From a8ec510fd171380a50bd9b99f20a772980aabe47 Mon Sep 17 00:00:00 2001
From: Dirkjan Ochtman <dirkjan@ochtman.nl>
Date: Mon, 2 Sep 2024 10:24:37 +0200
Subject: [PATCH] proto: avoid panicking on rustls server config errors

---
 quinn-proto/src/config.rs        |  2 +-
 quinn-proto/src/crypto/rustls.rs | 15 +++++++--------
 quinn-proto/src/tests/util.rs    |  2 +-
 3 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/quinn-proto/src/config.rs b/quinn-proto/src/config.rs
index d4c8e6385..557ae2cf1 100644
--- a/quinn-proto/src/config.rs
+++ b/quinn-proto/src/config.rs
@@ -930,7 +930,7 @@ impl ServerConfig {
     ) -> Result<Self, rustls::Error> {
         Ok(Self::with_crypto(Arc::new(QuicServerConfig::new(
             cert_chain, key,
-        ))))
+        )?)))
     }
 }
 
diff --git a/quinn-proto/src/crypto/rustls.rs b/quinn-proto/src/crypto/rustls.rs
index aad4d0d3c..214ad83b3 100644
--- a/quinn-proto/src/crypto/rustls.rs
+++ b/quinn-proto/src/crypto/rustls.rs
@@ -414,14 +414,14 @@ impl QuicServerConfig {
     pub(crate) fn new(
         cert_chain: Vec<CertificateDer<'static>>,
         key: PrivateKeyDer<'static>,
-    ) -> Self {
-        let inner = Self::inner(cert_chain, key);
-        Self {
+    ) -> Result<Self, rustls::Error> {
+        let inner = Self::inner(cert_chain, key)?;
+        Ok(Self {
             // We're confident that the *ring* default provider contains TLS13_AES_128_GCM_SHA256
             initial: initial_suite_from_provider(inner.crypto_provider())
                 .expect("no initial cipher suite found"),
             inner: Arc::new(inner),
-        }
+        })
     }
 
     /// Initialize a QUIC-compatible TLS client configuration with a separate initial cipher suite
@@ -445,18 +445,17 @@ impl QuicServerConfig {
     pub(crate) fn inner(
         cert_chain: Vec<CertificateDer<'static>>,
         key: PrivateKeyDer<'static>,
-    ) -> rustls::ServerConfig {
+    ) -> Result<rustls::ServerConfig, rustls::Error> {
         let mut inner = rustls::ServerConfig::builder_with_provider(
             rustls::crypto::ring::default_provider().into(),
         )
         .with_protocol_versions(&[&rustls::version::TLS13])
         .unwrap() // The *ring* default provider supports TLS 1.3
         .with_no_client_auth()
-        .with_single_cert(cert_chain, key)
-        .unwrap();
+        .with_single_cert(cert_chain, key)?;
 
         inner.max_early_data_size = u32::MAX;
-        inner
+        Ok(inner)
     }
 }
 
diff --git a/quinn-proto/src/tests/util.rs b/quinn-proto/src/tests/util.rs
index 4b4625f7b..5c66a263d 100644
--- a/quinn-proto/src/tests/util.rs
+++ b/quinn-proto/src/tests/util.rs
@@ -598,7 +598,7 @@ fn server_crypto_inner(
         )
     });
 
-    let mut config = QuicServerConfig::inner(vec![cert], key);
+    let mut config = QuicServerConfig::inner(vec![cert], key).unwrap();
     if let Some(alpn) = alpn {
         config.alpn_protocols = alpn;
     }