diff options
| author | Yu Watanabe <watanabe.yu+github@gmail.com> | 2020-02-10 14:50:03 +0900 |
|---|---|---|
| committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2020-03-01 14:02:23 +0100 |
| commit | df70539f9fe01a16d0f561ad9c6f5d7a955039c0 (patch) | |
| tree | 0788e31c067ec2974766a70d60a655b673444498 /src/resolve/resolved-dnstls-openssl.c | |
| parent | 972e81629d405b2a9fe0781c483feb3775546609 (diff) | |
| download | systemd-df70539f9fe01a16d0f561ad9c6f5d7a955039c0.tar.gz | |
resolve: error handling improvements
Diffstat (limited to 'src/resolve/resolved-dnstls-openssl.c')
| -rw-r--r-- | src/resolve/resolved-dnstls-openssl.c | 27 |
1 files changed, 18 insertions, 9 deletions
diff --git a/src/resolve/resolved-dnstls-openssl.c b/src/resolve/resolved-dnstls-openssl.c index ce0a437371..8f58efacbd 100644 --- a/src/resolve/resolved-dnstls-openssl.c +++ b/src/resolve/resolved-dnstls-openssl.c @@ -73,7 +73,9 @@ int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) { return -ENOMEM; SSL_set_connect_state(s); - SSL_set_session(s, server->dnstls_data.session); + r = SSL_set_session(s, server->dnstls_data.session); + if (r == 0) + return -EIO; SSL_set_bio(s, TAKE_PTR(rb), TAKE_PTR(wb)); if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES) { @@ -83,7 +85,7 @@ int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) { SSL_set_verify(s, SSL_VERIFY_PEER, NULL); v = SSL_get0_param(s); ip = server->family == AF_INET ? (const unsigned char*) &server->address.in.s_addr : server->address.in6.s6_addr; - if (!X509_VERIFY_PARAM_set1_ip(v, ip, FAMILY_ADDRESS_SIZE(server->family))) + if (X509_VERIFY_PARAM_set1_ip(v, ip, FAMILY_ADDRESS_SIZE(server->family)) == 0) return -ECONNREFUSED; } @@ -106,8 +108,8 @@ int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) { char errbuf[256]; ERR_error_string_n(error, errbuf, sizeof(errbuf)); - log_debug("Failed to invoke SSL_do_handshake: %s", errbuf); - return -ECONNREFUSED; + return log_debug_errno(SYNTHETIC_ERRNO(ECONNREFUSED), + "Failed to invoke SSL_do_handshake: %s", errbuf); } } @@ -368,20 +370,27 @@ void dnstls_server_free(DnsServer *server) { int dnstls_manager_init(Manager *manager) { int r; + assert(manager); ERR_load_crypto_strings(); SSL_load_error_strings(); - manager->dnstls_data.ctx = SSL_CTX_new(TLS_client_method()); + manager->dnstls_data.ctx = SSL_CTX_new(TLS_client_method()); if (!manager->dnstls_data.ctx) return -ENOMEM; - SSL_CTX_set_min_proto_version(manager->dnstls_data.ctx, TLS1_2_VERSION); - SSL_CTX_set_options(manager->dnstls_data.ctx, SSL_OP_NO_COMPRESSION); + r = SSL_CTX_set_min_proto_version(manager->dnstls_data.ctx, TLS1_2_VERSION); + if (r == 0) + return -EIO; + + (void) SSL_CTX_set_options(manager->dnstls_data.ctx, SSL_OP_NO_COMPRESSION); + r = SSL_CTX_set_default_verify_paths(manager->dnstls_data.ctx); - if (r < 0) - log_warning("Failed to load system trust store: %s", ERR_error_string(ERR_get_error(), NULL)); + if (r == 0) + return log_warning_errno(SYNTHETIC_ERRNO(EIO), + "Failed to load system trust store: %s", + ERR_error_string(ERR_get_error(), NULL)); return 0; } |