MySQL 8.4.0
Source Code Documentation
ssl_init_callback.h
Go to the documentation of this file.
1/* Copyright (c) 2020, 2024, Oracle and/or its affiliates.
2
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License, version 2.0,
5 as published by the Free Software Foundation.
6
7 This program is designed to work with certain software (including
8 but not limited to OpenSSL) that is licensed under separate terms,
9 as designated in a particular file or component or in included license
10 documentation. The authors of MySQL hereby grant you an additional
11 permission to link the program and your derivative works with the
12 separately licensed software that they have either included with
13 the program or referenced in the documentation.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License, version 2.0, for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
23
24#ifndef SSL_INIT_CALLBACK_INCLUDED
25#define SSL_INIT_CALLBACK_INCLUDED
26
27#include <atomic>
28#include <string>
29
30#include <sql/auth/auth_common.h> /* ssl_artifacts_status */
31
32/** The runtime value of whether admin TLS used different config or not */
33extern std::atomic_bool g_admin_ssl_configured;
34/**
35 The configure time value of whether admin TLS used different config or not.
36 The value for this is determined during system variable update.
37 True means that the ADMIN channel is using its own TLS configuration.
38 False means that the ADMIN channel is reusing the main channel's
39 TLS configuration.
40 To put this value into effect (and update @ref g_admin_ssl_configured)
41 one needs to execute the "ALTER INSTANCE RELOAD TLS" SQL command.
42*/
43extern bool opt_admin_ssl_configured;
44
45extern std::string mysql_main_channel;
46extern std::string mysql_admin_channel;
47extern bool opt_tls_certificates_enforced_validation;
48
49/** helper class to deal with optionally empty strings */
50class OptionalString {
51 public:
52 OptionalString() : value_(), empty_(true) {}
53 OptionalString(const char *s) : value_(s ? s : ""), empty_(!s) {}
54 ~OptionalString() = default;
55 OptionalString(const OptionalString &) = default;
56
57 const char *c_str() const { return empty_ ? nullptr : value_.c_str(); }
58 OptionalString &assign(const char *s) {
59 value_.assign(s ? s : "");
60 empty_ = !s;
61 return *this;
62 }
63
64 private:
65 std::string value_;
66 bool empty_;
67};
68
69/* Class to encasulate callbacks for init/reinit */
70class Ssl_init_callback {
71 public:
72 virtual void read_parameters(OptionalString *ca, OptionalString *capath,
73 OptionalString *version, OptionalString *cert,
74 OptionalString *cipher,
75 OptionalString *ciphersuites,
76 OptionalString *key, OptionalString *crl,
77 OptionalString *crl_path,
78 bool *session_cache_mode,
79 long *session_cache_timeout) = 0;
80
81 virtual bool provision_certs() = 0;
82
83 virtual bool warn_self_signed_ca() = 0;
84
85 virtual ~Ssl_init_callback() = default;
86};
87
88/**
89 Class to encasulate callbacks for init/reinit
90 for client server connection port
91*/
92class Ssl_init_callback_server_main final : public Ssl_init_callback {
93 public:
94 void read_parameters(OptionalString *ca, OptionalString *capath,
95 OptionalString *version, OptionalString *cert,
96 OptionalString *cipher, OptionalString *ciphersuites,
97 OptionalString *key, OptionalString *crl,
98 OptionalString *crl_path, bool *session_cache_mode,
99 long *session_cache_timeout) override;
100
101 bool provision_certs() override;
102
103 bool warn_self_signed_ca() override;
104
105 ~Ssl_init_callback_server_main() override = default;
106
107 private:
108 ssl_artifacts_status auto_detect_ssl();
109};
110
111/**
112 Class to encasulate callbacks for init/reinit
113 for admin connection port
114*/
115class Ssl_init_callback_server_admin final : public Ssl_init_callback {
116 public:
117 void read_parameters(OptionalString *ca, OptionalString *capath,
118 OptionalString *version, OptionalString *cert,
119 OptionalString *cipher, OptionalString *ciphersuites,
120 OptionalString *key, OptionalString *crl,
121 OptionalString *crl_path, bool *session_cache_mode,
122 long *session_cache_timeout) override;
123
124 bool provision_certs() override {
125 /*
126 No automatic provisioning. Always return
127 success to fallback to system variables.
128 */
129 return false;
130 }
131
132 bool warn_self_signed_ca() override;
133
134 ~Ssl_init_callback_server_admin() override = default;
135};
136
137extern Ssl_init_callback_server_main server_main_callback;
138extern Ssl_init_callback_server_admin server_admin_callback;
139
140/**
141 Helper method to validate values of --tls-version and --admin-tls-version
142*/
143bool validate_tls_version(const char *val);
144
145enum class TLS_version { TLSv12 = 0, TLSv13 };
146/**
147 Helper method to validate values of --ssl-cipher and --admin-ssl-cipher
148*/
149bool validate_ciphers(const char *option, const char *val, TLS_version version);
150#endif // !SSL_INIT_CALLBACK_INCLUDED
auth_common.h
ssl_artifacts_status
ssl_artifacts_status
Definition: auth_common.h:891
nullptr
Kerberos Client Authentication nullptr
Definition: auth_kerberos_client_plugin.cc:251
OptionalString
helper class to deal with optionally empty strings
Definition: ssl_init_callback.h:50
OptionalString::assign
OptionalString & assign(const char *s)
Definition: ssl_init_callback.h:58
OptionalString::~OptionalString
~OptionalString()=default
OptionalString::OptionalString
OptionalString(const char *s)
Definition: ssl_init_callback.h:53
OptionalString::value_
std::string value_
Definition: ssl_init_callback.h:65
OptionalString::OptionalString
OptionalString(const OptionalString &)=default
OptionalString::empty_
bool empty_
Definition: ssl_init_callback.h:66
OptionalString::OptionalString
OptionalString()
Definition: ssl_init_callback.h:52
OptionalString::c_str
const char * c_str() const
Definition: ssl_init_callback.h:57
Ssl_init_callback_server_admin
Class to encasulate callbacks for init/reinit for admin connection port.
Definition: ssl_init_callback.h:115
Ssl_init_callback_server_admin::warn_self_signed_ca
bool warn_self_signed_ca() override
Definition: ssl_init_callback.cc:500
Ssl_init_callback_server_admin::~Ssl_init_callback_server_admin
~Ssl_init_callback_server_admin() override=default
Ssl_init_callback_server_admin::read_parameters
void read_parameters(OptionalString *ca, OptionalString *capath, OptionalString *version, OptionalString *cert, OptionalString *cipher, OptionalString *ciphersuites, OptionalString *key, OptionalString *crl, OptionalString *crl_path, bool *session_cache_mode, long *session_cache_timeout) override
Definition: ssl_init_callback.cc:478
Ssl_init_callback_server_admin::provision_certs
bool provision_certs() override
Definition: ssl_init_callback.h:124
Ssl_init_callback_server_main
Class to encasulate callbacks for init/reinit for client server connection port.
Definition: ssl_init_callback.h:92
Ssl_init_callback_server_main::provision_certs
bool provision_certs() override
Definition: ssl_init_callback.cc:459
Ssl_init_callback_server_main::warn_self_signed_ca
bool warn_self_signed_ca() override
Definition: ssl_init_callback.cc:471
Ssl_init_callback_server_main::~Ssl_init_callback_server_main
~Ssl_init_callback_server_main() override=default
Ssl_init_callback_server_main::read_parameters
void read_parameters(OptionalString *ca, OptionalString *capath, OptionalString *version, OptionalString *cert, OptionalString *cipher, OptionalString *ciphersuites, OptionalString *key, OptionalString *crl, OptionalString *crl_path, bool *session_cache_mode, long *session_cache_timeout) override
Definition: ssl_init_callback.cc:400
Ssl_init_callback_server_main::auto_detect_ssl
ssl_artifacts_status auto_detect_ssl()
Definition: ssl_init_callback.cc:420
Ssl_init_callback
Definition: ssl_init_callback.h:70
Ssl_init_callback::read_parameters
virtual void read_parameters(OptionalString *ca, OptionalString *capath, OptionalString *version, OptionalString *cert, OptionalString *cipher, OptionalString *ciphersuites, OptionalString *key, OptionalString *crl, OptionalString *crl_path, bool *session_cache_mode, long *session_cache_timeout)=0
Ssl_init_callback::warn_self_signed_ca
virtual bool warn_self_signed_ca()=0
Ssl_init_callback::provision_certs
virtual bool provision_certs()=0
Ssl_init_callback::~Ssl_init_callback
virtual ~Ssl_init_callback()=default
key
required string key
Definition: replication_asynchronous_connection_failover.proto:60
version
required uint64 version
Definition: replication_group_member_actions.proto:41
Ssl_acceptor_context_property_type::session_cache_timeout
@ session_cache_timeout
Ssl_acceptor_context_property_type::session_cache_mode
@ session_cache_mode
mysql_admin_channel
std::string mysql_admin_channel
mysql_main_channel
std::string mysql_main_channel
server_admin_callback
Ssl_init_callback_server_admin server_admin_callback
Definition: ssl_init_callback.cc:506
opt_admin_ssl_configured
bool opt_admin_ssl_configured
The configure time value of whether admin TLS used different config or not.
Definition: ssl_init_callback.cc:70
opt_tls_certificates_enforced_validation
bool opt_tls_certificates_enforced_validation
SSL context options.
Definition: ssl_init_callback.cc:43
validate_ciphers
bool validate_ciphers(const char *option, const char *val, TLS_version version)
Helper method to validate values of –ssl-cipher and –admin-ssl-cipher.
Definition: ssl_init_callback.cc:100
TLS_version
TLS_version
Definition: ssl_init_callback.h:145
TLS_version::TLSv12
@ TLSv12
TLS_version::TLSv13
@ TLSv13
validate_tls_version
bool validate_tls_version(const char *val)
Helper method to validate values of –tls-version and –admin-tls-version.
Definition: ssl_init_callback.cc:74
g_admin_ssl_configured
std::atomic_bool g_admin_ssl_configured
The runtime value of whether admin TLS used different config or not.
server_main_callback
Ssl_init_callback_server_main server_main_callback
Definition: ssl_init_callback.cc:505