authorDaniel P. Berrangé <berrange@redhat.com>2025-07-18 16:05:14 +0100
committerFabiano Rosas <farosas@suse.de>2025-07-22 19:39:30 -0300
commit0db6f798024ea6f57ecf2020209b761b50a01d71 (patch)
tree0741b07544b3b0cdac5e5443840654204e8318e4 /crypto/tlssession.c
parenteb3618e9e259ef93f5a1a76867fbccae540fcd61 (diff)
crypto: add tracing & warning about GNUTLS countermeasures
We want some visibility on stderr when the GNUTLS thread
safety countermeasures are activated, to encourage people
to get the real fix deployed (once it exists). Some trace
points will also help if we see any further weird crash
scenario we've not anticipated.

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Fabiano Rosas <farosas@suse.de>
Link: https://lore.kernel.org/qemu-devel/20250718150514.2635338-5-berrange@redhat.com
[add missing include]
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Diffstat (limited to 'crypto/tlssession.c')
-rw-r--r--crypto/tlssession.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/crypto/tlssession.c b/crypto/tlssession.c
index baef878fa0..86d407a142 100644
--- a/crypto/tlssession.c
+++ b/crypto/tlssession.c
@@ -19,6 +19,7 @@
  */
 
 #include "qemu/osdep.h"
+#include "qemu/error-report.h"
 #include "qemu/thread.h"
 #include "crypto/tlssession.h"
 #include "crypto/tlscredsanon.h"
@@ -615,10 +616,20 @@ qcrypto_tls_session_handshake(QCryptoTLSSession *session,
          * only have to protect against automatic rekeying
          * which doesn't trigger with CHACHA20
          */
+        trace_qcrypto_tls_session_parameters(
+            session,
+            session->requireThreadSafety,
+            gnutls_protocol_get_version(session->handle),
+            cipher);
+
         if (session->requireThreadSafety &&
             gnutls_protocol_get_version(session->handle) ==
             GNUTLS_TLS1_3 &&
             cipher != GNUTLS_CIPHER_CHACHA20_POLY1305) {
+            warn_report("WARNING: activating thread safety countermeasures "
+                        "for potentially broken GNUTLS with TLS1.3 cipher=%d",
+                        cipher);
+            trace_qcrypto_tls_session_bug1717_workaround(session);
             session->lockEnabled = true;
         }
 #endif
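Review bot: The warn_report() call added before `session->lockEnabled = true;` is emitted on every handshake that takes this path, and its message starts with a literal "WARNING:" even though warn_report() already prefixes its output with a warning marker, so a deployment with many TLS sessions (several migration channels, repeated reconnects) will see the same doubled-prefix line repeated many times. Since the condition depends only on the GNUTLS build and the negotiated parameters, one report is enough to prompt the operator, and the per-session detail is already captured by the trace points; `warn_report_once("activating thread safety countermeasures for potentially broken GNUTLS with TLS1.3 cipher=%s", gnutls_cipher_get_name(cipher));` keeps stderr readable and names the cipher instead of printing the raw enum value. If the raw `%d` is kept, the message should at least drop the redundant "WARNING:" prefix. qcrypto_tls_session_handshake starts and ends outside this hunk, so the exact type of `cipher` should be confirmed against the declaration above the hunk.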