From: Chuck Lever <cel@kernel.org>
To: <kernel-tls-handshake@lists.linux.dev>
Cc: Chuck Lever <chuck.lever@oracle.com>, Xin Long <lucien.xin@gmail.com>
Subject: [PATCH] tlshd: Return errnos from QUIC helper functions
Date: Mon, 22 Sep 2025 18:07:10 -0400 [thread overview]
Message-ID: <20250922220710.1255102-1-cel@kernel.org> (raw)
From: Chuck Lever <chuck.lever@oracle.com>
Static analysis tools have noticed that
tlshd_quic_serverhello_handshake() expects its helper functions to
return errno values, but two of them return GNUTLS_E_* values in
most cases. Convert those functions to always return errno values
or zero (on success).
Cc: Xin Long <lucien.xin@gmail.com>
Fixes: 43a15fed2f33 ("tlshd: add support for quic handshake")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
src/tlshd/server.c | 54 +++++++++++++++++++++++++++-------------------
1 file changed, 32 insertions(+), 22 deletions(-)
diff --git a/src/tlshd/server.c b/src/tlshd/server.c
index 6531f0819d2b..8c8295caedf1 100644
--- a/src/tlshd/server.c
+++ b/src/tlshd/server.c
@@ -575,45 +575,47 @@ static int tlshd_quic_server_set_x509_session(struct tlshd_quic_conn *conn)
return ret;
}
- ret = gnutls_certificate_allocate_credentials(&cred);
- if (ret)
+ ret = -ENOMEM;
+ if (gnutls_certificate_allocate_credentials(&cred) != GNUTLS_E_SUCCESS)
goto err;
- ret = tlshd_server_get_truststore(cred);
- if (ret)
+ ret = -EINVAL;
+ if (tlshd_server_get_truststore(cred) != GNUTLS_E_SUCCESS)
goto err;
gnutls_certificate_set_retrieve_function2(cred, tlshd_x509_retrieve_key_cb);
gnutls_certificate_set_verify_function(cred, tlshd_quic_server_x509_verify_function);
- ret = gnutls_init(&session, GNUTLS_SERVER | GNUTLS_NO_AUTO_SEND_TICKET |
- GNUTLS_ENABLE_EARLY_DATA | GNUTLS_NO_END_OF_EARLY_DATA);
- if (ret)
+ ret = -ENOMEM;
+ if (gnutls_init(&session, GNUTLS_SERVER | GNUTLS_NO_AUTO_SEND_TICKET |
+ GNUTLS_ENABLE_EARLY_DATA |
+ GNUTLS_NO_END_OF_EARLY_DATA) != GNUTLS_E_SUCCESS)
goto err_cred;
if (!tlshd_quic_server_anti_replay) {
- ret = gnutls_anti_replay_init(&tlshd_quic_server_anti_replay);
- if (ret)
+ if (gnutls_anti_replay_init(&tlshd_quic_server_anti_replay) != GNUTLS_E_SUCCESS)
goto err_session;
gnutls_anti_replay_set_add_function(tlshd_quic_server_anti_replay,
tlshd_quic_server_anti_replay_db_add_func);
gnutls_anti_replay_set_ptr(tlshd_quic_server_anti_replay, NULL);
}
gnutls_anti_replay_enable(session, tlshd_quic_server_anti_replay);
- ret = gnutls_record_set_max_early_data_size(session, 0xffffffffu);
- if (ret)
+ ret = -EINVAL;
+ if (gnutls_record_set_max_early_data_size(session,
+ 0xffffffffu) != GNUTLS_E_SUCCESS)
goto err_session;
gnutls_session_set_ptr(session, conn);
ticket_key.data = conn->ticket;
ticket_key.size = conn->ticket_len;
- ret = gnutls_session_ticket_enable_server(session, &ticket_key);
- if (ret)
+ if (gnutls_session_ticket_enable_server(session,
+ &ticket_key) != GNUTLS_E_SUCCESS)
goto err_session;
gnutls_handshake_set_hook_function(session, GNUTLS_HANDSHAKE_CLIENT_HELLO,
GNUTLS_HOOK_POST, tlshd_quic_server_alpn_verify);
- ret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cred);
- if (ret)
+ ret = -ENOMEM;
+ if (gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE,
+ cred) != GNUTLS_E_SUCCESS)
goto err_session;
gnutls_certificate_server_set_request(session, conn->cert_req);
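Review bot: The errno returned when gnutls_anti_replay_init() or gnutls_session_ticket_enable_server() fails is whatever `ret` happened to hold from the previous guard (-ENOMEM left over from the gnutls_init() check, -EINVAL left over from the gnutls_record_set_max_early_data_size() check), so reordering any of these calls later silently changes the error code callers see. Each guarded call should set `ret` itself, e.g. `ret = -ENOMEM;` immediately before the gnutls_anti_replay_init() check and `ret = -EINVAL;` (or -ENOMEM, depending on which failure is expected) immediately before the gnutls_session_ticket_enable_server() check. The GnuTLS return code is also discarded on every path here without being logged, so the fixed -EINVAL chosen for tlshd_server_get_truststore() may mask an allocation failure if that helper can report one — worth confirming against its definition, which is not in this hunk. tlshd_quic_server_set_x509_session() begins before and ends after the hunk.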
@@ -635,21 +637,29 @@ static int tlshd_quic_server_set_psk_session(struct tlshd_quic_conn *conn)
{
gnutls_psk_server_credentials_t cred;
gnutls_session_t session;
- int ret;
+ int ret, err;
- ret = gnutls_psk_allocate_server_credentials(&cred);
- if (ret)
+ switch (gnutls_psk_allocate_server_credentials(&cred)) {
+ case GNUTLS_E_SUCCESS:
+ break;
+ case GNUTLS_E_MEMORY_ERROR:
+ ret = -ENOMEM;
goto err;
+ case GNUTLS_E_INVALID_REQUEST:
+ ret = -EINVAL;
+ goto err;
+ }
gnutls_psk_set_server_credentials_function(cred, tlshd_quic_server_psk_cb);
- ret = gnutls_init(&session, GNUTLS_SERVER | GNUTLS_NO_AUTO_SEND_TICKET);
- if (ret)
+ ret = -ENOMEM;
+ if (gnutls_init(&session, GNUTLS_SERVER |
+ GNUTLS_NO_AUTO_SEND_TICKET) != GNUTLS_E_SUCCESS)
goto err_cred;
gnutls_session_set_ptr(session, conn);
gnutls_handshake_set_hook_function(session, GNUTLS_HANDSHAKE_CLIENT_HELLO,
GNUTLS_HOOK_POST, tlshd_quic_server_alpn_verify);
- ret = gnutls_credentials_set(session, GNUTLS_CRD_PSK, cred);
- if (ret)
+ if (gnutls_credentials_set(session, GNUTLS_CRD_PSK,
+ cred) != GNUTLS_E_SUCCESS)
goto err_session;
conn->is_serv = 1;
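Review bot: The switch on gnutls_psk_allocate_server_credentials() has no `default:` case, so any return value other than the two listed errors falls through to gnutls_psk_set_server_credentials_function() with `cred` uninitialized; add `default: ret = -EINVAL; goto err;` so every failure leaves through the error path regardless of which code GnuTLS returns. The failure branch of gnutls_credentials_set() likewise inherits `ret = -ENOMEM` from the gnutls_init() guard instead of setting it, unlike the explicit assignment the x509 variant makes before the same call. The newly declared `err` local is not referenced anywhere in this hunk; if the rest of the function does not use it either, it should be dropped to avoid an unused-variable warning. tlshd_quic_server_set_psk_session() continues past the end of the hunk.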
--
2.51.0