nts: don't exit if initialization of priority cache fails

Initialization of the gnutls priority cache can fail depending on the
system crypto policy (e.g. disabled TLS1.3). Log an error mentioning
TLS, but continue to run without the server/client credentials.

diff --git a/nts_ke_session.c b/nts_ke_session.c
index 96b08c14db6883b4c342c0031becc6835f384ebe..dfcd18ab3bedd442ef204569b561a71d4279b770 100644 (file)
--- a/nts_ke_session.c
+++ b/nts_ke_session.c
@@ -594,13 +594,13 @@ handle_step(struct timespec *raw, struct timespec *cooked, double dfreq,
 
 static int gnutls_initialised = 0;
 
-static void
+static int
 init_gnutls(void)
 {
   int r;
 
   if (gnutls_initialised)
-    return;
+    return 1;
 
   r = gnutls_global_init();
   if (r < 0)
@@ -611,8 +611,12 @@ init_gnutls(void)
   r = gnutls_priority_init2(&priority_cache,
                             "-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2:-VERS-DTLS-ALL",
                             NULL, GNUTLS_PRIORITY_INIT_DEF_APPEND);
-  if (r < 0)
-    LOG_FATAL("Could not initialise %s : %s", "priority cache", gnutls_strerror(r));
+  if (r < 0) {
+    LOG(LOGS_ERR, "Could not initialise %s : %s",
+        "priority cache for TLS", gnutls_strerror(r));
+    gnutls_global_deinit();
+    return 0;
+  }
 
   /* Use our clock instead of the system clock in certificate verification */
   gnutls_global_set_time_function(get_time);
@@ -621,6 +625,8 @@ init_gnutls(void)
   DEBUG_LOG("Initialised");
 
   LCL_AddParameterChangeHandler(handle_step, NULL);
+
+  return 1;
 }
 
 /* ================================================== */
@@ -649,7 +655,8 @@ create_credentials(const char **certs, const char **keys, int n_certs_keys,
   gnutls_certificate_credentials_t credentials = NULL;
   int i, r;
 
-  init_gnutls();
+  if (!init_gnutls())
+    return NULL;
 
   r = gnutls_certificate_allocate_credentials(&credentials);
   if (r < 0)