And what about checking the curl version (LIBCURL_VERSION_MAJOR, 
LIBCURL_VERSION_MINOR) instead? That option was introduced in version 7.61, and 
I see that you're using 7.21.
Please verify whether the second version would do its job.

Best regards,
Michał Orzeł

-----Original Message-----
From: Richard W.M. Jones <rjo...@redhat.com> 
Sent: Tuesday, November 8, 2022 5:06 PM
To: Orzel, MichalX <michalx.or...@intel.com>
Cc: libguestfs@redhat.com
Subject: Re: [PATCH] curl: Fix verification of CURLOPT_TLS13_CIPHERS

On Tue, Nov 08, 2022 at 12:56:13PM +0100, Michal Orzel wrote:
> The code checking for CURLOPT_TLS13_CIPHERS option did not work 
> properly, because of incorrect assumption that this symbol was a 
> preprocessor macro. It is in fact element of enum type, which resulted 
> with #ifdef directive working improperly. Change replaces compile-time 
> verification with run-time, based on return value of curl_easy_setopt 
> function.

Understood, but ...

> Signed-off-by: Michal Orzel <michalx.or...@intel.com>
> ---
>  plugins/curl/curl.c | 15 +++++++--------
>  1 file changed, 7 insertions(+), 8 deletions(-)
> 
> diff --git a/plugins/curl/curl.c b/plugins/curl/curl.c index 
> 9a818bfa..42b70f01 100644
> --- a/plugins/curl/curl.c
> +++ b/plugins/curl/curl.c
> @@ -560,14 +560,13 @@ curl_open (int readonly)
>    if (ssl_cipher_list)
>      curl_easy_setopt (h->c, CURLOPT_SSL_CIPHER_LIST, ssl_cipher_list);
>    if (tls13_ciphers) {
> -#ifdef CURLOPT_TLS13_CIPHERS
> -    curl_easy_setopt (h->c, CURLOPT_TLS13_CIPHERS, tls13_ciphers);
> -#else
> -    /* This is not available in, eg, RHEL 7 */
> -    nbdkit_error ("tls13-ciphers is not supported in this build of "
> -                  "nbdkit-curl-plugin");
> -    goto err;
> -#endif
> +    r = curl_easy_setopt (h->c, CURLOPT_TLS13_CIPHERS, 
> + tls13_ciphers);

... this still fails on RHEL 7 as the enum isn't defined:

$ rpm -q curl
curl-7.29.0-59.el7.x86_64

----------------------------------------------------------------------
In file included from /usr/include/curl/curl.h:2251:0,
                 from curl.c:47:
curl.c: In function 'curl_open':
curl.c:563:33: error: 'CURLOPT_TLS13_CIPHERS' undeclared (first use in this function)
     r = curl_easy_setopt (h->c, CURLOPT_TLS13_CIPHERS, tls13_ciphers);
                                 ^
curl.c:563:33: note: each undeclared identifier is reported only once for each function it appears in
----------------------------------------------------------------------

I think you need to check for the enum in configure.ac.  Unfortunately autoconf 
provides no useful facility for this so you have to use AC_COMPILE_IFELSE :-(

Let me know if you get into any difficulties ...

Rich.


> +    if (r != CURLE_OK) {
> +      /* This is not available in, eg, RHEL 7 */
> +      display_curl_error (h, r, "curl_easy_setopt: CURLOPT_TLS13_CIPHERS 
> [%s]",
> +        tls13_ciphers);
> +      goto err;
> +    }
>    }
>    if (tcp_keepalive)
>      curl_easy_setopt (h->c, CURLOPT_TCP_KEEPALIVE, 1L);
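Review bot: The added `r = curl_easy_setopt (h->c, CURLOPT_TLS13_CIPHERS, tls13_ciphers);` line names the enum value unconditionally, so the file cannot compile against curl headers that do not declare it, and the `r != CURLE_OK` branch, whose comment still cites RHEL 7, is never reached on such a build. Keep a compile-time guard around the call, driven by a configure probe or a version test rather than `#ifdef` on the enum name, retain the removed "tls13-ciphers is not supported in this build" error in the `#else` branch, and put the new return-value check inside the guarded branch. The neighbouring `CURLOPT_SSL_CIPHER_LIST` call in the context lines still ignores its return value, so a rejected cipher list would go unreported; it deserves the same check.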
> --
> 2.25.1
> 
> ---------------------------------------------------------------------
> Intel Technology Poland sp. z o.o.
> ul. Slowackiego 173 | 80-298 Gdansk | Sad Rejonowy Gdansk Polnoc | VII 
> Wydzial Gospodarczy Krajowego Rejestru Sadowego - KRS 101882 | NIP 
> 957-07-52-316 | Kapital zakladowy 200.000 PLN.
> Spolka oswiadcza, ze posiada status duzego przedsiebiorcy w rozumieniu ustawy 
> z dnia 8 marca 2013 r. o przeciwdzialaniu nadmiernym opoznieniom w 
> transakcjach handlowych.
> 
> Ta wiadomosc wraz z zalacznikami jest przeznaczona dla okreslonego adresata i 
> moze zawierac informacje poufne. W razie przypadkowego otrzymania tej 
> wiadomosci, prosimy o powiadomienie nadawcy oraz trwale jej usuniecie; 
> jakiekolwiek przegladanie lub rozpowszechnianie jest zabronione.
> This e-mail and any attachments may contain confidential material for the 
> sole use of the intended recipient(s). If you are not the intended recipient, 
> please contact the sender and delete all copies; any review or distribution 
> by others is strictly prohibited.
> 

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines.  Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v

_______________________________________________
Libguestfs mailing list
Libguestfs@redhat.com
https://listman.redhat.com/mailman/listinfo/libguestfs
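
The configure.ac probe suggested in the reply above could look like the following; this is an added example, not part of the thread or of nbdkit's own build files. The macro name `HAVE_CURLOPT_TLS13_CIPHERS` is hypothetical, and `CURL_CFLAGS` is assumed to have been set earlier (for instance by `PKG_CHECK_MODULES([CURL], [libcurl])`).

```m4
dnl Added example: detect the CURLOPT_TLS13_CIPHERS enum value at
dnl configure time.  An enum value is invisible to the preprocessor,
dnl so the only reliable probe is to compile a program that uses it.
dnl
dnl Assumption: CURL_CFLAGS holds the include flags for libcurl.
AC_MSG_CHECKING([whether curl/curl.h declares CURLOPT_TLS13_CIPHERS])
old_CFLAGS="$CFLAGS"
CFLAGS="$CURL_CFLAGS $CFLAGS"
AC_COMPILE_IFELSE([
  AC_LANG_PROGRAM(
    [[#include <curl/curl.h>]],
    [[int opt = (int) CURLOPT_TLS13_CIPHERS; (void) opt;]])
], [
  AC_MSG_RESULT([yes])
  dnl Hypothetical macro name; the C source tests this with #ifdef
  dnl instead of testing the enum name itself.
  AC_DEFINE([HAVE_CURLOPT_TLS13_CIPHERS], [1],
            [Define to 1 if curl/curl.h declares CURLOPT_TLS13_CIPHERS.])
], [
  AC_MSG_RESULT([no])
])
dnl Restore the flags so later checks are not affected.
CFLAGS="$old_CFLAGS"
```

With this in place the C source can guard the `curl_easy_setopt` call with `#ifdef HAVE_CURLOPT_TLS13_CIPHERS`, keep the explicit "not supported in this build" error in the `#else` branch, and still check the call's return value at run time.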
