From: Fabiano Rosas <farosas@suse.de>
To: "Daniel P. Berrangé" <berrange@redhat.com>, qemu-devel@nongnu.org
Cc: "Paolo Bonzini" <pbonzini@redhat.com>,
	"Daniel P. Berrangé" <berrange@redhat.com>,
	"Peter Xu" <peterx@redhat.com>,
	"Philippe Mathieu-Daudé" <philmd@linaro.org>,
	"Marc-André Lureau" <marcandre.lureau@redhat.com>
Subject: Re: [PATCH 4/4] crypto: add tracing & warning about GNUTLS countermeasures
Date: Mon, 21 Jul 2025 16:32:58 -0300
Message-ID: <87tt35xrth.fsf@suse.de>
In-Reply-To: <20250718150514.2635338-5-berrange@redhat.com>

Daniel P. Berrangé <berrange@redhat.com> writes:

> We want some visibility on stderr when the GNUTLS thread
> safety countermeasures are activated, to encourage people
> to get the real fix deployed (once it exists). Some trace
> points will also help if we see any further weird crash
> scenario we've not anticipated.
>
> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
>  crypto/tlssession.c | 10 ++++++++++
>  crypto/trace-events |  2 ++
>  2 files changed, 12 insertions(+)
>
> diff --git a/crypto/tlssession.c b/crypto/tlssession.c
> index 939f69bdb3..246cd6f7c0 100644
> --- a/crypto/tlssession.c
> +++ b/crypto/tlssession.c
> @@ -615,10 +615,20 @@ qcrypto_tls_session_handshake(QCryptoTLSSession *session,
>           * only have to protect against automatic rekeying
>           * which doesn't trigger with CHACHA20
>           */
> +        trace_qcrypto_tls_session_parameters(
> +            session,
> +            session->requireThreadSafety,
> +            gnutls_protocol_get_version(session->handle),
> +            cipher);
> +
>          if (session->requireThreadSafety &&
>              gnutls_protocol_get_version(session->handle) ==
>              GNUTLS_TLS1_3 &&
>              cipher != GNUTLS_CIPHER_CHACHA20_POLY1305) {
> +            warn_report("WARNING: activating thread safety countermeasures "

And this hit the missing error-report.h weirdness.

> +                        "for potentially broken GNUTLS with TLS1.3 cipher=%d",
> +                        cipher);
> +            trace_qcrypto_tls_session_bug1717_workaround(session);
>              session->lockEnabled = true;
>          }
>  #endif
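
Review bot: the new warn_report() call in the requireThreadSafety branch comes with no #include for error-report.h anywhere in this patch (all 10 insertions to crypto/tlssession.c are in this hunk), which matches the build problem noted in the reply above; add the include at the top of the file so the call does not depend on a transitive header. Two smaller points in the same branch: the message reports the cipher as a raw integer (`cipher=%d`), which an operator reading stderr cannot interpret without the GNUTLS enum table, so printing the cipher name would make the warning actionable; and gnutls_protocol_get_version(session->handle) is now evaluated twice, once for the trace point and once in the condition, so a local variable would keep the traced value and the tested value provably identical.
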
> diff --git a/crypto/trace-events b/crypto/trace-events
> index bccd0bbf29..d0e33427fa 100644
> --- a/crypto/trace-events
> +++ b/crypto/trace-events
> @@ -21,6 +21,8 @@ qcrypto_tls_creds_x509_load_cert_list(void *creds, const char *file) "TLS creds
>  # tlssession.c
>  qcrypto_tls_session_new(void *session, void *creds, const char *hostname, const char *authzid, int endpoint) "TLS session new session=%p creds=%p hostname=%s authzid=%s endpoint=%d"
>  qcrypto_tls_session_check_creds(void *session, const char *status) "TLS session check creds session=%p status=%s"
> +qcrypto_tls_session_parameters(void *session, int threadSafety, int protocol, int cipher) "TLS session parameters session=%p threadSafety=%d protocol=%d cipher=%d"
> +qcrypto_tls_session_bug1717_workaround(void *session) "TLS session bug1717 workaround session=%p"
>  
>  # tls-cipher-suites.c
>  qcrypto_tls_cipher_suite_priority(const char *name) "priority: %s"
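
Review bot: the event name qcrypto_tls_session_bug1717_workaround carries a bare bug number with no indication of which tracker it belongs to, so someone reading a trace log later cannot tell what was worked around; add a `#` comment above the two new events naming the tracker and the issue, or pick a name that describes the behaviour (the lock being enabled). The companion event qcrypto_tls_session_parameters logs protocol and cipher as `%d`, so the trace output has the same raw-enum readability limit as the warning text in tlssession.c.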

