authorBenny Baumann <BenBE@geshi.org>2023-12-11 13:44:41 +0100
committerDmitry V. Levin <ldv@strace.io>2023-12-19 12:22:59 +0000
commit4936f7dc386e0f0e16d4835954ab061e87399912 (patch)
tree04ea63d085cfa58c4b7b53e7d33c7de67a6b8af8 /modules
parentf2227807c7878a14c6cb02fab363d9607d667ec4 (diff)
pam_timestamp: prefer getrandom(2) when available
* configure.ac (AC_CHECK_HEADERS): Add sys/random.h. (AC_CHECK_FUNCS): Add getrandom. * modules/pam_timestamp/hmac_openssl_wrapper.c [HAVE_SYS_RANDOM_H]: Include <sys/random.h>. (generate_key) [HAVE_GETRANDOM]: Call getrandom(2) before trying to open /dev/urandom.
Diffstat (limited to 'modules')
-rw-r--r--modules/pam_timestamp/hmac_openssl_wrapper.c13
1 files changed, 13 insertions, 0 deletions
diff --git a/modules/pam_timestamp/hmac_openssl_wrapper.c b/modules/pam_timestamp/hmac_openssl_wrapper.c
index a633a2bf..bf0f6e9c 100644
--- a/modules/pam_timestamp/hmac_openssl_wrapper.c
+++ b/modules/pam_timestamp/hmac_openssl_wrapper.c
@@ -56,6 +56,10 @@
#include "hmac_openssl_wrapper.h"
#include "pam_inline.h"
+#ifdef HAVE_SYS_RANDOM_H
+#include <sys/random.h>
+#endif
+
#define LOGIN_DEFS "/etc/login.defs"
#define CRYPTO_KEY "HMAC_CRYPTO_ALGO"
#define DEFAULT_ALGORITHM "SHA512"
@@ -94,6 +98,15 @@ generate_key(pam_handle_t *pamh, char **key, size_t key_size)
return PAM_AUTH_ERR;
}
+#ifdef HAVE_GETRANDOM
+ /* Fallback to getrandom(2) if available */
+ if (getrandom(tmp, key_size, 0) == (ssize_t)key_size) {
+ *key = tmp;
+ return PAM_SUCCESS;
+ }
+#endif
+
+ /* Fallback to /dev/urandom */
fd = open("/dev/urandom", O_RDONLY);
if (fd == -1) {
pam_syslog(pamh, LOG_ERR, "Cannot open /dev/urandom: %m");
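Review bot: An interrupted getrandom() call in generate_key drops straight through to /dev/urandom, which gives up the property that makes getrandom(2) preferable: with flags 0 it waits until the kernel pool is initialised, whereas /dev/urandom on older kernels does not wait. Retrying on EINTR and using the device only for other failures (such as ENOSYS on a kernel without the syscall) would keep that guarantee; the sketch below assumes <errno.h> is already included, which the hunk does not show. The comment `/* Fallback to getrandom(2) if available */` also reads backwards, since this is the first source tried; `/* Prefer getrandom(2) if available */` would match the commit title. generate_key's body starts and ends outside the hunk.

```c
#ifdef HAVE_GETRANDOM
	/* Prefer getrandom(2); retry if a signal interrupts the call. */
	{
		ssize_t n;

		do {
			n = getrandom(tmp, key_size, 0);
		} while (n == -1 && errno == EINTR);

		if (n == (ssize_t)key_size) {
			*key = tmp;
			return PAM_SUCCESS;
		}
	}
#endif

	/* … unchanged: /dev/urandom fallback … */
```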