diff --git a/CHANGES.md b/CHANGES.md index 1388167577363..3f4b9e6a0afd7 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -23,6 +23,10 @@ OpenSSL 3.0 ### Changes between 1.1.1 and 3.0 [xx XXX xxxx] + * The -crypt option to the passwd command line tool has been removed. + + *Paul Dale* + * Add support for AES Key Wrap inverse ciphers to the EVP layer. The algorithms are: "AES-128-WRAP-INV", "AES-192-WRAP-INV", "AES-256-WRAP-INV", diff --git a/apps/passwd.c b/apps/passwd.c index 5ddcfe1c57560..5bf031566a25a 100644 --- a/apps/passwd.c +++ b/apps/passwd.c @@ -7,9 +7,6 @@ * https://www.openssl.org/source/license.html */ -/* We need to use some deprecated APIs */ -#define OPENSSL_SUPPRESS_DEPRECATED - #include #include "apps.h" @@ -41,7 +38,6 @@ static const char ascii_dollar[] = { 0x24, 0x00 }; typedef enum { passwd_unset = 0, - passwd_crypt, passwd_md5, passwd_apr1, passwd_sha256, @@ -57,7 +53,7 @@ typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_IN, OPT_NOVERIFY, OPT_QUIET, OPT_TABLE, OPT_REVERSE, OPT_APR1, - OPT_1, OPT_5, OPT_6, OPT_CRYPT, OPT_AIXMD5, OPT_SALT, OPT_STDIN, + OPT_1, OPT_5, OPT_6, OPT_AIXMD5, OPT_SALT, OPT_STDIN, OPT_R_ENUM, OPT_PROV_ENUM } OPTION_CHOICE; @@ -85,9 +81,6 @@ const OPTIONS passwd_options[] = { {"apr1", OPT_APR1, '-', "MD5-based password algorithm, Apache variant"}, {"1", OPT_1, '-', "MD5-based password algorithm"}, {"aixmd5", OPT_AIXMD5, '-', "AIX MD5-based password algorithm"}, -#if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_DEPRECATED_3_0) - {"crypt", OPT_CRYPT, '-', "Standard Unix password algorithm (default)"}, -#endif OPT_R_OPTIONS, OPT_PROV_OPTIONS, @@ -171,13 +164,6 @@ int passwd_main(int argc, char **argv) goto opthelp; mode = passwd_aixmd5; break; - case OPT_CRYPT: -#if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_DEPRECATED_3_0) - if (mode != passwd_unset) - goto opthelp; - mode = passwd_crypt; -#endif - break; case OPT_SALT: passed_salt = 1; salt = opt_arg(); 
@@ -210,14 +196,9 @@ int passwd_main(int argc, char **argv) if (mode == passwd_unset) { /* use default */ - mode = passwd_crypt; + mode = passwd_md5; } -#if defined(OPENSSL_NO_DES) || defined(OPENSSL_NO_DEPRECATED_3_0) - if (mode == passwd_crypt) - goto opthelp; -#endif - if (infile != NULL && in_stdin) { BIO_printf(bio_err, "%s: Can't combine -in and -stdin\n", prog); goto end; @@ -233,9 +214,6 @@ int passwd_main(int argc, char **argv) goto end; } - if (mode == passwd_crypt) - pw_maxlen = 8; - if (passwds == NULL) { /* no passwords on the command line */ @@ -806,11 +784,6 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p, size_t saltlen = 0; size_t i; -#if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_DEPRECATED_3_0) - if (mode == passwd_crypt) - saltlen = 2; -#endif /* !OPENSSL_NO_DES */ - if (mode == passwd_md5 || mode == passwd_apr1 || mode == passwd_aixmd5) saltlen = 8; @@ -849,10 +822,6 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p, assert(strlen(passwd) <= pw_maxlen); /* now compute password hash */ -#if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_DEPRECATED_3_0) - if (mode == passwd_crypt) - hash = DES_crypt(passwd, *salt_p); -#endif if (mode == passwd_md5 || mode == passwd_apr1) hash = md5crypt(passwd, (mode == passwd_md5 ? "1" : "apr1"), *salt_p); if (mode == passwd_aixmd5) diff --git a/doc/man1/openssl-passwd.pod.in b/doc/man1/openssl-passwd.pod.in index 30159e35bfc17..8e1f6f2de73e3 100644 --- a/doc/man1/openssl-passwd.pod.in +++ b/doc/man1/openssl-passwd.pod.in @@ -9,7 +9,6 @@ openssl-passwd - compute password hashes B [B<-help>] -[B<-crypt>] [B<-1>] [B<-apr1>] [B<-aixmd5>] 
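Review bot: The fallback `mode = passwd_md5;` in the `@@ -210,14 +196,9 @@` hunk makes MD5-crypt the silent default for every caller that passes no algorithm flag, although the same tool already offers SHA-based modes (`passwd_sha256` is visible in the enum, and `-5`/`-6` among the options). MD5-crypt is a fixed-cost MD5 construction and a weak choice for newly generated password hashes, so `mode = passwd_sha256;` (or the SHA-512 mode behind `-6`) would be a safer default. If MD5 is kept for compatibility, the comment should say so, for example `/* default to MD5-crypt for compatibility; prefer -5 or -6 for new hashes */`. Callers that used to get 13-character crypt output with no flag now get `$1$` strings, and the CHANGES.md entry mentions only the removed option, not the changed default. `passwd_main` starts and ends outside this hunk, so any later handling of `mode` is not visible here.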
@@ -34,9 +33,8 @@ This command computes the hash of a password typed at run-time or the hash of each password in a list. The password list is taken from the named file for option B<-in>, from stdin for option B<-stdin>, or from the command line, or from the terminal otherwise. -The Unix standard algorithm B<-crypt> and the MD5-based BSD password -algorithm B<-1>, its Apache variant B<-apr1>, and its AIX variant are -available. +The MD5-based BSD password algorithm B<-1>, its Apache variant B<-apr1>, +and its AIX variant are available. =head1 OPTIONS @@ -46,13 +44,9 @@ available. Print out a usage message. -=item B<-crypt> - -Use the B algorithm (default). - =item B<-1> -Use the MD5 based BSD password algorithm B<1>. +Use the MD5 based BSD password algorithm B<1> (default). =item B<-apr1> @@ -107,9 +101,6 @@ When the B<-table> option is used, reverse the order of cleartext and hash. =head1 EXAMPLES - % openssl passwd -crypt -salt xx password - xxj31ZMTZzkVA - % openssl passwd -1 -salt xxxxxxxx password $1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a. @@ -119,6 +110,10 @@ When the B<-table> option is used, reverse the order of cleartext and hash. % openssl passwd -aixmd5 -salt xxxxxxxx password xxxxxxxx$8Oaipk/GPKhC64w/YVeFD/ +=head1 HISTORY + +The B<-crypt> option was removed in OpenSSL 3.0. + =head1 COPYRIGHT Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. diff --git a/test/recipes/20-test_passwd.t b/test/recipes/20-test_passwd.t index 65d6e0d25dcf1..9707ecc3f2813 100644 --- a/test/recipes/20-test_passwd.t +++ b/test/recipes/20-test_passwd.t 
@@ -76,12 +76,9 @@ my @sha_tests = expected => '$6$rounds=1000$roundstoolow$kUMsbe306n21p9R.FRkW3IGn.S9NPN0x50YhH1xhLsPuWGsUSklZt58jaTfF4ZEQpyUNGc0dqbpBYYBaHHrsX.' } ); -plan tests => (disabled("des") || disabled('deprecated-3.0') ? 9 : 11) + scalar @sha_tests; +plan tests => 9 + scalar @sha_tests; -ok(compare1stline_re([qw{openssl passwd password}], '^.{13}\R$'), - 'crypt password with random salt') - if !disabled("des") && !disabled('deprecated-3.0'); ok(compare1stline_re([qw{openssl passwd -1 password}], '^\$1\$.{8}\$.{22}\R$'), 'BSD style MD5 password with random salt'); ok(compare1stline_re([qw{openssl passwd -apr1 password}], '^\$apr1\$.{8}\$.{22}\R$'), @@ -91,9 +88,6 @@ ok(compare1stline_re([qw{openssl passwd -5 password}], '^\$5\$.{16}\$.{43}\R$'), ok(compare1stline_re([qw{openssl passwd -6 password}], '^\$6\$.{16}\$.{86}\R$'), 'Apache SHA512 password with random salt'); -ok(compare1stline([qw{openssl passwd -salt xx password}], 'xxj31ZMTZzkVA'), - 'crypt password with salt xx') - if !disabled("des") && !disabled('deprecated-3.0'); ok(compare1stline([qw{openssl passwd -salt xxxxxxxx -1 password}], '$1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a.'), 'BSD style MD5 password with salt xxxxxxxx'); ok(compare1stline([qw{openssl passwd -salt xxxxxxxx -apr1 password}], '$apr1$xxxxxxxx$dxHfLAsjHkDRmG83UXe8K0'),
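Review bot: After the first removed `ok(...)` in the `@@ -76,12 +76,9 @@` hunk, none of the visible tests runs `openssl passwd password` without an algorithm flag, so the new default selected in apps/passwd.c is not pinned by a test. A later change of default, or a regression to an error path, would go unnoticed. I would keep a default-mode case such as `ok(compare1stline_re([qw{openssl passwd password}], '^\$1\$.{8}\$.{22}\R$'), 'default password algorithm with random salt');` and raise the plan to `plan tests => 10 + scalar @sha_tests;`. Only part of the test list is visible in these hunks, so a case elsewhere in the file may already cover this.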