From 8e95e2af01b5880b37b17bb23b4c187a88046bdf Mon Sep 17 00:00:00 2001
From: Benny Baumann
Date: Mon, 11 Dec 2023 13:46:15 +0100
Subject: pam_timestamp: try RAND_priv_bytes first
* modules/pam_timestamp/hmac_openssl_wrapper.c: Include .
(generate_key): Try RAND_priv_bytes before getrandom.
---
 modules/pam_timestamp/hmac_openssl_wrapper.c | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'modules/pam_timestamp')
diff --git a/modules/pam_timestamp/hmac_openssl_wrapper.c b/modules/pam_timestamp/hmac_openssl_wrapper.c
index bf0f6e9c..8fa6068e 100644
--- a/modules/pam_timestamp/hmac_openssl_wrapper.c
+++ b/modules/pam_timestamp/hmac_openssl_wrapper.c
@@ -49,6 +49,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
@@ -98,6 +99,12 @@ generate_key(pam_handle_t *pamh, char **key, size_t key_size)
 return PAM_AUTH_ERR;
 }
+ /* Try to get random data from OpenSSL first */
+ if (RAND_priv_bytes((unsigned char *)tmp, key_size) == 1) {
+ *key = tmp;
+ return PAM_SUCCESS;
+ }
+
 #ifdef HAVE_GETRANDOM
 /* Fallback to getrandom(2) if available */
 if (getrandom(tmp, key_size, 0) == (ssize_t)key_size) {
--
cgit v1.2.3
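Review bot: In the added block of generate_key, `key_size` is a `size_t` but `RAND_priv_bytes()` takes an `int` length, so the argument is narrowed implicitly. If a caller ever passed a value above `INT_MAX`, OpenSSL could fill fewer bytes than requested and still return 1, and the function would hand back `PAM_SUCCESS` with a key buffer that is partly uninitialized. Callers presumably pass a small digest-derived size, but that is not visible in this hunk, so I would make the bound explicit: `if (key_size <= INT_MAX && RAND_priv_bytes((unsigned char *)tmp, (int)key_size) == 1) {` (this needs `<limits.h>`). An oversized request then falls through to the existing getrandom path, which already compares the returned length with `key_size`. generate_key's body starts and ends outside the hunk, so the allocation of `tmp` and the remaining fallbacks could not be checked here.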