01c79192840e6a0ce909b3b75741a0aed8d119f0
galt
  Fri Dec 17 03:07:16 2021 -0800
Add support for a wildcard in httpsCertCheckDomainExceptions. A few are reported in the logs with one low-level wildcard, and it is easy to do and efficient to allow just one asterisk wildcard substitution on one lowest-level subdomain. refs #28657

diff --git src/lib/https.c src/lib/https.c
index 7a033a5..c71cb07 100644
--- src/lib/https.c
+++ src/lib/https.c
@@ -354,99 +354,126 @@
 	    chopByWhite(dmwl, words, wordCount);
 	    int w;
 	    for(w=0; w < wordCount; w++)
 		{
 		hashStoreName(domainHash, words[w]);
 		}
 	    freeMem(words);
 	    }
 	freez(&dmwl);
 
 	// useful for testing, turns off hardwired whitelist exceptions
 	if (!hashLookup(domainHash, "noHardwiredExceptions"))  
 	    {
 	    // Hardwired exceptions whitelist
 	    // openssl automatically whitelists domains which are given as IPv4 or IPv6 addresses
+	    hashStoreName(domainHash, "*.cbu.uib.no");
+	    hashStoreName(domainHash, "*.genebook.com.cn");
 	    hashStoreName(domainHash, "annotation.dbi.udel.edu");
 	    hashStoreName(domainHash, "apprisws.bioinfo.cnio.es");
 	    hashStoreName(domainHash, "arn.ugr.es");
 	    hashStoreName(domainHash, "bic2.ibi.upenn.edu");
 	    hashStoreName(domainHash, "bioinfo2.ugr.es");
 	    hashStoreName(domainHash, "bioshare.genomecenter.ucdavis.edu");
 	    hashStoreName(domainHash, "biowebport.com");
 	    hashStoreName(domainHash, "bx.bio.jhu.edu");
 	    hashStoreName(domainHash, "cluster.hpcc.ucr.edu");
 	    hashStoreName(domainHash, "costalab.ukaachen.de");
 	    hashStoreName(domainHash, "data.rc.fas.harvard.edu");
 	    hashStoreName(domainHash, "datahub-7ak6xof0.udes.genap.ca");
 	    hashStoreName(domainHash, "datahub-7mu6z13t.udes.genap.ca");
 	    hashStoreName(domainHash, "datahub-bx3mvzla.udes.genap.ca");
 	    hashStoreName(domainHash, "datahub-gvhsc2p7.udes.genap.ca");
 	    hashStoreName(domainHash, "datahub-i8kms5wt.udes.genap.ca");
 	    hashStoreName(domainHash, "datahub-kazb7g4u.udes.genap.ca");
 	    hashStoreName(domainHash, "datahub-nyt53rix.udes.genap.ca");
 	    hashStoreName(domainHash, "datahub-ruigbdoq.udes.genap.ca");
 	    hashStoreName(domainHash, "dev.herv.img.cas.cz");
 	    hashStoreName(domainHash, "dev.stanford.edu");
 	    hashStoreName(domainHash, "dice-green.liai.org");
 	    hashStoreName(domainHash, "dropbox.ogic.ca");
+	    hashStoreName(domainHash, "dropfile.hpc.qmul.ac.uk");
 	    hashStoreName(domainHash, "edn.som.umaryland.edu");
+	    hashStoreName(domainHash, "frigg.uio.no");
 	    hashStoreName(domainHash, "ftp--ncbi--nlm--nih--gov.ibrowse.co");
 	    hashStoreName(domainHash, "ftp.science.ru.nl");
+	    hashStoreName(domainHash, "galaxy.med.uvm.edu");
 	    hashStoreName(domainHash, "garfield.igh.cnrs.fr");
 	    hashStoreName(domainHash, "gcp.wenglab.org");
 	    hashStoreName(domainHash, "genome-tracks.ngs.omrf.in");
 	    hashStoreName(domainHash, "genomicsdata.cs.ucl.ac.uk");
 	    hashStoreName(domainHash, "gsmplot.deqiangsun.org");
 	    hashStoreName(domainHash, "hgdownload--soe--ucsc--edu.ibrowse.co");
+	    hashStoreName(domainHash, "hci-bio-app.hci.utah.edu");
 	    hashStoreName(domainHash, "hkgateway.med.umich.edu");
 	    hashStoreName(domainHash, "hsb.upf.edu");
 	    hashStoreName(domainHash, "icbi.at");
 	    hashStoreName(domainHash, "lichtlab.cancer.ufl.edu");
 	    hashStoreName(domainHash, "manticore.niehs.nih.gov");
 	    hashStoreName(domainHash, "microb215.med.upenn.edu");
+	    hashStoreName(domainHash, "mitranscriptome.path.med.umich.edu");
 	    hashStoreName(domainHash, "nextgen.izkf.rwth-aachen.de");
 	    hashStoreName(domainHash, "oculargenomics.meei.harvard.edu");
 	    hashStoreName(domainHash, "onesgateway.med.umich.edu");
 	    hashStoreName(domainHash, "openslice.fenyolab.org");
 	    hashStoreName(domainHash, "peromyscus.rc.fas.harvard.edu");
+	    hashStoreName(domainHash, "pgv19.virol.ucl.ac.uk");
 	    hashStoreName(domainHash, "pricenas.biochem.uiowa.edu");
+	    hashStoreName(domainHash, "redirect.medsch.ucla.edu");
 	    hashStoreName(domainHash, "rnaseqhub.brain.mpg.de");
 	    hashStoreName(domainHash, "schatzlabucscdata.yalespace.org.s3.amazonaws.com");
 	    hashStoreName(domainHash, "silo.bioinf.uni-leipzig.de");
 	    hashStoreName(domainHash, "snpinfo.niehs.nih.gov");
 	    hashStoreName(domainHash, "v91rc2.master.demo.encodedcc.org");
 	    hashStoreName(domainHash, "v91rc3.master.demo.encodedcc.org");
 	    hashStoreName(domainHash, "v94.rc2.demo.encodedcc.org");
 	    hashStoreName(domainHash, "virtlehre.informatik.uni-leipzig.de");
 	    hashStoreName(domainHash, "web1.bx.bio.jhu.edu");
 	    hashStoreName(domainHash, "www.datadepot.rcac.purdue.edu");
 	    hashStoreName(domainHash, "www.isical.ac.in");
+	    hashStoreName(domainHash, "www.morgridge.us");
 	    hashStoreName(domainHash, "www.ogic.ca");
 	    hashStoreName(domainHash, "www.v93rc2.demo.encodedcc.org");
 	    hashStoreName(domainHash, "xinglabtrackhub.research.chop.edu");
 	    hashStoreName(domainHash, "zlab-trackhub.umassmed.edu");
 	    hashStoreName(domainHash, "zlab.umassmed.edu");
 	    }
 
 	domainWhiteList = domainHash;
 	}
     pthread_mutex_unlock( &initInUseMutex );
     }
 return domainWhiteList;
 }
 
+struct hashEl *checkIfInHashWithWildCard(char *hostName)
+/* check if in hash, and if in hash with lowest-level domain set to "*" wildcard */
+{
+struct hashEl *result = hashLookup(initDomainWhiteListHash(), hostName);
+if (!result)
+    {
+    char *dot = strchr(hostName, '.');
+    if (dot && (dot - hostName) >= 1)
+	{
+        int length=strlen(hostName)+1;
+	char wildHost[length];
+	safef(wildHost, sizeof wildHost, "*%s", dot);
+	result = hashLookup(initDomainWhiteListHash(), wildHost);
+	}
+    }
+return result;
+}
 
 int netConnectHttps(char *hostName, int port, boolean noProxy)
 /* Return socket for https connection with server or -1 if error. */
 {
 
 int fd=0;
 
 // https_cert_check env var can be abort warn or none.
 
 setenv("https_cert_check", "log", 0);      // DEFAULT certificate check is log.
 
 setenv("https_cert_check_depth", "9", 0);   // DEFAULT depth check level is 9.
 
 setenv("https_cert_check_verbose", "off", 0);   // DEFAULT verbose is off.
 
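Review bot: The wildcard match in checkIfInHashWithWildCard applies to every entry in domainHash, including the words read from the httpsCertCheckDomainExceptions setting at the top of this hunk, so a configured `*.com` or `*.co.uk` would skip certificate verification for every host under that suffix rather than for one subdomain level. A cheap guard is to require that at least two labels remain after the substituted one before trying the wildcard form: `if (dot && (dot - hostName) >= 1 && strchr(dot + 1, '.') != NULL)`. The comment above the function should also state the rule, e.g. `/* check if in hash, and if not, retry with the leftmost label replaced by "*"; the wildcard form is only tried when at least two labels follow it */`. Separately, `int length=strlen(hostName)+1;` narrows a size_t into int; `size_t length = strlen(hostName) + 1;` avoids the implicit conversion.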
@@ -464,31 +491,31 @@
 SSL_CTX *ctx;
 SSL *ssl;
 
 openSslInit();
 
 ctx = SSL_CTX_new(SSLv23_client_method());
 
 fd_set readfds;
 fd_set writefds;
 int err;
 struct timeval tv;
 
 
 if (!sameString(getenv("https_cert_check"), "none"))
     {
-    if (hashLookup(initDomainWhiteListHash(), hostName))
+    if (checkIfInHashWithWildCard(hostName))
 	{
 	// old existing domains which are not (yet) compatible with openssl.
 	if (getenv("SCRIPT_NAME"))  // CGI mode
 	    {
 	    fprintf(stderr, "domain %s cert check skipped because it is white-listed as an exception.\n", hostName);
 	    }
 	}
     else
 	{
 
 	// verify peer cert of the server.
 	// Set TRUSTED_FIRST for openssl 1.0
 	// Fixes common issue openssl 1.0 had with with LetsEncrypt certs in the Fall of 2021.
 	X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_TRUSTED_FIRST);