Tcl Library Source Code

View Ticket
Login
Ticket UUID: 861f53ff24c0a5c23306db9f5118d790a4cd3ec0
Title: md5_bin is used from SASL::SCRAM
Type: Patch Version:
Submitter: anonymous Created on: 2014-01-13 06:53:01
Subsystem: sasl Assigned To: aku
Priority: 5 Medium Severity: Important
Status: Closed Last Modified: 2014-01-21 17:29:30
Resolution: Fixed Closed By: aku
    Closed on: 2014-01-21 17:29:30
Description:
Hi!

SASL::SCRAM package uses [SASL::CreateNonce] to generate a random string, and it doesn't work well if /dev/urandom is not available, because it tries to call md5_bin and fails because md5_init wasn't called.

I'd like to propose the following patch to SASL.tcl (I've made it for an AS distribution, so the line numbers and filename are a bit off):

--- SASL-1.3.2.tm.orig	Mon Nov 26 15:27:07 2012
+++ SASL-1.3.2.tm	Mon Jan 13 10:46:51 2014
@@ -636,6 +636,7 @@
         }
     }
     if {[string length $bytes] < 1} {
+        md5_init
         set bytes [md5_bin [clock seconds]:[pid]:[expr {rand()}]]
     }
     return [binary scan $bytes h* r; set r]
User Comments: aku added on 2014-01-21 17:29:30:
Fix in revision [8175173735].
Committed.
Pushed.
Thank you for the report, and patch.

aku added on 2014-01-21 17:22:24:
Yes, that looks right.
Will apply.
(Should add tests for CreateNonce, if that is a public command).