From b7bb472af02fae62cf6061cacf55ff9d2034dc23 Mon Sep 17 00:00:00 2001
From: steering7253
Date: Mon, 18 May 2026 08:16:50 -0600
Subject: check rand_bytes for error
---
 pam_autopeer/pam_autopeer.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/pam_autopeer/pam_autopeer.c b/pam_autopeer/pam_autopeer.c
index f5051f3..b8b5457 100644
--- a/pam_autopeer/pam_autopeer.c
+++ b/pam_autopeer/pam_autopeer.c
@@ -12,6 +12,7 @@ gcc -shared -o pam_module.so pam_module.o -lpam
 #include
 #include
 #include
+#include
 int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) {
 return PAM_SUCCESS;
@@ -37,20 +38,27 @@ static const char *errors[] = { int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) { const char *username; int retval = pam_get_user(pamh, &username, "Username: "); - if (retval != PAM_SUCCESS) + if (retval != PAM_SUCCESS) { + pam_syslog(pamh, LOG_ERR, "Error get_user: %d", retval); + pam_error(pamh, "Error get_user: %d", retval); return PAM_SYSTEM_ERR; + } - int err; unsigned char nonce[10]; - RAND_bytes(nonce, 10); + if (RAND_bytes(nonce, 10) != 1) { + pam_syslog(pamh, LOG_ERR, "Error RAND_bytes: %d", ERR_get_error()); + pam_error(pamh, "Error RAND_bytes: %d", ERR_get_error()); + return PAM_SYSTEM_ERR; + } char s_nonce[21]; sprintf(s_nonce, "%x%x%x%x%x%x%x%x%x%x", nonce[0], nonce[1], nonce[2], nonce[3], nonce[4], nonce[5], nonce[6], nonce[7], nonce[8], nonce[9]); + char *key, *sig; pam_prompt(pamh, PAM_TEXT_INFO, NULL, "No SSH key was successful; entering PGP auth mode."); pam_prompt(pamh, PAM_PROMPT_ECHO_ON, &key, "Please enter a URL to download your ASCII-armored key:\n"); pam_prompt(pamh, PAM_PROMPT_ECHO_ON, &sig, "Please enter a ASCII-armored detached signature of the nonce '%s\\n', without newlines,\ni.e. `gpg -a --detach-sign -o - -u $YOUR_KEY <(echo %s) | tr -d '\\n'; echo`:\n", s_nonce, s_nonce); - int pid; + int pid, err; switch (pid = fork()) { case -1: // error err = errno; -- cgit v1.3.1-10-gc9f91
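Review bot: In the new RAND_bytes failure branch, `ERR_get_error()` is called twice and both results are printed with `%d`. The function returns an `unsigned long` and removes the entry it returns from the error queue, so the specifier does not match the argument and the second call (inside `pam_error`) reports a different entry or 0 rather than the code that was logged. Read it once with `unsigned long e = ERR_get_error();` and log it with `pam_syslog(pamh, LOG_ERR, "Error RAND_bytes: %lu", e);`. Since the caller is not yet authenticated at this point, the `pam_error` text could be a fixed generic message with the numeric code kept in syslog only; the same applies to the `get_user` branch above. pam_sm_authenticate continues past the end of this hunk.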