Michal Orzel
2022-Nov-10 16:17 UTC
[Libguestfs] [PATCH v2] curl: Fix verification of CURLOPT_TLS13_CIPHERS
The code checking for the CURLOPT_TLS13_CIPHERS option did not work properly, because of an incorrect assumption that this symbol was a preprocessor macro. It is in fact an element of an enum type, which resulted in the #ifdef directive working improperly. The fix changes that check to be based on the curl version instead.
Signed-off-by: Michal Orzel <michalx.orzel at intel.com>
--- plugins/curl/curl.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/plugins/curl/curl.c b/plugins/curl/curl.c index 77f88fff..724ffd43 100644 --- a/plugins/curl/curl.c +++ b/plugins/curl/curl.c 
@@ -560,10 +560,11 @@ curl_open (int readonly) if (ssl_cipher_list) curl_easy_setopt (h->c, CURLOPT_SSL_CIPHER_LIST, ssl_cipher_list); if (tls13_ciphers) { -#ifdef CURLOPT_TLS13_CIPHERS +#if (LIBCURL_VERSION_MAJOR > 7) || \ + (LIBCURL_VERSION_MAJOR == 7 && LIBCURL_VERSION_MINOR >= 61) curl_easy_setopt (h->c, CURLOPT_TLS13_CIPHERS, tls13_ciphers); #else - /* This is not available in, eg, RHEL 7 */ + /* This is not available before curl-7.61 */ nbdkit_error ("tls13-ciphers is not supported in this build of " "nbdkit-curl-plugin"); goto err; -- 2.25.1
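Review bot: in the new #if branch the result of curl_easy_setopt (h->c, CURLOPT_TLS13_CIPHERS, tls13_ciphers); is discarded, so once the version test passes nothing reports a tls13-ciphers setting that libcurl did not accept. The #else branch fails closed with nbdkit_error and goto err; the #if branch should do the same whenever the call does not return CURLE_OK. libcurl documents CURLE_NOT_BUILT_IN for this option when the TLS backend it was built with lacks support, and LIBCURL_VERSION_MAJOR and LIBCURL_VERSION_MINOR describe the headers at compile time, not the library or backend in use at run time. As a smaller style point, the two-line condition could be the single comparison LIBCURL_VERSION_NUM >= 0x073d00, with the comment saying 7.61.0 to match.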
Richard W.M. Jones
2022-Nov-10 17:10 UTC
[Libguestfs] [PATCH v2] curl: Fix verification of CURLOPT_TLS13_CIPHERS
On Thu, Nov 10, 2022 at 05:17:35PM +0100, Michal Orzel wrote:
> The code checking for the CURLOPT_TLS13_CIPHERS option did not work
> properly, because of an incorrect assumption that this symbol was a
> preprocessor macro. It is in fact an element of an enum type, which
> resulted in the #ifdef directive working improperly. The fix changes that
> check to be based on the curl version instead.
>
> Signed-off-by: Michal Orzel <michalx.orzel at intel.com>
> --- > plugins/curl/curl.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/plugins/curl/curl.c b/plugins/curl/curl.c > index 77f88fff..724ffd43 100644 > --- a/plugins/curl/curl.c > +++ b/plugins/curl/curl.c 
> @@ -560,10 +560,11 @@ curl_open (int readonly) > if (ssl_cipher_list) > curl_easy_setopt (h->c, CURLOPT_SSL_CIPHER_LIST, ssl_cipher_list); > if (tls13_ciphers) { > -#ifdef CURLOPT_TLS13_CIPHERS > +#if (LIBCURL_VERSION_MAJOR > 7) || \ > + (LIBCURL_VERSION_MAJOR == 7 && LIBCURL_VERSION_MINOR >= 61) > curl_easy_setopt (h->c, CURLOPT_TLS13_CIPHERS, tls13_ciphers); > #else > - /* This is not available in, eg, RHEL 7 */ > + /* This is not available before curl-7.61 */ > nbdkit_error ("tls13-ciphers is not supported in this build of " > "nbdkit-curl-plugin"); > goto err;

Thanks Michal. I confirmed that this compiles on RHEL 7 and gives an error (as expected):

$ ./nbdkit -U - curl file:///dev/null tls13-ciphers=test --run '../libnbd/run nbdinfo $uri'
nbdkit: curl[1]: error: tls13-ciphers is not supported in this build of nbdkit-curl-plugin
nbdkit: curl[1]: error: tls13-ciphers is not supported in this build of nbdkit-curl-plugin
/home/rjones/d/libnbd/info/.libs/lt-nbdinfo: nbd_opt_go: server replied with error to opt_go request: No such file or directory for the default export
/home/rjones/d/libnbd/info/.libs/lt-nbdinfo: suggestion: to list all exports on the server, use --list
protocol: newstyle-fixed without TLS

And on Fedora it works:

$ ./nbdkit -U - curl file:///dev/null tls13-ciphers=test --run 'nbdinfo $uri'
protocol: newstyle-fixed without TLS, using structured packets
export="":
	export-size: 0
	content: empty
	uri: nbd+unix:///?socket=/tmp/nbdkitZwdPXJ/socket
	contexts:
		base:allocation
	is_rotational: false
	is_read_only: false
	can_cache: false
	can_df: true
	can_fast_zero: true
	can_flush: false
	can_fua: false
	can_multi_conn: false
	can_trim: false
	can_zero: true

I have pushed this as commit 242757dd5c9fbf00a487ab934d67db442fe08661.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
nbdkit - Flexible, fast NBD server with plugins https://gitlab.com/nbdkit/nbdkit