main-loop: Acquire main_context lock around os_host_main_loop_wait.

[mirror_qemu.git] / crypto / tlssession.c
diff --git a/crypto/tlssession.c b/crypto/tlssession.c

index 373552942cceca5d7c77d3b5eae1cc0dee2a1e42..96a02deb695cc50ac5400926ef19c7ba1eb3c62a 100644 (file)
--- a/crypto/tlssession.c
+++ b/crypto/tlssession.c
@@ -18,9 +18,11 @@
   *
   */
  
+#include "qemu/osdep.h"
  #include "crypto/tlssession.h"
  #include "crypto/tlscredsanon.h"
  #include "crypto/tlscredsx509.h"
+#include "qapi/error.h"
  #include "qemu/acl.h"
  #include "trace.h"
  
@@ -130,14 +132,22 @@ qcrypto_tls_session_new(QCryptoTLSCreds *creds,
      if (object_dynamic_cast(OBJECT(creds),
                              TYPE_QCRYPTO_TLS_CREDS_ANON)) {
          QCryptoTLSCredsAnon *acreds = QCRYPTO_TLS_CREDS_ANON(creds);
+        char *prio;
  
-        ret = gnutls_priority_set_direct(session->handle,
-                                         "NORMAL:+ANON-DH", NULL);
+        if (creds->priority != NULL) {
+            prio = g_strdup_printf("%s:+ANON-DH", creds->priority);
+        } else {
+            prio = g_strdup(CONFIG_TLS_PRIORITY ":+ANON-DH");
+        }
+
+        ret = gnutls_priority_set_direct(session->handle, prio, NULL);
          if (ret < 0) {
-            error_setg(errp, "Unable to set TLS session priority: %s",
-                       gnutls_strerror(ret));
+            error_setg(errp, "Unable to set TLS session priority %s: %s",
+                       prio, gnutls_strerror(ret));
+            g_free(prio);
              goto error;
          }
+        g_free(prio);
          if (creds->endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
              ret = gnutls_credentials_set(session->handle,
                                           GNUTLS_CRD_ANON,
@@ -155,11 +165,15 @@ qcrypto_tls_session_new(QCryptoTLSCreds *creds,
      } else if (object_dynamic_cast(OBJECT(creds),
                                     TYPE_QCRYPTO_TLS_CREDS_X509)) {
          QCryptoTLSCredsX509 *tcreds = QCRYPTO_TLS_CREDS_X509(creds);
+        const char *prio = creds->priority;
+        if (!prio) {
+            prio = CONFIG_TLS_PRIORITY;
+        }
  
-        ret = gnutls_set_default_priority(session->handle);
+        ret = gnutls_priority_set_direct(session->handle, prio, NULL);
          if (ret < 0) {
-            error_setg(errp, "Cannot set default TLS session priority: %s",
-                       gnutls_strerror(ret));
+            error_setg(errp, "Cannot set default TLS session priority %s: %s",
+                       prio, gnutls_strerror(ret));
              goto error;
          }
          ret = gnutls_credentials_set(session->handle,
@@ -337,16 +351,22 @@ qcrypto_tls_session_check_credentials(QCryptoTLSSession *session,
  {
      if (object_dynamic_cast(OBJECT(session->creds),
                              TYPE_QCRYPTO_TLS_CREDS_ANON)) {
+        trace_qcrypto_tls_session_check_creds(session, "nop");
          return 0;
      } else if (object_dynamic_cast(OBJECT(session->creds),
                              TYPE_QCRYPTO_TLS_CREDS_X509)) {
          if (session->creds->verifyPeer) {
-            return qcrypto_tls_session_check_certificate(session,
-                                                         errp);
+            int ret = qcrypto_tls_session_check_certificate(session,
+                                                            errp);
+            trace_qcrypto_tls_session_check_creds(session,
+                                                  ret == 0 ? "pass" : "fail");
+            return ret;
          } else {
+            trace_qcrypto_tls_session_check_creds(session, "skip");
              return 0;
          }
      } else {
+        trace_qcrypto_tls_session_check_creds(session, "error");
          error_setg(errp, "Unexpected credential type %s",
                     object_get_typename(OBJECT(session->creds)));
          return -1;