From 71a681ae50175a569bf832d2615fd11994c41d73 Mon Sep 17 00:00:00 2001
From: Iwan Timmer
Date: Mon, 17 Jun 2019 22:33:50 +0200
Subject: [PATCH 1/1] resolved: add missing error code check when initializing DNS-over-TLS

---
 src/resolve/resolved-dnstls-gnutls.c | 9 +++++----
 src/resolve/resolved-dnstls-openssl.c | 14 +++++++++-----
 src/resolve/resolved-dnstls.h | 2 +-
 src/resolve/resolved-manager.c | 4 +++-
 4 files changed, 18 insertions(+), 11 deletions(-)

diff --git a/src/resolve/resolved-dnstls-gnutls.c b/src/resolve/resolved-dnstls-gnutls.c
index 7defd119a4b..d824d6ca5ac 100644
--- a/src/resolve/resolved-dnstls-gnutls.c
+++ b/src/resolve/resolved-dnstls-gnutls.c
@@ -194,14 +194,15 @@ void dnstls_server_free(DnsServer *server) {
         gnutls_free(server->dnstls_data.session_data.data);
 }
-void dnstls_manager_init(Manager *manager) {
+int dnstls_manager_init(Manager *manager) {
         int r;
         assert(manager);
-        gnutls_certificate_allocate_credentials(&manager->dnstls_data.cert_cred);
-        r = gnutls_certificate_set_x509_trust_file(manager->dnstls_data.cert_cred, manager->trusted_certificate_file, GNUTLS_X509_FMT_PEM);
+        r = gnutls_certificate_allocate_credentials(&manager->dnstls_data.cert_cred);
         if (r < 0)
-                log_error("Failed to load trusted certificate file %s: %s", manager->trusted_certificate_file, gnutls_strerror(r));
+                return -ENOMEM;
+
+        return 0;
 }
 void dnstls_manager_free(Manager *manager) {
diff --git a/src/resolve/resolved-dnstls-openssl.c b/src/resolve/resolved-dnstls-openssl.c
index 6b2e1b218f8..22d579a7f77 100644
--- a/src/resolve/resolved-dnstls-openssl.c
+++ b/src/resolve/resolved-dnstls-openssl.c
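Review bot: The new `if (r < 0) return -ENOMEM;` in dnstls_manager_init collapses whatever gnutls_certificate_allocate_credentials reported into ENOMEM and discards the gnutls code before it is recorded anywhere, so a non-allocation failure would reach manager_new looking like an out-of-memory condition. Logging the real cause at the point of failure keeps the -ENOMEM contract while preserving the diagnostic: `log_error("Failed to allocate TLS credentials: %s", gnutls_strerror(r));` followed by `return -ENOMEM;`, reusing the gnutls_strerror() call the removed line already had. dnstls_manager_init lies fully inside the hunk.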
@@ -344,17 +344,21 @@ void dnstls_server_free(DnsServer *server) {
         SSL_SESSION_free(server->dnstls_data.session);
 }
-void dnstls_manager_init(Manager *manager) {
+int dnstls_manager_init(Manager *manager) {
         int r;
         assert(manager);
         ERR_load_crypto_strings();
         SSL_load_error_strings();
         manager->dnstls_data.ctx = SSL_CTX_new(TLS_client_method());
-        if (manager->dnstls_data.ctx) {
-                SSL_CTX_set_min_proto_version(manager->dnstls_data.ctx, TLS1_2_VERSION);
-                SSL_CTX_set_options(manager->dnstls_data.ctx, SSL_OP_NO_COMPRESSION);
-        }
+
+        if (!manager->dnstls_data.ctx)
+                return -ENOMEM;
+
+        SSL_CTX_set_min_proto_version(manager->dnstls_data.ctx, TLS1_2_VERSION);
+        SSL_CTX_set_options(manager->dnstls_data.ctx, SSL_OP_NO_COMPRESSION);
+
+        return 0;
 }
 void dnstls_manager_free(Manager *manager) {
diff --git a/src/resolve/resolved-dnstls.h b/src/resolve/resolved-dnstls.h
index b01de2d9d20..2212821bdff 100644
--- a/src/resolve/resolved-dnstls.h
+++ b/src/resolve/resolved-dnstls.h
@@ -31,5 +31,5 @@ ssize_t dnstls_stream_read(DnsStream *stream, void *buf, size_t count);
 void dnstls_server_free(DnsServer *server);
-void dnstls_manager_init(Manager *manager);
+int dnstls_manager_init(Manager *manager);
 void dnstls_manager_free(Manager *manager);
diff --git a/src/resolve/resolved-manager.c b/src/resolve/resolved-manager.c
index 433d50cc2b5..02153b929fb 100644
--- a/src/resolve/resolved-manager.c
+++ b/src/resolve/resolved-manager.c
@@ -598,7 +598,9 @@ int manager_new(Manager **ret) {
                 log_warning_errno(r, "Failed to parse configuration file: %m");
 #if ENABLE_DNS_OVER_TLS
-        dnstls_manager_init(m);
+        r = dnstls_manager_init(m);
+        if (r < 0)
+                return r;
 #endif
         r = sd_event_default(&m->event);
-- 
2.39.2
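Review bot: `SSL_CTX_set_min_proto_version` returns 0 on failure and the new code still ignores that, so if setting the floor fails the context is kept and a connection could negotiate a protocol below TLS 1.2 — the one setting in this function that is security-relevant. Now that dnstls_manager_init can report errors, the result should be checked too: `if (SSL_CTX_set_min_proto_version(manager->dnstls_data.ctx, TLS1_2_VERSION) != 1) return -EINVAL;`. Returning early here leaves the already-assigned ctx to be released by dnstls_manager_free on the caller's cleanup path, which the hunk does not show and is worth confirming. SSL_CTX_new can also fail for reasons other than allocation, so logging the OpenSSL error queue before the new `return -ENOMEM;` would help diagnosis. dnstls_manager_init lies fully inside the hunk.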
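Review bot: The new `if (r < 0) return r;` in manager_new propagates the DNS-over-TLS initialization failure without any diagnostic, whereas the configuration-parse failure two lines above is logged with log_warning_errno. Both backends in this patch return a bare -ENOMEM, so the caller would only ever see an out-of-memory error with no indication that TLS setup was the failing step; `if (r < 0) return log_error_errno(r, "Failed to initialize DNS-over-TLS: %m");` keeps the return value and names the step, matching the file's existing logging style. manager_new continues outside the hunk.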