On Mon, Mar 04, 2013 at 12:34:33PM -0500, Eric Blake wrote: > > When given a CA cert with basic constraints to set non-critical, > > and key usage of 'key signing', this should be rejected. Version > > of GNUTLS < 3 do not rejecte it though, so we never noticed the > > test case was broken > > > > Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx> > > --- > > > + /* Technically a CA cert with basic constraints > > + * key purpose == key signing + non-critical should > > + * be rejected. GNUTLS < 3 does not reject it and > > + * we don't anticipate them changing this behaviour > > + */ > > +# if GNUTLS_VERSION_MAJOR >= 3 > > + DO_CTX_TEST(true, cacert5req, servercertreq, true); > > +# else > > + DO_CTX_TEST(true, cacert5req, servercertreq, false); > > +# endif > > To avoid the #if, you could write this as: > > DO_CTX_TEST(true, cacert5req, servercertreq, > GNUTLS_VERSION_MAJOR >= 3); > > ACK with that tweak. Ok pushed with that change & tested both gnutls 2.x and 3.x Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :| -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list