Przemyslaw Czarnowski
2021-Oct-12 14:31 UTC
[Libguestfs] [PATCH 1/3] nbdkit/curl: add support for ssl configuration
From: Przemyslaw Czarnowski <przemyslaw.hawrylewicz.czarnowski at intel.com> Some clients may want to enforce specific TLS/SSL version and ciphers, what is not possible at the moment. To make it possible, curl plugin options are added: - ssl-version, and - ssl-cipher-list. Signed-off-by: Przemyslaw Czarnowski <przemyslaw.hawrylewicz.czarnowski at intel.com> --- plugins/curl/curl.c | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/plugins/curl/curl.c b/plugins/curl/curl.c index 135f70b5..50440bf9 100644 --- a/plugins/curl/curl.c +++ b/plugins/curl/curl.c @@ -83,6 +83,8 @@ const char *proxy = NULL; char *proxy_password = NULL; const char *proxy_user = NULL; bool sslverify = true; +const char *ssl_version = NULL; +const char *ssl_cipher_list = NULL; bool tcp_keepalive = false; bool tcp_nodelay = true; uint32_t timeout = 0; @@ -301,6 +303,12 @@ curl_config (const char *key, const char *value) sslverify = r; } + else if (strcmp (key, "ssl-version") == 0) + ssl_version = value; + + else if (strcmp (key, "ssl-cipher-list") == 0) + ssl_cipher_list = value; + else if (strcmp (key, "tcp-keepalive") == 0) { r = nbdkit_parse_bool (value); if (r == -1) @@ -403,6 +411,8 @@ curl_config_complete (void) "proxy-user=<USER> The proxy user.\n" \ "timeout=<TIMEOUT> Set the timeout for requests (seconds).\n" \ "sslverify=false Do not verify SSL certificate of remote host.\n" \ + "ssl-version=<VERSION> Specify preferred TLS/SSL version.\n " \ + "ssl-cipher-list=C1:C2:.. Specify TLS/SSL cipher suites to be used.\n" \ "tcp-keepalive=true Enable TCP keepalives.\n" \ "tcp-nodelay=false Disable Nagle?s algorithm.\n" \ "unix-socket-path=<PATH> Open Unix domain socket instead of TCP/IP.\n" \ 
@@ -516,6 +526,30 @@ curl_open (int readonly) curl_easy_setopt (h->c, CURLOPT_SSL_VERIFYPEER, 0L); curl_easy_setopt (h->c, CURLOPT_SSL_VERIFYHOST, 0L); } + if (ssl_version) { + if (strcmp (ssl_version, "tlsv1") == 0) + curl_easy_setopt (h->c, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1); + else if (strcmp (ssl_version, "sslv2") == 0) + curl_easy_setopt (h->c, CURLOPT_SSLVERSION, CURL_SSLVERSION_SSLv2); + else if (strcmp (ssl_version, "sslv3") == 0) + curl_easy_setopt (h->c, CURLOPT_SSLVERSION, CURL_SSLVERSION_SSLv3); + else if (strcmp (ssl_version, "tlsv1.0") == 0) + curl_easy_setopt (h->c, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_0); + else if (strcmp (ssl_version, "tlsv1.1") == 0) + curl_easy_setopt (h->c, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_1); + else if (strcmp (ssl_version, "tlsv1.2") == 0) + curl_easy_setopt (h->c, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2); + else if (strcmp (ssl_version, "tlsv1.3") == 0) + curl_easy_setopt (h->c, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_3); + else { + display_curl_error (h, r, "curl_easy_setopt: CURLOPT_SSLVERSION [%s]", + ssl_version); + goto err; + } + + } + if (ssl_cipher_list) + curl_easy_setopt (h->c, CURLOPT_SSL_CIPHER_LIST, ssl_cipher_list); if (tcp_keepalive) curl_easy_setopt (h->c, CURLOPT_TCP_KEEPALIVE, 1L); if (!tcp_nodelay) -- 2.26.2
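Review bot: in the `curl_config` hunk the new `ssl-version` value is stored without validation (`ssl_version = value;`), so a misspelled name is only rejected in `curl_open`, i.e. when the first client connects, rather than when nbdkit starts. Do the string-to-`CURL_SSLVERSION_*` mapping in `curl_config` (store a `long`), call `nbdkit_error` and `return -1` on an unknown name, and let `curl_open` pass the stored constant. `plugins/curl/nbdkit-curl-plugin.pod` also gets no `=item` for either new option here, although patch 3/3 does touch that file; the accepted names for `ssl-version` have to be listed somewhere a user will find them.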
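Review bot: the help line `"ssl-version=<VERSION> Specify preferred TLS/SSL version.\n " \` in the `curl_config_complete` hunk has a stray space after `\n`, which indents the following `ssl-cipher-list=` line by one column in the `--help` output; it should end `.\n"`. "Preferred" is also misleading: in current libcurl `CURLOPT_SSLVERSION` selects the minimum acceptable protocol version (`CURL_SSLVERSION_TLSv1_2` means TLS 1.2 or later), so "Set the minimum TLS/SSL version" describes what the option does and does not suggest it pins a single version.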
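Review bot: in the `curl_open` hunk the `else` branch calls `display_curl_error (h, r, "curl_easy_setopt: CURLOPT_SSLVERSION [%s]", ssl_version);` but `r` has not been assigned by any call on this path, so the message would append the text of whatever value `r` happens to hold; an unknown version name is a configuration error, so report it with `nbdkit_error` directly. More importantly, none of the `curl_easy_setopt (h->c, CURLOPT_SSLVERSION, ...)` calls (nor the `CURLOPT_SSL_CIPHER_LIST` one) check their return value: libcurl returns an error rather than `CURLE_OK` when the TLS backend cannot honour the requested version or cipher string, and current libcurl refuses to set SSLv2/SSLv3 at all, so the requested minimum would be silently dropped and the connection would proceed with the backend defaults, which is exactly the outcome an operator setting this option is trying to rule out. Assign `r = curl_easy_setopt (...)`, and on failure `display_curl_error` and `goto err`. Two smaller points: the `sslv2`/`sslv3` cases add nothing useful and should be dropped, and `CURL_SSLVERSION_TLSv1_3` only exists from libcurl 7.52.0, so it needs a `LIBCURL_VERSION_NUM` guard or a configure check to keep the plugin building against older libcurl.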
Przemyslaw Czarnowski
2021-Oct-12 14:31 UTC
[Libguestfs] [PATCH 2/3] nbdkit/curl: added support for tls13 ciphers
From: Przemyslaw Czarnowski <przemyslaw.hawrylewicz.czarnowski at intel.com> Added tls13-ciphers parameter which translates to CURLOPT_TLS13_CIPHERS. Signed-off-by: Karol Niczyj <karol.niczyj at intel.com> Signed-off-by: Przemyslaw Czarnowski <przemyslaw.hawrylewicz.czarnowski at intel.com> --- plugins/curl/curl.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/plugins/curl/curl.c b/plugins/curl/curl.c index 50440bf9..2e823b3f 100644 --- a/plugins/curl/curl.c +++ b/plugins/curl/curl.c @@ -85,6 +85,7 @@ const char *proxy_user = NULL; bool sslverify = true; const char *ssl_version = NULL; const char *ssl_cipher_list = NULL; +const char *tls13_ciphers = NULL; bool tcp_keepalive = false; bool tcp_nodelay = true; uint32_t timeout = 0; @@ -309,6 +310,9 @@ curl_config (const char *key, const char *value) else if (strcmp (key, "ssl-cipher-list") == 0) ssl_cipher_list = value; + else if (strcmp (key, "tls13-ciphers") == 0) + tls13_ciphers = value; + else if (strcmp (key, "tcp-keepalive") == 0) { r = nbdkit_parse_bool (value); if (r == -1) @@ -413,6 +417,7 @@ curl_config_complete (void) "sslverify=false Do not verify SSL certificate of remote host.\n" \ "ssl-version=<VERSION> Specify preferred TLS/SSL version.\n " \ "ssl-cipher-list=C1:C2:.. Specify TLS/SSL cipher suites to be used.\n" \ + "tls13-ciphers=C1:C2:.. Specify TLS 1.3 cipher suites to be used.\n" \ "tcp-keepalive=true Enable TCP keepalives.\n" \ "tcp-nodelay=false Disable Nagle?s algorithm.\n" \ "unix-socket-path=<PATH> Open Unix domain socket instead of TCP/IP.\n" \ @@ -550,6 +555,8 @@ curl_open (int readonly) } if (ssl_cipher_list) curl_easy_setopt (h->c, CURLOPT_SSL_CIPHER_LIST, ssl_cipher_list); + if (tls13_ciphers) + curl_easy_setopt (h->c, CURLOPT_TLS13_CIPHERS, tls13_ciphers); if (tcp_keepalive) curl_easy_setopt (h->c, CURLOPT_TCP_KEEPALIVE, 1L); if (!tcp_nodelay) -- 2.26.2
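Review bot: in the `curl_open` hunk the new `curl_easy_setopt (h->c, CURLOPT_TLS13_CIPHERS, tls13_ciphers);` ignores its return value. `CURLOPT_TLS13_CIPHERS` exists from libcurl 7.61.0 and is only honoured by some TLS backends; where it is not supported libcurl returns `CURLE_NOT_BUILT_IN` and the list is simply ignored, so an operator who set `tls13-ciphers=` to narrow the TLS 1.3 suites gets the backend defaults with no indication. Capture the result in `r`, report it with `display_curl_error` and `goto err`, and wrap the code in a `LIBCURL_VERSION_NUM` guard (or a configure check) so the plugin still builds against older libcurl.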
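Review bot: the `curl_config_complete` hunk adds `"tls13-ciphers=C1:C2:..  Specify TLS 1.3 cipher suites to be used.\n"` to the `--help` text but `plugins/curl/nbdkit-curl-plugin.pod` is not updated, so the man page will not mention the option. The pod entry should also state that the cipher names for this option follow the TLS 1.3 syntax of the TLS backend and are separate from the `ssl-cipher-list` string, since a user who puts TLS 1.3 suites in `ssl-cipher-list` (or vice versa) will get a silently ineffective configuration.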
Przemyslaw Czarnowski
2021-Oct-12 14:31 UTC
[Libguestfs] [PATCH 3/3] nbdkit/curl: handle zero-length CAInfo string in nbdkit curl plugin.
From: Przemyslaw Czarnowski <przemyslaw.hawrylewicz.czarnowski at intel.com> Recent change in libcurl causes the certificate store file option (CAINFO) to be set to a specific value during the compilation. To mitigate this behavior, zero-length string is passed as option cainfo to nbdkit curl plugin, which sets the CAINFO option to null. Signed-off-by: Wiktor Golgowski <wiktor.golgowski at intel.com> Signed-off-by: Przemyslaw Czarnowski <przemyslaw.hawrylewicz.czarnowski at intel.com> --- plugins/curl/curl.c | 8 ++++++-- plugins/curl/nbdkit-curl-plugin.pod | 3 +++ 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/plugins/curl/curl.c b/plugins/curl/curl.c index 2e823b3f..a1b0afba 100644 --- a/plugins/curl/curl.c +++ b/plugins/curl/curl.c @@ -503,8 +503,12 @@ curl_open (int readonly) curl_easy_setopt (h->c, CURLOPT_FAILONERROR, 1L); /* Options. */ - if (cainfo) - curl_easy_setopt (h->c, CURLOPT_CAINFO, cainfo); + if (cainfo) { + if (strlen (cainfo) == 0) + curl_easy_setopt (h->c, CURLOPT_CAINFO, NULL); + else + curl_easy_setopt (h->c, CURLOPT_CAINFO, cainfo); + } if (capath) curl_easy_setopt (h->c, CURLOPT_CAPATH, capath); if (cookie) diff --git a/plugins/curl/nbdkit-curl-plugin.pod b/plugins/curl/nbdkit-curl-plugin.pod index 3842421e..44e050df 100644 --- a/plugins/curl/nbdkit-curl-plugin.pod +++ b/plugins/curl/nbdkit-curl-plugin.pod @@ -42,6 +42,9 @@ ports and protocols used to serve NBD see L<nbdkit(1)>). Configure CA bundle for libcurl. See L<CURLOPT_CAINFO(3)> for details. +Pass empty string in order to not use the default certificate store +that libcurl is compiled with. + =item B<capath=>PATH (nbdkit E<ge> 1.18) -- 2.26.2
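Review bot: in the `curl_open` hunk, `if (strlen (cainfo) == 0) curl_easy_setopt (h->c, CURLOPT_CAINFO, NULL);` undoes the CA bundle libcurl was built with, but neither the hunk nor the commit message says what peer verification then uses. With `CURLOPT_CAINFO` cleared and no `capath=` given, `sslverify=true` (the default) has no file-based trust anchors and the behaviour depends on the TLS backend, typically a verification failure. Failing closed is the right outcome, but it should be stated, and since `cainfo=` without `capath=` and with `sslverify=true` is almost certainly a misconfiguration, `curl_config_complete` could flag that combination with `nbdkit_error` (or at least a warning). Minor: `cainfo[0] == '\0'` says the same as `strlen (cainfo) == 0` without scanning the string.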
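Review bot: the pod hunk's `Pass empty string in order to not use the default certificate store that libcurl is compiled with.` does not show the reader how to do it or what the consequence is. Suggest: "Pass an empty string (C<cainfo=>) to disable the CA bundle that libcurl was built with (its C<--with-ca-bundle> default). Use this together with C<capath=> or the remote certificate cannot be verified and the connection will fail." That documents both the syntax and the verification behaviour the change introduces.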