Bug#658700: libpam-usb: Insufficient entropy in pad files

[Toby Speight]

Package: libpam-usb
Version: 0.5.0-1+tms1
Severity: normal
Tags: security, patch

When creating pad files of "random" data, the randomness is quite small.
For an attacker with a local account, the time of login and process id
are quite easy to guess.  (Using the deterministic rand() generator to
increase the length to 1024 bytes doesn't generate any extra randomness,
so that's a red herring).  Being generous, there's probably 8-12 bits of
entropy, from the point of view of a local adversary.

This patch increases the entropy bits sizeof(int)*CHAR_BIT bits (i.e. 32
bits where int is 32 bits), although it does nothing to deal with the
false impression of security given by creating a 8192-bit file.


Description: Increase entropy of generated pad files
  Seeding the random number generator from PID and current time
  provides very little entropy, as these can be guessed quite closely
  by an attacker, so use the kernel's random number generator instead.
Author: Toby Speight <t.m.speight...@cantab.net>
---
--- libpam-usb-0.5.0.orig/src/pad.c
+++ libpam-usb-0.5.0/src/pad.c
@@ -22,6 +22,7 @@
 #include <errno.h>
 #include <sys/types.h>
 #include <sys/stat.h>
+#include <fcntl.h>
 #include <pwd.h>
 #include <time.h>
 #include "conf.h"
@@ -181,6 +182,8 @@ static void pusb_pad_update(t_pusb_optio
 	FILE	*f_system = NULL;
 	char	magic[1024];
 	int		i;
+	unsigned int seed;
+	int devrandom;
 
 	if (!pusb_pad_should_update(opts, user))
 		return ;
@@ -201,7 +204,14 @@ static void pusb_pad_update(t_pusb_optio
 	pusb_pad_protect(user, fileno(f_system));
 
 	log_debug("Generating %d bytes unique pad...\n", sizeof(magic));
-	srand(getpid() * time(NULL));
+	devrandom = open("/dev/random", O_RDONLY);
+	if (devrandom < 0 || read(devrandom, &seed, sizeof seed) != sizeof seed) {
+		log_debug("/dev/random seeding failed...\n");
+		seed = getpid() * time(NULL); /* low-entropy fallback */
+	}
+	if (devrandom > 0)
+		close(devrandom);
+	srand(seed);
 	for (i = 0; i < sizeof(magic); ++i)
 		magic[i] = (char)rand();
 	log_debug("Writing pad to the device...\n");

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (900, 'testing'), (900, 'stable'), (400, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.1-balti (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libpam-usb depends on:
ii  libc6              2.13-24
ii  libdbus-1-3        1.4.16-1
ii  libxml2            2.7.8.dfsg-7
ii  multiarch-support  2.13-24
ii  pamusb-common      0.5.0-1+tms1
ii  pmount             0.9.23-2
ii  udisks             1.0.4-3

libpam-usb recommends no packages.

libpam-usb suggests no packages.

-- no debconf information