From c8e3fac7a1dafd03f1dc67f372f7dfd4340aa9a7 Mon Sep 17 00:00:00 2001
From: "Andrey A. Chernov"
Date: Sat, 19 Jan 2002 04:58:51 +0000
Subject: [PATCH] Add yet one expired-right-now password check, in pam_sm_chauthtok srandomdev() can't be used in libraries, replace srandomdev()+random() by arc4random()
---
 lib/libpam/modules/pam_unix/pam_unix.c | 25 ++++++++++++-------------
 1 file changed, 12 insertions(+), 13 deletions(-)
diff --git a/lib/libpam/modules/pam_unix/pam_unix.c b/lib/libpam/modules/pam_unix/pam_unix.c
index 6f8c0b454ff..791bb49c98c 100644
--- a/lib/libpam/modules/pam_unix/pam_unix.c
+++ b/lib/libpam/modules/pam_unix/pam_unix.c
@@ -351,7 +351,8 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
 PAM_LOG("Encrypted password 1 is: %s", encrypted);
 PAM_LOG("Encrypted password 2 is: %s", pwd->pw_passwd);
- if (strcmp(encrypted, pwd->pw_passwd) != 0)
+ if (strcmp(encrypted, pwd->pw_passwd) != 0 ||
+ (pwd->pw_expire && time(NULL) >= pwd->pw_expire))
 PAM_RETURN(PAM_AUTH_ERR);
 retval = pam_set_item(pamh, PAM_OLDAUTHTOK, (const void *)pass);
@@ -504,15 +505,14 @@ local_passwd(const char *user, const char *pass)
 syslog(LOG_ERR, "cannot set password cipher");
 login_close(lc);
 /* Salt suitable for anything */
- srandomdev();
 gettimeofday(&tv, 0);
- to64(&salt[0], random(), 3);
+ to64(&salt[0], arc4random(), 3);
 to64(&salt[3], tv.tv_usec, 3);
 to64(&salt[6], tv.tv_sec, 2);
- to64(&salt[8], random(), 5);
- to64(&salt[13], random(), 5);
- to64(&salt[17], random(), 5);
- to64(&salt[22], random(), 5);
+ to64(&salt[8], arc4random(), 5);
+ to64(&salt[13], arc4random(), 5);
+ to64(&salt[17], arc4random(), 5);
+ to64(&salt[22], arc4random(), 5);
 salt[27] = '\0';
 pwd->pw_passwd = crypt(pass, salt);
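Review bot: The expiry test added to the `if` in pam_sm_chauthtok shares one condition with the wrong-password case, so both return `PAM_AUTH_ERR` and nothing is logged to tell them apart. Giving it its own branch, e.g. `if (pwd->pw_expire && time(NULL) >= pwd->pw_expire) { PAM_LOG("Account has expired"); PAM_RETURN(PAM_AUTH_ERR); }`, keeps the result but makes the refusal diagnosable. In the BSD `struct passwd`, `pw_expire` is the account-expiry field and password ageing is `pw_change`, so a short comment stating which one is intended would help, since the commit subject speaks of an expired password. The two context lines above the change pass both password hashes to `PAM_LOG`, which is worth dropping if this path is touched again; the function body starts and ends outside the hunk.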
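Review bot: Five of the 27 salt characters in local_passwd are still taken from `tv.tv_usec` and `tv.tv_sec`, so part of the stored salt is derived from the clock at password-change time rather than from the generator this commit switches to. Those two lines can use it as well, `to64(&salt[3], arc4random(), 3);` and `to64(&salt[6], arc4random(), 2);`, after which `gettimeofday(&tv, 0);` can be removed if `tv` has no other use outside the hunk. The yp_passwd hunk carries the identical block and the same applies there. Since the block is duplicated verbatim, it would read better as one static helper with a comment describing the salt layout. Both functions start and end outside their hunks.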
@@ -598,15 +598,14 @@ yp_passwd(const char *user, const char *pass)
 syslog(LOG_ERR, "cannot set password cipher");
 login_close(lc);
 /* Salt suitable for anything */
- srandomdev();
 gettimeofday(&tv, 0);
- to64(&salt[0], random(), 3);
+ to64(&salt[0], arc4random(), 3);
 to64(&salt[3], tv.tv_usec, 3);
 to64(&salt[6], tv.tv_sec, 2);
- to64(&salt[8], random(), 5);
- to64(&salt[13], random(), 5);
- to64(&salt[17], random(), 5);
- to64(&salt[22], random(), 5);
+ to64(&salt[8], arc4random(), 5);
+ to64(&salt[13], arc4random(), 5);
+ to64(&salt[17], arc4random(), 5);
+ to64(&salt[22], arc4random(), 5);
 salt[27] = '\0';
 if (suser_override)