[{"id":1759517,"web_url":"http://patchwork.ozlabs.org/comment/1759517/","msgid":"","list_archive_url":null,"date":"2017-08-29T16:31:24","subject":"Re: [Qemu-devel] [PATCH] crypto: fix test cert generation to not\n\tuse SHA1 algorithm","submitter":{"id":6591,"url":"http://patchwork.ozlabs.org/api/people/6591/","name":"Eric Blake","email":"eblake@redhat.com"},"content":"On 08/29/2017 11:27 AM, Daniel P. Berrange wrote:\n> GNUTLS 3.6.0 marked SHA1 as untrusted for certificates.\n> Unfortunately the gnutls_x509_crt_sign() method we are\n> using to create certificates in the test suite is fixed\n> to always use SHA1. We must switch to a different method\n> and explicitly ask for SHA256.\n> \n> Signed-off-by: Daniel P. Berrange \n> ---\n> tests/crypto-tls-x509-helpers.c | 3 ++-\n> 1 file changed, 2 insertions(+), 1 deletion(-)\n> \n> diff --git a/tests/crypto-tls-x509-helpers.c b/tests/crypto-tls-x509-helpers.c\n> index 64073d3bd3..173d4e28fb 100644\n> --- a/tests/crypto-tls-x509-helpers.c\n> +++ b/tests/crypto-tls-x509-helpers.c\n> @@ -406,7 +406,8 @@ test_tls_generate_cert(QCryptoTLSTestCertReq *req,\n> * If no 'ca' is set then we are self signing\n> * the cert. This is done for the root CA certs\n> */\n> - err = gnutls_x509_crt_sign(crt, ca ? ca : crt, privkey);\n> + err = gnutls_x509_crt_sign2(crt, ca ? ca : crt, privkey,\n> + GNUTLS_DIG_SHA256, 0);\n\nIs _sign2() available on all the older versions of gnutls that we must\nsupport, or do we need this to be a conditional compilation?","headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":["ozlabs.org;\n\tspf=pass (mailfrom) smtp.mailfrom=nongnu.org\n\t(client-ip=2001:4830:134:3::11; helo=lists.gnu.org;\n\tenvelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n\treceiver=)","ext-mx08.extmail.prod.ext.phx2.redhat.com;\n\tdmarc=none (p=none dis=none) header.from=redhat.com","ext-mx08.extmail.prod.ext.phx2.redhat.com;\n\tspf=fail smtp.mailfrom=eblake@redhat.com"],"Received":["from lists.gnu.org (lists.gnu.org [IPv6:2001:4830:134:3::11])\n\t(using TLSv1 with cipher AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3xhZ0c6cLmz9rvt\n\tfor ;\n\tWed, 30 Aug 2017 02:32:00 +1000 (AEST)","from localhost ([::1]:45996 helo=lists.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.71) (envelope-from\n\t)\n\tid 1dmjQk-0007v4-O6\n\tfor incoming@patchwork.ozlabs.org; Tue, 29 Aug 2017 12:31:58 -0400","from eggs.gnu.org ([2001:4830:134:3::10]:40311)\n\tby lists.gnu.org with esmtp (Exim 4.71)\n\t(envelope-from ) id 1dmjQJ-0007tp-Jt\n\tfor qemu-devel@nongnu.org; Tue, 29 Aug 2017 12:31:32 -0400","from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)\n\t(envelope-from ) id 1dmjQF-0008IY-17\n\tfor qemu-devel@nongnu.org; Tue, 29 Aug 2017 12:31:31 -0400","from mx1.redhat.com ([209.132.183.28]:44918)\n\tby eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)\n\t(Exim 4.71) (envelope-from ) id 1dmjQE-0008I2-OL\n\tfor qemu-devel@nongnu.org; Tue, 29 Aug 2017 12:31:26 -0400","from smtp.corp.redhat.com\n\t(int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14])\n\t(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby mx1.redhat.com (Postfix) with ESMTPS id AEAFFC056793\n\tfor ; Tue, 29 Aug 2017 16:31:25 +0000 (UTC)","from [10.10.122.186] (ovpn-122-186.rdu2.redhat.com [10.10.122.186])\n\tby smtp.corp.redhat.com (Postfix) with ESMTP id 372845D9C0;\n\tTue, 29 Aug 2017 16:31:24 +0000 (UTC)"],"DMARC-Filter":"OpenDMARC Filter v1.3.2 mx1.redhat.com AEAFFC056793","To":"\"Daniel P. Berrange\" , qemu-devel@nongnu.org","References":"<20170829162727.13081-1-berrange@redhat.com>","From":"Eric Blake ","Openpgp":"url=http://people.redhat.com/eblake/eblake.gpg","Organization":"Red Hat, Inc.","Message-ID":"","Date":"Tue, 29 Aug 2017 11:31:24 -0500","User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101\n\tThunderbird/52.3.0","MIME-Version":"1.0","In-Reply-To":"<20170829162727.13081-1-berrange@redhat.com>","Content-Type":"multipart/signed; micalg=pgp-sha256;\n\tprotocol=\"application/pgp-signature\";\n\tboundary=\"8QuGReDRsQ1qbEHMvVNQRXxlgxixNhWrU\"","X-Scanned-By":"MIMEDefang 2.79 on 10.5.11.14","X-Greylist":"Sender IP whitelisted, not delayed by milter-greylist-4.5.16\n\t(mx1.redhat.com [10.5.110.32]);\n\tTue, 29 Aug 2017 16:31:25 +0000 (UTC)","X-detected-operating-system":"by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]\n\t[fuzzy]","X-Received-From":"209.132.183.28","X-Content-Filtered-By":"Mailman/MimeDel 2.1.21","Subject":"Re: [Qemu-devel] [PATCH] crypto: fix test cert generation to not\n\tuse SHA1 algorithm","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.21","Precedence":"list","List-Id":"","List-Unsubscribe":",\n\t","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n\t","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"\"Qemu-devel\"\n\t"}},{"id":1759525,"web_url":"http://patchwork.ozlabs.org/comment/1759525/","msgid":"<20170829163427.GG25801@redhat.com>","list_archive_url":null,"date":"2017-08-29T16:34:27","subject":"Re: [Qemu-devel] [PATCH] crypto: fix test cert generation to not\n\tuse SHA1 algorithm","submitter":{"id":2694,"url":"http://patchwork.ozlabs.org/api/people/2694/","name":"Daniel P. Berrangé","email":"berrange@redhat.com"},"content":"On Tue, Aug 29, 2017 at 11:31:24AM -0500, Eric Blake wrote:\n> On 08/29/2017 11:27 AM, Daniel P. Berrange wrote:\n> > GNUTLS 3.6.0 marked SHA1 as untrusted for certificates.\n> > Unfortunately the gnutls_x509_crt_sign() method we are\n> > using to create certificates in the test suite is fixed\n> > to always use SHA1. We must switch to a different method\n> > and explicitly ask for SHA256.\n> > \n> > Signed-off-by: Daniel P. Berrange \n> > ---\n> > tests/crypto-tls-x509-helpers.c | 3 ++-\n> > 1 file changed, 2 insertions(+), 1 deletion(-)\n> > \n> > diff --git a/tests/crypto-tls-x509-helpers.c b/tests/crypto-tls-x509-helpers.c\n> > index 64073d3bd3..173d4e28fb 100644\n> > --- a/tests/crypto-tls-x509-helpers.c\n> > +++ b/tests/crypto-tls-x509-helpers.c\n> > @@ -406,7 +406,8 @@ test_tls_generate_cert(QCryptoTLSTestCertReq *req,\n> > * If no 'ca' is set then we are self signing\n> > * the cert. This is done for the root CA certs\n> > */\n> > - err = gnutls_x509_crt_sign(crt, ca ? ca : crt, privkey);\n> > + err = gnutls_x509_crt_sign2(crt, ca ? ca : crt, privkey,\n> > + GNUTLS_DIG_SHA256, 0);\n> \n> Is _sign2() available on all the older versions of gnutls that we must\n> support, or do we need this to be a conditional compilation?\n\nIt dates to gnutls 1.2.0 from 2005, so we're fine even if using RHEL5\nvintage :-)\n\nRegards,\nDaniel","headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":["ozlabs.org;\n\tspf=pass (mailfrom) smtp.mailfrom=nongnu.org\n\t(client-ip=2001:4830:134:3::11; helo=lists.gnu.org;\n\tenvelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n\treceiver=)","ext-mx03.extmail.prod.ext.phx2.redhat.com;\n\tdmarc=none (p=none dis=none) header.from=redhat.com","ext-mx03.extmail.prod.ext.phx2.redhat.com;\n\tspf=fail smtp.mailfrom=berrange@redhat.com"],"Received":["from lists.gnu.org (lists.gnu.org [IPv6:2001:4830:134:3::11])\n\t(using TLSv1 with cipher AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3xhZ7Q6RFVz9t38\n\tfor ;\n\tWed, 30 Aug 2017 02:37:54 +1000 (AEST)","from localhost ([::1]:46033 helo=lists.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.71) (envelope-from\n\t)\n\tid 1dmjWS-0003wX-Rv\n\tfor incoming@patchwork.ozlabs.org; Tue, 29 Aug 2017 12:37:52 -0400","from eggs.gnu.org ([2001:4830:134:3::10]:41314)\n\tby lists.gnu.org with esmtp (Exim 4.71)\n\t(envelope-from ) id 1dmjTI-0001hw-R2\n\tfor qemu-devel@nongnu.org; Tue, 29 Aug 2017 12:34:38 -0400","from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)\n\t(envelope-from ) id 1dmjTE-000156-U3\n\tfor qemu-devel@nongnu.org; Tue, 29 Aug 2017 12:34:36 -0400","from mx1.redhat.com ([209.132.183.28]:43520)\n\tby eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)\n\t(Exim 4.71) (envelope-from ) id 1dmjTE-00014k-NM\n\tfor qemu-devel@nongnu.org; Tue, 29 Aug 2017 12:34:32 -0400","from smtp.corp.redhat.com\n\t(int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16])\n\t(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby mx1.redhat.com (Postfix) with ESMTPS id A941F7E42F\n\tfor ; Tue, 29 Aug 2017 16:34:31 +0000 (UTC)","from redhat.com (unknown [10.33.36.95])\n\tby smtp.corp.redhat.com (Postfix) with ESMTPS id C77C7692A7;\n\tTue, 29 Aug 2017 16:34:30 +0000 (UTC)"],"DMARC-Filter":"OpenDMARC Filter v1.3.2 mx1.redhat.com A941F7E42F","Date":"Tue, 29 Aug 2017 17:34:27 +0100","From":"\"Daniel P. Berrange\" ","To":"Eric Blake ","Message-ID":"<20170829163427.GG25801@redhat.com>","References":"<20170829162727.13081-1-berrange@redhat.com>\n\t","MIME-Version":"1.0","Content-Type":"text/plain; charset=utf-8","Content-Disposition":"inline","In-Reply-To":"","User-Agent":"Mutt/1.8.3 (2017-05-23)","X-Scanned-By":"MIMEDefang 2.79 on 10.5.11.16","X-Greylist":"Sender IP whitelisted, not delayed by milter-greylist-4.5.16\n\t(mx1.redhat.com [10.5.110.27]);\n\tTue, 29 Aug 2017 16:34:31 +0000 (UTC)","X-detected-operating-system":"by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]\n\t[fuzzy]","X-Received-From":"209.132.183.28","Subject":"Re: [Qemu-devel] [PATCH] crypto: fix test cert generation to not\n\tuse SHA1 algorithm","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.21","Precedence":"list","List-Id":"","List-Unsubscribe":",\n\t","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n\t","Reply-To":"\"Daniel P. Berrange\" ","Cc":"qemu-devel@nongnu.org","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"\"Qemu-devel\"\n\t"}},{"id":1759529,"web_url":"http://patchwork.ozlabs.org/comment/1759529/","msgid":"<3aec24f8-b5ba-b18c-58ec-462c3483f6f0@redhat.com>","list_archive_url":null,"date":"2017-08-29T16:42:05","subject":"Re: [Qemu-devel] [PATCH] crypto: fix test cert generation to not\n\tuse SHA1 algorithm","submitter":{"id":6591,"url":"http://patchwork.ozlabs.org/api/people/6591/","name":"Eric Blake","email":"eblake@redhat.com"},"content":"On 08/29/2017 11:34 AM, Daniel P. Berrange wrote:\n> On Tue, Aug 29, 2017 at 11:31:24AM -0500, Eric Blake wrote:\n>> On 08/29/2017 11:27 AM, Daniel P. Berrange wrote:\n>>> GNUTLS 3.6.0 marked SHA1 as untrusted for certificates.\n>>> Unfortunately the gnutls_x509_crt_sign() method we are\n>>> using to create certificates in the test suite is fixed\n>>> to always use SHA1. We must switch to a different method\n>>> and explicitly ask for SHA256.\n>>>\n>>> Signed-off-by: Daniel P. Berrange \n>>> ---\n>>> tests/crypto-tls-x509-helpers.c | 3 ++-\n>>> 1 file changed, 2 insertions(+), 1 deletion(-)\n>>>\n>>> diff --git a/tests/crypto-tls-x509-helpers.c b/tests/crypto-tls-x509-helpers.c\n>>> index 64073d3bd3..173d4e28fb 100644\n>>> --- a/tests/crypto-tls-x509-helpers.c\n>>> +++ b/tests/crypto-tls-x509-helpers.c\n>>> @@ -406,7 +406,8 @@ test_tls_generate_cert(QCryptoTLSTestCertReq *req,\n>>> * If no 'ca' is set then we are self signing\n>>> * the cert. This is done for the root CA certs\n>>> */\n>>> - err = gnutls_x509_crt_sign(crt, ca ? ca : crt, privkey);\n>>> + err = gnutls_x509_crt_sign2(crt, ca ? ca : crt, privkey,\n>>> + GNUTLS_DIG_SHA256, 0);\n>>\n>> Is _sign2() available on all the older versions of gnutls that we must\n>> support, or do we need this to be a conditional compilation?\n> \n> It dates to gnutls 1.2.0 from 2005, so we're fine even if using RHEL5\n> vintage :-)\n\nGood to know. Not sure if it's worth mentioning that in the commit\nmessage. Either way,\n\nReviewed-by: Eric Blake ","headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":["ozlabs.org;\n\tspf=pass (mailfrom) smtp.mailfrom=nongnu.org\n\t(client-ip=2001:4830:134:3::11; helo=lists.gnu.org;\n\tenvelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n\treceiver=)","ext-mx09.extmail.prod.ext.phx2.redhat.com;\n\tdmarc=none (p=none dis=none) header.from=redhat.com","ext-mx09.extmail.prod.ext.phx2.redhat.com;\n\tspf=fail smtp.mailfrom=eblake@redhat.com"],"Received":["from lists.gnu.org (lists.gnu.org [IPv6:2001:4830:134:3::11])\n\t(using TLSv1 with cipher AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3xhZF76VKgz9t38\n\tfor ;\n\tWed, 30 Aug 2017 02:42:51 +1000 (AEST)","from localhost ([::1]:46056 helo=lists.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.71) (envelope-from\n\t)\n\tid 1dmjbF-00072P-R0\n\tfor incoming@patchwork.ozlabs.org; Tue, 29 Aug 2017 12:42:49 -0400","from eggs.gnu.org ([2001:4830:134:3::10]:45710)\n\tby lists.gnu.org with esmtp (Exim 4.71)\n\t(envelope-from ) id 1dmjae-00070u-77\n\tfor qemu-devel@nongnu.org; Tue, 29 Aug 2017 12:42:13 -0400","from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)\n\t(envelope-from ) id 1dmjaa-0005eO-7a\n\tfor qemu-devel@nongnu.org; Tue, 29 Aug 2017 12:42:12 -0400","from mx1.redhat.com ([209.132.183.28]:36584)\n\tby eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)\n\t(Exim 4.71) (envelope-from ) id 1dmjaZ-0005dx-Th\n\tfor qemu-devel@nongnu.org; Tue, 29 Aug 2017 12:42:08 -0400","from smtp.corp.redhat.com\n\t(int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12])\n\t(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby mx1.redhat.com (Postfix) with ESMTPS id D95744DD4B\n\tfor ; Tue, 29 Aug 2017 16:42:06 +0000 (UTC)","from [10.10.122.186] (ovpn-122-186.rdu2.redhat.com [10.10.122.186])\n\tby smtp.corp.redhat.com (Postfix) with ESMTP id 58BEB18B37;\n\tTue, 29 Aug 2017 16:42:06 +0000 (UTC)"],"DMARC-Filter":"OpenDMARC Filter v1.3.2 mx1.redhat.com D95744DD4B","To":"\"Daniel P. Berrange\" ","References":"<20170829162727.13081-1-berrange@redhat.com>\n\t\n\t<20170829163427.GG25801@redhat.com>","From":"Eric Blake ","Openpgp":"url=http://people.redhat.com/eblake/eblake.gpg","Organization":"Red Hat, Inc.","Message-ID":"<3aec24f8-b5ba-b18c-58ec-462c3483f6f0@redhat.com>","Date":"Tue, 29 Aug 2017 11:42:05 -0500","User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101\n\tThunderbird/52.3.0","MIME-Version":"1.0","In-Reply-To":"<20170829163427.GG25801@redhat.com>","Content-Type":"multipart/signed; micalg=pgp-sha256;\n\tprotocol=\"application/pgp-signature\";\n\tboundary=\"cGfxeqFMiQ1cPOAlexRMAaqbq1G79QqmV\"","X-Scanned-By":"MIMEDefang 2.79 on 10.5.11.12","X-Greylist":"Sender IP whitelisted, not delayed by milter-greylist-4.5.16\n\t(mx1.redhat.com [10.5.110.38]);\n\tTue, 29 Aug 2017 16:42:07 +0000 (UTC)","X-detected-operating-system":"by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]\n\t[fuzzy]","X-Received-From":"209.132.183.28","X-Content-Filtered-By":"Mailman/MimeDel 2.1.21","Subject":"Re: [Qemu-devel] [PATCH] crypto: fix test cert generation to not\n\tuse SHA1 algorithm","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.21","Precedence":"list","List-Id":"","List-Unsubscribe":",\n\t","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n\t","Cc":"qemu-devel@nongnu.org","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"\"Qemu-devel\"\n\t"}}]