From: Peter Krempa via Devel
Reply-To: Peter Krempa
To: devel@lists.libvirt.org
CC: Peter Krempa
Subject: [PATCH] tls: Don't require 'keyEncipherment' to be enabled altogether
Date: Mon, 30 Jun 2025 19:25:05 +0200
From: Peter Krempa

Key encipherment is required only for the RSA key exchange algorithm. With TLS 1.3 this is not even used, as RSA is used only for authentication. Since we can't really check when it's required ahead of time, drop the check completely. GnuTLS will moan if it will not be able to use RSA key exchange.

In commit 11867b0224a2 I tried to relax the check for some elliptic curve algorithms that explicitly forbid it. Based on the above, the proper solution is to completely remove it.

Resolves: https://issues.redhat.com/browse/RHEL-100711
Fixes: 11867b0224a2b8dc34755ff0ace446b6842df1c1
Signed-off-by: Peter Krempa
---
 src/rpc/virnettlscert.c | 28 ----------------------------
 1 file changed, 28 deletions(-)

diff --git a/src/rpc/virnettlscert.c b/src/rpc/virnettlscert.c index f197995633..7024e858f0 100644 --- a/src/rpc/virnettlscert.c +++ b/src/rpc/virnettlscert.c @@ -162,34 +162,6 @@ static int virNetTLSCertCheckKeyUsage(gnutls_x509_crt_= t cert, certFile); } } - if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) { - int alg =3D gnutls_x509_crt_get_pk_algorithm(cert, NULL); - - /* Per RFC8813 [1] which amends RFC5580 [2] ECDSA, ECDH, and E= CMQV - * algorithms must not have 'keyEncipherment' present. - * - * [1] https://datatracker.ietf.org/doc/rfc8813/ - * [2] https://datatracker.ietf.org/doc/rfc5480 - */ - - switch (alg) { - case GNUTLS_PK_ECDSA: - case GNUTLS_PK_ECDH_X25519: - case GNUTLS_PK_ECDH_X448: - break; - - default: - if (critical) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("Certificate %1$s usage does not perm= it key encipherment"), - certFile); - return -1; - } else { - VIR_WARN("Certificate %s usage does not permit key enc= ipherment", - certFile); - } - } - } } return 0; --=20 2.49.0
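Review bot: Dropping the whole `GNUTLS_KEY_KEY_ENCIPHERMENT` block in virNetTLSCertCheckKeyUsage is a user-visible behaviour change that the commit message only hints at: a certificate lacking keyEncipherment now passes libvirt's load-time validation, and on a deployment whose priority string still allows TLS 1.2 RSA key-exchange ciphersuites the failure moves to handshake time with GnuTLS's own error text instead of the former "Certificate %s usage does not permit key encipherment" report (critical) or VIR_WARN (non-critical). Consider stating that explicitly in the commit message and in the certificate-requirements documentation so an administrator debugging a handshake failure knows the usage bit is no longer checked up front. Also, the removed lines are the only use of `critical` visible in this hunk; please confirm it is still referenced by the remaining checks above (the surrounding `certFile); } }` context suggests so) so the build does not pick up an unused-variable warning.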