From da3495c47226dff0419400d0f55aa7eaa8c6f7ef Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar
Date: Wed, 4 May 2022 14:17:34 +0200
Subject: [PATCH] nts: don't exit if initialization of priority cache fails

Initialization of the gnutls priority cache can fail depending on the system crypto policy (e.g. disabled TLS1.3). Log an error mentioning TLS, but continue to run without the server/client credentials.
---
 nts_ke_session.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/nts_ke_session.c b/nts_ke_session.c
index 96b08c1..dfcd18a 100644
--- a/nts_ke_session.c
+++ b/nts_ke_session.c
@@ -594,13 +594,13 @@ handle_step(struct timespec *raw, struct timespec *cooked, double dfreq,
 static int gnutls_initialised = 0;
-static void
+static int
 init_gnutls(void)
 {
 int r;
 if (gnutls_initialised)
- return;
+ return 1;
 r = gnutls_global_init();
 if (r < 0)
@@ -611,8 +611,12 @@ init_gnutls(void)
 r = gnutls_priority_init2(&priority_cache,
 "-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2:-VERS-DTLS-ALL",
 NULL, GNUTLS_PRIORITY_INIT_DEF_APPEND);
- if (r < 0)
- LOG_FATAL("Could not initialise %s : %s", "priority cache", gnutls_strerror(r));
+ if (r < 0) {
+ LOG(LOGS_ERR, "Could not initialise %s : %s",
+ "priority cache for TLS", gnutls_strerror(r));
+ gnutls_global_deinit();
+ return 0;
+ }
 /* Use our clock instead of the system clock in certificate verification */
 gnutls_global_set_time_function(get_time);
@@ -621,6 +625,8 @@ init_gnutls(void)
 DEBUG_LOG("Initialised");
 LCL_AddParameterChangeHandler(handle_step, NULL);
+
+ return 1;
 }
 /* ================================================== */
@@ -649,7 +655,8 @@ create_credentials(const char **certs, const char **keys, int n_certs_keys,
 gnutls_certificate_credentials_t credentials = NULL;
 int i, r;
- init_gnutls();
+ if (!init_gnutls())
+ return NULL;
 r = gnutls_certificate_allocate_credentials(&credentials);
 if (r < 0)
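Review bot: The new int return value of init_gnutls() is not documented anywhere in the hunk, so a reader of the `static int` signature cannot tell what 0 means or whether the function may be called again after a failure. I would add a comment above the definition: `/* Initialise gnutls once. Returns 1 on success, 0 if the TLS priority cache could not be created (e.g. the priority string is rejected by the system crypto policy); in that case no credentials can be created. */`. The same contract covers the `return 1;` added in the third hunk. The body of init_gnutls() continues past the end of this hunk.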
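Review bot: The failure branch returns 0 without recording that initialisation failed, so if `gnutls_initialised` is only set to 1 later in the function (that assignment is outside the hunk, so this is inferred), every subsequent call to init_gnutls() repeats gnutls_global_init(), gnutls_priority_init2() and the LOGS_ERR line. That may be deliberate so that a corrected crypto policy is picked up on the next attempt, but if create_credentials() is invoked per session or per source it will repeat the error in the log; either a static `int gnutls_init_failed` checked before the retry or a comment stating that retries are intentional would make the choice explicit. The gnutls_global_init() failure a few lines above this hunk still appears to use LOG_FATAL, so the two init errors are now handled differently, which is worth a one-line comment. From an operator's perspective the consequence of this branch is that NTS-KE is unavailable, which the message "Could not initialise priority cache for TLS" does not convey; stating that consequence here or where the NULL is consumed would make the log actionable.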
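Review bot: The early `return NULL` happens before any credentials are allocated, so no cleanup is needed here, but callers of create_credentials() (outside this hunk) now receive the same NULL for "gnutls could not be initialised" as for a bad certificate or key file, assuming the `if (r < 0)` at the end of the hunk also returns NULL, which its body does not show. Those callers should be checked to confirm they never dereference the result and to decide whether a server that was configured with a certificate should continue without NTS-KE or treat this as a startup error. A short comment on create_credentials() such as `/* Returns NULL if gnutls could not be initialised or the certificates/keys could not be loaded */` would document the widened failure contract. The rest of create_credentials() lies outside the hunk.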