Michal Orzel
2022-Nov-08 11:56 UTC
[Libguestfs] [PATCH] curl: Fix verification of CURLOPT_TLS13_CIPHERS
The code checking for CURLOPT_TLS13_CIPHERS option did not work properly, because of incorrect assumption that this symbol was a preprocessor macro. It is in fact element of enum type, which resulted with #ifdef directive working improperly. Change replaces compile-time verification with run-time, based on return value of curl_easy_setopt function. Signed-off-by: Michal Orzel <michalx.orzel at intel.com> --- plugins/curl/curl.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/plugins/curl/curl.c b/plugins/curl/curl.c index 9a818bfa..42b70f01 100644 --- a/plugins/curl/curl.c +++ b/plugins/curl/curl.c 
@@ -560,14 +560,13 @@ curl_open (int readonly) if (ssl_cipher_list) curl_easy_setopt (h->c, CURLOPT_SSL_CIPHER_LIST, ssl_cipher_list); if (tls13_ciphers) { -#ifdef CURLOPT_TLS13_CIPHERS - curl_easy_setopt (h->c, CURLOPT_TLS13_CIPHERS, tls13_ciphers); -#else - /* This is not available in, eg, RHEL 7 */ - nbdkit_error ("tls13-ciphers is not supported in this build of " - "nbdkit-curl-plugin"); - goto err; -#endif + r = curl_easy_setopt (h->c, CURLOPT_TLS13_CIPHERS, tls13_ciphers); + if (r != CURLE_OK) { + /* This is not available in, eg, RHEL 7 */ + display_curl_error (h, r, "curl_easy_setopt: CURLOPT_TLS13_CIPHERS [%s]", + tls13_ciphers); + goto err; + } } if (tcp_keepalive) curl_easy_setopt (h->c, CURLOPT_TCP_KEEPALIVE, 1L); -- 2.25.1
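Review bot: In the added `r = curl_easy_setopt (h->c, CURLOPT_TLS13_CIPHERS, tls13_ciphers);` line, CURLOPT_TLS13_CIPHERS is now referenced unconditionally, so the file stops compiling against libcurl headers that do not declare this enumerator, which is the case the retained comment "This is not available in, eg, RHEL 7" points at; a run-time return-value check cannot help when the identifier is undeclared. Keep a compile-time guard, but key it on a macro defined by a configure-time compile test rather than on the enum name itself, and keep the new `r != CURLE_OK` check inside that guard so that a cipher restriction which cannot be applied still aborts curl_open instead of letting the connection proceed with default ciphers. Two smaller points: the hunk does not show a declaration of `r`, so confirm that one of type CURLcode is in scope in curl_open, and the context line that sets CURLOPT_SSL_CIPHER_LIST still ignores its return value, which deserves the same fail-closed treatment.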
Richard W.M. Jones
2022-Nov-08 16:05 UTC
[Libguestfs] [PATCH] curl: Fix verification of CURLOPT_TLS13_CIPHERS
On Tue, Nov 08, 2022 at 12:56:13PM +0100, Michal Orzel wrote:> The code checking for CURLOPT_TLS13_CIPHERS option did not work > properly, because of incorrect assumption that this symbol was a > preprocessor macro. It is in fact element of enum type, which > resulted with #ifdef directive working improperly. Change replaces > compile-time verification with run-time, based on return value of > curl_easy_setopt function.Understood, but ...> Signed-off-by: Michal Orzel <michalx.orzel at intel.com> > --- > plugins/curl/curl.c | 15 +++++++-------- > 1 file changed, 7 insertions(+), 8 deletions(-) > > diff --git a/plugins/curl/curl.c b/plugins/curl/curl.c > index 9a818bfa..42b70f01 100644 > --- a/plugins/curl/curl.c > +++ b/plugins/curl/curl.c 
> @@ -560,14 +560,13 @@ curl_open (int readonly) > if (ssl_cipher_list) > curl_easy_setopt (h->c, CURLOPT_SSL_CIPHER_LIST, ssl_cipher_list); > if (tls13_ciphers) { > -#ifdef CURLOPT_TLS13_CIPHERS > - curl_easy_setopt (h->c, CURLOPT_TLS13_CIPHERS, tls13_ciphers); > -#else > - /* This is not available in, eg, RHEL 7 */ > - nbdkit_error ("tls13-ciphers is not supported in this build of " > - "nbdkit-curl-plugin"); > - goto err; > -#endif > + r = curl_easy_setopt (h->c, CURLOPT_TLS13_CIPHERS, tls13_ciphers);... this still fails on RHEL 7 as the enum isn't defined: $ rpm -q curl curl-7.29.0-59.el7.x86_64 ---------------------------------------------------------------------- In file included from /usr/include/curl/curl.h:2251:0, from curl.c:47: curl.c: In function 'curl_open': curl.c:563:33: error: 'CURLOPT_TLS13_CIPHERS' undeclared (first use in this function) r = curl_easy_setopt (h->c, CURLOPT_TLS13_CIPHERS, tls13_ciphers); ^ curl.c:563:33: note: each undeclared identifier is reported only once for each function it appears in ---------------------------------------------------------------------- I think you need to check for the enum in configure.ac. Unfortunately autoconf provides no useful facility for this so you have to use AC_COMPILE_IFELSE :-( Let me know if you get into any difficulties ... Rich.> + if (r != CURLE_OK) { > + /* This is not available in, eg, RHEL 7 */ > + display_curl_error (h, r, "curl_easy_setopt: CURLOPT_TLS13_CIPHERS [%s]", > + tls13_ciphers); > + goto err; > + } > } > if (tcp_keepalive) > curl_easy_setopt (h->c, CURLOPT_TCP_KEEPALIVE, 1L); > -- > 2.25.1
-- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com virt-p2v converts physical machines to virtual machines. Boot with a live CD or over the network (PXE) and turn machines into KVM guests. http://libguestfs.org/virt-v2v
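The configure-time check suggested in the reply above, sketched as an added example; it is not part of the original thread and not nbdkit's own configure.ac. The macro name HAVE_CURLOPT_TLS13_CIPHERS and the CURL_CFLAGS variable (as an earlier pkg-config probe for libcurl would set it) are assumptions.

```m4
dnl Added example (not from the thread): CURLOPT_TLS13_CIPHERS is an
dnl enumerator, not a preprocessor macro, so "#ifdef CURLOPT_TLS13_CIPHERS"
dnl is always false.  Probe for it by compiling a test program and
dnl define a real macro that the C code can test instead.

dnl Assumption: CURL_CFLAGS holds the include flags for libcurl,
dnl for instance from PKG_CHECK_MODULES([CURL], [libcurl]).
old_CPPFLAGS="$CPPFLAGS"
CPPFLAGS="$CURL_CFLAGS $CPPFLAGS"

AC_MSG_CHECKING([whether libcurl declares CURLOPT_TLS13_CIPHERS])
AC_COMPILE_IFELSE(
  [AC_LANG_PROGRAM(
     [[#include <curl/curl.h>]],
     [[CURLoption opt = CURLOPT_TLS13_CIPHERS;
       (void) opt;]])],
  [AC_MSG_RESULT([yes])
   dnl Hypothetical macro name, chosen for this example.
   AC_DEFINE([HAVE_CURLOPT_TLS13_CIPHERS], [1],
             [Define to 1 if libcurl declares CURLOPT_TLS13_CIPHERS.])],
  [AC_MSG_RESULT([no])])

dnl Restore the flags so later checks are not affected.
CPPFLAGS="$old_CPPFLAGS"
```

With this in place, curl.c would guard the call with `#ifdef HAVE_CURLOPT_TLS13_CIPHERS` and still check the value returned by curl_easy_setopt, so a requested TLS 1.3 cipher restriction is either applied or curl_open fails.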