To: devel@lists.libvirt.org
Subject: [PATCH v2 1/3] tls: Don't require 'keyEncipherment' to be enabled altogether
Date: Tue, 1 Jul 2025 14:08:40 +0200
Message-ID: <0acb5d082864d851f4f31e62af4c85a0aee78001.1751371167.git.pkrempa@redhat.com>
From: Peter Krempa via Devel
Reply-To: Peter Krempa
List-Id: Development discussions about the libvirt library & tools
From: Peter Krempa

Key encipherment is required only for RSA key exchange algorithm. With TLS 1.3 this is not even used as RSA is used only for authentication. Since we can't really check when it's required ahead of time drop the check completely. GnuTLS will moan if it will not be able to use RSA key exchange.

In commit 11867b0224a2 I tried to relax the check for some elliptic curve algorithm that explicitly forbids it. Based on the above the proper solution is to completely remove it.

Resolves: https://issues.redhat.com/browse/RHEL-100711
Fixes: 11867b0224a2b8dc34755ff0ace446b6842df1c1
Signed-off-by: Peter Krempa
Reviewed-by: Ján Tomko
---
 src/rpc/virnettlscert.c | 34 ++++------------------------------
 1 file changed, 4 insertions(+), 30 deletions(-)

diff --git a/src/rpc/virnettlscert.c b/src/rpc/virnettlscert.c index f197995633..6a723c1ed4 100644 --- a/src/rpc/virnettlscert.c +++ b/src/rpc/virnettlscert.c @@ -128,8 +128,10 @@ static int virNetTLSCertCheckKeyUsage(gnutls_x509_crt_= t cert, VIR_DEBUG("Cert %s key usage status %d usage %d critical %u", certFile= , status, usage, critical); if (status < 0) { if (status =3D=3D GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { - usage =3D isCA ? GNUTLS_KEY_KEY_CERT_SIGN : - GNUTLS_KEY_DIGITAL_SIGNATURE|GNUTLS_KEY_KEY_ENCIPHERMENT; + if (isCA) + usage =3D GNUTLS_KEY_KEY_CERT_SIGN; + else + usage =3D GNUTLS_KEY_DIGITAL_SIGNATURE; } else { virReportError(VIR_ERR_SYSTEM_ERROR, _("Unable to query certificate %1$s key usage %= 2$s"), 
@@ -162,34 +164,6 @@ static int virNetTLSCertCheckKeyUsage(gnutls_x509_crt_= t cert, certFile); } } - if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) { - int alg =3D gnutls_x509_crt_get_pk_algorithm(cert, NULL); - - /* Per RFC8813 [1] which amends RFC5580 [2] ECDSA, ECDH, and E= CMQV - * algorithms must not have 'keyEncipherment' present. - * - * [1] https://datatracker.ietf.org/doc/rfc8813/ - * [2] https://datatracker.ietf.org/doc/rfc5480 - */ - - switch (alg) { - case GNUTLS_PK_ECDSA: - case GNUTLS_PK_ECDH_X25519: - case GNUTLS_PK_ECDH_X448: - break; - - default: - if (critical) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("Certificate %1$s usage does not perm= it key encipherment"), - certFile); - return -1; - } else { - VIR_WARN("Certificate %s usage does not permit key enc= ipherment", - certFile); - } - } - } } return 0;
-- 
2.49.0
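Review bot: in the @@ -128 hunk the VIR_DEBUG line still prints `usage` before the GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE fallback assigns it, so for a certificate with no keyUsage extension the debug output shows the unset value rather than the GNUTLS_KEY_DIGITAL_SIGNATURE or GNUTLS_KEY_KEY_CERT_SIGN default the code then assumes; a second debug line after the fallback (or a word in the message that the value is pre-default) would make handshake troubleshooting less confusing. The if/else split itself is the old ternary minus the keyEncipherment bit, which matches the commit message.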
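Review bot: the @@ -162 hunk removes the only place a missing keyEncipherment bit was reported at certificate load time (error when the extension is critical, VIR_WARN otherwise), so, as the commit message says, a TLS 1.2 peer that negotiates an RSA key-exchange suite with such a certificate now fails only inside the GnuTLS handshake. Suggest that docs/kbase/tlscerts.rst or the handshake error reporting mention 'keyEncipherment' as a possible cause so operators can recognise that failure. Dropping the GNUTLS_PK_ECDSA / GNUTLS_PK_ECDH_X25519 / GNUTLS_PK_ECDH_X448 carve-out along with it is consistent: the deleted RFC 8813 comment says those keys must not carry the bit, so there is nothing left to special-case once the bit is no longer required. `critical` is still read by the VIR_DEBUG above, so no unused-variable warning results.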
To: devel@lists.libvirt.org
Subject: [PATCH v2 2/3] kbase: tlscerts: Drop 'encryption_key' feature request
Date: Tue, 1 Jul 2025 14:08:41 +0200
Message-ID: <6205e842c0b5e515f694a851f77f857bcc26d911.1751371167.git.pkrempa@redhat.com>
From: Peter Krempa via Devel
Reply-To: Peter Krempa

From: Peter Krempa

As TLS 1.3 performs key exchange separately from the algorithm used to verify authenticity, the certificates for libvirt's use of TLS don't need to require the 'encryption_key' feature any more.

Signed-off-by: Peter Krempa
Reviewed-by: Ján Tomko
---
 docs/kbase/tlscerts.rst | 2 --
 1 file changed, 2 deletions(-)

diff --git a/docs/kbase/tlscerts.rst b/docs/kbase/tlscerts.rst index e4aa5bb3c9..215d454998 100644 --- a/docs/kbase/tlscerts.rst +++ b/docs/kbase/tlscerts.rst @@ -204,7 +204,6 @@ define the server as follows: ip_address =3D 2001:cafe::74 ip_address =3D fe20::24 tls_www_server - encryption_key signing_key The 'cn' field should refer to the fully qualified public hostname of the 
@@ -298,7 +297,6 @@ briefly cover the steps. organization =3D Libvirt Project cn =3D client1 tls_www_client - encryption_key signing_key and sign by doing:
-- 
2.49.0
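Review bot: the prose around the server template in the @@ -204 hunk is not updated to say why `encryption_key` disappeared; a one-line note that keyEncipherment is only relevant to RSA key exchange in TLS 1.2 and earlier, and that certificates already issued with it stay valid, would stop users regenerating certificates needlessly. The remaining `signing_key` line still yields digitalSignature, which is what the updated fallback in src/rpc/virnettlscert.c assumes for non-CA certificates.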
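Review bot: for the client template in the @@ -298 hunk, consider adding a sentence that a client certificate without `encryption_key` presented to an older libvirt daemon is rejected only when that daemon's removed check (patch 1/3, @@ -162) sees the keyUsage extension marked critical, and is otherwise merely warned about; mixed-version deployments need that information to decide when to regenerate. The following 'and sign by doing:' step is unchanged, so the certtool invocation does not need touching.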
To: devel@lists.libvirt.org
Subject: [PATCH v2 3/3] tests: virnettls*test: Drop use of GNUTLS_KEY_KEY_ENCIPHERMENT
Date: Tue, 1 Jul 2025 14:08:42 +0200
Message-ID: <7ae93a13c19d981ebece34b3fb7f37d375bb13f4.1751371167.git.pkrempa@redhat.com>
From: Peter Krempa via Devel
Reply-To: Peter Krempa
From: Peter Krempa

It's not needed with TLS 1.3 any more.

Signed-off-by: Peter Krempa
Reviewed-by: Ján Tomko
---
 tests/virnettlscontexttest.c | 36 ++++++++++++++++++------------------
 tests/virnettlssessiontest.c | 14 +++++++-------
 2 files changed, 25 insertions(+), 25 deletions(-)

diff --git a/tests/virnettlscontexttest.c b/tests/virnettlscontexttest.c index 2311524db8..48bdefdd76 100644 --- a/tests/virnettlscontexttest.c +++ b/tests/virnettlscontexttest.c @@ -156,13 +156,13 @@ mymain(void) TLS_CERT_REQ(servercertreq, cacertreq, "UK", "libvirt.org", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY= _ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); TLS_CERT_REQ(clientcertreq, cacertreq, "UK", "libvirt", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY= _ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 0, 0); @@ -182,7 +182,7 @@ mymain(void) TLS_CERT_REQ(servercert1req, cacert1req, "UK", "libvirt.org", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY= _ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); @@ -196,7 +196,7 @@ mymain(void) TLS_CERT_REQ(servercert2req, cacert2req, "UK", "libvirt.org", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY= _ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); @@ -210,7 +210,7 @@ mymain(void) TLS_CERT_REQ(servercert3req, cacert3req, "UK", "libvirt.org", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY= _ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); 
@@ -230,7 +230,7 @@ mymain(void) TLS_CERT_REQ(servercert4req, cacert4req, "UK", "libvirt.org", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY= _ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); /* no-basic */ @@ -243,7 +243,7 @@ mymain(void) TLS_CERT_REQ(servercert5req, cacert5req, "UK", "libvirt.org", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY= _ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); /* Key usage:dig-sig:critical */ @@ -256,7 +256,7 @@ mymain(void) TLS_CERT_REQ(servercert6req, cacert6req, "UK", "libvirt.org", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY= _ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); @@ -284,7 +284,7 @@ mymain(void) TLS_CERT_REQ(servercert8req, cacertreq, "UK", "libvirt", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY= _ENCIPHERMENT | GNUTLS_KEY_KEY_CERT_SIGN, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY= _CERT_SIGN, false, false, NULL, NULL, 0, 0); /* usage:cert-sign:not-critical */ @@ -372,7 +372,7 @@ mymain(void) TLS_CERT_REQ(clientcert2req, cacertreq, "UK", "libvirt", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY= _ENCIPHERMENT | GNUTLS_KEY_KEY_CERT_SIGN, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY= _CERT_SIGN, false, false, NULL, NULL, 0, 0); /* usage:cert-sign:not-critical */ 
@@ -459,19 +459,19 @@ mymain(void) TLS_CERT_REQ(servercertexpreq, cacertexpreq, "UK", "libvirt.org", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY= _ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); TLS_CERT_REQ(servercertexp1req, cacertreq, "UK", "libvirt", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY= _ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, -1); TLS_CERT_REQ(clientcertexp1req, cacertreq, "UK", "libvirt", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY= _ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 0, -1); @@ -491,19 +491,19 @@ mymain(void) TLS_CERT_REQ(servercertnewreq, cacertnewreq, "UK", "libvirt", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY= _ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); TLS_CERT_REQ(servercertnew1req, cacertreq, "UK", "libvirt", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY= _ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 1, 2); TLS_CERT_REQ(clientcertnew1req, cacertreq, "UK", "libvirt", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY= _ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 1, 2); 
@@ -538,13 +538,13 @@ mymain(void) TLS_CERT_REQ(servercertlevel3areq, cacertlevel2areq, "UK", "libvirt.org", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY= _ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); TLS_CERT_REQ(clientcertlevel2breq, cacertlevel1breq, "UK", "libvirt client level 2b", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY= _ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 0, 0); diff --git a/tests/virnettlssessiontest.c b/tests/virnettlssessiontest.c index 285cde57d8..459e17c52c 100644 --- a/tests/virnettlssessiontest.c +++ b/tests/virnettlssessiontest.c @@ -314,20 +314,20 @@ mymain(void) TLS_CERT_REQ(servercertreq, cacertreq, "UK", "libvirt.org", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY= _ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); TLS_CERT_REQ(clientcertreq, cacertreq, "UK", "libvirt", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY= _ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 0, 0); TLS_CERT_REQ(clientcertaltreq, altcacertreq, "UK", "libvirt", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY= _ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 0, 0); 
@@ -342,14 +342,14 @@ mymain(void) TLS_CERT_REQ(servercertalt1req, cacertreq, "UK", "libvirt.org", "www.libvirt.org", "libvirt.org", "1= 92.168.122.1", "fec0::dead:beaf", true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY= _ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); /* This intentionally doesn't replicate */ TLS_CERT_REQ(servercertalt2req, cacertreq, "UK", "libvirt.org", "www.libvirt.org", "wiki.libvirt.org= ", "192.168.122.1", "fec0::dead:beaf", true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY= _ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); @@ -433,13 +433,13 @@ mymain(void) TLS_CERT_REQ(servercertlevel3areq, cacertlevel2areq, "UK", "libvirt.org", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY= _ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); TLS_CERT_REQ(clientcertlevel2breq, cacertlevel1breq, "UK", "libvirt client level 2b", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY= _ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 0, 0); --=20 2.49.0
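Review bot: starting with the @@ -156 hunk of tests/virnettlscontexttest.c, every fixture drops GNUTLS_KEY_KEY_ENCIPHERMENT, so after this series no test loads a certificate that still carries the bit, which is exactly what deployments generated from the previous tlscerts.rst templates present. Keeping one server and one client request with `GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT` (the @@ -156 pair would do) would lock in that those certificates remain accepted by the relaxed check in patch 1/3.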
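Review bot: the @@ -314 hunk of tests/virnettlssessiontest.c touches the only fixtures that go through a real handshake, which is now the sole place a key-exchange failure from a missing keyEncipherment can surface since the load-time check was removed; a case that pins a TLS 1.2 RSA key-exchange priority against one of these digitalSignature-only certificates would document the failure mode the 1/3 commit message describes ("GnuTLS will moan") instead of leaving it implicit. The @@ -342 hunk's "This intentionally doesn't replicate" comment refers to the altName list and is unaffected by the usage change.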