Full_Name: Jon Roose Version: HEAD OS: Linux URL: Submission from: (NULL) (68.134.180.197)

The b64_to_ab64 function within the pbkdf2 password module is incorrect.

When str[0] == '+' this function fails to convert that first character to a '.'

The file in question is here: contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c and occurs at line 62 in the current version of the file.

This occurs because when you write while (*p++), it changes the pointer and skips over the first character of str.

This needs to be replaced with a for loop such as: for(char* p = str; *p; p++)

This is a significant bug in this module, because it causes the hash algorithm to fail to be replicable by outside hash implementations 1 out of every 64 hashes on average.