X-Git-Url: https://www.tinc-vpn.org/git/browse?p=tinc;a=blobdiff_plain;f=src%2Fprotocol_key.c;h=b55e83078a045d975724de39d2d52cc0b57e61bf;hp=f2f317de5e9888a6d603a95e148bbde371ec139b;hb=6685f2c8afc4775c3656dccc5a37286c01c0e854;hpb=c4940a5c888d85b4c477b6face5e9a618e64718d

diff --git a/src/protocol_key.c b/src/protocol_key.c
index f2f317de..b55e8307 100644
--- a/src/protocol_key.c
+++ b/src/protocol_key.c
@@ -127,7 +127,8 @@ bool req_key_h(connection_t *c) {
 	/* Check if this key request is for us */
 
 	if(to == myself) {			/* Yes, send our own key back */
-		send_ans_key(from);
+		if (!send_ans_key(from))
+			return false;
 	} else {
 		if(tunnelserver)
 			return true;
@@ -156,7 +157,12 @@ bool send_ans_key(node_t *to) {
 	to->inkey = xrealloc(to->inkey, to->inkeylength);
 
 	// Create a new key
-	RAND_pseudo_bytes((unsigned char *)to->inkey, to->inkeylength);
+	if (1 != RAND_bytes((unsigned char *)to->inkey, to->inkeylength)) {
+		int err = ERR_get_error();
+		logger(LOG_ERR, "Failed to generate random for key (%s)", "SEND_ANS_KEY", ERR_error_string(err, NULL));
+		return false; // Do not send insecure keys, let connection attempt fail.
+	}
+
 	if(to->incipher)
 		EVP_DecryptInit_ex(&to->inctx, to->incipher, NULL, (unsigned char *)to->inkey, (unsigned char *)to->inkey + to->incipher->key_len);