nts: don't exit if initialization of priority cache fails

Initialization of the gnutls priority cache can fail depending on the system crypto policy (e.g. disabled TLS1.3). Log an error mentioning TLS, but continue to run without the server/client credentials.
2022-05-04 14:17:34 +02:00 · 2022-05-04 14:17:34 +02:00 · da3495c472
commit da3495c472
parent 356771c0c3
1 changed files with 12 additions and 5 deletions
--- a/nts_ke_session.c
+++ b/nts_ke_session.c
@ -594,13 +594,13 @@ handle_step(struct timespec *raw, struct timespec *cooked, double dfreq,

 static int gnutls_initialised = 0;

-static void
+static int
 init_gnutls(void)
 {
  int r;

  if (gnutls_initialised)
-    return;
+    return 1;

  r = gnutls_global_init();
  if (r < 0)
@ -611,8 +611,12 @@ init_gnutls(void)
  r = gnutls_priority_init2(&priority_cache,
                            "-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2:-VERS-DTLS-ALL",
                            NULL, GNUTLS_PRIORITY_INIT_DEF_APPEND);
-  if (r < 0)
-    LOG_FATAL("Could not initialise %s : %s", "priority cache", gnutls_strerror(r));
+  if (r < 0) {
+    LOG(LOGS_ERR, "Could not initialise %s : %s",
+        "priority cache for TLS", gnutls_strerror(r));
+    gnutls_global_deinit();
+    return 0;
+  }

  /* Use our clock instead of the system clock in certificate verification */
  gnutls_global_set_time_function(get_time);
@ -621,6 +625,8 @@ init_gnutls(void)
  DEBUG_LOG("Initialised");

  LCL_AddParameterChangeHandler(handle_step, NULL);
+
+  return 1;
 }

 /* ================================================== */
@ -649,7 +655,8 @@ create_credentials(const char **certs, const char **keys, int n_certs_keys,
  gnutls_certificate_credentials_t credentials = NULL;
  int i, r;

-  init_gnutls();
+  if (!init_gnutls())
+    return NULL;

  r = gnutls_certificate_allocate_credentials(&credentials);
  if (r < 0)