Check rng return value when generating secrets and IVs in libtls

1 files changed, 8 insertions, 6 deletions

diff --git a/src/libtls/tls_peer.c b/src/libtls/tls_peer.c
index 068dd3ae7..65072d087 100644
--- a/src/libtls/tls_peer.c
+++ b/src/libtls/tls_peer.c
@@ -709,13 +709,15 @@ static status_t send_client_hello(private_tls_peer_t *this,
 
 	htoun32(&this->client_random, time(NULL));
 	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	if (!rng)
+	if (!rng ||
+		!rng->get_bytes(rng, sizeof(this->client_random) - 4,
+						this->client_random + 4))
 	{
-		DBG1(DBG_TLS, "no suitable RNG found to generate client random");
+		DBG1(DBG_TLS, "failed to generate client random");
 		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		DESTROY_IF(rng);
 		return NEED_MORE;
 	}
-	rng->get_bytes(rng, sizeof(this->client_random) - 4, this->client_random + 4);
 	rng->destroy(rng);
 
 	/* TLS version */
@@ -903,13 +905,13 @@ static status_t send_key_exchange_encrypt(private_tls_peer_t *this,
 	chunk_t encrypted;
 
 	rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
-	if (!rng)
+	if (!rng || !rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2))
 	{
-		DBG1(DBG_TLS, "no suitable RNG found for TLS premaster secret");
+		DBG1(DBG_TLS, "failed to generate TLS premaster secret");
 		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		DESTROY_IF(rng);
 		return NEED_MORE;
 	}
-	rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2);
 	rng->destroy(rng);
 	htoun16(premaster, TLS_1_2);