| -rw-r--r-- | crypto/tlssession.c | 11 | ||||
| -rw-r--r-- | crypto/trace-events | 2 |
2 files changed, 13 insertions, 0 deletions
diff --git a/crypto/tlssession.c b/crypto/tlssession.c
index baef878fa0..86d407a142 100644
--- a/crypto/tlssession.c
+++ b/crypto/tlssession.c
@@ -19,6 +19,7 @@
  */
 #include "qemu/osdep.h"
+#include "qemu/error-report.h"
 #include "qemu/thread.h"
 #include "crypto/tlssession.h"
 #include "crypto/tlscredsanon.h"
@@ -615,10 +616,20 @@ qcrypto_tls_session_handshake(QCryptoTLSSession *session,
          * only have to protect against automatic rekeying
          * which doesn't trigger with CHACHA20
          */
+        trace_qcrypto_tls_session_parameters(
+            session,
+            session->requireThreadSafety,
+            gnutls_protocol_get_version(session->handle),
+            cipher);
+
         if (session->requireThreadSafety &&
             gnutls_protocol_get_version(session->handle) == GNUTLS_TLS1_3 &&
             cipher != GNUTLS_CIPHER_CHACHA20_POLY1305) {
+            warn_report("WARNING: activating thread safety countermeasures "
+                        "for potentially broken GNUTLS with TLS1.3 cipher=%d",
+                        cipher);
+            trace_qcrypto_tls_session_bug1717_workaround(session);
             session->lockEnabled = true;
         }
 #endif
diff --git a/crypto/trace-events b/crypto/trace-events
index bccd0bbf29..d0e33427fa 100644
--- a/crypto/trace-events
+++ b/crypto/trace-events
@@ -21,6 +21,8 @@ qcrypto_tls_creds_x509_load_cert_list(void *creds, const char *file) "TLS creds
 # tlssession.c
 qcrypto_tls_session_new(void *session, void *creds, const char *hostname, const char *authzid, int endpoint) "TLS session new session=%p creds=%p hostname=%s authzid=%s endpoint=%d"
 qcrypto_tls_session_check_creds(void *session, const char *status) "TLS session check creds session=%p status=%s"
+qcrypto_tls_session_parameters(void *session, int threadSafety, int protocol, int cipher) "TLS session parameters session=%p threadSafety=%d protocol=%d cipher=%d"
+qcrypto_tls_session_bug1717_workaround(void *session) "TLS session bug1717 workaround session=%p"
 # tls-cipher-suites.c
 qcrypto_tls_cipher_suite_priority(const char *name) "priority: %s"
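Review bot: The `warn_report()` added inside the workaround branch in the second tlssession.c hunk hard-codes a "WARNING:" prefix, but warn_report() already prepends its own "warning: " prefix, so the operator reads the word twice; drop it from the literal. The cipher is also reported only as a raw enum value, which is hard to act on without the GnuTLS headers at hand; `gnutls_cipher_get_name()` is available here, so `warn_report("activating thread safety countermeasures for potentially broken GNUTLS with TLS1.3 cipher=%s", gnutls_cipher_get_name(cipher));` gives a message an operator can correlate with their TLS configuration. Since this code runs per handshake, a server accepting many clients will presumably repeat the same message for every connection; if that is not intended, `warn_report_once()` from the same header keeps the one-time signal that the countermeasure is active while the new trace point still records it per session. The enclosing qcrypto_tls_session_handshake body starts and ends outside the hunk.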