Skip to content

Commit

Permalink
Fix Proxy problem for DAP2
Browse files Browse the repository at this point in the history 
re: Issue #2752

The authorization setup when using a proxy is apparently not
being used, or used incorrectly.

This PR ensures that the relevant curl options, specifically
CURLOPT_VERIFYHOST and CURLOPT_VERIFYPEER, are properly setup.
As part of this, the ability to turn off these options was fixed.
Note that no testing of this PR is currently possible because we
do not have access to a proxy.
  • Loading branch information
@DennisHeimbigner
DennisHeimbigner committed Oct 8, 2023
1 parent 8b5f1e2 commit 948304a
Show file tree
Hide file tree
Showing 3 changed files with 88 additions and 45 deletions.
65 changes: 43 additions & 22 deletions libdap4/d4curlfunctions.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,11 @@
* See netcdf/COPYRIGHT file for copying and redistribution conditions.
*********************************************************************/

/* WARNING: oc2/occurlfunctions.c and libdap4/d4curlfunctions.c
should be merged since they are essentially the same file.
In the meantime, changes to one should be propagated to the other.
*/

#include "d4includes.h"
#include "d4curlfunctions.h"

Expand Down Expand Up @@ -123,33 +128,43 @@ set_curlflag(NCD4INFO* state, int flag)
}
}
break;
case CURLOPT_USE_SSL:
case CURLOPT_SSLCERT: case CURLOPT_SSLKEY:
case CURLOPT_SSL_VERIFYPEER: case CURLOPT_SSL_VERIFYHOST:
{
struct ssl* ssl = &state->auth->ssl;
case CURLOPT_SSL_VERIFYPEER:
/* VERIFYPEER == 0 => VERIFYHOST == 0 */
/* We need to have 2 states: default and a set value */
/* So -1 => default, >= 0 => use value; */
if(ssl->verifypeer >= 0)
SETCURLOPT(state, CURLOPT_SSL_VERIFYPEER, (OPTARG)(ssl->verifypeer));
/* So -1 => default >= 0 => use value */
if(state->auth->ssl.verifypeer >= 0) {
SETCURLOPT(state, CURLOPT_SSL_VERIFYPEER, (OPTARG)(state->auth->ssl.verifypeer));
if(state->auth->ssl.verifypeer == 0) state->auth->ssl.verifyhost = 0;
}
break;
case CURLOPT_SSL_VERIFYHOST:
#ifdef HAVE_LIBCURL_766
if(ssl->verifyhost >= 0)
SETCURLOPT(state, CURLOPT_SSL_VERIFYHOST, (OPTARG)(ssl->verifyhost));
if(state->auth->ssl.verifyhost >= 0) {
SETCURLOPT(state, CURLOPT_SSL_VERIFYHOST, (OPTARG)(state->auth->ssl.verifyhost));
}
#endif
if(ssl->certificate)
SETCURLOPT(state, CURLOPT_SSLCERT, ssl->certificate);
if(ssl->key)
SETCURLOPT(state, CURLOPT_SSLKEY, ssl->key);
if(ssl->keypasswd)
break;
case CURLOPT_SSLCERT:
if(state->auth->ssl.certificate)
SETCURLOPT(state, CURLOPT_SSLCERT, state->auth->ssl.certificate);
break;
case CURLOPT_SSLKEY:
if(state->auth->ssl.key)
SETCURLOPT(state, CURLOPT_SSLKEY, state->auth->ssl.key);
if(state->auth->ssl.keypasswd)
/* libcurl prior to 7.16.4 used 'CURLOPT_SSLKEYPASSWD' */
SETCURLOPT(state, CURLOPT_KEYPASSWD, ssl->keypasswd);
if(ssl->cainfo)
SETCURLOPT(state, CURLOPT_CAINFO, ssl->cainfo);
if(ssl->capath)
SETCURLOPT(state, CURLOPT_CAPATH, ssl->capath);
}
break;
SETCURLOPT(state, CURLOPT_SSLKEYPASSWD, state->auth->ssl.keypasswd);
break;
case CURLOPT_CAINFO:
if(state->auth->ssl.cainfo)
SETCURLOPT(state, CURLOPT_CAINFO, state->auth->ssl.cainfo);
break;
case CURLOPT_CAPATH:
if(state->auth->ssl.capath)
SETCURLOPT(state, CURLOPT_CAPATH, state->auth->ssl.capath);
break;
case CURLOPT_USE_SSL:
break;

#ifdef HAVE_CURLOPT_BUFFERSIZE
case CURLOPT_BUFFERSIZE:
Expand Down Expand Up @@ -200,6 +215,12 @@ NCD4_set_flags_perlink(NCD4INFO* state)
if(ret == NC_NOERR) ret = set_curlflag(state,CURLOPT_COOKIEJAR);
if(ret == NC_NOERR) ret = set_curlflag(state,CURLOPT_USERPWD);
if(ret == NC_NOERR) ret = set_curlflag(state,CURLOPT_PROXY);
if(ret == NC_NOERR) ret = set_curlflag(state,CURLOPT_SSL_VERIFYPEER);
if(ret == NC_NOERR) ret = set_curlflag(state,CURLOPT_SSL_VERIFYHOST);
if(ret == NC_NOERR) ret = set_curlflag(state,CURLOPT_SSLCERT);
if(ret == NC_NOERR) ret = set_curlflag(state,CURLOPT_SSLKEY);
if(ret == NC_NOERR) ret = set_curlflag(state,CURLOPT_CAINFO);
if(ret == NC_NOERR) ret = set_curlflag(state,CURLOPT_CAPATH);
if(ret == NC_NOERR) ret = set_curlflag(state,CURLOPT_USE_SSL);
if(ret == NC_NOERR) ret = set_curlflag(state, CURLOPT_FOLLOWLOCATION);
if(ret == NC_NOERR) ret = set_curlflag(state, CURLOPT_MAXREDIRS);
Expand Down
4 changes: 4 additions & 0 deletions ncdap_test/tst_remote.sh
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,10 @@
#!/bin/sh

if test "x$srcdir" = x ; then srcdir=`pwd`; fi
. ../test_common.sh

if test "x$SETX" != x ; then set -x ; fi

set -e

quiet=0
Expand Down
64 changes: 41 additions & 23 deletions oc2/occurlfunctions.c
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,11 @@
/* Copyright 2018, UCAR/Unidata and OPeNDAP, Inc.
See the COPYRIGHT file for more information. */

/* WARNING: oc2/occurlfunctions.c and libdap4/d4curlfunctions.c
should be merged since they are essentially the same file.
In the meantime, changes to one should be propagated to the other.
*/

#include "config.h"
#include <stdlib.h>
#ifdef HAVE_STDINT_H
Expand Down Expand Up @@ -127,36 +132,43 @@ ocset_curlflag(OCstate* state, int flag)
}
break;

case CURLOPT_USE_SSL:
case CURLOPT_SSLCERT: case CURLOPT_SSLKEY:
case CURLOPT_SSL_VERIFYPEER: case CURLOPT_SSL_VERIFYHOST:
case CURLOPT_CAINFO: case CURLOPT_CAPATH:
{
struct ssl* ssl = &state->auth->ssl;
case CURLOPT_SSL_VERIFYPEER:
/* VERIFYPEER == 0 => VERIFYHOST == 0 */
/* We need to have 2 states: default and a set value */
/* So -1 => default >= 0 => use value */
if(ssl->verifypeer >= 0) {
SETCURLOPT(state, CURLOPT_SSL_VERIFYPEER, (OPTARG)(ssl->verifypeer));
}
if(state->auth->ssl.verifypeer >= 0) {
SETCURLOPT(state, CURLOPT_SSL_VERIFYPEER, (OPTARG)(state->auth->ssl.verifypeer));
if(state->auth->ssl.verifypeer == 0) state->auth->ssl.verifyhost = 0;
}
break;
case CURLOPT_SSL_VERIFYHOST:
#ifdef HAVE_LIBCURL_766
if(ssl->verifyhost >= 0) {
SETCURLOPT(state, CURLOPT_SSL_VERIFYHOST, (OPTARG)(ssl->verifyhost));
if(state->auth->ssl.verifyhost >= 0) {
SETCURLOPT(state, CURLOPT_SSL_VERIFYHOST, (OPTARG)(state->auth->ssl.verifyhost));
}
#endif
if(ssl->certificate)
SETCURLOPT(state, CURLOPT_SSLCERT, ssl->certificate);
if(ssl->key)
SETCURLOPT(state, CURLOPT_SSLKEY, ssl->key);
if(ssl->keypasswd)
break;
case CURLOPT_SSLCERT:
if(state->auth->ssl.certificate)
SETCURLOPT(state, CURLOPT_SSLCERT, state->auth->ssl.certificate);
break;
case CURLOPT_SSLKEY:
if(state->auth->ssl.key)
SETCURLOPT(state, CURLOPT_SSLKEY, state->auth->ssl.key);
if(state->auth->ssl.keypasswd)
/* libcurl prior to 7.16.4 used 'CURLOPT_SSLKEYPASSWD' */
SETCURLOPT(state, CURLOPT_KEYPASSWD, ssl->keypasswd);
if(ssl->cainfo)
SETCURLOPT(state, CURLOPT_CAINFO, ssl->cainfo);
if(ssl->capath)
SETCURLOPT(state, CURLOPT_CAPATH, ssl->capath);
}
break;
SETCURLOPT(state, CURLOPT_SSLKEYPASSWD, state->auth->ssl.keypasswd);
break;
case CURLOPT_CAINFO:
if(state->auth->ssl.cainfo)
SETCURLOPT(state, CURLOPT_CAINFO, state->auth->ssl.cainfo);
break;
case CURLOPT_CAPATH:
if(state->auth->ssl.capath)
SETCURLOPT(state, CURLOPT_CAPATH, state->auth->ssl.capath);
break;
case CURLOPT_USE_SSL:
break;

#ifdef HAVE_CURLOPT_BUFFERSIZE
case CURLOPT_BUFFERSIZE:
Expand Down Expand Up @@ -210,6 +222,12 @@ ocset_flags_perlink(OCstate* state)
if(stat == OC_NOERR) stat = ocset_curlflag(state,CURLOPT_COOKIEJAR);
if(stat == OC_NOERR) stat = ocset_curlflag(state,CURLOPT_USERPWD);
if(stat == OC_NOERR) stat = ocset_curlflag(state,CURLOPT_PROXY);
if(stat == OC_NOERR) stat = ocset_curlflag(state,CURLOPT_SSL_VERIFYPEER);
if(stat == OC_NOERR) stat = ocset_curlflag(state,CURLOPT_SSL_VERIFYHOST);
if(stat == OC_NOERR) stat = ocset_curlflag(state,CURLOPT_SSLCERT);
if(stat == OC_NOERR) stat = ocset_curlflag(state,CURLOPT_SSLKEY);
if(stat == OC_NOERR) stat = ocset_curlflag(state,CURLOPT_CAINFO);
if(stat == OC_NOERR) stat = ocset_curlflag(state,CURLOPT_CAPATH);
if(stat == OC_NOERR) stat = ocset_curlflag(state,CURLOPT_USE_SSL);
if(stat == OC_NOERR) stat = ocset_curlflag(state, CURLOPT_FOLLOWLOCATION);
if(stat == OC_NOERR) stat = ocset_curlflag(state, CURLOPT_MAXREDIRS);
Expand Down

0 comments on commit 948304a

Please sign in to comment.