From 4936f7dc386e0f0e16d4835954ab061e87399912 Mon Sep 17 00:00:00 2001
From: Benny Baumann <BenBE@geshi.org>
Date: Mon, 11 Dec 2023 13:44:41 +0100
Subject: pam_timestamp: prefer getrandom(2) when available

* configure.ac (AC_CHECK_HEADERS): Add sys/random.h.
(AC_CHECK_FUNCS): Add getrandom.
* modules/pam_timestamp/hmac_openssl_wrapper.c [HAVE_SYS_RANDOM_H]:
Include <sys/random.h>.
(generate_key) [HAVE_GETRANDOM]: Call getrandom(2) before trying
to open /dev/urandom.
---
 modules/pam_timestamp/hmac_openssl_wrapper.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

(limited to 'modules/pam_timestamp')

diff --git a/modules/pam_timestamp/hmac_openssl_wrapper.c b/modules/pam_timestamp/hmac_openssl_wrapper.c
index a633a2bf..bf0f6e9c 100644
--- a/modules/pam_timestamp/hmac_openssl_wrapper.c
+++ b/modules/pam_timestamp/hmac_openssl_wrapper.c
@@ -56,6 +56,10 @@
 #include "hmac_openssl_wrapper.h"
 #include "pam_inline.h"
 
+#ifdef HAVE_SYS_RANDOM_H
+#include <sys/random.h>
+#endif
+
 #define LOGIN_DEFS          "/etc/login.defs"
 #define CRYPTO_KEY          "HMAC_CRYPTO_ALGO"
 #define DEFAULT_ALGORITHM   "SHA512"
@@ -94,6 +98,15 @@ generate_key(pam_handle_t *pamh, char **key, size_t key_size)
         return PAM_AUTH_ERR;
     }
 
+#ifdef HAVE_GETRANDOM
+    /* Fallback to getrandom(2) if available */
+    if (getrandom(tmp, key_size, 0) == (ssize_t)key_size) {
+        *key = tmp;
+        return PAM_SUCCESS;
+    }
+#endif
+
+    /* Fallback to /dev/urandom */
     fd = open("/dev/urandom", O_RDONLY);
     if (fd == -1) {
         pam_syslog(pamh, LOG_ERR, "Cannot open /dev/urandom: %m");
-- 
cgit v1.2.3