@alejandro-colomar alejandro-colomar commented Jan 15, 2026

Reported-by: @hallyn
Reported-by: @Zugschlus
Cc: @stoeckmann

Serge, this PR is smaller than yours, as I acknowledge this one was an obvious oversight on my part, while we still need to talk about the other. Please merge this, and then we'll talk about allowing *hash. Does that sound good?


Revisions:

v2
  • Add comments documenting each case.
$ git rd 
1:  12cc0aa0c ! 1:  bdf93b20a lib/chkhash.c: is_valid_hash(): Accept an empty hash
    @@ lib/chkhash.c: is_valid_hash(const char *hash)
      {
        hash = strprefix(hash, "!") ?: hash;
      
    ++  // Passwordless account; discouraged
     +  if (streq(hash, ""))
    -+          return true;  // Passwordless account; discouraged
    ++          return true;
     +
        if (streq(hash, "*"))
                return true;
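Review bot: the comment `// Passwordless account; discouraged` above `if (streq(hash, ""))` describes only part of what that branch accepts. Because `strprefix(hash, "!") ?: hash` has already dropped a leading `!` on the line before, the same branch also returns true for a field that is just `!`, which is a locked entry rather than a passwordless one. Suggest wording the comment to cover both inputs, or testing for the empty string before the prefix is stripped so that each case carries its own comment.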
2:  7e60f6d89 = 2:  051940ede lib/chkhash.c: is_valid_hash(): Update comment
-:  --------- > 3:  5bb2c2ecc lib/chkhash.c: is_valid_hash(): Comment meaning of !hash and *
v2b
  • Commit 1 was actually co-authored-by @hallyn, as I based my code on his.
$ git rd 
1:  bdf93b20a ! 1:  52f1342e3 lib/chkhash.c: is_valid_hash(): Accept an empty hash
    @@ Commit message
         Link: <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124835>
         Reported-by: Marc 'Zugschlus' Haber <[email protected]>
         Reported-by: "Serge E. Hallyn" <[email protected]>
    +    Co-authored-by: "Serge E. Hallyn" <[email protected]>
         Signed-off-by: Alejandro Colomar <[email protected]>
     
      ## lib/chkhash.c ##
2:  051940ede = 2:  0bf0b7ccc lib/chkhash.c: is_valid_hash(): Update comment
3:  5bb2c2ecc = 3:  4186bdfe8 lib/chkhash.c: is_valid_hash(): Comment meaning of !hash and *
v2c
  • Rebase
$ git rd 
1:  52f1342e3 = 1:  69688f6a4 lib/chkhash.c: is_valid_hash(): Accept an empty hash
2:  0bf0b7ccc = 2:  e57caf0c0 lib/chkhash.c: is_valid_hash(): Update comment
3:  4186bdfe8 = 3:  1938ad7ad lib/chkhash.c: is_valid_hash(): Comment meaning of !hash and *
v2d
  • Add Fixes tag.
$ git rd 
1:  69688f6a4 ! 1:  14b120c15 lib/chkhash.c: is_valid_hash(): Accept an empty hash
    @@ Commit message
         It represents a passwordless account.
         That is discouraged, but accepted.
     
    +    Fixes: c44f1e096a19 (2025-07-20; "chpasswd: Check hash before write when using -e")
         Link: <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124835>
         Reported-by: Marc 'Zugschlus' Haber <[email protected]>
         Reported-by: "Serge E. Hallyn" <[email protected]>
2:  e57caf0c0 = 2:  b4a331b03 lib/chkhash.c: is_valid_hash(): Update comment
3:  1938ad7ad = 3:  29340f127 lib/chkhash.c: is_valid_hash(): Comment meaning of !hash and *
v2e
$ git rd 
1:  14b120c15 ! 1:  b323141ee lib/chkhash.c: is_valid_hash(): Accept an empty hash
    @@ Commit message
         Link: <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124835>
         Reported-by: Marc 'Zugschlus' Haber <[email protected]>
         Reported-by: "Serge E. Hallyn" <[email protected]>
    +    Reported-by: Adam Williamson <[email protected]>
         Co-authored-by: "Serge E. Hallyn" <[email protected]>
         Signed-off-by: Alejandro Colomar <[email protected]>
     
2:  b4a331b03 = 2:  8325ecafd lib/chkhash.c: is_valid_hash(): Update comment
3:  29340f127 = 3:  8dcba7ba1 lib/chkhash.c: is_valid_hash(): Comment meaning of !hash and *
v3
  • shadow(5): Document *.
$ git rd 
1:  b323141ee = 1:  b323141ee lib/chkhash.c: is_valid_hash(): Accept an empty hash
2:  8325ecafd = 2:  8325ecafd lib/chkhash.c: is_valid_hash(): Update comment
3:  8dcba7ba1 = 3:  8dcba7ba1 lib/chkhash.c: is_valid_hash(): Comment meaning of !hash and *
-:  --------- > 4:  2ad5bd31e man/shadow.5.xml: Document "*"

alejandro-colomar and others added 3 commits January 16, 2026 01:42
It represents a passwordless account.
That is discouraged, but accepted.

Fixes: c44f1e0 (2025-07-20; "chpasswd: Check hash before write when using -e")
Link: <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124835>
Reported-by: Marc 'Zugschlus' Haber <[email protected]>
Reported-by: "Serge E. Hallyn" <[email protected]>
Reported-by: Adam Williamson <[email protected]>
Co-authored-by: "Serge E. Hallyn" <[email protected]>
Signed-off-by: Alejandro Colomar <[email protected]>

This checks the entire shadow(5) 2nd field, which is more than just
a hash.

Reported-by: Tobias Stoeckmann <[email protected]>
Signed-off-by: Alejandro Colomar <[email protected]>

Signed-off-by: Alejandro Colomar <[email protected]>
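An added example, not code from this PR or from the shadow project: a small C classifier for the 2nd field of a shadow(5) line, written for auditing, that keeps the empty field (the passwordless case the first commit accepts) apart from `!` and `*`. The names `classify_shadow_line` and `count_passwordless` and the sample entries are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>
enum pw_state {
    PW_MALFORMED,    /* no ':' separator on the line */
    PW_PASSWORDLESS, /* empty field: no password is required */
    PW_LOCKED,       /* field starts with "!": password is locked */
    PW_STAR,         /* "*": not a crypt(3) result, so no password matches */
    PW_OTHER         /* anything else, e.g. a hash; not validated here */
};

/* Classify the 2nd colon-separated field of one shadow(5) line. */
enum pw_state classify_shadow_line(const char *line)
{
    const char *field = strchr(line, ':');
    if (field == NULL)
        return PW_MALFORMED;
    field++;
    size_t len = strcspn(field, ":\n");  /* field ends at next ':' or EOL */
    if (len == 0)
        return PW_PASSWORDLESS;  /* tested before "!" so "!" is not counted */
    if (field[0] == '!')
        return PW_LOCKED;
    if (len == 1 && field[0] == '*')
        return PW_STAR;
    return PW_OTHER;
}

/* Count the entries an audit should flag: unlocked, empty 2nd field. */
size_t count_passwordless(const char *const *lines, size_t n)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        count += (classify_shadow_line(lines[i]) == PW_PASSWORDLESS);
    return count;
}

/* Constructed sample entries, not taken from any real system. */
static const char *const sample_lines[] = {
    "alice:$y$constructed$placeholder:19000:0:99999:7:::",
    "guest::19000:0:99999:7:::",
    "daemon:*:19000:0:99999:7:::",
    "backup:!:19000:0:99999:7:::",
};

int main(void)
{
    printf("passwordless entries: %zu\n", count_passwordless(sample_lines, 4));
    return 0;
}
```

Unlike a validity check that strips `!` first, this audit view reports a bare `!` as locked and only a truly empty field as passwordless.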
Development

Successfully merging this pull request may close these issues.

chpasswd encrypted hash check breaks various things