crypto: add tracing & warning about GNUTLS countermeasures

We want some visibility on stderr when the GNUTLS thread safety countermeasures are activated, to encourage people to get the real fix deployed (once it exists). Some trace points will also help if we see any further wierd crash scenario we've not anticipated. Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Fabiano Rosas <farosas@suse.de> Link: https://lore.kernel.org/qemu-devel/20250718150514.2635338-5-berrange@redhat.com [add missing include] Signed-off-by: Fabiano Rosas <farosas@suse.de>
2025-07-18 16:05:14 +01:00 · 2025-07-18 16:05:14 +01:00 · 0db6f79802
commit 0db6f79802
parent eb3618e9e2
2 changed files with 13 additions and 0 deletions
--- a/crypto/tlssession.c
+++ b/crypto/tlssession.c
@ -19,6 +19,7 @@
 */

 #include "qemu/osdep.h"
+#include "qemu/error-report.h"
 #include "qemu/thread.h"
 #include "crypto/tlssession.h"
 #include "crypto/tlscredsanon.h"
@ -615,10 +616,20 @@ qcrypto_tls_session_handshake(QCryptoTLSSession *session,
         * only have to protect against automatic rekeying
         * which doesn't trigger with CHACHA20
         */
+        trace_qcrypto_tls_session_parameters(
+            session,
+            session->requireThreadSafety,
+            gnutls_protocol_get_version(session->handle),
+            cipher);
+
        if (session->requireThreadSafety &&
            gnutls_protocol_get_version(session->handle) ==
            GNUTLS_TLS1_3 &&
            cipher != GNUTLS_CIPHER_CHACHA20_POLY1305) {
+            warn_report("WARNING: activating thread safety countermeasures "
+                        "for potentially broken GNUTLS with TLS1.3 cipher=%d",
+                        cipher);
+            trace_qcrypto_tls_session_bug1717_workaround(session);
            session->lockEnabled = true;
        }
 #endif
--- a/crypto/trace-events
+++ b/crypto/trace-events
@ -21,6 +21,8 @@ qcrypto_tls_creds_x509_load_cert_list(void *creds, const char *file) "TLS creds
 # tlssession.c
 qcrypto_tls_session_new(void *session, void *creds, const char *hostname, const char *authzid, int endpoint) "TLS session new session=%p creds=%p hostname=%s authzid=%s endpoint=%d"
 qcrypto_tls_session_check_creds(void *session, const char *status) "TLS session check creds session=%p status=%s"
+qcrypto_tls_session_parameters(void *session, int threadSafety, int protocol, int cipher) "TLS session parameters session=%p threadSafety=%d protocol=%d cipher=%d"
+qcrypto_tls_session_bug1717_workaround(void *session) "TLS session bug1717 workaround session=%p"

 # tls-cipher-suites.c
 qcrypto_tls_cipher_suite_priority(const char *name) "priority: %s"