From 9457552a6543fe739a1f090bb657e634a70ffafe Mon Sep 17 00:00:00 2001
From: David Disseldorp <ddiss@suse.de>
Date: Wed, 22 Jul 2020 15:45:47 +0200
Subject: [PATCH 1/8] use openssl for random data generation

48a4e5b475836bcb952fb53a8bde45bdf68fe38f added an openssl dependency, so
use it for obtaining random buffers via RAND_bytes().

Suggested-by: Marcus Meissner <meissner@suse.de>
Signed-off-by: David Disseldorp <ddiss@suse.de>
---
 usr/auth.c | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/usr/auth.c b/usr/auth.c
index a222c53..a1d99e9 100644
--- a/usr/auth.c
+++ b/usr/auth.c
@@ -43,6 +43,7 @@ static const char acl_authmethod_set_chap_alg_list[] = "CHAP";
 static const char acl_reject_option_name[] = "Reject";
 
 #include <openssl/evp.h>
+#include <openssl/rand.h>
 static int auth_hash_init(EVP_MD_CTX **context, int chap_alg);
 static void auth_hash_update(EVP_MD_CTX *context, unsigned char *md, unsigned int);
 static unsigned int auth_hash_final(unsigned char *, EVP_MD_CTX *context);
@@ -1008,6 +1009,7 @@ acl_rmt_auth(struct iscsi_acl *client)
 	enum auth_dbg_status dbg_status;
 	const char *chap_rsp_key_val;
 	const char *chap_username_key_val;
+	int ssl_ret = 0;
 
 	switch (client->rmt_state) {
 	case AUTH_RMT_STATE_SEND_ALG:
@@ -1023,7 +1025,13 @@ acl_rmt_auth(struct iscsi_acl *client)
 			client->rmt_state = AUTH_RMT_STATE_DONE;
 			break;
 		}
-		get_random_bytes(id_data, 1);
+
+		ssl_ret = RAND_bytes(id_data, sizeof(id_data));
+		if (ssl_ret != 1) {
+			client->rmt_state = AUTH_RMT_STATE_ERROR;
+			client->dbg_status = AUTH_DBG_STATUS_AUTH_FAIL;
+			break;
+		}
 		client->send_chap_identifier = id_data[0];
 		snprintf(client->scratch_key_value, AUTH_STR_MAX_LEN, "%lu",
 			 (unsigned long)client->send_chap_identifier);
@@ -1032,8 +1040,13 @@ acl_rmt_auth(struct iscsi_acl *client)
 				  client->scratch_key_value);
 
 		client->send_chap_challenge.length = client->chap_challenge_len;
-		get_random_bytes(client->send_chap_challenge.large_binary,
-				 client->send_chap_challenge.length);
+		ssl_ret = RAND_bytes(client->send_chap_challenge.large_binary,
+				     client->send_chap_challenge.length);
+		if (ssl_ret != 1) {
+			client->rmt_state = AUTH_RMT_STATE_ERROR;
+			client->dbg_status = AUTH_DBG_STATUS_AUTH_FAIL;
+			break;
+		}
 		acl_set_key_value(&client->send_key_block,
 				  AUTH_KEY_TYPE_CHAP_CHALLENGE, "");
 
-- 
1.8.3.1