Package: gpw
Version: 0.0.19940601-8.1
Severity: normal
Tags: patch

Hi,

In some (rare) cases gpw does not generate a password of the length the
user declared.

An example to see this problem:
> gpw 1000000 10 | sed '/^.\{10\}$/d'
prints out ~20 lines which are shorter than 10 chars.
The reason is that there are bigrams without trigrams (qs in this case),
which cannot be completed.

I resolved this problem by checking the bi- and trigrams in loadtris.c before
writing and excluding bi- and trigrams which cannot be continued.

PS: I am not sure of the severity of this bug. On the one side, this bug
appears very seldom and shouldn't affect a typical user, but on the
other side, a script may use this to generate a password (for example an
initial user password for a website or so), and when the bug appears here
a 2 or 3 char password could be generated instead of a secure long password.
In this case, the bug could be security relevant.

Greetings,
Michael

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (700, 'testing'), (650, 'unstable'), (600, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 3.1.0-1-686-pae (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages gpw depends on:
ii  libc6  2.13-21

gpw recommends no packages.

gpw suggests no packages.

-- no debconf information
--- gpw-0.0.19940601/loadtris.c	2001-05-30 19:26:16.000000000 +0200
+++ a/gpw-0.0.19940601/loadtris.c	2011-12-09 10:38:15.350335891 +0100
@@ -20,6 +20,28 @@
 
 FILE *fp;
 
+void checktris() {
+	int c1, c2, c3;
+	for(c1=0; c1<26; c1++) {
+		for(c2=0; c2<26; c2++) {
+			int hastris = 0;
+			for(c3=0; c3<26; c3++) {
+				if(tris[c1][c2][c3]) {
+					hastris = 1;
+					break;
+				}
+			}
+			if(!hastris) {				/* if [c1][c2] has no tris... */
+				duos[c1][c2] = 0; 		/* ... do not use the duo ...*/
+				for(c3=0; c3<26; c3++) {	/* ... and don't use tris */
+					sigma-=tris[c3][c1][c2];/*     which are ending */
+					tris[c3][c1][c2] = 0;	/*     on [c1][c2] ...*/
+				}
+			}
+		}
+	}
+}
+
 int main (int argc, char ** argv) {
 	char buf[100];
 	int j;
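Review bot: checktris() makes a single sweep over (c1, c2), so the inner loop that zeroes tris[c3][c1][c2] can leave a new dead end behind. When the zeroed entry was the last trigram beginning with the bigram [c3][c1], and [c3][c1] was already visited earlier in the sweep, that bigram is never rechecked and the trigrams ending on it stay in the table. Suggest repeating the sweep until a pass changes nothing, for instance by setting a changed flag inside the if(!hastris) block and wrapping the two outer loops in do { ... } while (changed). A smaller style point: the function takes no arguments and, as far as the patch shows, is only called from main, so static void checktris(void) would be the tighter declaration.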
@@ -89,6 +111,7 @@
 	}							    /* for argno */
 
 	if (nfiles) {				    /* find any input? */
+		checktris();
 		printf ("/* BEGIN INCLUDE FILE .. trigram.h */\n"); /* Multics style */
 		printf ("\n");
 		printf ("const long sigma = %ld;\n", sigma);
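Review bot: the checktris() call has to stay ahead of the printf that emits sigma, because checktris() subtracts the dropped counts from sigma; a one-line comment at the call saying so would keep a later reorder from writing a sigma that no longer matches the tris table. Since the pruning is silent and stdout carries the generated header, consider also reporting the number of dropped bi- and trigrams on stderr, so that whoever regenerates trigram.h can see that the input statistics were altered.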

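The dead-end condition described in the report (a bigram with no trigram to continue it) can cascade: dropping the trigrams that end on one dead bigram may remove the last continuation of another. The following is an added example, not code from gpw or from the patch; it uses a constructed 4-letter table and hypothetical function names to show one pruning pass leaving a dead end and a repeat-until-stable loop clearing it.

```c
#include <stdio.h>
#include <string.h>
#define N 4                      /* constructed alphabet a..d; gpw uses 26 */
static long tris[N][N][N];       /* tris[x][y][z] = count of trigram xyz */
static long sigma;               /* sum of all trigram counts */

static int continues(int c1, int c2) {    /* any trigram starting c1c2? */
    for (int c3 = 0; c3 < N; c3++)
        if (tris[c1][c2][c3]) return 1;
    return 0;
}
/* One sweep: drop trigrams ending on a dead bigram; returns entries dropped. */
static int prune_pass(void) {
    int dropped = 0;
    for (int c1 = 0; c1 < N; c1++)
        for (int c2 = 0; c2 < N; c2++) {
            if (continues(c1, c2)) continue;
            for (int c3 = 0; c3 < N; c3++)
                if (tris[c3][c1][c2]) {
                    sigma -= tris[c3][c1][c2];
                    tris[c3][c1][c2] = 0; dropped++;
                }
        }
    return dropped;
}
/* Repeat sweeps until one drops nothing; returns the total dropped. */
static int prune_to_fixpoint(void) {
    int total = 0, n;
    while ((n = prune_pass()) > 0) total += n;
    return total;
}
static int dead_ends(void) {     /* live trigrams whose tail cannot continue */
    int n = 0;
    for (int a = 0; a < N; a++)
        for (int b = 0; b < N; b++)
            for (int c = 0; c < N; c++)
                if (tris[a][b][c] && !continues(b, c)) n++;
    return n;
}
static void load_sample(void) {  /* constructed data: aaa=5 aab=3 abc=2 bcd=1 */
    memset(tris, 0, sizeof tris);
    tris[0][0][0] = 5; tris[0][0][1] = 3; tris[0][1][2] = 2; tris[1][2][3] = 1;
    sigma = 11;
}
int main(void) {
    load_sample();
    int one = prune_pass(), left = dead_ends(), more = prune_to_fixpoint();
    printf("pass 1 dropped %d, dead ends left %d, later passes dropped %d, sigma %ld\n", one, left, more, sigma);
    return 0;
}
```

In the sample, "bcd" is the only continuation of "bc", so dropping it for ending on the dead bigram "cd" strands "abc", and dropping "abc" in turn strands "aab".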