MySQL 8.4.2
Source Code Documentation
xcom_ssl_transport.h
Go to the documentation of this file.
1/* Copyright (c) 2016, 2024, Oracle and/or its affiliates.
2
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License, version 2.0,
5 as published by the Free Software Foundation.
6
7 This program is designed to work with certain software (including
8 but not limited to OpenSSL) that is licensed under separate terms,
9 as designated in a particular file or component or in included license
10 documentation. The authors of MySQL hereby grant you an additional
11 permission to link the program and your derivative works with the
12 separately licensed software that they have either included with
13 the program or referenced in the documentation.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License, version 2.0, for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
23
24#ifndef XCOM_SSL_TRANSPORT_H
25#define XCOM_SSL_TRANSPORT_H
26
27#ifndef XCOM_WITHOUT_OPENSSL
28#ifdef _WIN32
29/* In OpenSSL before 1.1.0, we need this first. */
30#include <winsock2.h>
31#endif /* _WIN32 */
32
33#include <openssl/err.h>
34#include <openssl/ssl.h>
35
36#ifndef SSL_SUCCESS
37#define SSL_SUCCESS 1
38#define SSL_ERROR 0
39#endif
40
41/*
42 Possible operation modes as explained further down. If you
43 want to add a new mode, do it before the LAST_SSL_MODE.
44*/
53};
54
55/*
56 Possible operation fips modes as explained further down. If you
57 want to add a new ssl fips mode, do it before the LAST_SSL_FIPS_MODE.
58*/
65};
66
67/*
68 Return the operation fips mode as an integer from an operation fips mode
69 provided as a string. Note that the string must be provided in upper case
70 letters and the possible values are: "OFF", "ON", "STRICT",
71
72 If a different value is provide, INVALID_SSL_MODE (-1) is returned.
73*/
75
76/*
77 Set the operation fips mode which might be the following:
78
79 . SSL_FIPS_MODE_OFF (0): This will set openssl fips mode value to 0
80
81 . SSL_FIPS_MODE_ON (1): This will set openssl fips mode value to 1
82
83 . SSL_FIPS_MODE_STRICT (2): This will set openssl fips mode value to 2
84
85 If a different value is provide, INVALID_SSL_FIPS_MODE (-1) is returned.
86*/
88
89/*
90 Return the operation mode as an integer from an operation mode provided
91 as a string. Note that the string must be provided in upper case letters
92 and the possible values are: "DISABLED", "PREFERRED", "REQUIRED",
93 "VERIFY_CA" or "VERIFY_IDENTITY".
94
95 If a different value is provide, INVALID_SSL_MODE (-1) is returned.
96*/
97int xcom_get_ssl_mode(const char *mode);
98
99/*
100 Set the operation mode which might be the following:
101
102 . SSL_DISABLED (1): The SSL mode will be disabled and this is the default
103 value.
104
105 . SSL_PREFERRED (2): The SSL mode will be always disabled if this value is
106 provided and is only allowed to keep the solution compatibility with
107 MySQL server.
108
109 . SSL_REQUIRED (4): The SSL mode will be enabled but the verifications
110 described in the next modes are not performed.
111
112 . SSL_VERIFY_CA (4) - Verify the server TLS certificate against the configured
113 Certificate Authority (CA) certificates. The connection attempt fails if no
114 valid matching CA certificates are found.
115
116 . SSL_VERIFY_IDENTITY (5): Like VERIFY_CA, but additionally verify that the
117 server certificate matches the host to which the connection is attempted.
118
119 If a different value is provide, INVALID_SSL_MODE (-1) is returned.
120*/
122
123/*
124 Initialize the SSL.
125
126 server_key_file - Path of file that contains the server's X509 key in PEM
127 format.
128 server_cert_file - Path of file that contains the server's X509 certificate in
129 PEM format.
130 client_key_file - Path of file that contains the client's X509 key in PEM
131 format.
132 client_cert_file - Path of file that contains the client's X509 certificate in
133 PEM format.
134 ca_file - Path of file that contains list of trusted SSL CAs.
135 ca_path - Path of directory that contains trusted SSL CA certificates
136 in PEM format.
137 crl_file - Path of file that contains certificate revocation lists.
138 crl_path - Path of directory that contains certificate revocation list
139 files.
140 cipher - List of permitted ciphers to use for connection encryption.
141 tls_version - Protocols permitted for secure connections.
142
143 Note that only the server_key_file/server_cert_file and the client_key_file/
144 client_cert_file are required and the rest of the pointers can be NULL.
145 If the key is provided along with the certificate, either the key file or
146 the other can be omitted.
147
148 The caller can free the parameters after the call if this is necessary.
149
150 Return 0 if success 1 otherwise.
151*/
152int xcom_init_ssl(const char *server_key_file, const char *server_cert_file,
153 const char *client_key_file, const char *client_cert_file,
154 const char *ca_file, const char *ca_path,
155 const char *crl_file, const char *crl_path,
156 const char *cipher, const char *tls_version,
157 const char *tls_ciphersuites);
158
159/*
160 Destroy the SSL Configuration freeing allocated memory.
161*/
164
165/*
166 Return whether the SSL will be used to encrypt data or not.
167
168 Return 1 if it is enabled 0 otherwise.
169*/
171
172/*
173 Verify whether the server certificate matches the host to which
174 the connection is attempted.
175*/
176int ssl_verify_server_cert(SSL *ssl, const char *server_hostname);
177
178/*
179 Pointers to the SSL Context for the server and client
180 contexts respectively.
181*/
182extern SSL_CTX *server_ctx;
183extern SSL_CTX *client_ctx;
184
185#endif /* !XCOM_WITHOUT_OPENSSL */
186#endif /* XCOM_SSL_TRANSPORT_H */
constexpr value_type ssl
Definition: classic_protocol_constants.h:49
mode
Definition: file_handle.h:61
ssl_enum_fips_mode_options
Definition: network_provider.h:69
ssl_enum_mode_options
Definition: network_provider.h:55
int xcom_set_ssl_fips_mode(int mode)
int xcom_get_ssl_mode(const char *mode)
@ INVALID_SSL_FIPS_MODE
Definition: xcom_ssl_transport.h:60
@ SSL_FIPS_MODE_OFF
Definition: xcom_ssl_transport.h:61
@ SSL_FIPS_MODE_STRICT
Definition: xcom_ssl_transport.h:63
@ SSL_FIPS_MODE_ON
Definition: xcom_ssl_transport.h:62
@ LAST_SSL_FIPS_MODE
Definition: xcom_ssl_transport.h:64
int xcom_init_ssl(const char *server_key_file, const char *server_cert_file, const char *client_key_file, const char *client_cert_file, const char *ca_file, const char *ca_path, const char *crl_file, const char *crl_path, const char *cipher, const char *tls_version, const char *tls_ciphersuites)
int xcom_get_ssl_fips_mode(const char *mode)
int ssl_verify_server_cert(SSL *ssl, const char *server_hostname)
int xcom_use_ssl()
SSL_CTX * client_ctx
Definition: xcom_network_provider_ssl_native_lib.cc:173
void xcom_cleanup_ssl()
@ LAST_SSL_MODE
Definition: xcom_ssl_transport.h:52
@ SSL_VERIFY_CA
Definition: xcom_ssl_transport.h:50
@ SSL_VERIFY_IDENTITY
Definition: xcom_ssl_transport.h:51
@ SSL_REQUIRED
Definition: xcom_ssl_transport.h:49
@ SSL_PREFERRED
Definition: xcom_ssl_transport.h:48
@ INVALID_SSL_MODE
Definition: xcom_ssl_transport.h:46
@ SSL_DISABLED
Definition: xcom_ssl_transport.h:47
void xcom_destroy_ssl()
int xcom_set_ssl_mode(int mode)
SSL_CTX * server_ctx
Definition: xcom_network_provider_ssl_native_lib.cc:172