Check for RAND_bytes failures in the ClientHello. (Imported from upstream's e1b568dd2462f7cacf98f3d117936c34e2849a6b.) Our RAND_bytes secretly can't actually fail, but we should propagate the check upwards. Change-Id: Ieaaea98dad00bf73b1c0a42c039507d76b10ac78 Reviewed-on: https://boringssl-review.googlesource.com/4003 Reviewed-by: Adam Langley <agl@google.com>

commit: 2ddba8cd48f8c5d3d7658470140393d5158ee6d4 [log] [tgz]
author: David Benjamin <davidben@chromium.org> Wed Mar 18 19:40:51 2015 -0400
committer: Adam Langley <agl@google.com> Thu Mar 19 11:08:25 2015 +0000
tree: 59960f4a0468e8a7e5bb9e8c6437af1aba5196d2
parent: 33058583422a78cdbaf706212b70409b003f1847 [diff]
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 5f891d4..d0dc2bd 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c

@@ -629,8 +629,9 @@
 
     /* If resending the ClientHello in DTLS after a HelloVerifyRequest, don't
      * renegerate the client_random. The random must be reused. */
-    if (!SSL_IS_DTLS(s) || !s->d1->send_cookie) {
-      ssl_fill_hello_random(s, 0, p, sizeof(s->s3->client_random));
+    if ((!SSL_IS_DTLS(s) || !s->d1->send_cookie) &&
+        !ssl_fill_hello_random(s, 0, p, sizeof(s->s3->client_random))) {
+      goto err;
     }
 
     /* Do the message type and length last. Note: the final argument to
commit	2ddba8cd48f8c5d3d7658470140393d5158ee6d4	[log] [tgz]
author	David Benjamin <davidben@chromium.org>	Wed Mar 18 19:40:51 2015 -0400
committer	Adam Langley <agl@google.com>	Thu Mar 19 11:08:25 2015 +0000
tree	59960f4a0468e8a7e5bb9e8c6437af1aba5196d2
parent	33058583422a78cdbaf706212b70409b003f1847 [diff]