Full_Name: Jon Roose
Submission from: (NULL) (18.104.22.168)
The b64_to_ab64 function within the pbkdf2 password module is incorrect.
When str == '+' this function fails to convert that first character to a
The file in question is here: contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c
and occurs at line 62 in the current version of the file.
This occurs because when you write while (*p++), it changes the pointer and
skips over the first character of str.
This needs to be replaced with a for loop such as:
for(char* p = str; *p; p++)
This is a significant bug in this module, because it causes the hash algorithm
to fail to be replicable by outside hash implementations 1 out of every 64
hashes on average.
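The loop behaviour described in the report, as an added example that is not part of the original submission and not code copied from pw-pbkdf2.c. The body of `b64_to_ab64_buggy` is reconstructed from the report's description, the `'+'` to `'.'` mapping and `'='` stripping follow the usual adapted-base64 convention and are assumptions here, and `convert` plus the sample strings are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Loop shape the report describes: the post-increment in the condition
 * advances p before the body runs, so str[0] is never rewritten. */
static void b64_to_ab64_buggy(char *str)
{
    char *p = str;
    while (*p++) {
        if (*p == '+')
            *p = '.';
        if (*p == '=') {
            *p = '\0';
            break;
        }
    }
}

/* Loop form proposed in the report: the body sees every character from str[0]. */
static void b64_to_ab64_fixed(char *str)
{
    for (char *p = str; *p; p++) {
        if (*p == '+')
            *p = '.';
        if (*p == '=') {
            *p = '\0';
            break;
        }
    }
}

/* Hypothetical helper: copy a sample into out, run one converter, return out. */
static const char *convert(void (*fn)(char *), const char *in, char *out, size_t n)
{
    strncpy(out, in, n - 1);
    out[n - 1] = '\0';
    fn(out);
    return out;
}

int main(void)
{
    /* Constructed base64-style samples, not real password hashes. */
    const char *samples[] = { "+abc+def==", "abc+def=", "+" };
    char a[32], b[32];
    for (size_t i = 0; i < 3; i++)
        printf("%-12s buggy=%-10s fixed=%s\n", samples[i],
               convert(b64_to_ab64_buggy, samples[i], a, sizeof a),
               convert(b64_to_ab64_fixed, samples[i], b, sizeof b));
    return 0;
}
```

The two functions differ only on inputs whose first character is `'+'`, so a regression test for this module needs at least one salt or hash encoding that begins with that character.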