[PATCH 4/4] crypto: add tracing & warning about GNUTLS countermeasures

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: "Daniel P. Berrangé" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Paolo Bonzini" <pbonzini@redhat.com>,
	"Daniel P. Berrangé" <berrange@redhat.com>,
	"Peter Xu" <peterx@redhat.com>,
	"Philippe Mathieu-Daudé" <philmd@linaro.org>,
	"Marc-André Lureau" <marcandre.lureau@redhat.com>,
	"Fabiano Rosas" <farosas@suse.de>
Subject: [PATCH 4/4] crypto: add tracing & warning about GNUTLS countermeasures
Date: Fri, 18 Jul 2025 16:05:14 +0100	[thread overview]
Message-ID: <20250718150514.2635338-5-berrange@redhat.com> (raw)
In-Reply-To: <20250718150514.2635338-1-berrange@redhat.com>

We want some visibility on stderr when the GNUTLS thread
safety countermeasures are activated, to encourage people
to get the real fix deployed (once it exists). Some trace
points will also help if we see any further wierd crash
scenario we've not anticipated.

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 crypto/tlssession.c | 10 ++++++++++
 crypto/trace-events |  2 ++
 2 files changed, 12 insertions(+)

diff --git a/crypto/tlssession.c b/crypto/tlssession.c
index 939f69bdb3..246cd6f7c0 100644
--- a/crypto/tlssession.c
+++ b/crypto/tlssession.c
@@ -615,10 +615,20 @@ qcrypto_tls_session_handshake(QCryptoTLSSession *session,
          * only have to protect against automatic rekeying
          * which doesn't trigger with CHACHA20
          */
+        trace_qcrypto_tls_session_parameters(
+            session,
+            session->requireThreadSafety,
+            gnutls_protocol_get_version(session->handle),
+            cipher);
+
         if (session->requireThreadSafety &&
             gnutls_protocol_get_version(session->handle) ==
             GNUTLS_TLS1_3 &&
             cipher != GNUTLS_CIPHER_CHACHA20_POLY1305) {
+            warn_report("WARNING: activating thread safety countermeasures "
+                        "for potentially broken GNUTLS with TLS1.3 cipher=%d",
+                        cipher);
+            trace_qcrypto_tls_session_bug1717_workaround(session);
             session->lockEnabled = true;
         }
 #endif
diff --git a/crypto/trace-events b/crypto/trace-events
index bccd0bbf29..d0e33427fa 100644
--- a/crypto/trace-events
+++ b/crypto/trace-events
@@ -21,6 +21,8 @@ qcrypto_tls_creds_x509_load_cert_list(void *creds, const char *file) "TLS creds
 # tlssession.c
 qcrypto_tls_session_new(void *session, void *creds, const char *hostname, const char *authzid, int endpoint) "TLS session new session=%p creds=%p hostname=%s authzid=%s endpoint=%d"
 qcrypto_tls_session_check_creds(void *session, const char *status) "TLS session check creds session=%p status=%s"
+qcrypto_tls_session_parameters(void *session, int threadSafety, int protocol, int cipher) "TLS session parameters session=%p threadSafety=%d protocol=%d cipher=%d"
+qcrypto_tls_session_bug1717_workaround(void *session) "TLS session bug1717 workaround session=%p"
 
 # tls-cipher-suites.c
 qcrypto_tls_cipher_suite_priority(const char *name) "priority: %s"
-- 
2.50.1

next prev parent reply	other threads:[~2025-07-18 15:15 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-07-18 15:05 [PATCH 0/4] migration: workaround GNUTLS live migration crashes Daniel P. Berrangé
2025-07-18 15:05 ` [PATCH 1/4] crypto: implement workaround for GNUTLS thread safety problems Daniel P. Berrangé
2025-07-21 14:52   ` Fabiano Rosas
2025-07-21 19:19   ` Fabiano Rosas
2025-07-18 15:05 ` [PATCH 2/4] io: add support for activating TLS thread safety workaround Daniel P. Berrangé
2025-07-21 14:52   ` Fabiano Rosas
2025-07-18 15:05 ` [PATCH 3/4] migration: activate " Daniel P. Berrangé
2025-07-21 14:52   ` Fabiano Rosas
2025-07-18 15:05 ` Daniel P. Berrangé [this message]
2025-07-21 14:52   ` [PATCH 4/4] crypto: add tracing & warning about GNUTLS countermeasures Fabiano Rosas
2025-07-21 19:32   ` Fabiano Rosas
2025-07-21 14:56 ` [PATCH 0/4] migration: workaround GNUTLS live migration crashes Fabiano Rosas
2025-07-21 15:03   ` Daniel P. Berrangé
2025-07-21 15:14     ` Fabiano Rosas
2025-07-21 15:28       ` Daniel P. Berrangé
2025-07-26  6:24 ` Michael Tokarev
2025-07-28  9:04   ` Daniel P. Berrangé

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:939f69bdb dfblob:246cd6f7c dfblob:bccd0bbf2 dfblob:d0e33427f )
 OR (
bs:"[PATCH 4/4] crypto: add tracing & warning about GNUTLS countermeasures" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250718150514.2635338-5-berrange@redhat.com \
    --to=berrange@redhat.com \
    --cc=farosas@suse.de \
    --cc=marcandre.lureau@redhat.com \
    --cc=pbonzini@redhat.com \
    --cc=peterx@redhat.com \
    --cc=philmd@linaro.org \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).