From 948304a79f099508823dce55761adceb3fce1de9 Mon Sep 17 00:00:00 2001
From: Dennis Heimbigner
Date: Sun, 8 Oct 2023 14:38:07 -0600
Subject: [PATCH] Fix Proxy problem for DAP2
re: Issue https://github.com/Unidata/netcdf-c/issues/2752 The authorization setup when using a proxy is apparently not being used, or used incorrectly. This PR ensures that the relevant curl options, specifically CURLOPT_VERIFYHOST and CURLOPT_VERIFYPEER, are properly setup. As part of this, the ability to turn off these options was fixed. Note that no testing of this PR is currently possible because we do not have access to a proxy.
---
 libdap4/d4curlfunctions.c | 65 ++++++++++++++++++++++++++-------------
 ncdap_test/tst_remote.sh | 4 +++
 oc2/occurlfunctions.c | 64 ++++++++++++++++++++++++--------------
 3 files changed, 88 insertions(+), 45 deletions(-)
diff --git a/libdap4/d4curlfunctions.c b/libdap4/d4curlfunctions.c
index eb1fe9fc6d..ee06e4cacd 100644
--- a/libdap4/d4curlfunctions.c
+++ b/libdap4/d4curlfunctions.c
@@ -3,6 +3,11 @@
 * See netcdf/COPYRIGHT file for copying and redistribution conditions.
 *********************************************************************/
+/* WARNING: oc2/occurlfunctions.c and libdap4/d4curlfunctions.c
+should be merged since they are essentially the same file.
+In the meantime, changes to one should be propagated to the other.
+*/
+
 #include "d4includes.h"
 #include "d4curlfunctions.h"
@@ -123,33 +128,43 @@ set_curlflag(NCD4INFO* state, int flag)
 }
 }
 break;
- case CURLOPT_USE_SSL:
- case CURLOPT_SSLCERT: case CURLOPT_SSLKEY:
- case CURLOPT_SSL_VERIFYPEER: case CURLOPT_SSL_VERIFYHOST:
- {
- struct ssl* ssl = &state->auth->ssl;
+ case CURLOPT_SSL_VERIFYPEER: /* VERIFYPEER == 0 => VERIFYHOST == 0 */
 /* We need to have 2 states: default and a set value */
- /* So -1 => default, >= 0 => use value; */
- if(ssl->verifypeer >= 0)
- SETCURLOPT(state, CURLOPT_SSL_VERIFYPEER, (OPTARG)(ssl->verifypeer));
+ /* So -1 => default >= 0 => use value */
+ if(state->auth->ssl.verifypeer >= 0) {
+ SETCURLOPT(state, CURLOPT_SSL_VERIFYPEER, (OPTARG)(state->auth->ssl.verifypeer));
+ if(state->auth->ssl.verifypeer == 0) state->auth->ssl.verifyhost = 0;
+ }
+ break;
+ case CURLOPT_SSL_VERIFYHOST:
 #ifdef HAVE_LIBCURL_766
- if(ssl->verifyhost >= 0)
- SETCURLOPT(state, CURLOPT_SSL_VERIFYHOST, (OPTARG)(ssl->verifyhost));
+ if(state->auth->ssl.verifyhost >= 0) {
+ SETCURLOPT(state, CURLOPT_SSL_VERIFYHOST, (OPTARG)(state->auth->ssl.verifyhost));
+ }
 #endif
- if(ssl->certificate)
- SETCURLOPT(state, CURLOPT_SSLCERT, ssl->certificate);
- if(ssl->key)
- SETCURLOPT(state, CURLOPT_SSLKEY, ssl->key);
- if(ssl->keypasswd)
+ break;
+ case CURLOPT_SSLCERT:
+ if(state->auth->ssl.certificate)
+ SETCURLOPT(state, CURLOPT_SSLCERT, state->auth->ssl.certificate);
+ break;
+ case CURLOPT_SSLKEY:
+ if(state->auth->ssl.key)
+ SETCURLOPT(state, CURLOPT_SSLKEY, state->auth->ssl.key);
+ if(state->auth->ssl.keypasswd)
 /* libcurl prior to 7.16.4 used 'CURLOPT_SSLKEYPASSWD' */
- SETCURLOPT(state, CURLOPT_KEYPASSWD, ssl->keypasswd);
- if(ssl->cainfo)
- SETCURLOPT(state, CURLOPT_CAINFO, ssl->cainfo);
- if(ssl->capath)
- SETCURLOPT(state, CURLOPT_CAPATH, ssl->capath);
- }
- break;
+ SETCURLOPT(state, CURLOPT_SSLKEYPASSWD, state->auth->ssl.keypasswd);
+ break;
+ case CURLOPT_CAINFO:
+ if(state->auth->ssl.cainfo)
+ SETCURLOPT(state, CURLOPT_CAINFO, state->auth->ssl.cainfo);
+ break;
+ case CURLOPT_CAPATH:
+ if(state->auth->ssl.capath)
+ SETCURLOPT(state, CURLOPT_CAPATH, state->auth->ssl.capath);
+ break;
+ case CURLOPT_USE_SSL:
+ break;
 #ifdef HAVE_CURLOPT_BUFFERSIZE
 case CURLOPT_BUFFERSIZE:
@@ -200,6 +215,12 @@ NCD4_set_flags_perlink(NCD4INFO* state)
 if(ret == NC_NOERR) ret = set_curlflag(state,CURLOPT_COOKIEJAR);
 if(ret == NC_NOERR) ret = set_curlflag(state,CURLOPT_USERPWD);
 if(ret == NC_NOERR) ret = set_curlflag(state,CURLOPT_PROXY);
+ if(ret == NC_NOERR) ret = set_curlflag(state,CURLOPT_SSL_VERIFYPEER);
+ if(ret == NC_NOERR) ret = set_curlflag(state,CURLOPT_SSL_VERIFYHOST);
+ if(ret == NC_NOERR) ret = set_curlflag(state,CURLOPT_SSLCERT);
+ if(ret == NC_NOERR) ret = set_curlflag(state,CURLOPT_SSLKEY);
+ if(ret == NC_NOERR) ret = set_curlflag(state,CURLOPT_CAINFO);
+ if(ret == NC_NOERR) ret = set_curlflag(state,CURLOPT_CAPATH);
 if(ret == NC_NOERR) ret = set_curlflag(state,CURLOPT_USE_SSL);
 if(ret == NC_NOERR) ret = set_curlflag(state, CURLOPT_FOLLOWLOCATION);
 if(ret == NC_NOERR) ret = set_curlflag(state, CURLOPT_MAXREDIRS);
diff --git a/ncdap_test/tst_remote.sh b/ncdap_test/tst_remote.sh
index d7cc2a636f..2a4dedf72c 100755
--- a/ncdap_test/tst_remote.sh
+++ b/ncdap_test/tst_remote.sh
@@ -1,6 +1,10 @@
 #!/bin/sh
+if test "x$srcdir" = x ; then srcdir=`pwd`; fi
+. ../test_common.sh
+
 if test "x$SETX" != x ; then set -x ; fi
+
 set -e
 quiet=0
diff --git a/oc2/occurlfunctions.c b/oc2/occurlfunctions.c
index 06b3fd352e..275d42eb4d 100644
--- a/oc2/occurlfunctions.c
+++ b/oc2/occurlfunctions.c
@@ -1,6 +1,11 @@
 /* Copyright 2018, UCAR/Unidata and OPeNDAP, Inc. See the COPYRIGHT file for more information. */
+/* WARNING: oc2/occurlfunctions.c and libdap4/d4curlfunctions.c
+should be merged since they are essentially the same file.
+In the meantime, changes to one should be propagated to the other.
+*/
+
 #include "config.h"
 #include
 #ifdef HAVE_STDINT_H
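Review bot: The new `CURLOPT_SSLKEY` case passes the key password with `CURLOPT_SSLKEYPASSWD`, while the context comment kept directly above it says that name is the one libcurl used before 7.16.4; the removed line used `CURLOPT_KEYPASSWD`, which is the current name, and in recent curl.h `CURLOPT_SSLKEYPASSWD` survives only as a compatibility alias as far as I can tell, so this compiles but moves toward a deprecated identifier that contradicts its own comment. If the substitution is deliberate, the comment should say why; otherwise restore `SETCURLOPT(state, CURLOPT_KEYPASSWD, state->auth->ssl.keypasswd);`. Separately, the new `CURLOPT_SSL_VERIFYPEER` case writes `state->auth->ssl.verifyhost = 0` into the stored configuration rather than only onto the curl handle, so the value later applied for `CURLOPT_SSL_VERIFYHOST` depends on the order in which the caller dispatches the two flags; a comment on that assignment, `/* persists: VERIFYHOST must be dispatched after this case */`, would at least make the dependency visible. set_curlflag begins and ends outside this hunk.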
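Review bot: The six added `set_curlflag` calls carry an ordering requirement that nothing in this function records: the `CURLOPT_SSL_VERIFYPEER` handler clears `state->auth->ssl.verifyhost` when peer verification is disabled, so the `CURLOPT_SSL_VERIFYHOST` call on the next line only sees that value because it runs second. Given the commit's own note that the two curl files are meant to be merged, a reordering during that merge would silently drop the coupling the commit is introducing; a one-line comment above the pair, `/* VERIFYPEER first: disabling it also forces ssl.verifyhost to 0 before VERIFYHOST is applied */`, would guard against that. NCD4_set_flags_perlink starts outside this hunk.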
@@ -127,36 +132,43 @@ ocset_curlflag(OCstate* state, int flag)
 }
 break;
- case CURLOPT_USE_SSL:
- case CURLOPT_SSLCERT: case CURLOPT_SSLKEY:
- case CURLOPT_SSL_VERIFYPEER: case CURLOPT_SSL_VERIFYHOST:
- case CURLOPT_CAINFO: case CURLOPT_CAPATH:
- {
- struct ssl* ssl = &state->auth->ssl;
+ case CURLOPT_SSL_VERIFYPEER: /* VERIFYPEER == 0 => VERIFYHOST == 0 */
 /* We need to have 2 states: default and a set value */
 /* So -1 => default >= 0 => use value */
- if(ssl->verifypeer >= 0) {
- SETCURLOPT(state, CURLOPT_SSL_VERIFYPEER, (OPTARG)(ssl->verifypeer));
- }
+ if(state->auth->ssl.verifypeer >= 0) {
+ SETCURLOPT(state, CURLOPT_SSL_VERIFYPEER, (OPTARG)(state->auth->ssl.verifypeer));
+ if(state->auth->ssl.verifypeer == 0) state->auth->ssl.verifyhost = 0;
+ }
+ break;
+ case CURLOPT_SSL_VERIFYHOST:
 #ifdef HAVE_LIBCURL_766
- if(ssl->verifyhost >= 0) {
- SETCURLOPT(state, CURLOPT_SSL_VERIFYHOST, (OPTARG)(ssl->verifyhost));
+ if(state->auth->ssl.verifyhost >= 0) {
+ SETCURLOPT(state, CURLOPT_SSL_VERIFYHOST, (OPTARG)(state->auth->ssl.verifyhost));
 }
 #endif
- if(ssl->certificate)
- SETCURLOPT(state, CURLOPT_SSLCERT, ssl->certificate);
- if(ssl->key)
- SETCURLOPT(state, CURLOPT_SSLKEY, ssl->key);
- if(ssl->keypasswd)
+ break;
+ case CURLOPT_SSLCERT:
+ if(state->auth->ssl.certificate)
+ SETCURLOPT(state, CURLOPT_SSLCERT, state->auth->ssl.certificate);
+ break;
+ case CURLOPT_SSLKEY:
+ if(state->auth->ssl.key)
+ SETCURLOPT(state, CURLOPT_SSLKEY, state->auth->ssl.key);
+ if(state->auth->ssl.keypasswd)
 /* libcurl prior to 7.16.4 used 'CURLOPT_SSLKEYPASSWD' */
- SETCURLOPT(state, CURLOPT_KEYPASSWD, ssl->keypasswd);
- if(ssl->cainfo)
- SETCURLOPT(state, CURLOPT_CAINFO, ssl->cainfo);
- if(ssl->capath)
- SETCURLOPT(state, CURLOPT_CAPATH, ssl->capath);
- }
- break;
+ SETCURLOPT(state, CURLOPT_SSLKEYPASSWD, state->auth->ssl.keypasswd);
+ break;
+ case CURLOPT_CAINFO:
+ if(state->auth->ssl.cainfo)
+ SETCURLOPT(state, CURLOPT_CAINFO, state->auth->ssl.cainfo);
+ break;
+ case CURLOPT_CAPATH:
+ if(state->auth->ssl.capath)
+ SETCURLOPT(state, CURLOPT_CAPATH, state->auth->ssl.capath);
+ break;
+ case CURLOPT_USE_SSL:
+ break;
 #ifdef HAVE_CURLOPT_BUFFERSIZE
 case CURLOPT_BUFFERSIZE:
@@ -210,6 +222,12 @@ ocset_flags_perlink(OCstate* state)
 if(stat == OC_NOERR) stat = ocset_curlflag(state,CURLOPT_COOKIEJAR);
 if(stat == OC_NOERR) stat = ocset_curlflag(state,CURLOPT_USERPWD);
 if(stat == OC_NOERR) stat = ocset_curlflag(state,CURLOPT_PROXY);
+ if(stat == OC_NOERR) stat = ocset_curlflag(state,CURLOPT_SSL_VERIFYPEER);
+ if(stat == OC_NOERR) stat = ocset_curlflag(state,CURLOPT_SSL_VERIFYHOST);
+ if(stat == OC_NOERR) stat = ocset_curlflag(state,CURLOPT_SSLCERT);
+ if(stat == OC_NOERR) stat = ocset_curlflag(state,CURLOPT_SSLKEY);
+ if(stat == OC_NOERR) stat = ocset_curlflag(state,CURLOPT_CAINFO);
+ if(stat == OC_NOERR) stat = ocset_curlflag(state,CURLOPT_CAPATH);
 if(stat == OC_NOERR) stat = ocset_curlflag(state,CURLOPT_USE_SSL);
 if(stat == OC_NOERR) stat = ocset_curlflag(state, CURLOPT_FOLLOWLOCATION);
 if(stat == OC_NOERR) stat = ocset_curlflag(state, CURLOPT_MAXREDIRS);
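Review bot: The line `if(state->auth->ssl.verifypeer == 0) state->auth->ssl.verifyhost = 0;` in the new `CURLOPT_SSL_VERIFYPEER` case rewrites the caller's stored configuration as a side effect of applying one curl option, so whether `CURLOPT_SSL_VERIFYHOST` ends up at 0 depends on dispatch order and on this case having run at least once; deriving the effective value inside the `CURLOPT_SSL_VERIFYHOST` case instead keeps the setter side-effect free and removes the ordering dependency. Disabling peer verification leaves the TLS session open to an active man-in-the-middle regardless of the host-name check, so if the library has a logging facility (I cannot see one from this hunk) a warning when `verifypeer` is explicitly 0 would be worth emitting at the same point. Separately, `CURLOPT_SSLKEYPASSWD` in the `CURLOPT_SSLKEY` case is the name the comment directly above it describes as pre-7.16.4, and the removed line used `CURLOPT_KEYPASSWD`; one of the two should change. ocset_curlflag begins and ends outside this hunk.
```c
    case CURLOPT_SSL_VERIFYPEER:
        /* -1 => leave libcurl's default; >= 0 => apply the configured value */
        if(state->auth->ssl.verifypeer >= 0)
            SETCURLOPT(state, CURLOPT_SSL_VERIFYPEER, (OPTARG)(state->auth->ssl.verifypeer));
        break;
    case CURLOPT_SSL_VERIFYHOST:
#ifdef HAVE_LIBCURL_766
        /* A host-name check cannot protect a peer whose chain is not verified,
           so derive the effective value here instead of rewriting ssl.verifyhost. */
        if(state->auth->ssl.verifypeer == 0)
            SETCURLOPT(state, CURLOPT_SSL_VERIFYHOST, (OPTARG)0);
        else if(state->auth->ssl.verifyhost >= 0)
            SETCURLOPT(state, CURLOPT_SSL_VERIFYHOST, (OPTARG)(state->auth->ssl.verifyhost));
#endif
        break;
    /* … unchanged: SSLCERT, SSLKEY, CAINFO, CAPATH, USE_SSL cases … */
```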
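Review bot: The retained call `if(stat == OC_NOERR) stat = ocset_curlflag(state,CURLOPT_USE_SSL);` now reaches a `case CURLOPT_USE_SSL:` whose body is just `break;` (visible in the hunk above), so the line is dead while its name suggests it enables TLS; either drop it or make that case actually set `CURLOPT_USE_SSL` on the handle. The six added calls also only behave as intended because `CURLOPT_SSL_VERIFYPEER` is dispatched before `CURLOPT_SSL_VERIFYHOST` — the former clears `ssl.verifyhost` when peer verification is off — and nothing here says so; a comment such as `/* order matters: VERIFYPEER may clear ssl.verifyhost before VERIFYHOST is applied */` above the pair would prevent a silent regression when the two curl files are merged. ocset_flags_perlink starts outside this hunk.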