Full_Name: Jon Roose
Version: HEAD
OS: Linux
URL:
Submission from: (NULL) (68.134.180.197)
The b64_to_ab64 function within the pbkdf2 password module is incorrect.
When str[0] == '+' this function fails to convert that first character to a '.'
The file in question is contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c,
and the bug occurs at line 62 in the current version of the file.
This occurs because when you write while (*p++), it changes the pointer and
skips over the first character of str.
This needs to be replaced with a for loop such as:
    for(char* p = str; *p; p++)
This is a significant bug in this module, because it causes the hash algorithm
to fail to be replicable by outside hash implementations 1 out of every 64
hashes on average.
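
The two loop shapes side by side, as an added example that is not part of the original report and not the OpenLDAP source. The function names and sample strings are hypothetical, and only the '+' to '.' conversion described above is modelled. The last function tries all 64 base64 alphabet characters in the first position to show where the two versions disagree.

```c
#include <stdio.h>
#include <string.h>

/* Loop shape described in the report: the post-increment in the condition
 * advances p before the body runs, so str[0] is never examined. */
static void b64_to_ab64_buggy(char *str)
{
    char *p = str;
    while (*p++) {
        if (*p == '+')
            *p = '.';
    }
}

/* Loop shape proposed in the report: every character, including str[0],
 * is tested before p advances. */
static void b64_to_ab64_fixed(char *str)
{
    for (char *p = str; *p; p++) {
        if (*p == '+')
            *p = '.';
    }
}

/* Put each base64 alphabet character first in a constructed sample string
 * and count how often the two versions produce different output. */
static int count_first_char_mismatches(void)
{
    static const char alphabet[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    int mismatches = 0;
    for (size_t i = 0; i < 64; i++) {
        char a[16], b[16];
        snprintf(a, sizeof a, "%cq+3/Zw+A", alphabet[i]); /* constructed */
        strcpy(b, a);
        b64_to_ab64_buggy(a);
        b64_to_ab64_fixed(b);
        if (strcmp(a, b) != 0)
            mismatches++;
    }
    return mismatches;
}

int main(void)
{
    printf("first-character mismatches: %d of 64\n",
           count_first_char_mismatches());
    return 0;
}
```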