8ac718f8496a6fbfbf00248a68e740a10c0bcf81
galt
  Tue Nov 26 00:42:19 2024 -0800
This change accommodates upgrade to openssl3.3 and mariadb10 using custom-compiled libmariadb.a. These files are in /cluster/software/maridb and /cluster/software/openssl. refs #34014,#27440. It also handles the new mariadb 10 and 11 that have configuration with ssl turned on by default.

diff --git src/lib/https.c src/lib/https.c
index f27b5fe..513695e 100644
--- src/lib/https.c
+++ src/lib/https.c
@@ -1,25 +1,25 @@
 /* Connect via https. */
 
 /* Copyright (C) 2012 The Regents of the University of California 
  * See kent/LICENSE or http://genome.ucsc.edu/license/ for licensing information. */
 
-#include "openssl/ssl.h"
-#include "openssl/err.h"
+#include <openssl/ssl.h>
+#include <openssl/err.h>
 
-#include "openssl/x509v3.h"
-#include "openssl/x509_vfy.h"
+#include <openssl/x509v3.h>
+#include <openssl/x509_vfy.h>
 
 #include <sys/socket.h>
 #include <unistd.h>
 #include <pthread.h>
 #include <signal.h>
 
 #include "common.h"
 #include "internet.h"
 #include "errAbort.h"
 #include "hash.h"
 #include "net.h"
 
 char *https_cert_check = "log";                 // DEFAULT certificate check is log.
 char *https_cert_check_depth = "9";             // DEFAULT depth check level is 9.
 char *https_cert_check_verbose = "off";         // DEFAULT verbose is off.
@@ -29,44 +29,44 @@
 char *log_proxy = NULL;
 
 char *SCRIPT_NAME = NULL;
 
 // For use with callback. Set a variable into the connection itself,
 // and then use that during the callback.
 struct myData
     {
     char *hostName;
     };
 
 int myDataIndex = -1;
 
 static pthread_mutex_t *mutexes = NULL;
  
-static unsigned long openssl_id_callback(void)
+unsigned long openssl_id_callback(void)
 {
 return ((unsigned long)pthread_self());
 }
  
-static void openssl_locking_callback(int mode, int n, const char * file, int line)
+void openssl_locking_callback(int mode, int n, const char * file, int line)
 {
 if (mode & CRYPTO_LOCK)
     pthread_mutex_lock(&mutexes[n]);
 else
     pthread_mutex_unlock(&mutexes[n]);
 }
  
-void openssl_pthread_setup(void)
+static void openssl_pthread_setup(void)
 {
 int i;
 int numLocks = CRYPTO_num_locks();
 AllocArray(mutexes, numLocks);
 for (i = 0;  i < numLocks;  i++)
     pthread_mutex_init(&mutexes[i], NULL);
 CRYPTO_set_id_callback(openssl_id_callback);
 CRYPTO_set_locking_callback(openssl_locking_callback);
 }
  
 
 struct netConnectHttpsParams
 /* params to pass to thread */
 {
 pthread_t thread;
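Review bot: Removing `static` from openssl_id_callback and openssl_locking_callback (the two `-`/`+` pairs at the top of the hunk) exports two symbols that no header in this diff declares, which pollutes the link namespace and trips -Wmissing-prototypes. If the motive is the unused-function warning under OpenSSL 1.1+, where CRYPTO_set_id_callback and CRYPTO_set_locking_callback are no-op macros so the static functions are never referenced, the cleaner fix is to keep them `static` and wrap the two definitions (and the body of openssl_pthread_setup) in the same `#if OPENSSL_VERSION_NUMBER < 0x10100000L` guard this commit introduces for SSL_CTX_new, or to mark them `__attribute__((unused))`. Making openssl_pthread_setup static is fine on its own, since its only call in this diff is inside the initialization function in the next hunk.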
@@ -102,31 +102,31 @@
 static pthread_mutex_t osiMutex = PTHREAD_MUTEX_INITIALIZER;
 pthread_mutex_lock( &osiMutex );
 if (!done)
     {
     // setenv avoided since not thread-safe
     myGetenv(&https_cert_check,                   "https_cert_check");
     myGetenv(&https_cert_check_depth,             "https_cert_check_depth");
     myGetenv(&https_cert_check_verbose,           "https_cert_check_verbose");
     myGetenv(&https_cert_check_domain_exceptions, "https_cert_check_domain_exceptions");
     myGetenv(&https_proxy, "https_proxy");
     myGetenv(&log_proxy,   "log_proxy");
     myGetenv(&SCRIPT_NAME, "SCRIPT_NAME");
 
     SSL_library_init();
     ERR_load_crypto_strings();
-    ERR_load_SSL_strings();
+    SSL_load_error_strings();   // ERR_load_SSL_strings(); deprecated.
     OpenSSL_add_all_algorithms();
     openssl_pthread_setup();
     myDataIndex = SSL_get_ex_new_index(0, "myDataIndex", NULL, NULL, NULL);
     initDomainWhiteListHash();
     done = TRUE;
     }
 pthread_mutex_unlock( &osiMutex );
 }
 
 
 void *netConnectHttpsThread(void *threadParam)
 /* use a thread to run socket back to user */
 {
 /* child */
 
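Review bot: The replacement `SSL_load_error_strings()` on the `+` line is itself a compatibility macro that OpenSSL 1.1.0 expands to OPENSSL_init_ssl(), and the neighbouring SSL_library_init(), ERR_load_crypto_strings() and OpenSSL_add_all_algorithms() are deprecated in the same way, so the swap only moves the deprecation from 3.0 back to 1.1.0 rather than removing it. Under the `#if OPENSSL_VERSION_NUMBER < 0x10100000L` guard this commit uses later in the file, the four legacy calls collapse on the modern branch to one explicit `OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);`, which also covers the cipher/digest registration the old calls did. The comment `// ERR_load_SSL_strings(); deprecated.` would read better as `// ERR_load_SSL_strings() is deprecated since OpenSSL 3.0`. The enclosing initialization function starts before this hunk; the `done` flag and osiMutex around it are unaffected.
```c
#if OPENSSL_VERSION_NUMBER < 0x10100000L
    SSL_library_init();
    ERR_load_crypto_strings();
    SSL_load_error_strings();   // ERR_load_SSL_strings() is deprecated since OpenSSL 3.0
    OpenSSL_add_all_algorithms();
#else
    /* Since 1.1.0 the four calls above are macros over this; say it once, explicitly. */
    OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
#endif
    openssl_pthread_setup();
    // … unchanged: myDataIndex, initDomainWhiteListHash(), done = TRUE …
```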
@@ -589,31 +589,38 @@
 char *connectHost;
 int connectPort;
 
 BIO *fbio=NULL;  // file descriptor bio
 BIO *sbio=NULL;  // ssl bio
 SSL_CTX *ctx;
 SSL *ssl;
 
 openSslInit();   // call early since it initializes vars from env vars in a thread-safe way.
 
 char *proxyUrl = https_proxy;
 
 if (noProxy)
     proxyUrl = NULL;
 
-ctx = SSL_CTX_new(SSLv23_client_method());
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L   // # 1.1
+ctx = SSL_CTX_new(TLSv1_2_client_method()); // OLD SSLv23_client_method());
+#else
+ctx = SSL_CTX_new(TLS_client_method());
+SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
+SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION);
+#endif
 
 fd_set readfds;
 fd_set writefds;
 int err;
 struct timeval tv;
 
 struct myData myData;
 boolean doSetMyData = FALSE;
 
 X509_VERIFY_PARAM *param = NULL;
 
 if (!sameString(https_cert_check, "none"))
     {
     if (checkIfInHashWithWildCard(hostName))
 	{
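Review bot: `ctx` returned by SSL_CTX_new on the new `+` lines is passed straight to SSL_CTX_set_min_proto_version and SSL_CTX_set_max_proto_version without a NULL check; those are SSL_CTX_ctrl wrappers that do not tolerate a NULL ctx, so an allocation failure becomes a crash instead of an error. Add `if (ctx == NULL)` before the two calls, report the reason (ERR_print_errors_fp is available from the included openssl/err.h) and take the function's existing failure exit; I cannot see whether ctx is checked further down because the function continues past the hunk. Separately, `TLS1_3_VERSION` is only defined from OpenSSL 1.1.1, so the `#else` branch fails to compile on 1.1.0 even though the guard admits it; passing 0 as the maximum (`SSL_CTX_set_max_proto_version(ctx, 0);`, meaning "highest supported") or dropping that call avoids both the build break and a hard cap once a newer TLS version exists. The guard comment `// # 1.1` would be clearer as `// OpenSSL < 1.1.0: no TLS_client_method()/proto-version API`. The enclosing function starts before this hunk and continues after it.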