random seed too small
Submitted by Simon Josefsson
Link to original bug (#673140)
Description
Hi! I was looking at the randomness APIs in glib and noticed the seeding function:
http://git.gnome.org/browse/glib/tree/glib/grand.c#n206
That reads 4 bytes from /dev/urandom and falls back to using local time and PID/PPID if reading from /dev/urandom fails. I don't see any re-seeding happening. Generating the PRNG outputs for all 4-byte (2^32) seeds is simple, and allows attackers to predict future PRNG outputs if they have been able to determine the seed by looking at earlier PRNG values.
I could not find any indication in the manual whether the functions are intended to be used for cryptographic purposes. The manual is here:
http://developer.gnome.org/glib/2.32/glib-Random-Numbers.html#glib-Random-Numbers.description
However, it refers to the Mersenne twister (a known crypto PRNG) and says glib uses a "good PRNG". It is easy to be misled into thinking the PRNG outputs are safe for crypto use.
At the least, I suggest the manual be updated to warn implementers that the generated numbers are not generally safe for use in cryptography. A better solution would be to make the numbers safe for use in cryptography, which requires reading a larger seed and avoiding the fallback, and to re-seed the PRNG continuously.
My understanding of the glib code is limited, so I may have missed something. Further discussion is appreciated. I have not analyzed whether there is any code out there that uses glib for crypto PRNG, which could be an interesting exercise.
/Simon
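As an added illustration of the mitigation the report asks for (a larger seed, read fully, with no time/PID fallback), here is a small C routine written for this page; it is not glib's code and does not touch grand.c. The 32-byte minimum, the function name read_seed and the all_zero sanity helper are assumptions made for the example. Continuous re-seeding, the report's other suggestion, is out of scope here.

```c
/* Added example (not glib's code): fail-closed seed acquisition from /dev/urandom.
 * The point is to replace the 4-byte read plus time/PID fallback described in the
 * report with a full-length read that returns an error instead of degrading. */
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>

/* 32 bytes = 256 bits of seed. This minimum is an assumption for the example; the
 * report's 4 bytes give only 2^32 seeds, which is why a short read is rejected. */
#define MIN_SEED_BYTES 32

/* Fill buf[0..len) entirely from /dev/urandom.
 * Returns 0 on success and -1 on any failure. There is deliberately no fallback
 * to time or PID values: a caller that cannot get a real seed must not proceed
 * as if it had one. */
int read_seed(unsigned char *buf, size_t len)
{
    if (buf == NULL || len < MIN_SEED_BYTES)
        return -1;                      /* refuse seeds too short to resist enumeration */

    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0)
        return -1;                      /* no device: error out, do not fall back */

    size_t got = 0;
    while (got < len) {                 /* loop: read() may return fewer bytes than asked */
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0) {
            if (errno == EINTR)
                continue;               /* interrupted by a signal: retry the read */
            close(fd);
            return -1;
        }
        if (n == 0) {                   /* unexpected EOF from the device */
            close(fd);
            return -1;
        }
        got += (size_t)n;
    }
    close(fd);
    return 0;
}

/* Sanity helper (assumed name): 1 if every byte is zero, else 0. Used only to
 * check that the buffer was actually written; it is not a randomness test. */
int all_zero(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] != 0)
            return 0;
    return 1;
}

int main(void)
{
    unsigned char seed[MIN_SEED_BYTES];
    if (read_seed(seed, sizeof seed) != 0) {
        fprintf(stderr, "could not read seed; refusing to continue\n");
        return 1;
    }
    printf("read %zu seed bytes, all_zero=%d\n", sizeof seed, all_zero(seed, sizeof seed));
    return 0;
}
```

The contrast with the behaviour described in the report is the error path: a failed open or read makes read_seed return -1, and the caller decides what to do, rather than the library silently substituting low-entropy values.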