From nobody Mon Oct 27 13:50:42 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=quarantine dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1761312120; cv=none; d=zohomail.com; s=zohoarc; b=mMFDVvf8M+FWkox2E3PdPSHLPhz/U0CI7g3p7xnIiJgv8vgYm0k0nrAOZ0w0U9b/KUFKCljgm1NnqRkJHOMFX1bSXnGs4kWJsgoLVKAyOcfr4skKIyqIJNynybdzNv5NQwQQ4UMsDifFQnGE1YhI223CaVv4DY8k44sHvFCLJ0o= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1761312120; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=x0OsWMKNICT1Jpvz22FMkZQGYpmTAf7xxZVb2pCzkS4=; b=VdAWCtlhVT1Va6moRH1jH3GHJqA+LC6q+3BNXDPSSvxQh5J5ewCdNHI8sfw14svYCpQmZAsqmD6AodnHjaX3DNBsta/OH0VN8N6v/EANEHEqJdb9AKuT4NOVkRKc71UsFecAQWGkW7Tvd7XH+6PIUJcBy6R55vBAFvzeP+b1l7U= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=quarantine dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1761312120663906.0694754625533; Fri, 24 Oct 2025 06:22:00 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vCHii-0006Cq-TU; Fri, 24 Oct 2025 09:20:40 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vCHiJ-0005bl-St for qemu-devel@nongnu.org; Fri, 24 Oct 2025 09:20:19 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vCHiG-0004pB-H3 for qemu-devel@nongnu.org; Fri, 24 Oct 2025 09:20:15 -0400 Received: from mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-616-1PnisbarMreyyiQSWVVDPw-1; Fri, 24 Oct 2025 09:20:09 -0400 Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id E8B631800637; Fri, 24 Oct 2025 13:20:08 +0000 (UTC) Received: from toolbx.redhat.com (unknown [10.42.28.2]) by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 6CD11195398C; Fri, 24 Oct 2025 13:20:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1761312011; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=x0OsWMKNICT1Jpvz22FMkZQGYpmTAf7xxZVb2pCzkS4=; b=fluUHQaHOhWwiObwLlKIaCe4dHFz92j2fnUTvL6GIoKWWVx1GJHWohsY9bRQvgAJhawpOj 3uNZsNV/0bFU3PyjLsX0zkzRZ2pk+zn9vzXW8QZ5PYHQRTSYH93PaUpCG+cfn+bdtTCFTl BPWq1qeSYnmHwRyYz/DbVYbR7DjqgHs= X-MC-Unique: 1PnisbarMreyyiQSWVVDPw-1 X-Mimecast-MFC-AGG-ID: 1PnisbarMreyyiQSWVVDPw_1761312009 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: qemu-devel@nongnu.org Cc: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , Eduardo Habkost , Paolo Bonzini , Eric Blake Subject: [PULL 12/13] crypto: stop requiring "key encipherment" usage in x509 certs Date: Fri, 24 Oct 2025 14:19:36 +0100 Message-ID: <20251024131937.56673-13-berrange@redhat.com> In-Reply-To: <20251024131937.56673-1-berrange@redhat.com> References: <20251024131937.56673-1-berrange@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.133.124; envelope-from=berrange@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1761312122904158500 This usage flag was deprecated by RFC8813, such that it is forbidden to be present for certs using ECDSA/ECDH algorithms, and in TLS 1.3 is conceptually obsolete. As such many valid certs will no longer have this key usage flag set, and QEMU should not be rejecting them, as this prevents use of otherwise valid & desirable algorithms. Reviewed-by: Eric Blake Signed-off-by: Daniel P. Berrang=C3=A9 --- crypto/tlscredsx509.c | 10 +------- docs/system/tls.rst | 13 +++------- tests/unit/crypto-tls-x509-helpers.h | 6 ++--- tests/unit/test-crypto-tlscredsx509.c | 36 +++++++++++++-------------- tests/unit/test-crypto-tlssession.c | 14 +++++------ tests/unit/test-io-channel-tls.c | 4 +-- 6 files changed, 34 insertions(+), 49 deletions(-) diff --git a/crypto/tlscredsx509.c b/crypto/tlscredsx509.c index e21d85fe16..f26429736c 100644 --- a/crypto/tlscredsx509.c +++ b/crypto/tlscredsx509.c @@ -144,7 +144,7 @@ qcrypto_tls_creds_check_cert_key_usage(QCryptoTLSCredsX= 509 *creds, if (status < 0) { if (status =3D=3D GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { usage =3D isCA ? GNUTLS_KEY_KEY_CERT_SIGN : - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT; + GNUTLS_KEY_DIGITAL_SIGNATURE; } else { error_setg(errp, "Unable to query certificate %s key usage: %s", @@ -171,14 +171,6 @@ qcrypto_tls_creds_check_cert_key_usage(QCryptoTLSCreds= X509 *creds, return -1; } } - if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) { - if (critical) { - error_setg(errp, - "Certificate %s usage does not permit key " - "encipherment", certFile); - return -1; - } - } } =20 return 0; diff --git a/docs/system/tls.rst b/docs/system/tls.rst index e284c82801..a4f6781d62 100644 --- a/docs/system/tls.rst +++ b/docs/system/tls.rst @@ -118,7 +118,6 @@ information for each server, and use it to issue server= certificates. ip_address =3D 2620:0:cafe::87 ip_address =3D 2001:24::92 tls_www_server - encryption_key signing_key EOF # certtool --generate-privkey > server-hostNNN-key.pem @@ -134,9 +133,8 @@ the subject alt name extension data. The ``tls_www_serv= er`` keyword is the key purpose extension to indicate this certificate is intended for usage in a web server. Although QEMU network services are not in fact HTTP servers (except for VNC websockets), setting this key purpose is -still recommended. The ``encryption_key`` and ``signing_key`` keyword is -the key usage extension to indicate this certificate is intended for -usage in the data session. +still recommended. The ``signing_key`` keyword is the key usage extension +to indicate this certificate is intended for usage in the data session. =20 The ``server-hostNNN-key.pem`` and ``server-hostNNN-cert.pem`` files should now be securely copied to the server for which they were @@ -171,7 +169,6 @@ certificates. organization =3D Name of your organization cn =3D hostNNN.foo.example.com tls_www_client - encryption_key signing_key EOF # certtool --generate-privkey > client-hostNNN-key.pem @@ -187,9 +184,8 @@ the ``dns_name`` and ``ip_address`` fields are not incl= uded. The ``tls_www_client`` keyword is the key purpose extension to indicate this certificate is intended for usage in a web client. Although QEMU network clients are not in fact HTTP clients, setting this key purpose is still -recommended. The ``encryption_key`` and ``signing_key`` keyword is the -key usage extension to indicate this certificate is intended for usage -in the data session. +recommended. The ``signing_key`` keyword is the key usage extension to +indicate this certificate is intended for usage in the data session. =20 The ``client-hostNNN-key.pem`` and ``client-hostNNN-cert.pem`` files should now be securely copied to the client for which they were @@ -222,7 +218,6 @@ client and server instructions in one. ip_address =3D 2001:24::92 tls_www_server tls_www_client - encryption_key signing_key EOF # certtool --generate-privkey > both-hostNNN-key.pem diff --git a/tests/unit/crypto-tls-x509-helpers.h b/tests/unit/crypto-tls-x= 509-helpers.h index 2a0f7c04fd..7e9a508ad6 100644 --- a/tests/unit/crypto-tls-x509-helpers.h +++ b/tests/unit/crypto-tls-x509-helpers.h @@ -148,8 +148,7 @@ void test_tls_cleanup(const char *keyfile); .basicConstraintsIsCA =3D false, \ .keyUsageEnable =3D true, \ .keyUsageCritical =3D true, \ - .keyUsageValue =3D \ - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, \ + .keyUsageValue =3D GNUTLS_KEY_DIGITAL_SIGNATURE, \ .keyPurposeEnable =3D true, \ .keyPurposeCritical =3D true, \ .keyPurposeOID1 =3D GNUTLS_KP_TLS_WWW_CLIENT, \ @@ -168,8 +167,7 @@ void test_tls_cleanup(const char *keyfile); .basicConstraintsIsCA =3D false, \ .keyUsageEnable =3D true, \ .keyUsageCritical =3D true, \ - .keyUsageValue =3D \ - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, \ + .keyUsageValue =3D GNUTLS_KEY_DIGITAL_SIGNATURE, \ .keyPurposeEnable =3D true, \ .keyPurposeCritical =3D true, \ .keyPurposeOID1 =3D GNUTLS_KP_TLS_WWW_SERVER, \ diff --git a/tests/unit/test-crypto-tlscredsx509.c b/tests/unit/test-crypto= -tlscredsx509.c index 96ad4e741b..a5f21728d4 100644 --- a/tests/unit/test-crypto-tlscredsx509.c +++ b/tests/unit/test-crypto-tlscredsx509.c @@ -169,14 +169,14 @@ int main(int argc, char **argv) "UK", "qemu.org", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); TLS_CERT_REQ(clientcertreq, cacertreq, "UK", "qemu", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 0, 0); =20 @@ -199,7 +199,7 @@ int main(int argc, char **argv) "UK", "qemu.org", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); =20 @@ -214,7 +214,7 @@ int main(int argc, char **argv) "UK", "qemu.org", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); =20 @@ -229,7 +229,7 @@ int main(int argc, char **argv) "UK", "qemu.org", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); =20 @@ -253,7 +253,7 @@ int main(int argc, char **argv) "UK", "qemu.org", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); /* no-basic */ @@ -267,7 +267,7 @@ int main(int argc, char **argv) "UK", "qemu.org", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); /* Key usage:dig-sig:critical */ @@ -281,7 +281,7 @@ int main(int argc, char **argv) "UK", "qemu.org", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); =20 @@ -306,7 +306,7 @@ int main(int argc, char **argv) "UK", "qemu", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T | + GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_CERT_SIGN, false, false, NULL, NULL, 0, 0); @@ -409,7 +409,7 @@ int main(int argc, char **argv) "UK", "qemu", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T | + GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_CERT_SIGN, false, false, NULL, NULL, 0, 0); @@ -511,21 +511,21 @@ int main(int argc, char **argv) "UK", "qemu.org", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); TLS_CERT_REQ(servercertexp1req, cacertreq, "UK", "qemu", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, -1); TLS_CERT_REQ(clientcertexp1req, cacertreq, "UK", "qemu", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 0, -1); =20 @@ -549,21 +549,21 @@ int main(int argc, char **argv) "UK", "qemu", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); TLS_CERT_REQ(servercertnew1req, cacertreq, "UK", "qemu", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 1, 2); TLS_CERT_REQ(clientcertnew1req, cacertreq, "UK", "qemu", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 1, 2); =20 @@ -614,14 +614,14 @@ int main(int argc, char **argv) "UK", "qemu.org", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); TLS_CERT_REQ(clientcertlevel2breq, cacertlevel1breq, "UK", "qemu client level 2b", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 0, 0); =20 diff --git a/tests/unit/test-crypto-tlssession.c b/tests/unit/test-crypto-t= lssession.c index 61311cbe6e..d0baf3b304 100644 --- a/tests/unit/test-crypto-tlssession.c +++ b/tests/unit/test-crypto-tlssession.c @@ -472,14 +472,14 @@ int main(int argc, char **argv) "UK", "qemu.org", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); TLS_CERT_REQ(clientcertreq, cacertreq, "UK", "qemu", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 0, 0); =20 @@ -487,7 +487,7 @@ int main(int argc, char **argv) "UK", "qemu", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 0, 0); =20 @@ -506,7 +506,7 @@ int main(int argc, char **argv) "192.168.122.1", "fec0::dead:beaf", true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); /* This intentionally doesn't replicate */ @@ -515,7 +515,7 @@ int main(int argc, char **argv) "192.168.122.1", "fec0::dead:beaf", true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); =20 @@ -619,14 +619,14 @@ int main(int argc, char **argv) "UK", "qemu.org", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); TLS_CERT_REQ(clientcertlevel2breq, cacertlevel1breq, "UK", "qemu client level 2b", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 0, 0); =20 diff --git a/tests/unit/test-io-channel-tls.c b/tests/unit/test-io-channel-= tls.c index 6f282ad45d..4e4034af67 100644 --- a/tests/unit/test-io-channel-tls.c +++ b/tests/unit/test-io-channel-tls.c @@ -302,14 +302,14 @@ int main(int argc, char **argv) "UK", "qemu.org", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); TLS_CERT_REQ(clientcertreq, cacertreq, "UK", "qemu", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 0, 0); =20 --=20 2.50.1