6 @@ static /*@observer@*/const char *gensalt (size_t salt_size)
 		salt_len = SHA_CRYPT_SALT_SIZE;
 		rounds = SHA_get_salt_rounds (arg);
 		SHA_salt_rounds_to_buf (result, rounds);
-#endif /* USE_SHA_CRYPT */
 	} else if (!streq(method, "DES")) {
 		fprintf (log_get_logfd(),
 			 _("Invalid ENCRYPT_METHOD value: '%s'.\n"

man/chgpasswd.8.xml

@@ -94,9 +94,10 @@
 	    The available methods are <phrase condition="bcrypt">
 	    <replaceable>BCRYPT</replaceable>,</phrase>
 	    <replaceable>DES</replaceable>,
-	    <replaceable>MD5</replaceable><phrase condition="sha_crypt">,
+	    <replaceable>MD5</replaceable>,
 	    <replaceable>SHA256</replaceable>,
-	    <replaceable>SHA512</replaceable></phrase><phrase condition="yescrypt">,
+	    <replaceable>SHA512</replaceable>,
+	    <phrase condition="yescrypt">
 	    <replaceable>YESCRYPT</replaceable></phrase> and
 	    <replaceable>NONE</replaceable>
 	    if your libc supports these methods.
@@ -138,7 +139,7 @@
 	  </para>
 	</listitem>
       </varlistentry>
-      <varlistentry condition="bcrypt;sha_crypt;yescrypt">
+      <varlistentry>
 	<term><option>-s</option>, <option>--sha-rounds</option></term>
 	<listitem>
 	  <para>
@@ -148,9 +149,8 @@
 	    You can only use this option with crypt method:
 	    <phrase condition="bcrypt">
 	    <replaceable>BCRYPT</replaceable></phrase>
-	    <phrase condition="sha_crypt">
 	    <replaceable>SHA256</replaceable>
-	    <replaceable>SHA512</replaceable></phrase>
+	    <replaceable>SHA512</replaceable>
 	    <phrase condition="yescrypt">
 	    <replaceable>YESCRYPT</replaceable></phrase>
 	  </para>
@@ -163,12 +163,12 @@
 	    A minimal value of 4 and a maximal value of 31
 	    will be enforced for BCRYPT. The default number of rounds is 13.
 	  </para>
-	  <para condition="sha_crypt">
+	  <para>
 	    By default, the number of rounds for SHA256 or SHA512 is defined by
 	    the SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS variables in
 	    <filename>/etc/login.defs</filename>.
 	  </para>
-	  <para condition="sha_crypt">
+	  <para>
 	    A minimal value of 1000 and a maximal value of 999,999,999
 	    will be enforced for SHA256 and SHA512. The default number of rounds
 	    is 5000.

man/chpasswd.8.xml

@@ -121,9 +121,10 @@
 	    The available methods are <phrase condition="bcrypt">
 	    <replaceable>BCRYPT</replaceable>,</phrase>
 	    <replaceable>DES</replaceable>,
-	    <replaceable>MD5</replaceable><phrase condition="sha_crypt">,
+	    <replaceable>MD5</replaceable>,
 	    <replaceable>SHA256</replaceable>,
-	    <replaceable>SHA512</replaceable></phrase><phrase condition="yescrypt">,
+	    <replaceable>SHA512</replaceable>,
+	    <phrase condition="yescrypt">
 	    <replaceable>YESCRYPT</replaceable></phrase> and
 	    <replaceable>NONE</replaceable>
 	    if your libc supports these methods.
@@ -195,7 +196,7 @@
 	  </para>
 	</listitem>
       </varlistentry>
-      <varlistentry condition="bcrypt;sha_crypt;yescrypt">
+      <varlistentry>
 	<term>
 	  <option>-s</option>, <option>--sha-rounds</option>&nbsp;<replaceable>ROUNDS</replaceable>
 	</term>
@@ -207,9 +208,8 @@
 	    You can only use this option with crypt method:
 	    <phrase condition="bcrypt">
 	    <replaceable>BCRYPT</replaceable></phrase>
-	    <phrase condition="sha_crypt">
 	    <replaceable>SHA256</replaceable>
-	    <replaceable>SHA512</replaceable></phrase>
+	    <replaceable>SHA512</replaceable>
 	    <phrase condition="yescrypt">
 	    <replaceable>YESCRYPT</replaceable></phrase>
 	  </para>
@@ -222,12 +222,12 @@
 	    A minimal value of 4 and a maximal value of 31
 	    will be enforced for BCRYPT. The default number of rounds is 13.
 	  </para>
-	  <para condition="sha_crypt">
+	  <para>
 	    By default, the number of rounds for SHA256 or SHA512 is defined by
 	    the SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS variables in
 	    <filename>/etc/login.defs</filename>.
 	  </para>
-	  <para condition="sha_crypt">
+	  <para>
 	    A minimal value of 1000 and a maximal value of 999,999,999
 	    will be enforced for SHA256 and SHA512. The default number of rounds
 	    is 5000.

man/generate_mans.mak

@@ -19,12 +19,6 @@ else
 TCB_COND=no_tcb
 endif
 
-if USE_SHA_CRYPT
-SHA_CRYPT_COND=sha_crypt
-else
-SHA_CRYPT_COND=no_sha_crypt
-endif
-
 if USE_BCRYPT
 BCRYPT_COND=bcrypt
 else
@@ -62,7 +56,7 @@ if ENABLE_REGENERATE_MAN
 	fi
 
 man1/% man3/% man5/% man8/%: %.xml-config Makefile config.xml
-	$(XSLTPROC) --stringparam profile.condition "$(PAM_COND);$(SHADOWGRP_COND);$(TCB_COND);$(SHA_CRYPT_COND);$(BCRYPT_COND);$(YESCRYPT_COND);$(SUBIDS_COND);$(VENDORDIR_COND);$(LASTLOG_COND)" \
+	$(XSLTPROC) --stringparam profile.condition "$(PAM_COND);$(SHADOWGRP_COND);$(TCB_COND);$(BCRYPT_COND);$(YESCRYPT_COND);$(SUBIDS_COND);$(VENDORDIR_COND);$(LASTLOG_COND)" \
 	            --param "man.authors.section.enabled" "0" \
 	            --stringparam "man.output.base.dir" "" \
 	            --stringparam vendordir "$(VENDORDIR)" \

man/login.defs.5.xml

@@ -256,8 +256,7 @@
 	    <phrase condition="bcrypt">BCRYPT_MAX_ROUNDS
 	    BCRYPT_MIN_ROUNDS</phrase>
 	    ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
-	    <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
-	    SHA_CRYPT_MIN_ROUNDS</phrase>
+	    SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS
 	    <phrase condition="yescrypt">YESCRYPT_COST_FACTOR</phrase>
 	  </para>
 	</listitem>
@@ -270,8 +269,7 @@
 	    BCRYPT_MIN_ROUNDS</phrase>
 	    <phrase condition="no_pam">ENCRYPT_METHOD
 	    MD5_CRYPT_ENAB </phrase>
-	    <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
-	    SHA_CRYPT_MIN_ROUNDS</phrase>
+	    SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS
 	    <phrase condition="yescrypt">YESCRYPT_COST_FACTOR</phrase>
 	  </para>
 	</listitem>
@@ -293,8 +291,7 @@
 	    <phrase condition="bcrypt">BCRYPT_MAX_ROUNDS
 	    BCRYPT_MIN_ROUNDS</phrase>
 	    ENCRYPT_METHOD MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
-	    <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
-	    SHA_CRYPT_MIN_ROUNDS</phrase>
+	    SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS
 	    <phrase condition="yescrypt">YESCRYPT_COST_FACTOR</phrase>
 	  </para>
 	</listitem>
@@ -399,8 +396,7 @@
 	    MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
 	    HOME_MODE
 	    PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
-	    <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
-	    SHA_CRYPT_MIN_ROUNDS</phrase>
+	    SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS
 	    SUB_GID_COUNT SUB_GID_MAX SUB_GID_MIN
 	    SUB_UID_COUNT SUB_UID_MAX SUB_UID_MIN
 	    SYS_GID_MAX SYS_GID_MIN SYS_UID_MAX SYS_UID_MIN UID_MAX UID_MIN
@@ -418,8 +414,7 @@
 	    BCRYPT_MIN_ROUNDS</phrase>
 	    ENCRYPT_METHOD MD5_CRYPT_ENAB OBSCURE_CHECKS_ENAB
 	    PASS_ALWAYS_WARN PASS_CHANGE_TRIES PASS_MAX_LEN PASS_MIN_LEN
-	    <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
-	    SHA_CRYPT_MIN_ROUNDS</phrase>
+	    SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS
 	    <phrase condition="yescrypt">YESCRYPT_COST_FACTOR</phrase>
 	  </para>
 	</listitem>

man/login.defs.d/ENCRYPT_METHOD.xml

@@ -13,9 +13,10 @@
       It can take one of these values: <phrase condition="bcrypt">
       <replaceable>BCRYPT</replaceable>,</phrase>
       <replaceable>DES</replaceable> (default),
-      <replaceable>MD5</replaceable><phrase condition="sha_crypt">,
+      <replaceable>MD5</replaceable>,
       <replaceable>SHA256</replaceable>,
-      <replaceable>SHA512</replaceable></phrase><phrase condition="yescrypt">,
+      <replaceable>SHA512</replaceable>,
+      <phrase condition="yescrypt">
       <replaceable>YESCRYPT</replaceable></phrase>.
       MD5 and DES should not be used for new hashes, see
       <refentrytitle>crypt</refentrytitle><manvolnum>5</manvolnum>

man/login.defs.d/SHA_CRYPT_MIN_ROUNDS.xml

@@ -2,7 +2,7 @@
    SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
    SPDX-License-Identifier: BSD-3-Clause
 -->
-<varlistentry condition="sha_crypt">
+<varlistentry>
   <term><option>SHA_CRYPT_MIN_ROUNDS</option> (number)</term>
   <term><option>SHA_CRYPT_MAX_ROUNDS</option> (number)</term>
   <listitem>