Subject: | minor error in salt generation |
[ We've been in contact before with regard to this issue ( see http://bugs.debian.org/306293 ); I'm just filing it here for tracking purposes... ]
When you let Crypt::PasswdMD5 generate its own salt,
it only uses 63 values out of 64:
$itoa64 =
"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
...
$salt .= substr($itoa64,int(rand(64)+1),1)
while length($salt) < 8;
The int(rand(64)+1) returns 1..64, so "." is never used, and one out of
64 times an empty string is appended.
Because of the loop we'll still have 8 bytes, so it's not a big deal
(a total of 8*log(63)/log(2) = 47.8 bits of randomness instead of 48)
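The following script is an added example, not part of the bug report or of Crypt::PasswdMD5 itself. It places the original salt loop and the corrected one side by side, shows directly that substr at index 64 of the 64-character alphabet returns an empty string, and samples each generator to count how many distinct characters it can actually emit. The subroutine names salt_buggy, salt_fixed, distinct_chars and salt_bits are mine, and the sample size is arbitrary.

```perl
#!/usr/bin/perl
# Added example (not code from the report or from Crypt::PasswdMD5):
# compare the original and corrected salt generators and measure which
# characters of $itoa64 each one can actually produce.
use strict;
use warnings;

my $itoa64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

# Original loop: int(rand(64)+1) yields 1..64. Index 64 is one past the
# end of the 64-character string, so substr returns '' (silently, since the
# start equals the string length) and "." at index 0 is never selected.
sub salt_buggy {
    my $salt = '';
    $salt .= substr($itoa64, int(rand(64) + 1), 1) while length($salt) < 8;
    return $salt;
}

# Corrected loop as in the patch: int(rand(64)) yields 0..63, so every
# index is valid and exactly one character is appended per iteration.
sub salt_fixed {
    my $salt = '';
    $salt .= substr($itoa64, int(rand(64)), 1) while length($salt) < 8;
    return $salt;
}

# Draw $n salts from a generator and return the number of distinct
# characters observed across all of them.
sub distinct_chars {
    my ($gen, $n) = @_;
    my %seen;
    for (1 .. $n) {
        my $s = $gen->();
        die "salt is not 8 bytes" unless length($s) == 8;
        $seen{$_}++ for split //, $s;
    }
    return scalar keys %seen;
}

# Entropy in bits of an 8-character salt drawn uniformly from an
# alphabet of $k characters: 8 * log2($k).
sub salt_bits {
    my ($k) = @_;
    return 8 * log($k) / log(2);
}

# Direct demonstration of the off-by-one: index 64 is out of range.
my $past_end = substr($itoa64, 64, 1);
printf "substr at index 64 -> '%s' (length %d)\n", $past_end, length $past_end;

# Sample size is arbitrary; 20000 salts give 160000 characters, far more
# than needed for every reachable character to show up.
my $n = 20000;
printf "original: %d distinct characters, %.1f bits per salt\n",
    distinct_chars(\&salt_buggy, $n), salt_bits(63);
printf "patched:  %d distinct characters, %.1f bits per salt\n",
    distinct_chars(\&salt_fixed, $n), salt_bits(64);

# Note: both loops use Perl's rand(), which is not a cryptographically
# strong generator; the patch only corrects the index range.
```

Running it prints an empty string of length 0 for index 64, 63 distinct characters (no ".") and 47.8 bits for the original loop, and 64 distinct characters and 48.0 bits for the patched one.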
--- libcrypt-passwdmd5-perl-1.3.orig/PasswdMD5.pm
+++ libcrypt-passwdmd5-perl-1.3/PasswdMD5.pm
@@ -95,7 +95,7 @@
}
else {
$salt = ''; # in case no salt was proffered
- $salt .= substr($itoa64,int(rand(64)+1),1)
+ $salt .= substr($itoa64,int(rand(64)),1)
while length($salt) < 8;
}
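Review bot: the new index expression int(rand(64)) yields 0..63, so every index into the 64-character $itoa64 is valid, "." becomes reachable, and substr can no longer return an empty string; as a consequence each iteration appends exactly one character and the `while length($salt) < 8` modifier now runs exactly eight times, so a plain eight-iteration loop would be clearer than a length guard that exists only to absorb the old empty-string case. The patch keeps Perl's rand() as the source of randomness, which is not a cryptographically strong generator; that is a separate concern from this off-by-one fix and is not addressed here.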