ssl_acceptor_context.h
1 /* Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
2 
3  This program is free software; you can redistribute it and/or modify
4  it under the terms of the GNU General Public License, version 2.0,
5  as published by the Free Software Foundation.
6 
7  This program is also distributed with certain software (including
8  but not limited to OpenSSL) that is licensed under separate terms,
9  as designated in a particular file or component or in included license
10  documentation. The authors of MySQL hereby grant you an additional
11  permission to link the program and your derivative works with the
12  separately licensed software that they have included with MySQL.
13 
14  This program is distributed in the hope that it will be useful,
15  but WITHOUT ANY WARRANTY; without even the implied warranty of
16  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  GNU General Public License, version 2.0, for more details.
18 
19  You should have received a copy of the GNU General Public License
20  along with this program; if not, write to the Free Software
21  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
22 
23 #ifndef SSL_ACCEPTOR_CONTEXT_INCLUDED
24 #define SSL_ACCEPTOR_CONTEXT_INCLUDED
25 
26 #include <my_rcu_lock.h>
27 #include <mysql/status_var.h>
28 #include <sql/sql_class.h>
29 #include <violite.h>
30 #include <atomic>
31 #include "my_sys.h"
32 
33 /** helper class to deal with optionally empty strings */
35  public:
/** Wrap a C string; a NULL pointer is remembered as "absent" (c_str() then yields NULL), not as "". */
OptionalString(const char *s) : value_(), empty_(s == nullptr) {
  if (!empty_) value_ = s;
}
39  OptionalString(const OptionalString &) = default;
40 
/** Return the stored string, or NULL when the value is absent (it was set from a NULL pointer). */
const char *c_str() const {
  if (empty_) return NULL;
  return value_.c_str();
}
/**
  Replace the stored value.

  @param s new value; NULL marks the value as absent (an empty string is stored)
  @return *this, for chaining
*/
OptionalString &assign(const char *s) {
  empty_ = (s == nullptr);
  value_.assign(empty_ ? "" : s);
  return *this;
}
47 
48  private:
49  std::string value_;
50  bool empty_;
51 };
52 
53 /**
54  Class to encapsulate the Server SSL acceptor context
55 */
57  public:
58  /**
59  Initialize the single instance of the acceptor
60 
61  @param use_ssl_arg Pass false if you don't want the actual
62  SSL context created (as in when SSL is initially disabled)
63  @retval true failure to init
64  @retval false initialized ok
65  */
66  static bool singleton_init(bool use_ssl_arg);
67  /** De-initialize the single instance of the acceptor */
68  static void singleton_deinit();
69  /**
70  Re-initialize the single instance of the acceptor
71 
72  @param[out] error
73  @param force activate the SSL settings even if this will lead to
74  disabling SSL
75  */
76  static void singleton_flush(enum enum_ssl_init_error *error, bool force);
77 
78  // info functions, to be called for the session vars
79 
80  static int show_ssl_ctx_sess_accept(THD *, SHOW_VAR *var, char *buff);
81  static int show_ssl_ctx_sess_accept_good(THD *, SHOW_VAR *var, char *buff);
82  static int show_ssl_ctx_sess_connect_good(THD *, SHOW_VAR *var, char *buff);
84  char *buff);
86  char *buff);
87  static int show_ssl_ctx_sess_cb_hits(THD *, SHOW_VAR *var, char *buff);
88  static int show_ssl_ctx_sess_hits(THD *, SHOW_VAR *var, char *buff);
89  static int show_ssl_ctx_sess_cache_full(THD *, SHOW_VAR *var, char *buff);
90  static int show_ssl_ctx_sess_misses(THD *, SHOW_VAR *var, char *buff);
91  static int show_ssl_ctx_sess_timeouts(THD *, SHOW_VAR *var, char *buff);
92  static int show_ssl_ctx_sess_number(THD *, SHOW_VAR *var, char *buff);
93  static int show_ssl_ctx_sess_connect(THD *, SHOW_VAR *var, char *buff);
94  static int show_ssl_ctx_sess_get_cache_size(THD *, SHOW_VAR *var, char *buff);
95  static int show_ssl_ctx_get_verify_mode(THD *, SHOW_VAR *var, char *buff);
96  static int show_ssl_ctx_get_verify_depth(THD *, SHOW_VAR *var, char *buff);
98  char *buff);
99  static int show_ssl_get_server_not_before(THD *, SHOW_VAR *var, char *buff);
100  static int show_ssl_get_server_not_after(THD *, SHOW_VAR *var, char *buff);
101 
102  // info about the current set of ssl_ctx parameters
103  static int show_ssl_get_ssl_ca(THD *, SHOW_VAR *var, char *buff);
104  static int show_ssl_get_ssl_capath(THD *, SHOW_VAR *var, char *buff);
105  static int show_ssl_get_ssl_cert(THD *, SHOW_VAR *var, char *buff);
106  static int show_ssl_get_ssl_key(THD *, SHOW_VAR *var, char *buff);
107  static int show_ssl_get_ssl_cipher(THD *, SHOW_VAR *var, char *buff);
108  static int show_ssl_get_tls_ciphersuites(THD *, SHOW_VAR *var, char *buff);
109  static int show_ssl_get_tls_version(THD *, SHOW_VAR *var, char *buff);
110  static int show_ssl_get_ssl_crl(THD *, SHOW_VAR *var, char *buff);
111  static int show_ssl_get_ssl_crlpath(THD *, SHOW_VAR *var, char *buff);
112 
113  /**
114  Check if SSL was initialized
115 
116  @retval true if the singleton holds a properly initialized SSL_CTX
117  */
118  static bool have_ssl();
119 
120  /**
121  An RCU lock type for @ref SslAcceptorContext
122  */
124 
125  /**
126  The preferred way to *read* SSL parameters.
127  This is a scope lock class. So initialize it and hold it for
128  as long as you need to access the data.
129  @note It's OK to release it and still use the data *ONLY*
130  if you apply other means to protect your data (e.g. SSL context
131  reference counts etc).
132 
133  @sa MyRcuLock, SslAcceptorContext
134  */
136  public:
140 
/**
  Access to the SSL_CTX from the protected @ref SslAcceptorContext

  @pre !empty(): @ref ssl_acceptor_fd is dereferenced here without a NULL
  check, so callers must test @ref empty() while still holding this lock.
*/
operator SSL_CTX *() {
  const SslAcceptorContext *ctx = *this;
  struct st_VioSSLFd *fd = ctx->ssl_acceptor_fd;
  return fd->ssl_context;
}
/**
  Access to the SSL from the protected @ref SslAcceptorContext

  No validity check is performed on the returned handle; test @ref empty()
  first.
*/
operator SSL *() {
  const SslAcceptorContext *ctx = *this;
  return ctx->acceptor;
}
/**
  Access to the st_VioSSLFd from the protected @ref SslAcceptorContext

  May be NULL; this is exactly the pointer @ref empty() tests.
*/
operator struct st_VioSSLFd *() {
  const SslAcceptorContext *ctx = *this;
  return ctx->ssl_acceptor_fd;
}
/**
  Check whether the protected @ref SslAcceptorContext holds a usable SSL_CTX

  Only @ref ssl_acceptor_fd is tested; the SSL handle (@ref acceptor) is
  assumed to be set up together with it — confirm against the constructor in
  ssl_acceptor_context.cc. Call this before using the SSL_CTX conversion
  operator, which dereferences @ref ssl_acceptor_fd without a check.

  @retval true there's no valid SSL_CTX (e.g. SSL was disabled via use_ssl_arg)
  @retval false there's a valid SSL_CTX, SSL and st_VioSSLFd
*/
bool empty() {
  const SslAcceptorContext *ctx = *this;
  return NULL == ctx->ssl_acceptor_fd;
}
168 
169  // functions to return the cached values for the parameters so that the
170  // status vars work.
171 
/** Cached ssl_ca value; NULL when the parameter is absent (see OptionalString::c_str). */
const char *get_current_ca() {
  const SslAcceptorContext *ctx = *this;
  const OptionalString &cached = ctx->current_ca_;
  return cached.c_str();
}
/** Cached ssl_capath value; NULL when the parameter is absent (see OptionalString::c_str). */
const char *get_current_capath() {
  const SslAcceptorContext *ctx = *this;
  const OptionalString &cached = ctx->current_capath_;
  return cached.c_str();
}
/** Cached ssl_cert value; NULL when the parameter is absent (see OptionalString::c_str). */
const char *get_current_cert() {
  const SslAcceptorContext *ctx = *this;
  const OptionalString &cached = ctx->current_cert_;
  return cached.c_str();
}
/** Cached ssl_key value (a file path, not key material); NULL when absent (see OptionalString::c_str). */
const char *get_current_key() {
  const SslAcceptorContext *ctx = *this;
  const OptionalString &cached = ctx->current_key_;
  return cached.c_str();
}
/** Cached tls_version value; NULL when the parameter is absent (see OptionalString::c_str). */
const char *get_current_version() {
  const SslAcceptorContext *ctx = *this;
  const OptionalString &cached = ctx->current_version_;
  return cached.c_str();
}
/** Cached ssl_crl value; NULL when the parameter is absent (see OptionalString::c_str). */
const char *get_current_crl() {
  const SslAcceptorContext *ctx = *this;
  const OptionalString &cached = ctx->current_crl_;
  return cached.c_str();
}
/** Cached ssl_crlpath value; NULL when the parameter is absent (see OptionalString::c_str). */
const char *get_current_crlpath() {
  const SslAcceptorContext *ctx = *this;
  const OptionalString &cached = ctx->current_crlpath_;
  return cached.c_str();
}
/** Cached ssl_cipher value; NULL when the parameter is absent (see OptionalString::c_str). */
const char *get_current_cipher() {
  const SslAcceptorContext *ctx = *this;
  const OptionalString &cached = ctx->current_cipher_;
  return cached.c_str();
}
/** Cached tls_ciphersuites value; NULL when the parameter is absent (see OptionalString::c_str). */
const char *get_current_ciphersuites() {
  const SslAcceptorContext *ctx = *this;
  const OptionalString &cached = ctx->current_ciphersuites_;
  return cached.c_str();
}
208  };
209 
211 
212  /**
213  A workaround for consumers that need to read the values
214 
215  This is a temporary workaround for the subsystems that
216  are trying to access the mysql protocol TLS context parameters.
217  TODO: to be removed once these migrate to access the system variables.
218 
219  To use, pass a non-null pointer to an OptionalString as any of the args
220  to receive a copy of the relevant value that you will then need to
221  dispose of.
222 
223  @param [out] ca
224  @param [out] capath
225  @param [out] version
226  @param [out] cert
227  @param [out] cipher
228  @param [out] ciphersuites
229  @param [out] key
230  @param [out] crl
231  @param [out] crl_path
232  */
233  static void read_parameters(
234  OptionalString *ca = nullptr, OptionalString *capath = nullptr,
235  OptionalString *version = nullptr, OptionalString *cert = nullptr,
236  OptionalString *cipher = nullptr, OptionalString *ciphersuites = nullptr,
237  OptionalString *key = nullptr, OptionalString *crl = nullptr,
238  OptionalString *crl_path = nullptr);
239 
240  protected:
241  /**
242  A protected constructor since it's only instantiated via the static
243  functions.
244 
245  @param use_ssl_arg don't bother at all to try and construct an SSL_CTX and
246  just make an empty SslAcceptorContext. Used to pass the --ssl option at
247  startup.
248  @param report_ssl_error report any SSL errors resulting from trying to
249  initialize the SSL_CTX to the server's error log.
250  @param [out] out_error an optional slot to return the SSL_CTX initialization
251  error location.
252  */
253  SslAcceptorContext(bool use_ssl_arg, bool report_ssl_error = true,
254  enum enum_ssl_init_error *out_error = nullptr);
255  /** Disable the copy constructor */
256  SslAcceptorContext(const SslAcceptorContext &) = delete;
257  /** Disable assignment operator */
259 
260  /** Try to auto-detect the SSL key material files. Called by @ref
261  * singleton_init */
263 
264  /** Put up a warning in the error log if the CA used is self-signed. Called by
265  * @ref singleton_init */
266  static int warn_self_signed_ca();
267 
268  protected:
269  /** SSL_CTX bearer */
270  struct st_VioSSLFd *ssl_acceptor_fd;
271  /**
272  An SSL for @ref ssl_acceptor_fd to allow access to parameters not in
273  SSL_CTX to be available even if the current connection is not encrypted.
274  */
276 
277  /**
278  Copies of the current effective values for quick return via the status vars
279  */
283 
284  /** singleton lock */
286 };
287 
288 #endif // SSL_ACCEPTOR_CONTEXT_INCLUDED