Bug#1115914: unblock: libvirt/11.3.0-3+deb13u1
retitle 1115914 trixie-pu: package libvirt/11.3.0-3+deb13u1
tags 1115914 trixie
user release.debian.org@packages.debian.org
usertags 1115914 pu -unblock
Fixing bug meta-data.
Cheers
On 2025-09-21 18:52:29 +0200, Andrea Bolognani wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: libvirt@packages.debian.org
> Control: affects -1 + src:libvirt
>
> Please unblock package libvirt.
>
> Note: this is a preemptive unblock request. I will proceed with the
> upload once the release team has confirmed that they're okay with it.
>
> [ Reason ]
>
> Various fixes for libvirt in trixie.
>
> [ Tests ]
>
> I have manually verified that the fixes work as intended. They all
> come directly from upstream, which means that they were validated in
> that context already.
>
> [ Risks ]
>
> Very little risk given the targeted nature of the fixes and the fact
> that they are straightforward backports from upstream.
>
> [ Checklist ]
> [x] all changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in testing
>
> unblock libvirt/11.3.0-3+deb13u1
>
> --
> Andrea Bolognani <eof@kiyuko.org>
> Resistance is futile, you will be garbage collected.
> diff -Nru libvirt-11.3.0/debian/changelog libvirt-11.3.0/debian/changelog
> --- libvirt-11.3.0/debian/changelog 2025-07-02 22:15:28.000000000 +0200
> +++ libvirt-11.3.0/debian/changelog 2025-09-21 18:29:38.000000000 +0200
> @@ -1,3 +1,25 @@
> +libvirt (11.3.0-3+deb13u1) trixie; urgency=medium
> +
> + * [6a549fc] patches: Add backports
> + - backport/tlscert-Don-t-force-keyEncipherment[...]
> + - backport/tls-Don-t-require-keyEncipherment-[...]
> + - backport/tests-[...]-Drop-use-of-GNUTLS_KEY_KEY_ENCIPHERM[...]
> + - Removes the requirement to have keyEncipherment enabled
> + for TLS certificates
> + - Closes: #1110816
> + * [8b355a8] patches: Add backports
> + - backport/daemon-Drop-log-level-of-VIR_ERR_NO_SUPPORT-[...]
> + - Prevents journal spam when using the LXC driver
> + - Closes: #1110963
> + * [f5079ab] patches: Add backports
> + - backport/qemu-capabilities-Check-if-cpuModels-is-not-NULL-[...]
> + - Fixes a daemon crash that occurs when probing capabilities
> + for a QEMU binary that doesn't report information about
> + CPU models
> + - Closes: #1112481
> +
> + -- Andrea Bolognani <eof@kiyuko.org> Sun, 21 Sep 2025 18:29:38 +0200
> +
> libvirt (11.3.0-3) unstable; urgency=medium
>
> * [d10b70f] patches: Add backports
> diff -Nru libvirt-11.3.0/debian/patches/backport/daemon-Drop-log-level-of-VIR_ERR_NO_SUPPORT-to-debug.patch libvirt-11.3.0/debian/patches/backport/daemon-Drop-log-level-of-VIR_ERR_NO_SUPPORT-to-debug.patch
> --- libvirt-11.3.0/debian/patches/backport/daemon-Drop-log-level-of-VIR_ERR_NO_SUPPORT-to-debug.patch 1970-01-01 01:00:00.000000000 +0100
> +++ libvirt-11.3.0/debian/patches/backport/daemon-Drop-log-level-of-VIR_ERR_NO_SUPPORT-to-debug.patch 2025-09-21 18:29:38.000000000 +0200
> @@ -0,0 +1,34 @@
> +From: Peter Krempa <pkrempa@redhat.com>
> +Date: Tue, 26 Aug 2025 13:57:42 +0200
> +Subject: daemon: Drop log level of VIR_ERR_NO_SUPPORT to debug
> +
> +The error code signals that the API the user called is not supported by
> +the driver. This can happen with some hypervisor drivers which don't
> +have everything implemented yet. There's no point in spamming the log
> +with it.
> +
> +Closes: https://gitlab.com/libvirt/libvirt/-/issues/805
> +Signed-off-by: Peter Krempa <pkrempa@redhat.com>
> +Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
> +(cherry picked from commit 37a1bd945899308d1c071bb885e5d1d9529d6b85)
> +
> +Bug-Debian: https://bugs.debian.org/1110963
> +
> +Forwarded: not-needed
> +Origin: https://gitlab.com/libvirt/libvirt/-/commits/37a1bd945899308d1c071bb885e5d1d9529d6b85
> +---
> + src/remote/remote_daemon.c | 1 +
> + 1 file changed, 1 insertion(+)
> +
> +diff --git a/src/remote/remote_daemon.c b/src/remote/remote_daemon.c
> +index 1424d4c..2973813 100644
> +--- a/src/remote/remote_daemon.c
> ++++ b/src/remote/remote_daemon.c
> +@@ -108,6 +108,7 @@ static int daemonErrorLogFilter(virErrorPtr err, int priority)
> + case VIR_ERR_NO_CLIENT:
> + case VIR_ERR_NO_HOSTNAME:
> + case VIR_ERR_NO_NETWORK_METADATA:
> ++ case VIR_ERR_NO_SUPPORT:
> + return VIR_LOG_DEBUG;
> + }
> +
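Review bot: adding `case VIR_ERR_NO_SUPPORT:` to daemonErrorLogFilter demotes every unsupported-API error to VIR_LOG_DEBUG, not only the LXC case the changelog entry mentions, so repeated unsupported calls from any client stop appearing in the journal at the default log level; operators who relied on those messages to spot misbehaving or misconfigured clients will need to raise the daemon log level. The returned error is unchanged and the client still receives it, so the functional impact is limited to logging, which makes this a safe backport.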
> diff -Nru libvirt-11.3.0/debian/patches/backport/qemu-capabilities-Check-if-cpuModels-is-not-NULL-before-t.patch libvirt-11.3.0/debian/patches/backport/qemu-capabilities-Check-if-cpuModels-is-not-NULL-before-t.patch
> --- libvirt-11.3.0/debian/patches/backport/qemu-capabilities-Check-if-cpuModels-is-not-NULL-before-t.patch 1970-01-01 01:00:00.000000000 +0100
> +++ libvirt-11.3.0/debian/patches/backport/qemu-capabilities-Check-if-cpuModels-is-not-NULL-before-t.patch 2025-09-21 18:29:38.000000000 +0200
> @@ -0,0 +1,76 @@
> +From: anonymix007 <48598263+anonymix007@users.noreply.github.com>
> +Date: Wed, 4 Jun 2025 12:05:23 +0300
> +Subject: qemu: capabilities: Check if cpuModels is not NULL before trying to
> + dereference it
> +
> +accel->cpuModels field might be NULL if QEMU does not return CPU models.
> +The following backtrace is observed in such cases:
> +0 virQEMUCapsProbeQMPCPUDefinitions (qemuCaps=qemuCaps@entry=0x7f1890003ae0, accel=accel@entry=0x7f1890003c10, mon=mon@entry=0x7f1890005270)
> + at ../src/qemu/qemu_capabilities.c:3091
> +1 0x00007f18b42fa7b1 in virQEMUCapsInitQMPMonitor (qemuCaps=qemuCaps@entry=0x7f1890003ae0, mon=0x7f1890005270) at ../src/qemu/qemu_capabilities.c:5746
> +2 0x00007f18b42fafaf in virQEMUCapsInitQMPSingle (qemuCaps=qemuCaps@entry=0x7f1890003ae0, libDir=libDir@entry=0x7f186c1e70f0 "/var/lib/libvirt/qemu",
> + runUid=runUid@entry=955, runGid=runGid@entry=955, onlyTCG=onlyTCG@entry=false) at ../src/qemu/qemu_capabilities.c:5832
> +3 0x00007f18b42fb1a5 in virQEMUCapsInitQMP (qemuCaps=0x7f1890003ae0, libDir=0x7f186c1e70f0 "/var/lib/libvirt/qemu", runUid=955, runGid=955)
> + at ../src/qemu/qemu_capabilities.c:5848
> +4 virQEMUCapsNewForBinaryInternal (hostArch=VIR_ARCH_X86_64, binary=binary@entry=0x7f1868002fc0 "/usr/bin/qemu-system-alpha",
> + libDir=0x7f186c1e70f0 "/var/lib/libvirt/qemu", runUid=955, runGid=955,
> + hostCPUSignature=0x7f186c1e9f20 "AuthenticAMD, AMD Ryzen 9 7950X 16-Core Processor, family: 25, model: 97, stepping: 2", microcodeVersion=174068233,
> + kernelVersion=0x7f186c194200 "6.14.9-arch1-1 #1 SMP PREEMPT_DYNAMIC Thu, 29 May 2025 21:42:15 +0000", cpuData=0x7f186c1ea490)
> + at ../src/qemu/qemu_capabilities.c:5907
> +5 0x00007f18b42fb4c9 in virQEMUCapsNewData (binary=0x7f1868002fc0 "/usr/bin/qemu-system-alpha", privData=0x7f186c194280)
> + at ../src/qemu/qemu_capabilities.c:5942
> +6 0x00007f18bd42d302 in virFileCacheNewData (cache=0x7f186c193730, name=0x7f1868002fc0 "/usr/bin/qemu-system-alpha") at ../src/util/virfilecache.c:206
> +7 virFileCacheValidate (cache=cache@entry=0x7f186c193730, name=name@entry=0x7f1868002fc0 "/usr/bin/qemu-system-alpha", data=data@entry=0x7f18b67c37c0)
> + at ../src/util/virfilecache.c:269
> +8 0x00007f18bd42d5b8 in virFileCacheLookup (cache=cache@entry=0x7f186c193730, name=name@entry=0x7f1868002fc0 "/usr/bin/qemu-system-alpha")
> + at ../src/util/virfilecache.c:301
> +9 0x00007f18b42fb679 in virQEMUCapsCacheLookup (cache=cache@entry=0x7f186c193730, binary=binary@entry=0x7f1868002fc0 "/usr/bin/qemu-system-alpha")
> + at ../src/qemu/qemu_capabilities.c:6036
> +10 0x00007f18b42fb785 in virQEMUCapsInitGuest (caps=<optimized out>, cache=<optimized out>, hostarch=VIR_ARCH_X86_64, guestarch=VIR_ARCH_ALPHA)
> + at ../src/qemu/qemu_capabilities.c:1037
> +11 virQEMUCapsInit (cache=0x7f186c193730) at ../src/qemu/qemu_capabilities.c:1229
> +12 0x00007f18b431d311 in virQEMUDriverCreateCapabilities (driver=driver@entry=0x7f186c01f410) at ../src/qemu/qemu_conf.c:1553
> +13 0x00007f18b431d663 in virQEMUDriverGetCapabilities (driver=0x7f186c01f410, refresh=<optimized out>) at ../src/qemu/qemu_conf.c:1623
> +14 0x00007f18b435e3e4 in qemuConnectGetVersion (conn=<optimized out>, version=0x7f18b67c39b0) at ../src/qemu/qemu_driver.c:1492
> +15 0x00007f18bd69c5e8 in virConnectGetVersion (conn=0x55bc5f4cda20, hvVer=hvVer@entry=0x7f18b67c39b0) at ../src/libvirt-host.c:201
> +16 0x000055bc34ef3627 in remoteDispatchConnectGetVersion (server=0x55bc5f4b93f0, msg=0x55bc5f4cdf60, client=0x55bc5f4c66d0, rerr=0x7f18b67c3a80,
> + ret=0x55bc5f4b8670) at src/remote/remote_daemon_dispatch_stubs.h:1265
> +17 remoteDispatchConnectGetVersionHelper (server=0x55bc5f4b93f0, client=0x55bc5f4c66d0, msg=0x55bc5f4cdf60, rerr=0x7f18b67c3a80, args=0x0, ret=0x55bc5f4b8670)
> + at src/remote/remote_daemon_dispatch_stubs.h:1247
> +18 0x00007f18bd5506da in virNetServerProgramDispatchCall (prog=0x55bc5f4cae90, server=0x55bc5f4b93f0, client=0x55bc5f4c66d0, msg=0x55bc5f4cdf60)
> + at ../src/rpc/virnetserverprogram.c:423
> +19 virNetServerProgramDispatch (prog=0x55bc5f4cae90, server=server@entry=0x55bc5f4b93f0, client=0x55bc5f4c66d0, msg=0x55bc5f4cdf60)
> + at ../src/rpc/virnetserverprogram.c:299
> +20 0x00007f18bd556c32 in virNetServerProcessMsg (srv=srv@entry=0x55bc5f4b93f0, client=<optimized out>, prog=<optimized out>, msg=<optimized out>)
> + at ../src/rpc/virnetserver.c:135
> +21 0x00007f18bd556f77 in virNetServerHandleJob (jobOpaque=0x55bc5f4d2bb0, opaque=0x55bc5f4b93f0) at ../src/rpc/virnetserver.c:155
> +22 0x00007f18bd47dd19 in virThreadPoolWorker (opaque=<optimized out>) at ../src/util/virthreadpool.c:164
> +23 0x00007f18bd47d253 in virThreadHelper (data=0x55bc5f4b7810) at ../src/util/virthread.c:256
> +24 0x00007f18bce117eb in start_thread (arg=<optimized out>) at pthread_create.c:448
> +25 0x00007f18bce9518c in __GI___clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
> +
> +Signed-off-by: anonymix007 <anonymix007@users.noreply.github.com>
> +(cherry picked from commit e7239c619fcaf35b8b605ce07c5d5b15351b3a62)
> +
> +Bug-Debian: https://bugs.debian.org/1112481
> +
> +Forwarded: not-needed
> +Origin: https://gitlab.com/libvirt/libvirt/-/commits/e7239c619fcaf35b8b605ce07c5d5b15351b3a62
> +---
> + src/qemu/qemu_capabilities.c | 3 +++
> + 1 file changed, 3 insertions(+)
> +
> +diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
> +index a804335..e937fe3 100644
> +--- a/src/qemu/qemu_capabilities.c
> ++++ b/src/qemu/qemu_capabilities.c
> +@@ -3078,6 +3078,9 @@ virQEMUCapsProbeQMPCPUDefinitions(virQEMUCaps *qemuCaps,
> + if (virQEMUCapsFetchCPUDefinitions(mon, qemuCaps->arch, &accel->cpuModels) < 0)
> + return -1;
> +
> ++ if (!accel->cpuModels)
> ++ return 0;
> ++
> + defs = accel->cpuModels;
> + for (i = 0; i < defs->ncpus; i++) {
> + if (STREQ_NULLABLE(defs->cpus[i].name, "max")) {
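Review bot: the early `return 0;` when `accel->cpuModels` is NULL makes a QEMU binary that reports no CPU models look like a successful probe with an empty model list; a VIR_DEBUG line at that point (the function already logs elsewhere) would make the condition visible later when a guest cannot find a CPU model. The check itself is correct and closes a NULL dereference in virQEMUCapsProbeQMPCPUDefinitions that, per the backtrace, is reached from qemuConnectGetVersion through capability probing of every installed qemu-system-* binary (frames 10 to 14), so before this fix a single oddly behaving binary such as qemu-system-alpha could take down libvirtd on an ordinary client call; the changelog's "daemon crash" wording could say so.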
> diff -Nru libvirt-11.3.0/debian/patches/backport/tests-virnettls-test-Drop-use-of-GNUTLS_KEY_KEY_ENCIPHERM.patch libvirt-11.3.0/debian/patches/backport/tests-virnettls-test-Drop-use-of-GNUTLS_KEY_KEY_ENCIPHERM.patch
> --- libvirt-11.3.0/debian/patches/backport/tests-virnettls-test-Drop-use-of-GNUTLS_KEY_KEY_ENCIPHERM.patch 1970-01-01 01:00:00.000000000 +0100
> +++ libvirt-11.3.0/debian/patches/backport/tests-virnettls-test-Drop-use-of-GNUTLS_KEY_KEY_ENCIPHERM.patch 2025-09-21 18:29:38.000000000 +0200
> @@ -0,0 +1,237 @@
> +From: Peter Krempa <pkrempa@redhat.com>
> +Date: Tue, 1 Jul 2025 13:48:00 +0200
> +Subject: tests: virnettls*test: Drop use of GNUTLS_KEY_KEY_ENCIPHERMENT
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset="utf-8"
> +Content-Transfer-Encoding: 8bit
> +
> +It's not needed with TLS 1.3 any more.
> +
> +Signed-off-by: Peter Krempa <pkrempa@redhat.com>
> +Reviewed-by: Ján Tomko <jtomko@redhat.com>
> +(cherry picked from commit e67952b0e612c9ad3c3eec8bb692589602953ee8)
> +
> +Bug-Debian: https://bugs.debian.org/1110816
> +
> +Forwarded: not-needed
> +Origin: https://gitlab.com/libvirt/libvirt/-/commits/e67952b0e612c9ad3c3eec8bb692589602953ee8
> +---
> + tests/virnettlscontexttest.c | 36 ++++++++++++++++++------------------
> + tests/virnettlssessiontest.c | 14 +++++++-------
> + 2 files changed, 25 insertions(+), 25 deletions(-)
> +
> +diff --git a/tests/virnettlscontexttest.c b/tests/virnettlscontexttest.c
> +index 2311524..48bdefd 100644
> +--- a/tests/virnettlscontexttest.c
> ++++ b/tests/virnettlscontexttest.c
> +@@ -156,13 +156,13 @@ mymain(void)
> + TLS_CERT_REQ(servercertreq, cacertreq,
> + "UK", "libvirt.org", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
> + 0, 0);
> + TLS_CERT_REQ(clientcertreq, cacertreq,
> + "UK", "libvirt", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
> + 0, 0);
> +
> +@@ -182,7 +182,7 @@ mymain(void)
> + TLS_CERT_REQ(servercert1req, cacert1req,
> + "UK", "libvirt.org", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
> + 0, 0);
> +
> +@@ -196,7 +196,7 @@ mymain(void)
> + TLS_CERT_REQ(servercert2req, cacert2req,
> + "UK", "libvirt.org", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
> + 0, 0);
> +
> +@@ -210,7 +210,7 @@ mymain(void)
> + TLS_CERT_REQ(servercert3req, cacert3req,
> + "UK", "libvirt.org", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
> + 0, 0);
> +
> +@@ -230,7 +230,7 @@ mymain(void)
> + TLS_CERT_REQ(servercert4req, cacert4req,
> + "UK", "libvirt.org", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
> + 0, 0);
> + /* no-basic */
> +@@ -243,7 +243,7 @@ mymain(void)
> + TLS_CERT_REQ(servercert5req, cacert5req,
> + "UK", "libvirt.org", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
> + 0, 0);
> + /* Key usage:dig-sig:critical */
> +@@ -256,7 +256,7 @@ mymain(void)
> + TLS_CERT_REQ(servercert6req, cacert6req,
> + "UK", "libvirt.org", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
> + 0, 0);
> +
> +@@ -284,7 +284,7 @@ mymain(void)
> + TLS_CERT_REQ(servercert8req, cacertreq,
> + "UK", "libvirt", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT | GNUTLS_KEY_KEY_CERT_SIGN,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_CERT_SIGN,
> + false, false, NULL, NULL,
> + 0, 0);
> + /* usage:cert-sign:not-critical */
> +@@ -372,7 +372,7 @@ mymain(void)
> + TLS_CERT_REQ(clientcert2req, cacertreq,
> + "UK", "libvirt", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT | GNUTLS_KEY_KEY_CERT_SIGN,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_CERT_SIGN,
> + false, false, NULL, NULL,
> + 0, 0);
> + /* usage:cert-sign:not-critical */
> +@@ -459,19 +459,19 @@ mymain(void)
> + TLS_CERT_REQ(servercertexpreq, cacertexpreq,
> + "UK", "libvirt.org", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
> + 0, 0);
> + TLS_CERT_REQ(servercertexp1req, cacertreq,
> + "UK", "libvirt", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
> + 0, -1);
> + TLS_CERT_REQ(clientcertexp1req, cacertreq,
> + "UK", "libvirt", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
> + 0, -1);
> +
> +@@ -491,19 +491,19 @@ mymain(void)
> + TLS_CERT_REQ(servercertnewreq, cacertnewreq,
> + "UK", "libvirt", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
> + 0, 0);
> + TLS_CERT_REQ(servercertnew1req, cacertreq,
> + "UK", "libvirt", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
> + 1, 2);
> + TLS_CERT_REQ(clientcertnew1req, cacertreq,
> + "UK", "libvirt", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
> + 1, 2);
> +
> +@@ -538,13 +538,13 @@ mymain(void)
> + TLS_CERT_REQ(servercertlevel3areq, cacertlevel2areq,
> + "UK", "libvirt.org", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
> + 0, 0);
> + TLS_CERT_REQ(clientcertlevel2breq, cacertlevel1breq,
> + "UK", "libvirt client level 2b", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
> + 0, 0);
> +
> +diff --git a/tests/virnettlssessiontest.c b/tests/virnettlssessiontest.c
> +index 285cde5..459e17c 100644
> +--- a/tests/virnettlssessiontest.c
> ++++ b/tests/virnettlssessiontest.c
> +@@ -314,20 +314,20 @@ mymain(void)
> + TLS_CERT_REQ(servercertreq, cacertreq,
> + "UK", "libvirt.org", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
> + 0, 0);
> + TLS_CERT_REQ(clientcertreq, cacertreq,
> + "UK", "libvirt", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
> + 0, 0);
> +
> + TLS_CERT_REQ(clientcertaltreq, altcacertreq,
> + "UK", "libvirt", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
> + 0, 0);
> +
> +@@ -342,14 +342,14 @@ mymain(void)
> + TLS_CERT_REQ(servercertalt1req, cacertreq,
> + "UK", "libvirt.org", "www.libvirt.org", "libvirt.org", "192.168.122.1", "fec0::dead:beaf",
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
> + 0, 0);
> + /* This intentionally doesn't replicate */
> + TLS_CERT_REQ(servercertalt2req, cacertreq,
> + "UK", "libvirt.org", "www.libvirt.org", "wiki.libvirt.org", "192.168.122.1", "fec0::dead:beaf",
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
> + 0, 0);
> +
> +@@ -433,13 +433,13 @@ mymain(void)
> + TLS_CERT_REQ(servercertlevel3areq, cacertlevel2areq,
> + "UK", "libvirt.org", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
> + 0, 0);
> + TLS_CERT_REQ(clientcertlevel2breq, cacertlevel1breq,
> + "UK", "libvirt client level 2b", NULL, NULL, NULL, NULL,
> + true, true, false,
> +- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
> ++ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
> + true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
> + 0, 0);
> +
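Review bot: all 25 TLS_CERT_REQ changes in virnettlscontexttest.c and virnettlssessiontest.c are the same mechanical removal of GNUTLS_KEY_KEY_ENCIPHERMENT from the generated certificates' key usage, so the existing positive tests now exercise the relaxed check only implicitly; there is no case that asserts a certificate carrying a critical keyUsage without keyEncipherment is accepted, which is the behaviour the changelog entry describes. The "Key usage:dig-sig:critical" block in virnettlscontexttest.c would be the natural place for such a case should this be revisited upstream.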
> diff -Nru libvirt-11.3.0/debian/patches/backport/tlscert-Don-t-force-keyEncipherment-for-ECDSA-and-ECDH.patch libvirt-11.3.0/debian/patches/backport/tlscert-Don-t-force-keyEncipherment-for-ECDSA-and-ECDH.patch
> --- libvirt-11.3.0/debian/patches/backport/tlscert-Don-t-force-keyEncipherment-for-ECDSA-and-ECDH.patch 1970-01-01 01:00:00.000000000 +0100
> +++ libvirt-11.3.0/debian/patches/backport/tlscert-Don-t-force-keyEncipherment-for-ECDSA-and-ECDH.patch 2025-09-21 18:29:38.000000000 +0200
> @@ -0,0 +1,73 @@
> +From: Peter Krempa <pkrempa@redhat.com>
> +Date: Tue, 17 Jun 2025 15:01:26 +0200
> +Subject: tlscert: Don't force 'keyEncipherment' for ECDSA and ECDH
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset="utf-8"
> +Content-Transfer-Encoding: 8bit
> +
> +Per RFC8813 [1] which amends RFC5580 [2] ECDSA, ECDH, and ECMQV
> +algorithms must not have 'keyEncipherment' present, but our code did
> +check it. Add exemption for known algorithms which don't use it.
> +
> +[1] https://datatracker.ietf.org/doc/rfc8813/
> +[2] https://datatracker.ietf.org/doc/rfc5480
> +
> +Closes: https://gitlab.com/libvirt/libvirt/-/issues/691
> +Signed-off-by: Peter Krempa <pkrempa@redhat.com>
> +Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
> +Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
> +Reviewed-by: Ján Tomko <jtomko@redhat.com>
> +(cherry picked from commit 11867b0224a2b8dc34755ff0ace446b6842df1c1)
> +
> +Bug-Debian: https://bugs.debian.org/1110816
> +
> +Forwarded: not-needed
> +Origin: https://gitlab.com/libvirt/libvirt/-/commits/11867b0224a2b8dc34755ff0ace446b6842df1c1
> +---
> + src/rpc/virnettlscert.c | 33 +++++++++++++++++++++++++--------
> + 1 file changed, 25 insertions(+), 8 deletions(-)
> +
> +diff --git a/src/rpc/virnettlscert.c b/src/rpc/virnettlscert.c
> +index 1befbe0..f197995 100644
> +--- a/src/rpc/virnettlscert.c
> ++++ b/src/rpc/virnettlscert.c
> +@@ -163,14 +163,31 @@ static int virNetTLSCertCheckKeyUsage(gnutls_x509_crt_t cert,
> + }
> + }
> + if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) {
> +- if (critical) {
> +- virReportError(VIR_ERR_SYSTEM_ERROR,
> +- _("Certificate %1$s usage does not permit key encipherment"),
> +- certFile);
> +- return -1;
> +- } else {
> +- VIR_WARN("Certificate %s usage does not permit key encipherment",
> +- certFile);
> ++ int alg = gnutls_x509_crt_get_pk_algorithm(cert, NULL);
> ++
> ++ /* Per RFC8813 [1] which amends RFC5580 [2] ECDSA, ECDH, and ECMQV
> ++ * algorithms must not have 'keyEncipherment' present.
> ++ *
> ++ * [1] https://datatracker.ietf.org/doc/rfc8813/
> ++ * [2] https://datatracker.ietf.org/doc/rfc5480
> ++ */
> ++
> ++ switch (alg) {
> ++ case GNUTLS_PK_ECDSA:
> ++ case GNUTLS_PK_ECDH_X25519:
> ++ case GNUTLS_PK_ECDH_X448:
> ++ break;
> ++
> ++ default:
> ++ if (critical) {
> ++ virReportError(VIR_ERR_SYSTEM_ERROR,
> ++ _("Certificate %1$s usage does not permit key encipherment"),
> ++ certFile);
> ++ return -1;
> ++ } else {
> ++ VIR_WARN("Certificate %s usage does not permit key encipherment",
> ++ certFile);
> ++ }
> + }
> + }
> + }
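Review bot: the exemption in virNetTLSCertCheckKeyUsage covers only GNUTLS_PK_ECDSA, GNUTLS_PK_ECDH_X25519 and GNUTLS_PK_ECDH_X448, so any other non-RSA key type whose certificate omits keyEncipherment still falls into the `default:` branch and, with a critical keyUsage extension, is rejected with "usage does not permit key encipherment"; the next patch in this upload (tls-Don-t-require-keyEncipherment-to-be-enabled-altoghthe.patch) deletes this block entirely, which is why the two have to ship together. Also, the new comment and the description cite "RFC5580" while the link points at rfc5480, a typo that is moot here since the block is removed again, but worth knowing when reading the intermediate state.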
> diff -Nru libvirt-11.3.0/debian/patches/backport/tls-Don-t-require-keyEncipherment-to-be-enabled-altoghthe.patch libvirt-11.3.0/debian/patches/backport/tls-Don-t-require-keyEncipherment-to-be-enabled-altoghthe.patch
> --- libvirt-11.3.0/debian/patches/backport/tls-Don-t-require-keyEncipherment-to-be-enabled-altoghthe.patch 1970-01-01 01:00:00.000000000 +0100
> +++ libvirt-11.3.0/debian/patches/backport/tls-Don-t-require-keyEncipherment-to-be-enabled-altoghthe.patch 2025-09-21 18:29:38.000000000 +0200
> @@ -0,0 +1,84 @@
> +From: Peter Krempa <pkrempa@redhat.com>
> +Date: Mon, 30 Jun 2025 19:19:42 +0200
> +Subject: tls: Don't require 'keyEncipherment' to be enabled altoghther
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset="utf-8"
> +Content-Transfer-Encoding: 8bit
> +
> +Key encipherment is required only for RSA key exchange algorithm. With
> +TLS 1.3 this is not even used as RSA is used only for authentication.
> +
> +Since we can't really check when it's required ahead of time drop the
> +check completely. GnuTLS will moan if it will not be able to use RSA
> +key exchange.
> +
> +In commit 11867b0224a2 I tried to relax the check for some eliptic
> +curve algorithm that explicitly forbid it. Based on the above the proper
> +solution is to completely remove it.
> +
> +Resolves: https://issues.redhat.com/browse/RHEL-100711
> +Fixes: 11867b0224a2b8dc34755ff0ace446b6842df1c1
> +Signed-off-by: Peter Krempa <pkrempa@redhat.com>
> +Reviewed-by: Ján Tomko <jtomko@redhat.com>
> +(cherry picked from commit 8cecd3249e5fa5478a7c53567971b4d969274ea3)
> +
> +Bug-Debian: https://bugs.debian.org/1110816
> +
> +Forwarded: not-needed
> +Origin: https://gitlab.com/libvirt/libvirt/-/commits/8cecd3249e5fa5478a7c53567971b4d969274ea3
> +---
> + src/rpc/virnettlscert.c | 34 ++++------------------------------
> + 1 file changed, 4 insertions(+), 30 deletions(-)
> +
> +diff --git a/src/rpc/virnettlscert.c b/src/rpc/virnettlscert.c
> +index f197995..6a723c1 100644
> +--- a/src/rpc/virnettlscert.c
> ++++ b/src/rpc/virnettlscert.c
> +@@ -128,8 +128,10 @@ static int virNetTLSCertCheckKeyUsage(gnutls_x509_crt_t cert,
> + VIR_DEBUG("Cert %s key usage status %d usage %d critical %u", certFile, status, usage, critical);
> + if (status < 0) {
> + if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
> +- usage = isCA ? GNUTLS_KEY_KEY_CERT_SIGN :
> +- GNUTLS_KEY_DIGITAL_SIGNATURE|GNUTLS_KEY_KEY_ENCIPHERMENT;
> ++ if (isCA)
> ++ usage = GNUTLS_KEY_KEY_CERT_SIGN;
> ++ else
> ++ usage = GNUTLS_KEY_DIGITAL_SIGNATURE;
> + } else {
> + virReportError(VIR_ERR_SYSTEM_ERROR,
> + _("Unable to query certificate %1$s key usage %2$s"),
> +@@ -162,34 +164,6 @@ static int virNetTLSCertCheckKeyUsage(gnutls_x509_crt_t cert,
> + certFile);
> + }
> + }
> +- if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) {
> +- int alg = gnutls_x509_crt_get_pk_algorithm(cert, NULL);
> +-
> +- /* Per RFC8813 [1] which amends RFC5580 [2] ECDSA, ECDH, and ECMQV
> +- * algorithms must not have 'keyEncipherment' present.
> +- *
> +- * [1] https://datatracker.ietf.org/doc/rfc8813/
> +- * [2] https://datatracker.ietf.org/doc/rfc5480
> +- */
> +-
> +- switch (alg) {
> +- case GNUTLS_PK_ECDSA:
> +- case GNUTLS_PK_ECDH_X25519:
> +- case GNUTLS_PK_ECDH_X448:
> +- break;
> +-
> +- default:
> +- if (critical) {
> +- virReportError(VIR_ERR_SYSTEM_ERROR,
> +- _("Certificate %1$s usage does not permit key encipherment"),
> +- certFile);
> +- return -1;
> +- } else {
> +- VIR_WARN("Certificate %s usage does not permit key encipherment",
> +- certFile);
> +- }
> +- }
> +- }
> + }
> +
> + return 0;
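Review bot: deleting the keyEncipherment block from virNetTLSCertCheckKeyUsage moves the failure for the one case that still needs that usage bit (RSA key exchange, which the description notes TLS 1.3 no longer uses) from certificate load time, where the error named the offending `certFile`, to the GnuTLS handshake ("GnuTLS will moan"); the handshake error will not point at the certificate, so a line in the changelog telling administrators what a post-update handshake failure with an RSA-key-exchange cipher suite means would save debugging time. The checks that remain in the function (the keyCertSign and digitalSignature handling visible in the surrounding context) are untouched, so this narrows rather than disables key-usage validation.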
> diff -Nru libvirt-11.3.0/debian/patches/series libvirt-11.3.0/debian/patches/series
> --- libvirt-11.3.0/debian/patches/series 2025-07-02 22:15:28.000000000 +0200
> +++ libvirt-11.3.0/debian/patches/series 2025-09-21 18:29:38.000000000 +0200
> @@ -1,5 +1,10 @@
> backport/qemuProcessStartWithMemoryState-Don-t-setup-qemu-for-inco.patch
> backport/qemu-Be-more-forgiving-when-acquiring-QUERY-job-when-form.patch
> +backport/tlscert-Don-t-force-keyEncipherment-for-ECDSA-and-ECDH.patch
> +backport/tls-Don-t-require-keyEncipherment-to-be-enabled-altoghthe.patch
> +backport/tests-virnettls-test-Drop-use-of-GNUTLS_KEY_KEY_ENCIPHERM.patch
> +backport/daemon-Drop-log-level-of-VIR_ERR_NO_SUPPORT-to-debug.patch
> +backport/qemu-capabilities-Check-if-cpuModels-is-not-NULL-before-t.patch
> debian/Debianize-libvirt-guests.patch
> debian/apparmor_profiles_local_include.patch
> debian/Use-sensible-editor-by-default.patch
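Review bot: the series order places tlscert-Don-t-force-keyEncipherment-for-ECDSA-and-ECDH.patch before tls-Don-t-require-keyEncipherment-to-be-enabled-altoghthe.patch, and that order is load-bearing: the second patch's `-` lines remove exactly the switch block the first one adds (its header carries "Fixes: 11867b0224a2..."), so dropping the first as redundant or swapping the two would make the second fail to apply. Either keep both in this order or squash them when refreshing; the tests patch depends only on the resulting behaviour and is fine after either.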
--
Sebastian Ramacher