bin/44808: opiepasswd makes bad seed for existing user
Alan Amesbury
aka-CHKE7RJUQGNmU-freebsd.com at mailswitch.net
Sun Jun 8 23:40:09 PDT 2003
The following reply was made to PR bin/44808; it has been noted by GNATS.
From: Alan Amesbury <aka-CHKE7RJUQGNmU-freebsd.com at mailswitch.net>
To: freebsd-gnats-submit at FreeBSD.org
Cc: sakamoto at hlla.is.tsukuba.ac.jp
Subject: Re: bin/44808: opiepasswd makes bad seed for existing user
Date: Mon, 9 Jun 2003 01:32:38 -0500
This behaviour is also present in 4.8-RELEASE. Hideki Sakamoto's patch
seems to correct the behaviour, though. (It wouldn't apply cleanly,
possibly due to minor formatting differences in the source files or
something. Easily corrected, though.) This is a severe bug for those
of us who use OPIE.
I'm curious why newseed.c seems to build its value based on the previous
seed. It would seem to make more sense to use random(3) (not rand(3)!)
and verify that 1) the new value doesn't equal the old, and 2) the seed
size conforms with OPIE's seed size requirements. I'd write such
functionality, but I'm a bit out of my depth when it comes to serious
crypto.
In case it's needed, the exact patch applied against the newseed.c in
4.8-RELEASE is:
---------- Patch for newseed.c ----------
*** newseed.c.orig Mon Jul 15 09:48:47 2002
--- newseed.c Mon Jun 9 01:13:25 2003
***************
*** 54,65 ****
max *= 10;
if ((i = strtoul(++c, (char **)0, 10)) < max) {
! if (++i >= max)
! i = 1;
!
! snprintf(c, end - c, "%d", i);
! seed[OPIE_SEED_MAX] = 0;
! return 0;
}
}
--- 54,64 ----
max *= 10;
if ((i = strtoul(++c, (char **)0, 10)) < max) {
! if (++i < max) {
! snprintf(c, end - c + 2, "%d", i);
! seed[OPIE_SEED_MAX] = 0;
! return 0;
! }
}
}
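Review bot: with the inner test turned into `if (++i < max) { ... }`, the exhausted-counter case (the old seed's digits already at their maximum, e.g. all nines) now falls out through both closing braces with the seed untouched, where the old code wrapped to `i = 1`. That is the right choice only if the code after these braces, which the hunk does not show, goes on to generate a fresh seed and never returns 0 with the old seed still in place; please confirm that path and note it in a comment, since the whole point of the function is that the new seed differs from the old one. Two smaller points on `snprintf(c, end - c + 2, "%d", i);`: the widened bound is only safe if `end` is at least two bytes inside the allocation behind `seed` (how `end` is computed is not visible here; `end - c + 1` is the tight bound, because `i < max` means the new value has at most as many digits as were parsed), and `i` is assigned from `strtoul`, so if it is declared unsigned the conversion should be `%u` rather than `%d`.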
-------- End patch for newseed.c --------
Again, I take no credit for it... and thanks to Hideki for coming up
with it in the first place!
--
Alan Amesbury
- - - "Deep Thoughts," by Jack Handey - - -
You know something that would really make me applaud? A guy gets stuck in
quicksand, then sinks, then suddenly comes shooting out, riding on water
skis! How do they do that?!
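An added example, not code from this PR, from OPIE or from FreeBSD: a C sketch of the seed rotation the patched hunk performs (bump the trailing decimal counter of the existing seed) together with the fallback the message asks for (a fresh seed from a non-predictable source, checked to differ from the old seed and to meet the seed length rules). SEED_MIN and SEED_MAX, the lowercase-alphanumeric rule in seed_valid, and the two-host-letters-plus-four-digits shape of a fresh seed are assumptions made here; check them against opie.h and opienewseed in your tree. Randomness comes from /dev/urandom rather than random(3), which is not a cryptographic generator.

```c
/*
 * Added example (not OPIE's or FreeBSD's code): OPIE-style seed rotation for
 * opiepasswd on an existing user.  Two paths, in the order the patched hunk
 * uses them: bump the trailing decimal counter of the old seed, and only if
 * that is impossible fall back to a freshly generated seed.
 *
 * SEED_MIN/SEED_MAX are assumed to match OPIE_SEED_MIN/OPIE_SEED_MAX in
 * opie.h; the "two host letters plus digits" shape of a fresh seed is the
 * conventional look of OPIE seeds and is likewise an assumption here.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SEED_MIN 5
#define SEED_MAX 16

/* Length and character-set check: 5..16 lowercase alphanumerics (assumed rule). */
int seed_valid(const char *s)
{
    size_t len = strlen(s);
    if (len < SEED_MIN || len > SEED_MAX)
        return 0;
    for (; *s; s++)
        if (!islower((unsigned char)*s) && !isdigit((unsigned char)*s))
            return 0;
    return 1;
}

/*
 * Increment the trailing decimal counter of seed (a buffer of SEED_MAX + 1
 * bytes) in place, keeping its width so the seed never shrinks or grows.
 * Returns 0 on success, 1 when there is no counter or it is exhausted
 * ("fr9999" is reported exhausted rather than wrapped to "fr1"), and -1 if
 * the input is not a valid seed.  The snprintf bound is derived from the
 * digit count (ndig + 1), not from an end pointer of uncertain meaning.
 */
int seed_increment(char *seed)
{
    if (!seed_valid(seed))
        return -1;
    size_t len = strlen(seed), ndig = 0;
    while (ndig < len && isdigit((unsigned char)seed[len - 1 - ndig]))
        ndig++;
    if (ndig == 0)
        return 1;

    char *digits = seed + len - ndig;
    unsigned long long max = 1, n = strtoull(digits, NULL, 10);
    for (size_t k = 0; k < ndig; k++)   /* ndig <= 16, so max <= 1e16 fits */
        max *= 10;
    if (n + 1 >= max)                    /* would need ndig + 1 digits */
        return 1;
    /* n + 1 < max guarantees at most ndig digits; %0* keeps leading zeros. */
    snprintf(digits, ndig + 1, "%0*llu", (int)ndig, n + 1);
    return 0;
}

/*
 * Build a fresh seed from two letters of the hostname and one random value.
 * Returns 0 and fills seed, or -1 if the result is unusable: invalid, or
 * equal to the seed being replaced, which the caller must retry with new
 * randomness rather than accept.
 */
int seed_fresh(char *seed, const char *hostname, const char *old, unsigned r)
{
    char prefix[3] = "xx";
    for (int k = 0; k < 2 && hostname[k]; k++)
        if (isalnum((unsigned char)hostname[k]))
            prefix[k] = (char)tolower((unsigned char)hostname[k]);
    /* r % 10000 has negligible modulo bias for a 32-bit r; prefer
     * arc4random_uniform(10000) where it is available. */
    snprintf(seed, SEED_MAX + 1, "%s%04u", prefix, r % 10000u);
    if (!seed_valid(seed) || strcmp(seed, old) == 0)
        return -1;
    return 0;
}

/* Random source: /dev/urandom, not random(3)/rand(3), which are predictable. */
unsigned rnd_urandom(void)
{
    unsigned r;
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f || fread(&r, sizeof r, 1, f) != 1)
        abort();
    fclose(f);
    return r;
}

/* Replace the user's seed in place: counter bump first, fresh seed otherwise. */
int seed_next(char *seed, const char *hostname, unsigned (*rnd)(void))
{
    char old[SEED_MAX + 1];
    snprintf(old, sizeof old, "%s", seed);
    if (seed_increment(seed) == 0)
        return 0;
    for (int attempt = 0; attempt < 16; attempt++)
        if (seed_fresh(seed, hostname, old, rnd()) == 0)
            return 0;
    return -1;
}

int main(void)
{
    /* Constructed sample seeds: normal, exhausted, width-preserving, no counter, too short. */
    const char *samples[] = { "fr0001", "fr9999", "ab0009", "abcde", "fr1" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char seed[SEED_MAX + 1];
        snprintf(seed, sizeof seed, "%s", samples[i]);
        int rc = seed_next(seed, "freebsd.org", rnd_urandom);
        printf("%-8s -> %s (rc=%d)\n", samples[i], rc == 0 ? seed : "FAILED", rc);
    }
    return 0;
}
```

Two deliberate differences from the hunk: the counter keeps its width ("fr0001" becomes "fr0002", not "fr2"), so an incremented seed can never drop below the minimum length, and an exhausted counter is reported to the caller instead of being wrapped, so the fallback path is taken explicitly and the result is checked against the old seed before it is accepted.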
More information about the freebsd-bugs mailing list