crypto: propagate errors from TLS session I/O callbacks

GNUTLS doesn't know how to perform I/O on anything other than plain
FDs, so the TLS session provides it with some I/O callbacks. The
GNUTLS API design requires these callbacks to return a unix errno
value, which means we're currently losing the useful QEMU "Error"
object.

This changes the I/O callbacks in QEMU to stash the "Error" object
in the QCryptoTLSSession class, and fetch it when seeing an I/O
error returned from GNUTLS, thus preserving useful error messages.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Daniel P. Berrangé 2024-03-15 14:29:11 +00:00
parent 57941c9c86
commit 97f7bf113e
4 changed files with 108 additions and 26 deletions


@ -178,12 +178,18 @@ G_DEFINE_AUTOPTR_CLEANUP_FUNC(QCryptoTLSSession, qcrypto_tls_session_free)
int qcrypto_tls_session_check_credentials(QCryptoTLSSession *sess,
Error **errp);
/*
* These must return QCRYPTO_TLS_SESSION_ERR_BLOCK if the I/O
* would block, but on other errors, must fill 'errp'
*/
typedef ssize_t (*QCryptoTLSSessionWriteFunc)(const char *buf,
size_t len,
void *opaque);
void *opaque,
Error **errp);
typedef ssize_t (*QCryptoTLSSessionReadFunc)(char *buf,
size_t len,
void *opaque);
void *opaque,
Error **errp);
/**
* qcrypto_tls_session_set_callbacks:
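Review bot: the contract in the new comment ("must return QCRYPTO_TLS_SESSION_ERR_BLOCK if the I/O would block, but on other errors, must fill 'errp'") does not say what value a callback returns on those other errors, nor that 'errp' must be left unset in the would-block case; since the session code will now stash and later fetch the Error object, a caller cannot distinguish "blocked" from "failed" unless both the return value and the errp state are specified. Suggest spelling it out, e.g. "On other errors, return a negative value and set 'errp'; 'errp' must not be set when returning QCRYPTO_TLS_SESSION_ERR_BLOCK." Minor style point: this comment uses a plain "/*" opener while the neighbouring qcrypto_tls_session_set_callbacks block uses the "/**" doc-comment form; since the typedefs are public API and every implementer must now add the Error **errp parameter, a "/**" doc comment here would keep the header consistent.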