Merge pull request #2690 from DennisHeimbigner/verifyhost.dmh

Fix handling of CURLOPT_CAINFO and CURLOPT_CAPATH
Unidata · May 30, 2023 · 43b03a4 · 43b03a4
2 parents feaa6cd + a14bfde
commit 43b03a4
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 11 deletions.
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
@@ -7,7 +7,7 @@ This file contains a high-level description of this package's evolution. Release
 
 ## 4.9.3 - TBD
 
-
+* [Bug Fix] Provide a partial fix to the libcurl certificates problem. See [Github #2690](https://github.com/Unidata/netcdf-c/pull/2690).
 * Improve S3 documentation, testing, and support See [Github #2686](https://github.com/Unidata/netcdf-c/pull/2686).
 * Remove obsolete code. See [Github #2680](https://github.com/Unidata/netcdf-c/pull/2680).
 * [Bug Fix] Add a crude test to see if an NCZarr path looks like a valid NCZarr/Zarr file. See [Github #2658](https://github.com/Unidata/netcdf-c/pull/2658).

diff --git a/configure.ac b/configure.ac
@@ -530,19 +530,19 @@ AC_MSG_RESULT([${havecurloption}])
 if test $havecurloption = yes; then
   AC_DEFINE([HAVE_CURLOPT_KEEPALIVE],[1],[Is CURLOPT_TCP_KEEPALIVE defined])
 fi
+
 # CURLOPT_VERIFYHOST semantics differ depending on version
 AC_MSG_CHECKING([whether libcurl is version 7.66 or later?])
 AC_COMPILE_IFELSE([AC_LANG_PROGRAM(
 [#include "curl/curl.h"],
 [[
-#if LIBCURL_VERSION_NUM < 0x074200
+#if !CURL_AT_LEAST_VERSION(7,66,0)
 error "<7.66";
 #endif
 ]])], [libcurl766=yes], [libcurl766=no])
-
 AC_MSG_RESULT([$libcurl766])
-if test x$libcurl66 = xno; then
-  AC_DEFINE([HAVE_LIBCURL_766],[1],[Is libcurl version 7.66 or later])
+if test x$libcurl766 = xyes; then
+AC_DEFINE([HAVE_LIBCURL_766],[1],[libcurl version is 7.66 or later])
 fi
 
 CFLAGS="$SAVECFLAGS"

diff --git a/libdispatch/drc.c b/libdispatch/drc.c
@@ -569,11 +569,12 @@ rcequal(NCRCentry* e1, NCRCentry* e2)
     nulltest = 0;
     if(e1->host == NULL) nulltest |= 1;
     if(e2->host == NULL) nulltest |= 2;
+    /* Use host to decide if entry applies */
     switch (nulltest) {
     case 0: if(strcmp(e1->host,e2->host) != 0) {return 0;}  break;
-    case 1: return 0;
-    case 2: return 0;
-    case 3: break;
+    case 1: break;    /* .rc->host == NULL && candidate->host != NULL */
+    case 2: return 0; /* .rc->host != NULL && candidate->host == NULL */
+    case 3: break;    /* .rc->host == NULL && candidate->host == NULL */
     default: return 0;
     }
     /* test urlpath take NULL into account*/
@@ -582,9 +583,9 @@ rcequal(NCRCentry* e1, NCRCentry* e2)
     if(e2->urlpath == NULL) nulltest |= 2;
     switch (nulltest) {
     case 0: if(strcmp(e1->urlpath,e2->urlpath) != 0) {return 0;} break;
-    case 1: return 0;
-    case 2: return 0;
-    case 3: break;
+    case 1: break;    /* .rc->urlpath == NULL && candidate->urlpath != NULL */
+    case 2: return 0; /* .rc->urlpath != NULL && candidate->urlpath == NULL */
+    case 3: break;    /* .rc->urlpath == NULL && candidate->urlpath == NULL */
     default: return 0;
     }
     return 1;

diff --git a/oc2/occurlfunctions.c b/oc2/occurlfunctions.c
@@ -130,6 +130,7 @@ ocset_curlflag(OCstate* state, int flag)
     case CURLOPT_USE_SSL:
     case CURLOPT_SSLCERT: case CURLOPT_SSLKEY:
     case CURLOPT_SSL_VERIFYPEER: case CURLOPT_SSL_VERIFYHOST:
+    case CURLOPT_CAINFO: case CURLOPT_CAPATH:
     {
         struct ssl* ssl = &state->auth->ssl;
 	/* VERIFYPEER == 0 => VERIFYHOST == 0 */