Re: [Libguestfs] [PATCH v2] curl: Fix verification of CURLOPT_TLS13_CIPHERS

Thu, 10 Nov 2022 09:10:24 -0800 

On Thu, Nov 10, 2022 at 05:17:35PM +0100, Michal Orzel wrote:
> The code checking for CURLOPT_TLS13_CIPHERS option did not work
> properly, because of incorrect assumption that this symbol was a
> preprocessor macro. It is in fact element of enum type, which
> resulted with #ifdef directive working improperly. Fix changes that
> check to be based on curl version instead.
> 
> Signed-off-by: Michal Orzel <michalx.or...@intel.com>
> ---
>  plugins/curl/curl.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/plugins/curl/curl.c b/plugins/curl/curl.c
> index 77f88fff..724ffd43 100644
> --- a/plugins/curl/curl.c
> +++ b/plugins/curl/curl.c
> @@ -560,10 +560,11 @@ curl_open (int readonly)
>    if (ssl_cipher_list)
>      curl_easy_setopt (h->c, CURLOPT_SSL_CIPHER_LIST, ssl_cipher_list);
>    if (tls13_ciphers) {
> -#ifdef CURLOPT_TLS13_CIPHERS
> +#if (LIBCURL_VERSION_MAJOR > 7) || \
> +    (LIBCURL_VERSION_MAJOR == 7 && LIBCURL_VERSION_MINOR >= 61)
>      curl_easy_setopt (h->c, CURLOPT_TLS13_CIPHERS, tls13_ciphers);
>  #else
> -    /* This is not available in, eg, RHEL 7 */
> +    /* This is not available before curl-7.61 */
>      nbdkit_error ("tls13-ciphers is not supported in this build of "
>                    "nbdkit-curl-plugin");
>      goto err;

Thanks Michal.  I confirmed that this compiles on RHEL 7 and gives an
error (as expected):

$ ./nbdkit -U - curl file:///dev/null tls13-ciphers=test --run '../libnbd/run 
nbdinfo $uri'
nbdkit: curl[1]: error: tls13-ciphers is not supported in this build of 
nbdkit-curl-plugin
nbdkit: curl[1]: error: tls13-ciphers is not supported in this build of 
nbdkit-curl-plugin
/home/rjones/d/libnbd/info/.libs/lt-nbdinfo: nbd_opt_go: server replied with 
error to opt_go request: No such file or directory for the default export
/home/rjones/d/libnbd/info/.libs/lt-nbdinfo: suggestion: to list all exports on 
the server, use --list
protocol: newstyle-fixed without TLS

And on Fedora it works:

$ ./nbdkit -U - curl file:///dev/null tls13-ciphers=test --run 'nbdinfo $uri'
protocol: newstyle-fixed without TLS, using structured packets
export="":
        export-size: 0
        content: empty
        uri: nbd+unix:///?socket=/tmp/nbdkitZwdPXJ/socket
        contexts:
                base:allocation
                is_rotational: false
                is_read_only: false
                can_cache: false
                can_df: true
                can_fast_zero: true
                can_flush: false
                can_fua: false
                can_multi_conn: false
                can_trim: false
                can_zero: true

I have pushed this as commit 242757dd5c9fbf00a487ab934d67db442fe08661.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
nbdkit - Flexible, fast NBD server with plugins
https://gitlab.com/nbdkit/nbdkit
_______________________________________________
Libguestfs mailing list
Libguestfs@redhat.com
https://listman.redhat.com/mailman/listinfo/libguestfs

Reply via email to