Update OpenSSL dependency

Android.bp

@@ -148,6 +148,7 @@ cc_defaults {
         "-fPIC",
         "-DREALM_NO_CONFIG",
         "-DREALM_HAVE_OPENSSL=1",
+        "-DREALM_USE_SYSTEM_OPENSSL_PATHS=0",
         "-DREALM_INCLUDE_CERTS=1",
         "-DREALM_ENABLE_ENCRYPTION=1",
         "-DREALM_ENABLE_SYNC=1",

CHANGELOG.md

@@ -3,6 +3,7 @@
 ### Enhancements
 * <New feature description> (PR [#????](https://github.com/realm/realm-core/pull/????))
 * Allow the query builder to construct >, >=, <, <= queries for string constants. This is a case sensitive lexicographical comparison. Improved performance of RQL (parsed) queries on a non-linked string property using: >, >=, <, <=, operators and fixed behaviour that a null string should be evaulated as less than everything, previously nulls were not matched. ([#3939](https://github.com/realm/realm-core/issues/3939), this is a prerequisite for https://github.com/realm/realm-swift/issues/8008).
+* Updated bundled OpenSSL version to 3.2.0 (PR [#7303](https://github.com/realm/realm-core/pull/7303))
 
 ### Fixed
 * Uploading the changesets recovered during an automatic client reset recovery may lead to 'Bad server version' errors and a new client reset. ([#7279](https://github.com/realm/realm-core/issues/7279), since v13.24.1)

CMakeLists.txt

@@ -306,18 +306,22 @@ elseif(REALM_ENABLE_ENCRYPTION AND CMAKE_SYSTEM_NAME MATCHES "Linux|Android")
 endif()
 
 if(REALM_NEEDS_OPENSSL OR REALM_FORCE_OPENSSL)
+    option(REALM_USE_SYSTEM_OPENSSL "Look for an external OpenSSL installation instead of using prebuilt one." OFF)
+    set(_REALM_USE_OPENSSL_DEFAULT_VERIFY_PATHS ON)
     if(NOT REALM_USE_SYSTEM_OPENSSL AND (ANDROID OR WIN32 OR CMAKE_SYSTEM_NAME STREQUAL "Linux"))
         # Use our own prebuilt OpenSSL
         realm_acquire_dependency(openssl ${DEP_OPENSSL_VERSION} OPENSSL_CMAKE_INCLUDE_FILE)
 
         include(${OPENSSL_CMAKE_INCLUDE_FILE})
+        set(_REALM_USE_OPENSSL_DEFAULT_VERIFY_PATHS OFF)
     endif()
 
     if(NOT DEFINED OPENSSL_USE_STATIC_LIBS)
         set(OPENSSL_USE_STATIC_LIBS ON)
     endif()
     find_package(OpenSSL REQUIRED)
     set(REALM_HAVE_OPENSSL ON)
+    option(REALM_USE_SYSTEM_OPENSSL_PATHS "Use the system OpenSSL certificate store (specified by the OPENSSLDIR environment variable) at runtime for TLS handshake." ${_REALM_USE_OPENSSL_DEFAULT_VERIFY_PATHS})
     string(REGEX MATCH "^([0-9]+)\\.([0-9]+)" OPENSSL_VERSION_MAJOR_MINOR "${OPENSSL_VERSION}")
 elseif(APPLE)
     set(REALM_HAVE_SECURE_TRANSPORT "1")

dependencies.list

@@ -1,6 +1,6 @@
 PACKAGE_NAME=realm-core
 VERSION=13.26.0
-OPENSSL_VERSION=3.0.8
+OPENSSL_VERSION=3.2.0
 ZLIB_VERSION=1.2.13
 # https://github.com/10gen/baas/commits
 # 5087f is 2024 Jan 13

src/realm/sync/network/network_ssl.cpp

@@ -326,12 +326,14 @@ void Context::ssl_use_private_key_file(const std::string& path, std::error_code&
 
 void Context::ssl_use_default_verify(std::error_code& ec)
 {
+#if REALM_USE_SYSTEM_OPENSSL_PATHS
     ERR_clear_error();
     int ret = SSL_CTX_set_default_verify_paths(m_ssl_ctx);
     if (ret != 1) {
         ec = std::error_code(int(ERR_get_error()), openssl_error_category);
         return;
     }
+#endif
     ec = std::error_code();
 }
 

src/realm/util/config.h.in

@@ -4,6 +4,7 @@
 // Feature detection
 #cmakedefine01 REALM_HAVE_READDIR64
 #cmakedefine01 REALM_HAVE_POSIX_FALLOCATE
+#cmakedefine01 REALM_USE_SYSTEM_OPENSSL_PATHS
 #cmakedefine01 REALM_HAVE_OPENSSL
 #cmakedefine01 REALM_HAVE_SECURE_TRANSPORT
 #cmakedefine01 REALM_HAVE_PTHREAD_GETNAME