D 2020-03-26T11:22:00.323
J foundin 4.0
J icomment The\scrypt\scommand\sused\sin\stclhttpd\srequires\sa\s2\scharacters\ssalt\sbut\ssometimes\sPassgen_Salt\sgenerates\sa\sshorter\ssalt\scaused\sby\sa\swrong\srandom\sindex\scalculation\sand\scrypt\sthows\san\serror.\r\n\r\nHow\sto\sreproduce:\r\n\r\nwhile\s{1}\s{\r\n\s\s\s\sset\ssalt\s[Passgen_Salt]\r\n\s\s\s\sif\s{[string\slength\s$salt]\s<\s2}\s{\r\n\s\s\s\s\s\s\s\sputs\s"salt=$salt"\r\n\s\s\s\s\s\s\s\scrypt\s"password"\s$salt\r\n\s\s\s\s}\r\n}\r\n\r\nThe\sproblemi\sis\scaused\sby\s[expr\sround(rand()*$slen)]\swhich\ssometimes\scalculates\san\sindex\sequal\sto\sthe\slength\sof\sthe\ssalt\sstring\sso\sthat\s[string\sindex\s$saltstr\s$index]\s=\s"".\r\n\r\nTo\sfix\sthe\sproblem\swe\sneed\sto\sreplace\sround()\swith\sint()\sin\spassgen.tcl:Passgen_Salt:\r\n\r\nproc\sPassgen_Salt\s{}\s{\r\n\s\s\s\sglobal\spassgen\r\n\s\s\s\sset\sslen\s[string\slen\s$passgen(saltstr)]\r\n\s\s\s\sreturn\s"[string\sindex\s$passgen(saltstr)\s[expr\s{int(rand()*$slen)}]][string\sindex\s$passgen(saltstr)\s[expr\s{int(rand()*$slen)}]]"\r\n}
J login anonymous
J mimetype text/x-fossil-plain
J private_contact 906425e3591abc7243c4f379097280af643e594c
J severity Important
J status Open
J title wrong\sindex\scalculation\sin\stclhttpd\sPassgen_Salt
J type Code_Defect
K fa1e4e0e6c6fa1e68188b594f357f39e7af976d6
U anonymous
Z 43f40438ed29d255f7e62b884d9726c6