1 /* Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
2 
3  This program is free software; you can redistribute it and/or modify
4  it under the terms of the GNU General Public License, version 2.0,
5  as published by the Free Software Foundation.
6 
7  This program is also distributed with certain software (including
8  but not limited to OpenSSL) that is licensed under separate terms,
9  as designated in a particular file or component or in included license
10  documentation. The authors of MySQL hereby grant you an additional
11  permission to link the program and your derivative works with the
12  separately licensed software that they have included with MySQL.
13 
14  This program is distributed in the hope that it will be useful,
15  but WITHOUT ANY WARRANTY; without even the implied warranty of
16  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  GNU General Public License, version 2.0, for more details.
18 
19  You should have received a copy of the GNU General Public License
20  along with this program; if not, write to the Free Software
21  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
22 
23 #ifndef SSL_ACCEPTOR_CONTEXT_INCLUDED
24 #define SSL_ACCEPTOR_CONTEXT_INCLUDED
25 
26 #include <my_rcu_lock.h>
27 #include <violite.h>
28 #include <string>
29 #include "sql/auth/auth_common.h"
30 
31 class THD;
32 struct SHOW_VAR;
33 
34 /** helper class to deal with optionally empty strings */
36  public:
/** Wrap a possibly-null C string: nullptr becomes the empty state, any other pointer is copied. */
OptionalString(const char *s) : value_(s == nullptr ? "" : s), empty_(s == nullptr) {}
/** Copying keeps both the stored text and the empty/non-empty flag. */
OptionalString(const OptionalString &) = default;
41 
/** The stored text, or nullptr when this holds no value. */
const char *c_str() const {
  if (empty_) return nullptr;
  return value_.c_str();
}
/**
  Replace the stored value. A null pointer resets this to the empty state.

  @param s new text, or nullptr for "no value"
  @return *this, for chaining
*/
OptionalString &assign(const char *s) {
  empty_ = (s == nullptr);
  value_ = empty_ ? "" : s;
  return *this;
}
48 
49  private:
// Stored text; "" when the value is empty (see the constructor and assign()).
std::string value_;
// True when constructed or assigned from a null pointer; c_str() then returns nullptr.
bool empty_;
52 };
53 
54 /**
55  Class to encapsulate the Server SSL acceptor context
56 */
58  public:
59  /**
60  Initialize the single instance of the acceptor
61 
62  @param use_ssl_arg Pass false if you don't want the actual
63  SSL context created (as in when SSL is initially disabled)
64  @retval true failure to init
65  @retval false initialized ok
66  */
67  static bool singleton_init(bool use_ssl_arg);
68  /** De-initialize the single instance of the acceptor */
69  static void singleton_deinit();
70  /**
71  Re-initialize the single instance of the acceptor
72 
73  @param[out] error
74  @param force activate the SSL settings even if this will lead to
75  disabling SSL
76  */
77  static void singleton_flush(enum enum_ssl_init_error *error, bool force);
78 
79  // info functions, to be called for the session vars
80 
81  static int show_ssl_ctx_sess_accept(THD *, SHOW_VAR *var, char *buff);
82  static int show_ssl_ctx_sess_accept_good(THD *, SHOW_VAR *var, char *buff);
83  static int show_ssl_ctx_sess_connect_good(THD *, SHOW_VAR *var, char *buff);
85  char *buff);
87  char *buff);
88  static int show_ssl_ctx_sess_cb_hits(THD *, SHOW_VAR *var, char *buff);
89  static int show_ssl_ctx_sess_hits(THD *, SHOW_VAR *var, char *buff);
90  static int show_ssl_ctx_sess_cache_full(THD *, SHOW_VAR *var, char *buff);
91  static int show_ssl_ctx_sess_misses(THD *, SHOW_VAR *var, char *buff);
92  static int show_ssl_ctx_sess_timeouts(THD *, SHOW_VAR *var, char *buff);
93  static int show_ssl_ctx_sess_number(THD *, SHOW_VAR *var, char *buff);
94  static int show_ssl_ctx_sess_connect(THD *, SHOW_VAR *var, char *buff);
95  static int show_ssl_ctx_sess_get_cache_size(THD *, SHOW_VAR *var, char *buff);
96  static int show_ssl_ctx_get_verify_mode(THD *, SHOW_VAR *var, char *buff);
97  static int show_ssl_ctx_get_verify_depth(THD *, SHOW_VAR *var, char *buff);
99  char *buff);
100  static int show_ssl_get_server_not_before(THD *, SHOW_VAR *var, char *buff);
101  static int show_ssl_get_server_not_after(THD *, SHOW_VAR *var, char *buff);
102 
103  // info about the current set of ssl_ctx parameters
104  static int show_ssl_get_ssl_ca(THD *, SHOW_VAR *var, char *buff);
105  static int show_ssl_get_ssl_capath(THD *, SHOW_VAR *var, char *buff);
106  static int show_ssl_get_ssl_cert(THD *, SHOW_VAR *var, char *buff);
107  static int show_ssl_get_ssl_key(THD *, SHOW_VAR *var, char *buff);
108  static int show_ssl_get_ssl_cipher(THD *, SHOW_VAR *var, char *buff);
109  static int show_ssl_get_tls_ciphersuites(THD *, SHOW_VAR *var, char *buff);
110  static int show_ssl_get_tls_version(THD *, SHOW_VAR *var, char *buff);
111  static int show_ssl_get_ssl_crl(THD *, SHOW_VAR *var, char *buff);
112  static int show_ssl_get_ssl_crlpath(THD *, SHOW_VAR *var, char *buff);
113 
114  /**
115  Check if SSL was initialized
116 
117  @retval true if the singleton holds a properly initialized SSL_CTX
118  */
119  static bool have_ssl();
120 
121  /**
122  An RCU lock type for @ref SslAcceptorContext
123  */
125 
126  /**
127  The preferred way to *read* SSL parameters.
128  This is a scope lock class. So initialize it and hold it for
129  as long as you need to access the data.
130  @note It's OK to release it and still use the data *ONLY*
131  if you apply other means to protect your data (e.g. SSL context
132  reference counts etc).
133 
134  @sa MyRcuLock, SslAcceptorContext
135  */
137  public:
141 
142  /**
143  Access to the SSL_CTX from the protected @ref SslAcceptorContext
144  */
145  operator SSL_CTX *() {
146  const SslAcceptorContext *c = *this;
147  return c->ssl_acceptor_fd->ssl_context;
148  }
/**
  Access to the SSL from the protected @ref SslAcceptorContext

  The returned pointer is owned by the locked context; it is only safe to
  use while this lock is held (see the class description).
*/
operator SSL *() {
  const SslAcceptorContext *ctx = *this;
  SSL *ssl = ctx->acceptor;
  return ssl;
}
/**
  Access to the st_VioSSLFd from the protected @ref SslAcceptorContext

  @retval nullptr when no SSL_CTX was created (see @ref empty())
*/
operator struct st_VioSSLFd *() {
  const SslAcceptorContext *ctx = *this;
  struct st_VioSSLFd *fd = ctx->ssl_acceptor_fd;
  return fd;
}
/**
  Check if the SSL context actually contains a valid SSL_CTX
  @retval true there's no valid SSL_CTX
  @retval false there's a valid SSL_CTX, SSL and st_VioSSLFd
*/
bool empty() {
  const SslAcceptorContext *ctx = *this;
  return !ctx->ssl_acceptor_fd;
}
169 
170  // functions to return the cached values for the parameters so that the
171  // status vars work.
172 
/**
  Cached current_ca_ value, or nullptr when unset. The pointer belongs to
  the locked @ref SslAcceptorContext and is valid only while this lock is held.
*/
const char *get_current_ca() {
  const SslAcceptorContext *ctx = *this;
  const OptionalString &value = ctx->current_ca_;
  return value.c_str();
}
/**
  Cached current_capath_ value, or nullptr when unset. The pointer belongs to
  the locked @ref SslAcceptorContext and is valid only while this lock is held.
*/
const char *get_current_capath() {
  const SslAcceptorContext *ctx = *this;
  const OptionalString &value = ctx->current_capath_;
  return value.c_str();
}
/**
  Cached current_cert_ value, or nullptr when unset. The pointer belongs to
  the locked @ref SslAcceptorContext and is valid only while this lock is held.
*/
const char *get_current_cert() {
  const SslAcceptorContext *ctx = *this;
  const OptionalString &value = ctx->current_cert_;
  return value.c_str();
}
/**
  Cached current_key_ value (a path, not key material), or nullptr when unset.
  The pointer belongs to the locked @ref SslAcceptorContext and is valid only
  while this lock is held.
*/
const char *get_current_key() {
  const SslAcceptorContext *ctx = *this;
  const OptionalString &value = ctx->current_key_;
  return value.c_str();
}
/**
  Cached current_version_ value, or nullptr when unset. The pointer belongs to
  the locked @ref SslAcceptorContext and is valid only while this lock is held.
*/
const char *get_current_version() {
  const SslAcceptorContext *ctx = *this;
  const OptionalString &value = ctx->current_version_;
  return value.c_str();
}
/**
  Cached current_crl_ value, or nullptr when unset. The pointer belongs to
  the locked @ref SslAcceptorContext and is valid only while this lock is held.
*/
const char *get_current_crl() {
  const SslAcceptorContext *ctx = *this;
  const OptionalString &value = ctx->current_crl_;
  return value.c_str();
}
/**
  Cached current_crlpath_ value, or nullptr when unset. The pointer belongs to
  the locked @ref SslAcceptorContext and is valid only while this lock is held.
*/
const char *get_current_crlpath() {
  const SslAcceptorContext *ctx = *this;
  const OptionalString &value = ctx->current_crlpath_;
  return value.c_str();
}
/**
  Cached current_cipher_ value, or nullptr when unset. The pointer belongs to
  the locked @ref SslAcceptorContext and is valid only while this lock is held.
*/
const char *get_current_cipher() {
  const SslAcceptorContext *ctx = *this;
  const OptionalString &value = ctx->current_cipher_;
  return value.c_str();
}
/**
  Cached current_ciphersuites_ value, or nullptr when unset. The pointer
  belongs to the locked @ref SslAcceptorContext and is valid only while this
  lock is held.
*/
const char *get_current_ciphersuites() {
  const SslAcceptorContext *ctx = *this;
  const OptionalString &value = ctx->current_ciphersuites_;
  return value.c_str();
}
209  };
210 
212 
213  /**
214  A workaround for consumers that need to read the values
215 
216  This is a temporary workaround for the subsystems that
217  are trying to access the mysql protocol TLS context parameters.
218  TODO: to be removed once these migrate to access the system variables.
219 
220  To use pass a non-null pointer to an std::string to any of the args
221  to receive a copy of the relevant value that you will then need to
222  dispose of.
223 
224  @param [out] ca
225  @param [out] capath
226  @param [out] version
227  @param [out] cert
228  @param [out] cipher
229  @param [out] ciphersuites
230  @param [out] key
231  @param [out] crl
232  @param [out] crl_path
233  */
234  static void read_parameters(
235  OptionalString *ca = nullptr, OptionalString *capath = nullptr,
236  OptionalString *version = nullptr, OptionalString *cert = nullptr,
237  OptionalString *cipher = nullptr, OptionalString *ciphersuites = nullptr,
238  OptionalString *key = nullptr, OptionalString *crl = nullptr,
239  OptionalString *crl_path = nullptr);
240 
241  protected:
242  /**
243  A protected constructor since it's only instantiated via the static
244  functions.
245 
246  @param use_ssl_arg don't bother at all to try and construct an SSL_CTX and
247  just make an empty SslAcceptorContext. Used to pass the --ssl option at
248  startup.
249  @param report_ssl_error report any SSL errors resulting from trying to
250  initialize the SSL_CTX to the server's error log.
251  @param [out] out_error an optional slot to return the SSL_CTX initialization
252  error location.
253  */
254  SslAcceptorContext(bool use_ssl_arg, bool report_ssl_error = true,
255  enum enum_ssl_init_error *out_error = nullptr);
256  /** Disable the copy constructor */
257  SslAcceptorContext(const SslAcceptorContext &) = delete;
258  /** Disable assignment operator */
260 
261  /** Try to auto-detect the SSL key material files. Called by @ref
262  * singleton_init */
264 
265  /** Put up a warning in the error log if the CA used is self-signed. Called by
266  * @ref singleton_init */
267  static int warn_self_signed_ca();
268 
269  protected:
270  /** SSL_CTX bearer */
271  struct st_VioSSLFd *ssl_acceptor_fd;
272  /**
273  An SSL for @ref ssl_acceptor_fd to allow access to parameters not in
274  SSL_CTX to be available even if the current connection is not encrypted.
275  */
277 
278  /**
279  Copies of the current effective values for quick return via the status vars
280  */
284 
285  /** singleton lock */
287 };
288 
289 #endif // SSL_ACCEPTOR_CONTEXT_INCLUDED