apps/passwd: remove the -crypt option.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from #13313)

CHANGES.md

@@ -23,6 +23,10 @@ OpenSSL 3.0
 
 ### Changes between 1.1.1 and 3.0 [xx XXX xxxx]
 
+ * The -crypt option to the passwd command line tool has been removed.
+
+   *Paul Dale*
+
  * Add support for AES Key Wrap inverse ciphers to the EVP layer.
    The algorithms are:
    "AES-128-WRAP-INV", "AES-192-WRAP-INV", "AES-256-WRAP-INV",

apps/passwd.c

@@ -7,9 +7,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-/* We need to use some deprecated APIs */
-#define OPENSSL_SUPPRESS_DEPRECATED
-
 #include <string.h>
 
 #include "apps.h"
@@ -41,7 +38,6 @@ static const char ascii_dollar[] = { 0x24, 0x00 };
 
 typedef enum {
     passwd_unset = 0,
-    passwd_crypt,
     passwd_md5,
     passwd_apr1,
     passwd_sha256,
@@ -57,7 +53,7 @@ typedef enum OPTION_choice {
     OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
     OPT_IN,
     OPT_NOVERIFY, OPT_QUIET, OPT_TABLE, OPT_REVERSE, OPT_APR1,
-    OPT_1, OPT_5, OPT_6, OPT_CRYPT, OPT_AIXMD5, OPT_SALT, OPT_STDIN,
+    OPT_1, OPT_5, OPT_6, OPT_AIXMD5, OPT_SALT, OPT_STDIN,
     OPT_R_ENUM, OPT_PROV_ENUM
 } OPTION_CHOICE;
 
@@ -85,9 +81,6 @@ const OPTIONS passwd_options[] = {
     {"apr1", OPT_APR1, '-', "MD5-based password algorithm, Apache variant"},
     {"1", OPT_1, '-', "MD5-based password algorithm"},
     {"aixmd5", OPT_AIXMD5, '-', "AIX MD5-based password algorithm"},
-#if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_DEPRECATED_3_0)
-    {"crypt", OPT_CRYPT, '-', "Standard Unix password algorithm (default)"},
-#endif
 
     OPT_R_OPTIONS,
     OPT_PROV_OPTIONS,
@@ -171,13 +164,6 @@ int passwd_main(int argc, char **argv)
                 goto opthelp;
             mode = passwd_aixmd5;
             break;
-        case OPT_CRYPT:
-#if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_DEPRECATED_3_0)
-            if (mode != passwd_unset)
-                goto opthelp;
-            mode = passwd_crypt;
-#endif
-            break;
         case OPT_SALT:
             passed_salt = 1;
             salt = opt_arg();
@@ -210,14 +196,9 @@ int passwd_main(int argc, char **argv)
 
     if (mode == passwd_unset) {
         /* use default */
-        mode = passwd_crypt;
+        mode = passwd_md5;
     }
 
-#if defined(OPENSSL_NO_DES) || defined(OPENSSL_NO_DEPRECATED_3_0)
-    if (mode == passwd_crypt)
-        goto opthelp;
-#endif
-
     if (infile != NULL && in_stdin) {
         BIO_printf(bio_err, "%s: Can't combine -in and -stdin\n", prog);
         goto end;
@@ -233,9 +214,6 @@ int passwd_main(int argc, char **argv)
             goto end;
     }
 
-    if (mode == passwd_crypt)
-        pw_maxlen = 8;
-
     if (passwds == NULL) {
         /* no passwords on the command line */
 
@@ -806,11 +784,6 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
         size_t saltlen = 0;
         size_t i;
 
-#if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_DEPRECATED_3_0)
-        if (mode == passwd_crypt)
-            saltlen = 2;
-#endif                         /* !OPENSSL_NO_DES */
-
         if (mode == passwd_md5 || mode == passwd_apr1 || mode == passwd_aixmd5)
             saltlen = 8;
 
@@ -849,10 +822,6 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
     assert(strlen(passwd) <= pw_maxlen);
 
     /* now compute password hash */
-#if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_DEPRECATED_3_0)
-    if (mode == passwd_crypt)
-        hash = DES_crypt(passwd, *salt_p);
-#endif
     if (mode == passwd_md5 || mode == passwd_apr1)
         hash = md5crypt(passwd, (mode == passwd_md5 ? "1" : "apr1"), *salt_p);
     if (mode == passwd_aixmd5)

doc/man1/openssl-passwd.pod.in

@@ -9,7 +9,6 @@ openssl-passwd - compute password hashes
 
 B<openssl passwd>
 [B<-help>]
-[B<-crypt>]
 [B<-1>]
 [B<-apr1>]
 [B<-aixmd5>]
@@ -34,9 +33,8 @@ This command computes the hash of a password typed at
 run-time or the hash of each password in a list.  The password list is
 taken from the named file for option B<-in>, from stdin for
 option B<-stdin>, or from the command line, or from the terminal otherwise.
-The Unix standard algorithm B<-crypt> and the MD5-based BSD password
-algorithm B<-1>, its Apache variant B<-apr1>, and its AIX variant are
-available.
+The MD5-based BSD password algorithm B<-1>, its Apache variant B<-apr1>,
+and its AIX variant are available.
 
 =head1 OPTIONS
 
@@ -46,13 +44,9 @@ available.
 
 Print out a usage message.
 
-=item B<-crypt>
-
-Use the B<crypt> algorithm (default).
-
 =item B<-1>
 
-Use the MD5 based BSD password algorithm B<1>.
+Use the MD5 based BSD password algorithm B<1> (default).
 
 =item B<-apr1>
 
@@ -107,9 +101,6 @@ When the B<-table> option is used, reverse the order of cleartext and hash.
 
 =head1 EXAMPLES
 
-  % openssl passwd -crypt -salt xx password
-  xxj31ZMTZzkVA
-
   % openssl passwd -1 -salt xxxxxxxx password
   $1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a.
 
@@ -119,6 +110,10 @@ When the B<-table> option is used, reverse the order of cleartext and hash.
   % openssl passwd -aixmd5 -salt xxxxxxxx password
   xxxxxxxx$8Oaipk/GPKhC64w/YVeFD/
 
+=head1 HISTORY
+
+The B<-crypt> option was removed in OpenSSL 3.0.
+
 =head1 COPYRIGHT
 
 Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.

test/recipes/20-test_passwd.t

@@ -76,12 +76,9 @@ my @sha_tests =
        expected => '$6$rounds=1000$roundstoolow$kUMsbe306n21p9R.FRkW3IGn.S9NPN0x50YhH1xhLsPuWGsUSklZt58jaTfF4ZEQpyUNGc0dqbpBYYBaHHrsX.' }
     );
 
-plan tests => (disabled("des") || disabled('deprecated-3.0') ? 9 : 11) + scalar @sha_tests;
+plan tests => 9 + scalar @sha_tests;
 
 
-ok(compare1stline_re([qw{openssl passwd password}], '^.{13}\R$'),
-   'crypt password with random salt')
-    if !disabled("des") && !disabled('deprecated-3.0');
 ok(compare1stline_re([qw{openssl passwd -1 password}], '^\$1\$.{8}\$.{22}\R$'),
    'BSD style MD5 password with random salt');
 ok(compare1stline_re([qw{openssl passwd -apr1 password}], '^\$apr1\$.{8}\$.{22}\R$'),
@@ -91,9 +88,6 @@ ok(compare1stline_re([qw{openssl passwd -5 password}], '^\$5\$.{16}\$.{43}\R$'),
 ok(compare1stline_re([qw{openssl passwd -6 password}], '^\$6\$.{16}\$.{86}\R$'),
    'Apache SHA512 password with random salt');
 
-ok(compare1stline([qw{openssl passwd -salt xx password}], 'xxj31ZMTZzkVA'),
-   'crypt password with salt xx')
-    if !disabled("des") && !disabled('deprecated-3.0');
 ok(compare1stline([qw{openssl passwd -salt xxxxxxxx -1 password}], '$1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a.'),
    'BSD style MD5 password with salt xxxxxxxx');
 ok(compare1stline([qw{openssl passwd -salt xxxxxxxx -apr1 password}], '$apr1$xxxxxxxx$dxHfLAsjHkDRmG83UXe8K0'),