I think I see the bug with the view-only password...
First, this is done for the main password (if it exists):
// key is simply password padded with nulls
for (i = 0; i < 127 && i < strlen(password); i++) {
key[i] = password[i];
}
And then the key is used to encrypt the challenge.
But then it is done again for the view-only password:
// key is simply password padded with nulls
for (i = 0; i < 127 && i < strlen(VOpassword); i++) {
key[i] = VOpassword[i];
}
And then this new key is used to encrypt again.
But the new key (view-only password, in theory) can have garbage
left over from the main password if the main password is longer.
It is then not simply the "password padded with nulls"...
This explains quite effectively why the view-only password must
be at least as long as the main password for it to work correctly.
Hope that helps!
Adrian
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to [EMAIL PROTECTED]
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------
