From nobody Sun Dec 14 06:18:07 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=pass(p=reject dis=none) header.from=lists.libvirt.org ARC-Seal: i=1; a=rsa-sha256; t=1751371792; cv=none; d=zohomail.com; s=zohoarc; b=f5x+nE8hbPv7s9sqpeXexv6JTR1PB7Wg2v3LrRpShFtnevjT5cQ0wTFN7e1PpL5A6eIbTZNSTynyG5N7rfB9hhoWfDjd5iyhycHvQlfza/hDQWCHCkfn9t5IbRrWwG75Jp7P9T43Sqt6Tl/1kGWsjGOLESt7+KcHMfbXRanHp/M= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1751371792; h=Content-Type:Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Subject:Subject:To:To:Message-Id:Cc; bh=n/JPXqXtZjiTjogX2I6VBxVvtzvLT02m8xKRpBrxuvo=; b=CV3sDK4IrUrPGlFMciXG09JXm6iql1Ax0aflfGUPCfiwDP0RflZOBzr7nFFMcAqCIGo0trB+PZimIprssuzn7MyoXHlsO+r5lXsIFDPJwZbjxJqrNWZb2YC2s461k65zt5wFs6HL2rfLEvWXJdVXJmDgYz+X8cNWQzfDMDOBrwY= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=pass header.from= (p=reject dis=none) Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1751371792117206.0752741859418; Tue, 1 Jul 2025 05:09:52 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 1C93315C0; Tue, 1 Jul 2025 08:09:51 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id AD6B31601; Tue, 1 Jul 2025 08:08:57 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id B96FB159A; Tue, 1 Jul 2025 08:08:50 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 372AB1423 for ; Tue, 1 Jul 2025 08:08:49 -0400 (EDT) Received: from mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-157-ewU5D-jfOsejNGMehX9nRg-1; Tue, 01 Jul 2025 08:08:46 -0400 Received: from mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.111]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id CF1531800368 for ; Tue, 1 Jul 2025 12:08:45 +0000 (UTC) Received: from speedmetal.redhat.com (unknown [10.45.242.5]) by mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 152A5180045B for ; Tue, 1 Jul 2025 12:08:44 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-0.8 required=5.0 tests=DKIM_INVALID,DKIM_SIGNED, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H5, RCVD_IN_MSPIKE_WL,RCVD_IN_VALIDITY_RPBL_BLOCKED, RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.4 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1751371728; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=E55oq3ugu6V5B40/wf9+72nhdE6jLb2gKpc3IsUz/f0=; b=R8z3AvSNViEet1gbmHPHsiE/t8g3KOptFkPRhutnJoa70AYzjddg/oCI7Pn2qI0UuwUtM5 T8lb7rOWOnFwlny/0CsyMnUcylNPIATSxYW34pTe8dGkAg9XoUKdQd9iysrh2Ot7sTL/Tc /wgozM4Qu2GUaNGzwrM93wiTyFP86QI= X-MC-Unique: ewU5D-jfOsejNGMehX9nRg-1 X-Mimecast-MFC-AGG-ID: ewU5D-jfOsejNGMehX9nRg_1751371725 To: devel@lists.libvirt.org Subject: [PATCH v2 1/3] tls: Don't require 'keyEncipherment' to be enabled altoghther Date: Tue, 1 Jul 2025 14:08:40 +0200 Message-ID: <0acb5d082864d851f4f31e62af4c85a0aee78001.1751371167.git.pkrempa@redhat.com> In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.111 X-Mimecast-Spam-Score: 0 X-Mimecast-MFC-PROC-ID: eNHvUyDuLllBCSiu9fmAzDhnhicEPblaWJLaEzJzTqk_1751371725 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable Message-ID-Hash: EFAWY3EXTDPUGFV7HLWTDNZKPNZU5UY5 X-Message-ID-Hash: EFAWY3EXTDPUGFV7HLWTDNZKPNZU5UY5 X-MailFrom: pkrempa@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: From: Peter Krempa via Devel Reply-To: Peter Krempa X-ZohoMail-DKIM: fail (Header signature does not verify) X-ZM-MESSAGEID: 1751371793219116600 Content-Type: text/plain; charset="utf-8" From: Peter Krempa Key encipherment is required only for RSA key exchange algorithm. With TLS 1.3 this is not even used as RSA is used only for authentication. Since we can't really check when it's required ahead of time drop the check completely. GnuTLS will moan if it will not be able to use RSA key exchange. In commit 11867b0224a2 I tried to relax the check for some eliptic curve algorithm that explicitly forbid it. Based on the above the proper solution is to completely remove it. Resolves: https://issues.redhat.com/browse/RHEL-100711 Fixes: 11867b0224a2b8dc34755ff0ace446b6842df1c1 Signed-off-by: Peter Krempa --- src/rpc/virnettlscert.c | 34 ++++------------------------------ 1 file changed, 4 insertions(+), 30 deletions(-) diff --git a/src/rpc/virnettlscert.c b/src/rpc/virnettlscert.c index f197995633..6a723c1ed4 100644 --- a/src/rpc/virnettlscert.c +++ b/src/rpc/virnettlscert.c @@ -128,8 +128,10 @@ static int virNetTLSCertCheckKeyUsage(gnutls_x509_crt_= t cert, VIR_DEBUG("Cert %s key usage status %d usage %d critical %u", certFile= , status, usage, critical); if (status < 0) { if (status =3D=3D GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { - usage =3D isCA ? GNUTLS_KEY_KEY_CERT_SIGN : - GNUTLS_KEY_DIGITAL_SIGNATURE|GNUTLS_KEY_KEY_ENCIPHERMENT; + if (isCA) + usage =3D GNUTLS_KEY_KEY_CERT_SIGN; + else + usage =3D GNUTLS_KEY_DIGITAL_SIGNATURE; } else { virReportError(VIR_ERR_SYSTEM_ERROR, _("Unable to query certificate %1$s key usage %= 2$s"), @@ -162,34 +164,6 @@ static int virNetTLSCertCheckKeyUsage(gnutls_x509_crt_= t cert, certFile); } } - if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) { - int alg =3D gnutls_x509_crt_get_pk_algorithm(cert, NULL); - - /* Per RFC8813 [1] which amends RFC5580 [2] ECDSA, ECDH, and E= CMQV - * algorithms must not have 'keyEncipherment' present. - * - * [1] https://datatracker.ietf.org/doc/rfc8813/ - * [2] https://datatracker.ietf.org/doc/rfc5480 - */ - - switch (alg) { - case GNUTLS_PK_ECDSA: - case GNUTLS_PK_ECDH_X25519: - case GNUTLS_PK_ECDH_X448: - break; - - default: - if (critical) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("Certificate %1$s usage does not perm= it key encipherment"), - certFile); - return -1; - } else { - VIR_WARN("Certificate %s usage does not permit key enc= ipherment", - certFile); - } - } - } } return 0; --=20 2.49.0