Tcl Library Source Code
View Ticket
Not logged in
Bounty program for improvements to Tcl and certain Tcl packages.
Ticket UUID: 861f53ff24c0a5c23306db9f5118d790a4cd3ec0
Title: md5_bin is used from SASL::SCRAM
Type: Patch Version:
Submitter: anonymous Created on: 2014-01-13 06:53:01
Subsystem: sasl Assigned To: aku
Priority: 5 Medium Severity: Important
Status: Closed Last Modified: 2014-01-21 17:29:30
Resolution: Fixed Closed By: aku
    Closed on: 2014-01-21 17:29:30

SASL::SCRAM package uses [SASL::CreateNonce] to generate a random string, and it doesn't work well if /dev/urandom is not available, because it tries to call md5_bin and fails because md5_init wasn't called.

I'd like to propose the following patch to SASL.tcl (I've made it for an AS distribution, so the line numbers and filename are a bit off):

---	Mon Nov 26 15:27:07 2012
+++	Mon Jan 13 10:46:51 2014
@@ -636,6 +636,7 @@
     if {[string length $bytes] < 1} {
+        md5_init
         set bytes [md5_bin [clock seconds]:[pid]:[expr {rand()}]]
     return [binary scan $bytes h* r; set r]
User Comments: aku added on 2014-01-21 17:29:30:
Fix in revision [8175173735].
Thank you for the report, and patch.

aku added on 2014-01-21 17:22:24:
Yes, that looks right.
Will apply.
(Should add tests for CreateNonce, if that is a public command).